Implement Incydr: Best practices for data sources
When you first set up Incydr, you enable endpoint monitoring for file exfiltration detection. This captures file activity occurring on your employees' computers, including files moved to removable media and web browsers. This article provides best practices for adding other data sources such as cloud sharing applications and email.
We have other articles that show you how to add data sources to Incydr. Here are just a few:
- Check your product plan to ensure it includes cloud and email services.
- Set up a separate Code42 administrator user account for each data source to be used for login and authorization. The account should not be controlled by single sign-on to allow for recovery in the event of an issue with SSO.
- Code42 Professional Services can help you add data sources, including Incydr flows. Contact your Customer Success Manager (CSM) to engage Professional Services.
Best practices for cloud services
Connect cloud services
- Add the data source connector for the supported cloud services your employees use.
- Set up trusted domains for your approved cloud services.
- Add trusted Slack workspace names for your corporate Slack.
Review cloud exposures
Review exposures generated by the cloud connectors using the Risk Exposure dashboard, User Profile, and Forensic Search.
Address unauthorized exposures:
- Identify public links. If a link is not supposed to be public, communicate public link existence to the file owner and request the link be changed to a more secure option. Determine the means by which to communicate and track outcome.
- Determine if any file movements tracked by the cloud connectors are caused by individuals who are not employees. For example, this could occur if third parties have cloud access and the ability to share company resources. Address authorized third-party exposures.
Best practices for email services
Connect email services
Add the data source connector for the supported email services your employees use and set up trusted domains for the email services you want to allow access to.
Review email events
In Forensic Search, review email events generated by the email services. Also evaluate other user- or file-specific activity that is part of an ongoing investigation. Correlate email activity with other user activity to get a holistic view of user activity across all exfiltration vectors in your platforms for security information and event management (SIEM); security orchestration, automation, and response (SOAR); or user and entity behavior analytics (UEBA).
It may be beneficial to split out email events in your Forensic Search query so that you can track all the emails sent from one email address to another.
Code42 University: Insider Risk Management Training
Other articles in this series: