Enterprise Recon 2.6.0
Remediation
This section covers the following topics:
Overview
Remediation can result in the permanent erasure or modification of data. Once performed, remedial actions cannot be undone.
Matches found during scans must be reviewed and, where necessary, remediated. ER2 has built-in tools to mark and secure sensitive data found in these matches.
Remediating matches is done in two phases:
Review Matches
When matches are found during a scan, they are displayed in the Investigate page as match locations. The results grid, location filters and match inspector are some of the features available to help user review and verify the scan results.
Reporting resource permissions are required to review match results in the Investigate page. See the Permissions Table for more information.
Remedial Action
If a match is found to contain sensitive data, ER2 provides tools to report and secure the match location.
There are two categories of remedial actions:
- Act Directly on Selected Location
- Users with Remediate - Act Directly on Location resource permissions can perform remedial actions that directly modify match locations to secure sensitive data.
- Mark Locations for Compliance Report
- Users with Remediate - Mark Location for Report resource permissions can flag these sensitive data matches as acknowledged and reviewed. These set of remediation options do not modify or secure the sensitive data.
To delegate remediation tasks to another user, see Delegated Remediation.
Remediate from Investigate
To remediate a match location from the Investigate page:
- (Optional) Select one or more filters in the Filter Locations by panel and click Apply Filter to display Targets and match locations that fulfill specific criteria in the results grid.
- Select the Targets and match locations that you want to remediate.
-
Click Remediate and select one of the following actions:
Remediation Remedial Actions Act directly on selected location - Mask all sensitive data
- Quarantine
- Delete Permanently
- Encrypt file
Mark locations for compliance report - Confirmed
- Remediated manually
- Test Data
- False Match
- Remove Mark
Only remedial actions that are supported across all selected match locations will be available for selection in the Remediate dropdown menu. See Remediation Rules for more information.Remediate Specific Data TypesApply data type filters to remediate specific data types for a selected match location.
For example, File A has one Personal Names (English) and two Mastercard matches. Only Mastercard matches will be remediated if Mastercard is the only data type filter that was selected when remedial action was taken.
If no data type filters are selected, all data type matches will be remediated for a selected match location.
- Enter a name in the Sign-off field.
- Enter an explanation in the Reason field.
- Click Ok.
The remediation dialog box progress bar reaches 100% once remediation operations are completed. The Status column in the Investigate page will be updated to indicate if the remedial action taken was successful for each match location.
Act Directly on Selected Location
This section lists available remedial actions that act directly on match locations. Acting directly on selected locations reduces the Target's match count.
A match location is fully remediated when:
- The match location is quarantined, encrypted, or secure-deleted, or
- Sensitive data matches for all data types within the match location are masked.
If subsequent scans result in new matches for a file of the same name in the same location (path), this will be identified as a new match location by ER2.
Action | Description |
---|---|
Mask all sensitive data | Masking data is destructive. It writes over data in the
original file to obscure it. This action is irreversible, and may corrupt
remaining data in masked files.
Masks all found sensitive data in the match location with a static mask. A portion of the matched strings are permanently written over with the character, "x" to obscure the original. For example, '1234560000001234' is replaced with '123456XXXXXX1234'. File formats that can be masked include:
Not all files can be masked by ER2; some files such as database data files and PDFs do not allow ER2 to modify their contents. |
Quarantine |
Moves the files to a secure location you specify and leaves a tombstone text file in its place. The specified path will be created automatically if it does not exist. Performing a Quarantine action on "example.xlsx"
moves the file to the user-specified secure location and leaves
"example.xlsx.txt" in its place.
By default, tombstone text files will contain the
following text: Quarantine remedial action can only be performed if
all selected match locations belong to a single Target.
For match locations with very small file sizes, the
tombstone message may be truncated to ensure the tombstone file size does not
exceed the original file size of the match location.
For example, the default tombstone message may be truncated to "Location quarantined at" when Quarantine remedial action is performed on a match location that is 16 bytes in size. To change the message in the tombstone text file, see Customize Tombstone Message. |
Delete permanently |
Securely deletes the match location (file) and leaves a tombstone text file in its place. Performing a Delete permanently action on
"example.xlsx" removes the file and leaves "example.xlsx.txt" in its place.
By default, tombstone text files will contain the
following text: For match locations with very small file sizes, the
tombstone message may be truncated to ensure the tombstone file size does not
exceed the original file size of the match location.
For example, the default tombstone message may be truncated to "Location deleted at" when Delete permanently remedial action is performed on a match location that is 16 bytes in size. To change the message in the tombstone text file, see Customize Tombstone Message. Attempting to perform a Delete permanently action on
files already deleted by the user (removed manually, without using the
Delete permanently remedial action) will update the match status to
"Deleted" but leave no tombstone behind.
|
Encrypt file |
Secures the match location using an AES encrypted zip file. You must provide an encryption password here. Encrypted zip files that
ER2 makes on your file
systems are owned by root, which means that you need root credentials to open
the encrypted zip file.
|
Customize Tombstone Message
You can customize the contents of the tombstone text file that is left in place of a location that has been remediated using the Quarantine or Delete Permanently methods.
The message in the tombstone text file can be customized to provide useful information when someone tries to access the remediated locations. Separate messages can be configured for Quarantine and Delete Permanently tombstone text files.
You must have Global Admin or System Manager permissions to modify the contents of the tombstone text file.
- Log in to the ER2 Web Console.
- Go to the Settings > Remediation > Tombstone Text Editor page.
- Go to the Quarantine Tombstone File or Delete Permanently Tombstone File section.
-
Click on Edit to customize the message in the tombstone text file. The character limit for the text is 1000.
If an empty tombstone message is saved, the tombstone message will automatically revert back to default ER2 tombstone message. For example, for Quarantine remediation, "Location quarantined at user request during sensitive data remediation".Using non-ASCII characters may cause the tombstone message to be displayed incorrectly for users on unsupported platforms.
To ensure that users view meaningful content, configure a message with minimal non-ASCII characters, or set up a tombstone message that contains multiple languages. - Once done, click on Save. The new tombstone message will be applicable to all Targets.
Mark Locations for Compliance Report
Flag these items as reviewed but does not modify the data. Hence, the sensitive data found in the match is still not secure.
Action | Description |
---|---|
Confirmed | Marks selected match location as Confirmed. The location has been reviewed and found to contain sensitive data that must be remediated. |
Remediated manually | Marks selected match location as Remediated Manually. The location contains sensitive data which has been remediated using tools outside of ER2 and rendered harmless.
Marking selected match locations as Remediated Manually deducts the marked matches from your match count. If marked matches have not been remediated when the next scan occurs, they resurface as matches.
|
Test Data |
Marks selected match location as Test Data. The location contains data that is part of a test suite, and does not pose a security or privacy threat. To ignore such matches in future, you can add a Global Filter when you select Update configuration to classify identical matches in future searches |
False match |
Marks selected match location as a False Match. The location is a false positive and does not contain sensitive data. You can choose to update the configuration by selecting:
|
Remove mark | Unmarks selected location.
Unmarking locations is captured in the Remediation Log.
|
When a match is labeled as credit card data or other data prohibited under the PCI DSS, you cannot add it to your list of Global Filters through the remediation menu. Instead, add the match you want to ignore by manually setting up a new Global Filter. See Global Filters for more information.
Remediation Rules
While remediation happens at individual file level, remediation action that can be taken is dependent on both the Target platform and file type.
Platform / File Type | Masking | Delete Permanently | Quarantine | Encryption |
---|---|---|---|---|
Unix Share Network File System | ✓ | ✓ | ✓ | ✓ |
FileA.ppt | ✓ | ✓ | ✓ | ✓ |
FileB.pdf | - | ✓ | ✓ | ✓ |
The table above describes the supported remediation actions that act directly on location for a Unix Share Network File System (NFS) Target and two file types (File A.ppt and FileB.pdf).
File A.ppt is found as a match during a scan of a Unix Share NFS, therefore the all remediation action that act directly on locations are possible for File A.ppt. FileB.pdf is another match location found on a Unix Share NFS, therefore it can be remediated via deletion, encryption or quarantine.
If both File A.ppt and FileB.pdf are selected for remediation, the possible remedial actions that can be taken are Delete Permanently, Quarantine or Encryption.