Transparency, technology, and training, the 3 Ts of Insider Risk Management, are the keys to changing employee behavior when it comes to Insider Risk. At the intersection of these 3 Ts is Incydr + Instructor. Used together, they let security teams automate the response to specific security alerts by educating users on security best practices. Austin Wolf, Code42’s Senior Information Security Analyst, implemented an Incydr Flow with Instructor risk reduction education to respond automatically when Code42 employees publicly shared files.
The problem: Publicly shared files
Looking at 2021 data, Austin and his team realized that a third of the occasions on which Code42’s security team contacted users were follow-ups on publicly shared files. Previously, the security team would review these alerts and contact the user to learn about their intent. They’d find that many shares should have had lower permissions, that some public sharing was legitimate, and that many users didn’t even realize they had shared anything in the first place.
The challenge: Time to response and education gaps
Publicly shared files are a big problem for any company. Like most, Code42’s security team doesn’t want company data to be shared with the public in an uncontrolled way. Reviewing every alert and following up with users about file-sharing activity could take anywhere from a couple of hours to a day, depending on the number of events. Austin and team knew they wanted to shorten response times. There was also the problem of educating users on how and what could be shared, in order to reduce the number of wrongful shares in the future. Austin and team knew they needed an automated way to educate employees on the dos and don’ts of sharing data at Code42.
The solution: An Incydr Flow with Instructor lessons
Austin introduced the Incydr + Instructor Flow to his team and focused on the use case of publicly shared files. He wanted to educate users on the correct way to share files at Code42.
The automation is triggered by an Incydr alert that a user shared a file publicly. It then sends a message to the user via Slack. It asks the user whether they meant to share a file publicly or not, and depending on their answer sends an Instructor video highlighting the correct way to share these files in the future. It then documents these actions and user responses for security team reporting.
This Incydr Flow has allowed Austin and team to shorten their response times from hours to less than 10 minutes since their manual outreach became an entirely automated process. “It takes a lot for security teams to say, ‘I’m going to trust the data that comes out of a tool enough that I’m going to let it contact users and do things automatically.’ We’ve found Incydr’s detection to be incredibly high-fidelity. An advantage of this automation is that it narrows our response time to this type of risky event. When we’re talking about data available to the public, obviously, the faster the better,” stated Austin.
The Incydr + Instructor flow also allows users to resolve data risks while learning company best practices on how to avoid these security issues in the future.