Enterprise Recon 2.6.0

Risk Scoring and Labeling

PRO This feature is only available in Enterprise Recon PRO Edition. To find out more about upgrading your ER2 license, please contact Ground Labs Licensing. See Subscription License for more information.


This section covers the following:

Overview

Not all sensitive data findings are equal. Vulnerable systems that contain prohibited sensitive data need to be secured right away, while some may have already been acted upon and do not need immediate attention.

With the Risk Scoring and Labeling feature, you can create Risk Profiles configured with custom Rules, Labels, and Risk Scores (or Risk Levels) to classify the sensitive data discovered across your organization.

ER2 automatically maps each sensitive data match location with the associated Risk Profiles and displays this information in the Investigate page, empowering you to focus and take action on the sensitive data findings that matter most.

See How Risk Scoring and Labeling Works for more information.

How Risk Scoring and Labeling Works

Enterprise Recon Risk Scoring and Labeling workflow.

ER2 Risk Profiles let you classify "Risk" for each sensitive data location as a combination of four factors:

Category Description
Content
  • Combination of data types
  • Volume of sensitive data matches
Metadata
  • Access permissions
  • File owner, creation or modified date
Actions Taken
  • Remediation and Access Control actions
Storage
  • Target Group or Target
  • Target type

Each risk profile is assigned a risk classification (label) and risk score (e.g. Low, Medium, High), and can be manually reordered to prioritize the profiles that matter most to the organization.

ER2 automatically maps the risk profiles to match locations and displays the corresponding risk label and score in the Investigate page. If a location matches the criteria for multiple risk profiles, the Risk column in the Investigate results grid reflects the risk profile with the highest priority, regardless of the risk level associated with the profile. Nested files or locations within archives are assigned individual risk scores, which will be reflected in the Risk column accordingly.

The "Risk" for a match location is not permanent: the Risk is calculated each time the Investigate page is loaded to reflect the latest Risk status. For example, the risk level associated with a match location may increase in severity when a Global Admin or Risk Admin user modifies the rules for a risk profile, or the match location maps to a newly-created risk profile with a higher priority, or a location may be classified as low risk and is mapped to a different profile once it has been remediated.

See Risk Scoring and Labeling Criteria for more information.

Example

Priority Label Level
1 Risk Profile 1
High
2 Risk Profile 2
Medium
3 Risk Profile 3
High
4 Risk Profile 4
Low

The table above shows a sample Risk Profile page with four risk profiles, ordered by priority. When the Investigate page is loaded, ER2 calculates and maps a match location (File path D:\My-Data-Folder\File-A.text) to two risk profiles: "Risk Profile 2" and "Risk Profile 3".

Based on the priority defined in the Risk Profile page, the Risk column will display with the label of the highest-priority matching risk profile (Risk Profile 2). The highest-priority matching profile will also be reflected in the Match Report exported from the Investigate page.

To check the full set of risk profiles that are mapped to a location, click on:

  • The risk color icon in the Risk column of the match location, or
  • A match location to bring up the Match Inspector view.

Requirements

Requirements Description
License Enterprise Recon PRO license.
Master Server Version 2.3 and above.
User Permissions
  • Manage Risk Profiles

    Risk Admin users have permissions to create, modify, delete or define the priority of Risk Profiles in the Settings > Analysis > Risk Profile page. See Global Permissions for more information.

  • View Risk Profiles

    All users that are assigned any Global or Resource Permission can access the Settings > Analysis > Risk Profile page and view the Risk Profiles configured by Risk Admin users.

  • View Risk Scores and Labels

    Users can view the associated Risk Profile, Risk Label, Risk Score, and Risk Color of locations for which they have Remediate or Report Resource Permissions in the Investigate page.

A Global Admin user has administrative privileges to access and configure all ER2 resources and is therefore not included in the list above.

Managing Risk Profiles

Users with Global Admin and Risk Admin global permissions can create, modify, delete or define the priority of Risk Profiles in the Settings > Analysis > Risk Profile page.

Create a Risk Profile

To create or add a new risk profile:

  1. Log in to the ER2 Web Console.
  2. Go to Settings > Analysis > Risk Profile.
  3. Click the New Profile button in the left panel.
  4. Assign a unique Risk Label to classify the risk profile.
  5. Set the Risk Level or risk score (e.g. High, Medium, Low) for the risk profile.
  6. Configure the rules for the profile. See Risk Scoring and Labeling Criteria for more information.
  7. Click Save to add the new risk profile.

Modify a Risk Profile

To modify or update an existing risk profile:

  1. Log in to the ER2 Web Console.
  2. Go to Settings > Analysis > Risk Profile.
  3. Click to select a risk profile in the left panel.
  4. Click the edit icon in the right panel.
  5. Modify the risk label, risk level and/or risk rules for the profile as required. See Risk Scoring and Labeling Criteria for more information.
  6. Click Save to update the risk profile.

Delete a Risk Profile

To delete or remove a risk profile:

  1. Log in to the ER2 Web Console.
  2. Go to Settings > Analysis > Risk Profile.
  3. Click to select a risk profile in the left panel.
  4. Click the trash icon in the right panel.
  5. Click Delete in the "Delete Risk Profile" dialog box to confirm the deletion.

Prioritize Risk Profiles

In the Investigate results grid, the risk status displayed for a match location is the risk of the highest priority risk profile that maps to the location.

Risk profile priority can be ordered by the user to define the risk profile that takes precedence for reporting. This is managed by sorting the risk profiles in the Risk Profile page.

To set the priority of risk profiles:

  1. Log in to the ER2 Web Console.
  2. Go to Settings > Analysis > Risk Profile.
  3. Click the Edit Priority button in the left panel.
  4. Click and hold a risk profile, and drag it to a new position in the list. The topmost risk profile will have the highest priority, and the bottommost risk profile will have the lowest priority when a match location maps to the criteria of multiple risk profiles, regardless of the risk level.
  5. Click Save to save, or Cancel to discard the changes.
  6. The Priority column will reflect the latest priority of the risk profiles.