8e6 Technologies ER HL/SL manual Use Enterprise Reporter to conduct an investigation

CONFIGURE, TEST THE ENTERPRISE REPORTER USE ENTERPRISE REPORTER TO CONDUCT AN INVESTIGATION

Use Enterprise Reporter to conduct an investigation

Once custom category groups and user groups have been created, administrators can begin running their first reports. In most cases, administrators will employ the Enterprise Reporter as a forensic tool to determine if anomalous Internet behavior exists in their organization. In order to facilitate this process, the Enterprise Reporter menu structure is organized to follow the normal process flow of an inves- tigation.

1.First, the administrator is greeted with a dashboard of high-level reports called “Canned Reports.” By viewing these canned reports, an administrator can quickly determine if there is any anomalous behavior that needs investigation.

For example, a high level of spyware site activity might be found under a specific username, or a high rate of traffic identified in the “PornographyAdult Content” category. If something is detected that warrants further investigation, one would then proceed to the “Drill Down Report” section.

2.The next stage of the investigation is to select the Drill Down Report menu. The Drill Down Report is a multi-dimensional database that allows the user to drill down to the source of any Internet threat.

For example, if there is unusually high page count in the “Pornography/Adult Content” category, the administrator can drill down into the Category/User section to determine who is viewing this material. Once a specific end user is identified, the administrator can then delve into the detail page view section to see the exact pages that end user has been visiting.

This detailed information provides a wealth of information on the exact time the page was visited, the user’s IP address, whether the site was blocked by the R3000 filter, how it was blocked (e.g. in URL library, blocked keyword, proxy pattern blocking, etc), and the full-length URL. By viewing this detail, the admin- istrator can obtain an accurate gauge of the user’s intent—whether the user repeatedly attempted to go to a forbidden site or whether it was an isolated inci- dent.

3.The last stage of an investigation is to document the long-term activity of a policy violator, since most organizations require more than one or two events to reprimand a user. Once the administrator determines the name of the user and the Web sites visited in the Drill Down Report, the next step is to run a custom report. The administrator can run a specific search of the policy violator for a custom time period by selecting the Custom Report Wizard option in the Custom Reports menu. When generating this report, a custom time scope, specific category, and name of a specific end user can be specified.

As an example, the administrator would probably run a custom report for the policy violator by specifying the category “Pornography/Adult Content” and all activity within that category within the last month. The administrator can then save a PDF version of the report for documentation purposes. This custom report provides the necessary forensic information to support any internal repri- mand and to protect the organization in the event the incident goes to court.

To summarize, the aforementioned steps were provided to give the user a most- likely use case for the 8e6 Enterprise Reporter. The next section provides a more in-depth view of how to navigate within each of the main sections of the Enterprise Reporter: Canned Reports, Drill Down Reports, and Custom Reports.