What if security could stop blocking productivity while still protecting from data loss? That was the mission we set out to accomplish five years ago. It required us to think differently about data loss prevention and about how people work today. It required us to think differently about how to change the security culture at a company. It required speed and precision. It required innovation. It mostly required conviction. It became Incydr™ & Instructor™ – the Code42 Insider Risk platform.
I love Incydr. I love how intuitive and easy it is to use. I love that Incydr is cloud-native: born in the cloud and where processing and analytics only happen in the cloud allowing for a stunningly light agent. I love that we can innovate instantaneously. Don’t like the way something is working in Incydr? We will improve that in the next release…often in 3 days. Wow.
But beyond its architecture, what’s really powerful is how Incydr can both detect insider threats and respond automatically to the full spectrum of incidents – from the accidental and erroneous to the downright malicious and intentional. And Incydr can automatically stop the most malicious threats and educate the users to do better on the unintentional risks.
Incydr detects insider threats using a combination of Insider Risk Indicators and our Trust Model. As a result, we can instantly flag:
- Source code exfiltration to unsanctioned GIT applications
- Customer lists download from Salesforce to a personal device
- Documents uploaded to a personal (vs corporate) GDrive
And in addition to seeing file metadata information, including source, MD5 and SHA 256 hashes, owner, size, path, created and modified dates, Incydr gives the security team the actual copy of the exfiltrated file to assess its value in seconds.
Incydr responds to Insider Risk using a combination of:
- Just-in-time micro-learnings that are automatically sent to employees when they move files incorrectly (such as creating a public link or using a personal Dropbox)
- Integrated case management capabilities to easily aggregate all information and events related to an incident for collaboration with stakeholders in legal and HR
- Containment capabilities, leveraging our integrations with the leading XDR players, to prevent further activities during an investigation
- Blocking capabilities to stop high risk exfiltrations such as those created by departing employees or contractors
Incydr is revolutionary in its technology. But what I love most is the way Incydr represents a point of view. Salesforce didn’t just copy Siebel, they had a point of view twenty years ago. CrowdStrike didn’t just copy McAfee and Symantec, they had a point of view. At the beginning, everyone said they were crazy – that’s not how it is done. Elon Musk once said, “Good ideas are always crazy until they’re not.”
Many of you will think we are crazy. I think we just have a point of view. Relying on security technology (read: DLP) designed for an on-premises world to protect your data in today’s cloud and mobile world simply isn’t sustainable.
For starters, we don’t believe in data classification. Why spend a year trying to figure out what data is important in your environment when that data is constantly changing? The entire process is inherently inadequate. It simply doesn’t work. Instead of watching the data classified as important, Incydr watches all data. Sure, Incydr can include your data tags in our metadata repository but only to overcome your objection – not because we believe it is a smart way to protect your data. Classification systems don’t catch the most harmful exfiltrations because users don’t and won’t classify data as important before they take it.
Some other players on the market say the best way to skip classification is to trace the lineage of your files – to look at their source. We capture source detail too; it’s a valuable piece of context when applied correctly. But it’s not the answer you’ve been searching for. It’s more of the same. It forces security analysts to define high-value data sets for all employees. It forces them to keep up with ever changing use cases.
We believe there is a better way. Down the street from where I live, local authorities have installed a speed camera on Massachusetts Avenue. Nobody speeds on Massachusetts Avenue anymore. The speed camera prevents speeding by creating accountability and consequences. Our approach is to prevent data exfiltration by watching all data, all vectors and all users, and creating consequences for people who exfiltrate data. This upstream approach assumes positive intent, lets users collaborate and work together, and gets security people focused on actual cases of risk, not on normal business. A good insider threat program will be transparent about the data monitoring so that users know what is expected of them. That is what Incydr represents. It is a new and better way.
Some proponents of old-school DLP have asked me: “Can’t you work alongside DLP to improve visibility? Isn’t it fair to say that you are ‘better together’ when used with existing DLP systems?” No. We are not better together. Incydr attacks the same problem they’ve been trying to solve – it just does it better. Sure, you can run Incydr and DLP side by side if you want, but only to prove how bad your existing DLP is. We are not better together. DLP doesn’t make Incydr better in any way.
This is our conviction. This is Incydr. Some people won’t agree. That’s what happens when you trailblaze. Our customers allow employees to freely share data and collaborate while still preventing data loss. And they are reaping the value in the speed advantage this gives them over their competitors. We are on the right side of history on this one and the market has spoken. We have the courage of our conviction and we’re sticking to it. Come join companies like Crowdstrike, Okta, Rakuten and Splunk. We aren’t crazy; we just have a point of view.