
Secure & Govern - Upcoming Issue Remediation Improvements


Egnyte is committed to providing a robust issue remediation process within Secure & Govern. We have a multi-phased initiative planned to revamp and improve our existing issue remediation workflow. The changes will include frontend UI updates as well as backend workflow changes for improved issue remediation and processing.

What Can Users Expect to See and When?

The first changes will start showing up in the Secure & Govern UI on September 8, 2022. Following the initial release, users should expect to see additional updates on roughly a monthly basis. The goal is to have the issue remediation improvement initiative completed by the end of 2022.

What Can Users Expect to See on September 8, 2022?

The initial changes will involve UI changes within the Secure & Govern Issues View. No backend workflow changes will be completed as part of this release.

Changes Impacting All Issue Types

We are changing the ‘Ignored’ status to ‘Dismissed’ to be more accurate. You will see this in the filters on the left side of the Issues tab.

sg_issue_remediation_5.png

Changes Impacting State-Based Issue Types

For Public Link, External Sharing, Open Access, Individual Permissions, Malformed Permissions, Empty Group, and Unused Group issues, you will see the ‘Ignore’ button has been replaced by a ‘Dismiss’ button. The ‘Dismiss’ action will have the same effect as the previous ‘Ignore’ action: the dismissed issues will be viewable by selecting ‘Dismissed’ status in the filter on the left side of the issues tab and can be re-opened by clicking the ‘Reopen’ button.

sg_issue_remediation_2.png

Changes Impacting Event-Based Issue Types

For Ransomware, Unusual Access, and Suspicious Login issues, you will see the ‘Ignore’ button has been replaced by a ‘Close’ button.

sg_issue_remediation_7.png

For Ransomware, Unusual Access, and Suspicious Login issues, the options under the ‘Fix’ and ‘Close’ buttons have changed. Under ‘Fix’ you will still be able to choose to ‘Deactivate User Account’ or ‘Reset User Password’, but the ‘Fix’ button will now also show any other actions that were previously available under the ‘Ignore’ button, for example ‘Whitelist File Extension’ for Ransomware issues.

Current

sg_issue_remediation_1.png

Future

sg_issue_remediation_3.png

Under ‘Close’ you will be able to choose to ‘Dismiss the Occurrence’ or ‘Mark as Resolved’.

Current

sg_issue_remediation_4.png

Future

sg_issue_remediation_6.png

Milestone 1 - Completed

Egnyte Secure & Govern now enforces entering a “reason” when dismissing all issue types and when taking remediation actions such as “Add User Exception”. The “reason” will help enhance issue auditing as well as provide a feedback loop to Egnyte for ML model improvements. ML feedback will be crucial to improving detection accuracy and reducing false positive detections.

Support Remediation “Reason”

Secure_and_Govern_Issue_Remediation_Improvements_1.jpeg

  • Select “Dismiss” or “Dismiss this Occurrence”. The dismiss issue modal appears.

    Secure_and_Govern_Issue_Remediation_Improvements_2.jpeg

  • Select Reason: “Expected Behavior” or “Other”

    “Expected Behavior” should be selected for false positive detections

  • Enter comments

    Secure_and_Govern_Issue_Remediation_Improvements_3.jpeg

  • Select “Dismiss” to dismiss the issue. The issue is dismissed

    Secure_and_Govern_Issue_Remediation_Improvements_4.jpeg

Milestone 2 - Completed

Egnyte Secure & Govern now supports “Dismiss” status for Unusual Access and Suspicious Login issues. Prior to the 17.9 release, Unusual Access and Suspicious Login issues would be removed from the issues view entirely. Now these issue types will be moved to “Dismissed” status, the same as all other issue types, for Administrators to review at a later date or reopen.

In order to support this behavior, the issue creation process, for Unusual Access and Suspicious Login issues, also needed to be updated. The original and new issue creation processes are described below.

Original Issue Creation Process

  • Issues are generated on a per user basis
  • New detections, for the same user, use the same issue number and are recorded individually under the issue details

    Secure_and_Govern_Issue_Remediation_Improvements_11.png

  • As you can see in the screenshot above, multiple detections, for the same user, occurring on different days are captured within a single issue

New Issue Creation Process

  • Issues are generated on a per user basis
  • New detections, for the same user, will be generated using a new issue number. Unusual Access and Suspicious Logins will look like the following. No past detections will appear.

Unusual Access:

Secure_and_Govern_Issue_Remediation_Improvements_13.png

Suspicious Logins:

Secure_and_Govern_Issue_Remediation_Improvements_14.png

  • As you can see in the screenshots above, one issue, per user, will be used to capture detections on a daily basis.

Initially the new issue creation process could lead to more Unusual Access and Suspicious Login issues. However, “Dismiss” status support will allow for the proper remediation of these issue types and offset the potential increase in issues created.

Reopen a Dismissed Issue

  • Go to filters, on the far left side of the issues view, and select “Dismissed” under the Issue Status filter

    Secure_and_Govern_Issue_Remediation_Improvements_15.png
  • Select the desired Suspicious Login or Unusual Access issue and select “Reopen”

    Secure_and_Govern_Issue_Remediation_Improvements_16.png

  • The issue will move to “Open” status for further review and remediation

“Dismissed” status is also supported for artifact-based Ransomware detections; it is still not supported for behavior/entropy-based Ransomware detections. This will be supported in Milestone 4.

Milestone 3 - Completed

The issue remediation workflow has been improved by introducing a new “In progress” status. Now when certain actions are taken on an existing “Open” issue, the issue will be moved from “Open” status to “In progress” status. Prior to the 18.4 release, “Deactivate User” and “Reset User Password” remediation actions would automatically resolve Unusual Access, Suspicious Login and Probable Ransomware issues which didn’t support the investigation process needed to properly resolve these event-based issues. The new workflow process now aligns and supports the required remediation steps by moving the issue from “Open” to “In progress” status. This allows Administrators to take the initial preventive actions (Deactivate User or Reset Password), complete the issue investigation process, take the necessary internal remediation steps and then close/resolve the issue. 

The following issue actions will move an “Open” issue to “In progress”:

  • Issue is delegated to a user
  • Deactivate User Account
  • Reset User Password
  • Whitelist File Extension
  • Restore Content

 

Issues can now be filtered using the following issue statuses: 

As part of the feature rollout, we have also renamed the “Fix” button to “Remediate”.

 

Key Milestones and Target Completion Dates

| Milestone | Description | Target Completion | Status |
|---|---|---|---|
| Milestone 1 | Enforce “Reason” when “Dismissing” issues to improve audit and provide ML feedback | December 2022 | Completed |
| Milestone 2 | Support “Dismiss” status for Unusual Access and Suspicious Login issues | January 2023 | Completed |
| Milestone 3 | Change ‘Fix’ to ‘Remediate’ and introduce “In progress” issue remediation status | April 2023 | Completed |
| Milestone 4 | Improve backend processing of Probable Ransomware issues | July 2023 | Completed |
| Milestone 5 | Improve issue updates by providing issue update reasons | Q4 2023 | TBD |
| Milestone 6 | Automatically assign user during issue remediation | Q1 2023 | TBD |
