Behind the Scenes of Code42 Incydr™: Let’s Get Technical
As a kid, every time my parents took me to a movie theatre I would inevitably be the one who needed to know how every effect was pulled off. Any interest in the effect itself evaporated in favor of knowing how it worked. As I grew, that interest gradually shifted to how the technology we all rely on daily works. Instead of wanting to know what composition of gunpowder was used to spray sparks from someone’s hands, I wanted to know which function allowed for rate limiting or matchmaking in the game I was playing. All of which inevitably leads us here: to Code42 and how the software we’ve developed protects our customers’ data.
If you’ve seen any part of our product, you’ve probably seen this:
This is our Risk Exposure Dashboard, which doubles as the landing page of the product. The dashboard shows aggregated information about data risk across a variety of fronts: high-risk users, departing users, movement to various exfiltration vectors across your organization, and activity by remote users. All of this information has been gathered from a variety of data sources, including users’ endpoints and integrations with corporate cloud services and email.
Let’s very quickly examine the mechanism for each in turn:
Endpoints: The Code42 Incydr agent on your users’ endpoints monitors file activity and captures file content when files are moved to a number of exfiltration vectors, including cloud sync agents (Dropbox, Box, iCloud, etc.), web browser uploads and removable media.
Clouds: Using connections directly into your cloud platform, Incydr monitors file activity, including creation, modification, deletion, access and sharing. All of this gets added alongside the endpoint data to provide a holistic view of a user’s file activity.
Email: Using your cloud email service, Incydr is able to provide visibility into which files are attached to emails and to whom they were sent.
Once all of this information has been gathered, it’s time for Incydr to start doing the real work: figuring out which of the (in some cases) billions of file events that happen each day across your organization actually represent data risk. That is when it’s time to dig deeper than the dashboard.
By clicking on any of the available graphs and aggregations, it’s possible to access drawers with breakdowns of the data that made up an individual graph:
Once within the drawers, you can interact with the data events themselves through our Forensic Search interface, and dig into an individual user’s data activity over the past ninety days using their user profile:
The user profile offers you contextual information about the user’s status within your organization, including job title, location, manager and particular risk indicators, such as whether the user is on a performance improvement plan or has elevated system permissions. From the user profile, a security analyst can rapidly triage potentially risky behaviors, such as mass or aberrant file movement to cloud services.
Once the analyst has determined that a particular spike or category of activity is problematic, it’s possible to view the events themselves using our Forensic Search interface:
The interface allows you to stack search filters on top of each other to ascertain which events indicate risk to your organization. Then, once you have identified a potentially problematic event (such as this Yahoo Mail file upload), you can dig into the full file contents:
Full metadata is available for every file event, including where the file was sent, where it came from, hashes for the associated files and, most importantly in the case of browser uploads, the URL and tab title the file was uploaded to. While metadata is important for triage, Incydr also gives your team one-click access to the full content of a file, either to confirm suspicions or to serve as evidence for any corrective action taken by your organization. In just a couple of clicks, it’s possible to go from a view of organizational-level risk to specific risky events, with access to the full content of the associated file.
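To make the pipeline described above concrete, here is an added illustration in Python. It is not Code42’s code, and Incydr’s real classification rules, event schema and scoring are not described on this page. The example builds a handful of constructed file events from endpoint, cloud and email sources, tags each with the exfiltration vector its destination implies (browser upload, removable media, cloud sync folder, cloud sharing, email attachment), stacks search filters the way the Forensic Search interface does, and summarizes one user’s activity over a ninety-day window next to the risk indicators from their profile. The sync-folder roots, mount-point prefixes, user names and hashes are all assumptions.

```python
"""Toy file-event pipeline: collect, tag by exfiltration vector, stack filters,
summarize per user.  Added illustration only; not Code42 Incydr's implementation."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Iterable


@dataclass(frozen=True)
class FileEvent:
    """One file event from an endpoint, cloud or email source (constructed schema)."""
    timestamp: datetime
    user: str
    source: str            # "endpoint", "cloud" or "email"
    action: str            # e.g. "moved", "uploaded", "shared", "modified", "attached"
    path: str              # file path or name on the originating system
    sha256: str            # content hash (constructed, truncated for readability)
    destination: str = ""  # URL, mount point, sync folder or email recipient
    tab_title: str = ""    # browser tab title; browser uploads only


@dataclass(frozen=True)
class UserProfile:
    """Contextual attributes an analyst sees on a user profile (constructed)."""
    user: str
    title: str
    departing: bool = False
    on_pip: bool = False               # on a performance improvement plan
    elevated_permissions: bool = False


# Hypothetical prefixes; a real agent would resolve these per platform and per user.
CLOUD_SYNC_ROOTS = ("/Users/alice/Dropbox", "/Users/alice/Box", "/Users/alice/Library/Mobile Documents")
REMOVABLE_ROOTS = ("/Volumes/", "/media/", "E:\\", "F:\\")


def exfiltration_vector(e: FileEvent) -> str:
    """Tag an event with the exfiltration vector its source/destination implies, or 'none'."""
    if e.source == "email" and e.action == "attached":
        return "email attachment"
    if e.source == "cloud" and e.action == "shared":
        return "cloud sharing"
    if e.destination.startswith(("http://", "https://")):
        return "browser upload"
    if e.destination.startswith(REMOVABLE_ROOTS):
        return "removable media"
    if e.destination.startswith(CLOUD_SYNC_ROOTS):
        return "cloud sync"
    return "none"


Filter = Callable[[FileEvent], bool]


def search(events: Iterable[FileEvent], *filters: Filter) -> list[FileEvent]:
    """Stacked filters: an event is returned only if it satisfies every filter."""
    return [e for e in events if all(f(e) for f in filters)]


def by_user(user: str) -> Filter:
    return lambda e: e.user == user


def by_vector(vector: str) -> Filter:
    return lambda e: exfiltration_vector(e) == vector


def by_hash(sha256: str) -> Filter:
    """Same content hash links endpoint and cloud events for one file."""
    return lambda e: e.sha256 == sha256


def since(t: datetime) -> Filter:
    return lambda e: e.timestamp >= t


def user_activity(events: Iterable[FileEvent], profile: UserProfile, now: datetime, days: int = 90) -> dict:
    """Profile-style summary: vector counts inside the window plus the user's risk indicators."""
    window = search(events, by_user(profile.user), since(now - timedelta(days=days)))
    vectors = Counter(exfiltration_vector(e) for e in window)
    vectors.pop("none", None)  # ordinary activity is not an exfiltration vector
    flags = (("departing", profile.departing),
             ("performance improvement plan", profile.on_pip),
             ("elevated permissions", profile.elevated_permissions))
    return {"user": profile.user, "events": len(window),
            "vectors": dict(vectors), "risk_indicators": [name for name, on in flags if on]}


# Constructed sample data: four vectors for alice inside the window, one event outside it.
NOW = datetime(2023, 6, 1, 12, 0)
EVENTS = [
    FileEvent(NOW - timedelta(days=2), "alice", "endpoint", "uploaded", "/Users/alice/Documents/q2-roadmap.pptx",
              "9f2a...", destination="https://mail.yahoo.com/d/compose", tab_title="Compose - Yahoo Mail"),
    FileEvent(NOW - timedelta(days=3), "alice", "endpoint", "moved", "/Users/alice/Documents/customers.csv",
              "3c7b...", destination="/Volumes/USB_DRIVE/customers.csv"),
    FileEvent(NOW - timedelta(days=5), "alice", "endpoint", "moved", "/Users/alice/Documents/pricing.xlsx",
              "a11d...", destination="/Users/alice/Dropbox/pricing.xlsx"),
    FileEvent(NOW - timedelta(days=1), "alice", "cloud", "shared", "pricing.xlsx",
              "a11d...", destination="external@example.net"),
    FileEvent(NOW - timedelta(days=120), "alice", "endpoint", "moved", "old.docx",
              "ffff...", destination="/Volumes/USB_DRIVE/old.docx"),  # outside the 90-day window
    FileEvent(NOW - timedelta(days=1), "bob", "endpoint", "modified", "/home/bob/notes.txt", "0b0b..."),
    FileEvent(NOW - timedelta(days=4), "bob", "email", "attached", "expense-report.pdf",
              "e5e5...", destination="finance@example.com"),
]
PROFILES = {
    "alice": UserProfile("alice", "Account Executive", departing=True),
    "bob": UserProfile("bob", "Analyst"),
}

if __name__ == "__main__":
    for profile in PROFILES.values():
        print(user_activity(EVENTS, profile, NOW))
    # Drill down the way the text does: one user, one vector, then the tab title.
    for e in search(EVENTS, by_user("alice"), by_vector("browser upload")):
        print(e.destination, "|", e.tab_title)
```

Two details worth noting. The hash filter shows why per-event hashes matter: the `pricing.xlsx` move into the sync folder (endpoint) and the later share (cloud) are separate events from different sources, and the shared hash is what ties them into one story. The window filter is what keeps the 120-day-old USB event out of the ninety-day profile summary.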
Unfortunately for all of us, I don’t have any theatrical elements in my back pocket to set off, which would indicate that we have reached the end of our time together. However, at this point, I hope you have a decent idea about how Incydr works. If you’re interested in learning more about Incydr and digging deeper into how it can help protect you from data risk within your organization, get in touch with one of our insider threat experts. I will now exit stage left.
Riley is Technical Product Marketing Manager at Code42 where he enjoys educating Security and IT teams through engaging technical content and presentation. Previously, Riley served in both customer support and customer education roles at Code42. In his spare time, he enjoys photography, travel and relaxing at the lake in northern Wisconsin with his pug Mimi.