This article provides information common to all :Respond Analysis/ Report Types.
SSProtect :Respond addresses some of the most challenging aspects of Security Incident Response with both Data Integrity (and Content Remediation) Analysis and also Disclosure Risk Analysis.
This article describes general behavior associated with execution of either Analysis Type, with specific details for each in the articles, Using Integrity Remediation and Using Risk Analysis. For a more general overview, refer to the article, :Respond Introduction.
:Respond is an optional component, available to Organization Administrators/ Delegates and configured Individual Accounts. To request :Respond functionality, refer to the article, License and Components Interface.
The :Respond UI combines both Disclosure Risk and Integrity Analysis/ Remediation together. As a result, there are two notification icon context menu items, with Disclosure Risk Analysis shown:
Choose one of the two Analysis types using the dropdown control at the top left:
- Data Integrity - Performs Data Integrity (and Content Remediation) for select Users
- Disclosure Risks - Performs Data Disclosure Risk Analysis for an Organization
Related features are described in articles specific to each Analysis Type.
The middle section of the dialog provides controls that manage the Period (Timeframe) for a Disclosure Analysis. These controls are not available or required for Data Integrity Analysis.
The section below the Period controls (and above the Analysis Sets) shows Status for in-progress Analysis execution. This provides additional insight into changing state. The Help button, to the right of Status text, redirects back to these articles.
The bottom portion of the interface shows the list of Analysis Reports, or Analysis Sets, that you can review when an Analysis is not in progress. Select one (or more) then View Report to view results. This brings data from the cloud and into Microsoft Excel for formatted review.
Choose Remove to delete cloud-stored Analysis data. This removes the corresponding Analysis Set from the list. You can, however, refer back to any Report data you have independently saved, and can also regenerate Analysis results by repeating an operation with the same settings; results will not change.
Owners and Non-Owners
You cannot command or control any Analysis you did not start (though you can View it). This includes any Analysis in the list of Sets that has completed, as well as any in-progress Analysis started by another Privileged User.
Analysis Line-Item Details
Each Analysis Set includes the Created (UTC) date/ time, a unique Analysis ID assigned to the progression, the Owner who launched the Analysis, Results/ Risk specific to results, and Parameters.
The presence of (Unknown) in Results/ Risk is the likely result of an unfinished Analysis.
Results/ Risk for Disclosure Risk Reports
Disclosure Risk Results indicate findings from an average of all Disclosure Risks, in the form:
xx -> yy (zz)
...where xx is the base Risk Level, yy is the next Risk Level, and zz is a percentage of the way from xx to yy. For example, High -> Exp (23) would be 23% of the way from High exposure to Exposed. As you can see from the included Report List, there are times that the resulting Risk lands exactly on a boundary, i.e. Exposed, in which case it is noted. More details are provided in the article, Definitive Disclosure Risk.
Results/ Risk for Integrity Analysis/ Remediation
Integrity Analysis results indicate the number of files analyzed together with the count of items identified as lacking Integrity, i.e. found to be corrupted, changed, missing, or not as expected, in the form:
x of y/ z
...where x is the count of Remediated (Restored) items, y is the count of corrupted/ missing/ unexpected findings, and z is the total count of analyzed items.
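The two Results/ Risk forms above, together with the (Unknown) and exact-boundary cases, can be parsed as follows for triage of saved Report List data. This is an added Python example, not SSProtect code: the function name, the returned field names, the whitespace tolerance, and the x <= y <= z consistency check are assumptions.

```python
import re

# Patterns follow the documented forms; tolerance for extra spaces is an assumption.
RISK_RE = re.compile(
    r"^(?P<base>[^()\s][^()]*?)\s*->\s*(?P<next>[^()\s][^()]*?)\s*\(\s*(?P<pct>\d{1,3})\s*\)$"
)
INTEGRITY_RE = re.compile(r"^(?P<x>\d+)\s+of\s+(?P<y>\d+)\s*/\s*(?P<z>\d+)$")
LEVEL_RE = re.compile(r"^[A-Za-z][A-Za-z ]*$")  # bare Risk Level name, e.g. "Exposed"


def parse_result(text):
    """Classify one Results/ Risk value and return its fields as a dict."""
    value = text.strip()
    if value == "(Unknown)":
        # Documented as the likely result of an unfinished Analysis.
        return {"kind": "unknown"}

    m = INTEGRITY_RE.match(value)
    if m:  # "x of y/ z"
        restored, findings, total = (int(m[k]) for k in "xyz")
        return {
            "kind": "integrity",
            "restored": restored,                 # x: Remediated (Restored) items
            "findings": findings,                 # y: corrupted/ missing/ unexpected
            "total": total,                       # z: analyzed items
            "unremediated": findings - restored,  # findings still needing attention
            # Assumed invariant (not stated on the page): x <= y <= z.
            "consistent": restored <= findings <= total,
        }

    m = RISK_RE.match(value)
    if m:  # "xx -> yy (zz)"
        pct = int(m["pct"])
        if pct > 100:
            raise ValueError(f"percentage out of range: {value!r}")
        return {"kind": "risk", "base": m["base"].strip(),
                "next": m["next"].strip(), "percent": pct}

    if LEVEL_RE.match(value):
        # Risk landed exactly on a boundary, so only the level name is shown.
        return {"kind": "risk", "base": value, "next": None, "percent": 0}

    raise ValueError(f"unrecognized Results/ Risk value: {value!r}")


if __name__ == "__main__":
    # "2 of 3/ 120" is a constructed sample; the others appear in the text above.
    for sample in ("High -> Exp (23)", "Exposed", "(Unknown)", "2 of 3/ 120"):
        print(sample, "=>", parse_result(sample))
```

A value that matches none of the forms raises ValueError rather than being guessed at, which keeps malformed or truncated entries visible during review.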
Parameters provide some insight into the type of Analysis and its options:
- Int - Integrity/ Remediation progression
- Org - Integrity/ Remediation progression included Org Users
- Host - Integrity/ Remediation progression was for the caller
- Rem - Integrity/ Remediation progression executed Remediation
- Rsk - Disclosure Risk Analysis that did not include 3rd Party Reports
- 3rdRsdk - Disclosure Risk Analysis that included 3rd Party Reports
- NPP - Disclosure Risk Analysis precluding pre-period details
- Rgen - Disclosure Risk Analysis that regenerated Sequencing Data
- Seq - Disclosure Risk Analysis that included Sequencing Data Details
Additional details are described in articles associated with each Analysis Type.
Running an Analysis
Choose the desired Analysis Type, select from the available options by checking or unchecking related items, choose target Users and/ or the target Period/ Timeframe as appropriate, then choose Start. The software will proceed through multiple stages of the Analysis on your behalf, updating the Status. The Start button will be disabled and also contain changing text to show current state. You can leave and return to this interface shortly after starting an Analysis, though the delay varies based on the Type (since certain operations are first carried out on your host computer, and must complete before you navigate away).
Analysis states include the following: Start, Analyze, Repair (for Data Integrity), Summarize, and Report. If a critical error is encountered, the Analysis is Aborted. These states are reflected in various locations, including the Status, host debug logs, Analysis Set results, and Userlist information associated with Data Integrity Users.
If an Analysis execution encounters a non-critical error, the Start button will reflect last state, and the error will be displayed in the Status area. Once you address the error, you can command the Analysis through remaining states by pressing the Start button (which will have been renamed). This manually transitions through remaining states. Continue until you reach the final state and the Analysis is Closed, as described below, or Aborted, for fatal errors. Use Abort to abandon a progression - this will place the Aborted Analysis in the Analysis Set list, though you will not be able to review Report data, since the Analysis didn't Close.
Starting with v6.4.0, you will see an Auto-Report checkbox beneath the OK button. This determines whether or not execution continues past the Report state, which relieves you from the need to specifically command the Analysis through the final steps. This is suitable for some and not for others; when not using 2-factor authentication, it may be easier to check this option and permit Analysis to run all the way through completion without any additional required interaction. Those with 2-factor authentication will be prompted at the Report stage, before execution can complete.
This option is associated with Global Configuration that persists for all SSProtect use with each Windows Profile, i.e. Windows login (Username).
Analyzing Your Own Account
When executing an Analysis, state will (most often) proceed to the Report phase, reflected by a renamed Start button. You must click the Start/ Report button to download the resulting Report and Close the Analysis (when Auto-Report is unchecked). This displays data in Microsoft Excel and adds the result to the Analysis Set list, resetting controls (and re-enabling the Analysis Set controls) for another execution.
Email Notification for Report Readiness
If after starting an Analysis you choose to navigate away from this interface, you will receive email notification when the Analysis completes - even if you Logout or Exit the :Foundation Client. This will not take place if you are viewing the interface when execution completes.
Concurrent Use During Analysis
If you access managed content and convert data between Analysis Start and Summarize states, it will be difficult to determine if concurrent actions are included in the final results. Future versions will hard-stop the Analysis at the start date/time, though as of v6.3.2, each Analysis gets performed with the latest information available - which may or may not include any concurrent action you (and/ or other scoped Users) perform.
See LOCKDOWN in the article, Administering Client Resources, for information on how you can stop all data access operations for an entire Organization. This capability should only be used for extreme circumstances, though when working with an active Breach and looking for specific Disclosure Risk, it may be suitable.
This article was updated w/ v9.8.0 of the :Foundation Client