Code42 Forensic File Search: from Endpoints to the Cloud

Code42 Forensic File Search: from Endpoints to the Cloud

Think of your favorite bank heist movie. Ocean’s Eleven, The Italian Job, Die Hard — they all revolve around elaborate schemes to evade and overcome security: guards, metal detectors, badge and lock systems, and the imposing physical safe itself. It happens in real life, too. Thousands of bank robberies are reported to the FBI every year.

Now imagine you’re a bank manager and someone breaks into your safe. What’s one of the first things you’ll do? Look at your security camera footage. These recordings are the fastest and most reliable way to see what happened, who did it and what they took — so you don’t waste another precious minute while the thieves are making their getaway.

“ Now, we’re expanding the powerful investigation capabilities of Code42 Forensic File Search to follow your files into the cloud — starting with Microsoft OneDrive and Google Drive. ”

Code42 Forensic File Search: your cyber security camera

Today, organizations have a wide array of sophisticated cyber security tools designed to prevent and mitigate data loss. But any security pro who is being honest knows it’s a question of when a data breach will happen, not if. When a data loss event occurs, Code42 Forensic File Search is like a security camera for your entire digital environment. With Code42 Forensic File Search, you can “go to the tapes” to see exactly what happened, who was involved, what was taken and where it went. Code42 Forensic File Search is simply the quickest, most effective way to jumpstart your investigation efforts — so you can get your valuable assets back sooner.

Code42 Forensic File Search expands from endpoints to the cloud

We’re constantly looking for new ways to give businesses and security teams greater visibility to their data. We’ve pioneered capabilities that have brought unprecedented visibility to users’ endpoint devices. Now, we’re expanding the powerful investigation capabilities of Code42 Forensic File Search to follow your files into the cloud — starting with Microsoft OneDrive and Google Drive, and adding other leading cloud services platforms, like Box and Slack, in the near future.

Find any file, no matter where it lives — in seconds

As more and more enterprise workflows touch the cloud, there is a growing technology disconnect for security teams. There are tools that give them visibility to data that lives on-premises and on endpoint devices; and there are separate CASB tools that provide visibility to data that lives in cloud accounts. Code42 has bridged that gap by extending Code42 Forensic File Search to cover cloud services. That means you’ll now be able to use the product to easily and instantly search across your entire environment: your users’ endpoint devices and enterprise cloud accounts — whether users are online or offline.

You no longer need to spend weeks sifting through piles of data from multiple tools. Now you have a simple search bar that allows you to “go to the tapes” to find any file, no matter where it lives and moves — in seconds.

Tips from the Trenches: Multi-Tier Logging

Tips From the Trenches: Multi-Tier Logging

Here’s a stat to make your head spin: Gartner says that a medium-sized enterprise creates 20,000 messages of operational data in activity logs every second. That adds up to 500 million messages — more than 150 GB of data — every day. In other words, as security professionals, we all have logs. A lot of logs. So, how do we know if our log collection strategy is effectively meeting our logging requirements? Unfortunately, a one-size-fits-all logging solution doesn’t exist, so many leading security teams have adopted a multi-tier logging approach. There are three steps to implementing a multi-tier logging strategy:

“ A one-size-fits-all logging solution doesn’t exist, so many leading security teams have adopted a multi-tier logging approach. ”

1. Analyze your logging requirements

A multi-tier logging strategy starts with analyzing your logging requirements. Here’s a simple checklist that I’ve used for this:

Who requires access to the organization’s logs?

  • Which teams require access?
  • Is there unnecessary duplication of logs?
  • Can we consolidate logs and logging budgets across departments?

What logging solutions do we currently have in place?

  • What is the current health of our logging systems?
  • Are we receiving all required logs?
  • Have we included all required log source types?
    • Do we need public cloud, private cloud, hybrid cloud and/or SaaS logs?
  • How many events per second (EPS) are we receiving?
  • How much log storage (in gigabytes) are we using now?
  • What are our logs of interest?
    • Create alerts and/or reports to monitor for each.

What time zone strategy will you use for logging? 

  • How many locations are in different time zones across the organization?
  • Will you use a single time zone or multiple time zone logging strategy?

How much storage capacity will be needed for logging for the next 3-5 years?

Do we have a log baseline in place?

  • Where are our logs stored now?
  • Where should they be stored in the future?

Are we collecting logs for troubleshooting, security analysis and/or compliance?

  • What are our compliance requirements?
    • Do we have log storage redundancy requirements?
    • What are our log retention requirements?
    • Do we have log retention requirements defined in official policy?
  • What logs do we really need to keep?
    • Identify those that are useful.
    • Drop those that are not.

2. Digest log information

After all of this information is gathered, it’s time to digest it. It’s important to align your logging infrastructure to log type and retention needs — so you don’t end up inserting a large amount of unstructured data that you will need to be able to quickly search in an SQL database, for example. Most organizations have multiple clouds, many different devices that generate different log types and separate required analysis methods. In other words, one solution usually does not meet all logging needs.

3. Implement multi-tier logging

If, after analyzing your logging requirements, you find that one logging strategy does not meet all of your requirements, consider this tiered logging flow:

Code42 Tiered Logging Flow Example

In this example logging flow, there are three different logging flow types and five different log repositories. There are SIEM logs, application logs and system log flow types. The repositories are the SIEM database, ELK (elasticsearch, logstash and kibana) stack, two long-term syslog archival servers and cloud storage. The repositories each have a unique role:

  • The SIEM correlates logs with known threats.
  • The ELK stack retains approximately 30-60 days of logs for very fast searching capabilities.
  • The two syslog archival servers store the last three to seven years of syslog and application logs for historical and regulatory purposes. One syslog archival server is used for processing logs, the other is a limited-touch, master log repository.
  • Cloud storage also stores the last three to seven years of logs for historical and regulatory purposes.

Simplify your log activity

This is just one quick example of an innovative solution to simplifying log activity. Regardless of whether multi-tier logging is the right solution for your organization, the most critical step is making sure you have a clearly defined logging strategy and an accurate baseline of your current logging state. This basic analysis gives you the understanding and insights you need to simplify log activity — making it easier to accomplish the complex logging goals of your organization.

Using “Honey Files” to Stop Data Exfiltration (Video)

The honeypot is a simple security concept: something so sweet and enticing that the “bad guy” just can’t help but walk right into your trap. In the world of data security, honeypots are typically systems or resources that appear legitimate, but are actually isolated and monitored. Honeypots have been around for almost 30 years, but they’re enjoying a recent resurgence. As security teams increasingly realize that they can’t completely prevent malicious actions, the honeypot gives them a tool to identify who the malicious actors are, how they’re working and what they’re doing.

Creating a “honey file” to track malicious insiders

The honeypot concept is hardest to apply for data exfiltration, insider threat and other events where the malicious actor has authorized access to the network or resource. Fortunately, Code42 Forensic File Search enables a new type of lure: the honey file, a single, attractive (but not actually valuable) file that a security team can use to identify and track malicious insiders. Here’s how a honey file workflow would look:

  1. The security team places a honey file — in this case an Excel file named “employee salary data 2018.xlsx” — in a shared OneDrive account. The security team knows both the file name and MD5 hash.
  2. After a few days or weeks, the security team can log onto the Code42 web console and use Code42 Forensic File Search to execute a simple search for the file’s MD5 hash.
  3. The search results show any traces of the original honey file on any user or host in your environment.
  4. Digging into the search results, the security team can not only see who touched the honey file, but also what that person did with it. For example, if a user copies the honey file, renames it and then deletes the original in an attempt to cover his tracks, every step in this “coverup” is able to be seen through Code42 Forensic File Search.
  5. Using this insight, the security team can quickly take steps to investigate and remediate effectively.

“ Digging into the search results, the security team can not only see who touched the honey file, but also what that person did with it. ”

Watch the video above to see how to create a honey file and track data exfiltration with Code42 Forensic File Search.

The Synergy of SIEM and Code42

I’ve been a user of security information and event management (SIEM) software for over a decade now. I loved it back in 2006, and it’s been incredible to watch SIEM tools evolve into a data security tool category that brings together a powerful community of administrators and a rich ecosystem of vendors, integrators and enhancements that continue to redefine adaptive response.

When I joined Code42, I was pleased to see that the company was already partnering with SIEM providers. Together, we are providing our customers an even more expanded view into the data that is living on their devices.

Code42 + SIEM: We’re both in the business of business resiliency

Code42 has always been a natural complement to SIEM solutions — and vice versa. In fact, to a large extent, Code42 and SIEM software share the same goals:

  • Securing your digital environment and protecting your data.
  • Monitoring activities in your environment and detecting threats —whether it’s an external attack or an insider threat.
  • Ensuring resiliency through rapid incident response and guaranteed recovery.
  • Enabling advanced investigation and forensics.

Or, to put it simply: We both help you prevent bad things from happening to your data and your ideas — and if something bad does happen, we help you see it quickly and recover faster.

“ By integrating directly into your ecosystem and your SIEM, the same data auditing functions you use today can be applied to your Code42 solution. ”

A powerful integration for visualization

As SIEM technology has evolved, Code42’s ability to integrate into SIEM ecosystems has also grown, allowing you to take the comprehensive data collection and data visibility you get from Code42 and feed it into your analytics-driven SIEM tool.

What’s that really mean for you? Code42-specific dashboards within SIEM applications, so you can easily visualize some of the things that matter most, such as:

In other words, you get real-time feedback on how we’re protecting your information and any risks that exist. And by integrating directly into your ecosystem and your SIEM, the same data auditing functions you use today can be applied to your Code42 solution. Your existing alerting and workflow pipeline can drive the Code42 alerts. That means we’ve made it easier for you to get up and running, easier for you to stay secure and faster for you to respond to events.

  • Prioritizing alerts: Leverage your SIEM’s smart monitoring capabilities for an at-a-glance look at your most critical alerts — failed backups, server issues, data exfiltration, etc. — so you can prioritize action.
  • Validating backups: Get a real-time look at how many users, how many devices and how much data are covered by Code42.
  • Monitoring endpoint data storage: See exactly how much data is being stored in each device — so you can see if that number changes drastically or unexpectedly.
  • Classifying endpoint data: Know what kinds of files you’re backing up —how much of your storage is made up of Word docs, emails, Excel files, coding files, etc.

Synergistic visibility

Like any good partnership, this one’s all about synergy. In this case, it’s synergistic visibility (say that five times fast!). Code42 brings deeper visibility to SIEM applications, so the powerful tools can see all the data living on all your devices. And SIEM tools give you an intuitive visualization of Code42 —both how Code42 is protecting your data, and what your users are doing with your data. All that adds up to identifying risks sooner and enabling faster remediation, so you can keep risks from becoming irreparable damage. Together, we’re helping you make smarter, better decisions in less time.

Finding Malware that Prevention Tools Miss (Video)

Hunting for known malware

All security teams have their go-to industry intel sources for brand-new indicators of compromise (IOCs), and like you, we’re continually on the lookout for new threat intel tools to look for the footprints of malicious activity. But once you’ve identified a suspicious file or confirmed a malicious MD5 hash, the challenge for your security team is finding all the hosts in the organization that have the affected files. This kind of visibility is critical for mitigating any potential malware impacts, but it’s also critical to avoid wasting time cleaning uninfected hosts. Without this visibility, organizations are forced to take a “better safe than sorry” approach — and that leads to the frustrating situation where endpoint re-images or remediations are performed without knowing whether devices were actually infected.

A simple search bar changes everything

Security teams deal with questions — big and small — all day long. The simple search bar of Code42 Forensic File Search is a powerful tool for answering some of the most important questions, including, “Does known malware have a foothold in my environment?” But the usefulness of Code42 Forensic File Search isn’t limited to just finding malware. In the Code42 security team, we use Code42 Forensic File Search for malware investigations and monitoring. When our antivirus and EDR tools identify malware threats, we use Code42 Forensic File Search to validate those findings across the environment and dig deeper. After malware has been located on a device and remediated, we continue to monitor files on that device with Code42 Forensic File Search to ensure there are no further signs of infection.

With the ability to instantly search for known malicious MD5 hashes across every host in your environment, you can shave days off investigating and remediating malware events. More importantly, this complete, instant visibility gives you the assurance that you’ve identified and addressed the threat to the full extent.

Happy threat hunting!

Code42 13 Tips for Situational Awareness

Tips From the Trenches: 13 Situational Awareness Questions

A key aspect of responding to security events is situational awareness: knowing what is happening in your environment and why. Standard data security tools like firewalls, proxies, email filters, anti-virus reports and SIEM alerts are all common sources of data for situational awareness. However, it’s also important to have visibility into business operations. Only with a holistic view of your entire organization can you have true situational awareness.

For example, as a software company, writing and deploying software is a significant and complex part of our business operations. Naturally, this work is supported by development, test and staging environments, which are used by our engineers to create and test product features. Security teams need to be aware of all non-production environments in their organizations. Open non-production environments (or environments that re-use credentials between production and non-production systems) can be a vulnerability that attackers can exploit.

“ No matter what business your organization is in, you should know where your important data can be found as well as what activities are normal and what is not normal. ”

Asking questions is the key to knowledge. Here are 13 questions I have used to help paint a full view of internal operations at Code42. They are divided into four separate categories based on major categories of concern for most organizations. I hope they will help you improve your situational awareness and overall data security.

Development Environments:

  1. Where are your development environments?
  2. Do you have the appropriate level of logging in those environments?
  3. How is access handled and are there controls that prevent the reuse of credentials across environments?
  4. Are there forgotten dev environments that need to be cleaned up?

Build Process:

  1. Where is your code built?
  2. Where is your code stored?
  3. If somebody maliciously inserted code into your environment, would you be able to detect who, when and what?
  4. Where are your build/CICD servers?


  1. Do you know what your typical deploy schedule is?
  2. Are you involved in the change management process and other governance bodies so you know when major changes are occurring in your environment?


  1. What systems and environments are going away?
  2. Is there a plan to keep information such as logs from those environments after the environment itself goes away, in accordance with your data retention policies?
  3. Will any infrastructure be reused, and if so, has it been processed properly?

While these questions are specific to software development and deployment, the data security issues they raise are relevant to businesses of all types. No matter what business your organization is in, you should know where your important data can be found as well as what activities are normal and what is not normal. Ensuring that tools are in place to answer these questions is vital.

Here’s one tool I use to answer these questions in our environment: Code42 Forensic File Search. It provides the visibility I need into all activity in our organization. With it, we can quickly and accurately take stock of data movement, data security risks and countless other activities. It makes it easier and faster to know what is happening in our environment and why. It provides the situational awareness that is critical for any modern organization.

Until next time, happy threat hunting!

Finding Rogue Software in Your Organization (Video)

There are many reasons you may want to locate particular software in your organization. Sometimes it’s because you are trying to catch someone doing something malicious, but sometimes it’s because employees are trying to work around processes to get work done. For example, many employees install software that isn’t yet approved by their company’s IT and security teams.

A true story: MacOS version control

Here’s a true story from Code42’s own IT team about MacOS version control. Code42 blocks the installation of the latest version of MacOS on employees’ laptops until it has been fully tested. While we don’t expect to see any security risks in the newest release, we also don’t want employees running unsupported or untested software. Once upgraded, MacOS can’t be reverted back to the older version—so untested installations are hard to correct.

The Code42 IT team knows when an employee figures out a way to circumvent their endpoint management system’s security controls to download the new version of MacOS. They know this because they’re able to locate the installer on employee endpoints with Code42 Forensic File Search.

A simple search, clear results

Many endpoint management systems block file installation based simply on filename. When the installer file is renamed, the program in question can be downloaded and the endpoint management system won’t catch it. However, Code42 Forensic File Search gives you the ability to search by MD5 hash. If you suspect that employees in your organization are downloading a particular program, you can search for the MD5 hash of the program to find everywhere it exists in your organization, even if it has been renamed. Code42 Forensic File Search locates all instances of the file across all endpoints, even on endpoints that are offline.

“ If you suspect that employees in your organization are downloading a particular program, you can search for the MD5 hash of the program to find everywhere it exists in your organization, even if it has been renamed. ”

Human behavior affects everyone

We upgrade all of our Mac users to the latest version of MacOS as quickly as we can. If employees break policy and install MacOS early, we recognize that it’s not out of malice—they just want to have access to the best and most current tools. This is likely the case at your organization as well. As the 2018 Data Exposure Report explains, employees want to work in ways that make them more productive even if that means violating IT policy.

This could be true of anyone in your organization, from the most junior employee to the CEO. In fact, according to the report, 59 percent of CEOs admit to downloading software without knowing whether it is approved by corporate security. Seventy-seven percent of business leaders believe their IT department would view this behavior as a security risk, but they do it anyway. No wonder that the Data Exposure Report also found that 75 percent of CISOs and 74 percent of CEOs believe their security strategies need to change from prevention-only to prevention-and recovery-driven security.

With Code42 Forensic File Search, you have visibility into what’s happening in your organization that your prevention tools don’t see. You’ll never be able to convince 100 percent of your users to follow your IT and security policies, but you can quickly and accurately locate the rogue software they bring into your organization.

Why Local Deduplication Is the Key to Faster Restores

Tips From the Trenches: Hunting Endpoint Threats at Scale

A big part of “walking the talk” about proactive data security here at Code42 is our “Red Team vs. Blue Team” internal simulations. Today, I’d like to share a few ways I’ve used the Code42 Forensic File Search API to give me completely new threat-hunting capabilities during these exercises.

Endpoint devices are still one of the big blind spots for the modern threat hunter. It’s often nearly impossible to search files on endpoints that are offline or were reimaged due to an incident. This is one reason I’m so excited about the Code42 Forensic File Search API: it doesn’t suffer from this limitation; it truly sees every version of every file on all endpoints, whether online or offline. And since we use our backup product, we also have every file that ever existed.

“ Leveraging Code42 Forensic File Search, I’m able to identify potentially unwanted applications that have slipped past antivirus and other traditional security tools. ”

Locating EXE files in download directories

Leveraging Code42 Forensic File Search, I’m able to identify potentially unwanted applications that have slipped past antivirus and other traditional security tools. To find these previously undetected threats, I’m forwarding output from the Code42 Forensic File Search API (hashes) to the VirusTotal Mass API for further enrichment. Here are some of the high-value searches I’ve used within Code42 Forensic File Search, along with the corresponding JSON files for reproducing the searches in your environment:

  • Search all macro-enabled Word documents
  • Search all DLL files in download directories
  • Search all Dylib files
  • Search all DMG files in download directories

Parameters for customizing FFS search results

Once you have your raw JSON results, here are a few parameters I’ve found useful in customizing Code42 Forensic File Search queries:

  • fileName:The fileName parameter can take a wildcard with a file extension at the end to list all DLL files in this example:   {“operator”:”IS”,”term”:”fileName”,”value”:”*.dll”},
  • filePath:Another useful parameter for searches is the filePath parameter, especially when you are searching for filetypes typically found in specific locations. The example below captures the Windows download directory of all users, as well as all paths below the downloads directory — hence the two wildcards: {“operator”:”IS”,”term”:”filePath”,”value”:”c:/users//Downloads/“}

Hash-check best practice

After you have configured your JSON file, the Code42 Forensic File Search search results should look something like this: 

Python ./ –username –search_type raw –in_file ./hunt.json –out_filter md5 | awk ‘!seen[$0]++’ | tr -d ‘”, []’ | sed ‘/^\s*$/d’

With an output that appears below:

Code42 Security Tips from Trenches Hash-check

Piping the results to awk and tr simply removes duplicate MD5 hashes and cleans up the JSON output, so you avoid the cost of submitting the same MD5 hash to a service like VirusTotal multiple times. Once we have the hashed file results, we can search those hashes across any threat intel or data enrichment tool.

One quick note: The public VirusTotal API key is rate-limited to four queries a minute. I would recommend using a private API key, since searching across hundreds of unique hashes can take quite a long time.

Code42 Security Tips from Trenches Hash-check 2

In our case, we leveraged Virustotal-api-hashcheck to give us a user-friendly view of the hashes we’re seeking. There are many VirusTotal API tools on GitHub and you can use whichever one suits your use case.

Finding malicious files—examining your exposure

In my example, while searching for Excel documents, we uncovered one malicious result that ties back to a document lure that contained a zero-day exploit being used in a targeted attack as discovered by icebrg. You can read more about the specifics of the file on their website.

Code42 Security Tips from the Trenches Hash Analysis 3

I then took the VirusTotal results and searched back in FFS to determine the extent of our exposure. Fortunately, the malicious file was only on two researchers’ systems, and we confirmed that they had been using the file for analysis and demonstration purposes.

Code42 Security Tips from Trenches Forensic File Search

Leveraging Code42 Backup + Restore for file analysis

I’ve also leveraged Code42 to recover unknown files for automated (sandbox) or manual analysis. In the previous example, there was one Excel document that VirusTotal didn’t recognize:

Code42 Security Tips from Trenches Backup Restore

Instead of uploading a potentially sensitive file to VirusTotal, I can do initial triage and analysis by recovering the file with the Code42 application and uploading it to my sandbox analysis tool. Below is a screenshot of the XLSM file running in a sandbox:

Code42 Security Tips from Trenches Virus Total

After doing initial triage and analysis, the file looks safe and not sensitive. At this point, the file could be uploaded to VirusTotal or kept private.

I hope this article has given you a few ideas of how you can use the Code42 Forensic File Search tool to gain powerful new threat-hunting capabilities in defending your organization. Since I first began using the tool, I’ve continually discovered new ways to gain greater visibility in detecting threats. I hope you’re as excited as I am about the current and future ways that security teams can leverage Code42 Forensic File Search internally to enhance security at scale.

Happy threat hunting!

Code42 Data Exposure Report: A must-read for security and business decision-makers

Data Exposure – Stockpiling Cryptocurrency? Save Your Money.

For years, organizations have heard the drumbeat of building digital security perimeters to protect their data. And to the best of their ability, they’ve listened to the experts, followed best practices and spent billions on strategies to prevent data losses and breaches.

Unfortunately, that strategy is no longer working and companies know it. In an increasingly complex digital threat landscape, cybercriminals are constantly evolving, waging successful ransomware attacks even on organizations that have well-established breach-prevention profiles. Our recently released Data Exposure Report, which surveyed nearly 1,700 security, IT and business leaders across the U.S., U.K. and Germany, tells this story in stark relief.

Playing defense in an unpredictable threat landscape

I wasn’t surprised to read in the report that 64 percent of CISOs believe their company will have a breach in the next 12 months that will go public. Furthermore, 61 percent say their company has already been breached in the last 18 months. What is surprising to me is the narrow window of time in which these breaches are happening, demonstrating the increasing severity of the threat.

Even more concerning is the growing number of companies that are reacting to ransomware by purchasing cryptocurrency. Nearly three-quarters of the CISOs we surveyed admitted to stockpiling or having stockpiled cryptocurrency in the last 12 months to pay off cybercriminals. Worse yet, 79 percent of them have actually paid ransoms to regain access to their corporate data.

“ Nearly three-quarters of the CISOs we surveyed admitted to stockpiling or having stockpiled cryptocurrency in the last 12 months to pay off cybercriminals. ”

Get hit, get back up

Security and IT leaders estimate that 39 percent of their organization’s data is only held on endpoint devices — making it more difficult to track. As we discussed in our previous blog, “The Risks of Playing Data Hide-and-Seek,” this lack of visibility over endpoint-only data puts valuable company IP at risk — and updating a company security policy will not change the outcome because some employees simply don’t follow the rules.

In business, time is money. This is especially true in the seconds, minutes, days and weeks after a security breach. Yet according to about one-third of security and IT leaders, it would take up to one week to enact their recovery plan.

There is another way

While companies might think that they have no choice but to pay cybercriminals, they do actually have other options. And the overwhelming majority of CISOs agree. Nearly three-quarters (72 percent) reported that their company must improve its breach recovery ability in the next 12 months. And 75 percent stated that their company needs to shift the focus away from prevention-only security to a prevention-and-recovery strategy.

So what does that mean?

Recovery and prevention

From an IT perspective, prevention is only a single facet of a robust security approach. Possessing the capability to find out how a breach occurred — then being able to recover in real time — is the ultimate definition of resilience. With a comprehensive data recovery tool that includes visibility and recovery for endpoints, companies wouldn’t have to a pay a ransom to regain access to their data. They would simply restore their data using their recovery solution.

Code42 can help organizations regain control post-breach. To find out more, click here.

In case you missed them, get the full Code42 Data Exposure Report blog series:

Code42 Data Exposure Report: A must-read for security and business decision-makers

Data Exposure–The Risks of Playing Data Hide-and-Seek

With cybersecurity threats continuing to evolve, even organizations wielding security tools and policies are at risk from a potential breach. In fact, 20 percent of security and IT leaders admit they do not have full visibility to where their data lives and moves—leaving their organizations with a data security blind spot.

According to the findings of our new Data Exposure Report, which surveyed nearly 1,700 security, business and IT leaders, 80 percent of CISOs agree that, “You cannot protect what you cannot see.”

It seems business leaders, on the other hand, are not always aware of the challenges security and IT leaders face to protect data. The overwhelming majority (82 percent) of business leaders believe IT can protect data they cannot see. This disconnect has major implications for data security, as business leaders often determine the budgets that security and IT need to do their jobs.

“ Keeping track of company data is not as straightforward as it may initially seem. Today, it goes beyond simply monitoring traditional sanctioned storage—even in the cloud. ”

Data at risk

With the rise of flexible working practices and the ongoing digitization of information, the importance of data visibility and forensics across employee endpoints cannot be underestimated. In modern enterprises, with data flowing freely in and out of the organization, traditional security perimeters are no longer enough to prevent breaches.

Without the right tools, endpoint data is particularly vulnerable. In fact, 86 percent of security and IT leaders believe saving files outside of company storage—for example on an employee laptop—puts their organization at risk. This is a significant concern considering that 73 percent of security and IT leaders believe that some company data only exists on endpoints. And this is critical data: Security leaders revealed that losing endpoint-only could be business-destroying.

Data hide-and-seek

Keeping track of company data is not as straightforward as it may initially seem. Today, it goes beyond simply monitoring traditional sanctioned storage—even in the cloud.

While business leaders recognize that saving their data outside official storage causes unnecessary risk for their organization, they aren’t going to change their work habits. More than two-thirds (68 percent) of CEOs think there’s a risk to their company if they store data on devices such as laptops without keeping a copy in centralized storage—but they do it anyway.

Security must include recovery

Businesses need a safety net that will allow them to keep track of data stored on endpoints, regardless of employee behavior or communication breakdowns. To minimize risk to valuable IP, companies should have a security strategy that includes not only data recovery in the event of a breach, but also prevention tools to help prevent breaches from happening.

Coming up in the final post in this four-part series, we will explore why companies must shift their security strategy away from prevention-only to a prevention-and-recoverystrategy that effectively deals with an increasingly unpredictable threat landscape. To read the Code42 Data Exposure Report in its entirety, go to

In case you missed them, get part one and two of Code42’s Data Exposure Report blog series.

Facebook Twitter Google LinkedIn YouTube