This article explains the details of :Respond Analysis and Report v1.0.
SSProtect :Respond provides, at the touch of a button, Sabotage Remediation for protected content together with Data Disclosure Risk Analysis. This article enumerates and explains details for each of the different available Analysis Types.
You can create one of three different :Respond Analysis executions, each described in the following paragraphs. These choices are offered in the primary UI's Analysis Type dropdown listbox control.
When required, the software first dispatches requests to participating Users. For all Analysis Types, the software then enumerates the items to be analyzed, performs the analysis, and creates a final report for review. Details for each are included in the related sections of this article.
Integrity Check and Remediation
This Analysis enumerates protected content, hashes each of the identified files, and compares each resulting hash to the information managed by KODiAC Cloud Services. When :Recover is active for an item and the option is enabled for the Analysis, a corrupted or missing item can be Restored.
Restored data items replace corrupted content, or at the very least are placed in the expected location where the missing content should be. Existing items are renamed with a ".old" extension, which allows you to return to the original data item when necessary.
Files used in this Analysis match those found in each participating User's Protected Files display, but only those that are Double Encrypted for :Recover usage. Items that utilize Optimized Offloading are ignored. Host debug logs explain the reasons for skipping items.
Note that Archived and moved items that no longer appear in the Protected Files display are not included, and are not noted in local debug logs or the final Report.
When the Analysis is dispatched to the entire Organization, participating Users are notified on next SSProtect Login that an Analysis is required, and must wait for execution to complete. This will be marked with a small popup dialog and prompt for 2nd-factor authentication, when appropriate.
In some cases, on-disk content does not match the expectations you would see in a Protected Files display. When there is such a disconnect, the software checks the on-disk content and attempts to match it with an existing Version. This allows Integrity checks to succeed when data items have been updated but not yet opened by the participating User.
Finally, while data items are being enumerated and hashes checked, Users should refrain from converting items. This is only a valid concern for the privileged User executing the Analysis, since all other Users are blocked while the Analysis proceeds after Login.
This Analysis Type represents Phase 2 of a :Respond execution, specifically the Data Disclosure Risk Analysis. This Analysis enumerates all data items with events during the Analysis Period, and subsequently uses this set of identified items for further data disclosure checks.
Analysis is performed in the cloud, in the background, and does not inhibit use of the software. Results indicate whether or not plaintext content has been exposed, for each item, for an attacker present during the Analysis Period. This takes into account leftover plaintext remnants that may be present in third party applications or supporting system resources. For this reason, Analysis often goes beyond events in the noted Period, though only for the data items scoped within the Period.
For details, refer to the article, Definitive Disclosure Risk.
This Analysis performs both Phase 1 and Phase 2 Analysis, first carrying out the tasks noted in the Phase 1 description above, then Phase 2. Remember that Phase 1 Integrity Checks require execution by each individual User, whereas Phase 2 Analysis can be carried out independently of host state.
Analysis with Multi-Host Profiles
When performing Phase 1 Integrity Checking, results will vary if any User utilizes the software on more than one Host. This is not encouraged and generally not supported, though Users can deploy Profiles to new Host computers to support migration when responding to issues with resources. Any disconnect between one Host and another will not be resolved by the Analysis; scope is determined only by the set of Protected Files on the host used for the Analysis, i.e. the host on which a participating User performs SSProtect Login.
Report output fields are a subset of those in an :Assess File Detail Report, plus the additional fields described below.
Integrity Check and Remediation Report Fields
Phase 1 Report Fields are added to the standard :Assess File Report, as follows:
The Corrupted field indicates whether or not the file reflected by the line-item was found to be different than expected (or missing); otherwise this field contains "No". You will see "N/A" if the field is for some reason included in a report that does not execute Phase 1 Analysis (future).
If the file was found to be improper, this field includes the date/time of the discovered file. Note that this may not reflect reality, since file date/time can be changed independently of modifying the data.
The Remediated field contains "Not Required" if the file is not corrupted, or the date/time at which the proper version was Restored (when you choose Restore Corrupted Files from the UI, which requires :Recover). The field holds "N/A" if the Analysis is not run (future).
In some cases, a file may be skipped. This happens if the file cannot be read during initial enumeration. In other cases, Remediation fails, which is also reflected in this column.
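The following Python is an added example, not SSProtect's code, and it does not describe how KODiAC Cloud Services actually stores or compares hashes. It models the Phase 1 flow described in the Integrity Check and Remediation section (enumerate, hash, compare, optionally Restore, rename the existing item with ".old") and fills the Phase 1 report fields described above. Assumptions: SHA-256 as the digest, a local manifest of expected digests and a local backup directory as stand-ins for the service-side data and the :Recover copy, the column names "File" and "Found", and the value "No" for a corrupted item when Restore was not requested; "Not Required", "Skipped" and the restore timestamp follow the page. The sample files are constructed inside a temporary directory.

```python
import csv
import hashlib
import io
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Optional

# "File" and "Found" are assumed column names; "No" for an unremediated
# corrupted item is an assumed value. The rest follows the report description.
FIELDS = ["File", "Corrupted", "Found", "Remediated"]


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large items need no extra memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_item(path: Path, expected: str, backup: Optional[Path], remediate: bool) -> Dict[str, str]:
    """Hash one protected item, compare with the expected digest and, if asked, restore it."""
    row = {"File": path.name, "Corrupted": "No", "Found": "", "Remediated": "Not Required"}
    try:
        missing = not path.is_file()
        actual = None if missing else sha256_of(path)
    except OSError as exc:
        # Unreadable during enumeration: the item is skipped, not judged.
        row["Corrupted"] = "Skipped"
        row["Remediated"] = f"Skipped ({exc.strerror})"
        return row
    if not missing and actual == expected:
        return row  # intact: nothing to do
    row["Corrupted"] = "Yes"
    # On-disk mtime of the discovered file; as the page notes, it need not reflect reality.
    row["Found"] = "missing" if missing else datetime.fromtimestamp(
        path.stat().st_mtime, tz=timezone.utc).isoformat(timespec="seconds")
    if not remediate:
        row["Remediated"] = "No"
        return row
    try:
        # Never restore from a copy that does not itself match the known-good digest.
        if backup is None or sha256_of(backup) != expected:
            raise ValueError("no verified copy to restore from")
        if not missing:
            # Keep the suspect bytes under ".old" for later review instead of destroying them.
            path.rename(path.with_name(path.name + ".old"))
        shutil.copyfile(backup, path)
        if sha256_of(path) != expected:
            raise ValueError("restored copy failed verification")
        row["Remediated"] = datetime.now(timezone.utc).isoformat(timespec="seconds")
    except (OSError, ValueError) as exc:
        row["Remediated"] = f"Failed ({exc})"
    return row


def run_analysis(manifest: Dict[Path, str], backups: Dict[Path, Path], remediate: bool) -> List[Dict[str, str]]:
    """Enumerate every item in the manifest and produce one report row per item."""
    return [check_item(p, digest, backups.get(p), remediate) for p, digest in manifest.items()]


def to_csv(rows: List[Dict[str, str]]) -> str:
    """Serialise the rows as the .CSV a reviewer would open or script against."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def demo(remediate: bool = True) -> dict:
    """Constructed scenario: one intact, one tampered and one missing protected item."""
    root = Path(tempfile.mkdtemp())
    store = root / "backup"
    store.mkdir()
    originals = {"ok.docx": b"quarterly notes", "tampered.xlsx": b"ledger", "gone.pdf": b"report"}
    manifest: Dict[Path, str] = {}
    backups: Dict[Path, Path] = {}
    for name, data in originals.items():
        (store / name).write_bytes(data)  # stand-in for the recoverable copy
        manifest[root / name] = hashlib.sha256(data).hexdigest()
        backups[root / name] = store / name
    (root / "ok.docx").write_bytes(originals["ok.docx"])
    (root / "tampered.xlsx").write_bytes(b"ledger with altered figures")
    # gone.pdf is never written to root: it is the missing item
    rows = run_analysis(manifest, backups, remediate)
    return {
        "rows": rows,
        "old_kept": (root / "tampered.xlsx.old").is_file(),
        "restored_ok": (root / "tampered.xlsx").is_file()
        and sha256_of(root / "tampered.xlsx") == manifest[root / "tampered.xlsx"],
    }


if __name__ == "__main__":
    print(to_csv(demo()["rows"]))
```

Two design points worth noting: the backup copy is hashed against the expected digest before it is used, so a tampered "recovery" copy cannot be written over the item, and the suspect file is renamed rather than overwritten, which preserves evidence for the Phase 2 review.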
Disclosure Risk Report Fields
Phase 2 Report Fields are added to the standard :Assess File Report, as follows:
The Risk field contains one of the pre-defined Risk values for the Analysis, along with the Reason, which refers to the last Action performed on the file that resulted in the disclosure risk. Details for these fields can be better understood by referring to the article, Definitive Disclosure Risk.
Detail vs. Summary Reports
When executing an Analysis, if you choose List Event Details from the UI, the resulting report includes the Summary item, which reflects the Integrity Check and Remediation and/or the Disclosure Risk and Reason, followed by details reflecting the file events that took place during the Analysis Period. Use the resulting .CSV to manipulate the data as you see fit, and supplement this information with additional reports that can provide further evidence of interaction during other timeframes.
Though Disclosure Analysis often requires review of events outside the target Analysis Period, these items are not listed even when you choose to show Details. Use the File Report with an expanded time range, or other Reports, to investigate.
This article was updated with v5.0.2 of the :Foundation Client.