Feb 20
Spirion File Metadata – Data Classification

Every file carries metadata: descriptive information about the document (file or data) whose characteristics make it possible to categorize it. Author, creation date, and topic are typical examples. For corporate documents, common additional metadata includes a Data Classification, which Spirion provides.

The Spirion Data Classification process embeds a friendly name, associated GUIDs, and other tags, as shown in the metadata extract below. The Spirion classification tag can be read in several ways. You can view it directly in the file's metadata properties, for example in the document properties in Word.

 

From a metadata view, the following table contains all the XML metadata found using an "exif" viewer, such as the online tool at https://www.get-metadata.com.

When I ran the same document to extract the metadata I received the following snippet:

Application                    Microsoft Office Word
Category                       application
Characters                     23
Characters With Spaces         26
Create Date                    2013:07:08 18:32:00Z
Creator                        XXXXXXXXXX
Doc Security                   None
File Modification Date/time    2018:02:07 22:56:31+01:00
File Name                      Foreign_Doc.docx
File Size                      10 kB
File Type                      DOCX
File Type Extension            docx
Heading Pairs                  Title, 1
Hyperlinks Changed             No
Ifclassification               02adfcec-0ea5-44bc-98a9-f5a82c871c00
Ifclassification Flags         16384
Ifclassification Flags Type    1
Ifclassification Name          Internal Data
Ifclassification Name Type     1
Ifclassification Type          1
Ifclassification Version       43ee0c5f-e038-421c-8a3e-ab4eB1166124
Ifclassification Version Type  1

The highlighted section (the Ifclassification and Ifclassification Name entries) is the GUID and the friendly name as tagged by the Spirion data classification process. The GUID attribute "Ifclassification" can be used in many ways, such as surfacing the classification for DLP; utilities that view the XML or extract ADS should be able to locate this and many other attributes. For example, when this attribute is used for DLP, integration can key on the Data Classification friendly name and its associated GUID.
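As an added example (not Spirion's code and not part of the original post), the Python below reads the same custom properties directly from the DOCX package, so a DLP or triage script can pull the classification GUID and friendly name locally instead of sending the file to an online viewer. It assumes the tags are stored as custom document properties in docProps/custom.xml and takes the property names from the viewer output above (their on-disk spelling is an assumption); build_sample_docx and the sample file are constructed for illustration.

```python
import io
import uuid
import zipfile
import xml.etree.ElementTree as ET

CUSTOM_PART = "docProps/custom.xml"
CP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
MAX_PART_BYTES = 1_000_000  # refuse an oversized part (decompression-bomb guard)

def read_custom_properties(docx):
    """Return {name: value} for a DOCX's custom properties (path or file object)."""
    with zipfile.ZipFile(docx) as zf:
        if CUSTOM_PART not in zf.namelist():
            return {}
        if zf.getinfo(CUSTOM_PART).file_size > MAX_PART_BYTES:
            raise ValueError("docProps/custom.xml is larger than expected")
        root = ET.fromstring(zf.read(CUSTOM_PART))
    # Each <property name="..."> wraps one typed child such as <vt:lpwstr>.
    props = root.iter("{%s}property" % CP_NS)
    return {p.get("name"): (p[0].text or "") for p in props if len(p)}

def classification_tag(props):
    """Return the classification GUID and friendly name, or None if absent/malformed."""
    # Ignore case and spaces; the on-disk spelling of these names is an assumption.
    norm = {k.lower().replace(" ", ""): v for k, v in props.items() if k}
    try:
        guid = str(uuid.UUID(norm["ifclassification"]))
    except (KeyError, ValueError):
        return None  # a DLP rule should treat this as unclassified, not as cleared
    return {"guid": guid, "name": norm.get("ifclassificationname", "")}

def build_sample_docx(props):
    """Constructed input: a ZIP that holds only docProps/custom.xml."""
    body = "".join(
        '<property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="%d" name="%s">'
        "<vt:lpwstr>%s</vt:lpwstr></property>" % (i, n, v)
        for i, (n, v) in enumerate(props.items(), start=2))
    xml = '<Properties xmlns="%s" xmlns:vt="%s">%s</Properties>' % (CP_NS, VT_NS, body)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(CUSTOM_PART, xml)
    return buf

SAMPLE_PROPS = {"Ifclassification": "02adfcec-0ea5-44bc-98a9-f5a82c871c00",
                "Ifclassification Name": "Internal Data"}  # values from the extract above

if __name__ == "__main__":
    print(classification_tag(read_custom_properties(build_sample_docx(SAMPLE_PROPS))))
```

A file with no tag, or with a GUID that does not parse, returns None, so the caller can route it to an "unclassified" path rather than assuming a label.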

Feb 20
Spirion – Access Control List in Results Tab

When I view the ACL list for data discovery in the results tab, why are these blank?

A policy setting must be enabled before the ACLs are displayed. It can be enabled as follows.

  1. Navigate to the Console > Policies > Policy (from the Policy List) > Settings > Locations > Files > RetrieveFileACLDuringSearch. This setting is disabled by default.

Feb 16
Spirion Security & Sneakers Event with Tevora

Cory Retherford (www.coryretherford.com)

Solutions Engineer, Spirion

Specializing in security architecture and data management. SANS certifications and (ISC)² Member and certifications. 20 years as an IT professional with focus in data security and operational data security risk reduction. Real world solutions implementation experience in large and complex environments.

Abstract

Will discuss the fundamentals of meeting GDPR compliance beyond the traditional interviews with the application or process owners. Narrowing the project scope and creating data awareness is critical for any security program's success. Will discuss an approach to meeting compliance and implementing technical automation to help drive information worker security awareness and concentrate resources on protecting critical subject data.

Download the Presentation

SecurityandSneakersPresentation.pdf

Feb 02
Spirion – Update License

The following illustrates the steps needed to update the license in the Console and Endpoint software.

Console License Update

 

Client License Update

Feb 01
Spirion and NIST

This is a fantastic article on mapping DFARS 7012 and NIST SP 800-171 Regulatory Compliance Requirements with Spirion I authored.

http://info.spirion.com/rs/369-OZQ-876/images/WP-Supporting_DFARS_7012_NIST_800-171_compliance_requirements_with_Spirion.pdf

Feb 01
Spirion Web API

This link provides additional information about the Spirion web API.

Any SIEM tool being integrated with Spirion will require the ability to authenticate into Spirion via the REST interface either through developed middleware (such as Splunk), or the capability of scripting a login directly through Spirion's REST interface.

Splunk API

Please refer to the following KB article: Installing and configuring the Spirion Web API for Splunk

Splunkbase Spirion user guides

 

Jan 29
Spirion Logging

The Spirion client and console logs provide the following log levels.

  • Default Logging
  • Standard Logging
  • Additional Logging
  • Comprehensive Logging
  • Full Logging

 

"Default Logging" is customer consumable and reports information, errors, and other behaviors that are meaningful for operating Spirion. All messages above the Default Logging level are designed only for consumption by the Spirion Support team. Spirion does not provide an inventory of log messages, as many of them are dynamically created. For those that are static, the circumstances under which they can appear can be extraordinarily complex to describe and/or could reveal trade secret information.

Jan 24
Spirion “Limit the number of sessions opened”

Spirion provides functionality to limit the number of sessions that are used, or that remain open, after a file is accessed when searching for PII. When an application makes a remote connection to authenticate (to access file resources), it creates a session. Under normal circumstances, all sessions are closed when a search is completed. If an application exits unexpectedly, the session is orphaned. The operating system should close these during its normal cleanup process; however, it is possible that sessions could remain open.

Spirion strives to mitigate anything that could cause undesirable behavior and has policy options to control it. These policy settings are available in the latest 10.5.2 version of the Console and Client:

Settings\Locations\Remote\CloseExistingConnections

When searching remote machines, the endpoint will create connections to those resources. If there is a sufficient connection available when the application is started, that connection will be used. By default, the application will not close that connection. To close existing connections, set the desired value:

0: Existing connections will not be closed
1: If the search is run as localsystem, close any existing connections used by the endpoint
2: If the search is run as a user, close any existing connections used by the endpoint
3: Close all existing connections used by the endpoint, regardless of user context

Settings\Locations\Remote\ErrorHandiling\EnableSessionTracking

When remote file locations are searched, file handles are opened by the endpoint and, after the text from the file has been extracted, the endpoint requests that the operating system release the file handle. If there are delays in closing file handles and new file handles continue to be opened, the remote system can become unresponsive. To enable tracking of remote sessions, set this to Enable (1).

Settings\Locations\Remote\ErrorHandiling\KillAllRemoteSessionsAtShutdown

As part of a search of remote machines specified in the Remote Computer List (RCL), connections are repeatedly opened and closed as necessary. Under normal circumstances, all connections will be closed by the operating system after a request from the endpoint. In certain circumstances, it is possible that the operating system will not close remote sessions in a timely manner. In these cases, it is possible to forcibly close each session when the endpoint application is closed. For each remote resource specified in the RCL, and for the corresponding user specified for that connection, all sessions created by that user to that resource (including any connections for that user to the resource created outside of Spirion) will be terminated.

Settings\Locations\Remote\ErrorHandiling\MaxSessionCount

When remote file locations are searched, file handles are opened by the endpoint and after the text from the file has been extracted, the endpoint requests that the operating system release the file handle. If there are delays in closing file handles and new file handles continue to be opened, the remote system can become unresponsive. By default, the maximum number of remote sessions that will be opened is 100. If the MaxSessionCount is reached, the endpoint will wait up to the SessionCloseDelay minutes for the number of sessions to decrease before opening new sessions. To allow a greater or fewer number of open handles, change this setting. To allow a longer or shorter delay, change the SessionCloseDelay setting.

Settings\Locations\Remote\ErrorHandiling\SessionCloseDelay

When MaxSessionCount is reached, indicating that the maximum number of allowable concurrent sessions to a remote system have been opened, the endpoint will wait the specified number of minutes before moving on to the next file to search. If the SessionCloseDelay is reached 5 times without the session count dropping below MaxSessionCount, no additional files on that remote system will be searched. To allow a longer or shorter delay, change this setting to the desired number of minutes.

Example article that explains a similar scenario:

https://thesanguy.com/tag/open-files/

Jan 22
Spirion 10.5.2 Release Notes

Console - Version 10.5

  • Added Exact Match Data Type to support GDPR and Right to be Forgotten
  • Update to improve the status information for Discovery Teams
  • Updates to Spyglass Searches widget to display total number of locations
  • Updates to optimize the results import and index processes to improve performance
  • Added ability to delete user Ignore Lists via console
  • Added new Audit Logging tab and centralized message viewing and configuration
  • Added ability to import additional policy information
  • Added ability to perform Actions on multiple results
  • Added Endpoint Messages and Workflow Rules information to the Status tab
  • Updated Policies UI to visually indicate changes during editing
  • Updates to Database connection input and display
  • Added ability to specify which states are saved in the endpoint activity state history
  • Added ability to configure supported security protocols
  • Update to preserve historical information on Discovery Team members tab until the search is complete
  • Update to improve Results filtering when using timestamps
  • Update to prevent Shred action for local email locations
  • Update to improve display of search progress information for Discovery Team searches
  • Update to tags permissions to prefer explicit permissions
  • Update to restore Results Flat View
  • Update to address an issue when importing large matches
  • Update to address an issue that could display an error in the Spyglass heat map
  • Update to address an issue generating caches
  • Updates to Purge Results and Purge Searches service jobs to provide more granular options for purging searches with and without results
  • Update to address an issue preserving AD forest settings on upgrade
  • Improvements to performance and diagnostic capabilities
  • Added a Support Mode feature to assist with diagnostics
  • Updates to logos and UI elements     

Windows: Endpoint - Version 10.5

  • Added Outlook E-Mail Watcher to search and classify newly arrived messages and attachments
  • Update to add searching of Microsoft OneDrive for Business cloud locations
  • Added the ability to search SharePoint subsites
  • Update to add processing of Workflow actions for cloud locations
  • Update to installer to provide ability to separate explorer integrations
  • Added ability to delete user Ignore Lists via console
  • Update to add session management when searching remote data stores
  • Update to Google cloud search to handle limits and quotas
  • Update to Outlook search to ignore internal Files folder
  • Updates to provide settings for external module timeouts
  • Updates to AnyFind to improve accuracy
  • Update to encryption libraries that remove FIPS compatibility
  • Update to Box cloud authentication methods
  • Update to improve handling of machine name changes
  • Update to improve handling of Access database files
  • Update to improve Endpoint Watcher to better manage reporting of state to Console
  • Update to address several issues with dictionary searching
  • Updates to address issues with Windows Explorer when using add-ins
  • Update to address an issue when adding "/" to the exclude list
  • Update to address several issues with and overall improve Database Search
  • Update to address an issue when exporting settings
  • Update to address an issue when searching and using Redact for certain Office 2007 files
  • Update to address an issue when using Redact from Console
  • Update to address an issue processing Workflow rules that include date times
  • Update to address an issue previewing files with certain high-order Unicode characters
  • Update to address an issue when classifying Access databases, files using XMP metadata, and PST files
  • Updates to UI, logging and diagnostics

Mac: Endpoint - Version 10.5

  • Update to include compatibility with High Sierra
  • Added ability to delete user Ignore Lists via console
  • Updates to provide settings for external module timeouts
  • Updates to AnyFind to improve accuracy
  • Update to improve handling of machine name changes
  • Update to address an issue when shredding multiple locations
  • Update to address several issues with dictionary searching
  • Update to address an issue when adding "/" to the exclude list
  • Update to address an issue when exporting settings
  • Update to address an issue when searching and using Redact for certain Office 2007 files
  • Update to address an issue when using Redact from Console
  • Update to address an issue processing Workflow rules that include date times
  • Update to address an issue when classifying Access databases, files using XMP metadata, and PST files
  • Update to address an issue when disabling Actions in the UI via policy
  • Updates to UI, logging and diagnostics

Jan 18
Spirion CPU and Disk I/O Handling Options

Spirion is pre-configured to utilize all available CPU and Disk I/O with Normal priority. These settings can be configured separately for single policies or groups of machines as a default system policy.

CPU Configuration

UseMultipleCores – The number of CPUs utilized for searching from a Windows Endpoint can be configured.
The valid values are:

  • 0: Use only a single CPU core
  • 1 (Default): Use all available cores
  • >1: Use a maximum of this many processor cores. For example, on a system with 8 cores, set this value to 4 to limit the search to a maximum of 4 cores.

Process Prioritization

RunLowPriority – Modifying this setting forces Spirion to run at the lowest priority in the processing chain. Other applications running with priorities of Normal or Elevated will be handled by the OS with higher priority.
This setting is typically used on desktops and laptops, where other running applications should receive the highest priority.

Disk I/O Prioritization

RunLowPriority – Modifying this setting sets Spirion's I/O prioritization to the lowest value to minimize the impact on systems being used for daily activities.
This setting is typically used on desktops and laptops, where other running applications should receive the highest priority.

Copyright © | CoryRetherford, LLC | Contact MeNetwork Storage and Security Solutions, LLC, Rights Reserved.®