All files have associated metadata, which provides descriptive information about a document (file/data). This metadata describes the characteristics of a document and makes it possible to categorize it. An author, a creation date, and a topic are typical examples. For corporate documents, additional common metadata can include information such as Data Classification, which Spirion provides.
The Spirion Data Classification process embeds a friendly name, associated GUIDs, and other tags, as shown in the metadata extract below. The Spirion metadata tag for classification can be resolved in many ways. You can view it directly through the metadata properties of a file, for example in Word, where it is highlighted in the Doc properties.
From a metadata view perspective, the following table contains all XML metadata found using an "exif" viewer, such as the online tool located at https://www.get-metadata.com.
When I ran the same document to extract the metadata, I received the following snippet:
Application Microsoft Office Word
Characters With Spaces 26
Create Date 2013:07:08 18:32:00Z
Doc Security None
File Modification Date/time 2018:02:07 22:56:31+01:00
File Name Foreign_Doc.docx
File Size 10 kB
File Type DOCX
File Type Extension docx
Heading Pairs Title, 1
Hyperlinks Changed No
Ifclassification Flags 16384
Ifclassification Flags Type 1
Ifclassification Name Type 1
Ifclassification Type 1
Ifclassification Version 43ee0c5f-e038-421c-8a3e-ab4eB1166124
Ifclassification Version Type 1
The highlighted section is the GUID and the friendly name as tagged by the Spirion data classification process. The GUID attribute "Ifclassification" can be used in many ways, such as surfacing Classification for DLP. Utilities that view the XML or extract ADS should be able to locate this and many other attributes. For example, when this attribute is used for DLP, the integration can key on the Data Classification Friendly Name and its associated GUID.
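To show how a DLP or triage script could read these tags without an online viewer, the added example below (not Spirion code) pulls the classification properties out of the `docProps/custom.xml` part of a DOCX package. It assumes the tags are stored as OOXML custom properties whose names begin with "Ifclassification"; the raw property names and the all-zero GUID in the sample are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CP_URI = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT_URI = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
PART = "docProps/custom.xml"   # OOXML part that stores custom document properties
MAX_PART_BYTES = 1_000_000     # refuse oversized parts in untrusted files

def classification_properties(docx_bytes, prefix="ifclassification"):
    """Return {property name: value} for custom properties whose name starts with prefix."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        if PART not in pkg.namelist():
            return {}                      # no custom properties part: file was never tagged
        if pkg.getinfo(PART).file_size > MAX_PART_BYTES:
            raise ValueError("custom.xml is unexpectedly large")
        root = ET.fromstring(pkg.read(PART))
    found = {}
    for prop in root.iter("{%s}property" % CP_URI):
        name = prop.get("name", "")
        # exif-style viewers reformat names, so compare without spaces or case
        if name.replace(" ", "").lower().startswith(prefix):
            value = next(iter(prop), None)  # single typed child: vt:lpwstr, vt:i4, ...
            found[name] = (value.text or "") if value is not None else ""
    return found

def build_sample_package(props):
    """Constructed test input: a ZIP holding only docProps/custom.xml, not a full DOCX."""
    body = "".join(
        '<property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="%d" name="%s">'
        "<vt:lpwstr>%s</vt:lpwstr></property>" % (pid, name, value)
        for pid, (name, value) in enumerate(props.items(), start=2)
    )
    xml = '<Properties xmlns="%s" xmlns:vt="%s">%s</Properties>' % (CP_URI, VT_URI, body)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr(PART, xml)
    return buf.getvalue()

# Constructed sample; the raw property names Spirion writes are assumed here.
SAMPLE = build_sample_package({
    "IfclassificationFlags": "16384",
    "IfclassificationVersion": "00000000-0000-0000-0000-000000000000",
    "Department": "Finance",
})

if __name__ == "__main__":
    for name, value in classification_properties(SAMPLE).items():
        print(name, "=", value)
```

For files from untrusted sources, the parser can be swapped for `defusedxml.ElementTree`, which exposes the same `fromstring` call.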
When I view the ACL list for data discovery in the results tab, why are these blank?
This setting must be enabled to view the ACLs; this can be done using the following.
Specializing in security architecture and data management. SANS certifications and (ISC)² Member and certifications. 20 years as an IT professional with focus in data security and operational data security risk reduction. Real world solutions implementation experience in large and complex environments.
Will discuss the fundamentals of meeting GDPR compliance beyond the traditional interviews with the application or process owners. Narrowing the project scope and creating data awareness is critical for any security program's success. Will discuss an approach to meeting compliance and implementing technical automation to help drive information worker security awareness and concentrate resources on protecting critical subject data.
The following illustrates the steps needed to update the license in the Console and Endpoint Software.
This is a fantastic article on mapping DFARS 7012 and NIST SP 800-171 Regulatory Compliance Requirements with Spirion I authored.
This link provides additional information about the Spirion web API.
Any SIEM tool being integrated with Spirion will require the ability to authenticate into Spirion via the REST interface either through developed middleware (such as Splunk), or the capability of scripting a login directly through Spirion's REST interface.
Please refer to the following KB article: Installing and configuring the Spirion Web API for Splunk
Splunkbase Spirion user guides
The Spirion client and console logs provide the following log levels.
"Default Logging" is customer consumable and explains information, errors, and other behaviors that are meaningful for the operation of Spirion. All messages above the Default Logging level are designed only for consumption by the Spirion Support team. Spirion does not provide an inventory of log messages, as many of them are dynamically created. For those that are static, the circumstances under which they can manifest can be extraordinarily complex and/or reveal trade secret information.
Spirion provides functionality to limit the number of sessions used, or that remain open, after a file is accessed when searching for PII. When an application makes a remote connection to authenticate (access file resources), it creates a session. Under normal circumstances, all sessions are closed when a search is completed. If an application exits unexpectedly, the session is orphaned. The operating system should close orphaned sessions during its normal cleanup process; however, it is possible that sessions could remain open.
Spirion strives to mitigate any behavior that could cause undesirable behavior and has a policy option to control this behavior. These are Policy Settings available in the latest 10.5.2 version Console and Client:
When searching remote machines, the endpoint will create connections to those resources. If there is a sufficient connection available when the application is started, that connection will be used. By default, the application will not close that connection. To close existing connections, set the desired value:
0: Existing connections will not be closed
1: If the search is run as localsystem, close any existing connections used by the endpoint
2: If the search is run as a user, close any existing connections used by the endpoint
3: Close all existing connections used by the endpoint, regardless of user context
When remote file locations are searched, file handles are opened by the endpoint and after the text from the file has been extracted, the endpoint requests that the operating system release the file handle. If there are delays in closing file handles and new file handles continue to be opened, the remote system can become unresponsive. To enable tracking of remote sessions, set this to Enable (1).
As part of a search of remote machines specified in the Remote Computer List (RCL), connections are repeatedly opened and closed as necessary. Under normal circumstances, all connections will be closed by the operating system after a request from the endpoint. In certain circumstances, it is possible that the operating system will not close remote sessions in a timely manner. In these cases, it is possible to forcibly close each session when the endpoint application is closed. For each remote resource specified in the RCL, and for the corresponding user specified for that connection, all sessions created by that user to that resource (including any connections for that user to the resource created outside of Spirion) will be terminated.
When remote file locations are searched, file handles are opened by the endpoint and after the text from the file has been extracted, the endpoint requests that the operating system release the file handle. If there are delays in closing file handles and new file handles continue to be opened, the remote system can become unresponsive. By default, the maximum number of remote sessions that will be opened is 100. If the MaxSessionCount is reached, the endpoint will wait up to the SessionCloseDelay minutes for the number of sessions to decrease before opening new sessions. To allow a greater or fewer number of open handles, change this setting. To allow a longer or shorter delay, change the SessionCloseDelay setting.
When MaxSessionCount is reached, indicating that the maximum number of allowable concurrent sessions to a remote system have been opened, the endpoint will wait the specified number of minutes before moving on to the next file to search. If the SessionCloseDelay is reached 5 times without the session count dropping below MaxSessionCount, no additional files on that remote system will be searched. To allow a longer or shorter delay, change this setting to the desired number of minutes.
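The added model below (an illustration, not Spirion code) plays the MaxSessionCount and SessionCloseDelay rules described above against a constructed timeline of open-session counts, to show how many files on a busy remote system end up unsearched. Assumptions: time moves in whole minutes, a file whose wait expires is skipped, expired waits are counted cumulatively per remote system, and each searched file takes one minute.

```python
def simulate_remote_host(files, open_sessions, max_session_count=100,
                         session_close_delay=2, strike_limit=5):
    """Model one remote system.

    open_sessions[t] is the open-session count at minute t (the last value repeats).
    Returns (searched, unsearched, minutes_waited).
    """
    def count_at(minute):
        return open_sessions[min(minute, len(open_sessions) - 1)]

    clock = strikes = waited_total = 0
    searched = []
    for name in files:
        waited = 0
        # MaxSessionCount reached: wait up to SessionCloseDelay minutes for sessions to close
        while count_at(clock) >= max_session_count and waited < session_close_delay:
            clock += 1
            waited += 1
        waited_total += waited
        if count_at(clock) < max_session_count:
            searched.append(name)
            clock += 1        # assumption: each file takes one minute to search
            continue
        strikes += 1          # the delay expired with the count still at the limit
        if strikes >= strike_limit:
            break             # no additional files on this remote system are searched
    unsearched = [f for f in files if f not in searched]
    return searched, unsearched, waited_total

# Constructed input: twelve files and a file server that stays saturated after minute 5.
FILES = ["f%02d" % i for i in range(1, 13)]
TIMELINE = [40, 100, 100, 100, 60, 100]

if __name__ == "__main__":
    done, missed, waited = simulate_remote_host(FILES, TIMELINE)
    print("searched:", done)
    print("unsearched:", missed)
    print("minutes spent waiting:", waited)
```

In this run only two of the twelve files are searched, so a results view for that remote system that shows no matches does not mean the unsearched files were clean.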
Spirion is pre-configured to utilize all available CPU and Disk I/O with Normal priority. These settings can be configured separately for single policies or groups of machines as a default system policy.
UseMultipleCores – The number of CPUs utilized for searching from a Windows Endpoint can be configured. The valid values are:
RunLowPriority – Modification of this setting forces Spirion to run in the mode of least priority in the processing chain. Other applications running with priorities of Normal or Elevated will be handled by the OS with higher priority. This setting is typically used on desktops and laptops where other running applications should receive the highest priority.
RunLowPriority – Modification of this setting sets Spirion's I/O prioritization to the lowest value to minimize the impact on systems being utilized for daily activities. This setting is typically used on desktops and laptops where other running applications should receive the highest priority.