Redaction Technology

by Shimon Modi

Introduction

TruSTAR's redaction technology is powered by our redaction algorithm. The core features of this algorithm are:

  • Categorical redaction
  • Wildcard matching
  • Performant for large datasets

Core Functionality

TruSTAR's redaction algorithm is, at its core, a function that operates on two inputs: a TruSTAR Incident Report and a map of redaction descriptors known as the redaction map. Let's define these two inputs.

TruSTAR Incident Report

Incident reports are generated by users in the TruSTAR Station. Technically, an incident report is a map-like data structure that contains both metadata about the report and the report contents. For example, here is a simplified version of what an incident report looks like in the Station.

Map {
  metadata: Map {
    title: "Network Intrusion Detected",
    region: "North America"
  },
  content: "Network intrusion was detected at our branch in..."
}

Redaction Map

The redaction map is the key to removing attributable information from an incident report. After all, the algorithm can't remove what it doesn't know to look for.

A redaction map describes everything we want to redact from a report. A simple redaction map might look like this:

Map {
  company-name: List [
    "Superb Security Corp",
    "Superb Subsidiary"
  ],
  ip-address: List [
    "8.8.8.8"
  ],
  email-address: List [
    "*@superb-security.co"
  ]
}

In this redaction map we are defining a number of things to redact from incident reports:

  • Our company name "Superb Security Corp" and the name of our subsidiary "Superb Subsidiary"
  • An IP address that we don't want to share ("8.8.8.8")
  • Every email address that ends in "@superb-security.co"

This is the gist of how our redaction technology works. You can add arbitrarily many redaction terms to the redaction map, and all of them will be programmatically stripped from every part of your report, including the metadata.
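As an added example (not TruSTAR's own code), here is a Python sketch of the two-input function described above: it walks the nested report, metadata included, and applies a redaction map with per-category placeholders and `*` wildcard terms. The sample report, the placeholder format and the regex construction are assumptions made for the illustration.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample inputs that follow the shapes shown above; they are not
# TruSTAR's own data structures or code.
INCIDENT_REPORT = {
    "metadata": {"title": "Network Intrusion Detected at Superb Security Corp",
                 "region": "North America"},
    "content": ("Network intrusion was detected at our branch. Superb Subsidiary "
                "hosts 8.8.8.8; contact soc@superb-security.co for details."),
}
REDACTION_MAP = {
    "company-name": ["Superb Security Corp", "Superb Subsidiary"],
    "ip-address": ["8.8.8.8"],
    "email-address": ["*@superb-security.co"],
}

def term_to_pattern(term: str) -> str:
    """Escape the term so '8.8.8.8' matches literally, then turn the '*'
    wildcard into a run of non-whitespace characters."""
    return re.escape(term).replace(r"\*", r"\S+?")

def compile_redaction_map(redaction_map: Dict[str, List[str]]) -> List[Tuple[str, re.Pattern]]:
    """One compiled regex per category, so each string is scanned once per
    category rather than once per term (an assumed optimisation for large
    reports). The lookarounds stop '8.8.8.8' matching inside '18.8.8.80'."""
    compiled = []
    for category, terms in redaction_map.items():
        # Longest term first, so an overlapping shorter term cannot leave a
        # longer one half-redacted.
        alternation = "|".join(term_to_pattern(t) for t in sorted(terms, key=len, reverse=True))
        compiled.append((category, re.compile(rf"(?<!\w)(?:{alternation})(?!\w)", re.IGNORECASE)))
    return compiled

def redact(value: Any, compiled: List[Tuple[str, re.Pattern]]) -> Any:
    """Walk every string in the report, metadata included, and replace each hit
    with a categorical placeholder; non-string leaves pass through unchanged."""
    if isinstance(value, str):
        for category, pattern in compiled:
            value = pattern.sub(f"[REDACTED:{category}]", value)
        return value
    if isinstance(value, dict):
        return {k: redact(v, compiled) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v, compiled) for v in value]
    return value

def redact_report(report: Dict[str, Any], redaction_map: Dict[str, List[str]]) -> Dict[str, Any]:
    """Entry point mirroring the two-input function described above."""
    return redact(report, compile_redaction_map(redaction_map))
```

Because the placeholder keeps the category, a reviewer can still see that an IP or an email was present without learning its value, which is what makes the shared report useful after redaction.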
