Securing data when de-commissioning EDR

Article ID: 244849


Updated On:

Products

Advanced Threat Protection Platform, Endpoint Detection and Response, Endpoint Detection and Response Hardware

Issue/Introduction

We are in the process of decommissioning the EDR appliances. Ideally, we would like to remove all data before turning off the appliances.

 

Environment

Release : 4.3.0

Component :

Resolution

  1. In the EDR UI, on the Settings > Global page, remove each SEPM Controller connection, then remove each SEP DB connection. Waiting 24 hours after doing so will remove the SEP client data.
  2. In the EDR UI, on the Settings > Global page, delete every other setting except for DNS and IP address.
  3. After removing the SEPM Controller connections and SEP DB connections, which prevents new events from entering the event database, leave the EDR VM or physical machine booted up and running. EDR will automatically prune data as it ages.
      https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-detection-and-response/4-5/Settings/how-purges-data-from-the-database-v106460598-d38e46998.html

  4. At the CLI, use the list --all command to list all the files you can delete manually, then use the delete command to delete them.
      list command:
      https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-detection-and-response/4-5/using-the-command-line-interface-v109281349-d38e71236/list-command-v117597611-d38e72055.html

      delete command:
      https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-detection-and-response/4-5/using-the-command-line-interface-v109281349-d38e71236/delete-command-v117597607-d38e71689.html

  5. Reboot the machine and enter the BIOS. Remove and re-add the RAID array to delete everything. This step requires physical presence for the S550, or DRAC access for the 8880.
         Configuring the iDRAC using a monitor, keyboard, and optional mouse:
         https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-detection-and-response/4-4/about-v96380626-d38e6/configuring-the-idrac-using-a-monitor-keyboard-and-v101750735-d38e10177.html

         (8880): How to boot into the BIOS or the Lifecycle Controller on your PowerEdge Server:
         https://www.dell.com/support/kbdoc/en-us/000176910/how-to-boot-into-the-bios-or-the-lifecycle-controller-on-your-poweredge-server

  6. Physically remove and shred the hard disks.