Code42 Incydr brings together three dimensions to quickly and accurately detect and help you respond to insider risks and potential threats:
- Data: What intellectual property (IP) is most valuable to the business?
- Vector: When, where, and how is your IP moving?
- User: Who is moving it?
Incydr monitors data movement to provide details and context for file events that occur on endpoints as well as in corporate cloud and email services. Incydr:
- Monitors all files for file activity, not just those that have been labeled sensitive.
- Detects exposure and exfiltration by web browser, cloud sync, file sharing, and the use of removable media.
- Adds highly visible flags to file events that carry elevated risk, such as activity that occurs during off-hours for a particular employee, or file mismatches where a file extension may have been changed to conceal exfiltration.
To use Incydr, you must:
- Have an Incydr product plan. Contact your Customer Success Manager (CSM) for assistance with licensing, or to upgrade to the Incydr Advanced product plan for a free trial. If you do not know your CSM, please contact our Customer Champions for support.
- Have either the Customer Cloud Admin role or Security Center User role.
- Enable endpoint monitoring or configure endpoint data collection.
To protect your data and help detect, investigate, and respond to insider risks, Incydr provides the following features and abilities:
Risk Exposure dashboard
When you first log in to the Code42 console, the Risk Exposure dashboard appears. The Risk Exposure dashboard gives you a visual representation of where and how your data is moving so that you can quickly grasp file events that need your attention. Use the risk indicators to focus your initial investigations on the riskiest file activity. For more information, see Review unusual file activity with the Risk Exposure dashboard.
Alerts
Alerts give you visibility into when important data may be leaving your company. Alerts automatically notify you about file activity occurring along a number of exposure vectors. You can create multiple alert rules to alert you for different exposure types, severities, and users causing the file activity.
Additional monitoring for high-risk and departing employees
Adding an employee to the High Risk Employees and Departing Employees lists allows you to more closely monitor their file events. The risk detection lists have alerts built in to notify you of any risky behavior. For more information, see Secure data throughout employee tenure.
Cases
Cases allow you to compile, document, and share details about insider risks. This helps you assemble evidence to make more informed decisions about how to respond, and also provides a permanent record of the file activity and users associated with the investigation.
Recover and view file contents
Incydr can also recover files, including deleted files and previous file versions. During an investigation you can restore a single file, multiple files, or even an entire device, allowing you to inspect the contents of the files involved.
Additionally, you can download the file from Forensic Search while conducting an investigation into an event to immediately view its contents and better assess risk.
Legal hold
Adding a user to a legal hold backs up a separate copy of the user's files and retains them for as long as you specify. This enables you to preserve files separately from the user-facing backup and retain files indefinitely for additional investigation or future legal action.
How Incydr works
Incydr monitors file activity via a lightweight agent on endpoints and integrations with corporate cloud and email services, mitigating file exposure and exfiltration risks without disrupting legitimate collaboration. Incydr can identify the difference between everyday collaboration and the events that represent real risk. It filters out the noise of harmless activity, like sharing files between trusted domains, to reveal only the risks that could harm your business.
For videos about how Incydr monitors file activity, visit the Code42 University.
Endpoint file event detection
The agent, running on Windows, Mac, or Linux endpoints, logs all file events (such as file creation, deletion, and modification) and captures critical metadata including file name, owner, size, category, and MD5 hash. The agent monitors:
- Files moved to removable media (such as flash drives, hard drives, and cards that connect via USB, eSATA, or Thunderbolt), collecting the vendor, name, and serial number of the devices used.
- Files synced with Dropbox, iCloud, Google Drive, Google Backup and Sync, OneDrive, and Box.
- Files that have been read or uploaded by browsers such as Internet Explorer, Chrome, Firefox, Safari, Edge, Chromium, and Opera. For such activity, the agent logs the browser name, the tab title, and the URL used to upload the file.
- Files that have been read by applications and file-transfer tools such as FileZilla, Windows Secure Copy, Slack, SFTP, FTP, cURL, and Secure Copy.
Cloud and email file event detection
Incydr integrates with corporate cloud services such as Box, Google Drive, and OneDrive to detect when files saved in corporate cloud drives are shared publicly or with external users by employees.
Likewise, Incydr integrates with corporate email services like Gmail and Office 365 to detect potential data exfiltration of file attachments sent to untrusted recipients.
In general, you can see the following information about each file event in Forensic Search:
- Event details: Includes the type of file event observed, the time the event was observed, the source of the event, and location data for events that take place outside of your trusted domains. Incydr also flags any activity that may be a greater risk.
- File details: Includes the filename, path, owner, and other details such as the MD5 and SHA256 hashes.
- Device details: Includes information about where the event happened, including things like the hostname and IP address.
- Cloud service details: If a file on your corporate drive in a cloud service is shared, the unique directory ID, the actor, the sharing permissions, and the users who have access are listed.
Each event may have different metadata depending on the data available and the type of exposure it presents. For example, an exposure event involving removable media has different details than an event involving an email attachment.
For full details, see the Forensic Search reference guide.
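The risk flags described above (off-hours activity for a particular employee, an extension that does not match the file's real type, and movement to a destination outside your trusted domains) can be illustrated with a small detector run over constructed file events. This is an added example, not Code42's code and not Incydr's event schema: the field names (`user`, `timestamp`, `filename`, `header`, `vector`, `destination_domain`), the per-user working-hours table, the trusted-domain set, and the assumption that the first bytes of each file are available for type detection are all assumptions made for illustration.

```python
"""Added example (not Code42's code): flag constructed file events with the
kinds of risk indicators described on the page. Field names, working-hours
profiles and the trusted-domain list are assumptions for illustration."""
from datetime import datetime, time
from typing import Any, Dict, List, Optional

# Assumed working-hours profile per user; in practice this would be learned
# from each employee's normal activity rather than hard-coded.
WORK_HOURS: Dict[str, tuple] = {
    "alice@example.com": (time(8, 0), time(18, 0)),
    "bob@example.com": (time(9, 0), time(17, 0)),
}

# Assumed set of domains the organisation treats as trusted destinations.
TRUSTED_DOMAINS = {"example.com", "corp.example.com"}

# Magic-byte signatures for a few common types. An extension that claims one
# type while the header shows another is the "file mismatch" indicator.
MAGIC = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",  # also the container for docx/xlsx/pptx/jar
    b"\xff\xd8\xff": "jpg",
}
ZIP_CONTAINER_EXTS = {"zip", "docx", "xlsx", "pptx", "jar"}


def detect_type(header: bytes) -> Optional[str]:
    """Return the type implied by the leading bytes, or None if unknown."""
    for signature, kind in MAGIC.items():
        if header.startswith(signature):
            return kind
    return None


def extension_mismatch(filename: str, header: bytes) -> bool:
    """True when the extension contradicts the content's magic bytes."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    real = detect_type(header)
    if real is None:
        return False  # unknown content type: cannot judge, so no flag
    if real == "zip":
        return ext not in ZIP_CONTAINER_EXTS
    return ext != real


def off_hours(user: str, ts: datetime) -> bool:
    """True when the event falls outside the user's known working hours."""
    hours = WORK_HOURS.get(user)
    if hours is None:
        return False  # no profile for this user: nothing to compare against
    start, end = hours
    return not (start <= ts.time() <= end)


def untrusted_destination(event: Dict[str, Any]) -> bool:
    """True when the event has a destination domain outside the trusted set."""
    dest = event.get("destination_domain")
    return bool(dest) and dest.lower() not in TRUSTED_DOMAINS


def score_event(event: Dict[str, Any]) -> List[str]:
    """Return the list of risk indicators that apply to one file event."""
    indicators: List[str] = []
    ts = datetime.fromisoformat(event["timestamp"])
    if off_hours(event["user"], ts):
        indicators.append("off-hours")
    if extension_mismatch(event["filename"], event["header"]):
        indicators.append("extension-mismatch")
    if untrusted_destination(event):
        indicators.append("untrusted-destination")
    if event.get("vector") == "removable-media":
        indicators.append("removable-media")
    return indicators


# Constructed sample events (not real Incydr output).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"event_id": "evt-1", "user": "alice@example.com",
     "timestamp": "2024-03-04T22:30:00", "filename": "budget.pdf",
     "header": b"PK\x03\x04\x14\x00", "vector": "browser-upload",
     "destination_domain": "filehost.invalid"},
    {"event_id": "evt-2", "user": "bob@example.com",
     "timestamp": "2024-03-04T10:15:00", "filename": "report.docx",
     "header": b"PK\x03\x04\x14\x00", "vector": "cloud-sync",
     "destination_domain": "corp.example.com"},
    {"event_id": "evt-3", "user": "alice@example.com",
     "timestamp": "2024-03-04T12:00:00", "filename": "photo.jpg",
     "header": b"\xff\xd8\xff\xe0", "vector": "removable-media"},
]


def run() -> Dict[str, List[str]]:
    """Score every sample event and map event id to its indicators."""
    return {e["event_id"]: score_event(e) for e in SAMPLE_EVENTS}


if __name__ == "__main__":
    for event_id, indicators in run().items():
        print(event_id, indicators or "no indicators")
```

The first event collects three indicators at once (a late-night browser upload of a ZIP container renamed to `.pdf`, sent to an untrusted domain), which is the kind of correlation between data, vector, and user that raises an event's priority; the second is ordinary in-hours collaboration with a trusted domain and gets no flag, and the third is flagged only for the removable-media vector.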
Traditional data-loss prevention (DLP) attempts to obstruct data movement in real time, but the system is only as good as your rules. Make rules too sensitive and you block legitimate work. Make rules too specific and high-value data slips past your defenses. DLP can only see what it's looking for, and that can leave blind spots in your security stack.
We believe that the new path to data loss prevention and security compliance starts with one core principle: monitor everything, regardless of its sensitivity or perceived value.
Incydr leverages broad and deep visibility into ALL data activity and user behavior to better understand true risk. Incydr does not rely on classification of data to identify exfiltration events, but instead correlates data, vector, and user information to improve signal.
For the times you feel compelled to block, we recommend you take action on the user, not the data. For example, you can use identity and access management to put users in groups to restrict access based on the alerts and information Incydr provides.
For more information about why we don't block, download our guide.
To set up Incydr, see Detect and respond to insider risks.
- Detect and respond to insider risks
- Implement Incydr: Introduction
- Enable endpoint monitoring and file metadata collection
- Forensic Search reference guide
- Review unusual file activity with the Risk Exposure dashboard
- Code42 joint solution brief: Code42 Incydr + Okta Identity Cloud