The world will be talking security very soon – the RSA Conference is just around the corner. From February 24 to 27, more than 40,000 information security practitioners, influencers and enthusiasts will descend on the Moscone Center in San Francisco for a week packed with presentations, product demos, breaking news stories and connecting with peers.
Team Code42 will be in the North Hall of the Moscone Center ready to talk to security and IT teams about one of the biggest risks to their data – insider threats. If your challenge is to protect your data from walking out the door when your employees transition out or from careless users, schedule a technical demo now or drop in at our booth, N-6079. We take a new approach to insider threat detection, investigation and response and can protect your most valuable IP, product plans and customer lists without rigid policies and without blocking your employees from collaborating and sharing files. We cut through the noise and give you access to incredible detail about file movements with only a click or two. We’ll be at booth, N-6079:
Feb 24: 4:30-7 p.m.
Feb. 25: 10 a.m. to 6 p.m.
Feb. 26: 10 a.m. to 6 p.m. (Pub Crawl from 4-6 p.m.)
Feb. 27: 10 a.m. to 3 p.m.
If you don’t yet have an expo pass and are having some serious FOMO, we’ll get you in the door for free. Reach out now for a complimentary expo pass.
Code42’s CEO and SVP to Present Feb. 25
We are thrilled to share that CEO Joe Payne and SVP Vijay Ramanthan will co-present from the expo floor of the Moscone Center the afternoon of Feb. 25. Please join them to hear their insights about why insider threat is such a big, unsolved problem for today’s most progressive companies, and how companies can get a leg up on some of the biggest threats to their data.
The Insider Threat –- You’re Flying Blind Speakers: Code42 President and CEO Joe Payne and Senior Vice President Vijay Ramanathan When: Feb. 25: 4:20-4:50 p.m. Where: Moscone Center North – North Briefing Center, booth N-6545 Session Description: Studies show that 90% of data loss that manifests from inside organizations goes undetected. What’s worse, nearly 70% of organizations that were breached from the inside had a data loss prevention solution in place. The brutal truth – prevention solutions are not effective at stopping insider threats. Attend this session to learn from Code42 senior executives about how data risk detection and response ensures you and your organization are not blindsided.
Code42 Customer Theater Presentations Feb. 25 and Feb. 26
This year we are really excited to welcome three of our customers to speak in our booth, N-6079 during RSAC 2020. Security practitioners from BAYADA Home Healthcare, Crowdstrike and Exabeam will share the strategies they’ve used in their successful insider threat programs.
Look Closer: Your Files are Leaving During Employee Departures Speaker: Andrew Jarrett, Senior Manager, Desktop Equipment Services, BAYADA Home Health Care When: Feb. 25: 11 a.m. to 12 p.m. | Feb. 26: 11 a.m. to 12 p.m. Where: Code42 booth N-6079 Session Description: Sixty-three percent of employees brought data with them from their previous employer (Code42 Data Exposure Report 2019). The flip side of this is that employees are taking data with them when they quit, and most organizations do not have the processes or tools in place to detect, investigate or respond when data is put at risk by a departing employee. BAYADA Home Health Care recognized this risk, and took action to mitigate it by defining an internal departing employee process built around the use of Code42’s insider threat solution.
Insider Threat: The Risk your SOC Won’t Catch Speaker: Ryan Bonfadini, Incident Response Analyst, CrowdStrike When: Feb. 25: 1-2 p.m. | Feb. 26: 1-2 p.m. Where: Code42 booth N-6079 Session Description: Don’t let your insider threat program be stuck in the past (or be nonexistent). Learn how to modernize your insider threat program and prepare for next generation attacks. During this session, Ryan Bonfadini will share his expertise gained over the past seven years where he has established and matured insider threat programs at CrowdStrike and Symantec.
Data Security in the Age of Collaboration Speaker: Alex Koshlich, IT InfoSec Manager, Exabeam When: Feb. 25: 2-3 p.m. | Feb. 26: 2-3 p.m. Where: Code42 booth N-6079 Session Description: For many companies, the accelerated pace of their growth doubles as one of their greatest security risks. To maintain security while fostering growth, Exabeam allows employees to use whatever tools are necessary to get the job done, as long as security can maintain visibility into those tools. To accomplish this, Exabeam relies on Code42’s solution to see how files are moving across their endpoints and cloud applications.
After Hours Security Party
Join Code42 for an exclusive, invite-only event at the Minna Gallery with fellow RSAC attendees! Enjoy complimentary drinks, live entertainment and heavy appetizers. Space is limited, so RSVP now.
When: Feb. 25: 7-10 p.m. Where: 111 Minna Gallery, 111 Minna St., San Francisco, CA 94105
3 Ways to Protect Data from Insider Threats
Our eBook includes workflows and how to get insider threat program buy-in from leadership.
Security never stops. As 2019 comes to an end, security professionals are looking to what is in store for the year ahead. To get some answers, we reached out to Code42 leadership and security experts to get a sense of their cybersecurity expectations for the coming year.
While they expect plenty of tough challenges when it comes to protecting data, there is some good news in the mix. The team anticipates that enterprises will take steps toward formalizing (and automating) their security programs where gaps exist.
Here’s what the Code42 team had to say:
Insider threat programs grow more prevalent
Relentless reports of new, high-profile insider breaches will push many more businesses to finally take insider threat seriously enough to formalize programs and allocate a larger budget dedicated to protecting their intellectual property. This year, at least half of data breaches involved an insider, but in 2020, that figure could exceed 60%.
When it comes to insider threat, companies will begin to lean into new technologies designed distinctly for protecting from insider threats, and they’ll stop shoehorning outdated, ineffective technologies that were never really intended to mitigate insider risks to begin with. Finally, more than 20% of organizations will begin actively measuring what departing employees take from their organization. – Joe Payne, president and CEO at Code42
“ When it comes to insider threat, companies will begin to lean into new technologies designed distinctly for protecting from insider threats, and they’ll stop shoehorning outdated, ineffective technologies that were never really intended to mitigate insider risks to begin with. ”
The role of security will increasingly integrate within IT
With the continued cybersecurity talent gap, along with increased regulatory demands and security threats, security and IT will have to work more closely together. What I mean by this is traditional IT will be expected to take on security responsibilities, while security roles will evolve to become more hands-on and step into actual problem-solving rather than problem-identification mode.
Security has always been positioned to cover confidentiality, integrity and availability – the well-known security CIA triad. While IT has traditionally been focused on availability, it’s increasingly recognized that data integrity and confidentiality need to be a part of the broader IT strategy. There has always been an opportunity for a natural fit between IT and security, and 2020 will prove to be the year that we recognize the similarities and start to benefit from the combined focus from these two disciplines. – Jadee Hanson, CISO and VP of Information Systems, Code42
Collaborative tools get security department green light
Progressive organizations thrive on collaboration. After all, we are in the midst of a massive culture change that centers on employees’ ability to share ideas, move faster, and collaborate. CEOs are requiring that their employees use Slack, Chatter, Box, and OneDrive to work together to be more productive. However, at the same time, CISOs have been busily blocking collaboration by using legacy prevention technology. In 2020, progressive CISOs will stop blocking and will start focusing on enabling collaboration by adopting new approaches that better address insider risk. – Joe Payne, president and CEO at Code42
“ CEOs are requiring that their employees use Slack, Chatter, Box, and OneDrive to work together to be more productive. However, at the same time, CISOs have been busily blocking collaboration by using legacy prevention technology. ”
DevOps teams embrace security
Organizations have adopted DevOps, but security hasn’t always kept pace. As DevOps grows, so does the desire (and the need) for security to become embedded within these teams. In the next year, organizations will increasingly seek ways to build the skills, tools, and knowledge they need to build security directly into DevOps teams. – Michelle Killian, director, information security, Code42
The security talent shortage continues
By nearly all estimates, the industry is millions of cybersecurity jobs short of what’s needed to adequately secure enterprise data. This shortage will push security teams to automate as much as they can to stretch their capabilities. Hopefully, teams will focus on optimizing the basics because it remains true that the vast majority of breaches could have been prevented if security 101 practices were followed. Areas that will be automated include manual operations tasks, application security testing, data monitoring, and more. – Todd Thorsen, senior manager information security, risk management and compliance, Code42
Security ‘solutions’ continue to grow in complexity
The complexity of security vendor solutions remains too high in cybersecurity. Many vendors continue to proudly talk about how sophisticated their products are and how they can solve complex problems. The problem is: using these security tools themselves is an overly complex and unwieldy process. At the same time, the security industry struggles with a serious shortage of skilled cybersecurity personnel. Something has to give.
In 2020, we will see security vendors focus on providing both signal and simplicity. To align with the realities of personnel shortage, solutions will surface highly actionable information and present it in easy-to-use, accessible ways so that security teams can act quickly without being embroiled in endless investigations. – Joe Payne, president and CEO at Code42
“ In 2020, we will see security vendors focus on providing both signal and simplicity. To align with the realities of personnel shortage, solutions will surface highly actionable information and present it in easy-to-use, accessible ways so that security teams can act quickly without being embroiled in endless investigations. ”
Move from reactive to proactive security
Companies are so busy reacting to incidents and putting out fires that they are missing opportunities to proactively reduce risk. One area is how staff and others will continue to be a highly exploited threat vector, yet companies will continue to trail behind mitigating their human risks. One thing is for sure: training alone is not going to work, as companies need to create security-minded cultures in their workplaces. – Chrysa Freeman, program manager, security awareness, training and culture, Code42
Expect a major breach within a federal agency
A federal agency will experience a large-scale data breach at the hands of an insider. This will highlight the growing insider threat blind spot for all large organizations.
Also, foreign hackers and the election take center stage. There will be proposed federal regulations requiring encryption back-doors and FCC regulation of social media in advance of the elections. As the elections approach, there will be reports of hacks and vulnerabilities, many with grand claims. All of these claims will be unsubstantiated, viciously spun, yet cause no direct or measurable harm. But they will create enough doubt and disruption to further the nation’s political divide. – Andrew Moravec, principal security architect, Code42
The return of ransomware
It used to be that cryptojacking—using someone else’s computing to mine cryptocurrency—was a relatively easy path to profit. But as the price of bitcoin continues to fluctuate wildly, those profits are no longer such a sure thing. As a result, adversaries will shift their attacks to optimize their efforts. Once their malware is deployed onto endpoints, they may decide ransomware is the way to go, which would very well lead to a resurgence in ransomware attacks. – Jeff Holschuh, senior manager of identity, Code42
A renewed focus on data privacy
The CCPA (California Consumer Privacy Act) goes into effect at the beginning of 2020. The act will have a substantial impact on companies that don’t yet have mature data security and privacy programs in place. As enforcement actions are brought under this new law, companies will scramble to ensure they are meeting all of the law’s requirements.
Essentially, CCPA focuses on data collection rules, breach disclosure, and the selling of consumer personal data. Expect not only CCPA-driven lawsuits and fines, but also a nationwide rush by companies to ensure they can comply. – Nathan Hunstad, principal security engineer and researcher, Code42
3 Ways to Protect Data from Insider Threats
Our eBook includes workflows and how to get insider threat program buy-in from leadership.
Team Code42 is excited to be at the Orange County Convention Center for the Microsoft Ignite conference this week. We have a ton going on and are ready to talk to security and IT teams about one of the biggest insider threats to their data – employees who quit. Swing by to see us at booth #1141 and find out how we can show you exactly what IP your employees are stashing in their pockets, personal email and cloud. Hint: they probably took the data long before you knew they were leaving.
week, we will be ready to give demos and previews of our Code42(R) Next-Gen Data Loss Protection
solution, which makes it quicker and easier to detect, investigate and respond
to insider threats. Visit with Team Code42:
Nov. 4: 12:30-7:30 p.m.
Nov. 5: 8:30 a.m. to 6 p.m.
Nov. 6: 8:30 a.m. to 6 p.m.
Nov. 7: 8:30 a.m. to 5:15 p.m.
Rob Juncker, SVP, Speaks in Theater C at 2:15 p.m “Employees are Taking Data when They Quit” Sixty percent of departing employees admit to taking data – company trade secrets, customer lists and source code – when they leave their job. Want to know the truth? The other 40% probably are lying and also have taken data. At a time when the data economy is flourishing and your competitive edge hinges on keeping your most innovative ideas under lock and key, we have to find better ways to protect valuable IP and trade secrets when employees and contractors quit and head off to their next gig.That’s why Rob Juncker, our SVP of product, research, operations and development, is leading off the show with a presentation about insider threat called, “Employees are Taking Data when They Quit.” Head over to Theater C on the expo show floor at 2:15 p.m. ET on Monday to catch his talk.
Tuesday and Wednesday:
Code42 Customer MACOM in Booth #1141 Don’t take our word for it. Hear from one of our power users, MACOM’s David Chiang, about how he uses the Code42 solution to hang onto MACOM’s most valuable files. Be sure to spend some time talking to David in Code42 booth #1141 about how he tackles the challenge of data loss from departing employees and protects MACOM’s highly proprietary semiconductor designs and CAD drawings. He’ll be in the booth Tuesday and Wednesday from 9 a.m. to 12 p.m.
Other Activities in Code42 Booth #1141
Monday: Demos and Drinks, 4-7:30 p.m. End your day with a product demo and glass of McSwagger’s Own Ale from local brewery Crooked Can Brewing Company.
Tuesday: Demos and Donuts, 8:30 a.m. to 12 p.m. Grab mini donuts made fresh in our booth while taking in a solution demo.
Wednesday: Midweek Energy Boost, 8:30 a.m. to 12 p.m. Need some more wings mid-week? We’re doing a Red Bull giveaway and solution demos.
Thursday: Thank You, Safe Travels Cookies, 11 a.m. to 3 p.m. Before you finish at Ignite, swing in for a solution demo and fresh-made cookies.
Code42 at Microsoft Ignite
Catch data leaking via Windows, Office 365 and OneDrive. See Code42 Data Loss Protection at Microsoft Ignite in Booth 1141.
With all the scary statistics out there about the growing data security threats in the enterprise world, it’s easy to lose sight of a more optimistic fact: Enterprise data security is getting better — and organizations everywhere are building smarter data loss protection programs. Each year, the Code42 Evolutionary Awards celebrate the smart, innovative and just-plain-cool ways that organizations are protecting their data. This year, we recognized 10 organizations for their extraordinary innovation in data loss protection. Let’s take a look at the 2019 Evolutionary Award winners:
Evolutionary Award: BAYADA Home Health Care
BAYADA Home Health Care won the namesake Evolutionary Award for completely evolving the way their company secures data, protects IP, and enables users. Their data security journey began with safeguarding training videos in the cloud for their mobile workforce, then expanded to protecting data from the threat of lost and stolen laptops. BAYADA’s current project is to ensure that their proprietary and regulated data is secured and monitored for loss and proper usage. “Protecting data is impossible if you don’t have comprehensive visibility into where your data is, and to accomplish this you need the right tools,” says Craig Petrosky, director of Desktop Equipment Services for BAYADA. “That’s why it was critical for us to implement a solution that provides near real-time detection and the ability to respond to cases of data loss, leakage, misuse, or potential exposure.”
Guardian Award: Cisco
Cisco won the Guardian Award for a security team that creatively and effectively fends off an array of threats —from ransomware to malicious insider actors — to protect its valuable data. Cisco has developed countless data protection workflows by using Splunk to develop actionable insights about how data may be infiltrated and exfiltrated from the organization. “In today’s data landscape, it is important to have a solid data collection agent, one that offers insight into where data is, where it’s moving, and where it’s been. A tool that can offer this is an invaluable tool for Insider Threat investigations” says Kevin Currie, investigator CSIRT of Cisco.
Rookie Award: Ironwood Pharmaceuticals
Ironwood Pharmaceuticals won the Rookie Award for an organization that has successfully deployed a new software product within the past year. Deploying new software is never a small feat, Ironwood Pharmaceuticals did so with a de-merger on the horizon, knowing that they would soon have to split their deployment in two. “When our organization was going through the de-merger, we needed a simple and flexible solution to ensure our data is protected,” says Lian Barry, manager, end user support for Ironwood. “We found a solution that has provided constant assurance that our data is protected throughout this period of increased organizational change.
Harmony Award: MacDonald-Miller
MacDonald-Miller won the Harmony Award for striking a balance between data protection and empowering employees to be productive and collaborative in order to deliver results to the company’s bottom line. Two of MacDonald-Miller’s top security priorities are that users never experience downtime from data loss, and that valuable data is not leaving with departing employees. “Our data is our competitive advantage,” said Eddie Anderson, technical business analyst at MacDonald-Miller. “It’s critical for us to protect data from loss, leak and theft, while enabling our employees to collaborate and work at the speed of business.”
Evangelist Award: David Chiang, MACOM
David Chiang, IT system engineer of MACOM, won the Evangelist Award for an individual with expertise in data loss protection who sets industry best practices and actively shares them with peers. Chiang’s passion for software deployment and systems integration began with an intern project and has evolved into deep expertise on protecting data in the midst of a digital transformation. “Digital transformations are exciting, but they can put data at an elevated risk,” says Chiang. “It’s important for organizations to take steps to protect their most important asset — their data — during these times.”
Atlas Award: Proofpoint
Proofpoint won the Atlas Award, honoring an organization for deploying and protecting an expansive global workforce. As the Proofpoint organization grew quickly through M&A, business continuity and user productivity were top priorities set by the CIO. “With help from professional services, we were able to quickly go from nothing to a fully deployed data collection agent that can support our global workforce, ensuring we never experience data loss. We had a very successful deployment and it proved ROI within four months.” says Brock Chapin, systems admin for Proofpoint.
Trailblazer Award: Schneider Electric
Schneider Electric won the Trailblazer Award for improving a critical workflow or process for its organization. The company developed a custom app, used as part of their computer depot service, which collects and recovers data — in order to streamline, expedite and standardize the service. The results: time saved for technicians, reduced end-user downtime and improved user experiences. “As anyone in IT knows, positive user experience is critical to the effectiveness of any technical program. Our custom app not only provides that user experience, but it also lets them get back to work faster through decreased down time,” says Austin Joe, end point solutions senior engineer, enterprise IT of Schneider Electric. “We couldn’t be happier with the results.”
We’re in this together
Join us in giving a virtual round of applause for these successful and innovative organizations. These examples not only represent major achievements for the organizations themselves, but the overall progress of the collective community of enterprise data security professionals. As your security team tackles emerging and evolving data loss challenges, don’t forget that you have a powerful resource in your Code42 peer network. From looking to examples like the customers highlighted here as inspiration or blueprints for your own initiatives, to consulting with other data security professionals to get answers, advice and guidance, we encourage you to leverage this valuable connection to some of the enterprise security world’s best minds and biggest thinkers. While the details differ, we face the same threats, manage the same challenges and share the same goals. We’re in this together.
Learn more about other customer successes in our collection of case studies and videos across different industries and company sizes.
Wherever their sensitive data and IP lives or moves, whether on endpoints, Google Drive or portable hard drives, companies trust us to protect their ideas and most valuable data, and we take that trust seriously. Ensuring their success is our number one mission at Code42.
That’s why it is especially gratifying when we are recognized among the industry’s most innovative and progressive companies for finding new ways to help our customers’ speed their detection and response to insider threats and other data loss and exfiltration events. We are thrilled to announce that in the first half of 2019 our Code42®Next-Gen Data Loss Protection solution has earned a number of industry honors:
Cybersecurity Insiders named Code42 a Gold Winner for Data Leakage Protection and a Silver Winner for Best Cybersecurity Company in the 2019 Cybersecurity Excellence Awards. These awards are produced in partnership with more than 400,000 cybersecurity professionals on LinkedIn to make award selections.
Code42 was twice named a winner in the Cyber Defense Magazine 2019 InfoSec Awards in the categories of Next-Gen Data Loss Prevention and Next-Gen Insider Threat Detection. The Code42 Next-Gen DLP was selected by a panel of security professionals for the honor, which seeks to recognize industry innovators and those poised to become the next generation of industry leaders.
Code42 Next-Gen DLP won the Bronze Stevie® Award in the Endpoint Security Management Solution category as part of the 17thAnnual American Business Awards®. More than 200 professionals worldwide participate in judging the Stevie® Awards.
While we’re proud to make a difference in the businesses of our customers, we also take pride in making Code42 a great place to work for employees.
For the fifth time, Code42 was named one of the Top Workplaces in Minnesota by the Star Tribune, our local Minneapolis newspaper. As a Top Workplace, Code42 joins the ranks of the most progressive companies in Minnesota, based on employee opinions measuring engagement, organizational health and satisfaction.
It’s the dedication and hard work of our employees that enable us to continue to fulfill our customer-first mission. With that said, we want to extend a special thanks to our employees and customers whose passion for what they do has driven us for the last 18 years to become an industry leader in data security.
Since 2005, a staggering 9,033 data breaches have been made public — that averages about 1.77 breaches a day. In the wake of this stream of breaches, a sense of apathy has taken hold, causing both employees and organizations to become numb to their own security risks.
In her latest byline for TechBeacon, Code42 Chief Information Security Officer Jadee Hanson shares the dangers of employees and leadership experiencing breach fatigue and how it leaves an organization open to insider threats, ineffective security strategies and other security vulnerabilities.
Webinar: Policy-Free DLP
Join Code42 CISO Jadee Hanson, to learn how policy-free DLP can work for your organization.
Wow! What a great time we had at Evolution19 in Denver, April 30 to May 2. The event was jam packed with educational sessions, many opportunities to network and meet other customers, hear about product roadmap and what to expect from Code42 in the coming year. Evolution19 attendees heard about this year’s focus on actionable data insights, including new dashboards and alerting, which are coming soon. In addition, customers can expect new data security applications developed on top of the platform to support insider threat workflows, such as departing employees, workforce reductions and more. Be sure to stay up-to-date on product news by joining the Code42customer community and registering for our quarterly product webinars.
Watch Evolution19 highlights.
And now, the Evolution19 Top 5:
5. Seattle Police Department Detective Ian Polhemus and Police Dog Bear: Okay, a dog as a keynote? Yes. We heard Ian talk about security and how Bear locates items you can’t easily see. This visibility message hit home for attendees as they thought about how effectively and quickly they can investigate and remediate data following a breach. If your organization is still challenged to understand the forensics of a breach or attack and recover your data, just think of Code42 as your own personal Bear.
4. Upgrades: Upgrading to a Code42 cloud solution is so easy that one of your peers moved to the cloud while onsite at Evolution19! As you embark on your own digital transformation, an upgrade gives you access to our best security and risk management tools.
It was exciting to see IT teams working hand-in-hand with their partners in Security to develop data protection strategies that really serve their businesses–we had some big teams attend Evolution19 together this year, and they were able to make some key decisions on site.
3. Education and Training: Knowledge is power and you knocked it out of the park at Evolution19! A total of 35 people successfully became certified Code42 Administrators. We offered two certification classes and certified almost 50 admins and help desk staff. More than 90 customers took part in seven educational workshops that were hosted during the event. Five people also took our new Security Specialist exam that was offered as part of the Code42 Next-Gen DLP workshop.
2. The Evolutionaries: We love to honor attendees for demonstrating their strength in security and creating a better workplace for the businesses they serve. This year, there were 30 finalists for the Evolutionaries and 10 winners. Watching the winners dance up onto the stage was a true highlight of this year’s Evolutionaries security industry awards.
1. Networking: We heard all over the conference that the best times were when people had time to connect and learn from other Code42 customers. Whether it was dancing at Lucky Strike, earning cash through questions in sessions, meeting others or petting puppies from the Denver Animal Shelter, this group took advantage of this unique chance to network; it was very fun to watch.
But don’t take our word for it. Here’s what Evolution19 attendees had to say:
“Evolution19 has delivered on its promise. From panel sessions, workshops, product training and certification courses, Code42 has once again shown its commitment to its customers.”
Zerin Dube, Code42 customer and HFF Engineering Director
I debated going this year (since I just attended in 2018). So glad I went! Tons of new, valuable information; I reconnected with peers and colleagues; and saw the best doggone keynote speaker ever!”
David Paul, Code42 customer
“Finishing up an awesome few days here in Denver for Evolution19. Thank you to the Code42 team for putting on such a great event. Lots of fun, learning and connecting. Congrats to MACOMs own David Chiang on his Evangelist award! #thankyou #denver #code42 #macomlife”
Lauren Walsh, Code42 customer
It’s Time to Rethink DLP
See how reframing DLP around protection rather than prevention delivers powerful benefits.
What does McKinsey call one of the largest unsolved issues in cybersecurity today? Insider threat. They noted that a staggering half of all breaches between 2012-2017 had an insider threat component. To make consequential strides in combatting insider threat, the topic must be explored further. Thanks to Verizon’s Threat Research Advisory Center, which produced the Verizon Insider Threat Report, we can take an in-depth look at the role insider threat plays in the broader cyber threat landscape.
The Verizon report draws on statistics from their Data Breach Incident Reports and lessons learned from hundreds of investigations conducted by their internal forensics teams. It highlights the ease with which insiders exfiltrate data, while detection on the other hand often takes far longer.
“ Insider threat should no longer be a taboo subject for internal security teams. Denial has not helped – it has only resulted in time-to-discovery being months-to-years for most inside breaches. ”
A trio of Code42’s leading experts on insider threat shared their reactions to the report. Read on to find out their most compelling takeaways.
Jadee Hanson, CISO and VP Information Systems for Code42 called out:
The top motivations for insider threats include financial gain (48%), which is not surprising. This is followed second by FUN (23%). It’s deeply concerning to think that a colleague would do something detrimental to their own company… just for fun.
Detecting and mitigating inside threats requires a completely different approach than what we (security teams) are used to when it comes to external threats. Insiders are active employees with active access and sometimes the actions these individuals take look completely normal to a security analyst.
Security awareness and education and overall company culture continue to be a very effective way to mitigate the risks of insider threats.
Data theft incidents are driven mostly by employees with little to no technical aptitude or organizational power. Regular users have access to sensitive and monetizable data and unfortunately too often are the ones behind most internal data breaches.
Code42’s Vijay Ramanathan, SVP Product Management, shared these thoughts:
Insider threat should no longer be a taboo subject for internal security teams. Denial has not helped – it has only resulted in time-to-discovery being months-to-years for most inside breaches. This is a massive blind spot for security teams. Also, this is a problem for all sorts of companies. Not just large ones.
The report outlines counter measures that companies should take as part of a comprehensive data security strategy. This is a great starting point. But those measures (outlined on page 7) are nonetheless complex and require skilled staff. This continues to be difficult for many companies, particularly smaller and mid-market organizations, to navigate, especially because of the chronic skills shortage in the security industry.
The “Careless Worker” is called out as one of the harder vectors to protect against. Security teams need to take a proactive, “data hunting” approach to help them understand where data lives and moves, when it leaves the organization, and in what situations data is at risk.
Robust data collection and preservation, along with behavior analytics, are models that can help organizations understand where accidental or deliberate data exposure/exfiltration may be occurring. This need is going to become even more stark in the next 12-36 months as companies come to terms with the reality that current data security tools, technologies and practices (eg. policy management, data classification, user blocking, highly-skilled security staff) are not designed for a much more fluid and unpredictable future.
Mark Wojtasiak, VP Portfolio Marketing highlighted:
Nowhere in the report did Verizon say the goal was to prevent insider threats – the focus was all about detection, investigation and response. Verizon even called out DLP as a monitoring tool, likely to the chagrin of legacy DLP providers.
The single biggest problem relative to insider threat is detecting them in the first place and the length of time it takes to detect one. I argue that most insider breaches go undetected altogether and the number of insider breaches are actually grossly underreported.
Detecting insider threats comes down to how effective a company is in defining, collecting, correlating, analyzing and reporting on insider indicators of compromise. This basically means “machining” a security analyst’s intuition.
Creating insider indicators of compromise is difficult because they rely heavily on what is considered “normal” or “abnormal,” which can vary greatly by company, department, job role, individual and the data itself. It’s a lot of work, so why not just use machine learning to do it?
Once an insider breach is detected and the investigation process starts, it can grow very complex quickly. Oftentimes multiple stakeholders are involved and organizations might hire or outsource digital forensic services, which can be expensive. There has to be a faster, simpler process, especially for small to mid-market companies, which can be devastated by insider threats.
Insider Threat Programs go way beyond the incident response process (detect – investigate – respond – communicate, etc.). Ongoing vulnerability audits and assessments are needed to fine tune the insider indicators of compromise.
I still find it shocking that data classification continues to be a must have – and that employees need to be trained, made aware of and actually take the steps to classify the data they create. Couldn’t it be an indicator of compromise in and of itself if an employee self-classifies data as non-sensitive, then exfiltrates it?
Finally, it is clear that the key to establishing an insider threat program is to start with the data (called “assets” in the report), and then move to people.
The rise of insider threats is a significant threat to every business and one that is often overlooked. While we all would like to think that employees’ intentions are good, we must prepare for malicious (or accidental) actions taken by those from within our organizations. And because up to 80 percent of a company’s value lies in its intellectual property, insiders are in the position to do serious harm to your business. Is your business prepared to minimize the impact of these data threats?
It’s Time to Rethink DLP
See how reframing DLP around protection rather than prevention delivers powerful benefits.
Imagine terabytes of corporate data exposed in the wild by employees sharing publicly available links on the cloud. Sound far fetched? It’s not. According to a recent article from SiliconANGLE, that’s exactly what happened when security researchers uncovered terabytes of data from over 90 companies exposed by employees sharing publicly available links to Box Inc.’s cloud storage platform. And while it’s easy to think that this problem is restricted to Box, it is in fact a problem most cloud services like Dropbox or OneDrive for Business need to address.
“ Cloud security is failing every day due to public file share links – content that users deliberately or accidentally expose to outsiders or to unapproved users within the company. ”
Cloud security is failing every day due to public file share links – content that users deliberately or accidentally expose to outsiders or to unapproved users within the company. This presents significant gaps in cloud security and compliance strategies and raises important questions such as:
What data is going to an employee’s personal cloud?
Who’s making a link public instead of sharing it with specific people?
Are departments or teams using other/non-sanctioned clouds to get their work done?
Are contractors getting more visibility than they should in these clouds?
Compounding the problem, the remedy that most cloud services provide to administrators is to “configure shared link default access” to users. Administrators can configure shared link access so accidental or malicious links can’t be created in the first place, however, there is a clear loss of productivity when users who need the continued collaboration and ability to share are mistakenly denied. This is where IT/security teams need to strike the fine balance between protecting corporate IP and enabling user productivity.
Code42’s approach to DLP doesn’t block users or shut down sharing, giving organizations visibility while there is a free flow of information between partners, customers and users in general. While understanding that a link has gone public in the first place, security protocols should further include:
Identifying files that are going to personal clouds
Understanding who’s sharing links publicly and why
Mitigating instances of non-sanctioned clouds
Gaining visibility into cloud privileges extended to contractors or other third parties
It’s Time to Rethink DLP
See how reframing DLP around protection rather than prevention delivers powerful benefits.
“We’re moving to the cloud.” If you haven’t heard this already, it’s likely you will soon. Moving to the public cloud poses many challenges upfront for businesses today. Primary problems that come to the forefront are security, cost and compliance. Where do businesses even start? How many tools do they need to purchase to fulfill these needs?
After deciding to jump start our own cloud journey, we spun up our first account in AWS and it was immediately apparent that traditional security controls weren’t going to necessarily adapt. Trying to lift and shift firewalls, threat vulnerability management solutions, etc. ran into a multitude of issues including but not limited to networking, AWS IAM roles and permissions and tool integrations. It was clear that tools built for on-premise deployments were no longer cost or technologically effective in AWS and a new solution was needed.
“ It was clear that tools built for on-premise deployments were no longer cost or technologically effective in AWS and a new solution was needed. ”
To remedy these discoveries, we decided to move to a multi-account strategy and automate our resource controls to support increasing consumption and account growth. Our answer to this was Capital One’s Cloud Custodian open source tool because it helps us manage our AWS environments by ensuring the following business needs are met:
Compliance with security policies
AWS tagging requirements
Identifying unused resources for removal/review
Off-hours are enforced to maximize cost reduction
Encryption needs are enforced
AWS Security Groups are not over permissive
And many more…
After identifying a tool that could automate our required controls in multiple accounts, it was time to implement the tool. The rest of this blog will focus on how Cloud Custodian works, how Code42 uses the tool, what kind of policies (with examples) Code42 implemented and resources to help one get started in implementing Cloud Custodian into their own environment.
How Code42 uses Cloud Custodian
Cloud Custodian is an open source tool created by Capital One. You can use it to automatically manage and monitor public cloud resources as defined by user written policies. Cloud Custodian works in AWS, Google Cloud Platform and Azure. We, of course, use it in AWS.
As a flexible “rules engine,” Cloud Custodian allowed us to define rules and remediation efforts into one policy. Cloud Custodian utilizes policies to target cloud resources with specified actions on a scheduled cadence. These policies are written in a simple YAML configuration file that specifies a resource type, resource filters and actions to be taken on specified targets. Once a policy is written, Cloud Custodian can interpret the policy file and deploy it as a Lambda function into an AWS account. Each policy gets its own Lambda function that enforces the user-defined rules on a user-defined cadence. At the time of this writing, Cloud Custodian supports 109 resources, 524 unique actions and 376 unique filters.
As opposed to writing and combining multiple custom scripts that make AWS API calls, retrieving responses, and then executing further actions from the results, the Cloud Custodian simply interprets an easy-to-write policy that then takes into consideration the resources, filters and actions and translates them into the appropriate AWS API calls. These simplifications make this type of work easy and achievable for even non-developers.
“ As a flexible rules engine, Cloud Custodian allowed us to define rules and remediation efforts into one policy. Cloud Custodian utilizes policies to target cloud resources with specified actions on a scheduled cadence. ”
Now that we understand the basic concepts of Cloud Custodian, let’s cover the general implementation. Cloud Custodian policies are written and validated locally. These policies are then deployed by either running Cloud Custodian locally and authenticating to AWS or in our case via CI/CD pipelines. At Code42, we deploy a baseline set of policies to every AWS account as part of the bootstrapping process and then add/remove policies as needed for specific environments. In addition to account specific policies, there are scenarios where a team may need an exemption, as such, we typically allow an “opt-out” tag for some policies. Code42 has policy violations report to a Slack channel via webhook created for each AWS account. In addition, we also distribute the resources.json logs directly into a SIEM for more robust handling/alerting.
Broadly speaking, Code42 has categorized policies into two types – (i) notify only and (ii) action and notify. Notify policies are more hygiene-related and include policies like tag compliance checks, multi-factor authentication checks and more. Action and notify policies are policies that take actions after meeting certain conditions, unless tagged for exemptions. Action and notify policies include policies like s3-global-grants, ec2-off-hours-enforcement and more. The output from the custodian policies are also ingested into a SIEM solution to provide more robust visualization and alerting. This allows the individual account owners to review policy violations and perform the assign remediation actions to their teams. For Code42, these dashboards provide both the security team and account owners the overall health of our security controls and account hygiene. Examples of Code42 policies may be found at GitHub.
What policies did we implement?
There are three primary policy types Code42 deployed; cost-savings, hygiene and security. Since policies can take actions on resources, we learned that it is imperative that the team implementing the policies must collaborate closely with any teams affected by said policies in order to ensure all stakeholders know how to find and react to alerts and can provide proper feedback and adjustments when necessary. Good collaboration with your stakeholders will ultimately drive the level of success you achieve with this tool. Let’s hit on a few specific policies.
Cost Savings Policy – ec2-off-hours-enforcement
EC2 instances are one of AWS’s most commonly used services. EC2 allows a user to deploy cloud compute resources on-demand as necessary, however there are many cases where the compute gets left “on” even when it’s not used, which racks up costs. With Cloud Custodian we’ve allowed teams to define “off-hours” for their compute resources. For example, if I have a machine that only needs to be online 2 hours a day, I can automate the start and stop of that instance on a schedule. This saves 22 hours of compute time per day. As AWS usage increases and expands, these cost savings add up exponentially.
Hygiene Policy – ec2-tag-enforcement
AWS resource tagging is highly recommended in any environment. Tagging allows you to define multiple keys with values on resources that can be used for sorting, tracking, accountability, etc. At Code42, we require a pre-defined set of tags on every resource that supports tagging in every account. Manually enforcing this would be nearly impossible. As such, we utilized a custodian policy to enforce our tagging requirements across the board. This policy performs a series of actions as actions described below.
The policy applies filters to look for all EC2 resources missing the required tags.
When a violation is found, the policy adds a new tag to the resource “marking” it as a violation.
The policy notifies account owners of the violation and that the violating instance will be stopped and terminated after a set time if it is not fixed.
If Cloud Custodian finds tags have been added within 24 hours, it will remove the tag “violation.” If the proper tags are not added after, the policy continues to notify account owners that their instance will be terminated. If not fixed within the specified time period, the instance will terminate and a final notification is sent.
This policy ultimately ensures we have tags that distinguish things like a resource “owner.” An owner tag allows us to identify which team owns a resource and where the deployment code for that resource might exist. With this information, we can drastically reduce investigation/remediation times for misconfigurations or for troubleshooting live issues.
At Code42, we require that all S3 buckets have either KMS or AES-256 encryption enabled. It is important to remember that we have an “opt-out” capability built into these policies so they can be bypassed when necessary and after approval. The bypass is done via a tag that is easy for us to search for and review to ensure bucket scope and drift are managed appropriately.
This policy is relatively straightforward. If the policy sees a “CreateBucket” Cloudtrail event, it checks the bucket for encryption. If no encryption is enabled and an appropriate bypass tag is not found, then the policy will delete the bucket immediately and notify the account owners. It’s likely by this point you’ve heard of a data leak due to a misconfigured S3 bucket. It can be nearly impossible to manually manage a large scale S3 deployment or buckets created by shadow IT. This policy helps account owners learn good security hygiene, and at the same time it ensures our security controls are met automatically without having to search through accounts and buckets by hand. Ultimately, this helps verify that S3 misconfigurations don’t lead to unexpected data leaks.
Just starting out?
Hopefully this blog helped highlight the power of Capital One’s Cloud Custodian and its automation capabilities. The Cloud Custodian policies can be easily learned and written by non-developers, and provides needed security capabilities. Check out the links in the “Resources” section below regarding Capital One’s documentation, as well as examples of some of Code42’s baseline policies that get deployed into every AWS account during our bootstrap process. Note: these policies should be tuned accordingly to your business and environment needs and not all will be applicable to you.
It’s Time to Rethink DLP
See how reframing DLP around protection rather than prevention delivers powerful benefits.
Aakif Shaikh, CISSP, CISA, CEH, CHFI is a senior security analyst at Code42. His responsibilities include cloud security, security consulting, penetration testing and inside threat management. Aakif brings 12+ years of experience into a wide variety of technical domains within information security including information assurance, compliance and risk management. Connect with Aakif Shaikh on LinkedIn.
Byron Enos is a senior security engineer at Code42, focused on cloud security and DevSecOps. Byron has spent the last four years helping develop secure solutions for multiple public and private clouds. Connect with Byron Enos on LinkedIn.