
Who is this article for?

  • Incydr: yes
  • Code42 for Enterprise: no
  • CrashPlan for Enterprise: no
  • CrashPlan for Small Business: no

This article applies to Code42 cloud environments.


Implement Incydr: Start implementation

Overview

This article recommends activities to start implementing Incydr at your company. It is not intended as a how-to, but rather a checklist of actions to ensure that you configure Incydr to yield the greatest value.

For a how-to article about implementing Incydr at your company, see Detect and respond to insider risks.

Considerations

Code42 Professional Services can help you implement Incydr. Contact your Customer Success Manager (CSM) to engage Professional Services.

Insider risk model

As your employees and other insiders perform their jobs in your company, the technology you implement should work continuously to monitor their activities. It should anticipate problems before they happen, detect them if they occur, and help you respond to incidents in a timely way. When you implement Incydr with the recommended actions in this article, it works more effectively at all steps in the insider flow.

[Diagram: Insider threat model]

Image source: Carnegie Mellon Software Engineering Institute's Maturing Your Insider Threat Program into an Insider Risk Management Program.

High-level workflow using Incydr

Following is a high-level workflow using Incydr at a typical company.

The flow starts with file events collected by Incydr. Next, examine the events to determine whether they reveal a security incident. If you determine that a security incident occurred, open a case and route it for follow-up.

[Diagram: High-level workflow using Incydr]

Incydr top daily activities guide

Following are activities we recommend you perform daily.

Incident next step: Escalate to the employee's manager based on the value of the data and the frequency of data exfiltration. Escalate to HR and legal if the employee is exfiltrating valuable intellectual property or personally identifiable information (PII) that can result in fines or other penalties for mishandling.

Activity: Use the CLI tool to generate a list of web activity that the client is observing and export a list of all browser/app usage to .xls.
Incident next step: Determine which applications, sites, and IP addresses are sanctioned. (For example, compare activity against your trusted domain list; Incydr only alerts you for activity outside your trusted domains.) For unsanctioned sites, review with the responsible parties what the need and justification is for using the site.

Other high-value activities

Activity:
  • In Forensic Search, search for:
    • Keywords like "resumé" to identify high-risk or departing employees. (Note: You can also use an alert to look for keywords in a file name.)
    • Names of critical internal projects and new products
    • Names of financial reports, employee data, compensation data, merger and acquisition documents, and executive/board communications
    • Keywords for customer lists, price lists, and customer contracts
  • Save any helpful searches for future use.
Incident next step: Escalate to the employee's manager based on the value of the data and the frequency of data exfiltration. Escalate to HR and legal if the employee is exfiltrating valuable intellectual property or data (like PII) that can result in fines or other penalties for mishandling.

Activity: Monitor new employees for file downloads during the first 30 days of employment.
Incident next step: Determine if unauthorized intellectual property was downloaded into your environment.

Activity: Consider using honey pot files.
Incident next step: If a honey pot file is copied or moved, add the employee to the High Risk Employees list for closer monitoring.

Activity: Identify all sanctioned external platforms for data exfiltration. Set up searches and alerts for unsanctioned activity.
Incident next step: Use a data handling matrix to map out approved and unapproved exfiltration activity.

Top platform integration activities

Activity:
  • Send file activity data recorded by Incydr to the tools you use for incident management and response, such as your Security Information and Event Management (SIEM) system or your Security Orchestration, Automation, and Response (SOAR) system. For information about SIEM and SOAR applications that provide ready-made integrations to Incydr, see Code42 integrations resources.
  • Identify valuable data in your SIEM and SOAR implementations that is obtained from systems other than Incydr (for example, email security gateway, endpoint detection and response (EDR), URL filtering, network session monitoring). Correlate that data with the information obtained from Incydr to provide a better incident lifecycle perspective.
  • Create playbooks for SOAR usage where available.
  • Provide data for User and Entity Behavior Analytics (UEBA) modeling and anomaly detection where available.
Guidance: Contact your Customer Success Manager (CSM) to engage the Insider Risk Success Team (IRST) for assistance.

Activity: Automate the process of uncovering valuable data about people in the High Risk Employees list.
Guidance: Use the Code42 command-line interface (CLI) to ingest file event data and alerts into a SIEM tool.

Activity: Automate the process of adding departing employees.
Guidance: Identify a source closest to the human resources information system (HRIS), if not the HRIS system itself. Use information from that system about departing employees and provide it to the Code42 command-line interface (CLI) to add people to the Departing Employees list.

Activity: Ingest user information from a directory service (for example, from Azure Active Directory) to populate critical contextual data about employees, such as their job title, department, and manager.
Guidance: Use Code42 User Directory Sync or Code42 provisioning (including from Azure AD, Okta, and PingOne) to populate critical contextual data about employees.

Activity: Build visualizations and alerts using your SOAR or SIEM tool, or use an existing Code42 app for your tool.
Guidance: For more information, see Code42 integrations resources. A member of the Insider Risk Success Team (IRST) can assist with dashboard development. Contact your Customer Success Manager (CSM) to engage the IRST.
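As an added illustration of the "automate the process of adding departing employees" activity above (example script, not Code42's own tooling), the following POSIX shell snippet turns a constructed HRIS export into the CSV layout consumed by the Code42 CLI's departing-employee bulk add command. The HRIS column layout, the `username,departure_date,notes` header, and the CLI invocation are assumptions; the script only calls the CLI when it is installed.

```shell
#!/bin/sh
# Constructed sample HRIS export (assumed layout): email,department,last_day,status.
# Only rows with a scheduled last day and a TERMINATING status should be synced;
# people who already left (TERMINATED) or are ACTIVE are ignored.
HRIS_EXPORT='employee_email,department,last_day,status
alice@example.com,Engineering,2024-07-15,TERMINATING
bob@example.com,Sales,,ACTIVE
carol@example.com,Finance,2024-07-20,TERMINATING
dave@example.com,Legal,2024-06-01,TERMINATED'

# Emit a CSV with the header assumed to match the CLI bulk-add template
# (username,departure_date,notes), one line per pending departure.
build_departing_csv() {
  printf '%s\n' "$HRIS_EXPORT" | awk -F',' -v OFS=',' '
    NR == 1 { next }                      # skip the HRIS header row
    $4 == "TERMINATING" && $3 != "" {      # pending departure with a known last day
      print $1, $3, "auto-added from HRIS; dept=" $2
    }' | { printf 'username,departure_date,notes\n'; cat; }
}

# Write the CSV, then hand it to the Code42 CLI (assumed command) if present.
sync_departing_employees() {
  out="${1:-departing.csv}"
  build_departing_csv > "$out"
  if command -v code42 >/dev/null 2>&1; then
    code42 departing-employee bulk add "$out"
  else
    echo "code42 CLI not found; CSV written to $out for manual upload" >&2
  fi
  echo "$out"
}
```

Schedule the script after each HRIS export so the Departing Employees list stays current without manual entry.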

Resources
