Finding Malware that Prevention Tools Miss (Video)

Hunting for known malware

All security teams have their go-to industry intel sources for brand-new indicators of compromise (IOCs), and like you, we’re continually on the lookout for new threat intel tools to look for the footprints of malicious activity. But once you’ve identified a suspicious file or confirmed a malicious MD5 hash, the challenge for your security team is finding all the hosts in the organization that have the affected files. This kind of visibility is critical for mitigating any potential malware impacts, but it’s also critical to avoid wasting time cleaning uninfected hosts. Without this visibility, organizations are forced to take a “better safe than sorry” approach — and that leads to the frustrating situation where endpoint re-images or remediations are performed without knowing whether devices were actually infected.

A simple search bar changes everything

Security teams deal with questions — big and small — all day long. The simple search bar of Code42 Forensic File Search is a powerful tool for answering some of the most important questions, including, “Does known malware have a foothold in my environment?” But the usefulness of Code42 Forensic File Search isn’t limited to just finding malware. In the Code42 security team, we use Code42 Forensic File Search for malware investigations and monitoring. When our antivirus and EDR tools identify malware threats, we use Code42 Forensic File Search to validate those findings across the environment and dig deeper. After malware has been located on a device and remediated, we continue to monitor files on that device with Code42 Forensic File Search to ensure there are no further signs of infection.

With the ability to instantly search for known malicious MD5 hashes across every host in your environment, you can shave days off investigating and remediating malware events. More importantly, this complete, instant visibility gives you the assurance that you’ve identified and addressed the threat to the full extent.

Happy threat hunting!


Tips From the Trenches: 13 Situational Awareness Questions

A key aspect of responding to security events is situational awareness: knowing what is happening in your environment and why. Standard data security tools like firewalls, proxies, email filters, anti-virus reports and SIEM alerts are all common sources of data for situational awareness. However, it’s also important to have visibility into business operations. Only with a holistic view of your entire organization can you have true situational awareness.

For example, as a software company, writing and deploying software is a significant and complex part of our business operations. Naturally, this work is supported by development, test and staging environments, which are used by our engineers to create and test product features. Security teams need to be aware of all non-production environments in their organizations. Open non-production environments (or environments that re-use credentials between production and non-production systems) can be a vulnerability that attackers can exploit.

“ No matter what business your organization is in, you should know where your important data can be found as well as what activities are normal and what is not normal. ”

Asking questions is the key to knowledge. Here are 13 questions I have used to help paint a full view of internal operations at Code42. They are divided into four separate categories based on major categories of concern for most organizations. I hope they will help you improve your situational awareness and overall data security.

Development Environments:

  1. Where are your development environments?
  2. Do you have the appropriate level of logging in those environments?
  3. How is access handled and are there controls that prevent the reuse of credentials across environments?
  4. Are there forgotten dev environments that need to be cleaned up?

Build Process:

  1. Where is your code built?
  2. Where is your code stored?
  3. If somebody maliciously inserted code into your environment, would you be able to detect who, when and what?
  4. Where are your build/CI/CD servers?

Deployments:

  1. Do you know what your typical deploy schedule is?
  2. Are you involved in the change management process and other governance bodies so you know when major changes are occurring in your environment?

Decommissioning:

  1. What systems and environments are going away?
  2. Is there a plan to keep information such as logs from those environments after the environment itself goes away, in accordance with your data retention policies?
  3. Will any infrastructure be reused, and if so, has it been processed properly?

While these questions are specific to software development and deployment, the data security issues they raise are relevant to businesses of all types. No matter what business your organization is in, you should know where your important data can be found as well as what activities are normal and what is not normal. Ensuring that tools are in place to answer these questions is vital.

Here’s one tool I use to answer these questions in our environment: Code42 Forensic File Search. It provides the visibility I need into all activity in our organization. With it, we can quickly and accurately take stock of data movement, data security risks and countless other activities. It makes it easier and faster to know what is happening in our environment and why. It provides the situational awareness that is critical for any modern organization.

Until next time, happy threat hunting!

Managing User Authentication in the Cloud

How do you manage user identities and permissions in your organization?

If you’re like 95 percent of enterprise companies, you’re using Microsoft’s Active Directory Domain Services, otherwise known as Active Directory or simply AD. This is the system that allows your employees to use the same username and password to access any domain-bound internal system, and allows your administrators to manage user identities, rights and permissions at scale. Since its introduction in the late ’90s, AD has become the most robust, dominant and ubiquitous directory service utility in the technology world.

Before the advent of the cloud, AD was all most companies needed for identity management and authentication. AD managed the services, tools and data stores employees needed on-premises. To access these services with their AD credentials, employees needed direct local network access via an on-site device or a virtual private network.

Today, cloud-based Software as a Service (SaaS) solutions are replacing on-premises solutions of all kinds, including tools for collaboration and data sharing, office productivity, creative production work and data security.

As companies transition their data security to the cloud, identity management and authentication architectures have to transition, too. It can be difficult for them to keep track of where their AD data lives as it moves between clouds, data centers and endpoints. It can be hard to answer who moved data, what moved, and when, where and how it moved, so determining why can feel next to impossible.

As a long-time data security solutions provider, we’ve worked with hundreds of organizations as they make this journey. From those experiences, we’ve developed a set of recommendations to help you navigate this change to identity management and authentication systems while maintaining your data security and minimizing user hassle.

“ We’ve developed a set of recommendations to help you navigate this change to identity management and authentication systems while maintaining your data security and minimizing user hassle. ”

Identity management in the cloud

There are many benefits to using cloud-based SaaS services, including reduced costs for platform management and increased scalability. Of course, there are also challenges. One of the biggest problems to solve is integrating an existing on-premises AD identity management structure with these external tools. How can you leverage that existing structure so that users can access new SaaS tools with the same login credentials they’re accustomed to?

Single Sign-On

For security reasons, exposing your local AD server to the internet is not recommended. You could set up a lightweight AD server in a network DMZ that syncs with the internal AD domain controller and thus provides authentication for external requests. However, many cloud-based SaaS services don’t support querying AD, so this method could limit the services you can integrate into such a setup.

Enter single sign-on (SSO). Essentially, SSO is an authentication system that allows users to access multiple unrelated systems after just one login, because that initial login gives them an authentication token that’s trusted by those systems. For example, your company may use separate SaaS solutions in the cloud for human resources, training, CRM and project management. SSO allows users to log in to each of these systems through one central portal, because they all trust the SSO identity provider.

SSO solutions are widespread and compatible with the vast majority of cloud-based SaaS technologies because of the near-universal adoption of the Security Assertion Markup Language (SAML). SaaS technologies that use SAML 2.0 can seamlessly integrate with most SSO providers, as the majority “speak the language” of SAML 2.0.

SSO and AD: a bridge to cloud authentication

All of the major SSO identity platforms, such as Okta Identity Cloud, Google Identity Platform, Azure Active Directory and Ping Identity, have a variation on the concept of the “AD Connector” — a tool that synchronizes your AD user data with the SSO Identity provider. With such a tool, your employees use their AD username and password to log into a cloud-based SaaS tool via your SSO provider. AD makes a secure connection to your SSO identity provider but is otherwise safely walled off from the outside world. All your SaaS applications are able to leverage authentication via SSO because of the ubiquity of the SAML 2.0 standard.

Provisioning users

By utilizing a SAML 2.0-compliant SSO identity provider, you can easily solve the “login question.” The next step is to address provisioning. How do you make SaaS tools aware of those users in the first place? How can you organize the users so the permissions and organizational structure you’ve carefully set up in AD is mirrored in your SaaS tools? Finally, how can you automatically deactivate users in a SaaS tool when you deactivate them in AD?

This is where the System for Cross-domain Identity Management (SCIM) comes in. SCIM is an open standard for communicating user attributes, such as group membership, org membership and permissions, between distinct services. For example, SCIM shares user attributes between AD and an SSO identity provider, or between an SSO provider and a SaaS tool.

SCIM 2.0 is a much newer standard than SAML 2.0 and isn’t quite as ubiquitous. Some SSO providers, such as Okta and Google, use SCIM integrations to make provisioning users a snap. However, Google does not have an interface for setting up provisioning rules in a custom app (for example, a SAML 2.0 SaaS tool that you configured yourself without an official Google app). Some SAML 2.0 identity providers, such as Microsoft’s Active Directory Federation Services, do not support SCIM 2.0 at all.

To solve the “SCIM 2.0 isn’t always available” problem, some cloud-based SaaS applications have developed synchronization tools. For example, Code42’s User Directory Sync synchronizes AD user information via direct one-way communication from the customer’s AD server to the SaaS provider. In this example, Code42 still leverages SSO for user authentication, but user provisioning is made possible via a secure one-way sync.
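The provisioning flow described in this section, as an added Python example that is not Code42’s User Directory Sync, nor any SSO vendor’s connector: it maps constructed AD-style records onto SCIM 2.0 User resources, builds the PatchOp that deactivates a user, and plans a one-way AD-to-SaaS reconciliation so that a user disabled (or deleted) in AD is deactivated in the SaaS tool. The schema URNs are SCIM 2.0’s own (RFC 7643/7644); the AD attribute names, the SaaS user snapshot and the endpoint paths are assumptions for illustration.

```python
import json
from typing import Dict, List

# Constructed sample of the records an AD connector would hand to a provisioning job.
# The attribute names mirror common AD attributes (assumption; not any vendor's schema).
AD_USERS = [
    {"sAMAccountName": "alice", "mail": "alice@example.com", "givenName": "Alice",
     "sn": "Adams", "enabled": True,
     "memberOf": ["CN=Engineering,OU=Groups,DC=example,DC=com"]},
    {"sAMAccountName": "bob", "mail": "bob@example.com", "givenName": "Bob",
     "sn": "Baker", "enabled": False,          # disabled in AD: must be deactivated downstream
     "memberOf": ["CN=Finance,OU=Groups,DC=example,DC=com"]},
    {"sAMAccountName": "carol", "mail": "carol@example.com", "givenName": "Carol",
     "sn": "Cruz", "enabled": True, "memberOf": []},   # not yet present in the SaaS tool
]

# Constructed snapshot of the SaaS tool's current users, keyed by SCIM userName.
SAAS_USERS = {
    "alice@example.com": {"id": "1001", "active": True},
    "bob@example.com": {"id": "1002", "active": True},
    "dave@example.com": {"id": "1003", "active": True},   # no longer exists in AD at all
}

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def group_cn(dn: str) -> str:
    """Take the CN out of an LDAP DN: 'CN=Engineering,OU=Groups,...' -> 'Engineering'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def ad_to_scim_user(rec: Dict) -> Dict:
    """Map one AD record onto a SCIM 2.0 User resource (core schema attributes only)."""
    return {
        "schemas": [SCIM_USER],
        "userName": rec["mail"].lower(),
        "name": {"givenName": rec["givenName"], "familyName": rec["sn"]},
        "emails": [{"value": rec["mail"].lower(), "primary": True}],
        "active": bool(rec["enabled"]),
        "groups": [{"display": group_cn(dn)} for dn in rec["memberOf"]],
    }


def deactivate_patch() -> Dict:
    """SCIM 2.0 PatchOp body that flips a user to inactive; sent as PATCH /Users/{id}."""
    return {"schemas": [SCIM_PATCH],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


def plan_sync(ad_users: List[Dict], saas_users: Dict[str, Dict]) -> Dict[str, List]:
    """One-way AD -> SaaS reconciliation. AD is the source of truth: users missing from
    the SaaS tool are created, users disabled or deleted in AD are deactivated (never
    deleted, so their audit history survives). Returns the HTTP calls the sync would make."""
    plan: Dict[str, List] = {"create": [], "deactivate": [], "unchanged": []}
    wanted = {u["userName"]: u for u in (ad_to_scim_user(r) for r in ad_users)}
    for name, scim in wanted.items():
        existing = saas_users.get(name)
        if existing is None:
            if scim["active"]:
                plan["create"].append(("POST /Users", scim))
        elif existing["active"] and not scim["active"]:
            plan["deactivate"].append((f"PATCH /Users/{existing['id']}", deactivate_patch()))
        else:
            plan["unchanged"].append(name)
    for name, existing in saas_users.items():
        if name not in wanted and existing["active"]:   # orphan: gone from AD entirely
            plan["deactivate"].append((f"PATCH /Users/{existing['id']}", deactivate_patch()))
    return plan


if __name__ == "__main__":
    for action, items in plan_sync(AD_USERS, SAAS_USERS).items():
        for item in items:
            print(action, json.dumps(item))
```

Deactivating rather than deleting is the deliberate choice here: a deactivated SaaS account keeps its ownership and audit trail, which is what an investigator needs when the question later becomes who had access to what.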

Embrace the cloud era

The SSO market is fairly crowded, with behemoths like Microsoft and Google going head to head with startups like Okta that focus exclusively on SSO. The fact that these services all speak the same language and endeavor to solve the same problem — leveraging your existing identity management system for cloud authentication — means that tackling this problem has never been easier. The plethora of secure, robust SSO providers makes it easy to transition from your on-prem past to a future in the cloud. With this problem solved, you’ll have time to focus on the other complexities of digital transformation to the cloud, like gaining visibility into where all of your data is created, stored and shared.

Better EDR and Threat Intel with Code42

The bright lights of Las Vegas are still flashing in my eyes after Black Hat 2018, and I observed a distinct trend: Data security technology vendors increasingly align themselves in one of two categories: threat intelligence or endpoint detection and response (EDR). The most common question I got at Black Hat 2018 was, “How does Code42 fit?” My answer is, quite simply, “Extremely well.”

Threat intelligence and EDR — where Code42 fits

It was easy to tell if you were at a threat intel or EDR vendor booth at Black Hat 2018:

  • The threat intelligence vendors wanted to talk to you about their orchestration framework, how many data feeds they pull in and their glitzy dashboards.
  • The EDR vendors showed you how easy it is to install their endpoint agent — and told you how they’ll alert your security team every time a hoodie-clad hacker in a basement runs exploits on your endpoints.

Code42 provides separate, complementary value to both threat intelligence and EDR solutions by applying a unique, historical file content and context perspective — as opposed to an action- or event-oriented perspective. Here’s why the combination of Code42 and threat intelligence and/or EDR is so powerful:

“ Code42 provides separate, complementary value to both threat intelligence and EDR solutions by applying a unique, historical file content and context perspective. ”

Code42 + threat intelligence

Let’s say your journey starts with a threat intelligence solution. You get an alert that a DNS request was initiated from a transient address in your Wi-Fi network to a newly registered domain or domain associated with known malware. How can you act on this alert?

Well, the threat intel report describes the domain in question as associated with a fake ad-blocker Chrome extension. That report also gives you the file name of the Chrome extension. You can then leverage Code42 Forensic File Search to search for that filename. In less than a second, you can build a unique list of all endpoints in your environment that have this undesirable Chrome extension. You can even sort these results and quickly find the first users to “fall” for the malware trick and give them additional training to help avoid this type of fire drill in the future.

Code42 + EDR

Imagine that an EDR solution sends an alert triggered by a maliciously crafted PDF document found on an endpoint. This suspicious file ran some arbitrary and potentially unknown code at an elevated privilege level. How would your organization react?

First, you may want to see who else has this same document. Using Code42 Forensic File Search, you could look for the checksum or filename of that questionable PDF. In less than a second, you have a complete list of your affected devices and users — whether they are online or not and without impact to the user’s machine or the network.

Now let’s say you want to examine the suspicious file — but the malicious payload deleted the PDF after execution. With Code42’s Backup + Restore product, you could pull an archived copy and hand it to forensic investigators.

Providing deeper visibility and context

Threat intel and EDR solutions focus on identifying malicious activity or abnormal application behaviors on an endpoint. They’re really good at detecting things like a process attempting a privilege escalation or scanning memory to pilfer credentials. Alerts to these activities are valuable, but they give only one dimension of insight into a complex problem. Code42 is focused on a much bigger picture — providing comprehensive visibility into every action, movement and revision of every file — while simultaneously securing and preserving valuable digital assets. And our powerful search capability cuts through the noise to give you exactly the information you need without overwhelming you with data.

Our unique approach to providing visibility and ensuring availability means Code42 doesn’t fit neatly into a category created by industry analysts. But that doesn’t diminish its value. Rather, it affirms that the value of Code42 cuts across the entire data security stack, regardless of what you do, or what tools or vendors you may already be working with. In fact, Code42 Forensic File Search, coupled with Code42 Backup + Restore, provides a comprehensive, contextually rich and easily searchable service. Combined, they complement not only threat intel and EDR, but almost any other data security solution, providing clear, direct and authoritative results.

Finding Rogue Software in Your Organization (Video)

There are many reasons you may want to locate particular software in your organization. Sometimes it’s because you are trying to catch someone doing something malicious, but sometimes it’s because employees are trying to work around processes to get work done. For example, many employees install software that isn’t yet approved by their company’s IT and security teams.

A true story: MacOS version control

Here’s a true story from Code42’s own IT team about MacOS version control. Code42 blocks the installation of the latest version of MacOS on employees’ laptops until it has been fully tested. While we don’t expect to see any security risks in the newest release, we also don’t want employees running unsupported or untested software. Once upgraded, MacOS can’t be reverted back to the older version—so untested installations are hard to correct.

The Code42 IT team knows when an employee figures out a way to circumvent their endpoint management system’s security controls to download the new version of MacOS. They know this because they’re able to locate the installer on employee endpoints with Code42 Forensic File Search.

A simple search, clear results

Many endpoint management systems block file installation based simply on filename. When the installer file is renamed, the program in question can be downloaded and the endpoint management system won’t catch it. However, Code42 Forensic File Search gives you the ability to search by MD5 hash. If you suspect that employees in your organization are downloading a particular program, you can search for the MD5 hash of the program to find everywhere it exists in your organization, even if it has been renamed. Code42 Forensic File Search locates all instances of the file across all endpoints, even on endpoints that are offline.
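Both the known-malware hunt in the first post above and the renamed-installer case here come down to the same check: match files by content hash, not by name. The following Python is an added example, not Code42 Forensic File Search or any Code42 code, that sweeps a directory tree, hashes every file in streaming fashion and reports any whose MD5 is on a watchlist. The tree and the watchlist are constructed inside the block; the file names, bytes and label are placeholders, not real installer hashes.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def file_hashes(path: str, chunk: int = 1 << 16) -> Tuple[str, str]:
    """Return (md5, sha256) of a file, read in chunks so large installers stay off the heap."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def find_by_hash(root: str, known_md5: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Walk `root` and report every file whose MD5 is in `known_md5`, whatever its name.
    Returns sorted (path, md5, label) tuples; unreadable files are skipped, not fatal."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                md5, _ = file_hashes(path)
            except OSError:
                continue
            if md5 in known_md5:
                hits.append((path, md5, known_md5[md5]))
    return sorted(hits)


def build_demo_tree() -> Tuple[str, Dict[str, str]]:
    """Constructed sample: one 'installer' saved under its own name and again under an
    innocuous name, plus an unrelated file. Filename-based blocking would miss the copy."""
    root = tempfile.mkdtemp()
    installer = b"CONSTRUCTED-SAMPLE-INSTALLER-BYTES\n" * 100
    os.makedirs(os.path.join(root, "Downloads"))
    os.makedirs(os.path.join(root, "Documents"))
    with open(os.path.join(root, "Downloads", "Install macOS.app.dmg"), "wb") as f:
        f.write(installer)
    with open(os.path.join(root, "Documents", "quarterly_notes.txt"), "wb") as f:
        f.write(installer)          # same bytes, different name
    with open(os.path.join(root, "Documents", "real_notes.txt"), "wb") as f:
        f.write(b"nothing to see here\n")
    watchlist = {hashlib.md5(installer).hexdigest(): "blocked-installer (constructed label)"}
    return root, watchlist


if __name__ == "__main__":
    root, watchlist = build_demo_tree()
    for path, md5, label in find_by_hash(root, watchlist):
        print(f"{label}: {md5} {os.path.relpath(path, root)}")
```

The function computes SHA-256 alongside MD5 on purpose: MD5 is fine for locating a file you already know, but when you publish a watchlist entry or share it with other teams, record the SHA-256 as well so the match does not depend on a hash that collides cheaply.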

“ If you suspect that employees in your organization are downloading a particular program, you can search for the MD5 hash of the program to find everywhere it exists in your organization, even if it has been renamed. ”

Human behavior affects everyone

We upgrade all of our Mac users to the latest version of MacOS as quickly as we can. If employees break policy and install MacOS early, we recognize that it’s not out of malice—they just want to have access to the best and most current tools. This is likely the case at your organization as well. As the 2018 Data Exposure Report explains, employees want to work in ways that make them more productive even if that means violating IT policy.

This could be true of anyone in your organization, from the most junior employee to the CEO. In fact, according to the report, 59 percent of CEOs admit to downloading software without knowing whether it is approved by corporate security. Seventy-seven percent of business leaders believe their IT department would view this behavior as a security risk, but they do it anyway. No wonder that the Data Exposure Report also found that 75 percent of CISOs and 74 percent of CEOs believe their security strategies need to change from prevention-only to prevention-and-recovery-driven security.

With Code42 Forensic File Search, you have visibility into what’s happening in your organization that your prevention tools don’t see. You’ll never be able to convince 100 percent of your users to follow your IT and security policies, but you can quickly and accurately locate the rogue software they bring into your organization.


Tips From the Trenches: Hunting Endpoint Threats at Scale

A big part of “walking the talk” about proactive data security here at Code42 is our “Red Team vs. Blue Team” internal simulations. Today, I’d like to share a few ways I’ve used the Code42 Forensic File Search API to give me completely new threat-hunting capabilities during these exercises.

Endpoint devices are still one of the big blind spots for the modern threat hunter. It’s often nearly impossible to search files on endpoints that are offline or were reimaged due to an incident. This is one reason I’m so excited about the Code42 Forensic File Search API: it doesn’t suffer from this limitation; it truly sees every version of every file on all endpoints, whether online or offline. And since we use our backup product, we also have every file that ever existed.

“ Leveraging Code42 Forensic File Search, I’m able to identify potentially unwanted applications that have slipped past antivirus and other traditional security tools. ”

Locating EXE files in download directories

Leveraging Code42 Forensic File Search, I’m able to identify potentially unwanted applications that have slipped past antivirus and other traditional security tools. To find these previously undetected threats, I’m forwarding output from the Code42 Forensic File Search API (hashes) to the VirusTotal Mass API for further enrichment. Here are some of the high-value searches I’ve used within Code42 Forensic File Search, along with the corresponding JSON files for reproducing the searches in your environment:

  • Search all macro-enabled Word documents
  • Search all DLL files in download directories
  • Search all Dylib files
  • Search all DMG files in download directories

Parameters for customizing FFS search results

Once you have your raw JSON results, here are a few parameters I’ve found useful in customizing Code42 Forensic File Search queries:

  • fileName: The fileName parameter can take a wildcard with a file extension at the end; this example lists all DLL files:
    {"operator":"IS","term":"fileName","value":"*.dll"},
  • filePath: Another useful parameter for searches is the filePath parameter, especially when you are searching for file types typically found in specific locations. The example below captures the Windows download directory of all users, as well as all paths below the Downloads directory — hence the two wildcards:
    {"operator":"IS","term":"filePath","value":"c:/users/*/Downloads/*"}

Hash-check best practice

After you have configured your JSON file, the command that runs the search and cleans up its output looks something like this:

python ./ffs_search.py --username --search_type raw --in_file ./hunt.json --out_filter md5 | awk '!seen[$0]++' | tr -d '", []' | sed '/^\s*$/d'

With an output that appears below:

[Screenshot: Code42 Security Tips from the Trenches, hash-check output]

Piping the results through awk, tr and sed simply removes duplicate MD5 hashes and strips the JSON punctuation and blank lines, so you avoid the cost of submitting the same MD5 hash to a service like VirusTotal multiple times. Once we have the hashed file results, we can search those hashes across any threat intel or data enrichment tool.

One quick note: The public VirusTotal API key is rate-limited to four queries a minute. I would recommend using a private API key, since searching across hundreds of unique hashes can take quite a long time.
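The three steps above (building the filter JSON, deduplicating the MD5 output, and budgeting lookups against a rate-limited key) as one added Python example. This is not Code42’s ffs_search.py, the FFS API client, or any VirusTotal tool; the outer query envelope, the `md5` field name in the result sample and the result sample itself are assumptions constructed for illustration, while the filter-clause shape and the four-per-minute public-key limit are taken from the post.

```python
import json
import re
from typing import Dict, List

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def filter_clause(term: str, value: str, operator: str = "IS") -> Dict:
    """One Forensic File Search filter clause in the shape shown in the post."""
    return {"operator": operator, "term": term, "value": value}


def downloads_search(extension: str) -> Dict:
    """Query for one file type under every user's Windows Downloads tree.
    The outer {"filters": [...]} envelope is an assumption for illustration;
    only the clause shape comes from the post."""
    return {"filters": [
        filter_clause("fileName", f"*.{extension}"),
        filter_clause("filePath", "c:/users/*/Downloads/*"),
    ]}


# Constructed sample of raw search output: a JSON list of hits. The "md5" field name
# is assumed; duplicates, a blank value and mixed case are included on purpose.
RAW_RESULTS = json.dumps([
    {"fileName": "a.dll", "md5": "0cc175b9c0f1b6a831c399e269772661"},
    {"fileName": "b.dll", "md5": "92eb5ffee6ae2fec3ad71c777531578f"},
    {"fileName": "a_copy.dll", "md5": "0cc175b9c0f1b6a831c399e269772661"},
    {"fileName": "c.dll", "md5": ""},
    {"fileName": "B.DLL", "md5": "92EB5FFEE6AE2FEC3AD71C777531578F"},
    {"fileName": "d.dll", "md5": "4a8a08f09d37b73795649038408b5f33"},
])


def unique_md5(raw_json: str, field: str = "md5") -> List[str]:
    """What the awk/tr/sed pipeline does, plus validation: keep each well-formed MD5
    once, in first-seen order, lower-cased so 'ABC' and 'abc' don't cost two lookups."""
    seen, out = set(), []
    for hit in json.loads(raw_json):
        h = str(hit.get(field) or "").strip().lower()
        if MD5_RE.match(h) and h not in seen:
            seen.add(h)
            out.append(h)
    return out


def vt_batches(hashes: List[str], per_minute: int = 4) -> List[List[str]]:
    """Chunk hashes to a rate limit; a public VirusTotal key allows four lookups a
    minute, so each batch here is one minute of work."""
    return [hashes[i:i + per_minute] for i in range(0, len(hashes), per_minute)]


def estimated_minutes(count: int, per_minute: int = 4) -> int:
    """Ceiling division: minutes needed to look up `count` hashes at `per_minute`."""
    return -(-count // per_minute)


if __name__ == "__main__":
    print(json.dumps(downloads_search("dll")))
    hashes = unique_md5(RAW_RESULTS)
    print(len(hashes), "unique hashes; about", estimated_minutes(len(hashes)),
          "minute(s) on a public key")
    for minute, batch in enumerate(vt_batches(hashes), start=1):
        print(f"minute {minute}: {batch}")
```

Run `estimated_minutes` over your deduplicated list before you start: a few hundred unique hashes is an hour or more on a public key, which is the practical reason for the private-key recommendation above.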

[Screenshot: Code42 Security Tips from the Trenches, hash-check results]

In our case, we leveraged Virustotal-api-hashcheck to give us a user-friendly view of the hashes we’re seeking. There are many VirusTotal API tools on GitHub and you can use whichever one suits your use case.

Finding malicious files—examining your exposure

In my example, while searching for Excel documents, we uncovered one malicious result that ties back to a document lure that contained a zero-day exploit being used in a targeted attack as discovered by icebrg. You can read more about the specifics of the file on their website.

[Screenshot: Code42 Security Tips from the Trenches, VirusTotal hash analysis]

I then took the VirusTotal results and searched back in FFS to determine the extent of our exposure. Fortunately, the malicious file was only on two researchers’ systems, and we confirmed that they had been using the file for analysis and demonstration purposes.

[Screenshot: Code42 Security Tips from the Trenches, Forensic File Search exposure results]

Leveraging Code42 Backup + Restore for file analysis

I’ve also leveraged Code42 to recover unknown files for automated (sandbox) or manual analysis. In the previous example, there was one Excel document that VirusTotal didn’t recognize:

[Screenshot: Code42 Security Tips from the Trenches, Backup + Restore file recovery]

Instead of uploading a potentially sensitive file to VirusTotal, I can do initial triage and analysis by recovering the file with the Code42 application and uploading it to my sandbox analysis tool. Below is a screenshot of the XLSM file running in a sandbox:

[Screenshot: Code42 Security Tips from the Trenches, XLSM file running in a sandbox]

After doing initial triage and analysis, the file looks safe and not sensitive. At this point, the file could be uploaded to VirusTotal or kept private.

I hope this article has given you a few ideas of how you can use the Code42 Forensic File Search tool to gain powerful new threat-hunting capabilities in defending your organization. Since I first began using the tool, I’ve continually discovered new ways to gain greater visibility in detecting threats. I hope you’re as excited as I am about the current and future ways that security teams can leverage Code42 Forensic File Search internally to enhance security at scale.

Happy threat hunting!

Cure for the Windows 10 Migration Migraine

Keep precious data safe during an enterprise-wide OS upgrade

One-to-one device migrations, when an IT worker spends hours migrating a device to the Windows 10 platform, aren’t fun for anyone. They drain IT’s time and money and render workers idle as they wait for their devices. More importantly, they put the company at risk for data loss.

Gartner estimates that enterprises using one-to-one migration processes for Windows 10 upgrades could spend up to $445 per device. For a large organization with 2,500 employees, that can add up to more than $1.1 million. And that’s not even counting the loss of productivity as workers wait to get their devices back from IT. Some remote employees may even need to ship their device back to headquarters for the migration, adding additional time and cost.

With 2018 shaping up to be a peak year for Windows 10 migration, how can companies avoid the cost and disruption of a large-scale institutional operating system upgrade? And how can they protect valuable company IP while doing it?

“ By using Code42’s migration solution, companies can save time and money while allowing users to control their experience. ”

Faster, easier, safer

Luckily, savvy companies are turning to user-driven migration for Windows 10. By using tools such as Code42, these organizations are making migrations more scalable and repeatable, cutting costs while keeping their data safe. Using Code42’s migration solution speeds the Windows 10 migration from three hours to 30 minutes on average.

Code42 recommends two different Windows 10 migration processes for companies, based on their needs:

  • Classroom-style migration. For organizations not ready to give up full control to users, this one-to-many process can provide a good interim step on the journey to automation. As its name suggests, in this process, IT hosts events during which multiple users bring their devices and perform the migration themselves, with IT walking them through the process. As in any classroom, if a single user has a specific issue come up during the session, the IT “teacher” can provide some one-to-one guidance while the other users are self-migrating.
  • User-driven migration. Organizations can largely eliminate IT involvement in the Windows 10 migration—the dream of many IT teams—by implementing a fully user-driven process. Using Code42’s migration solution, users simply follow instructions and get in touch with IT only when a specific issue comes up. This approach can speed migrations by 75 percent and leave IT more time to focus on critical issues. Users also benefit by remaining in control of their data and making the migration when it’s convenient for their schedules.

A migration tool that works

To make either of these options work requires the right tool: a simple, intuitive, user-friendly system. Code42 provides this through:

  • Automatic, continuous endpoint backup. Any backup solution that requires manual user activity is doomed to fail because not all users will follow the protocol. Implementing Code42 lays the foundation for a successful migration to Windows 10 because we back up every version of every file, every 15 minutes. No matter how reliable—or not—users are, their endpoint data will be safe.
  • Clear, simple instructions for users. Organizations typically have users who run the gamut of comfort with technology. Code42’s system is powerful enough to facilitate a complex migration like one from Windows 7 to Windows 10, but easy enough for even the least technically savvy employee to walk themselves through the process.
  • Access to data during migration. For certain high-profile users, not being able to access their data for even an hour during migration is unacceptable. Code42 makes it easy for users to access their most recently used files while the other files are migrating.
  • Migration of profiles and device settings. After the Windows 10 migration, users will be up and running more quickly if their device looks, feels and performs as it did before the migration. Code42 migrates device settings so users don’t have to spend precious time doing it themselves.

From dreaded to done

IT teams and users often dread the process and aftermath of an operating system upgrade. By using Code42’s migration solution, companies can save time and money while allowing users to control their experience. More critically, Code42 ensures the security of valuable endpoint data during the Windows 10 migration. IT can focus on more mission-critical tasks and users can continue doing their jobs.


Code42 is Committed to Diversity and Inclusion

What makes a company a great place to work? In our diverse world, having engaged and empowered employees requires more than just good pay and benefits. At Code42, we believe that employee satisfaction is enhanced when we go beyond just business goals, truly listen to who people are and make concrete efforts to include them. This is why we launched Belong at Code42, a team dedicated to creating a culture of inclusivity within the company.

Belong at Code42

Belong at Code42 is a group of 14 people from across all departments, skill levels, backgrounds and identities. The team comes together regularly to help the company fulfill three key goals for our employees: ensuring everyone is a resource, everyone has a place, and everyone thrives at Code42.

“We’re focused on the current state of diversity and inclusion in the company, how we hope to see things change, and what we can do to affect that change,” said Derek Sung, Code42 committee member and senior designer. “Our goal is to help employees feel like they can be their authentic self at work. It feels good to be a part of this, because it doesn’t feel like it’s just an HR exercise.”

“Previous companies I’ve worked at didn’t have much interest in inclusion,” said Code42 committee member and senior talent acquisition business partner, Heidi Daumen. “But focusing on diversity and inclusion is such a big part of building a culture. As a group, we work hard to develop goals that are actionable and measurable. It’s very hard to get 14 people in a room and not have it turn into strictly philosophical conversations. But we are doing it.”

Putting focus on inclusion

In its first six months, Belong at Code42 has taken concrete steps to make the company more inclusive for everyone, including hosting outside speakers and panel discussions, and delivering training for Code42 employees on a variety of diversity and inclusion topics. The employee handbook has been rewritten with more inclusive language to make employees of all backgrounds feel welcome. Code42 has signed both the Minnesota Technology Diversity Pledge and the National Tech Inclusion Pledge.

These positive steps have been noticed by the Code42 workforce as a whole. “People are really happy that this is happening,” said Daumen. “This is an environment that is very open to what we’re doing. Making sure that everyone feels comfortable and welcome when they come to work is only going to make the company better for all.”

One outward sign of success: Code42 was recently named one of Minnesota’s Top 150 Workplaces for 2018 by the Star Tribune. Of course, we don’t work to achieve an inclusive culture simply to win awards. We firmly believe that creating and maintaining an environment that supports authenticity and celebrates what makes us different ultimately benefits our customers. We have a big job here at Code42. The customers we support, the ideas we protect and the trust we maintain with our customers is the backbone of our company. When employees are happy and comfortable at work, they can better focus on meeting the needs of our customers. We all do our best work when we’re in a place where we feel like we truly belong.

For information about careers at Code42, visit code42.com/careers.

Code42 Data Exposure Report: A must-read for security and business decision-makers

Data Exposure – Stockpiling Cryptocurrency? Save Your Money.

For years, organizations have heard the drumbeat of building digital security perimeters to protect their data. And to the best of their ability, they’ve listened to the experts, followed best practices and spent billions on strategies to prevent data losses and breaches.

Unfortunately, that strategy is no longer working and companies know it. In an increasingly complex digital threat landscape, cybercriminals are constantly evolving, waging successful ransomware attacks even on organizations that have well-established breach-prevention profiles. Our recently released Data Exposure Report, which surveyed nearly 1,700 security, IT and business leaders across the U.S., U.K. and Germany, tells this story in stark relief.

Playing defense in an unpredictable threat landscape

I wasn’t surprised to read in the report that 64 percent of CISOs believe their company will have a breach in the next 12 months that will go public. Furthermore, 61 percent say their company has already been breached in the last 18 months. What is surprising to me is the narrow window of time in which these breaches are happening, demonstrating the increasing severity of the threat.

Even more concerning is the growing number of companies that are reacting to ransomware by purchasing cryptocurrency. Nearly three-quarters of the CISOs we surveyed admitted to stockpiling or having stockpiled cryptocurrency in the last 12 months to pay off cybercriminals. Worse yet, 79 percent of them have actually paid ransoms to regain access to their corporate data.


Get hit, get back up

Security and IT leaders estimate that 39 percent of their organization’s data is only held on endpoint devices — making it more difficult to track. As we discussed in our previous blog, “The Risks of Playing Data Hide-and-Seek,” this lack of visibility over endpoint-only data puts valuable company IP at risk — and updating a company security policy will not change the outcome because some employees simply don’t follow the rules.

In business, time is money. This is especially true in the seconds, minutes, days and weeks after a security breach. Yet according to about one-third of security and IT leaders, it would take up to one week to enact their recovery plan.

There is another way

While companies might think that they have no choice but to pay cybercriminals, they do actually have other options. And the overwhelming majority of CISOs agree. Nearly three-quarters (72 percent) reported that their company must improve its breach recovery ability in the next 12 months. And 75 percent stated that their company needs to shift the focus away from prevention-only security to a prevention-and-recovery strategy.

So what does that mean?

Recovery and prevention

From an IT perspective, prevention is only a single facet of a robust security approach. Possessing the capability to find out how a breach occurred — then being able to recover in real time — is the ultimate definition of resilience. With a comprehensive data recovery tool that includes visibility and recovery for endpoints, companies wouldn’t have to pay a ransom to regain access to their data. They would simply restore their data using their recovery solution.

Code42 can help organizations regain control post-breach. To find out more, click here.

In case you missed them, get the full Code42 Data Exposure Report blog series:

Code42 Data Exposure Report: A must-read for security and business decision-makers

Data Exposure–The Risks of Playing Data Hide-and-Seek

With cybersecurity threats continuing to evolve, even organizations wielding security tools and policies are at risk from a potential breach. In fact, 20 percent of security and IT leaders admit they do not have full visibility to where their data lives and moves—leaving their organizations with a data security blind spot.

According to the findings of our new Data Exposure Report, which surveyed nearly 1,700 security, business and IT leaders, 80 percent of CISOs agree that, “You cannot protect what you cannot see.”

It seems business leaders, on the other hand, are not always aware of the challenges security and IT leaders face to protect data. The overwhelming majority (82 percent) of business leaders believe IT can protect data they cannot see. This disconnect has major implications for data security, as business leaders often determine the budgets that security and IT need to do their jobs.


Data at risk

With the rise of flexible working practices and the ongoing digitization of information, the importance of data visibility and forensics across employee endpoints cannot be underestimated. In modern enterprises, with data flowing freely in and out of the organization, traditional security perimeters are no longer enough to prevent breaches.

Without the right tools, endpoint data is particularly vulnerable. In fact, 86 percent of security and IT leaders believe saving files outside of company storage—for example on an employee laptop—puts their organization at risk. This is a significant concern considering that 73 percent of security and IT leaders believe that some company data only exists on endpoints. And this is critical data: security leaders revealed that losing endpoint-only data could be business-destroying.

Data hide-and-seek

Keeping track of company data is not as straightforward as it may initially seem. Today, it goes beyond simply monitoring traditional sanctioned storage—even in the cloud.

While business leaders recognize that saving their data outside official storage causes unnecessary risk for their organization, they aren’t going to change their work habits. More than two-thirds (68 percent) of CEOs think there’s a risk to their company if they store data on devices such as laptops without keeping a copy in centralized storage—but they do it anyway.

Security must include recovery

Businesses need a safety net that will allow them to keep track of data stored on endpoints, regardless of employee behavior or communication breakdowns. To minimize risk to valuable IP, companies should have a security strategy that includes not only data recovery in the event of a breach, but also prevention tools to help prevent breaches from happening.

Coming up in the final post in this four-part series, we will explore why companies must shift their security strategy away from prevention-only to a prevention-and-recovery strategy that effectively deals with an increasingly unpredictable threat landscape. To read the Code42 Data Exposure Report in its entirety, go to code42.com/2018DataExposureReport.

In case you missed them, get part one and two of Code42’s Data Exposure Report blog series.
