When a DLP Policy is violated, a SOC administrator is required to investigate each incident. Often, the admin doesn't have the context to resolve the incident immediately, and the admin must contact the user for more information. End User Remediation allows admins to involve users in the remediation process via email so they can provide information directly, which reduces the number of incidents that admins must investigate, and also educates the user on corporate DLP policies.
The End User Remediation email sent to the user includes information about the file, location where the violation occurred, and provides buttons that allow the user to respond directly. From the email, the user is logged into the End User Remediation application via SSO. On the Data Security Violation page, the user can provide information about the violation, mark it as a false positive, delete the offending file, or enter a business justification for the incident, all without admin intervention. On this page, the user can also view their Open Incidents and Resolved incidents on separate tabs.
After the incident is remediated, the admin can log into MVISION Cloud and review the user's actions in the Policy Incident Cloud Card.
To use End User Remediation, make sure the following prerequisites are configured:
- Enable SSO SAML. You can enable SSO and configure SAML for MVISION Cloud Users or for End-Users.
  - MVISION Cloud Users. For details, see Configure MVISION Cloud Login for SSO. For End User Remediation, make sure to authorize all users, not just admin users. If you only have basic authentication for the MVISION Cloud dashboard, End User Remediation cannot be enabled.
  - End-Users. Enable SSO and configure SAML for end users if you have enabled End User Input for Policy Incidents.
- Configure data storage for remediation. (McAfee data storage cannot be used for End User Remediation.) This is required because users can leave justification notes in free text with each incident. All data on the data storage is encrypted. For details, see Data Storage.
- In Policy Settings > Policy Incident Remediation, make sure End-User Input is enabled.
- Create a DLP Policy with the Response of Default End User Remediation. (See example in the following sections.)
- Configure an Email Template to be sent to the user from the category End User Remediation.
- Tokenization should not be enabled with End User Remediation.
Example End User Remediation Workflow
To use this example, make sure your Policy Settings > Policy Incident Remediation > End-User Input selections are set to:
- Low Severity incidents set to Change Status to Resolved.
- Medium Severity incidents set to Change Status to Opened.
- High Severity incidents set to Don't Update Status.
DLP Policy Example
Create a DLP policy with the following details:
- Go to Policy > DLP Policies > DLP Policies.
- From Actions > Create New Policy.
- Configure a Credit Card Number DLP policy:
  - Name. Credit Card Data
  - Services. Select SharePoint, Exchange, and OneDrive.
  - Type. API.
  - Active. ON.
- Create two rules:
  - Severity High > Data Identifier Credit Card Number > Match Count 10.
  - Severity Low > Data Identifier Credit Card Number > Match Count 1.
- Configure the Response per the image below.
  - If Low severity then User Email Notification Using Default End User Remediation.
  - If High severity then Delete using Default End User Remediation.
  - If Medium severity then Quarantine using Default End User Remediation.
- Click Save.
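The following Python script is an added illustration, not MVISION Cloud code, that models how the example policy above and the End-User Input settings from the previous section combine before you deploy them: it counts Credit Card Number matches in a document, picks the severity from the two match-count rules, maps severity to the configured response, and then applies the End-User Input status change a user's response would trigger. The regex plus Luhn check stands in for the product's Credit Card Number data identifier, the rule that the highest-severity matching rule wins is an assumption (the page does not state how overlapping rules are resolved), and all sample documents and card numbers are constructed test data.

```python
import re

# Matches 16-digit numbers with optional space or dash separators (stand-in for the
# product's Credit Card Number data identifier, which is an assumption of this example).
CARD_RE = re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def with_check_digit(partial: str) -> str:
    """Append the Luhn check digit to a 15-digit string (constructed test data only)."""
    for c in "0123456789":
        if luhn_valid(partial + c):
            return partial + c
    raise ValueError("no check digit found")  # unreachable: exactly one digit works


def count_credit_cards(text: str) -> int:
    """Count candidate card numbers that also pass the Luhn check."""
    return sum(
        1 for m in CARD_RE.finditer(text) if luhn_valid(re.sub(r"[ -]", "", m.group()))
    )


# Rules from the page's example policy: (severity, minimum match count).
RULES = [("High", 10), ("Low", 1)]
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}

# Response per severity from the page's example policy.
RESPONSES = {"Low": "User Email Notification", "Medium": "Quarantine", "High": "Delete"}

# End-User Input settings from the page's example; None means "Don't Update Status".
END_USER_INPUT_STATUS = {"Low": "Resolved", "Medium": "Opened", "High": None}


def evaluate_policy(text: str):
    """Return the match count, severity and response for a document, or None if no rule fires."""
    count = count_credit_cards(text)
    matched = [sev for sev, threshold in RULES if count >= threshold]
    if not matched:
        return None
    # Assumption: when several rules match, the highest severity wins.
    severity = max(matched, key=SEVERITY_RANK.__getitem__)
    return {"match_count": count, "severity": severity, "response": RESPONSES[severity]}


def status_after_user_response(severity: str, current_status: str = "Opened") -> str:
    """Apply the End-User Input setting once the user has responded to the email."""
    new_status = END_USER_INPUT_STATUS[severity]
    return current_status if new_status is None else new_status


# Constructed sample documents.
LOW_DOC = (
    "Expense note: card 4111 1111 1111 1111 was used for the hotel. "
    "The malformed value 4111111111111112 fails Luhn and is not counted."
)
HIGH_DOC = ", ".join(with_check_digit(f"4012{i:011d}") for i in range(10))
CLEAN_DOC = "Quarterly summary with no payment data."


if __name__ == "__main__":
    for name, doc in [("low", LOW_DOC), ("high", HIGH_DOC), ("clean", CLEAN_DOC)]:
        result = evaluate_policy(doc)
        if result is None:
            print(f"{name}: no incident")
            continue
        after = status_after_user_response(result["severity"])
        print(f"{name}: {result} -> status after user response: {after}")
```

Running the script shows why the example settings pair a Low incident with an email notification that the user can close out (status becomes Resolved) while a High incident keeps its status even after the user provides a justification, so the admin still reviews it in the Policy Incidents Cloud Card.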
End User Remediation
- When a policy violation triggers an email to the user, the email includes information about the violation, instructions, and buttons for the end user to respond in MVISION Cloud. In this email example, the user clicks Provide Business Justification.
- The user is logged into the End User Remediation application via SSO.
- On the Data Security Violation page, the user can select the response on the Open Incident tab. In this example, the user will:
  - Enter a description.
  - Select Provide Business Justification.
  - Click Submit.
- On the Data Security Violation page, the incident now appears on the Resolved incidents tab.
- Back in the user's email account, when the user tries to access the file that violated the DLP policy, they see a message that the file was deleted, quarantined, or otherwise handled according to the configured response.
Policy Incidents Page
An admin can see the results of the end user remediation actions in the Policy Incidents page.
- In the MVISION Cloud dashboard, go to Incidents > Policy Incidents.
- Find and select the appropriate policy violation.
- In the Policy Incidents Cloud Card, you see:
  - Incident Status is Resolved > Per End User Remediation Policy.
  - Collaborators are listed.
  - Business Justification has the user's justification.