Respond Config: Obfuscate Private Data

Document created by RSA Information Design and Development on Sep 13, 2017. Last modified by RSA Information Design and Development on Oct 6, 2017.
Version 8

The Data Privacy Officer (DPO) role can identify meta keys that contain sensitive data and should display obfuscated data. This topic explains how the administrator maps those meta keys to display a hashed value instead of the actual value.

The following caveats apply to hashed meta values:

  • NetWitness Suite supports two storage methods for hashed meta values, HEX (default) and string.
  • When a meta key is configured to display a hashed value, all security roles see only the hashed value in the Incidents module. 
  • You use hashed values the same way you use actual values. For example, when you use a hashed value in rule criteria the results are the same as if you used the actual value.

This topic explains how to obfuscate private data in NetWitness Respond. Refer to the Data Privacy Management Overview topic in the Data Privacy Management guide for additional information about data privacy.

Mapping File to Obfuscate Meta Keys

In NetWitness Respond, the mapping file for data obfuscation is data_privacy_map.js. In this file, you type an obfuscated meta key name and map it to the actual meta key name.

The following example shows the mappings to obfuscate data for two meta keys, ip.src and user.dst:

'ip.src.hash' : 'ip.src',
'user.dst.hash' : 'user.dst'

You determine the naming convention for obfuscated meta key names. For example, ip.src.hash could be ip.src.private or ip.src.bin. You must choose one naming convention and use it consistently on all hosts.

Prerequisites

  • DPO role must specify which meta keys require data obfuscation.
  • Administrator role must map meta keys for data obfuscation.

Procedure

  1. Open the data privacy mapping file:
    /var/lib/netwitness/respond-server/scripts/data_privacy_map.js
  2. In the obfuscated_attribute_map variable, type the name of a meta key to hold obfuscated data. Then map it to the meta key that does not contain obfuscated data according to this format:
    'ip.src.hash' : 'ip.src'
  3. Repeat step 2 for every meta key that should display a hashed value. 
  4. Use the same naming convention as in step 2 and use it consistently on all hosts.
  5. Save the file.
    All mapped meta keys will display hashed values instead of actual values.
    In the following figure, a hashed value displays for the destination IP address in the Event Details:
    [Figure: Incident Details view, Event Details panel showing the destination IP address hashed]

    New alerts will display obfuscated data.

Note: Existing alerts still display sensitive data. This procedure is not retroactive.
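
A consistency check for the mappings from the procedure above, as an added example that is not part of the RSA documentation or product code. It assumes each host's obfuscated_attribute_map has been loaded as a plain object and that the naming convention is the actual meta key name plus a dot-separated suffix, as in ip.src.hash; the host names and the list of required keys are constructed sample input.

```javascript
// Added example, not RSA code. Assumed convention: "<actual meta key>.<suffix>".
function checkObfuscationMaps(hostMaps, requiredKeys) {
  const findings = [];
  const suffixHosts = new Map(); // suffix -> Set of hosts that use it

  for (const [host, map] of Object.entries(hostMaps)) {
    const mapped = new Set();
    for (const [obfuscated, actual] of Object.entries(map)) {
      if (mapped.has(actual)) {
        findings.push(`${host}: '${actual}' is mapped more than once`);
      }
      mapped.add(actual);
      if (!obfuscated.startsWith(actual + '.')) {
        findings.push(`${host}: '${obfuscated}' is not '${actual}' plus a suffix`);
        continue;
      }
      const suffix = obfuscated.slice(actual.length);
      if (!suffixHosts.has(suffix)) suffixHosts.set(suffix, new Set());
      suffixHosts.get(suffix).add(host);
    }
    // Every key the DPO flagged must be mapped on every host.
    for (const key of requiredKeys) {
      if (!mapped.has(key)) findings.push(`${host}: no mapping for '${key}'`);
    }
  }
  // One convention for the whole deployment, not one per host.
  if (suffixHosts.size > 1) {
    const used = [...suffixHosts.keys()].sort().join(', ');
    findings.push(`mixed naming conventions across hosts: ${used}`);
  }
  return findings;
}

// Constructed sample input: host names and the required-key list are hypothetical.
const requiredKeys = ['ip.src', 'user.dst'];
const consistent = {
  'respond-a': { 'ip.src.hash': 'ip.src', 'user.dst.hash': 'user.dst' },
  'respond-b': { 'ip.src.hash': 'ip.src', 'user.dst.hash': 'user.dst' }
};
const drifted = {
  'respond-a': { 'ip.src.hash': 'ip.src', 'user.dst.hash': 'user.dst' },
  'respond-b': { 'ip.src.private': 'ip.src' }
};

console.log(checkObfuscationMaps(consistent, requiredKeys));
console.log(checkObfuscationMaps(drifted, requiredKeys));
```

A missing mapping is the finding that matters most for privacy: that meta key keeps displaying its actual value on the host in question.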
