Update solution on May 21, 2020

Seeker DLP

Seeker DLP finds sensitive data within files on Windows and Macs, across SMB-based file servers and web servers, and within Oracle, MySQL and SQL Server databases. Seeker plans to add support for OneDrive and Box in 2020. You can either run multiple concurrent scans on whatever servers or systems you are investigating, or run remotely executed scans (see Figure 1; note that “incredibly” is Seeker’s word rather than ours), which again run across multiple systems concurrently, with results being returned to the Seeker host.

Customer Quotes

“Seeker has completely changed the way we run our DLP service. Previously, we struggled to ensure all assets were being scanned due to cost and configuration difficulties. With Seeker, these challenges are gone.”

Seeker uses a built-in component of Microsoft Windows called IFilters to scan the contents of most files or, in the case of Macs, macOS Spotlight plug-ins. IFilters are the mechanism that Microsoft’s Windows Search uses to extract the content of items for inclusion in a full-text index. Moreover, this mechanism allows users to index new or proprietary file types by writing appropriate filters. This represents a significant improvement – reducing false positives – compared to parsing plain text, though Seeker does have facilities to support plain text discovery.

More generally, Seeker ships with a number of pre-defined search patterns (regular expressions) to recognise such things as social security and credit card numbers. You can also develop your own search patterns. In addition, there is support for distance measures, whereby a second pattern must exist in close proximity to the initial pattern in order to trigger a positive identification. For example, a social security number is a nine-digit number. There are lots of nine-digit numbers used for all sorts of purposes, so to ensure that a match really is a social security number you might want to establish that there is a name, say, in close proximity.
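The proximity check described above, as an added example that is not Seeker's code or one of its shipped patterns: the regular expressions, the context keywords, the 40-character window and the function names are all assumptions made for illustration, and the sample lines are constructed.

```python
import re

# Primary pattern: nine digits, optionally grouped 3-2-4 (SSN-like shape).
SSN = re.compile(r"(?<!\d)\d{3}[- ]?\d{2}[- ]?\d{4}(?!\d)")
# Secondary pattern (assumption): words that suggest an SSN or a person.
CONTEXT = re.compile(r"\b(ssn|social security|name|employee|dob)\b", re.I)


def find_with_proximity(text, primary=SSN, secondary=CONTEXT, distance=40):
    """Return primary matches that have a secondary match within
    `distance` characters before or after them."""
    context_spans = [m.span() for m in secondary.finditer(text)]
    hits = []
    for m in primary.finditer(text):
        start, end = m.span()
        for c_start, c_end in context_spans:
            # Gap between the two spans; 0 if they touch or overlap.
            gap = max(c_start - end, start - c_end, 0)
            if gap <= distance:
                hits.append({"match": m.group(), "offset": start,
                             "context": text[c_start:c_end], "gap": gap})
                break
    return hits


def mask(value):
    """Keep only the last four digits so findings can be logged safely."""
    digits = re.sub(r"\D", "", value)
    return "***-**-" + digits[-4:]


# Constructed sample lines, not real data.
SAMPLES = [
    "Employee name: Jane Roe, SSN 123-45-6789, start date 2019-03-01",
    "Order tracking number 987654321 shipped from warehouse 12",
    "Invoice ref 555-12-3456 " + "x" * 60 + " contact name on file",
]

if __name__ == "__main__":
    for line in SAMPLES:
        naive = [mask(m.group()) for m in SSN.finditer(line)]
        strict = [mask(h["match"]) for h in find_with_proximity(line)]
        print(f"naive={naive} proximity={strict}")
```

The second and third samples match the nine-digit pattern on its own but are dropped once a context match is required within the window; widening `distance` trades those false positives back in for recall.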

Fig 02 – Seeker’s dashboard

A useful further feature is that, in addition to discovering sensitive data, Seeker will also identify potentially dangerous permissions: for example, that there are no constraints on who has access to a file that contains sensitive data.

Finally, Seeker provides various reporting options, which can be visualised through the dashboard provided, and illustrated in Figure 2. As can be seen, the software will report on the number of files that contain sensitive data as well as the number of individual records. You can also raise alerts based on specified strings within the path of a file.

We are happy that Seeker scales well, and for discovering sensitive data in file systems it is perfectly capable. Moreover, it has the enormous advantage of being inexpensive (just $4,999 for an annual enterprise subscription). On the other hand, relatively few enterprises will not have any Linux-based systems or databases outside of the three that are supported by Seeker. Given that users will not want to have one product for sensitive data discovery for one part of their infrastructure and another product for the remainder of their environment, this will constrain Seeker’s applicability to some extent.

While the sensitive data discovery provided is fine for file systems, it is relatively limited from a database perspective and there are competitive offerings with significantly more advanced capabilities. There is also the question of what to do with sensitive data once you have found it: with regulations such as GDPR and HIPAA, and the forthcoming CCPA, it is not enough to discover sensitive data, you also have to protect it. This typically means some sort of masking, encryption or tokenisation, and often a combination of two or more of these. A number of Seeker’s rivals offer both discovery and masking in a single solution, and in order to compete effectively with these other companies it would make sense if Seeker at least had some partnerships with masking vendors.

The Bottom Line

Seeker will be best suited where your interest is primarily in file systems and you have relatively limited database issues. We imagine that this is commonplace within the educational sector, but otherwise Seeker is likely to be limited to the mid-market rather than large enterprises.
