Enterprise Recon 2.1

ER 2.1 Release Notes

The Release Notes provide information about new features, platforms, data types, enhancements, bug fixes and all the changes that have gone into Enterprise Recon 2.1.

For a quick view of the changes since the last Enterprise Recon release, see Summary of Changes.

Contents:

  1. Highlights
  2. Important Notes
  3. Changelog
  4. Features That Require Agent Upgrades

Introducing Enterprise Recon PCI and PII

The latest Enterprise Recon comes in two solutions: Enterprise Recon PCI and Enterprise Recon PII. Enterprise Recon PCI core functionality includes scanning of all supported Target types, generating compliance reports and powerful remediation options to secure sensitive cardholder data found across your organization's environment. Enterprise Recon PII includes all the features from Enterprise Recon PCI and offers access to the full suite of built-in data types including the capability to create custom data types, along with advanced features such as the Enterprise Recon API Framework.

This release also introduces Enterprise Recon NOW, a complimentary, time-limited edition of Enterprise Recon PII sans full remediation support, compliance reporting or API access. Enterprise Recon NOW supports remediation on desktops or workstations to give organizations confidence that data security is not compromised when employees are required to work remotely.

To find out more, see our Enterprise Recon product page, or check out the Feature Comparison table to determine the Enterprise Recon solution that meets your organization's needs.

Enhanced License Management Architecture

Enterprise Recon 2.1 comes with enhanced license management and reporting features. Global Admins and System Managers can easily view and export a detailed ledger of data allowance usage from within the Web UI. The ledger provides a breakdown by Target, Target location and license pool for you to monitor and understand the data consumption across your organization. The approach for calculating this data usage has been simplified by taking the physical size of data on disk, whether it's plain text files, PDFs, or multi-layer nested archives.

Notifications in the Web UI have also been enhanced to alert you when 80% of the Enterprise Recon license limits have been reached, to ensure your organization can continue performing compliance activities smoothly without disruptions.

See Licensing for more information.

New Features

API Integration with Enterprise Recon PII

NEW The Enterprise Recon API is now officially released in Enterprise Recon PII. The comprehensive API framework provides direct access to key resources and data sets in the Master Server, giving you the flexibility to transform how your organization interacts with Enterprise Recon.

Using the Enterprise Recon API, you can generate custom reports that display scan results to suit your organization's specific requirements, or retrieve detailed information on match locations to perform custom remediation actions on non-compliant Targets. Business as usual (BAU) compliance processes can also be automated. For example, develop a script to easily add thousands of Targets to the Master Server via the API, or export weekly activity logs to monitor Master Server events.

To get started on your Enterprise Recon API journey, check out our API Documentation.

New Platform Integrations

InterSystems Caché Target for HIPAA Compliance

NEW The healthcare industry has seen a surge in the number of cyber-attacks over the years. In 2019, over 41 million sensitive patient records were exposed in the U.S. alone, an alarming 48.6% increase from 2018. Medical records would typically contain a patient's full name, Social Security Number (SSN), date of birth, healthcare insurance data and more, constituting an attractive "information package" that can fetch hackers up to 1,000 US dollars per record.

Understanding the value and vulnerability of healthcare data, Enterprise Recon 2.1 introduces support for InterSystems Caché, a popular database management platform that caters especially to the healthcare and financial sectors. With Enterprise Recon 2.1, you can enable the "USA Protected Health Information (PHI)" data type profile and organization-specific custom data types when scanning the relational model of your InterSystems Caché instance to ensure that electronic Protected Health Information (e-PHI) is securely stored, allowing your organization to achieve and maintain HIPAA compliance.

An Agent Upgrade is required to scan InterSystems Caché Targets. See InterSystems Caché for more information.

Easily Scan Groups with Exchange Online

NEW The Exchange Online Target in Enterprise Recon 2.1 simplifies compliance management by allowing you to identify, remediate and report results according to predefined Groups in your organization's Exchange Online mail environment. This is particularly useful if users in your organization are typically assigned Group memberships in Microsoft 365 by business unit, department or team, and you require the capability to segregate and present scan reports in the same manner.

Operations can also be streamlined by granting users access to specific Exchange Online mailboxes. For example, using the Enterprise Recon permissions framework, Heads of Department who are authorized to review and remediate non-compliant mailboxes in certain Groups can be given Reporting and Remediation permissions for just those Groups.

The capability to scan Exchange Online mailboxes by user account remains fully supported with the enhanced Exchange Online Target. Exchange Online supersedes the Exchange Online (EWS) module as Basic Authentication with Exchange Web Services (EWS) will no longer be supported by Microsoft from October 13, 2020. The Ground Labs Support Team is available to assist customers who wish to migrate their existing Exchange Online (EWS) Targets.

An Agent Upgrade is required to scan Exchange Online Targets. See Exchange Online and Resource Permissions for more information.

Official Support for MongoDB NoSQL Database and Dropbox Business

NEW MongoDB is the first non-relational database available as a scannable Target in Enterprise Recon and is highly popular for data intensive applications in the finance, government, retail and gaming sectors.

NEW Dropbox Business, a popular cross-team collaboration service commonly used for sharing and storing highly sensitive internal data, is also officially supported in Enterprise Recon 2.1, growing the list of cloud storage platforms that can be scanned out-of-the-box with Enterprise Recon.

An Agent Upgrade is required to scan MongoDB and Dropbox Business Targets. See MongoDB and Dropbox Business for more information.

New and Improved Data Types

NEW From Enterprise Recon 2.1, you can scan for Greek Passport Number and US Passport Number data types. The US Passport Number has been added to the "USA Personal Information" built-in data type profile to complement other personally identifiable information (PII) data types and help your organization comply with United States data privacy laws.

Important Notes

CRITICAL: One Way Upgrade to Enterprise Recon 2.1

Certain data sets for the Master Server have been updated from 32-bit to 64-bit storage formats in Enterprise Recon 2.1. Therefore, once the Master Server is updated from ER 2.0.31 (and below) to ER 2.1 (and above), the datastore is not backward compatible.

Enterprise Recon Master Server Upgrade to CentOS 7

From Enterprise Recon 2.0.28, new installations of Enterprise Recon utilize CentOS 7, which features an updated kernel, improved security features and support for operating system patches and updates until June 2024.

If your existing Master Server installation is based on CentOS 6, Ground Labs strongly recommends that you upgrade to CentOS 7 promptly as CentOS 6 reached end of life on November 30, 2020. The Ground Labs Support Team is available to assist customers who wish to migrate their existing installations to CentOS 7.

Ground Labs will continue to support existing Enterprise Recon installations based on CentOS 6 until its end of life date on November 30, 2020.

Changelog

The Changelog is a complete list of all the changes in Enterprise Recon 2.1.

What’s New?

  • New Data Types
    • NEW Greek Passport Number
    • NEW US Passport Number
  • New Platform Integrations
    • NEW InterSystems Caché
    • NEW Exchange Online
    • NEW Dropbox Business
    • NEW MongoDB
  • Added:
    • NEW The API Framework is now officially supported in this release of ER2. See API Documentation for more information.

Enhancements

  • Improved Features:
    • The navigation menu in ER2 has been revamped to a mega menu with reorganized grouping of Web UI pages by functionality to improve page navigation and accessibility.
    • ER 2.1 has an updated Dropbox Business and Dropbox Personal module which requires the latest access token for authentication. Previous access tokens will no longer be supported by ER2 from 30 September, 2020. To continue scanning Dropbox Business and Dropbox Personal Targets without interruption, (i) upgrade the Master Server, and (ii) update Dropbox credential sets added in earlier versions of ER2 by performing re-authentication. See Re-authenticate Dropbox Credentials for more information.
    • Scanning macOS Catalina workstations is now officially supported in ER 2.1. See Agentless Scan and Remote Access via SSH for more information.
    • The dropdown list of built-in data types used to add predefined rules in the "Add Custom Data Type" window is now alphabetically sorted.
    • Improved handling of CORS requests for increased application security.
    • ER2 has been enhanced to allow automatic backups to proceed if the backup location (i) has sufficient free disk space for a backup, and (ii) is not the same drive or volume where the datastore resides.
    • Maestro is now part of the "PCI Compliance" data type profile.

    • The OneDrive Business module has been updated to use the User Principal Name instead of Display Name as the unique identifier for OneDrive Business user accounts.

    • The updated OneDrive Business module now requires the domain instead of the full service account email when adding a OneDrive Business Target. See Set OneDrive Business as a Target Location for more information.
    • Agent Group management has been enhanced to prevent the creation of Agent Groups with blank or duplicate names, and to allow the reuse of old Agent Group names as long as there are no duplicates.
    • Updated TLS protocol library to use SHA-256 in pseudorandom functions and finished message hashes, along with expanded support for authenticated encryption ciphers for improved encryption security.

    • Distributed Scanning has been enhanced to dynamically reallocate scheduled sub-scans to idle or newly connected Proxy Agents to improve overall scan time.
    • Upgraded image processing library for improved OCR accuracy.
    • A clearer error message is displayed when the specified Rackspace region name contains the invalid backslash "\" character.

    • LDAP over SSL (LDAPS) authentication is now supported for Exchange Domain Targets.

    • Kerberos authentication is now supported for Hadoop Targets.
    • The Web UI has been enhanced to trigger a warning when the overall system memory is below a certain threshold, which may cause a degradation in the Master Server system performance.
    • User account security has been enhanced by requiring old password verification before users are permitted to create a new password.
    • Minor UI enhancements.

Bug Fixes

  • Adding or probing a SharePoint Online Target that contained special characters such as the hash "#" or percentage "%" would result in a "400 Bad Request" error.

  • The Target details page would only display one match location if sensitive data matches were found in multiple files with the same name within the same Google Drive location or folder.
  • Azure Queue Targets could not be scanned successfully and would return different critical error messages depending on the platform of the Proxy Agent used in the scan schedule.

  • In certain scenarios, scanning XLSX files would result in slower scans and larger scanned bytes value than expected.
  • The Target details page and the Target report did not display the full file paths of Amazon S3 Buckets match locations found in folders nested more than a certain depth.
  • Adding or probing a Network Storage location that contained the hash "#" character would result in a "No such file" error.

  • Scanning SharePoint Online Targets with a large number of files would result in a "Pool memory limit reached" error.
  • Scanning Oracle database tables with table names that contain special characters would result in the "ORA-00942: <column name> table or view does not exist" error.
  • The Targets page and Global Summary Report displayed the incorrect last scan date if the Master Server was restarted, or if any trashing or remediation activities were performed on a Target.
  • The web UI would restart and incorrectly load the Dashboard when trying to access the Scan History page of a SharePoint Online Target.
  • The Targets page did not indicate the correct total matches for a Target Group if the sum of matches across all Targets exceeded 4.3 billion matches.
  • In certain scenarios, performing masking remediation on ZIP archives would result in an "Out of buffer space while decoding stream" error and cause the remediation to fail.

  • Sensitive data matches may not be properly detected when scanning certain rare PDF format variants, such as PDF files with multiple layers of compressed indices.
  • The Targets page still displayed the Inaccessible Locations error for a Windows Share Target even though the Target was rescanned successfully with the required permissions.
  • Cardholder data in specific versions of PDF files was not properly detected.
  • An incorrect number of "Unremediated Matches" was indicated in scan notification emails.
  • Performing any remedial action for remote Targets via SSH would return an error stating that the master server did not have sufficient match location information.
  • The "Owner" column in the Target Details page did not display the owner information for match locations.
  • The start or end time for the Automatic Pause Scan Window would default to "12:00am" if the time value specified included the seconds component in HH:MM:SS format.
  • Scanning certain PDF files with scaled fonts could result in false positive cardholder data type matches.
  • The web UI would generate a failure and restart when attempting to modify a recurring scheduled scan with multiple Target Groups in the Schedule Manager.

  • The Target report did not contain complete primary key information for Oracle Databases that have a large amount of data, but only a low number of matches.
  • Scanning Oracle database tables with column names of a certain length would result in the "ORA-00904 : Invalid Identifier" error. This only impacted Oracle database version 12.2 and above.
  • The Robust Search configuration did not take effect if data types were selected from the "All Predefined Datatypes" category when creating or modifying data type profiles.
  • In the Targets page, applying any of the Groups, Targets, or Types filters resulted in the rest of the filters containing options that did not honor the first filter selection.
  • The "Credential Label" was not saved when adding a new credential set for an unlisted Target in the "New Scan" workflow, or when updating credentials from the "Edit Target > Change Credentials" workflow.
  • The maximum length for an Agent Group name is now 256 characters.
  • A Proxy Agent that was deleted from an Agent Group did not get updated as an available Agent in the "Add new agent" dropdown list on the Agent Group Details page.

  • Scanning or probing Box Enterprise Targets would result in "URL redirected" errors. The Box Enterprise module now has an updated Box API for handling invalid or expired refresh tokens during authentication operations with Box Enterprise.

  • In certain scenarios, SharePoint Server and SharePoint Online Target locations that could be probed successfully would return a "404 Not Found" error and be logged as Inaccessible Locations with the first letter missing from the name of the site.
  • The Web UI would return to the "Select Locations" page if an incorrect date format was entered when scheduling a future scan in the "New Scan" workflow.

  • Scanning certain cloud Targets (e.g. SharePoint Online, Exchange Online etc.) would sometimes result in "bad_weak_ptr" errors.

  • Probing Google Calendar Targets that contained the hash "#" character in the Calendar ID would result in "404 Not Found" errors.

  • ER2 would only return match results for a single Google Task location if there were multiple Google Tasks with the same title, or no title at all.
  • In certain scenarios, scanning Oracle database tables would result in a "Caught platform exception 0xc0000005" error if location exclusion filters were applied to exclude columns that came before a column with the unique constraint rule.

  • The Target report would contain corrupted data for Targets with an immense number of match locations and/or very long file paths.

  • Scanning a Box Enterprise Target would result in an "Authentication credentials required" or "401 Unauthorized" error. This fix improves support for handling invalid or expired refresh tokens during authentication operations with Box Enterprise.

  • In certain scenarios, scanning a OneDrive location would result in a "Caught platform exception 0xc0000005" error. This fix improves the handling of retrying failed query attempts with UI enhancements to properly reflect the scanning progress.
  • Scanning Azure Blobs for activity logs would result in a "409 The type of blob in the container is unrecognized by this version" error. The Azure Storage module now has an updated Azure API and includes support for scanning activity log Azure Blobs.
  • Scanning Azure Blobs would result in a "404 The specified blob does not exist" error if specific files were selected when setting up the scan schedule.
  • The Target details page and consolidated report did not indicate the correct match count if match locations were deleted manually for Targets that used Distributed Scanning mode.
  • Bank Account data type matches could not be remediated.

  • Scanning Rackspace Cloud locations within folders nested more than 3 levels that were selected from the probing Target workflow would result in a "404 Not Found" error.
  • The list of Targets in the Targets page would be cleared if a user with only Scan or Reporting permissions for all Targets attempted to use the Groups, Targets or Types filter.

  • Primary key columns were not properly detected when scanning Microsoft SQL database tables with table names that contained the underscore "_" character.

Features That Require Agent Upgrades

Agents do not need to be upgraded along with the Master Server, unless you require the following features in Enterprise Recon 2.1:

  • NEW Users can now scan InterSystems Caché databases. Requires Windows Agent with database runtime components.
  • NEW Users can now scan Dropbox Business.
  • NEW Users can now scan MongoDB databases. Requires Windows or Linux Agent with database runtime components.
  • NEW Easily scan Microsoft 365 mailboxes by Group with the new and improved Exchange Online Target.
  • Adding or probing a SharePoint Online Target that contained special characters such as the hash "#" or percentage "%" would result in a "400 Bad Request" error.
  • The Target details page would only display one match location if sensitive data matches were found in multiple files with the same name within the same Google Drive location or folder.
  • In certain scenarios, scanning XLSX files would result in slower scans and larger scanned bytes value than expected.
  • Scanning SharePoint Online Targets with a large number of files would result in a "Pool memory limit reached" error.
  • Sensitive data matches may not be properly detected when scanning certain rare PDF format variants, such as PDF files with multiple layers of compressed indices.
  • The Target report did not contain complete primary key information for Oracle Databases that have a large amount of data, but only a low number of matches.
  • The OneDrive Business module has been updated to use the User Principal Name instead of Display Name as the unique identifier for OneDrive Business user accounts.
  • The updated OneDrive Business module now requires the domain instead of the full service account email when adding a OneDrive Business Target. See Set OneDrive Business as a Target Location for more information.
  • Scanning or probing Box Enterprise Targets would result in "URL redirected" errors. The Box Enterprise module now has an updated Box API for handling invalid or expired refresh tokens during authentication operations with Box Enterprise.
  • In certain scenarios, SharePoint Server and SharePoint Online Target locations that could be probed successfully would return a "404 Not Found" error and be logged as Inaccessible Locations with the first letter missing from the name of the site.
  • Scanning certain cloud Targets (e.g. SharePoint Online, Exchange Online etc.) would sometimes result in "bad_weak_ptr" errors.
  • Probing Google Calendar Targets that contained the hash "#" character in the Calendar ID would result in "404 Not Found" errors.
  • ER2 would only return match results for a single Google Task location if there were multiple Google Tasks with the same title, or no title at all.
  • Distributed Scanning has been enhanced to dynamically reallocate scheduled sub-scans to idle or newly connected Proxy Agents to improve overall scan time.
  • The Target report would contain corrupted data for Targets with an immense number of match locations and/or very long file paths.
  • Scanning a Box Enterprise Target would result in an "Authentication credentials required" or "401 Unauthorized" error. This fix improves support for handling invalid or expired refresh tokens during authentication operations with Box Enterprise.
  • In certain scenarios, scanning a OneDrive location would result in a "Caught platform exception 0xc0000005" error. This fix improves the handling of retrying failed query attempts with UI enhancements to properly reflect the scanning progress.
  • Scanning Rackspace Cloud locations within folders nested more than 3 levels that were selected from the probing Target workflow would result in a "404 Not Found" error.
  • LDAP over SSL (LDAPS) authentication is now supported for Exchange Domain Targets.
  • Kerberos authentication is now supported for Hadoop Targets.
  • The Web UI has been enhanced to trigger a warning when the overall system memory is below a certain threshold, which may cause a degradation in the Master Server system performance.

For a table of all features that require an Agent upgrade, see Agent Upgrade.


Ensuring we are delivering the best technology for our customers is a core value at Ground Labs. If you are interested in future early builds of Enterprise Recon with forthcoming features, please email your interest to product@groundlabs.com.