Spirion (Identity Finder) - Administrator FAQ
This document contains frequently asked questions for the Spirion endpoint application and console.
- What does Spirion do exactly?
Spirion’s endpoint application scans the endpoint for potential restricted or sensitive data, collates the results, and sends the results to the console (and potentially the endpoint user) in an encrypted format. It is possible to take actions through the application such as shredding files, ignoring false positives, or quarantining files.
- How long will a Scan take?
Scan time will change depending on the scan configuration (locations scanned, file types scanned, match types scanned for), the computer hard drive, and processing power. Scans can take from 1 minute to several hours depending on the above variables. Typically, scans on a workstation take less than an hour if configured appropriately (not scanning system files and Appdata). Most servers take 6 - 12 hours to scan, so the most common practice is to run the scan overnight or on a weekend.
File servers, databases, and other large storage spaces take longer to scan, and require more processing power than the machine you need to scan. Scanning on this scale requires a Discovery Team, a group of computers working together, to complete the scan. As of this writing, the Office of Cybersecurity initiates scans that require a Discovery Team. If you need to scan a large server or database, send an email to firstname.lastname@example.org with the subject line of either "Spirion Database Scan" or "Spirion Scan of Large Server" as appropriate.
- What Operating Systems are compatible with Spirion?
- Windows 8.1
- Windows 10
- Windows Server 2012 R2, 2016, 2019
- macOS 11 Big Sur: limited functionality
- macOS 10.15: Catalina
- macOS 10.14: Mojave
- macOS 10.13: High Sierra
- macOS 10.12: Sierra
- OS X 10.11: El Capitan
- OS X 10.10: Yosemite
- OS X 10.9: Mavericks
- Red Hat Enterprise 64 Bit, versions 5.1 and later
- How do I go about getting set up with Spirion?
Please reach out to us at email@example.com if you’d like to get set up on the Spirion Console and obtain installers for your IT department.
- What is the console URL?
The URL for the administrative console is datadiscovery.cybersecurity.wisc.edu.
- It's too good to be true. Are there any disadvantages of doing this?
Without proper configuration, such as filepath exclusions, Spirion will often flag numerous false positives. The IT administrator can fix this by adjusting their policies to exclude system files, appdata, and program files from searches. Please feel free to reach out to us at firstname.lastname@example.org if you have any questions regarding this process.
- What are my options if I find what appears to be Sensitive Data in a search?
Your first step should be to verify whether the sensitive data is legitimate. Examine the filepath for the match. If the filepath for the file with the match is in the System or Appdata folder, it is likely a false positive. However, if the filepath seems to lead to a legitimate file containing Sensitive Data, it is best to coordinate with the end user to determine whether the file is real, and to take next steps going forward. Some of these steps might include deleting the data or moving it to a secure encrypted drive.
- Can I schedule recurring scans? Can I set scans to search for different data types depending on the endpoints being scanned?
You can schedule scans to run on a one-time, daily, weekly, or monthly basis. Results from these scans will come in to the console as they complete. You can create policies to apply to specific endpoints or endpoint tags – which allows you to change the types of data that scans on those machines search for. This can be useful if you have a subset of machines in your environment that are more likely to handle restricted data – you can set the scans to search for additional data types that you wouldn’t necessarily want to search for across your entire environment.
- Hey! I’m certain this match is a false positive!
If you believe a match to be a false positive you can select to ignore it (either within the Endpoint Application or from within the Console). If you wish to prevent this match from occurring on other machines you could add the filepath to the list of excluded search locations in your search policy as defined in the console.
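The filepath check described in the two answers above can be applied to a batch of match locations before contacting end users. The following is an added example, not Spirion code and not the console's export format: the folder names, function names and sample paths are assumptions made for illustration.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Top-level folders treated as system or program files (assumed Windows
# layout; the names are this example's choice, not a list from Spirion).
SYSTEM_ROOTS = {"windows": "system files",
                "program files": "program files",
                "program files (x86)": "program files"}

def classify(match_path):
    """Return an exclusion category, or None if a person must review the path."""
    p = PureWindowsPath(match_path)
    # Only local drive-letter paths are auto-classified; shares go to review.
    if not p.drive.endswith(":"):
        return None
    parts = [s.lower() for s in p.parts[1:]]  # drop the drive anchor
    if not parts:
        return None
    if parts[0] in SYSTEM_ROOTS:
        return SYSTEM_ROOTS[parts[0]]
    # Per-user profile data: Users\<name>\AppData\... (compared by path
    # component, so a folder merely named "AppData notes" is not matched).
    if parts[0] == "users" and len(parts) > 3 and parts[2] == "appdata":
        return "appdata"
    return None

def triage(match_paths):
    """Split paths into likely false positives (counted by category)
    and paths that need follow-up with the end user."""
    noisy, review = Counter(), []
    for path in match_paths:
        category = classify(path)
        if category:
            noisy[category] += 1
        else:
            review.append(path)
    return noisy, review

# Constructed sample paths, not real scan output.
SAMPLE = [
    r"C:\Windows\System32\config\sample.dat",
    r"c:\users\jdoe\appdata\Local\Temp\cache_0001.tmp",
    r"C:\Program Files (x86)\Vendor\app\strings.xml",
    r"C:\Users\jdoe\Documents\AppData notes\roster_2019.xlsx",
    r"D:\Shares\HR\payroll_export.csv",
]

if __name__ == "__main__":
    noisy, review = triage(SAMPLE)
    print("Candidate exclusion categories:", dict(noisy))
    print("Review with end user:", *review, sep="\n  ")
```

Categories with high counts are the ones worth adding to the excluded search locations in the policy; everything in the review list still needs the verification step with the end user.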
- Will the endpoint agent consume a lot of resources on users' endpoints?
Generally, the endpoint client consumes minimal resources, but resource intensity can increase greatly when a scan is running. This is particularly noticeable on older, less powerful machines – on new machines there is generally little to no performance impact during scans. There are settings you can configure to reduce resource consumption, but this will increase scanning time. Often, a better option is to leave the machine to run a scan overnight, or at another time when resources are not otherwise in use.
- Will DoIT Cybersecurity staff be able to see any sensitive information or restricted data found on my endpoints?
DoIT Cybersecurity can see the same items that you can see in the console. For this reason, and others, we do not recommend configuring your policies to send full matches to the console (there is an option to send partial matches and one to send no match, just the match file location).
- What if I have additional questions?
If you have additional questions, please email us at email@example.com.