What does Spirion do exactly?
Spirion’s endpoint application scans the endpoint for potential restricted or sensitive data, collates the results, and sends the results to the console (and potentially the endpoint user) in an encrypted format. It is possible to take actions through the application such as shredding files, ignoring false positives, or quarantining files.
How long will a Scan take?
Scan time depends on the scan configuration (locations scanned, file types scanned, match types scanned for), the computer's hard drive, and its processing power. Scans can take from 1 minute to several hours depending on these variables. Typically, scans on a workstation take 1 - 3 hours if configured appropriately (not scanning system files and Appdata). Most servers take 6 - 12 hours to scan, so the most common practice is to run the scan overnight or on a weekend.
File servers, databases, and other large storage spaces take longer to scan and require more processing power than the machine you need to scan. Scanning on this scale requires a Discovery Team, a group of computers working together, to complete the scan. As of this writing, the Office of Cybersecurity initiates scans that require a Discovery Team. If you need to scan a large server or database, send an email to cybersecurity@cio.wisc.edu with the subject line of either "Spirion Database Scan" or "Spirion Scan of Large Server" as appropriate.
*The new macOS requires an advanced installer that became available 12/1/2023. Check the date on your installer before using it on a Mac that runs Sonoma.
How do I go about getting set up with Spirion?
Please reach out to us at cybersecurity@cio.wisc.edu if you’d like to get set up on the Spirion Console and obtain installers for your IT department.
What is the console URL?
The URL for the administrative console is datadiscovery.cybersecurity.wisc.edu.
It's too good to be true. Are there any disadvantages of doing this?
Without proper configuration, such as filepath exclusions, Spirion will often flag numerous false positives. The IT administrator can fix this by adjusting their policies to exclude system files, Appdata, and program files from the search. Please feel free to reach out to us at cybersecurity@cio.wisc.edu if you have any questions regarding this process.
What are my options if I find what appears to be Sensitive Data in a search?
Your first step should be to verify whether the sensitive data is legitimate. Examine the filepath for the match. If the filepath for the file with the match is in the System or Appdata folder, it is likely a false positive. However, if the filepath leads to a user's data file, it is likely to indicate sensitive data. Best practice in most cases is to coordinate with the end user to determine whether the file is sensitive/restricted, and whether the data is needed for business purposes. Depending on those factors, the next step may be to delete the data or move it to a secure encrypted drive.
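The filepath check described above, and the exclusion tuning mentioned in the earlier answer on false positives, can be scripted over a list of match paths. This is an added example, not part of Spirion or of this FAQ's original text: the function names are hypothetical, the folder list is an assumption based on the folders this FAQ names, and the sample paths are constructed. It compares whole path components, so a user folder that merely contains "Windows" or "AppData" in its name still goes to review.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Assumption: top-level folders treated as "system files" / "program files".
NOISE_ROOTS = {"windows", "program files", "program files (x86)"}

def noise_bucket(path):
    """Return the noise location a match path falls under, or None."""
    # PureWindowsPath parses Windows paths on any OS; compare case-insensitively.
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    # parts[0] is the drive or UNC share; parts[1] is the top-level folder.
    if len(parts) > 1 and parts[1] in NOISE_ROOTS:
        return parts[1]
    # Per-user profile data: C:\Users\<name>\AppData\...
    if len(parts) > 3 and parts[1] == "users" and parts[3] == "appdata":
        return "user appdata"
    return None

def triage(paths):
    """Split match paths into ones to review with the end user and a count
    of likely false positives per location (candidates for exclusion)."""
    review, noise = [], Counter()
    for p in paths:
        bucket = noise_bucket(p)
        if bucket is None:
            review.append(p)
        else:
            noise[bucket] += 1
    return review, noise

# Constructed sample match paths (not real scan output).
SAMPLE = [
    r"C:\Windows\System32\config\telemetry.dat",
    r"C:\Program Files\Vendor\app\cache.db",
    r"c:\users\alice\appdata\Local\Temp\9f3a.tmp",
    r"C:\Users\alice\Documents\AppData_backup\payroll.xlsx",
    r"C:\Users\bob\Desktop\Windows\tax-forms.pdf",
    r"\\fs01\dept\HR\roster.csv",
]

if __name__ == "__main__":
    review, noise = triage(SAMPLE)
    print("Review with end user:", *review, sep="\n  ")
    print("Likely false positives by location:", dict(noise))
```

The noise counts show which excluded locations would remove the most false positives; the review list is what still needs a conversation with the end user.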
Can I schedule recurring scans? Can I set scans to search for different data types depending on the endpoints being scanned?
You can schedule scans to run on a one-time, daily, weekly, or monthly basis. Results from these scans will come in to the console as they complete. You can create policies to apply to specific endpoints or endpoint tags, which allows you to change the types of data that scans on those machines search for. This can be useful if you have a subset of machines in your environment that are more likely to handle restricted data: you can set the scans to search for additional data types that you wouldn’t necessarily want to search for across your entire environment.
Hey! I’m certain this match is a false positive!
If you believe a match to be a false positive, you can choose to ignore it (either within the Endpoint Application or from within the Console). If you wish to prevent this match from occurring on other machines, you could add the filepath to the list of excluded search locations in your search policy as defined in the console.
Will the endpoint agent consume a lot of resources on users' endpoints?
Generally, the endpoint client uses minimal resources, but significant processing power is used when a scan is running. Users who worked with Spirion 11 or older versions remember a major impact on computer performance during a scan, but this does not happen with Spirion 12. The new version uses only resources that are not needed for user activity, so there is no impact on performance. When the user is doing processor-intensive work, the scan will slow significantly and may stop, but will resume when resources are available.
Will DoIT Cybersecurity staff be able to see any sensitive information or restricted data found on my endpoints?
DoIT Cybersecurity can see the same items that you can see in the console. For this reason, and others, we do not recommend configuring your policies to send full matches to the console (there is an option to send partial matches and one to send no match, just the match file location).
What if I have additional questions?
If you have additional questions, please email us at cybersecurity@cio.wisc.edu.