
Who is this article for?

Applies to: Incydr Professional, Enterprise, Horizon, and Gov F2; Incydr Basic, Advanced, and Gov F1.

Does not apply to: Instructor, CrashPlan Cloud, CrashPlan for Small Business.

Find your product plan in the Code42 console on the Account menu.


View Insider Risk Trends for your organization

Overview

The Insider Risk Trends dashboard shows how risk in your organization changes over time. The dashboard tracks fluctuations in these important metrics:

  • The number of users causing critical or high severity file events
  • The departments in your organization that cause the most untrusted events
  • The types of files involved in exfiltration events
  • The sources of company data being put at risk
  • The vectors or destinations on which the most untrusted activity commonly occurs

You can use these trends to identify where to focus controls, training, and engagement to improve your organization's risk profile.

Considerations

  • To use this functionality, Incydr users must be assigned specific roles. For more information, see Permissions for Incydr.

  • Add trusted activity and data connections to focus your investigations on higher-risk file activity. Adding trust settings allows Incydr to show only untrusted file events on security event dashboards, user profiles, and alerts, reducing your total file event volume. All file activity is still visible in Forensic Search.

  • The dashboard aggregates the data Code42 collects over time and requires at least 30 days of data. If your dashboard is empty, you may need to enable endpoint monitoring, connect your cloud services, and allow Code42 enough time to aggregate that data.

Differences in file event counts
File events for Forensic Search and Alerts typically appear within 15 minutes of the file activity, while file events in the security event dashboards, All users list, watchlists, and the User Profile may take up to an hour to appear. As a result, you may see that the file event counts in alert notifications and Forensic Search differ from the event counts elsewhere. For more information about how long it takes for events to show up in Incydr, see Expected time ranges for events to appear.

The Insider Risk Trends dashboard

To access the dashboard:

  1. Sign in to the Code42 console.
  2. Select Dashboards > Insider Risk Trends.
    The dashboard opens.
    The dashboard includes the following items:
    1. Trust settings: Indicates that your trust settings apply to this dashboard. Code42 excludes trusted file activity as defined by these settings and any cloud data connections monitored by Code42.
    2. Risk settings: Click to open Risk settings where you can set the score of each risk indicator. These scores are used to calculate the severity of each file event.
    3. Risk in my environment: The number of users who have caused critical or high severity events over the specified time frame.
    4. Users putting data at risk: The departments whose users have caused the most untrusted events over the specified time frame.
    5. Files being exfiltrated: The types of files (organized by category) involved in the most untrusted events over the specified time frame.
    6. Sources being put at risk: The company data sources involved in the untrusted or exfiltration events that occurred over the specified time frame.
    7. Vectors for untrusted activity: The vectors (or destinations) on which the most untrusted events commonly occur over the specified time frame.
  3. In the graphs on any panel, hover the mouse over the graph for more detail regarding those totals.
  4. Use any of the controls to change the view on that panel.
    1. Click Sort to sort the view in either ascending or descending order, based on your selection from the menu that opens.
    2. Click Filter to view only specific departments, file types, or destinations on the corresponding panel.
    3. Click an item in the legend at the bottom of the graph to show or hide that detail in the panel.
    4. Use the controls at the bottom of the graph to view more categories in the panel or to scroll to other hidden pages on the panel.
    5. On the Vectors for untrusted activity panel, click a linked category name (or its graph) to drill down and view more detailed information. Click Back to return to the top-level category view.

Risk in my environment

This panel shows the number of users who have caused critical or high severity events over the specified time frame. This total captures unique users only, meaning that users are counted only once even if they've caused multiple critical or high severity events.

Use this panel to form a holistic view of how all users in your organization are handling risk. An ascending trend may indicate that you need to increase awareness of your organization's security program through outreach or education. A descending trend may indicate that all facets of your security program are helping reduce your organization's risk exposure. "Blips" in the graph may be associated with events in which your employees are sharing a lot of information in a short amount of time, such as for product releases, training classes or conferences, or project kickoffs.

Users putting data at risk

This panel uses the department data imported from your identity provider when you use provisioning. If you have not set up your provisioning provider to import user attributes into Code42, this panel indicates that there is no department data to use to aggregate event activity.

After you have set up provisioning to import user attributes, this panel shows the number of untrusted events over the specified time frame, organized by the department whose users caused those events. Users who cause untrusted events but who do not have an associated department from provisioning are grouped into a No department found category on the graph.

Files being exfiltrated

This panel shows the files involved in untrusted activity organized by file category. You can use this detail to see what types of files may be leaving your organization to identify where better controls, training, or engagement are needed.

Sources being put at risk

This panel shows the sources by which files may be leaving your organization. When combined with the other panels, this information can help fine-tune your trusted activity settings to better identify risky activity.

You can drill down to view more details:

  • Click a category name (or its graph) to view more information about activity on the sources that make up that category.
  • After drilling down, click Back to return to the top-level category view.

Vectors for untrusted activity

This panel shows the vectors by which files may be leaving your organization, organized by destination category. When combined with the other panels, this information can help fine-tune your trusted activity settings to better identify risky activity.

You can drill down to view more details:

  • Click a category name (or its graph) to view more information about activity on the vectors that make up that category.
  • After drilling down, click Back to return to the top-level category view.

The "corporate" destinations on this panel identify Code42's monitoring of your organization's business tools (such as Salesforce), cloud storage services (like Box, Google Drive, or OneDrive), or email services (Gmail and Microsoft Office 365).

You must connect Code42 to at least one corporate business, cloud storage, or email service to see this download, file sharing, or attachment activity. 

Use cases

The panels on the Insider Risk Trends dashboard all work together to help you refine your organization's security program and improve your risk posture over time.

  • Use the entire dashboard to measure the effectiveness of all facets of your organization's security program. If your security program is in development, this dashboard can help you identify where best to focus additional attention to improve your risk posture. For robust security programs, these trends can help you determine whether reminders or additional engagement and training might be needed.
  • Use the Risk in my environment panel along with the Users putting data at risk panel to correlate increased event totals to your organization's events, such as product releases, conference appearances, or project kickoffs. You can then plan to update trusted activity settings for approved sharing platforms or increase security training outreach for specific departments for similar events in the future to filter out approved sharing or proactively prevent such events.
  • Use the users, files, and vectors panels together to identify approved sharing and fine-tune trusted activity settings. For example:
    • The Users putting data at risk panel shows that your Software Development department has the highest amount of untrusted activity.
    • The Files being exfiltrated panel indicates that source code files are often involved in untrusted events.
    • The Vectors for untrusted activity panel shows that source code repositories are a frequent vector for exfiltration events.
    This combination may indicate that developers are causing a high number of security events as they check source code files in and out of your corporate repository as part of day-to-day work. By adding your corporate repository to your trusted activity settings, you identify such activity as trusted and prevent it from appearing on dashboards.
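
The correlation in the last use case, as an added example (not Code42's code): it counts unique users with critical or high severity untrusted events and ranks department, file category, and vector combinations, then shows the effect of trusting one vector. The event records, field names, daily bucketing, and the `with_trusted_vector` helper are assumptions constructed for this example, not Incydr's data schema or API.

```python
from collections import Counter

# Constructed sample events; field names are assumptions, not Incydr's schema.
FIELDS = ("day", "user", "department", "severity", "file_category", "vector", "trusted")
ROWS = [
    ("2024-03-01", "ana", "Software Development", "HIGH", "Source code", "Source code repository", False),
    ("2024-03-01", "ana", "Software Development", "CRITICAL", "Source code", "Source code repository", False),
    ("2024-03-01", "raj", "Software Development", "HIGH", "Source code", "Source code repository", False),
    ("2024-03-01", "lee", "Sales", "LOW", "Spreadsheet", "Cloud storage", False),
    ("2024-03-02", "ana", "Software Development", "HIGH", "Source code", "Source code repository", False),
    ("2024-03-02", "kim", None, "HIGH", "Document", "Email", False),
    ("2024-03-02", "lee", "Sales", "HIGH", "Spreadsheet", "Cloud storage", True),
]
EVENTS = [dict(zip(FIELDS, row)) for row in ROWS]


def unique_risky_users(events):
    """Per day, count distinct users with an untrusted critical/high event.

    A user with several such events in the same day is counted once.
    """
    users_by_day = {}
    for e in events:
        if not e["trusted"] and e["severity"] in {"CRITICAL", "HIGH"}:
            users_by_day.setdefault(e["day"], set()).add(e["user"])
    return {day: len(users) for day, users in sorted(users_by_day.items())}


def top_combinations(events, n=3):
    """Rank (department, file category, vector) by untrusted event count."""
    counts = Counter()
    for e in events:
        if not e["trusted"]:
            dept = e["department"] or "No department found"
            counts[(dept, e["file_category"], e["vector"])] += 1
    return counts.most_common(n)


def with_trusted_vector(events, vector):
    """Copy of events with one vector marked trusted (models a trust setting)."""
    return [{**e, "trusted": e["trusted"] or e["vector"] == vector} for e in events]


if __name__ == "__main__":
    print(unique_risky_users(EVENTS))
    print(top_combinations(EVENTS))
    tuned = with_trusted_vector(EVENTS, "Source code repository")
    print(unique_risky_users(tuned), top_combinations(tuned))
```
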