Getting useful information from a Websense Report

Posted on 2013-01-07
Last Modified: 2013-02-25
I currently have Websense WebSecurity deployed in my environment, and I'm several versions behind, currently on Websense Manager 7.1.

Frequently, we'll have issues with bandwidth being chewed up, or suspicions about inappropriate usage of our bandwidth, but are unable to obtain useful information from reports.  Our largest bandwidth hogs will frequently be reporting as visiting https IP ranges, and we really have no idea what these are, or what's coming across the wire.  Sometimes, we'll be able to run a WHOIS and get something like Limelight, but that still doesn't really tell me what's happening.  More frequently, you'll be unable to determine the destination, what kind of traffic is coming across, or anything else that would give you political reason to investigate the user more thoroughly, or get their manager to actually back you.

So, how can I actually find useful data?  How can I generate a report that allows me to have any kind of real visibility into where the user is going, or what kind of traffic they're using?

Attached is a screenshot to show the typical return I get on investigative reports.

If it has any relevance, the Websense server sits on a 2008 server (R1) VM, on an ESX host.  The initial config took multiple days back when Websense was still willing to assist with deployment.  I'm understaffed, and the upgrade project appears sufficiently complex enough to be very intimidating.

Thanks for your time and help.
Question by:jasondimaio
LVL 51

Expert Comment

ID: 38753797
> .. and we really have no idea what these are
use nslookup or whatever your os has to reverse lookup the IP

> .. unable to determine the destination ..
the destination is the IP as written in the report, what else do you expect?

> .. what kind of traffic is coming across, ..
it's https as wriiten in the report

> How can I generate a report that allows me to have any kind of real visibility into where the user is going, or what kind of traffic they're using?
the report already contains "where" the user is going

if you're talking about "what" the user is there looking for, you first need to inform your users that you're monitoring the traffic and ask for permission to do so (depends on the regulations in your country), then you need to use a proxy for https which then obviusly breaks the trust of SSL
LVL 63

Assisted Solution

btan earned 250 total points
ID: 38753907
Are we already looking at all the various type of report not able to meet this needed...below are some categories...

But also suggest that you understand not all site visited are user intended...maybe can check below
LVL 51

Expert Comment

ID: 38754161
> .. not all site visited are user intended ..
assuming "user" means a human, I'd qualify most HTTP(S) requests are not user intended (i.g. all advertising and tracking ;-)
Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

LVL 63

Expert Comment

ID: 38754185
Yap as shared in the link ;) which generate such traffic from other embedded links hosted at the fronting website...

Assisted Solution

amatson78 earned 125 total points
ID: 38754307
I would also look into the Websense Content Gateway Integration for your environment as this proxy will decrypt the certificates and header info showing you the destination URL vs the IP as you get now.

Cheers, Alan
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 38754634
fyi, limelight is a cdn (content delivery network) so it could be ANYTHING so unless you break the ssl

Author Comment

ID: 38754803
To the above snarky comments, I'm sorry I was not clear.  Yes, I can see the IP address to which they go.  That's not useful to me, as it doesn't really give me any context for what they're doing.  Whatever the traffic is going across SSL is secured traffic, I get that, but again, not useful to me, as I can't tell if it's streaming media, downloaded data, or something else, so again, not useful to me.  Websense also doesn't tell me (from what I know) what front-end generated the back-end SSL connection/traffic in the first place.  THAT could be useful.

I've had issues with Akamai destinations as well, but I was hoping that someone more versed in Websense could give me some better tips or tools to actually determine what kind of content was being delivered, as actually visiting the IPs, doing a WhoIS, or anything else doesn't really tell me a thing.  Considering how pervasive Akamai is, I can't really block it.

For those of you that tried to help, I do appreciate it.  From what I can tell in this thread, there's not really anything I can do to glean more information or use Websense in a more productive manner without spending more money.  Alan, I'll look at that tool.  Thank you.
LVL 63

Assisted Solution

btan earned 250 total points
ID: 38754917
Reporting tool from content filter will not be simply be accurate by just seeing the url in forward proxy deployment with user surfing the internet. That is why they also preached to Bb supplemented by reputation engine and other network forensic tool before it get encrypted or simply be a MITM or MITB. Akamai purely embedded the url they fronted with tier dynamic DNS host. Even firewall need to configured dynamic address object to detect and block if needed. Not straightforward having this obscurity running through. But I will say application analytics and filter is still something to fish out any anomalies of leakage intentionally. .. Some analytics you may be nterested is solera and lastline or recent rsa security analytic using netwitness. ..just my few cents
LVL 51

Accepted Solution

ahoffmann earned 125 total points
ID: 38755142
hmm, so you simple requirement is to see the URL in your websense?
to do that, your websense need to be the proxy (MiTM) and hence breaking SSL as I already explained in my first comment

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this increasingly digital world, security hacks are no longer just a threat, but a reality. As we've witnessed with Target's big identity hack 2013, Heartbleed in 2015, and now Cloudbleed, companies and their leaders need to prepare for the unthi…
There's a lot of hype surrounding blockchain technology. Here's how it works and some of the novel ways it' s now being used - including for data protection.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question