SSProtect :Respond addresses some of the most challenging aspects of Security Incident Response with both Data Integrity (and Content Remediation) Analysis and Disclosure Risk Analysis.
This article describes general behavior associated with execution of either Analysis Type; specific details for each are in the articles Using Data Integrity and Using Risk Analysis. For a more general overview, refer to the :Respond Introduction.
:Respond is an optional component, available to Organization Administrators/Delegates and configured Individual Accounts. To request :Respond functionality, refer to the License and Components Interface article.
User Interface
The :Respond UI is accessible from the SSProtect notification icon's context menu, which displays the interface for all Analysis Types.
Choose one of the two Analysis types using the dropdown control at the top left:
- Data Integrity - Performs Data Integrity (and Content Remediation) for select Users
- Disclosure Risks - Performs Data Disclosure Risk Analysis for an Organization
Related features are described in articles specific to each Analysis Type.
The middle section of the dialog provides controls that manage the Period (Timeframe) for a Disclosure Analysis. These controls are not available or required for Data Integrity Analysis.
The section below the Period controls (and above the Analysis Sets) shows Status for in-progress Analysis execution. This provides additional insight into changing state. The Help button, to the right of the Status text, redirects back to these articles.
The bottom portion of the interface shows the list of Analysis Reports, or Analysis Sets, that you can review when an Analysis is not in progress. Select one (or more), then choose Report to view results. This brings data from the cloud into Microsoft Excel for formatted review.
Choose Remove to delete cloud-stored Analysis data. This removes the corresponding Analysis Set from the list. You can, however, refer back to any Report data you have independently saved, and can also regenerate Analysis results by repeating an operation with the same settings; results will not change.
Owners and Non-Owners
You cannot command or control any Analysis you did not start. This includes any Analysis in the list of Sets that has completed, as well as any in-progress Analysis started by another Privileged User. When this is the case, you will not be able to perform any operations.
Analysis Line-Item Details
Each Analysis Set includes the date/time (UTC) the Analysis was started, the Account associated with the person who started the Analysis (an Organization Administrator, Delegate, or Individual Account), and additional information.
The Remediation column shows information associated with Data Integrity (and Content Remediation) results, or N/A if the line-item is for another Analysis Type.
The Org Summary Risk column shows information associated with Disclosure Risk analysis, or N/A if the line-item is for another Analysis Type.
The Src, Scope, Parms column contains a concatenation of shortened monikers to reflect the Analysis Type and associated parameters, as follows:
- Int, Rsk, or 3rdRsk, for Integrity, Disclosure Risk, or 3rd Party Disclosure Risk Analysis
- Org or Host to specify Analysis Scope (associated with Int/Risk Types)
- 3rd for Disclosure Risk Reports that contain 3rd Party Disclosure Risk Reports
- Rem when Integrity Analysis includes the option to automatically restore damaged content
- Det when the Analysis is configured to display line-item :Assess details in the result
Additional details are described in articles associated with each Analysis Type.
Running an Analysis
Choose the desired Analysis Type, select from the available options by checking or unchecking related items, choose target Users and/or the target Period/Timeframe as appropriate, then choose Start. The software will proceed through multiple stages of the Analysis on your behalf, updating the Status. The Start button will be disabled, and its text will change to show the current state. You can leave and return to this interface shortly after starting an Analysis, though the delay varies based on the Type (since certain operations are first carried out on your host computer, and must complete before you navigate away).
Analysis states include the following: Start, Analyze, Repair (for Data Integrity), Summarize, and Report. If a critical error is encountered, the Analysis is Aborted. These states are reflected in various locations, including the Status, host debug logs, Analysis Set results, and Userlist information associated with Data Integrity Users.
If an Analysis execution encounters a non-critical error, the Start button will reflect the last state, and the error will be displayed in the Status area. Once you address the error, you can command the Analysis through the remaining states by pressing the Start button (which will have been renamed). This manually transitions through the remaining states. Continue until you reach the final state and the Analysis is Closed, as described below, or Aborted, for fatal errors. Use Abort to abandon a progression. This will place the Aborted Analysis in the Analysis Set list, though you will not be able to review Report data, since the Analysis didn't Close.
Starting with v6.4.0, you will see an Auto-Report checkbox beneath the OK button. This determines whether or not execution continues past the Report state, which relieves you from the need to specifically command the Analysis through the final steps. This is suitable for some and not for others; when not using 2-factor authentication, it may be easier to check this option and permit Analysis to run all the way through completion without any additional required interaction. Those with 2-factor authentication will be prompted at the Report stage, before execution can complete.
This option is associated with Global Configuration that persists for all SSProtect use with each Windows Profile, i.e. Windows login (Username).
Analyzing Your Own Account
When executing an Analysis, the state will (most often) proceed to the Report phase, reflected by a renamed Start button. You must click the Start/Report button to download the resulting Report and Close the Analysis. This displays data in Microsoft Excel and adds the result to the Analysis Set list, resetting controls (and re-enabling the Analysis Set controls) for another execution.
Email Notification for Report Readiness
If, after starting an Analysis, you choose to navigate away from this interface, you will receive an email notification when the Analysis completes, even if you Logout or Exit the :Foundation Client. This will not take place if you are viewing the interface when execution completes.
Concurrent Use During Analysis
If you access managed content and convert data between the Analysis Start and Summarize states, it will be difficult to determine if concurrent actions are included in the final results. Future versions will hard-stop the Analysis at the start date/time, though as of v6.3.2, each Analysis is performed with the latest information available, which may or may not include any concurrent action you (and/or other scoped Users) perform.
See LOCKDOWN in the article, Administering Client Resources, for information on how you can stop all data access operations for an entire Organization. This capability should only be used for extreme circumstances, though when working with an active Breach and looking for specific Disclosure Risk, it may be suitable.
For More Information
Analysis is a complicated operation that can help you and your team discover details critical to effective and efficient Incident Response management. For questions, or to schedule an in-depth discussion, send email to email@example.com. Otherwise, call the number listed at the right to have our team work with you on more pressing matters.
This article was updated w/ v6.4.0 of the :Foundation Client