Skip to main content

Incydr™ Demo on Risk Prioritization


Hi. I'm Aimee Simpson from Code42, and I'm here to give you a tour of risk prioritization within Incydr. This is the methodology Incydr uses to prioritize the users and activities that matter most, so you know exactly what to focus your time and attention on. Our approach to prioritization is context-driven, holds up to real-world use cases, and is also adaptable to your unique risk tolerance where necessary. So let's dive in.


We are at the Incydr dashboard. The first thing you should know is that all prioritization is powered by Incydr's library of Insider Risk Indicators, which we'll discuss in detail later. First thing you can see is this Top Users by Critical Activity list. This shows a prioritized view of the users associated with the most critical and high severity of file events that occurred outside of your trusted destinations.


You can also navigate to the list of All Users from here. Without even digging in, you can see some of the risk indicators that are associated with these user events to help you determine what you want to look at first. The risk indicators you see throughout the product are activities and characteristics that we know increase the risk level of an event. And they're based on context associated with the file, vector and user.


At the top here, I can see Sean is a departing employee. And there are a few concerning risk indicators listed here, but I'm most interested in the fact that he's moving a zip file and that there's an instance of file mismatch. A file mismatch is when a high-value file has been changed to look like a low-value file, and it often indicates someone is attempting to conceal their activity. When I click into these additional details, I can view a summary of all of Sean's activity by risk severity. I can also sort by the date observed or by the risk score of the events detected. Here, I see the event I was noticing.


It looks like Sean moved something to removable media, what appears to be a personal vacation photo. Only, Incydr tells me it's actually a zip file that has been mismatched. If I want to confirm this, I can investigate further in Forensic Search.


Here, I'm actually able to download an exact match of the file that was exfiltrated to confirm it is, in fact, a zip file. And I'm also able to add this activity to a case for long-term reporting and retention, or to send this information to Sean's manager. If I want to know who Sean's manager is, I can actually click into his profile to get that information, as well as an understanding of all his last 90 days of activity and context and his highest risk activity.


Now that you've seen how Incydr shows you what to look at first, let's talk about how this actually all works. We've built our risk prioritization model to provide you with value on day one without any configuration by pre-populating all the risk scores in our risk settings drawer. All the risk scores have been set based on significant analysis of our product telemetry data, as well as interviews with security professionals like yourself. And we've set these defaults to strike the ideal balance so you're not bogged down by alerts, but also don't miss what you need to look at.


In this drawer, you can see our growing library of risk indicators grouped by user, destination, and file indicators. Every risk indicator is given a risk score. And all of these scores on an event are totaled to determine the event severity.


We're transparent about our scoring so that you can have confidence in how the model works. And most of our customers find Incydr has harnessed their intuition. And the risks reflected in here is similar to what they would have done alone. Only now, they don't have to.


So we've made this adaptable if needed. And you can edit the scores to your own risk tolerance if different from what Incydr recommends. For example, if you run a production studio where video files comprise most of your IP, you'll likely want to increase the risk score for video files.


And when it comes to alerting, you can set rules based on specific risk indicator criteria, or we recommend a severity-driven rule that leverage the assigned severity by Incydr. Doing this already encompasses the risk indicators that are most meaningful to you. So there you have it. I hope this tour helps you to understand how Incydr helps you to focus your attention on the user's activities that matter most, so you can respond more quickly rather than spending your time triaging alerts.


About the Author

As a manager of product marketing for Code42, Aimee is responsible for product launch and technical content. She joined Code42 in 2013, having previously worked at Dell and Compellent Technologies.

Profile Photo of Aimee Simpson