Egnyte is committed to providing a robust issue remediation process within Secure & Govern. We have a multi-phased initiative planned to revamp and improve our existing issue remediation workflow. The changes will include frontend UI updates as well as backend workflow changes for improved issue remediation and processing.
What Can Users Expect to See and When?
The first changes will start showing up in the Secure & Govern UI on September 8, 2022. Following the initial release, users should expect to see additional updates on roughly a monthly basis. The goal is to have the issue remediation improvement initiative completed by the end of 2022.
What Can Users Expect to See on September 8, 2022?
The initial changes will involve UI changes within the Secure & Govern Issues View. No backend workflow changes will be completed as part of this release.
Changes Impacting All Issue Types
We are changing the ‘Ignored’ status to ‘Dismissed’ to be more accurate. You will see this in the filters on the left side of the Issues tab.
Changes Impacting State-Based Issue Types
For Public Link, External Sharing, Open Access, Individual Permissions, Malformed Permissions, Empty Group, and Unused Group issues, you will see the ‘Ignore’ button has been replaced by a ‘Dismiss’ button. The ‘Dismiss’ action will have the same effect as the previous ‘Ignore’ action: the dismissed issues will be viewable by selecting ‘Dismissed’ status in the filter on the left side of the issues tab and can be re-opened by clicking the ‘Reopen’ button.
Changes Impacting Event-Based Issue Types
For Ransomware, Unusual Access, and Suspicious Login issues, you will see the ‘Ignore’ button has been replaced by a ‘Close’ button.
For Ransomware, Unusual Access, and Suspicious Login issues, the options under the ‘Fix’ and ‘Close’ buttons have changed. Under ‘Fix’ you will still be able to choose ‘Deactivate User Account’ or ‘Reset User Password’, and you will now also find there any other actions that were previously available under the ‘Ignore’ button, for example ‘Whitelist File Extension’ for Ransomware issues.
Under ‘Close’ you will be able to choose to ‘Dismiss the Occurrence’ or ‘Mark as Resolved’.
Milestone 1 - Completed
Egnyte Secure & Govern now requires a “reason” to be entered when dismissing any issue type and when taking remediation actions such as “Add User Exception”. The “reason” will help enhance issue auditing as well as provide a feedback loop to Egnyte for ML model improvements. ML feedback will be crucial to improving detection accuracy and reducing false positive detections.
Support Remediation “Reason”
- Select “Dismiss” or “Dismiss this Occurrence”. The dismiss issue modal appears
- Select Reason: “Expected Behavior” or “Other”
“Expected Behavior” should be selected for false positive detections
- Enter comments
- Select “Dismiss” to dismiss the issue. The issue is dismissed
Milestone 2 - Completed
Egnyte Secure & Govern now supports “Dismiss” status for Unusual Access and Suspicious Login issues. Prior to the 17.9 release, Unusual Access and Suspicious Login issues would be removed from the issues view entirely. Now these issue types will be moved to “Dismissed” status, the same as all other issue types, for Administrators to review at a later date or reopen.
In order to support this behavior, the issue creation process, for Unusual Access and Suspicious Login issues, also needed to be updated. The original and new issue creation processes are described below.
Original Issue Creation Process
- Issues are generated on a per user basis
- New detections, for the same user, use the same issue number and are recorded individually under the issue details
- As you can see in the screenshot above, multiple detections, for the same user, occurring on different days are captured within a single issue
New Issue Creation Process
- Issues are generated on a per user basis
- New detections, for the same user, will be generated using a new issue number. Unusual Access and Suspicious Logins will look like the following. No past detections will appear.
Unusual Access:
Suspicious Logins:
- As you can see in the screenshots above, one issue, per user, will be used to capture detections on a daily basis.
Initially the new issue creation process could lead to more Unusual Access and Suspicious Login issues. However, “Dismiss” status support will allow for the proper remediation of these issue types and offset the potential increase in issues created.
Reopen a Dismissed Issue
- Go to filters, on the far left side of the issues view, and select “Dismissed” under the Issue Status filter
- Select the desired Suspicious Login or Unusual Access issue and select “Reopen”
- The issue will move to “Open” status for further review and remediation
“Dismissed” status is also supported for artifact-based Ransomware detections; it is not yet supported for behavior/entropy-based Ransomware detections. This will be supported in Milestone 4.
Milestone 3 - Completed
The issue remediation workflow has been improved by introducing a new “In progress” status. Now when certain actions are taken on an existing “Open” issue, the issue will be moved from “Open” status to “In progress” status. Prior to the 18.4 release, “Deactivate User” and “Reset User Password” remediation actions would automatically resolve Unusual Access, Suspicious Login and Probable Ransomware issues which didn’t support the investigation process needed to properly resolve these event-based issues. The new workflow process now aligns and supports the required remediation steps by moving the issue from “Open” to “In progress” status. This allows Administrators to take the initial preventive actions (Deactivate User or Reset Password), complete the issue investigation process, take the necessary internal remediation steps and then close/resolve the issue.
The following issue actions will move an “Open” issue to “In progress”:
- Issue is delegated to a user
- Deactivate User Account
- Reset User Password
- Whitelist File Extension
- Restore Content
Issues can now be filtered using the following issue statuses:
As part of the feature rollout, we have also renamed the “Fix” button to “Remediate”.
Key Milestones and Target Completion Dates
| Milestone | Target Completion | Status |
| --- | --- | --- |
| Milestone 1: Enforce “Reason” when “Dismissing” issues to improve audit and provide ML feedback | December 2022 | Completed |
| Milestone 2: Support “Dismiss” status for Unusual Access and Suspicious Login issues | January 2023 | Completed |
| Milestone 3: Change ‘Fix’ to ‘Remediate’ and introduce “In progress” issue remediation status | April 2023 | Completed |
| Milestone 4: Improve backend processing of Probable Ransomware issues | July 2023 | Completed |
| Milestone 5: Improve issue updates by providing issue update reasons | Q4 2023 | TBD |
| Milestone 6: Automatically assign user during issue remediation | Q1 2023 | TBD |