Educause Security Discussion mailing list archives

Re: Identity Finder

From: David Escalante <david.escalante () BC EDU>
Date: Fri, 18 Dec 2009 10:15:52 -0500

Flynn, Gerald wrote:

Read the Identity Finder manual and understand how individual settings
impact what is found in a scan.  Understanding how to govern false
positives is important for the remediation of the report.


Can a lay person sort the grain from the chaff?

This is a great question.  In terms of knowing whether something is a
false positive or not, our experience is "yes, a lay person can figure
it out."  The bigger problem we've run into is the person knowing how to
navigate the file system or IMAP/Outlook local folders/files to properly
get rid of the data, NOT the person figuring out if the scan results are
legit.

How time consuming is it?

The trite but true answer is, "It depends on how many results there are
in the scan, and how you approach remediation."  I could give detailed
examples, but I don't wish to on a public listserv.  So instead let me
cite an example from Randy's earlier message -- if you have some
mechanism for throwing all the positives into an encrypted area and
dealing with them later, then it might not take much time at all.  If
you have 1,000+ results (yes, this does happen) that you wish to go
through individually, then obviously it can be a huge time sink.  The
remediation part needs management to be successful -- running the scans
is just a technical task.  Figuring out what to DO with the data that's
flagged is a management problem.

The time to do data analysis and false positive elimination
prevents us from rolling out our current product to a wider
audience. We're doing all the analysis ourselves at this
point rather than the end user or department and it's a
significant labor expenditure.

The approach we're taking is to point Identity Finder (Windows) at a
central configuration file on a server.  When a user reports a false
positive, we investigate, and if it seems like a legit false positive
that will affect multiple users, we adjust the configuration (and our
custom reporting tool, sometimes) as needed to ensure that other users
won't see, and complain about, that same false positive.  This is more
of a collaborative approach to the issue, sort of "You help us by
reporting problems, we'll help you by propagating fixes."  Spreads the
labor around.
--
David Escalante
Boston College
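As an added illustration of the central-configuration approach described in the reply above (example code written for this page, not Identity Finder's own scanner or configuration format): a toy PII finder whose false-positive rules live in one shared config, so a rule confirmed once suppresses the same finding for every user. The IMEI rule, the ignored path, and the sample lines are constructed for the example.

```python
"""Toy PII scan with false-positive rules held in one central config.
Constructed example; not Identity Finder's code or config format."""
import re

# Constructed central config, edited by the security team once a reported
# false positive is confirmed to affect many users.
CENTRAL_CONFIG = {
    "ignore_paths": [r"^/opt/vendor/"],   # benign vendor install directory
    "ignore_patterns": [r"\bIMEI\b"],     # IMEIs are Luhn-valid 15-digit numbers
    "require_luhn": True,                 # drop card hits that fail mod-10
}

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

def luhn_ok(digits: str) -> bool:
    """Mod-10 check used by card numbers; rejects most random digit runs."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # double every second digit from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural SSN rules: no all-zero fields, area never 666 or 900-999."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0

def scan(path: str, text: str, cfg=CENTRAL_CONFIG) -> list:
    """Return (kind, value) findings for one file after central rules apply."""
    if any(re.search(p, path) for p in cfg["ignore_paths"]):
        return []
    findings = []
    for line in text.splitlines():
        if any(re.search(p, line) for p in cfg["ignore_patterns"]):
            continue                 # known false-positive context, skip line
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if not cfg["require_luhn"] or luhn_ok(digits):
                findings.append(("card", digits))
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append(("ssn", m.group()))
    return findings
```

Adding one entry to `ignore_patterns` is the equivalent of the shared-configuration fix the reply describes: the phone inventory that tripped one user stops tripping everyone else.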
