Enterprise Recon 2.0.31

All Documentation > ER 2.0.31 > Scanning Overview > Remediation

Remediation

Remediation is permanent
Remediation can result in the permanent erasure or modification of data. Once performed, remedial actions cannot be undone.

Matches found during scans must be reviewed and, where necessary, remediated. ER2 has built-in tools to mark and secure sensitive data found in these matches.

Remediating matches is done in two phases:

Review Matches
Remedial Action

Review Matches

When matches are found during a scan, they are displayed in the Remediation page as match locations. To help you review these matches, the Remediation page displays:

List of Matches
Match Filter: Matches based on a specified criteria.
Search Matches: Search for specific matches.
Inaccessible Locations: Files, folders and drives that could not be reached during the scan.

List of Matches

You can view a list of matches from a specified target and evaluate the remediation options.

To view the list of matches:

Log into the Web Console.
Expand the navigation menu, ENTERPRISE RECON . Go to the TARGETS page.
On the TARGETS Page, click on a Target to go to the Target details page.
(Optional) Sort the list of displayed matches by:
- Location: Full path of the match location.
- Owner: User with Owner permissions.
- Types: Number of matches and test data.

Click on a match to bring up the match inspector window.
Match inspector window displaying the list of matches, match details and encoding for a location.

Component	Description
Data type matches	Displays the list of matches detected in the match location, sorted by data type.
Match details	Displays samples and contextual data for the match. Click on View all info to see the metadata and a breakdown of data type matches for the match location.
Match sample encoding	Select the encoding format to use for displaying contextual data for the match. Encoding options: Plain text (ASCII), EBCDIC (used in IBM mainframes), Hexadecimal.

Contextual data is the data surrounding the matches found in a match location. Reviewing contextual data may be helpful in determining if the match itself is genuine, since matches are always masked dynamically when presented on the Web Console.

To display contextual data around matches, make sure this option is selected when you schedule a scan.

Scanning EBCDIC-based systems can be enabled in Data Type Profiles.

Match Filter

You can filter matches by entering a search criteria or selecting an option in the Filter sidebar.

To filter matches:

On the top-right hand of the Target details page, click Filter to display the Filter sidebar.
On the left of the page, the Filter section displays matches found in the Target location sorted by type.
To filter your view, select one or more match types to be displayed.

Remediate Specific Data Types
Apply data type filters to remediate specific data types for a selected match location.

For example, File A has one Personal Names (English) and two Mastercard matches. Only Mastercard matches will be remediated if Mastercard is the only data type filter that was selected when remedial action was taken.

If no data type filters are selected, all data type matches will be remediated for a selected match location.

Trash Scan Results

You can use the Trash function to remove scan results for specific data types from a Target.

Using the Trash button to remove scan results does not delete the actual match data on the Target. If no remedial action was taken, the scan results that were removed would be detected as match locations if a scan is executed again on the Target.

To remove scan results from a Target:

On the top-right hand of the Target details page, click Filter to display the Filter sidebar.
In the Filter section on the left of the page, select one of more data types.
Click the Trash button to remove scan results for the selected data types.

The Trash feature removes scan results across all match locations for data types that are selected using the data type filter. The Trash feature is not applicable if:

One or more match locations are selected for remediation.
One or more Advanced Filters are selected.
Match locations are filtered using the Search Location function.

Search Matches

To display a list of matches based on a search term:

On the top-right hand of the Target details page, next to the Filter button; enter a search term to search for in a file name or path.
Press ENTER.

Inaccessible Locations

Inaccessible Locations are files, folders and drives on a Target which cannot be reached during a scan.

On the bottom-left corner of the Target details page, click ⊘ Inaccessible Locations to view a log of these locations. List of Inaccessible Locations with Notice severity for a Target.

Remedial Action

If a match is found to contain sensitive data, ER2 provides tools to report and secure the match location.

Remedial actions are categorized by:

Act directly on selected location: Remedial actions that directly modify match locations to secure your data.
Mark locations for compliance report: Flag these items as reviewed but does not modify the data. These options do not secure your data.

To remediate a match location:

On the Target details page, select the match location(s) that you want to remediate.

Click Remediate and select one of the following actions:

Remediation	Remedial Actions
Act directly on selected location	Mask all sensitive data Quarantine Delete Permanently Encrypt file
Mark locations for compliance report	Confirmed Remediated manually Test Data False Match Remove Mark

Only remedial actions that are supported across all selected match locations will be available for selection in the Remediate dropdown menu. See Remediation Rules for more information.

Remediate Specific Data Types

Apply data type filters to remediate specific data types for a selected match location.

For example, File A has one Personal Names (English) and two Mastercard matches. Only Mastercard matches will be remediated if Mastercard is the only data type filter that was selected when remedial action was taken.

If no data type filters are selected, all data type matches will be remediated for a selected match location.

Enter a name in the Sign-off field.
(Optional) Enter an explanation in the Reason field.
Click Ok.

The Target details page displays the results of remedial action taken for match locations in the Status column.

All remedial actions are captured in the Remediation Log. When attempting to remediate a match location, you are required to enter a name in the Sign-off field.

Act Directly on Selected Location

This section lists available remedial actions that act directly on match locations. Acting directly on selected locations reduces your Target’s match count.

Target A has six matches: after encrypting two matches and masking three, the Target A’s match count is one.

Exercise caution when performing remedial actions that act directly on a selected location. For example, masking data found in the C:\Windows\System32 folder may corrupt the Windows operating system.

Action	Description
Mask all sensitive data	Masking data is destructive. It writes over data in the original file to obscure it. This action is irreversible, and may corrupt remaining data in masked files. Masks all found sensitive data in the match location with a static mask. A portion of the matched strings are permanently written over with the character, "x" to obscure the original. For example, '1234560000001234' is replaced with '123456XXXXXX1234'. File formats that can be masked include: XPS. Microsoft Office 97-2003 (DOC, PPT, XLS). Microsoft Office 2007 and above (DOCX and XLSX). Files embedded in archives (GZIP, TAR, ZIP). Not all files can be masked by ER2; some files such as database data files and PDFs do not allow ER2 to modify their contents.
Quarantine	Moves the files to a secure location you specify and leaves a tombstone text file in its place. Performing a Quarantine action on "example.xlsx" moves the file to the user-specified secure location and leaves "example.xlsx.txt" in its place. By default, tombstone text files will contain the following text: `Location quarantined at user request during sensitive data remediation.` For match locations with very small file sizes, the tombstone message may be truncated to ensure the tombstone file size does not exceed the original file size of the match location. For example, the default tombstone message may be truncated to "Location quarantined at" when Quarantine remedial action is performed on a match location that is 16 bytes in size. To change the message in the tombstone text file, see Customize Tombstone Message.
Delete permanently	Securely deletes the match location (file) and leaves a tombstone text file in its place. Performing a Delete permanently action on "example.xlsx" removes the file and leaves "example.xlsx.txt" in its place. By default, tombstone text files will contain the following text: `Location deleted at user request during sensitive data remediation.` For match locations with very small file sizes, the tombstone message may be truncated to ensure the tombstone file size does not exceed the original file size of the match location. For example, the default tombstone message may be truncated to "Location deleted at" when Delete permanently remedial action is performed on a match location that is 16 bytes in size. To change the message in the tombstone text file, see Customize Tombstone Message. Attempting to perform a Delete permanently action on files already deleted by the user (removed manually, without using the Delete permanently remedial action) will update the match status to "Deleted" but leave no tombstone behind.
Encrypt file	Secures the match location using an AES encrypted zip file. You must provide an encryption password here. Encrypted zip files that ER2 makes on your file systems are owned by root, which means that you need root credentials to open the encrypted zip file.

Customize Tombstone Message

You can customize the contents of the tombstone text file that is left in place of a location that has been remediated using the Quarantine or Delete Permanently methods.

The message in the tombstone text file can be customized to provide useful information when someone tries to access the remediated locations. Separate messages can be configured for Quarantine and Delete Permanently tombstone text files.

You must have Global Admin or System Manager permissions to modify the contents of the tombstone text file.

In the REMEDIATION > TOMBSTONE TEXT EDITOR page, go to the Quarantine Tombstone File or Delete Permanently Tombstone File section.
Click on Edit to customize the message in the tombstone text file. The character limit for the text is 1000.

If an empty tombstone message is saved, the tombstone message will automatically revert back to default ER2 tombstone message. For example, for Quarantine remediation, "Location quarantined at user request during sensitive data remediation".

Using non-ASCII characters may cause the tombstone message to be displayed incorrectly for users on unsupported platforms.
To ensure that users view meaningful content, configure a message with minimal non-ASCII characters, or set up a tombstone message that contains multiple languages.
Once done, click on Save. The new tombstone message will be applicable to all Targets.

For match locations with very small file sizes, the tombstone message may be truncated to ensure the tombstone file size does not exceed the original file size of the match location.

Names, email addresses, contact numbers or other PII data contained within the tombstone message will be detected as matches if the remediated locations are scanned again. You can set up Global Filters to exclude the contents of tombstone text files from future scan results.

Mark Locations for Compliance Report

Flag these items as reviewed but does not modify the data. Hence, the sensitive data found in the match is still not secure.

Action	Description
Confirmed	Marks selected match location as Confirmed. The location has been reviewed and found to contain sensitive data that must be remediated.
Remediated manually	Marks selected match location as Remediated Manually. The location contains sensitive data which has been remediated using tools outside of ER2 and rendered harmless. Marking selected match locations as Remediated Manually deducts the marked matches from your match count. If marked matches have not been remediated when the next scan occurs, they resurface as matches.
Test Data	Marks selected match location as Test Data. The location contains data that is part of a test suite, and does not pose a security or privacy threat. To ignore such matches in future, you can add a Global Filter when you select Update configuration to classify identical matches in future searches
False match	Marks selected match location as a False Match. The location is a false positive and does not contain sensitive data. You can choose to update the configuration by selecting: Update configuration to classify identical matches in future searches to add a Global Filter to ignore such matches in the future. Update configuration to ignore match locations in future scans on this target to add a Global Filter to ignore this specific location/file when performing subsequent scans. To send data to Ground Labs to help improve future matches, select Send encrypted false match samples to Ground Labs for permanent resolution.
Remove mark	Unmarks selected location. Unmarking locations is captured in the Remediation Log.

Marking PCI data as test data or false matches
When a match is labeled as credit card data or other data prohibited under the PCI DSS, you cannot add it to your list of Global Filters through the remediation menu. Instead, add the match you want to ignore by manually setting up a new Global Filter. See Global Filters for more information.

Remediation Rules

While remediation happens at individual file level, remediation action that can be taken is dependent on both the Target platform and file type.

Platform / File Type	Masking	Delete Permanently	Quarantine	Encryption
Unix Share Network File System	✓	✓	✓	✓
FileA.ppt	✓	✓	✓	✓
FileB.pdf	-	✓	✓	✓

The table above describes the supported remediation actions that act directly on location for a Unix Share Network File System (NFS) Target and two file types (File A.ppt and FileB.pdf).

File A.ppt is found as a match during a scan of a Unix Share NFS, therefore the all remediation action that act directly on locations are possible for File A.ppt. FileB.pdf is another match location found on a Unix Share NFS, therefore it can be remediated via deletion, encryption or quarantine.

If both File A.ppt and FileB.pdf are selected for remediation, the possible remedial actions that can be taken are Delete Permanently, Quarantine or Encryption.

Remediation Log

The Remediation Log captures all remedial actions taken on a given Target.

Remediation Log displaying the details for remediated match locations on MY-UBUNTU-MACHINE.

To view the remediation log:

Go to the Target details page.
On the bottom-right corner of the page, click Remediated Logs.

You can sort remediation logs by:

Property	Description
Location	Location of file that has had remedial action taken.
Remediation Status	Indicates whether the file has been successfully remediated.
Match Count	The number of matches in the file.
Timestamp	Month, day, year, and time of the remedial event.
Sign-off	Text entered into the Sign-off field when remedial action is taken. ER2 uses two properties to log the source of remedial action: the Sign-off, and the name of the user account used. The name of the user account used for remediation is not displayed in the Remediation Logs, but is still recorded and searchable in the Filter by… panel.

In the Filter by… panel, you can filter remediation logs by:

Field	Description
Date	Set a range of dates to only display logs from that period.
User	Display only Remedial events from a particular user account. Use the following format for Manually added users: <username> Users imported using the Active Directory Manager: <domain\username>
Reverse order	By default, the logs display the newest remedial event first; check this option to display the oldest event first.
↺ Reset Filters	Click this to reset filters applied to the logs.
Export Log	Saves the filtered results of the Remediation Logs to a CSV file.