Implement Incydr: Start implementation

• Review watchlists for data exfiltration. Also review incidents triggered by the employees in other systems not tracked by Incydr. 
• Review removable media use by employees. If the files that are placed on removable media are of high value, add the employees to a watchlist.
• Review browser/app usage for large exfiltrations. If files are of high value, add the employees to a watchlist.
• Identify files that have public link access and let owners know they need to change the link access. If owners are repeat offenders, consider adding them to a watchlist.

Escalate to the employee's manager based on the value of the data and the frequency of data exfiltration. Escalate to HR and legal if the employee is exfiltrating valuable intellectual property or personally identifiable Information (PII) that can result in fines or other penalties for mishandling.

Use the CLI tool to generate a list of web activity that the client is observing and export a list of all browser/app usage to .xls.

Determine which applications, sites , and IP addresses are sanctioned. (For example, compare activity against your trusted domain list; Incydr will only alert you for activity outside your trusted domains.) For unsanctioned sites, review with the responsible parties what the need and justification is for using the site. 

• In Forensic Search, search for:
  • Keywords like "resumé" to identify departing employees. (Note: You can also use an alert to look for keywords in a file name.)
  • Names of critical internal projects and new products
  • Names of financial reports, employee data, compensation data, merger and acquisition documents, and executive/board communications
  • Keywords for customer lists, price lists, and customer contracts

Save any helpful searches for future use.

Use the New hire watchlist to monitor new employees for file downloads during the first 30 days of employment.

Determine if unauthorized intellectual property was downloaded into your environment.

Consider using honeypot files.

If a honey pot file is copied or moved, then add the employee to a watchlist. for closer monitoring.

Identify all sanctioned external platforms for data exfiltration. Set-up searches and alerts for unsanctioned activity.

Utilize a data handling matrix to map out approved and unapproved exfiltration activity.

• Send file activity data recorded by Incydr to the tools you use for incident management and response, such as your Security Information and Event Management (SIEM) system, or your Security Orchestration, Automation, and Response (SOAR) system. For information about SIEM and SOAR applications that provide ready-made integrations to Incydr, see Code42 integrations resources.
• Identify valuable data in your SIEM and SOAR implementations that is obtained from other systems than Incydr (for example, email security gateway, endpoint detection and response (EDR), URL filtering, network session monitoring). Create correlation between that data and the information obtained from Incydr to provide better incident lifecycle perspective.
• Create playbooks for SOAR usage where available.
• Provide data for User and Entity Behavior Analytics (UEBA) modeling and anomaly detection where available.

Contact your Customer Success Manager (CSM) to engage Advisory Services for assistance.

Automate the process of uncovering valuable data about people in watchlists.

Use the Code42 command-line interface (CLI) to ingest file event data and alerts into a SIEM tool.

Automate the process of adding people to watchlists.

Identify a source closest to the human resources information system (HRIS), if not the HRIS system itself. Use information from that system and provide it to the Code42 command-line interface (CLI) to add people a watchlist.

Ingest user information from a directory service (for example, from Azure Active Directory) to populate critical contextual data about employees, such as their job title, department, and manager.

Use Code42 User Directory Sync or Code42 provisioning (including from Azure AD, Okta, and PingOne) to populate critical contextual data about employees.