Inferred Trust Available as a New Technology to Help Security Teams Detect Data Exfiltration

Olga Hout

Product Marketing Manager

Smartphones have long since become an extension of our hands. That’s a fact. From running work-related errands to staying in touch with our friends, nothing is left unnoticed and unregistered by this device.

Digitization made data the most valued and, consequently, the most vulnerable asset. Now, ask yourself: how confident are you that your company has instilled sound data management hygiene across the workforce?

Current state of data affairs

In search of truth, we needed more information. That’s why we reached out to 100 information security leaders to learn if and how they ensure their workforce isn’t exfiltrating company data to personal phones. The findings were quite stark. A staggering 91% of respondents believe employees are likely to exfiltrate data from corporate systems through mobile phones.

Having identified such an obvious blind spot, many security leaders are looking to close that gap and gain transparency into how their employees handle company data.

Insider Risk meets Inferred Trust

Solid information governance is integral to a mature security risk posture. But how can you achieve that? Security analysts are drowning in the sea of user data and file movement. They are challenged to sift through myriad alerts and data threads to understand where the real risk will strike next. In fact, 72% of the time, security professionals do not have the necessary context to know if they should close or pursue an investigation. However, more than half of them are making this risk a top or moderate priority to assess.

Analysts have to make tradeoffs between burnout and blind spots. Do they accept too much risk and under-notify, or do they force themselves to triage too many false positives? If every alert is critical, no alert is critical.

Security teams need technology to help effectively and systematically filter out trusted activity, without overhauling BYOD policies, issuing employee phones (a mere 13% of our respondents admitted to issuing corporate devices to more than 50% of their employees), or implementing new network layer technology.[1]

At Code42, our teams work hard to provide business intelligence to establish security controls, reduce the noise and streamline risk prioritization. By introducing Inferred Trust to Incydr’s current Trust methodology, we’re making it possible to intelligently and automatically differentiate between activity that’s just noise and the activity that puts your business data at risk.

What is Trust?

Before we talk about Inferred Trust, let’s define “trust.” Trust is the process Incydr uses to establish the boundary of trusted devices and destinations for an organization. Trust is about determining whether a file remains within a boundary of corporate ownership (trusted), or has been moved outside of the corporate environment (untrusted). The latter is what needs to be further investigated by analysts.

Inferred Trust is accomplished through a comparative audit of activity on the monitored endpoint (Windows, macOS, or Linux) with activity in monitored cloud systems (OneDrive, Google Drive, and Box). When events between systems match (for instance when we see a send event to Google Drive from the endpoint followed by a received event from the corporate Google Drive for a given file), Incydr infers the event is trusted because it remains within a monitored, controlled destination. However, if files leave one trusted location and do not appear in another trusted location, Incydr can infer they went to an employee’s personal account or device, and security should be notified because that event was untrusted.
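To make the comparative audit concrete, here is an added toy correlation in Python. It is not Incydr's implementation; the event model, the matching by file hash and the five-minute correlation window are assumptions, and the telemetry is constructed sample data. A "send" from the endpoint that is followed by a "receive" in a monitored corporate tenant is inferred trusted; a send with no matching receive is surfaced as untrusted.

```python
"""Toy Inferred-Trust style correlation (hypothetical model, not Incydr's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    source: str     # "endpoint" or a monitored cloud tenant, e.g. "corp-gdrive"
    kind: str       # "send" (left the endpoint) or "receive" (landed in a tenant)
    file_hash: str  # constructed sample identifiers, not real file hashes
    ts: datetime


# Constructed sample telemetry: three endpoint uploads. One lands in the corporate
# Google Drive tenant promptly, one never appears anywhere, and one appears in
# corporate Box far outside the correlation window (assumed to be a different file move).
ENDPOINT_EVENTS = [
    Event("endpoint", "send", "h-report", datetime(2023, 5, 1, 9, 0, 0)),
    Event("endpoint", "send", "h-payroll", datetime(2023, 5, 1, 9, 5, 0)),
    Event("endpoint", "send", "h-deck", datetime(2023, 5, 1, 9, 10, 0)),
]
CLOUD_EVENTS = [
    Event("corp-gdrive", "receive", "h-report", datetime(2023, 5, 1, 9, 0, 30)),
    Event("corp-box", "receive", "h-deck", datetime(2023, 5, 1, 11, 0, 0)),
]


def infer_trust(endpoint_events, cloud_events, window=timedelta(minutes=5)):
    """Split endpoint send events into (trusted, untrusted).

    A send is inferred trusted when a receive for the same file hash shows up in a
    monitored cloud tenant within `window` after the send; otherwise it is untrusted
    and should be prioritized for an analyst.
    """
    receives = {}
    for ev in cloud_events:
        if ev.kind == "receive":
            receives.setdefault(ev.file_hash, []).append(ev.ts)
    trusted, untrusted = [], []
    for ev in endpoint_events:
        if ev.kind != "send":
            continue
        candidates = receives.get(ev.file_hash, [])
        matched = any(timedelta(0) <= r - ev.ts <= window for r in candidates)
        (trusted if matched else untrusted).append(ev)
    return trusted, untrusted


def untrusted_hashes(window=timedelta(minutes=5)):
    """Convenience wrapper: file hashes an analyst would need to look at."""
    _, untrusted = infer_trust(ENDPOINT_EVENTS, CLOUD_EVENTS, window)
    return [ev.file_hash for ev in untrusted]
```

Widening the window (e.g. to two hours) makes the late Box receive count as a match, which shows why the window choice trades missed exfiltration against false positives.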

Inferred Trust operates as a filter within Incydr so that sanctioned activity doesn’t generate false-positive alerts. It significantly reduces the noise that inevitably leads to burnout for security analysts.

Filtering noise, delivering peace-of-mind

Coming later this year, Incydr’s new Inferred Trust technology will be expanded to detect when a file is downloaded from corporate systems such as Salesforce, OneDrive, Google Drive and Box. This means you’ll know whether files are landing on your corporate-managed devices or being exfiltrated to unmonitored devices, such as mobile phones.

When untrusted activity is detected, Incydr prioritizes it for analysts using Insider Risk Indicators (IRIs) so they know exactly what they need to look at first.

Incydr delivers the high-fidelity signal needed to filter trusted activity, prioritize what needs attention and quickly respond with the controls needed to contain, resolve and educate on those risks that matter.

Get ahead of data leaving with Incydr

Ready to see Incydr in action? Try a Proof of Value (POV) to experience Incydr in your own environment, or contact us to learn more.

[1] Which will likely miss activity taking place on home networks anyway.

Olga Hout

Olga Hout is product marketing manager at Code42 where she focuses on product technology.