Educause Security Discussion mailing list archives
Re: Identity Finder
From: David Escalante <david.escalante () BC EDU>
Date: Fri, 18 Dec 2009 10:15:52 -0500
Flynn, Gerald wrote:
> Read the Identity Finder manual and understand how individual settings impact what is found in a scan. Understanding how to govern false positives is important for the remediation of the report. Can a lay person sort the grain from the chaff?
This is a great question. In terms of knowing whether something is a false positive or not, our experience is "yes, a lay person can figure it out." The bigger problem we've run into is the person knowing how to navigate the file system or IMAP/Outlook local folders/files to properly get rid of the data, NOT the person figuring out if the scan results are legit.
> How time consuming is it?
The trite but true answer is, "It depends on how many results there are in the scan, and how you approach remediation." I could give detailed examples, but I don't wish to on a public listserv. So instead let me cite an example from Randy's earlier message -- if you have some mechanism for throwing all the positives into an encrypted area and dealing with them later, then it might not take much time at all. If you have 1,000+ results (yes, this does happen) that you wish to go through individually, then obviously it can be a huge time sink. The remediation part needs management to be successful -- running the scans is just a technical task. Figuring out what to DO with the data that's flagged is a management problem.
> The time to do data analysis and false positive elimination prevents us from rolling out our current product to a wider audience. We're doing all the analysis ourselves at this point rather than the end user or department and it's a significant labor expenditure.
The approach we're taking is to point Identity Finder (Windows) at a central configuration file on a server. When a user reports a false positive, we investigate, and if it seems like a legit false positive that will affect multiple users, we adjust the configuration (and our custom reporting tool, sometimes) as needed to ensure that other users won't see, and complain about, that same false positive. This is more of a collaborative approach to the issue, sort of "You help us by reporting problems, we'll help you by propagating fixes." Spreads the labor around.

--
David Escalante
Boston College