Entitlement Reviews are a great way to get feedback from your business owners, and with StealthAUDIT 7.2 we can now also canvass these same business owners for Sensitive Data Reviews.
There are two optional settings to consider enabling before beginning a Data Review process.
The first option is to enable the collection of File Level Details by the 1-FSAA System Scans query, to record file sizes, last modified times, and ownership and permissions data for the files scanned. This is set within the FSAA Data Collector:
The second option is to have the Store Discovered Sensitive Data option enabled in the 1-SEEK System Scan query. This allows business owners to see the criteria matches during a review and can be enabled within the FSAA Data Collector options as well:
Once both the System Scans and Bulk Imports have been running with these new options set, we can then configure the reviews to be distributed in the Access Information Center (AIC). Log into the AIC, select Manage Entitlement Reviews, and create a new review. Next, select the Sensitive Data Review category and then pick the desired criteria type to be reviewed:
Check the box to Include sensitive data matches in review. If this option was already enabled, then the final review should show the sensitive data matches in the bottom grid. Now Finish the review as usual and this will send out notifications to the respective business owners that they have a pending review assigned to them.
The recipient business owners will be able to see the list of files matching the criteria picked, their sizes, their last modified dates, and the criteria type. The review options are: Keep, Remove, and False Positive. If the review was run previously and is being rerun, there will also be a tab called Previous Review that shows the files that had change requests:
Once completed, the review will show Review Responses on the Manage Entitlement Reviews page. If the administrator accepts a False Positive, the reviewed file will be marked as a false positive for the review’s criteria. (This action will insert the identity of the false positive file into the [SA_SDDExclusionFilters] table in the SA database and thus the file will be excluded from the subsequent results of this review). Accepting a Remove won’t trigger any automatic action on the file, but the file’s identity will be stored in a database table which can be used with action modules for automated cleanup, archiving, or other activities.
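As an added illustration (not StealthAUDIT code, and assuming nothing about the real schema of [SA_SDDExclusionFilters] or the table that holds Remove responses), the following model shows how accepted responses feed back into later results: an accepted False Positive excludes that file only for the review's own criteria, while an accepted Remove is queued for an action module rather than acted on.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Match:
    path: str           # file identity as reported by the 1-SEEK scan
    host: str
    criteria: str       # criteria type the review was created for
    size: int = 0
    last_modified: str = ""

@dataclass
class ReviewState:
    # (host, path, criteria) keys; models the exclusion filter the page
    # says is populated when an administrator accepts a False Positive.
    exclusions: set = field(default_factory=set)
    # Files an accepted Remove stores for an action module to process later.
    remove_queue: list = field(default_factory=list)

def accept_response(state, match, decision):
    """Apply one administrator-accepted review response."""
    if decision == "False Positive":
        state.exclusions.add((match.host, match.path, match.criteria))
    elif decision == "Remove":
        state.remove_queue.append(match)   # no automatic action on the file
    elif decision != "Keep":
        raise ValueError(f"unknown decision {decision!r}")

def next_review_results(state, scan_matches):
    """Filter a fresh scan's matches by the accepted exclusions.

    Exclusion is scoped to the criteria, so the same file still appears
    in a review for a different criteria type.
    """
    return [m for m in scan_matches
            if (m.host, m.path, m.criteria) not in state.exclusions]

def demo():
    # Constructed sample data (hypothetical hosts and paths).
    cc = Match("\\\\fs01\\share\\test-data.xlsx", "fs01", "Credit Card Numbers")
    ssn = Match("\\\\fs01\\share\\test-data.xlsx", "fs01", "Social Security Numbers")
    hr = Match("\\\\fs01\\hr\\old-export.csv", "fs01", "Credit Card Numbers")
    state = ReviewState()
    accept_response(state, cc, "False Positive")
    accept_response(state, hr, "Remove")
    rerun = next_review_results(state, [cc, ssn, hr])
    return state, rerun
```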
Congratulations! You now have in place a feedback loop with your business owners for discovered sensitive data.
Jeff is a Senior Engineer at STEALTHbits.