By accessing the Anomaly Detection app, you have already established the timeline for the cyber attack. You are already aware that the attackers have encrypted files for Haverford. The legal team would like to know what kind of sensitive information the attackers have access to and encrypted.
To get started, navigate to Sensitive Data from the top ribbon (A).
Click haverford-webapp-01 (B).
Click Sensitive hits to change the order from ascending to descending (C).
You will observe that there are 0 sensitive files at this moment.
Now, let's change the snapshot to before the attack. From the dropdown menu for time, select the 1st snapshot (be sure to select the first day and first time for the snapshot).
You can see that there were sensitive files present in the var folder, which the attackers have now encrypted!
You can download the list of files with hits by using the Download CSV For Files With Hits button on the top right.
Now you have provided the legal and compliance team with the ammunition to get to the bottom of the data access issues.
With Sensitive Data Monitoring, there is no additional lift to get access information.
There is no impact on production data or the performance of the system.
The same app can scan tens to hundreds of objects protected by Rubrik.
Having access to this kind of information is invaluable. Keeping track of where you have sensitive data in your environments means that you can take the actions required to secure it - maybe you need to move it to secure locations in your filesystems, or maybe you shouldn't be holding that data at all. Visibility into the what and where of sensitive data is a major challenge.
You can now create a report for the legal team, so they know what sensitive data is held, where it resides, and who has access to it.
Navigate to Objects, then select zaffre-webapp-01.
From this screen, click Download CSV For Files With Hits, and you'll notice that Rubrik creates the file in the background for you.
When it's ready, you can click the Download button to download the file.
You can also create a more in-depth report by using the Reports function. Browse there now.
Click Create Report.
To the left of the screen, you can see the various types of workloads that Sensitive Data Discovery can analyze: vSphere, AHV, and Hyper-V VMs, as well as NAS, Windows, and Linux filesets. You can also select across multiple Rubrik CDM clusters. Finally, at the bottom, you can select from the policies defined in this environment.
Create a report for vSphere VMs (A), on the Rubrik-Demo1 cluster (B), for US Financial, PCI-DSS, and GLBA (C). Click Create (D).
Once this report is saved, click on the ellipsis button. Generate and download the PDF, which you can ship to the legal team!
You can download sensitive data reports, which can be used by the legal and compliance team!
From the Sensitive Data Monitoring dashboard, you can see at a high level what the tool has discovered. On the top row, we can see a summary of all the sensitive files over the past 7 days.
Next, on the top right, the Open Access card displays the summary of files with open access. You can click here to get info on sensitive data stored in files with no access restrictions.
The bottom row, with the Top Risk Objects card, displays the top hits by policy and the top risk objects.
Without any deep introspection, you can now know the scope of access to sensitive data.
The Legal and Compliance department wants to understand whether the attackers have exfiltrated or had access to any customer information such as PII or PCI data containing credit card info. They want to know whether you can help them identify if the attackers have access to any sensitive data.
You have access to the Rubrik Enterprise edition, so let's start with Sensitive Data Monitoring to see how you can help the Legal team.
As organizations adopt a hybrid model for their infrastructure, they grapple with massive data fragmentation, making it impossible to know where sensitive data resides. At the same time, the increasing risk of data privacy breaches and non-compliance with regulations can impose serious financial penalties. Sensitive Data Monitoring is an application in the Rubrik Security Cloud that discovers, classifies, and reports on sensitive data without any impact on production. By leveraging their existing Rubrik deployments, customers get up and running in just a few minutes with zero additional infrastructure required.
Sensitive Data Monitoring is available in the Rubrik Security Cloud as an application.
If you haven't already connected to the Rubrik Security Cloud, head back to the lab environment.
Once you're logged in, click the app-tray icon in the top right of the user interface, then select Data Security Posture.
On the left side of your screen, click the Analyzers tab. You can see all of the predefined analyzers that Rubrik includes.
As you can see, there are multiple predefined analyzers, and Rubrik keeps adding new ones quite frequently.
Remember: although Sensitive Data Discovery & Monitoring is a SaaS service that is managed in the cloud, the data scanning occurs on your CDM cluster, so no data ever leaves your control.
You've now seen that Sensitive Data Monitoring can help identify where sensitive data resides in your environment during war and peace. You may need to keep track of many different types of data, and Rubrik ships with a number of policies available out of the box to search for these. Click on the Policies tab at the top of the dashboard.
Policies define the data types you want to identify, and they're built from one or many Analyzers.
You can click through one of the predefined policies to see which objects are covered by this policy or which Analyzers are used by this policy.
You can click back to the Management tab at the top of the screen to look at the building blocks of policies: Analyzers.
Well, after the cyber incident response, you shouldn't be surprised to receive a call from the Legal and Compliance teams during business-as-usual times. The compliance team never sleeps! With so much data, they always need to ensure that ZFG complies with the required regulatory bodies and that files do not have open access.
Let's look at how you can use the same tool to keep your legal and compliance team happy.
Click Sensitive Data from the top ribbon. Click Windows File Share > C > File Shares.
You will have noticed that the Departments, HR Share, and Public share folders have open access and sensitive hits. Click HR Share (A). You can drill down to find the exact affected object and what kind of violations the object has, along with which users have access to the files (B).
From the top right, download the files with hits. You can attach this file, which lists all the files that have sensitive hits and/or open access.
One thing is for sure: HR shares should never be accessible to everyone!
With open access to files, especially sensitive data, you are exposing your data to attackers and failing compliance mandates.
Based on the report, you can select the proper access control and location of sensitive data to protect your ZFG assets!
Sensitive Data Monitoring can be used in war and peace times without additional agents and on the backup data without affecting your production environment!
Every business is different and has different needs, so Rubrik also provides you with the tooling to build your own Analyzers and Policies. Let's take a look at how that works.
Click Add Analyzer. Choose whether to specify the patterns you're looking for with a regular expression or with a dictionary, enter the pattern itself (the regex or the set of dictionary words; for example, see below), and give your Analyzer a name. Click Add.
You now see your newly created custom Analyzer in the list for selection, but you'll notice that it's not associated with any policies. Click back to the Policies tab to add a new, custom Policy and tie your custom Analyzer in.
Navigate to Policies. Click Create Policy. Select any number of Predefined analyzers, as well as your Custom analyzer, then click Next.
Name your policy, and optionally add a description. Confirm that you're using the Analyzers that you want to use, then click Next.
Select the objects that you want to scan with this new policy. In this lab, all objects are vSphere VMs but notice the other object types that can also be scanned. Check the boxes for each object that you wish to scan. Select the Rubrik-Demo1 cluster, then click Next.
Confirm that the objects you wish to scan with this new policy are correct, then click Confirm.
A complete initial analysis will automatically take place on the objects you specified, in line with the newly defined custom Analyzer and Policy. Progress of this scan can be monitored on the Policies dashboard.
This might take a short while, so move on to the next section - you can come back and check on this later in the lab.
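To make the building blocks of this section concrete, here is an added Python model (not Rubrik's code or scanning engine) of what a custom Analyzer (regex or dictionary) and a Policy built from several Analyzers do when run over a set of objects. The file paths, the sample contents and the `SAMPLE_OBJECTS`/`CUSTOM_POLICY` names are constructed for the example; the PCI analyzer adds a Luhn post-check so that arbitrary 16-digit numbers are not counted as card-number hits.

```python
import re
from dataclasses import dataclass
from typing import Callable

# Constructed model: an Analyzer matches a regex or a word dictionary; a Policy is
# the list of Analyzers run over the selected objects. Not Rubrik's own engine.

@dataclass
class Analyzer:
    name: str
    pattern: re.Pattern
    validate: Callable[[str], bool] = lambda _: True  # optional post-check on a match

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random 16-digit strings that only look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def dictionary_analyzer(name: str, words: list) -> Analyzer:
    alt = "|".join(re.escape(w) for w in words)  # whole-word, case-insensitive terms
    return Analyzer(name, re.compile(rf"\b(?:{alt})\b", re.IGNORECASE))

def scan(objects: dict, policy: list) -> dict:
    """Return {object_path: {analyzer_name: hit_count}}, omitting clean objects."""
    report = {}
    for path, text in objects.items():
        hits = {}
        for a in policy:
            n = sum(1 for m in a.pattern.finditer(text)  # strip separators before validating
                    if a.validate(re.sub(r"[ -]", "", m.group())))
            if n:
                hits[a.name] = n
        if hits:
            report[path] = hits
    return report

# Constructed sample contents standing in for files inside scanned backup snapshots.
SAMPLE_OBJECTS = {
    "/var/www/uploads/orders.csv": "card 4111 1111 1111 1111; card 4111-1111-1111-1112",
    "/var/www/uploads/hr_notes.txt": "Employee SALARY review and payroll adjustments",
    "/var/www/html/index.html": "<html>welcome</html>",
}
CUSTOM_POLICY = [
    Analyzer("Credit Card (PCI)", re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"), luhn_ok),
    dictionary_analyzer("HR Terms", ["salary", "payroll", "termination"]),
]
```

Calling `scan(SAMPLE_OBJECTS, CUSTOM_POLICY)` reports one validated card number in orders.csv (the second fails the Luhn check) and two HR-term hits in hr_notes.txt, while the clean HTML file is left out of the report.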