Preventing data exfiltration while facing DLP roadblocks
Lending to small businesses is no small matter. For more than a decade, an A+ rated lender has provided more than $13 billion in small business loans to customers in 700 different industries across the U.S., Canada and Australia.
Managing and safeguarding customers’ personal identifiable information (PII) comes with the territory in all of these sensitive financial transactions. And like most organizations today, the lender was increasingly focused on the growing data exfiltration risks presented by employees.
On various occasions, the lender had suspected that departing employees and other high-risk staff had maliciously exfiltrated data — evading the organization’s legacy data loss prevention (DLP) technology. Unfortunately, that legacy DLP tool was limited in scope. The DLP tool only had visibility to data that had been manually classified for monitoring, and could only see user actions that violated the defined policies. Data outside this scope went unprotected and activity outside these policies went undetected.
Building the foundation for a strong Insider Risk strategy
These legacy DLP limitations came to a head as the lender prepared for a bank charter. Their internal audit team cautioned that moving forward without stronger controls around data movement exposed the lender to too much insider data risk. “Our legacy DLP had become aged and atrophied, and we didn’t have a good foundation for our program to really thrive,” said the lender’s security analyst. “We wanted to know what users were doing with our files and is it a problem for our company? Is it putting us at risk?”
Gaining visibility and context without blocking productivity
The lender set its sights on finding technology that provided endpoint visibility, context around data activity, and automated prioritization to quickly determine if user activity presented significant Insider Risk worthy of a security response. But the company also wanted a solution that eliminated the all-too-frequent workflow disruptions they experienced as their legacy DLP solution blocked their employees’ legitimate, authorized activity.
On the back end, the lender wanted a simple, cloud-based solution that didn’t require on-premises infrastructure and was easy to set up, administer and use. The need for a cloud-based solution became even more critical when the COVID-19 pandemic suddenly shifted all employees to remote work and off their corporate network.
IMPLEMENTATION AND DEPLOYMENT
A simple rollout and supportive team
After evaluating DLP solutions like Digital Guardian and Gamma, the lender partnered with Code42 to implement the Incydr™ data risk detection and response product. Code42 helped the lender leverage Incydr for comprehensive monitoring of all data activity (including remote and off-network activity), automated, high-fidelity alerting on Insider Risks and immediate access to deep context to accelerate investigations and help their team determine a right-sized response.
Initial deployment of Incydr was easy and seamless — and adding new machines continues to be a simple process for their security team as the lender grows and adds staff. The lightweight Incydr endpoint agent caused no disruptions or slowdowns for employees’ machines, and they were easily able to monitor data movement on all endpoints during their shift to remote work.
Beyond the Incydr solution itself, the lender recognized the expertise and responsive support of the Code42 team in guiding their design and deployment of their Insider Risk Management strategy. “We have never had an Insider Risk program, so we were looking for as much expertise as Code42 could offer,” said the lender’s security analyst. “I don’t have a lot of time just to dedicate to crafting, managing and articulating everything that goes into an Insider Risk program. Code42 was a good partner for that.”
Faster detection and response where nothing falls through the cracks
Implementing Incydr empowered the lender to rapidly improve its risk posture, without disrupting or impeding the productivity and collaboration of its employees. With employees working remotely — and the increased data risk remote work presents — the security team now has comprehensive visibility into data activity on remote endpoints, cloud-based apps and even off-network data activity. This deep visibility and context enables them to accurately identify and rapidly investigate Insider Risks, determining events that require high-priority response (such as malicious data exfiltration) and events that merit a more strategic response (such as targeted training on best practices for cloud-based sharing and productivity apps).
They also leverage the built-in lenses within Incydr to focus on their biggest areas of Insider Risk, including data activity among departing and high-risk employees. “The ability to get a quick view into what type of activity has been going on with an individual through the Incydr console has been really powerful,” said the security analyst.
Incydr gave the lender’s security team capabilities that go well beyond their legacy DLP tool, helping them mitigate exfiltration risk that isn’t easily classified or identified with policy-based logic. This reflects the complicated nature of modern Insider Risk Management: “It’s more nuanced and requires context to understand the risks around it,” said the security analyst. For example, the security team can now leverage the forensic search capabilities of Incydr’s investigation feature, which gives them the ability to query file events over the last 90 days to enable faster, more thorough investigations and get actionable context around data in their environment. “It allows an analyst like myself to go back through, pull those files out, review them and make sure that information is not being sent out that shouldn’t be sent out,” said the security analyst.
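To make the contrast concrete, here is an added illustration (not Code42's code and not how Incydr works internally) of the gap described above: a policy-based check that only sees classified files, beside an activity-level approach that records every file movement and ranks it by context such as destination and departing-employee status. The events, user list and scoring weights are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample file events (not real telemetry): who moved what, where,
# and whether the legacy classification scanner had ever labelled the file.
@dataclass
class FileEvent:
    user: str
    path: str
    destination: str   # "usb", "personal_cloud" or "corporate_share"
    classified: bool   # True only if a manual classification tag exists

EVENTS = [
    FileEvent("alice", "loan_apps_q3.xlsx",   "corporate_share", True),
    FileEvent("bob",   "loan_apps_q3.xlsx",   "usb",             True),
    FileEvent("bob",   "customer_export.csv", "personal_cloud",  False),
    FileEvent("carol", "slides.pptx",         "personal_cloud",  False),
]

# Context the legacy policy never had: who has given notice (constructed).
DEPARTING = {"bob"}
RISKY_DESTINATIONS = {"usb", "personal_cloud"}

def legacy_dlp_alerts(events):
    """Policy-based DLP: alert only when a *classified* file leaves by a risky
    path. Unclassified data never enters its field of view."""
    return [e for e in events
            if e.classified and e.destination in RISKY_DESTINATIONS]

def risk_score(event):
    """Activity-based scoring: every file movement is an event; destination
    and user context decide priority, not a classification tag."""
    score = 0
    if event.destination in RISKY_DESTINATIONS:
        score += 2
    if event.user in DEPARTING:
        score += 3
    return score

def prioritized(events, threshold=3):
    """Events at or above the threshold, highest risk first, for analyst review."""
    scored = sorted(((risk_score(e), e) for e in events), key=lambda t: -t[0])
    return [e for s, e in scored if s >= threshold]

if __name__ == "__main__":
    print("legacy alerts:", [e.path for e in legacy_dlp_alerts(EVENTS)])
    print("prioritized:  ", [(e.user, e.path) for e in prioritized(EVENTS)])
```

The unclassified `customer_export.csv` upload by a departing user is invisible to the policy check but lands at the top of the activity-based queue, while the routine corporate-share copy by a non-departing user scores zero and creates no noise.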
While having Incydr would have been a game-changer in stopping past malicious exfiltration events that their legacy DLP tool missed — not to mention the employee frustration that came from “false positive” blocking — the lender’s security team is confident that they’re now equipped to support and enable the company’s business growth plans. “Before, we had no way to figure out what some employees were doing, but we thought something was going on,” said the IT security analyst. “That activity has stopped since we deployed Incydr.”