Who is this article for?
CrashPlan for Enterprise, no.
Code42 for Enterprise, no.
CrashPlan for Small Business, no.
This article applies to Code42 cloud environments.
For visibility into exposure and file exfiltration activities, you need data. Lots of data. And the foundation of Code42 Incydr's ability to speed insider risk detection and response comes from its ability to capture all file activity: on endpoints, corporate cloud, and email services. So in this overview video, we're going to show what Incydr can capture and from where.
In this course, we'll show you how to:
- Detect risk in the Risk Exposure dashboard
- Review alerts
- Review departing employees
- Review high-risk employees
- Review a specific user
- Run an ad-hoc search for file exfiltration activity
Time to complete course: 30 minutes
For more training courses, visit Code42 University.
Module 1: Detect risk in the Risk Exposure dashboard
Most insider threats don't intentionally make themselves known. So how does a security team know whether an investigation is required, or even where to begin? Code42 Incydr's Risk Exposure dashboard provides an overview of the different types of file activity in your environment, both on the endpoint and in the cloud. The main purpose of the dashboard is to help you identify when unusual activity is happening so you can investigate further in Forensic Search.
In this video we'll look at what the dashboard looks like and how to use it.
Module 2: Review alerts
Code42 Incydr's alerts can streamline your monitoring workflow by alerting you when specific file activity behaviors and thresholds are met. Alerts can be sent as emails, appear on dashboards, or both.
In this video, we'll look at investigating an alert with the Incydr console.
Module 3: Review departing employees
An essential part of the off-boarding process is making sure departing employees aren't taking anything they shouldn't. With Code42 Incydr, when an employee gives notice, you can add them to a list so their activity is more visible in your monitoring workflows.
In this video, we'll look at how to review such file activity and quickly identify suspicious file movement.
Module 4: Review high-risk employees
Some users pose a greater insider risk than others. They may have elevated permissions, be on a performance improvement plan, or have a history of poor security practices. With Code42 Incydr, when an employee is considered high risk, you can add them to a list so their activity is more visible in your monitoring workflows.
In this video, we'll look at how to view such file activity and quickly identify any suspicious file movement.
Module 5: Review a specific user
During your investigation workflow, there may come a time when you need additional information about a single user's activity. Code42 Incydr makes this easy by using something called a user profile, which is built on a user's file activity over the last 90 days.
In this video, we'll look at how to pull that view up and what information it provides.
Module 6: Ad-hoc activity searches
Forensic Search is a key component of Code42 Incydr's investigation capabilities. After gathering current and historical file events and metadata across both endpoints and cloud services, Forensic Search lets you investigate those events across your entire organization.
In this video, we'll look at how Forensic Search works, and what it can show you.
Module 7: Use cases
The videos in this module present scenarios for using Incydr to uncover suspicious file activity.
If you're like me, you've probably got a drawer of these little USB flash drives. They're convenient, hold lots of data, and fit in your pocket. What's not to love? Well, when it comes to insider risk, removable media is a pretty common exfiltration vector. You've got your USB drives, external hard drives, SD cards... and sure, you can try to block their use. But there are legit uses for these too.
Regardless of your policies, do you have the visibility you need to determine if there's a misuse of removable media in your organization? Well, Code42 Incydr gives you that visibility. Check this out.
So today I was using Code42 Incydr to review the activity of a departing employee. See, when people change jobs it can be tempting to take company data on the way out. Some just want to make their next job easier. Others believe the files belong to them. Sometimes it's accidental. Other times, it's definitely not, like when an employee attempts to conceal a file exfiltration attempt by changing the file extension so it doesn't match the file's contents. Check this out.