
Case Study

Media Production Company Uncovers Insider Risk With Incydr


Between original media content, valuable subscriber data and other sensitive business information, media companies have become a prime target for data breaches. But what happens when a company suspects the data leak came from inside? That was the situation for one media production company — and the suspicion was allowing mistrust to fester in an organization where collaboration is key.

The company was tipped off to the insider leaks when they saw confidential, insider information appear in the media without their prior knowledge. Based on the information, they knew it likely came from an employee or a close business partner. In a highly competitive industry where controlling the media conversation and building buzz is critical, this malicious data exfiltration was putting the media company’s competitive advantage at risk and threatening to derail future plans.

A savvy security analyst recognized the urgency of the situation and strongly recommended the company implement a stronger, more proactive approach to stopping the insider data leak. “When it got really bad and there was a trust issue, I recommended Code42,” said the analyst. Having previously rolled out Code42 Incydr to 40,000 laptops without disrupting employee workflows at a different organization, the analyst was confident it would work seamlessly in the media company’s environment. The security analyst knew that “Incydr would help us feel like we at least had visibility into whether our people were responsible for the leaks,” so they could rapidly address the problem and restore internal trust.


The media company implemented Incydr to provide visibility into when, where and how their intellectual property was moving — and who was moving it. The rollout was as quick and simple as the analyst expected. The solution worked across their Windows, Mac, and Linux environments, so there were no holes, exceptions, or multiple consoles to complicate maintaining Incydr.

The company also integrated Incydr within its security stack to add much-needed context to the information provided by their other systems (namely Okta and GSuite logs) in order to get a contextual understanding of insider risk. Incydr’s pre-built integration with Okta allowed them to provision additional user attributes, such as department, manager and employment type, to help the security team focus on users more likely to put data at risk, such as contractors or departing employees. Since they also integrated Incydr with their corporate cloud storage services, including Google Drive, the security team gained full visibility into files that users create, share, delete or modify within the platform, regardless of device or network. In addition, Incydr’s integration with corporate email services including Gmail allowed their team to monitor browser uploads and downloads in order to track file attachments shared via email, whether personal or corporately sanctioned.

Incydr gave the media company critical visibility into all file activity. But just as importantly, Incydr showed the security team context around that file activity and gave them the ability to quickly respond. That contextual information made it much easier for them to differentiate everyday activity from activity that presents a material risk to data security.

For example, through Incydr’s integration across their security stack, the company is alerted when someone saves a copy of a file and then shares that file externally. A security analyst could then look at the copied file and verify in GSuite logs that the person shared the file with themselves. Then, the security analyst might dig deeper and search for the original file with the file ID or the file title to see exactly when the employee looked at the original file. With all that additional context, the company could reasonably conclude that the employee may have copied and shared the file in an effort to avoid detection by coworkers and peers who also have access to the file-sharing properties.

“Incydr tells a more complete picture of what the individual might be trying to do and whether they’re trying to cover their tracks,” said the media company’s security analyst. “If somebody makes a copy of a confidential script, renames that new document, and then shares that file, that pattern indicates that the employee might know their actions are not allowed and that security should take a closer look and quickly remediate with the employee or their manager.”
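The copy, rename and external-share pattern described above can be expressed as a small correlation rule over file audit events. This is an added example, not Incydr's logic or code from the company in the case study; the event field names, the `example.com` corporate domain, the 24-hour window and the sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

CORP_DOMAIN = "example.com"    # assumed corporate e-mail domain
WINDOW = timedelta(hours=24)   # assumed copy-to-share correlation window

# Constructed sample events; the field names are hypothetical, not a real log schema.
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "actor": "alice@example.com", "action": "view",
     "file_id": "F1", "title": "Pilot Script"},
    {"ts": "2024-03-01T09:05:00", "actor": "alice@example.com", "action": "copy",
     "file_id": "F2", "source_id": "F1", "title": "Copy of Pilot Script"},
    {"ts": "2024-03-01T09:06:00", "actor": "alice@example.com", "action": "rename",
     "file_id": "F2", "title": "notes"},
    {"ts": "2024-03-01T09:10:00", "actor": "alice@example.com", "action": "share",
     "file_id": "F2", "target": "alice.home@mail.example"},
    {"ts": "2024-03-01T10:00:00", "actor": "bob@example.com", "action": "copy",
     "file_id": "F3", "source_id": "F1", "title": "Copy of Pilot Script"},
    {"ts": "2024-03-01T10:02:00", "actor": "bob@example.com", "action": "share",
     "file_id": "F3", "target": "carol@example.com"},
]

def is_external(address):
    return address.rsplit("@", 1)[-1].lower() != CORP_DOMAIN

def find_copy_then_external_share(events):
    """Flag copies that the same user shares outside the company within WINDOW."""
    copies, last_view, findings = {}, {}, []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["action"] == "view":
            last_view[(e["actor"], e["file_id"])] = ts
        elif e["action"] == "copy":
            copies[e["file_id"]] = {"actor": e["actor"], "source_id": e["source_id"],
                                    "ts": ts, "renamed": False}
        elif e["file_id"] not in copies:
            continue  # rename or share of a file that is not a tracked copy
        elif e["action"] == "rename":
            copies[e["file_id"]]["renamed"] = True
        elif e["action"] == "share":
            c = copies[e["file_id"]]
            if (c["actor"] == e["actor"] and is_external(e["target"])
                    and ts - c["ts"] <= WINDOW):
                findings.append({
                    "actor": e["actor"], "copy_id": e["file_id"],
                    "original_id": c["source_id"], "renamed": c["renamed"],
                    "shared_with": e["target"],
                    # when the user last opened the original, for the analyst's timeline
                    "viewed_original_at": last_view.get((e["actor"], c["source_id"])),
                })
    return findings
```

Each finding carries the original file ID and the last time the user viewed it, which are the pivots the analyst uses in the walkthrough above; the internal share by the second user produces no finding.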

That additional context leads to higher fidelity alerts, which, in turn, accelerates a response that’s commensurate with the risk. Incydr gives the security team a clear indication of true insider risks and prioritizes those that require response. Security teams no longer have to worry about endless false positives wasting their time, or about policies that let real data leaks and theft slip by. Security analysts at this media company now have alerts they can trust, and the tools and context they need to investigate quickly and determine a right-sized response.


Prior to implementing a data risk detection and response solution, the media company faced increasing concern about their risk posture, fueled by insider leaks that were eroding trust within the organization. With Incydr, the company’s security team can now clearly see all file activity — including off-network activity, cloud and email activity — and prioritize those events without missing incidents that might slip by a policy-based solution. Their security team uses the deep visibility into the context around that file activity to quickly identify the truly risky insider actions and determine the right-sized response.

Implementing the Incydr product has not only improved the company’s overall risk posture, but also restored trust throughout the organization. The media company can trust their employees to work creatively, collaboratively and efficiently — using the tools and means they choose — without worrying about losing critical intellectual property. Perhaps most importantly, Incydr has helped the media company restore trust among its staff. They’re no longer suspicious of their colleagues, and have regained confidence that their competitive advantage is secure.

“What price do you put on restoring trust?” said the security analyst. “Incydr ends up being pretty priceless.”
