Skip to main content

Respond Faster and Improve Your Insider Risk Posture with Incydr™ + Cortex XSOAR

Author Tony Schwandt

 

Security leaders who responded to the 2021 Data Exposure Report survey told us that their employees are 85% more likely today to leak files than they were pre-COVID. But security teams are blind to the majority of that movement. More than half can't see when users are moving files to untrusted domains or when employees leak files off-network. And 60% of security teams lack historical context into their users' behavior. In other words, security teams have no idea of what an employee may become an Insider Risk.

 

Hi there, I'm Tony Schwandt, Senior Product Manager here at Cod42, here to discuss how Incydr integrates with Palo Alto Networks Cortex XSOAR. We'll take a look at how security teams leveraging Code42's Premium Pack in the Cortex XSOAR marketplace can automate the review of suspicious activity based on preset triggers within Cortex XSOAR, then easily pull in the right stakeholders as part of a streamlined incident response process. I'll show an example of how this can be used in an employee offboarding workflow. You can also tap into Incydr's comprehensive file activity index directly from Cortex XSOAR to perform a file hash search to see how a specific file moved, and how the user who moved the file accessed it in the first place. So instead of wondering how that source code was leaked to a competitor, you'll know in seconds and can remediate the situation before the damage is done.

 

All right, so this is Cortex XSOAR and you can see in the marketplace here, Code42 has two different packs: the free pack and then the Insider Threat Remediation pack. The free pack contains all of the building blocks that you need. It contains all the commands, all the scripts, everything is there and ready to be used. What the Insider Threat Remediation Pack does is it goes one step beyond that and it actually strings those together into full-fledged use cases and playbooks that can be utilized by customers.

 

So to take a look at one of those playbooks, we'll go into the test area I've got set up. So here is the Suspicious Activity Review playbook that we've got in the Premium Pack. So, when the playbook gets triggered, it can be triggered via anything, could be somebody's last day, an alert in a different system, an alert in Code42. But either way, this playbook gets triggered, checks that Code42's available, retrieves exfiltration events for the user that was associated with the playbook triggering. If there were exposure events found in Code42, it converts that table into HTML and then it emails out an email address. It can be the manager, it can be an HR reviewer, it could be a content SME because the security analyst may not always know what they're looking at. So this is the easy way and automated way to get information in front of the person who knows what they're looking at.

 

The manager or content SME gets an email, and basically, they get shown the table of all the exfiltration events and all they have to do is answer one simple question: Does any of this activity seem suspicious, yes or no? Put in reasons. Once they hit submit, then it comes back into Cortex XSOAR. If the recipient said it was not suspicious, then the playbook just ends. If they said it was suspicious, this is where another human task comes in and the security analyst will review the response and can decide on a remediation action. Either block the user, add them to high-risk, add them to legal hold, depending on the severity. So this plays very well into our theme of right-sized response.

 

Once the response is determined, then we call this secondary playbook that is included in the pack the Code42 Suspicious Activity Action playbook, and that actually just takes the action that was decided on in the previous step. So that will actually go through and do that. And the reason we broke it out like that is because then you can take the Suspicious Activity Action playbook and you can plug it into other playbooks. You can plug it into your EDR playbook. If somebody is a very attacked user or there's a lot of malware, you can automatically have it add them to high-risk and legal. So the way that these playbooks are very modular, they're very much able to be plugged in where they're needed.

 

One of the other cool features of the playbook is that we have included scripts in order to do file searches from Code42. And basically what that means is no matter where you are in Cortex XSOAR, if you have a hash, SHA256 or MD5, you can click on it, go to the Actions menu and you can either download the file or search for download. Or you can do a file search and see what has been going on with that file.

 

So what kind of events are related to that file? You can see, this is the output for the download file one, it's just a PNG image and it downloads the file and adds it to the evidence board. We also have commands that you can plug into the playbooks to do these things as well. So if your firewall or CASB system detects that some file was moved, as long as it has the MD5 or SHA256 hash, you can search Code42 and automatically download that file into the evidence board.

 

Cortex XSOAR's playbooks together with Incydr's high fidelity risk indicators enables security teams to detect, prioritize and automate right-sized response actions for Insider Risk throughout the employee life cycle. To take advantage of Code42 Premium Pack within Cortex XSOAR security, teams must have Incydr installed on the endpoint and have endpoint user monitoring enabled.

 

For security teams not using Incydr today, it is 100% cloud-based , works on Mac, Windows and Linux, and deploys within hours with product value realized within days. For more information, including how to start a proof of concept, check out this link: www.code42.com/integrate-xsoar