Enterprise Recon 2.0.27

Remediation

Matches found during scans must be reviewed and, where necessary, remediated. ER2 has built-in tools to mark and secure sensitive data found in these matches.

Remediating matches is done in two phases:

  1. Review Matches
  2. Remedial Action

Review Matches

When matches are found during a scan, they are displayed in the Remediation page as match locations. To help you review these matches, the Remediation page displays:

List of Matches

You can view a list of matches from a specified target and evaluate the remediation options.

To view the list of matches:

  1. On the Targets Page, click a Target to display its list of matches.
  2. You can sort the list of displayed matches by:
    • Location: Full path of the match location.
    • Owner: User with Owner permissions.
    • Types: Number of matches and test data.
  3. Click on a match to view:
    1. Match type filter: List of matches sorted by type.
    2. Match sample view: Sample of the match. To view a detailed summary, click View all info.
    3. Match sample view encoding: Contextual data for matches in a match location in these encoding formats:
      Plain text (ASCII), EBCDIC (used in IBM mainframes), Hexadecimal.
      er2-match-location.png

Match Filter

You can filter matches by entering a search criteria or selecting an option in the Filter sidebar.

To filter matches:

  1. On the top-right hand of the Target details page, click Filter to display the Filter sidebar.
  2. On the left of the page, the Filter section displays matches found in the Target location sorted by type.
    To filter your view, select one or more match types to be displayed. er2-match-filter.png

To display a list of matches based on a search term:

  1. On the top-right hand of the Target details page, next to the Filter button; enter a search term to search for in a file name or path.
  2. Press ENTER.

Inaccessible Locations

Inaccessible Locations are files, folders and drives on a Target which cannot be reached during a scan.

On the bottom-left corner of the Target details page, click ⊘ Inaccessible Locations to view a log of these locations. er2-inaccessible-locations.png

Remedial Action

If a match is found to contain sensitive data, ER2 provides tools to report and secure the match location.

Remedial actions are categorized by:

  1. Act directly on selected location: Remedial actions that directly modify match locations to secure your data.
  2. Mark locations for compliance report: Flag these items as reviewed but does not modify the data. These options do not secure your data.

The Target details page displays the results of remedial action taken for match locations in the Status column.

To remediate a match location:

  1. On the Remediation page, select the match location(s) that you want to remediate.
  2. Click Remediate and select one of the following actions:

Act Directly on Selected Location

This section lists available remedial actions that act directly on match locations. Acting directly on selected locations reduces your Target’s match count.

Action Description
Mask all sensitive data

Masks all found sensitive data in the match location with a static mask. A portion of the matched strings are permanently written over with the character, "x" to obscure the original. For example, '1234560000001234' is replaced with '123456XXXXXX1234'.

File formats that can be masked include:

  • XPS.
  • Microsoft Office 97-2003 (DOC, PPT, XLS).
  • Microsoft Office 2007 and above (DOCX and XLSX).
  • Files embedded in archives (GZIP, TAR, ZIP).

Not all files can be masked by ER2; some files such as database data files and PDFs do not allow ER2 to modify their contents.

Quarantine

Moves the files to a secure location you specify and leaves a tombstone text file in its place.

Tombstone text files will contain the following text: Location quarantined at user request during sensitive data remediation.

Delete permanently

Securely deletes the match location (file) and leaves a tombstone text file in its place.

Tombstone text files will contain the following text: Location deleted at user request during sensitive data remediation.

Encrypt file

Secures the match location using an AES encrypted zip file. You must provide an encryption password here.

Mark Locations for Compliance Report

Flag these items as reviewed but does not modify the data. Hence, the sensitive data found in the match is still not secure.

Action Description
Confirmed Marks selected match location as Confirmed. The location has been reviewed and found to contain sensitive data that must be remediated.
Remediated manually Marks selected match location as Remediated Manually. The location contains sensitive data which has been remediated using tools outside of ER2 and rendered harmless.
Test Data

Marks selected match location as Test Data. The location contains data that is part of a test suite, and does not pose a security or privacy threat.

To ignore such matches in future, you can add a Global Filter when you select Update configuration to classify identical matches in future searches

False match

Marks selected match location as a False Match. The location is a false positive and does not contain sensitive data. You can choose to update the configuration by selecting:

  • Update configuration to classify identical matches in future searches to add a Global Filter to ignore such matches in the future.
  • Update configuration to ignore match locations in future scans on this target to add a Global Filter to ignore this specific location/file when performing subsequent scans.

To send data to Ground Labs to help improve future matches, select Send encrypted false match samples to Ground Labs for permanent resolution.

Remove mark Unmarks selected location.

Remediation Log

The Remediation Log captures all remedial actions taken on a given Target.
er2-remediation-log.png

To view the remediation log:

  1. On the bottom-right corner of the Remediation page, click Remediated Logs.
  2. You can sort the remediation logs by
    • Location: Location of file that has had remedial action taken.
    • Remediation Status: Whether the file has been successfully remediated.
    • Match Count: The number of matches in the file.
    • Timestamp: Month, day, year, and time of the remedial event.
    • Sign-off: Text entered into the Sign-off field when remedial action is taken.

  3. In the Filter by… section. you can filter the logs by:
    • Date: Set a range of dates to only display logs from that period.
    • User: Display only Remedial events from a particular user account.
    • Reverse order: By default, the logs display the newest remedial event first; check this option to display the oldest event first.
    • ↺ Reset Filters: Click this to reset filters applied to the logs.
    • Export Log: Saves the filtered results of the Remediation Logs to a csv file.