Enterprise Recon 2.0.27
Remediation can result in the permanent erasure or modification of data. Once performed, remedial actions cannot be undone.
Matches found during scans must be reviewed and, where necessary, remediated. ER2 has built-in tools to mark and secure sensitive data found in these matches.
Remediating matches is done in two phases:
When matches are found during a scan, they are displayed in the Remediation page as match locations. To help you review these matches, the Remediation page displays:
- List of Matches
- Match Filter: Matches based on a specified criteria.
- Search Matches: Search for specific matches.
- Inaccessible Locations: Files, folders and drives that could not be reached during the scan.
List of Matches
You can view a list of matches from a specified target and evaluate the remediation options.
To view the list of matches:
- On the Targets Page, click a Target to display its list of matches.
- You can sort the list of displayed matches by:
- Location: Full path of the match location.
- Owner: User with Owner permissions.
- Types: Number of matches and test data.
- Click on a match to view:
- Match type filter: List of matches sorted by type.
- Match sample view: Sample of the match. To view a detailed summary, click View all info.
- Match sample view encoding: Contextual data for matches in a match location in these encoding formats:
Plain text (ASCII), EBCDIC (used in IBM mainframes), Hexadecimal.
To display contextual data around matches, make sure this option is selected when you schedule a scan.
Scanning EBCDIC-based systems can be enabled in Data Type Profiles.
You can filter matches by entering a search criteria or selecting an option in the Filter sidebar.
To filter matches:
- On the top-right hand of the Target details page, click Filter to display the Filter sidebar.
- On the left of the page, the Filter section displays matches found in the Target location sorted by type.
To filter your view, select one or more match types to be displayed.
If no data type filters are selected, all data type matches will be remediated for a selected match location.
To display a list of matches based on a search term:
- On the top-right hand of the Target details page, next to the Filter button; enter a search term to search for in a file name or path.
- Press ENTER.
Inaccessible Locations are files, folders and drives on a Target which cannot be reached during a scan.
On the bottom-left corner of the Target details page, click ⊘ Inaccessible Locations to view a log of these locations.
If a match is found to contain sensitive data, ER2 provides tools to report and secure the match location.
Remedial actions are categorized by:
- Act directly on selected location: Remedial actions that directly modify match locations to secure your data.
- Mark locations for compliance report: Flag these items as reviewed but does not modify the data. These options do not secure your data.
The Target details page displays the results of remedial action taken for match locations in the Status column.
To remediate a match location:
- On the Remediation page, select the match location(s) that you want to remediate.
- Click Remediate and select one of the following actions:
Act Directly on Selected Location
This section lists available remedial actions that act directly on match locations. Acting directly on selected locations reduces your Target’s match count.
|Mask all sensitive data||
Masking data is destructive. It writes over data in the original file to obscure it. This action is irreversible, and may corrupt remaining data in masked files.
Masks all found sensitive data in the match location with a static mask. A portion of the matched strings are permanently written over with the character, "x" to obscure the original. For example, '1234560000001234' is replaced with '123456XXXXXX1234'.
File formats that can be masked include:
Not all files can be masked by ER2; some files such as database data files and PDFs do not allow ER2 to modify their contents.
Moves the files to a secure location you specify and leaves a tombstone text file in its place.
Performing a Quarantine action on "example.xlsx" moves the file to the user-specified secure location and leaves "example.xlsx.txt" in its place.
Tombstone text files will contain the following text:
Securely deletes the match location (file) and leaves a tombstone text file in its place.
Performing a Delete permanently action on "example.xlsx" removes the file and leaves "example.xlsx.txt" in its place.
Tombstone text files will contain the following text:
Attempting to perform a Delete permanently action on files already deleted by the user (removed manually, without using the Delete permanently remedial action) will update the match status to "Deleted" but leave no tombstone behind.
Secures the match location using an AES encrypted zip file. You must provide an encryption password here.
Encrypted zip files that ER2 makes on your file systems are owned by root, which means that you need root credentials to open the encrypted zip file.
Mark Locations for Compliance Report
Flag these items as reviewed but does not modify the data. Hence, the sensitive data found in the match is still not secure.
|Confirmed||Marks selected match location as Confirmed. The location has been reviewed and found to contain sensitive data that must be remediated.|
|Remediated manually||Marks selected match location as Remediated Manually. The location contains sensitive data which has been remediated using tools outside of ER2 and rendered harmless.
Marking selected match locations as Remediated Manually deducts the marked matches from your match count. If marked matches have not been remediated when the next scan occurs, they resurface as matches.
Marks selected match location as Test Data. The location contains data that is part of a test suite, and does not pose a security or privacy threat.
To ignore such matches in future, you can add a Global Filter when you select Update configuration to classify identical matches in future searches
Marks selected match location as a False Match. The location is a false positive and does not contain sensitive data. You can choose to update the configuration by selecting:
To send data to Ground Labs to help improve future matches, select Send encrypted false match samples to Ground Labs for permanent resolution.
|Remove mark||Unmarks selected location.
Unmarking locations is captured in the Remediation Log.
When a match is labeled as credit card data or other data prohibited under the PCI DSS, you cannot add it to your list of Global Filters through the remediation menu. Instead, add the match you want to ignore by manually setting up a new Global Filter. See Global Filters for more information.
The Remediation Log captures all remedial actions taken on a given Target.
To view the remediation log:
- On the bottom-right corner of the Remediation page, click Remediated Logs.
- You can sort the remediation logs by
- Location: Location of file that has had remedial action taken.
- Remediation Status: Whether the file has been successfully remediated.
- Match Count: The number of matches in the file.
- Timestamp: Month, day, year, and time of the remedial event.
Sign-off: Text entered into the Sign-off field when remedial action is taken.ER2 uses two properties to log the source of remedial action: the Sign-off, and the name of the user account used. The name of the user account used for remediation is not displayed in the Remediation Logs, but is still recorded and searchable in Filter by….
- In the Filter by… section. you can filter the logs by:
- Date: Set a range of dates to only display logs from that period.
- User: Display only Remedial events from a particular user account.
- Reverse order: By default, the logs display the newest remedial event first; check this option to display the oldest event first.
- ↺ Reset Filters: Click this to reset filters applied to the logs.
- Export Log: Saves the filtered results of the Remediation Logs to a csv file.