Code42 News

The Incydr™ Scoop: Recognize & Prioritize Insider Risk Signals

5 min Read

Mark Wojtasiak

Vice President, Portfolio Marketing

Our customers are innovators, trailblazers and the leaders of tomorrow. Their source code, customer lists and 2021 go-to-market strategies are the lifeblood of their organizations. While our customers’ employees work together to design products, VR systems, conduct research, and so much more, their security teams are working to balance collaborative cultures with the overwhelming amount of risk that organizations experience. Incydr helps to make this balance possible by enabling security teams to pinpoint specific insider risk indicators amidst the incredible amount of data exposure experienced on a daily basis.  

What data is exposed: the files

Let’s be honest, you could care less about a file being exfiltrated if you can determine with certainty that the contents of the file are not important. This is obvious and simple; yet, this is the part where we see too many organizations overestimate the efficacy of their current technology, processes and policies. High-value data —the crown jewels and IP— is being exposed every day. On average, a typical employee causes 20 file exposure events per day.  The numbers don’t lie. We found that in the past 30 days alone, literally millions of files were exposed:

  • 37% were business documents 
  • 8% were source code files 
  • 5% were zip files 

What is even more concerning—and when high-value data leaks demand prioritization—is when a high-value file type, such as a business document containing the product roadmap, is concealed as a low value file named HawaiiPics.jpg. This occurrence is a risk indicator that Incydr signals, which is known as suspicious file mismatch. Incydr detected 97 instances of suspicious file mismatch in the past 30 days. While file mismatch events are not the most common type of data exfiltration that Incydr detects, it is one of the most alarming because it is indicative of malicious intent and requires data risk detection and response.

Who and where data exposure is happening: the users and vectors

At the end of the day, data risk is all around us. It can occur on the weekend or the day before an employee quits to work for a competitor. When the sheer volume of data risk is measured in the millions, additional user and vector context is critical in order to recognize and prioritize the risks that require immediate investigation and response.

For example, data exposure at 1:30 pm on a Tuesday is not as alarming as data exposure that occurs outside of a given user’s normal working hours – say on a weekend. Or, consider other user context like two days before they resign or after they are put on a performance improvement plan. Here, in order to recognize and prioritize insider risk, user context matters as much as file context. 

Correlating user context around when they work with vector context around how data is moving paints an even clearer picture of insider risk. For example, what if we knew that over one-third (34%) of the data exposure events occurring over a weekend involve a removable media device? Within the context of a weekend and remote work being the new normal, this alone may not be alarming (unless you have a strict policy against removable media use), but when coupled with the fact the user never works on the weekend and the files copied contained source code, this would be a high indicator of insider risk and/or exfiltration. 

The bottom line

Today, organizations are moving faster than ever. They’re connecting people, technology, and data to drive productivity, teamwork, innovation and speed to transform the employee and customer experience. And they are doing it largely as a remote workforce. We call this phenomenon the collaboration culture. In the collaboration culture, the faster, more productive and innovative organizations are, the more dynamic, pervasive and urgent breaches to sensitive information (crown jewels) and intellectual property (IP) become.  We call this problem Insider Risk. In order to both manage and mitigate Insider Risks to your crown jewels, faster more accurate risk recognition, prioritization and thus remediation is needed and it cannot disrupt the very productivity, teamwork, innovation and speed – the collaboration culture – that is in place.  Let’s face it, millions of data exposure events – Insider Risks – are happening on a daily basis. To cut through the noise, security teams need to correlate file, vector and user context. More data is not the answer. Better signal, simplicity and speed is the only way security is going to keep pace with the Insider Risks that is the collaboration culture.

And that’s the Incydr Scoop. 

Mark Wojtasiak

As vice president of portfolio marketing at Code42, Mark leads the market research, competitive intelligence and product marketing teams. Mark joined Code42 in 2016 bringing more than 20 years of B2B data storage, cloud and data security experience with him, including several roles in marketing and product management at Seagate.