Code42 Incydr brings together three dimensions to quickly and accurately detect and help you respond to insider risks and potential threats:
- Data: What intellectual property (IP) is most valuable to the business?
- Vector: When, where, and how is your IP moving?
- User: Who is moving it?
Incydr monitors data movement to provide details and context for file events that occur on endpoints as well as in corporate cloud and email services. Incydr:
- Monitors all files for file activity, not just those that have been labeled sensitive.
- Detects exposure and exfiltration by web browser, cloud sync, file sharing, and the use of removable media.
- Adds highly-visible flags to file events that have elevated risk, such as those that occur during off-hours for a particular employee or file mismatches where a file extension may have been changed to conceal exfiltration.
To use Incydr, you must:
- Have an Incydr product plan. Contact your Customer Success Manager (CSM) for assistance with licensing. If you do not know your CSM, please contact our Customer Champions for support.
- Have roles that give you access to Incydr features. See Roles for Incydr.
- Enable endpoint monitoring or configure endpoint data collection (Incydr Basic and Advanced only).
To protect your data and help detect, investigate, and respond to insider risks, Incydr provides the following features and abilities:
Risk Exposure dashboard
The Risk Exposure dashboard gives you a visible representation of where and how your data is moving so that you can quickly grasp file events that need your attention. Use the risk indicators to further help you focus your initial investigations on more risky file activity. For more information, see Review unusual file activity with the Risk Exposure dashboard.
Insider Risk Trends dashboard
The Insider Risk Trends dashboard shows how risk in your organization changes over time. The dashboard shows fluctuations in the number of users causing risky file events, the departments that cause the most untrusted events, the types of files involved in exfiltration events, and the vectors by which that untrusted activity occurs.
You can use these trends to identify where to focus controls, training, and engagement to improve your organization's risk profile. For more information, see View Insider Risk Trends for your organization.
Alerts
Alerts give you visibility into when important data may be leaving your company. Alerts automatically notify you about file activity occurring along a number of exposure vectors. You can create multiple alert rules to alert you for different exposure types, severities, and users causing the file activity.
All Users list
The All Users list shows all of the users in your Code42 environment sorted by the highest number of critical-severity file events, then by high-severity file events. On this list, you can see the risk indicators associated with a user's file events and see more details about their most recent file activity. For more information, see All Users reference.
Watchlists
Adding an employee to a watchlist allows you to more closely monitor their file events. Each watchlist can have its own set of alerts to notify you of any risky behavior. For more information, see Secure data throughout employee tenure.
Cases
Cases allow you to compile, document, and share details about insider risks. This helps you assemble evidence to make more informed decisions about how to respond, and also provides a permanent record of the file activity and users associated with the investigation.
Recover and view file contents
Incydr can also recover files, including deleted files and previous file versions. During an investigation you can restore a single file, multiple files, or even an entire device, allowing you to inspect the contents of the files involved.
Additionally, you can download the file from Forensic Search while conducting an investigation into an event to immediately view its contents and better assess risk.
Legal hold
Adding a user to a legal hold backs up a separate copy of the user's files and retains them for as long as you specify. This enables you to preserve files separately from the user-facing backup and retain files indefinitely for additional investigation or future legal action.
How Incydr works
Incydr monitors file activity via a lightweight agent on endpoints and integrations with corporate cloud and email services, mitigating file exposure and exfiltration risks without disrupting legitimate collaboration. Incydr can identify the difference between everyday collaboration and the events that represent real risk. It filters out the noise of harmless activity, like sharing files between trusted domains, to reveal only the risks that could harm your business.
For more videos about Incydr, visit the Code42 University.
Endpoint file event detection
The agent, running on Windows, Mac, or Linux endpoints, logs all file events (such as file creation, deletion, and modification) and captures critical metadata including file name, owner, size, category, and MD5 hash. The agent monitors:
- Files moved to removable media (such as flash drives, hard drives, and cards that connect via USB, eSATA, or Thunderbolt), collecting the vendor, name, and serial number of the devices used.
- Files in cloud sync folders for Dropbox, iCloud, OneDrive, and Box.
- Files that have been read or uploaded by browsers such as Internet Explorer, Chrome, Firefox, Safari, Edge, Chromium, and Opera. For such activity, the agent logs the browser name, the tab title, and the URL used to upload the file.
- Files that have been read by applications such as FileZilla, Windows Secure Copy, Slack, SFTP, FTP, cURL, and Secure Copy.
Cloud and email file event detection
Incydr integrates with corporate cloud services such as Box, Google Drive, and OneDrive to detect when files saved in corporate cloud drives are shared publicly or with external users by employees.
Likewise, Incydr integrates with corporate email services like Gmail and Office 365 to detect potential data exfiltration of file attachments sent to untrusted recipients.
Expected time ranges for events to appear
The following time ranges are typical for most file activity, though your times may vary:
- Data connections: Typically report activity to Incydr within 15 minutes
- Code42 app: Typically reports activity to Incydr within 5 minutes
- Forensic Search:
  - Uploads and downloads: File events can take up to 45 minutes to become available in Forensic Search after being reported to Incydr
  - All other file events: File events typically appear in Forensic Search about 15 minutes after being reported to Incydr
- Risk Exposure dashboard, Insider Risk Trends dashboard, All Users list, User Profiles, Watchlists: File events may take about 60 minutes to appear
- Alerts: File events take about 15-45 minutes to generate an alert, depending on the activity type
  - Uploads and downloads: File events can take up to 45 minutes to generate an alert after being reported to Incydr
  - All other file events: File events typically take about 15 minutes to generate an alert after being reported to Incydr
For example, if you have file activity on one of your data connections:
- An alert notification would be sent about 15-45 minutes after the event occurred, depending on the activity type.
- You could expect that event to appear in Forensic Search as soon as 15 minutes or as late as 60 minutes after the event, depending on the activity type.
- This event would appear on the Risk Exposure dashboard about 60 minutes after the event occurred.
In general, you can see the following information about each file event in Forensic Search.
- Event details: Includes the type of file event observed, the time the event was observed, the source of the event, and location data for events that take place outside of your trusted domains. Incydr also flags any activity that may be a greater risk.
- File details: Includes the filename, path, owner, and other details such as the MD5 and SHA256 hashes.
- Device details: Includes information about where the event happened, including things like the hostname and IP address.
- Cloud service details: If a file on your corporate drive in a cloud service is shared, the unique directory ID, the actor, the sharing permissions, and the users who have access are listed.
Each event may have different metadata depending on the data available and the type of exposure it presents. For example, an exposure event involving removable media has different details than an event involving an email attachment.
For full details, see the File event metadata reference.
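The off-hours and file-mismatch risk indicators described earlier (and the "greater risk" flags attached to Event details above) can be illustrated with a small rule set run over a file event record. This is an added example, not Incydr's own logic: the signature table, the Mon-Fri 08:00-18:00 working window, the vector names, and the event dict layout are all assumptions made for illustration.

```python
import datetime as dt

# Leading-byte signatures for a few common formats (constructed subset for
# illustration; this page does not publish Incydr's own signature table).
SIGNATURES = {
    b"%PDF": "pdf",
    b"\x89PNG": "png",
    b"PK\x03\x04": "zip",   # also the container for docx/xlsx/pptx
    b"\xff\xd8\xff": "jpg",
}
# Extensions that legitimately share a signature with another type.
ALIASES = {"docx": "zip", "xlsx": "zip", "pptx": "zip", "jpeg": "jpg"}
UNTRUSTED_VECTORS = {"removable-media", "browser-upload", "cloud-sync"}

def sniff_type(head: bytes):
    """Return the type implied by the first bytes, or None if unrecognised."""
    for magic, kind in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    return None

def extension_mismatch(filename: str, head: bytes) -> bool:
    """True when the extension claims one type but the content is another."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = ALIASES.get(ext, ext)
    actual = sniff_type(head)
    return actual is not None and claimed != actual

def off_hours(observed_at: str, start_hour: int = 8, end_hour: int = 18) -> bool:
    """True outside the user's working window (assumed Mon-Fri, 08:00-18:00)."""
    ts = dt.datetime.fromisoformat(observed_at)
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)

def risk_indicators(event: dict) -> list:
    """Collect the flags this toy rule set would attach to one file event."""
    flags = []
    if extension_mismatch(event["filename"], event["head"]):
        flags.append("file-mismatch")
    if off_hours(event["observed_at"]):
        flags.append("off-hours")
    if event["vector"] in UNTRUSTED_VECTORS:
        flags.append("untrusted-vector:" + event["vector"])
    return flags

# Constructed sample: a PDF renamed to .txt, copied to USB at 23:10 on a Tuesday.
SAMPLE_EVENT = {
    "filename": "q3-roadmap.txt", "head": b"%PDF-1.7\n",
    "observed_at": "2024-03-05T23:10:00", "vector": "removable-media",
}
```

Calling `risk_indicators(SAMPLE_EVENT)` returns all three flags for the sample; a file whose bytes match no known signature is never reported as a mismatch, so the rule errs toward silence rather than false alarms.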
Incydr identifies potential risks, and file event metadata is just one piece of information that contributes to an investigation. Use data from Incydr as a starting point to determine if the activity is a legitimate threat.
Incydr leverages broad and deep visibility into ALL data activity and user behavior to better understand true risk. Incydr does not rely on classification of data to identify exfiltration events, but instead correlates data, vector, and user information to improve visibility and provide context.
When you need to respond to insider risk, Incydr supports a range of responses. For example, you can use identity and access management to put users in groups that restrict access, based on the alerts and information Incydr provides. For more information about response options, see Introduction to Incydr Flows.
For more information about how Incydr prevents data loss without blocking productivity, download our guide.
To set up Incydr, see Detect and respond to insider risks.
Want to learn more? See a demo of Incydr.