Implement Incydr: Best practices for data sources
Overview
When you first set up Incydr, you enable endpoint monitoring for file exfiltration detection. This captures file activity occurring on your employees' computers, including files moved to removable media and web browsers. This article provides best practices for adding other data sources such as cloud sharing applications and email.
We have other articles that show you how to add data sources to Incydr. Here are just a few:
Considerations
- Check your product plan to ensure it includes cloud and email services.
- Set up a separate Code42 administrator user account for each data source, to be used only for that source's login and authorization. This account should not be governed by single sign-on (SSO), so that you can still recover access if SSO fails.
- Code42 Professional Services can help you add data sources, including Incydr flows. Contact your Customer Success Manager (CSM) to engage Professional Services.
Best practices for cloud services
Connect cloud services
- Add the data source connector for the supported cloud services your employees use.
- Set up trusted domains for your approved cloud services.
- Add trusted Slack workspace names for your corporate Slack.
Review cloud exposures
Review exposures generated by the cloud connectors using the Risk Exposure dashboard, User Profile, and Forensic Search.
Address unauthorized exposures:
- Identify public links. If a link is not supposed to be public, notify the file owner that the public link exists and ask them to change it to a more secure sharing option. Decide how you will communicate with owners and how you will track the outcome.
- Determine whether any file movements tracked by the cloud connectors were made by individuals who are not employees. This can occur, for example, when third parties have cloud access and the ability to share company resources. Address authorized third-party exposures.
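The two review steps above (public links to report back to their owners, and sharing actions performed from accounts outside your trusted domains) can be scripted once the connector data is exported. The following is an added example with constructed sample records, not Code42's code; the `ShareEvent` fields, the `link_scope` values, and the `TRUSTED_DOMAINS` set are assumptions for illustration and not the schema of any Incydr connector.

```python
"""Triage cloud-sharing exposure records: flag public links, flag sharing
actions performed by accounts outside the trusted domains, and build the
per-owner list used to ask that public links be tightened.

Added example with constructed sample data. The record fields and the
link_scope vocabulary are assumptions for illustration, not the schema of
any Incydr connector.
"""
from dataclasses import dataclass

# Assumed: the approved corporate domains you configured as trusted domains.
TRUSTED_DOMAINS = {"example.com", "corp.example.com"}


@dataclass(frozen=True)
class ShareEvent:
    file: str        # shared file name
    owner: str       # e-mail address of the file owner
    actor: str       # account that performed the sharing action
    link_scope: str  # assumed values: "public", "domain", or "restricted"


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def is_trusted(address: str) -> bool:
    """True when the account belongs to one of the trusted domains."""
    return domain_of(address) in TRUSTED_DOMAINS


def public_links(events):
    """Records whose link can be opened by anyone who has the URL."""
    return [e for e in events if e.link_scope == "public"]


def external_actor_events(events):
    """Sharing actions performed by accounts outside the trusted domains,
    i.e. candidates for the non-employee review described above."""
    return [e for e in events if not is_trusted(e.actor)]


def remediation_list(events):
    """Map each file owner to the files they should re-share with a tighter scope."""
    by_owner = {}
    for e in public_links(events):
        by_owner.setdefault(e.owner, []).append(e.file)
    return by_owner


# Constructed sample records (not real exposure data).
SAMPLE_EVENTS = [
    ShareEvent("roadmap.pptx", "alice@example.com", "alice@example.com", "public"),
    ShareEvent("payroll.xlsx", "bob@example.com", "bob@example.com", "domain"),
    ShareEvent("contract.pdf", "carol@example.com", "vendor@partner.example", "public"),
    ShareEvent("notes.txt", "alice@example.com", "alice@example.com", "restricted"),
]

if __name__ == "__main__":
    for owner, files in remediation_list(SAMPLE_EVENTS).items():
        print(f"{owner}: ask to restrict {', '.join(files)}")
    for e in external_actor_events(SAMPLE_EVENTS):
        print(f"external actor {e.actor} shared {e.file} (owner {e.owner})")
```

Keeping the owner-to-files mapping as the output makes it straightforward to feed a ticketing or notification workflow and to record, per owner, whether the link was changed.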
Best practices for email services
Connect email services
Add the data source connector for the supported email services your employees use and set up trusted domains for the email services you want to allow access to.
Review email events
In Forensic Search, review the email events generated by the email services, along with any other user- or file-specific activity that is part of an ongoing investigation. Correlate email activity with the user's other activity to get a holistic view across all exfiltration vectors in your security information and event management (SIEM), security orchestration, automation, and response (SOAR), or user and entity behavior analytics (UEBA) platform.
It may be beneficial to split out email events in your Forensic Search query so that you can track all the emails sent from one email address to another.
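The following added example (constructed sample events, not Code42's code or the Forensic Search schema) shows the two ideas from the paragraphs above: splitting email events out into one sender-to-recipient stream so a single address pair can be tracked, and correlating a user's emailed files with the same user's activity on other vectors. The `vector`, `from`, `to`, and `file` field names are assumptions; in practice the events would be exported from Incydr into the SIEM, SOAR, or UEBA platform.

```python
"""Split e-mail events out of a mixed activity feed so that one sender-to-
recipient stream can be tracked, and correlate those e-mails with the same
user's activity on other exfiltration vectors.

Added example with constructed sample events. The field names are
assumptions for illustration, not the Forensic Search schema.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real data). "vector" is an assumed field.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice@example.com", "vector": "removable_media",
     "file": "q3-forecast.xlsx"},
    {"ts": "2024-05-01T09:04:00", "user": "alice@example.com", "vector": "email",
     "from": "alice@example.com", "to": "alice.home@mailbox.example", "file": "q3-forecast.xlsx"},
    {"ts": "2024-05-01T10:30:00", "user": "alice@example.com", "vector": "email",
     "from": "alice@example.com", "to": "bob@example.com", "file": "agenda.docx"},
    {"ts": "2024-05-01T11:00:00", "user": "alice@example.com", "vector": "email",
     "from": "alice@example.com", "to": "alice.home@mailbox.example", "file": "customers.csv"},
    {"ts": "2024-05-01T11:15:00", "user": "bob@example.com", "vector": "cloud",
     "file": "agenda.docx"},
]


def parse_ts(event):
    """ISO-8601 timestamp string to datetime, used for ordering."""
    return datetime.fromisoformat(event["ts"])


def email_streams(events):
    """Group e-mail events by (sender, recipient); each stream is in time order."""
    streams = defaultdict(list)
    for e in sorted(events, key=parse_ts):
        if e["vector"] == "email":
            streams[(e["from"], e["to"])].append(e)
    return dict(streams)


def user_timeline(events, user):
    """All of one user's events across every vector, oldest first."""
    return sorted((e for e in events if e["user"] == user), key=parse_ts)


def emailed_files_seen_on_other_vectors(events, user):
    """Files the user e-mailed that also appear in that user's non-e-mail
    activity: the overlap worth reading as one story during an investigation."""
    timeline = user_timeline(events, user)
    other = {e["file"] for e in timeline if e["vector"] != "email"}
    emailed = {e["file"] for e in timeline if e["vector"] == "email"}
    return sorted(emailed & other)


if __name__ == "__main__":
    for (sender, recipient), stream in email_streams(SAMPLE_EVENTS).items():
        print(f"{sender} -> {recipient}: {[e['file'] for e in stream]}")
    print(emailed_files_seen_on_other_vectors(SAMPLE_EVENTS, "alice@example.com"))
```

The per-pair stream is the equivalent of the split-out Forensic Search query the text recommends; the overlap function is the kind of correlation that a SIEM or UEBA rule would express, here kept in plain Python so the logic can be read and tested before it is translated into the platform's query language.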
Resources
Code42 University: Insider Risk Management Training
Related topics
Other articles in this series: