As Egnyte Secure & Govern continues to improve our issue remediation process, we need to also provide best practices when remediating all issue types. These best practices will be crucial to improving our future AI/ML detection capabilities and direction. Secure & Govern issue remediation definitions and processes are explained below.
For more information regarding Egnyte’s issue remediation improvements, refer to Secure & Govern - Upcoming Issue Remediation Improvements.
Issue Detection Definitions
True Positive: A true positive is an outcome where the ML model or detection mechanism correctly identifies a user's activity as anomalous. An issue is generated in Secure & Govern.
False Positive: A false positive is an outcome where the ML model or detection mechanism incorrectly identifies a user's activity as anomalous. An issue is generated in Secure & Govern.
Reducing the false positive rate is critically important to Egnyte. The best way to reduce false positive rates is direct feedback from our customers, so it is important that customers properly remediate false positive detections using the process described below.
True Negative: A true negative is an outcome where the ML model or detection mechanism correctly determines that a user's activity is not anomalous. No issue is generated in Secure & Govern and no customer action is required.
False Negative: A false negative is an outcome where the ML model or detection mechanism fails to detect a user's anomalous activity. No issue is generated in Secure & Govern.
Preventing false negatives is the most important goal for any ML model or detection process. The tradeoff for a lower false negative rate may be a higher false positive rate, but missing anomalous activity is detrimental to any threat management solution. False negatives should occur very rarely or never. If one does occur, it is critical that customers immediately report the false negative using the process described below.
Egnyte Secure & Govern’s Threat Management detection solutions are always designed and implemented cautiously to prevent false negatives. This may result in slightly higher false positive rates, but it limits any possibility of a false negative.
Determine If a Detection Is a True or False Positive
As explained above, both true and false positives will be detected by Secure & Govern. Determining whether a detected issue is a true or false positive differs between state-based issues (Public Links, Individual Permissions, etc.) and event-based issues (Probable Ransomware, Suspicious Login, Unusual Access).
Determining whether an event-based issue is a true or false positive requires some initial investigation. This investigation typically involves reaching out to the end user and/or reviewing the issue details provided by Secure & Govern. Once the initial investigation is complete and the issue is identified as a true or false positive, the proper remediation process defined below should be followed.
All state-based issues should always be considered true positives. However, how they are treated depends on a company’s policy. For example, some companies may consider public links to non-sensitive files acceptable per company policy. In this case, the public link would be treated as a false positive detection and the false positive remediation process should be followed. Please review and understand your company’s policies before deciding whether a detection is a true or false positive.
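The definitions above and the Dismiss-with-reason feedback loop can be turned into a simple measurement: which issue types a company most often closes as Expected Behavior. The following is an added example, not Egnyte code; it assumes a constructed export of closed issues with the issue type, closing status and dismissal reason, and it notes that false negatives are not visible in such data because they generate no issue.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Issue types as the page lists them; state-based issues are always true detections
# (how they are treated depends on company policy), event-based ones need investigation.
STATE_BASED = {"Public Link", "External Sharing", "Open Access", "Individual Permissions",
               "Malformed Permissions", "Empty Group", "Unused Group"}
EVENT_BASED = {"Probable Ransomware", "Unusual Access", "Suspicious Login"}

@dataclass
class ClosedIssue:
    issue_type: str
    status: str                    # "Resolved" or "Dismissed"
    reason: Optional[str] = None   # reason given when dismissing, e.g. "Expected Behavior"

def is_false_positive(issue: ClosedIssue) -> bool:
    """Per the remediation process, a false positive is closed via Dismiss with the
    reason Expected Behavior; a Resolved issue (Fix / Mark as Resolved) is a true positive."""
    return issue.status == "Dismissed" and issue.reason == "Expected Behavior"

def false_positive_rates(issues: Iterable[ClosedIssue]) -> Dict[str, float]:
    """False positive rate per issue type = dismissed as expected / issues generated.
    Only true and false positives are observable here: a false negative generates no
    issue, so it must be reported separately (see the false negative process)."""
    counts: Dict[str, List[int]] = defaultdict(lambda: [0, 0])  # type -> [fp, generated]
    for issue in issues:
        if issue.issue_type not in STATE_BASED | EVENT_BASED:
            raise ValueError(f"unknown Secure & Govern issue type: {issue.issue_type}")
        counts[issue.issue_type][1] += 1
        if is_false_positive(issue):
            counts[issue.issue_type][0] += 1
    return {t: fp / n for t, (fp, n) in counts.items()}

def noisiest_types(issues: Iterable[ClosedIssue], top: int = 3) -> List[str]:
    """Issue types with the highest false positive rate: the first candidates for a
    policy review (state-based) or for better investigation notes (event-based)."""
    rates = false_positive_rates(issues)
    return sorted(rates, key=lambda t: (-rates[t], t))[:top]

# Constructed sample of closed issues (not real Secure & Govern data).
SAMPLE_ISSUES = [
    ClosedIssue("Public Link", "Dismissed", "Expected Behavior"),
    ClosedIssue("Public Link", "Resolved"),
    ClosedIssue("Public Link", "Dismissed", "Expected Behavior"),
    ClosedIssue("Public Link", "Resolved"),
    ClosedIssue("Suspicious Login", "Resolved"),
    ClosedIssue("Suspicious Login", "Resolved"),
    ClosedIssue("Suspicious Login", "Dismissed", "Expected Behavior"),
    ClosedIssue("Probable Ransomware", "Resolved"),
    ClosedIssue("Empty Group", "Dismissed"),  # dismissed without a reason: not counted as FP
]
```

Run over a real export, a high rate for a state-based type usually means company policy should be encoded (for example, which folders may carry public links) rather than that detection is wrong.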
False Negative Detection Remediation Process
If any customer believes they have experienced a false negative, immediately contact support by emailing support@egnyte.com.
False Positive Detection Remediation Process
Egnyte Secure & Govern has enhanced the issue remediation process. All issue types support “Dismissed” status and our remediation workflow supports providing a “reason” when closing an issue within Secure & Govern.
The following process should be followed when “Dismissing” an issue within Secure & Govern.
False Positive Remediation for Event-Based Issue Types
For Ransomware, Unusual Access, and Suspicious Login issues, the following process should be followed.
- From the Close dropdown select Dismiss This Occurrence
- The Dismiss Remediation Modal appears
- Enter Expected Behavior for the Reason
- Enter any desired Comments
- Select the Dismiss button and the issue is dismissed. The following will appear prior to moving the issue to Dismissed Status
False Positive Remediation for State-Based Issue Types
For Public Link, External Sharing, Open Access, Individual Permissions, Malformed Permissions, Empty Group, and Unused Group issues, the following process should be followed.
- Select Dismiss
- The Dismiss Remediation Modal appears
- Enter Expected Behavior for the Reason
- Enter any desired Comments
- Select the Dismiss button and the issue is dismissed. The following will appear prior to moving the issue to Dismissed Status
True Positive Detection Remediation Process
As described above, a true positive detection is something that was accurately detected and an issue has been created within Secure & Govern. The remediation policy will vary by the type of issue detected as well as your company's policy for each detection type. Remediation process best practices for true positive detections are described below.
True Positive Remediation for Event-Based Issue Types
For Ransomware, Unusual Access, and Suspicious Login issues, the following process should be followed.
- From the Fix dropdown select either Deactivate User Account or Reset User Password (Suspicious Login only). Different Fix options will be provided based on issue type.
- The user is deactivated or a password reset request is sent to the user. The appropriate action will be taken based on the issue type.
- Complete a full investigation using the issue details provided in Secure & Govern.
- Suspicious Logins - Review the issue detail information and analyze the login information provided
- Unusual Access - Review the issue detail information and review the detected file exports
- Probable Ransomware - Review the issue detail information and review the detected file exports
- After completing the investigation, take necessary internal steps to prevent the malicious behavior from recurring
- User Education
- Limit User’s Access
- Limit User’s permissions
- Improve/Enhance Internal Security Processes and Applications (MFA, Endpoint protection, etc.)
- Once the remediation actions have been taken, the issue can be closed
- From the Close dropdown select Mark as Resolved
- The issue will be resolved. The following will appear prior to moving the issue to Resolved Status
True Positive Remediation for State-Based Issue Types
For Public Link, External Sharing, Open Access, Individual Permissions, Malformed Permissions, Empty Group, and Unused Group issues, the following process should be followed.
- Select Fix, then choose the dropdown fix action provided (this varies by issue type)
- The appropriate action will be taken and the issue will be automatically resolved. The following will appear prior to moving the issue to Resolved Status