All security teams have their go-to industry intel sources for brand-new indicators of compromise (IOCs), and like you, we’re continually on the lookout for new threat intel tools to look for the footprints of malicious activity. But once you’ve identified a suspicious file or confirmed a malicious MD5 hash, the challenge for your security team is finding all the hosts in the organization that have the affected files. This kind of visibility is critical for mitigating any potential malware impacts, but it’s also critical to avoid wasting time cleaning uninfected hosts. Without this visibility, organizations are forced to take a “better safe than sorry” approach — and that leads to the frustrating situation where endpoint re-images or remediations are performed without knowing whether devices were actually infected.
A simple search bar changes everything
Security teams deal with questions — big and small — all day long. The simple search bar of Code42 Forensic File Search is a powerful tool for answering some of the most important questions, including, “Does known malware have a foothold in my environment?” But the usefulness of Code42 Forensic File Search isn’t limited to just finding malware. In the Code42 security team, we use Code42 Forensic File Search for malware investigations and monitoring. When our antivirus and EDR tools identify malware threats, we use Code42 Forensic File Search to validate those findings across the environment and dig deeper. After malware has been located on a device and remediated, we continue to monitor files on that device with Code42 Forensic File Search to ensure there are no further signs of infection.
With the ability to instantly search for known malicious MD5 hashes across every host in your environment, you can shave days off investigating and remediating malware events. More importantly, this complete, instant visibility gives you the assurance that you’ve identified and addressed the threat to the full extent.
Every day, your organization faces a variety of data security challenges. Many come from outside your organization, but a significant number also come from within. There are countless reasons why someone may take sensitive data from your organization, many of which are purely opportunistic. For example, what if a file with sensitive financial information is mistakenly emailed to an entire company? That may prove too tempting an opportunity for some. How can your organization respond when this happens? In this post, I’ll discuss how the response process often works today—and how it can be streamlined with Code42 Forensic File Search.
A true story
Here’s a true story of an IT team working through just such a challenge: At this organization, the HR team used Microsoft Excel for management of financial information such as bonus structures and payout schedules. By mistake, a member of the team sent an email containing an Excel file with compensation information for the entire staff to the whole company, instead of the select few who were supposed to receive it. Over 6,000 employees worldwide received the email.
Fortunately, the most sensitive information was contained on a hidden tab in the Excel file, and most employees never even opened the file. The IT team was able to recall the email, but the legal team needed to know who in the company had downloaded and opened it, in case the information within was ever used in a lawsuit. The IT and Security teams were tasked with finding every copy of the file in the organization.
A painful two-month process
While recalling the email cut the number of potential endpoints to search to around 1,000, the IT team still had to search all those devices—many of which belonged to individuals at the organization’s international offices. The IT team used a Windows file searching utility to crawl the user endpoints in question, searching for the name of the file. However, Outlook’s email client can scramble the names of attached files, so the IT team also had to scan for any Excel file in the Temp folder of each machine and open those files to visually confirm that they weren’t the file in question.
Each scan would take between one and eight hours, depending on the size of the drive—and the scan could only be run when the target endpoint was online. If a laptop was closed during the scan, the process would have to be restarted. If a device was located in an international office, the IT team would have to work nights in order to run the scan during that office’s working hours.
The process was a tremendous hit to productivity. The IT team assigned fully half its staff to running the scans. Two of the organization’s five security team members were tasked with overseeing the process. Even the legal team’s productivity was affected. Since the IT team had to open every version of the file to verify the sensitive financial data within, the legal team had to draw up non-disclosure agreements for every person working on the project.
All told, the search for the mistakenly distributed financial file took the organization two months, and the IT team estimated that they had only recovered 80 percent of the instances of the file.
A better way: Code42 Forensic File Search
Fortunately, there is a better method for locating critical files in an organization. With Code42 Forensic File Search, administrators can search and investigate file activity and events across all endpoints in an organization in seconds. In the case of this Excel file, the IT team could have used Code42 Forensic File Search to search for the MD5 hash of the file. By searching for the MD5 instead of the file name, Code42 Forensic File Search would locate all instances of the file across all endpoints, including versions that had been renamed in the Temp folder or renamed to intentionally disguise the file. This single search would find all copies of the file, even on endpoints that are offline.
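The point above is that a content hash finds a file no matter what it has been renamed to. As an added illustration (not Code42’s code and not how Forensic File Search is implemented), here is a single-host Python sweep that matches files by MD5 rather than by name, so a copy Outlook dropped into Temp under a scrambled name is still found; the folder layout, file bytes and hash are constructed inline.

```python
from __future__ import annotations
import hashlib
import os
import tempfile
from pathlib import Path


def file_md5(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through MD5 so large drives are never read into memory at once."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def find_by_hash(root: Path, known_md5s: set[str]) -> list[Path]:
    """Return every file under root whose content hash is in known_md5s, whatever its name."""
    wanted = {h.lower() for h in known_md5s}  # normalise case so pasted hashes still match
    matches: list[Path] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            try:
                if file_md5(p) in wanted:
                    matches.append(p)
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the sweep
    return sorted(matches)


def build_fixture() -> tuple[Path, str]:
    """Constructed sample: a compensation workbook, a renamed copy in Temp, and an unrelated workbook."""
    root = Path(tempfile.mkdtemp(prefix="hash_sweep_demo_"))
    payload = b"PK\x03\x04 constructed sample workbook bytes - bonus schedule"
    (root / "HR").mkdir()
    original = root / "HR" / "Compensation.xlsx"
    original.write_bytes(payload)
    temp = root / "AppData" / "Local" / "Temp"
    temp.mkdir(parents=True)
    (temp / "~WRD00A3.tmp").write_bytes(payload)  # same content, name scrambled by the mail client
    (temp / "Budget.xlsx").write_bytes(b"PK\x03\x04 a different workbook")  # same extension, different content
    return root, file_md5(original)


if __name__ == "__main__":
    root, target_hash = build_fixture()
    for hit in find_by_hash(root, {target_hash}):
        print(hit.relative_to(root))  # both copies are listed; Budget.xlsx is not
```

Swapping hashlib.md5 for hashlib.sha256 is a one-line change if your intel source publishes SHA-256 values instead.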
The feature video demonstrates Code42 Forensic File Search in action. The IT team member who shared this story is confident that it would have played out very differently with Code42 Forensic File Search. “Had we had Code42 Forensic File Search deployed, that project was probably done in a couple hours,” he said. “We would have cut two months to a couple hours.”
Data breaches that compromise critical customer information are the worry that keeps IT people up at night. Unfortunately, what’s considered critical customer information and what you must do to safeguard it has changed dramatically, thanks to GDPR. IT stakeholders at American companies who’ve assumed GDPR does not apply to them may want to take a closer look at what the implications are for U.S.-based companies. GDPR-regulated data can be found in places you might not expect, and the tools you’ve been using to keep track of that data may not provide the visibility you need in case of a breach.
Where does GDPR apply?
First off, don’t think because you’re an American company only doing business in the U.S. that you’re exempt. If you capture any data about an E.U. citizen, like one who stumbles across your website and sends a question through a contact form, you’re on the hook for GDPR.
So where does the data regulated by GDPR live in your organization? The short answer: everywhere your customer data lives and travels within your organization. That doesn’t just mean your CRM system. Employees routinely download and use personal customer information on their endpoint devices, even when company regulations forbid it. You may or may not be surprised to learn that the C-suite is the worst offender at this.
The scope of what is considered “personal information” under GDPR is much broader than you might expect. While most companies already take steps to protect sensitive information like credit card numbers or social security numbers, GDPR takes it much further and could signal a sea change in data collection. Any information that can be used to identify a person, like IP addresses and names, is covered under the regulation, and GDPR extends the definition of sensitive data to any data that could potentially identify a person. So, if you’re capturing it, it’s worth protecting.
What does data encryption protect against?
Many IT directors hit the pillow every night with the misguided confidence that their data encryption will prevent any GDPR-related problems. Unfortunately, that’s not always the case.
Data encryption is a useful tool if your data compromise doesn’t include credentials that unlock the encryption. But if your data is compromised because of stolen credentials, then encryption doesn’t matter. This can happen with stolen laptops, a common occurrence with company-issued employee laptops. It can also happen with malicious employee activity – if employees with valid credentials decide to exfiltrate data, encryption won’t do a thing to stop them.
What happens after a data breach?
Talk about sleepless nights for an IT director. For companies that experience a data breach, the hours and days after discovery are usually a mad scramble to assess what’s been compromised and by whom. The time and money spent to unravel the tangles of compromised data in an organization can add up fast. And GDPR doesn’t give you much time. You have 72 hours after discovery of a breach to notify GDPR authorities if personal information has been affected.
The problem for most companies is that they don’t really know where all their customer data is stored. A lot of it can end up on employee laptops and mobile devices. To truly protect their data assets, companies must have a firm understanding of where all their data travels and lives.
Being able to immediately and clearly locate customer data is critical to surviving a breach of GDPR-regulated data. A strong endpoint visibility tool can provide a quick understanding of all the data that has traversed through an environment—and importantly for GDPR, whether that data contains personal information.
An endpoint visibility tool can also tell you with confidence if compromised data does not include personal information that would fall under GDPR. That would prevent you from unnecessarily alerting the authorities.
Unfortunately, data breaches continue to happen, and there’s no sign of that abating any time soon. When the collection of consumer data is necessary, companies should consider it sensitive and use endpoint visibility tools to protect it.
The GDPR 72-hour reporting requirement has notable similarities to the insane ultra-marathons elite athletes run in the same time period. The 72-hour time limit requires companies to cover ground they’d typically take weeks or even months to traverse—kind of like running more than 300 miles in three days.
With data stored in unexpected places, that 72 hours can get eaten up quickly in trying to sort through where compromised data is stored. But with a robust endpoint visibility tool, which allows a response team to see the content of endpoint data clearly, the GDPR clock doesn’t have to spell doom.
What should you do if you discover a data breach?
Round up your response team. Depending on the size of your business, your data breach response team may include several dedicated personnel in addition to other key company stakeholders, or it may be a few individuals who do this along with their other duties.
Gather key information. Figure out what happened, what was the cause of the breach, and what type of data was compromised. This step is where companies that don’t have an endpoint visibility tool will see precious hours of their GDPR clock tick away as they try to determine what data was compromised. An endpoint visibility tool that provides clarity on the content of data will answer that question with confidence.
What if no personal information was compromised?
If, after using an endpoint visibility tool or another assessment process, you ascertain that no GDPR-regulated data was involved, breathe a sigh of relief. You don’t need to notify the GDPR authorities. You should, however, continue through your plan: clean up the data breach, close the holes that caused it, and notify any impacted customers.
What if GDPR-regulated data was affected?
Then the clock retroactively starts ticking from the moment you first discovered the data breach, and you notify the GDPR authorities. When you alert the regulators, it’s best to have all your ducks in a row. If you can tell the authorities exactly what happened, who was involved and your plan to remediate it, you will be better positioned to resolve the issues. An endpoint visibility tool will provide you with the information necessary to make reporting to the authorities a much smoother step.
What happens after GDPR authorities are alerted?
You continue the process of cleaning up, plugging the holes, and notifying the consumers affected by the breach. So far, the GDPR authorities have only specified that consumer notification happens “without reasonable delay.”
A data breach is always fraught with uncertainties, which is part of why companies typically take a long time to sort through the details and make public statements. With GDPR, companies no longer have the luxury of time, so it’s important to remove as much uncertainty as possible from the situation, to gain clarity quickly. An endpoint visibility tool can help speed up the process and provide confidence in a company’s findings after a breach.
There’s no way around it: the aftermath of a data breach with GDPR-regulated data will feel like a marathon. Having an endpoint visibility tool in place before the breach happens is like cutting that 300 miles down to a much more manageable 26.2 miles. It’s still a race you need to prepare for, but it’s a far more sane and feasible experience.
When we were young, most of us held the belief that what we couldn’t see couldn’t hurt us. We huddled in bed with the covers over our heads so we couldn’t see the monsters in the darkness, and somehow limiting our vision this way helped us feel safe.
As adults, we understand that ignorance isn’t protection, and being unaware of what’s out there doesn’t keep us safer. And yet, too many IT organizations can’t tell you what data lives on their employees’ devices. “Well, that doesn’t matter,” some IT leaders will say. “All of the valuable data in our company is on the network.”
Code42’s CTRL-Z study showed that over 60 percent of corporate data is stored on user endpoints. With the enactment of the General Data Protection Regulation (GDPR) drawing closer every day, turning a blind eye to the data on your employee endpoints could have disastrous results. To protect company assets and meet GDPR compliance standards, organizations need to have a firm understanding of where personal customer data is stored and how it moves through their system. In other words, IT teams need to be able to see where all of their data is created, stored and shared.
GDPR is concerned with the movement of customer personal data, which is broadly defined by the regulation. It’s true that your average employee may not have customer social security numbers on their laptop, but personal information can be anything that might identify an individual, down to phone call metadata. If there’s a one percent chance a piece of data could identify a customer, GDPR requires you to treat it as carefully as you would a credit card number. And like it or not, this type of data does leave your corporate firewalls. Employees take their work home with them all the time; think about the sales rep who brings home background info on a customer to prepare for a big sales pitch.
Your leadership team does this as well. In fact, according to the CTRL-Z report, C-suite executives are the most likely to violate company data security policies. These policies are crucial, but they can’t overcome human nature. You need a data visibility tool to track data no matter where it moves, so if you do get breached, you can account for what information was impacted–and where and how.
Without that kind of data visibility, staying in compliance with GDPR will be a challenge. According to GDPR, companies only have 72 hours to report an incident once it is detected. But if you don’t know where your data lives, you have no way to gauge the impact of a breach. In the event that data is compromised, knowing exactly what has been exposed will make interactions with the regulatory agency much smoother.
It might be tempting to pull a blanket over your head, ignore the data that lives on employee endpoints, and hope for the best. That may have kept you safe from the monster under the bed, but it won’t keep you safe from potential fines for GDPR non-compliance: up to €20 million or four percent of annual revenue, whichever is greater. It’s time to recognize that data protection starts with data visibility.