Documentation Version: er2.0.28-docs-1.1

Remediation

Remediation is permanent

Remediation can result in the permanent erasure or modification of data. Once performed, remedial actions cannot be undone.

Matches found during scans must be reviewed and, where necessary, remediated. ER2 has built-in tools to mark and secure sensitive data found in these matches.

Remediating matches is done in two phases:

  1. Review Matches
  2. Remedial Action

Review Matches

When matches are found during a scan, they are displayed in the Remediation page as match locations. To help you review these matches, the Remediation page displays:

List of Matches

You can view a list of matches from a specified target and evaluate the remediation options.

To view the list of matches:

  1. On the Targets Page, click a Target to display its list of matches.
  2. You can sort the list of displayed matches by:
    • Location: Full path of the match location.
    • Owner: User with Owner permissions.
    • Types: Number of matches and test data.
  3. Click on a match to view:
    1. Match type filter: List of matches sorted by type.
    2. Match sample view: Sample of the match. To view a detailed summary, click View all info.
    3. Match sample view encoding: Contextual data for matches in a match location in these encoding formats:
      Plain text (ASCII), EBCDIC (used in IBM mainframes), Hexadecimal.
Contextual data is the data surrounding the matches found in a match location. Reviewing contextual data may be helpful in determining if the match itself is genuine, since matches are always masked dynamically when presented on the Web Console.

To display contextual data around matches, make sure this option is selected when you schedule a scan.

Scanning EBCDIC-based systems can be enabled in Data Type Profiles.

Match Filter

You can filter matches by entering search criteria or selecting an option in the Filter sidebar.

To filter matches:

  1. At the top right of the Target details page, click Filter to display the Filter sidebar.

  2. On the left of the page, the Filter section displays matches found in the Target location sorted by type.

    To filter your view, select one or more match types to be displayed.

You can use data type filters to remediate specific data types for a selected match location.
For example, File A has one Personal Names (English) match and two Mastercard matches. Only the Mastercard matches will be remediated if Mastercard is the only data type filter that was selected when remedial action was taken.
If no data type filters are selected, all data type matches will be remediated for a selected match location.

Search Matches

To display a list of matches based on a search term:

  1. At the top right of the Target details page, next to the Filter button, enter a search term to search for in a file name or path.
  2. Press ENTER.

Inaccessible Locations

Inaccessible Locations are files, folders and drives on a Target which cannot be reached during a scan.

On the bottom-left corner of the Target details page, click ⊘ Inaccessible Locations to view a log of these locations.

Remedial Action

If a match is found to contain sensitive data, ER2 provides tools to report and secure the match location.

Remedial actions are categorized by:

  1. Act directly on selected location: Remedial actions that directly modify match locations to secure your data.
  2. Mark locations for compliance report: Flags these items as reviewed but does not modify the data. These options do not secure your data.

The Target details page displays the results of remedial action taken for match locations in the Status column.

To remediate a match location:

  1. On the Remediation page, select the match location(s) that you want to remediate.
  2. Click Remediate and select one of the following actions:
All remedial actions are captured in the Remediation log. When attempting to remediate a match location, you are required to enter a name in the Sign-off field.

Act directly on selected location

This section lists available remedial actions that act directly on match locations. Acting directly on selected locations reduces your Target's match count.

Target A has six matches: after encrypting two matches and masking three, Target A's match count is one.

Exercise caution when performing remedial actions that act directly on a selected location. For example, masking data found in the C:\Windows\System32 folder may corrupt the Windows operating system.

Action

Description

Mask all sensitive data
Masking data is destructive. It writes over data in the original file to obscure it. This action is irreversible, and may corrupt remaining data in masked files.

Masks all found sensitive data in the match location with a static mask. A portion of each matched string is permanently written over with the character "x" to obscure the original. For example, '1234560000001234' is replaced with '123456XXXXXX1234'.

File formats that can be masked include:
  • XPS.
  • Microsoft Office 97-2003 (DOC, PPT, XLS).
  • Microsoft Office 2007 and above (DOCX and XLSX).
  • Files embedded in archives (GZIP, TAR, ZIP).

Not all files can be masked by ER2; some files such as database data files and PDFs do not allow ER2 to modify their contents.

Quarantine

Moves the files to a secure location you specify and leaves a tombstone text file in its place.

Performing a Quarantine action on "example.xlsx" moves the file to the user-specified secure location and leaves "example.xlsx.txt" in its place.

Tombstone text files will contain the following text:

Location quarantined at user request during sensitive data remediation.

Delete permanently

Securely deletes the match location (file) and leaves a tombstone text file in its place.

Performing a Delete permanently action on "example.xlsx" removes the file and leaves "example.xlsx.txt" in its place.

Tombstone text files will contain the following text:

Location deleted at user request during sensitive data remediation.

Attempting to perform a Delete permanently action on files already deleted by the user (removed manually, without using the Delete permanently remedial action) will update the match status to "Deleted" but leave no tombstone behind.

Encrypt file

Secures the match location using an AES-encrypted zip file. You must provide an encryption password here.

Encrypted zip files that ER2 makes on your file systems are owned by root, which means that you need root credentials to open the encrypted zip file.
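
The tombstone behaviour described for Quarantine and Delete permanently can be checked on disk. The following is an added example, not part of the ER2 product or its documentation: it walks a directory tree, identifies tombstones by the exact text quoted above, and reports whether a file with the original name exists again. The function names, the UTF-8 encoding and the 16-byte size slack are assumptions.

```python
import os
import tempfile

# Tombstone texts quoted from the documentation above, mapped to the action taken.
TOMBSTONES = {
    "Location quarantined at user request during sensitive data remediation.": "quarantined",
    "Location deleted at user request during sensitive data remediation.": "deleted",
}
# Skip files much larger than a tombstone; 16 bytes of slack for BOM/newlines (assumption).
MAX_BYTES = max(len(t) for t in TOMBSTONES) + 16

def classify_tombstone(path):
    """Return 'quarantined', 'deleted', or None if the file is not a tombstone."""
    try:
        if os.path.getsize(path) > MAX_BYTES:
            return None
        # Assumption: tombstones are ASCII/UTF-8 text, possibly with a BOM.
        with open(path, encoding="utf-8-sig", errors="replace") as fh:
            return TOMBSTONES.get(fh.read().strip())
    except OSError:
        return None

def audit_tombstones(root):
    """List tombstones under root and whether the original file name exists again."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".txt"):
                continue
            tomb = os.path.join(dirpath, name)
            action = classify_tombstone(tomb)
            if action:
                original = tomb[:-len(".txt")]  # example.xlsx.txt -> example.xlsx
                findings.append((os.path.relpath(original, root), action,
                                 os.path.exists(original)))
    return sorted(findings)

if __name__ == "__main__":
    # Constructed sample tree: one deleted file, one quarantined file that reappeared.
    with tempfile.TemporaryDirectory() as root:
        for name, wanted in (("a.xlsx.txt", "deleted"), ("b.docx.txt", "quarantined")):
            body = next(t for t, act in TOMBSTONES.items() if act == wanted)
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body + "\n")
        open(os.path.join(root, "b.docx"), "w").close()  # original name exists again
        for original, action, present in audit_tombstones(root):
            print(f"{original}: {action}, original present again: {present}")
```

A tombstone whose original name exists again suggests the file was restored or re-created after remediation, so that location is worth rescanning.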

Mark locations for compliance report

Flags these items as reviewed but does not modify the data. Hence, the sensitive data found in the match is still not secure.

Action

Description

Confirmed

Marks selected match location as Confirmed. The location has been reviewed and found to contain sensitive data that must be remediated.

Remediated manually

Marks selected match location as Remediated Manually. The location contains sensitive data which has been remediated using tools outside of ER2 and rendered harmless.

Marking selected match locations as Remediated Manually deducts the marked matches from your match count. If marked matches have not been remediated when the next scan occurs, they resurface as matches.

Test Data

Marks selected match location as Test Data. The location contains data that is part of a test suite, and does not pose a security or privacy threat.

To ignore such matches in future, you can add a Global Filter when you select Update configuration to classify identical matches in future searches.

False match

Marks selected match location as a False Match. The location is a false positive and does not contain sensitive data. You can choose to update the configuration by selecting:
  • Update configuration to classify identical matches in future searches to add a Global Filter to ignore such matches in the future.
  • Update configuration to ignore match locations in future scans on this target to add a Global Filter to ignore this specific location/file when performing subsequent scans.

To send data to Ground Labs to help improve future matches, select Send encrypted false match samples to Ground Labs for permanent resolution.

Remove mark

Unmarks selected location.

Unmarking locations is captured in the Remediation Log.

Marking PCI data as test data or false matches

When a match is labelled as credit card data or other data prohibited under the PCI DSS, you cannot add it to your list of Global Filters through the remediation menu. Instead, add the match you want to ignore by manually setting up a new Global Filter. See Global Filters for more information.

Remediation log

The Remediation Log captures all remedial actions taken on a given Target.

To view the remediation log:

  1. On the bottom-right corner of the Remediation page, click Remediated Logs.
  2. You can sort the remediation logs by:
    • Location: Location of file that has had remedial action taken.
    • Remediation Status: Whether the file has been successfully remediated.
    • Match Count: The number of matches in the file.
    • Timestamp: Month, day, year, and time of the remedial event.
    • Sign-off: Text entered into the Sign-off field when remedial action is taken.
      ER2 uses two properties to log the source of remedial action: the Sign-off, and the name of the user account used. The name of the user account used for remediation is not displayed in the Remediation Logs, but is still recorded and searchable in Filter by...
  3. In the Filter by... section, you can filter the logs by:
    • Date: Set a range of dates to only display logs from that period.
    • User: Display only Remedial events from a particular user account.
    • Reverse order: By default, the logs display the newest remedial event first; check this option to display the oldest event first.
    • ↺ Reset Filters: Click this to reset filters applied to the logs.
    • Export Log: Saves the filtered results of the Remediation Logs to a CSV file.