Identity Finder Metrics

py (Newbie), posted 02 May 2012 at 4:01pm
I am trying to figure out a better way to get some useful metrics out of the Identity Finder Console, and the best I could come up with is a custom report based on Historical unprotected matches trends from the regularly scheduled scans.

My goal of this metric is to see that hopefully over time the number of findings will go down as they continue to be addressed by the user (if they are diligent in using IDF).

I found it difficult to run reports on items like actions (e.g. shred, secure, quarantine, ignore, etc.) because the user may not necessarily be using Identity Finder to perform those actions. For example, if the user deletes a file manually via the recycling bin instead of using Identity Finder's shred functionality, then it will never be reported to the console other than not showing up on a subsequent Identity Finder scan. Cases like these make it difficult to run good metrics from Identity Finder.

Anybody else trying to collect metrics on Identity Finder? If so, what kind of metrics are you collecting and how?

Identity Finder Team (Admin Group), posted 03 May 2012 at 7:45am
Hello - in version 6 of the Windows client and console (and Mac client to follow later) - there is a new feature that addresses the issue of users shredding or deleting files outside of Identity Finder.  Using this new feature, LiveMode, the results that exist when a search is completed will be automatically saved on the local machine (encrypted with a machine key so they cannot be opened on another computer) and at the start of the next search, files in those previous results will be checked for existence.  If they no longer exist, that information will be sent to the console and reflected in a new "Action" - "No longer exists" that can be reported upon (they are categorized as "Protected" matches).

dwoodruff (Groupie), posted 08 May 2012 at 4:50pm
Hi,

What we have been doing to work around the issue of users cleaning up matches outside of Identity Finder is to expire all match data older than 60 days via a service job. That way stale data will still exist but only for 60 days. To deal with historical accounting, I have a report job to export all match data once a week to CSV so that if I have a need to go back and see if a machine had any matches 6 months ago, I can. A caveat is that if you don't have regularly scheduled searches on all endpoints, you'll eventually end up with endpoints in the console showing 0 matches since the old data has expired. This is certainly just a hack though, and I am really looking forward to LiveMode!

As for metrics, I can't offer much insight as we are focusing mainly on the single point in time of what still needs to be cleaned up. For historical metrics, we're just using the dashboards that come out of the box.

Dan
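
Added example (not part of dwoodruff's post and not Identity Finder's own tooling): one way to trend the weekly CSV exports described above while handling the 60-day expiry caveat, so that an endpoint showing 0 matches only because its data expired is reported as stale rather than clean. The column names, endpoint names and sample rows are constructed assumptions, not the console's real export schema.

```python
import csv
import io
from datetime import date, timedelta

EXPIRY = timedelta(days=60)  # match-data retention window described in the post

# Constructed sample: three weekly exports concatenated into one CSV.
# Column names are assumptions, not the console's real export schema.
SAMPLE_EXPORTS = """\
export_date,endpoint,last_search,unprotected_matches
2012-03-05,HR-LT-01,2012-03-02,40
2012-03-05,FIN-PC-07,2012-03-01,12
2012-04-09,HR-LT-01,2012-04-06,18
2012-04-09,FIN-PC-07,2012-03-01,12
2012-05-07,HR-LT-01,2012-05-04,0
2012-05-07,FIN-PC-07,2012-03-01,0
"""

def load(text):
    """Parse export rows into typed records."""
    return [{
        "export_date": date.fromisoformat(r["export_date"]),
        "endpoint": r["endpoint"],
        "last_search": date.fromisoformat(r["last_search"]),
        "matches": int(r["unprotected_matches"]),
    } for r in csv.DictReader(io.StringIO(text))]

def status(row):
    """'stale' means the count reflects expired data, not remediation."""
    if row["export_date"] - row["last_search"] > EXPIRY:
        return "stale"
    return "clean" if row["matches"] == 0 else "open"

def weekly_totals(rows):
    """Map export_date -> (matches on freshly searched endpoints, stale endpoints)."""
    totals = {}
    for row in sorted(rows, key=lambda r: (r["export_date"], r["endpoint"])):
        total, stale = totals.get(row["export_date"], (0, []))
        if status(row) == "stale":
            stale = stale + [row["endpoint"]]
        else:
            total += row["matches"]
        totals[row["export_date"]] = (total, stale)
    return totals

if __name__ == "__main__":
    for day, (total, stale) in weekly_totals(load(SAMPLE_EXPORTS)).items():
        print(day, "unprotected:", total, "stale endpoints:", stale or "none")
```

In the constructed data, FIN-PC-07 drops to 0 in the last export only because its last search is more than 60 days old, so it is listed as stale instead of counting toward the downward trend.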

py (Newbie), posted 09 May 2012 at 10:28am
That does help. With 6.0 being planned for release soon, I would probably best just wait.

Looking forward to this "Live Mode" as well.

rwarner1 (Groupie), posted 12 Jul 2012 at 12:29pm
Hello All!

Live Mode sounds great! But is the file that is encrypted with the machine key and saved accessible to the user, or possibly an Admin User, or is it only readable through the client UI?

Reggie.

"For the things we have to learn before we can do them, we learn by doing them." - Aristotle

Identity Finder Team (Admin Group), posted 13 Jul 2012 at 9:00am
Hello - it can only be accessed through the client UI on the machine that created it.  An upcoming version will further restrict its access to the Windows user account that was logged in when it was created.