Happy Anniversary! GDPR One Year Later

Happy Anniversary! GDPR One Year Later

It’s been a year since we — and many of you — went live with enhancements to our privacy and security programs tied to GDPR, and two years since we started the GDPR journey. That’s why it’s a great time to look back at the impact GDPR has had on the way we do business.

This post is purely for general information purposes and is not intended as legal advice. This blog gives a glimpse into Code42’s early GDPR implementation. We, along with GDPR as well as other national and international privacy rules, will continue to evolve and mature.

“ The GDPR journey shouldn’t be a one-department initiative or the sole responsibility of Legal or Security. It must be a business-driven initiative with Legal and Security providing recommendations and guidance. ”

What we did to get ready for May 2018

We started preparing for GDPR around May 2017. The GDPR journey shouldn’t be a one-department initiative or the sole responsibility of Legal or Security. It must be a business-driven initiative with Legal and Security providing recommendations and guidance. At Code42, we established a cross-functional group comprised of Legal, Security, IT and system subject matter experts. The key activities of this group were to:

  1. Create an inventory of applications in scope for GDPR. We have European employees and customers so we had to look at applications that were both internal and customer-impacting. When outlining in-scope applications for GDPR, we kept in mind that more restrictive data privacy laws seem imminent in the U.S. We also conducted a cost-benefit analysis to determine whether we should keep non-EU PI in scope now or revisit it at a later date.  
  2. Define retention periods for all of the applications in scope. Prior to our GDPR journey, we had a retention program in place, but it was largely focused on data we knew we had legal, regulatory or other compliance obligations around, including financial records, personnel files, customer archives and security logs. GDPR just gave us the nudge we needed to mature what we were already committed to and have better conversations around what other data we were storing and why.
  3. Figure out how to purge personal data from applications. This may be challenging for SaaS organizations. When applications are managed on premise, it’s much easier to delete the data when you no longer need it. But translating that to all your SaaS applications is another story. There are a few areas where SaaS applications are still maturing compared to their on-prem counterparts, and data deletion appears to be one of them. Delete (or anonymize) data, where you can. Otherwise, either add the applications to a risk register, requesting that the application owner do a risk accept and submit a feature request to the vendor, or look for a new vendor who can meet your retention requirements.
  4. Create an audit program to validate compliance with our security program. We are fortunate to have an awesome internal audit program that monitors effectiveness of our security program, among other IT and technology-related audit tasks. So it was logical to test our in-scope applications against our newly defined retention requirements. We review applications periodically.
  5. And lastly, but just as important, define a process for data subjects to request that their information be deleted outside of a standard retention schedule (aka “right to be forgotten”). It is important to remember that this is not an absolute. While we want to honor a data subject’s request as much as possible, there may be legitimate business cases where you may need to maintain some data. The key for us was defining what those legitimate business cases were so we could be as transparent as possible if and when we received a request.

What we’ve learned in the last year

So what have we learned about GDPR one year and two internal audits later? A lot. 

What’s going well

1. A vendor playing nice

We had a really great success story early on with one vendor. When we dug into it, we found that our users were previously set up with the ability to use any email address (not just a Code42 email). We also learned our instance was configured to save PII that wasn’t a necessary business record. Based on that conversation, we were able to make a few configuration changes and actually take that application out of scope for GDPR! 

2. A more robust application lifecycle program and greater insight into the actual cost of a tool

As a technology company that is continually innovating, we want to empower our users to use tools and technologies that excite them and increase productivity. At the same time, we want to ensure we are addressing security, privacy and general business requirements. Users often find tools that are “so cheap” in terms of the cost of user licenses. Our new Application Lifecycle Management (ALM) process, however, gives us a better sense of the actual cost of a new tool when we factor in:

  • Onboarding requirements: Think Legal, Security, IT, Finance. Are there compliance requirements? Do we already have similar tools in place?
  • Audit requirements: Will this be part of the GDPR data retention audit, user access audit or other application audit?
  • Stand-up/stand-down requirements: Will it integrate with single sign-on solution? How does it integrate with other tools? How is data returned or destroyed?
  • Support requirements: Who are users going to contact when they inevitably need help using the tool?

When the person making the request can see all of the added costs going into this “inexpensive” tool, it makes for easier discussions. Sometimes we’ve moved forward with new tooling. Other times we’ve gone back to existing tools to see if there are features we can take advantage of because the true “cost” of a new solution isn’t worth it.

3. A great start toward the next evolution of privacy laws

On the heels of GDPR, there has been a lot of chatter about the introduction of more robust state privacy laws and potentially a federal privacy law. While future regulations will certainly have their own nuances, position yourselves to comply with them in a way that will require just small tweaks versus major lifts like the GDPR effort.

What’s not working

1. What exactly IS personal data?

We have had a lot of conversations about what data was in scope… and I mean A LOT. According to the GDPR, personal data is defined as any information related to an identified or identifiable natural person. That puts just about every piece of data in scope. And while it may seem like an all-or-nothing approach may be easier, consider risks that could affect things like availability, productivity, retention, etc. when implementing controls, then scope programs appropriately to address those risks in a meaningful way. 

2. “Yes, we are GDPR compliant!”

One thing we realized very quickly was that it wasn’t enough to simply ask our vendors if they were “GDPR compliant.” We ended up with a lot of “Yes!” answers that upon further investigation were definite “No’s.” Some lessons learned: 

  • Understand the specific requirements you have for vendors: Can they delete or anonymize data? Can they delete users? 
  • Whenever possible, schedule a call with your vendors to talk through your needs instead of filing tickets or emailing. We found it was much easier to get answers to our questions when we could talk with a technical representative.
  • Ask for a demo so they can show you how they’ll delete or anonymize data and/or users. 
  • Don’t rely on a contractual statement that data will be deleted at the end of a contract term. Many tools still aren’t able to actually do this. It’s important that you know what risks you are carrying with each vendor.
  • Audit your vendors to ensure they are doing what they said they would. 

Would we do it all over again?

Actually, yes. While our GDPR project caused some grumbling and frustration at the beginning, it has now become an integrated part of how we operate. There is no panic and no annoyance. Instead, there are lots of great proactive conversations about data. At the end of the day, we have matured our tool management, and our privacy and security; and our data owners feel a stronger sense of data ownership.

Wanna see a sample of our Application Lifecycle Management (ALM) vetting checklist? 

Legacy_DLP_does_not_work_Code42_Blog

Legacy DLP Doesn’t Work: McAfee Sues Former Employees for Stealing Company Data

If you think your company is immune to departing employees walking out the door with sensitive data, think again.

Case in point: A world leader in data loss security, McAfee, just filed a lawsuit against three former employees for conspiracy and stealing trade secrets before they went to work for Tanium, a market rival. To carry out the alleged heist, the employees did not use the type of sophisticated technology that you might expect. Instead, according to the lawsuit, confidential company information was moved to unauthorized USB devices, private email addresses and cloud-based drives.

“ If a legacy DLP vendor can’t keep a simple breach from occurring in its own company, why would anyone trust legacy DLP software to keep their data safe? Short answer: they shouldn’t. ”

The kicker? A “leader” in data loss prevention didn’t realize that critical data was leaving until months after the damage was already done. And even then, they couldn’t definitively determine what had been taken or how much. 

Thank you, McAfee, for demonstrating what many of your customers must already know — legacy Data Loss Prevention (DLP) doesn’t work. If a legacy DLP vendor can’t keep a simple breach from occurring in its own company (a breach of data that McAfee claims is worth millions of dollars!) why would anyone trust legacy DLP software to keep their data safe? Short answer: they shouldn’t.

The insider threat problem is growing

The insider threat problem is getting worse. Simply put: when people leave jobs, they take lots of data with them. According to McKinsey, 50 percent of breaches involved insiders between 2012 and 2017. It’s no longer a matter of whether data leaves, but when it leaves – and it’s leaving every day.

Part of the problem is that data has never been more portable — so taking it has never been easier. Sales lists, product specs, pricing information, payroll data and even contact lists are just a few examples of small but critically important files that are simple to take. Employees can store hundreds of gigabytes on their mobile devices, put 1TB or more of data on removable media, or quickly transfer data to personal cloud storage services like Dropbox.

Not only is data moving around more, but so are employees. The median tenure of U.S. workers ages 25 to 34 is just 2.8 years. And as they move from company to company, they take data with them. But that’s not all. While they may change companies, many opt to stay within the same industry, making the data that goes with them even more valuable.

“ We are offering all McAfee customers six months of free service when they buy a year of Code42 Next-Gen Data Loss Protection. ”

This is a solvable problem

At Code42 we’ve been working to help our customers face these challenges. Our insider threat solution identifies what data employees are taking as they depart your organization. In fact, we look back for 90 days because we have found the smart employees take important data long before they actually quit. Unlike McAfee and other traditional DLP players, we don’t require policies or classification of data, which means our solutions roll out in days not months. Oh, and unlike traditional DLP, we track all data exfiltration. Our products are designed to tell you before the damage is done so you don’t have to file lawsuits like McAfee’s.

To put our conviction on display, we are offering all McAfee customers six months of free service when they buy a year of Code42 Next-Gen Data Loss Protection*. And yes, that offer even extends to McAfee. After all, their data is valuable too, and they clearly need a better solution. 

*Offer details: If you are a current McAfee DLP customer, Code42 will offer six free months of service to switch to Code42. You must be a new Code42 customer and you must buy a minimum of 12 months of service to qualify for the six free months. This offer is valid through December 31, 2019. Contact Code42 sales at (877) 464-1061, or email mark.blaseck@code42.com.

Gartner’s CARTA Enable a Shift in Data Security

CARTA: What Role will it Play in the Hippy Era of Data Love?

The Gartner Security & Risk Management Summit 2019 is upon us and this year’s theme is all about how you can shift organizational culture to improve cybersecurity, data privacy and business resilience.

When it comes to building a viable data security strategy, organizational culture has easily been one of the more overlooked elements. But that is changing! Today, end users play a key role in shaping security. The ultimate conundrum organizations face is how to embrace cultural shifts that drive  productivity without jeopardizing data protection.

“ CARTA offers a strategic approach to information security that assumes that everyone inside a security perimeter is a threat and all data interactions are a security event. ”

To that end, I’m very interested to learn more about Gartner’s Continuous Adaptive Risk and Trust Assessment (CARTA) framework. A logical companion to Forrester’s Zero Trust model, CARTA offers a strategic approach to information security that assumes that everyone inside a security  perimeter is a threat and all data interactions are a security event. The approach makes sense. In times where insider threat scenarios are clearly on the rise, a data focused approach to detecting and responding to risk becomes paramount. In my opinion, the best part of the CARTA framework is its approach of continuously adapting to change and learning from each data interaction.

I’ve often joked with security analysts that they have the unenviable task of protecting data in the hippy era of data love. In this new data paradigm, users call the shots. They use their device of choice, work from their location of choice and sometimes select their corporate IP storage destination of choice! Today’s users have rejected the mores of mainstream security. Countering this wave may actually have adverse effects on the business.

One of the key questions for me to answer at this year’s summit will be, “How well can CARTA enable this cultural shift?”

If you are attending the Gartner Security & Risk Management Summit, stop by booth #448. Learn how the Code42 Next-Gen Data Loss Protection solution makes it quicker and easier to detect and respond to data exfiltration and insider threats.

Code42 Blog

Breach Fatigue – And How to Take Action

Since 2005, a staggering 9,033 data breaches have been made public — that averages about 1.77 breaches a day. In the wake of this stream of breaches, a sense of apathy has taken hold, causing both employees and organizations to become numb to their own security risks.

In her latest byline for TechBeacon, Code42 Chief Information Security Officer Jadee Hanson shares the dangers of employees and leadership experiencing breach fatigue and how it leaves an organization open to insider threats, ineffective security strategies and other security vulnerabilities.

Securing Your Software Supply Chain Code42 Blog

Securing Your Software Supply Chain

Software supply chain attacks have hit the news in a big way. In March, hardware maker ASUSTeK Computer, or ASUS, found its auto-update process hijacked to deliver malware and more than a million users may have downloaded a backdoored version of the company’s update software. 

Concerns about these types of attacks are growing. In recent years, we’ve witnessed attackers increasingly leveraging software supply chain attacks to do things, such as corrupt PC utility software and collaborative development tools. 

Supply chain attacks are different from other cyberattacks in a number of ways. In addition to being sophisticated, successful attacks have the ability to impact thousands to millions of users in ways few cyberattacks can. Then there’s the rising complexity of software. Software vendors today are making software self-updating and even self-healing. Because of all this, and the increasing amount of open source and third-party software in use, I expect the supply chain attack vector to become more common.

With this in mind, it’s important to understand the steps your software makers and providers are taking to protect the software and systems they provide you. 

“ One must take the best of precautions, such as conducting due diligence on hardware and software providers and ensuring that they do what they can to keep their systems and customers secure. ”

For instance, to help ensure the integrity of our software, we take a number of precautions here at Code42. We protect our systems with defense-in-depth, and we monitor the integrity of our files. We also encrypt our software certificates, and we make sure they are safe and well protected. We maintain strong file validation, to mitigate the risk that an attacker might inject something nasty and try to deploy software while posing as us to our customers.

Still, these types of attacks are very humbling for security professionals. They highlight the stark reality that no matter how many precautions one takes, everyone is still part of a chain of technology and reliant on third-parties. And if anyone in that chain of technology and services gets compromised, you are also now at significant risk of compromise. One must take the best of precautions, such as conducting due diligence on hardware and software providers and ensuring that they do what they can to keep their systems and customers secure.

While there’s certainly no guarantee of success, there are things one can do to approach the security of your software supply-chain.

First, I’d like to say, broadly, is that you should generally trust your software vendors. When a software provider publishes updates, there is a good reason. Good software development, especially one that includes software security, is a process — a process that certainly doesn’t end when software ships. In fact, the time to be concerned about trusting software vendors is if they’ve never reported a vulnerability. If not, there’s a good chance that they are not being transparent, or they are not looking closely enough. I don’t know which is worse. 

It’s also important to make sure that your software providers engage in secure software best practices. When issuing updates, are they signed? Are application bundles and libraries signed? Do they have a functioning vulnerability reporting process and publicly posted policy related to security patches? Make certain these things are in place.

Finally, don’t think it’s smart to block or skip updates. You could actually “denial-of-service” yourself by blocking updates because your software could stop properly functioning without new code. Some organizations think blocking updates helps improve their systems stability. It doesn’t. If your change controls are too rigid, they need to be updated so that software updates can be tested and then rolled out efficiently. Additionally, software compliance as well as government and industry regulations likely mandate that systems be kept up to date. 

When it comes to defending an organization against software supply chain attacks, it’s crucial that not only security best practices be closely followed, but one also needs to hold the seemingly contradictive assumption that nearly two-thirds of IT security professionals believe a successful cyberattack is imminent in 2019. This is why, in addition to the usual good user authentication practices, data backups, system and network segmentation, and anti-malware, it’s crucial to monitor for file integrity and mysterious traffic patterns. That means making certain that systems and data are persistently monitored for potentially malicious activity, such as unauthorized data exfiltration and other shenanigans. 

That’s certainly not a panacea. But the reality is there isn’t one. Still, every organization needs to be proactive and take the steps necessary to identify any anomalies underway in their environment. And they need to make sure their software providers are, for their own part, taking an aggressive stance themselves when it comes to software security and protecting themselves, and therefore their customers, from attack.

While security-savvy organizations have long thought about the nature of the security of the software they install, it’s time they also think more about the software update process from each of their vendors, and continue to do so for as long as it’s being used.

3 Key Workflows to Build an Insider Threat Program Code42 Blog

3 Key Workflows to Build an Insider Threat Program

We’ve never been shy about beating the insider threat drum at Code42, but the buzz on insider threat is reaching fever pitch. Small to medium-sized enterprise security and IT teams know they need to address this looming risk. But the biggest hurdle is answering the question, “Where do we start?”

For the past few years, the prevailing answer has been, “BUILD A COMPREHENSIVE INSIDER THREAT PROGRAM.” But let’s be honest: This is daunting. It’s time-consuming. It’s expensive. Moreover, these “best practices” often involved creating an entire team dedicated exclusively to insider threat detection and response. That sounds fantastic — but well beyond reality for most of us dealing with strained resources and limited budgets.

Most problematic: The root of this traditional approach is implementing traditional DLP. Just mentioning DLP might make you cringe as you imagine expensive technology and super complex rules that, at the end of the day, often do more harm than good — frustrating users with barriers to productivity and leading to workarounds and exceptions that compromise the whole program.

You need something simpler. We all do, because the insider threat problem is not going away. 

“ Start by focusing on the most common data exfiltration scenarios. These center on a few common use cases that impact nearly every organization — departing employees and high-risk workers, accidental leakage and organizational changes (re-organization, M&A, divestiture, etc.). ”

Here at Code42, we’ve come up with a better approach to building an insider threat program — and it all centers on a simple starting point: the everyday triggers that create your biggest insider threat risks. These are common use cases that happen every day (or every hour) that account for the vast majority of insider threat incidents — departing employees, accidental leakage and organizational changes. Hone-in on these high-risk triggers, and make sure you have the right technologies in place to see the full picture — not just a trail of breadcrumbs after the fact.

With these everyday use case triggers as the foundation, here are 10 critical steps that make it faster, easier and more cost-effective for small to medium-sized enterprises:

Code42’s 10 steps to building an insider threat program

1. Get executive buy-in: Don’t fight this battle on your own. Getting definitive buy-in from leadership is the first and most critical step in defining your security and IT team (and your efforts) as value-adding business partners — instead of frustrating data police. 

2. Identify and engage your stakeholders: Continue the buy-in campaign from the top down. Think about which individuals or teams within your organization stand to lose the most from insider data theft or leakage. Identify and engage line-of-business leaders, HR, legal and other IT leaders as key stakeholders in your insider threat program.

3. Know what data is most valuable: Once you know who you’re protecting, engage those line-of-business stakeholders in conversations about what data is most valuable to them. All data has value, but these conversations are essential to understanding the different types of unstructured data to keep a close eye on — and which types of high-value unstructured data will require more creative means of tracking.

4. Think like an insider: With your valuable data in mind, put yourself in the shoes of an insider. Why would they want to move or take information — and what would they ultimately want to do with it? What tactics or blind spots might they exploit to do it? What workarounds could they use to get work done? We call these actions inside indicators of compromise.

Up to this point, the steps may look very similar to more traditional approaches. You’re figuring out what data you’re protecting — and the indicators or compromise that point to insider incidents. Now, here’s where things get simpler:

5. Define insider triggers: Instead of building a monster program with classification schemes and policies that attempt to monitor every potential scenario (and ultimately fail), start by focusing on the most common data exfiltration scenarios. These center on a few common use cases that impact nearly every organization — departing employees and high-risk workers, accidental leakage and organizational changes (re-organization, M&A, divestiture, etc.). These use cases make up the vast majority of insider threat incidents, and serve as the foundational triggers of your insider threat program.

6. Establish consistent workflows: Investigating suspected data exfiltration can be daunting in itself. Once again, start small by focusing on the key use cases. For example, when an employee departure is triggered, define which activities will be examined — and what activities will trigger in-depth investigation. Exceptions and workarounds are the Achilles heel of insider threat programs. Make sure you clearly define the workflow for each trigger — and consistently execute and improve the steps you establish.

7. Create rules of engagement: Once a workflow has been triggered and potential data exfiltration identified, it should be the key stakeholder’s responsibility to directly engage the employee/actor. For example, departing employee and accidental leakage incidents will likely trigger engagement from HR and the line-of-business manager. A M&A workflow might trigger engagement from internal legal staff — or even a CFO. It’s important that these rules of engagement separate security and IT from any enforcement responsibilities. This allows them to focus on monitoring, detection and remediation — and prevents security and IT from developing an adversarial “data police” relationship with staff.

8. Leverage existing security and IT teams — and train your stakeholders: It doesn’t make sense for most small and medium-sized enterprises to create a fully dedicated insider threat team. Because we’ve honed the insider threat program down to a few key workflows, your existing security and IT teams should be able to handle the monitoring and detection responsibilities. But security and IT teams — who are already wearing multiple hats and managing strained resources — don’t have to shoulder the full burden. It’s also critical that all stakeholders (the HR, legal, line-of-business managers, etc.) be trained so they understand the full scope of the insider threat program: what is being monitored, the specific use case triggers, the investigation workflows, the rules of engagement and the tools used to accomplish all of this. This training should also clearly define their roles and responsibilities, so they’re ready to jump in when an incident response workflow is triggered.

9. Be transparent in communication: Transparency is critical for building a healthy culture that values security. Employees should know — from day one — that your organization tracks file activity. They should understand that the program is applied universally and without privileges or exceptions — and they should understand how the program is designed to support their productivity while protecting the business.

10. Implement true monitoring, detection and response technology: Perhaps most important of all, your insider threat program must start long before a trigger. In other words, you can’t afford to only monitor an employee’s activity after he’s given his notice, or after rumors of organization change have begun rippling through the office. Too many insider threat monitoring solutions are limited to this post-trigger scope — and far too often, the actual exfiltration occurs much earlier. True monitoring, detection and response technology must be continuously running, providing historical context and complete visibility into all data activity. This enables your insider threat team to quickly and effectively see the full picture — and protect all data at all times.

At the end of the day, let’s stop talking about insider threat exclusively as “employees stealing stuff.” This market perception perpetuated by our industry has done more harm than good. In reality, insider threats are the actions (good, bad and indifferent) people take with data (any data) that puts customer, employee, partner or company well-being at risk. The smaller the enterprise, the greater the business risk. That’s the real promise of the workflow-based approach: It gives small and medium-sized organizations a simple starting point — just three or four use cases — that will effectively address 80% or more of your insider threat risks. 

Addressing the Security Talent Shortage From Within - Code42 Blog

Tips From the Trenches: How I Moved From Mattress Sales to Malware

Yeah. You read that right. I’m an information security analyst now, but it wasn’t long ago that I was living in the heart of Silicon Valley…selling mattresses!

So there I was, in my early 20s. I’d missed the first .com gold rush, I had no degree and I basically used my laptop to play World of Warcraft. But, selling mattresses DID give me some advantages. Besides being extremely lucrative at the time, no one bought mattresses online yet, “product testing” consisted of taking naps on expensive beds, making sure the massage chairs worked properly and getting paid to talk to people about sleeping — a favorite pastime of mine to this day. I had a lot of downtime…so, I started studying.

After a short stint in banking, I landed a sales gig at a tech startup. I was 33 and just getting into the technology space. Sales is a hard habit to kick!

Next, I was living in Minnesota and looking for yet another sales gig. This time in Silicon Prairie. At this point, I’d heard of Code42 and knew that’s where I wanted to be. I told my soon-to-be director that I didn’t care what the role was, I wanted in. I knew I could figure things out from there. A week later, I was on an amazing business development team.

“ I’m not saying information security is for everybody, I’m saying information security is for anybody with the drive and passion to self educate, move outside your comfort zone and be brave enough to introduce yourself to perfect strangers! ”

By now you’re asking, “What does any of this have to do with information security?” At least I would be. Hang in there, we’re close. The context here matters. Understand that at this point, I’d been in sales for more than twenty years!

Then, two things happened. First, I attended what we call “Experience Week.” Essentially, it’s a week of getting to know the leadership team, the culture and our co-workers at Code42. Our CEO Joe Payne got up to speak. I’m sure it was informative and truly inspirational but I mostly remember one thing he said, “Here at Code42 we have a value: Get it done. Do it right. And if you’re getting it done and doing it right and you want to do something else, tell us. We’ll help in any way we can.” Sometimes you hear these things from leadership, and it doesn’t actually mean anything. But I decided to put this to the test.

At the same time, I just happened to be reading “Managing Oneself” by Peter F. Drucker (a must-read for any professional BTW). There was one statement that hit me like a ton of bricks: “After 20 years of doing very much the same kind of work, people are very good at their jobs…and yet they are still likely to face another 20 if not 25 years of doing the same kind of work. That is why managing oneself increasingly leads them to begin a second career.” This was becoming a theme for me, so I figured this was my chance to leap out of my comfort zone and reach for something exciting!

I knew, with every bone in my body, I did NOT want to spend the next 20+ years of my professional life generating my income by convincing others to part with theirs. So, now what?

Well, after consulting with my personal board of directors and a whole lot of prayer, I took a look at the digital landscape and knew I wanted to transition into security. The decision was based on learning some key elements of the security space:

  • There is currently 3 million unfilled cybersecurity positions globally. ((ISC)2 Workforce Study)
  • 52% of CISO respondents named “communication & people skills” as a top quality in potential candidates. (Dark Reading)
  • No IT degree required!

Opportunity? Check. Can I talk to people? Double check. No IT degree required? Check. (And, whew!)

Evan Francen of FRSecure is fond of saying, “Get into security! There’s plenty of work to go around.” OK…thanks Evan! Uhhh, how?

“ Luckily, there is an exhaustive amount of resources available in the wild for anyone curious enough to look. ”

Luckily, there is an exhaustive amount of resources available in the wild for anyone curious enough to look. Believe me, I checked out every free resource known to man. But while I was building knowledge, I wondered if it would be enough to get my foot in the door.  My inner sales guru said, “No grasshopper, you need to meet people who can help.” I’d say to anyone at this point — what really makes a difference for someone without the degrees or the experience is your ability to demonstrate passion and enthusiasm for security and a real desire to establish and foster genuine relationships with folks that are already in the security world. My new contacts in security had that passion — and I needed to show I did, too!

With our internal security team I sought out and requested time to chat with anyone who would humor me, peppered them with questions and afterward, made sure to send them each a handwritten ‘thank you’ note.

Second, and probably the most important, I ACTED on their suggestions. The worst thing you can do is ask people for their advice and then completely ignore their recommendations.

By this point I had the bug and I wasn’t going to take no for an answer. I even took my sales skills on a road show. Here’s what I did:

  • I took PTO to attend security conferences and trade shows.
  • I found security happy hours and meetups where I could network with other security professionals.
  • I found no shame in doggedly hounding my CISO to give me a shot.
  • I found opportunities to interact with her and the security team. Even going so far as to show up, front row, to a panel discussion she was speaking on ABOUT the talent shortage in the security field. A bit creepy? Sure. Effective? Well, two months later I was offered a role as an information security analyst.

I’m not saying information security is for everybody, I’m saying information security is for anybody with the drive and passion to self educate, move outside your comfort zone and be brave enough to introduce yourself to perfect strangers! You don’t have to be super technologically savvy (although that certainly helps) or have a masters in computer science, or be some hacker in a basement wearing a black hoodie bent over a keyboard trying to take down “the man.”

Start with taking a look at the industry — do your research, make sure to network with people (security folks are often excited to share their knowledge), be a part of something bigger than yourself and want to be one of the good guys! Teaching people security is easy — it’s having the chops and the drive that’s up to you.

Now, the work begins! Go get ‘em, grasshopper!

Connect with Josh Atkinson on LinkedIn.

Insights From the 2019 Cyberthreat Defense Report Code42 Blog

Insights From the 2019 Cyberthreat Defense Report

This week, I joined Steve Piper, CEO of CyberEdge Group, to review the findings of the 2019 Cyberthreat Defense Report. The Cyberthreat Defense Report is designed to complement Verizon’s annual Data Breach Investigations Report and provides a penetrating look at how IT security professionals perceive cyberthreats and plan to defend against them. This study surveyed 1,200 IT security decision makers and practitioners from 17 countries, six continents and 19 industries.

Among the key findings this year, there are three that are sending a clear signal for the future of information security.

1. Too much security data. This might sound like a negative, but I view it as a good problem to have. After all, if you have all the pertinent data to help you with a security investigation, why wouldn’t you use it? Unfortunately, while the data may exist, the proper tools to decipher and analyze that data doesn’t. This is precisely why 47 percent of respondents acknowledged their organization’s intent to acquire advanced security analytics solutions that incorporate machine learning (ML) technology within the next 12 months.

My take: Having the data is one thing, being able to make quick and visual sense of it is quite another. Quick decision making is paramount and in security, time is emerging as a key factor to mitigating risk.

2. Thirteen percent of overall IT budget is consumed by security. This is up from five percent just two decades ago and will only continue to grow. There also is  a critical shortage of qualified IT security personnel, so I expect continued focus on smart investments in technologies.

My take: Security is rightfully taking center stage from a budget perspective. The challenges around too much security data to analyze, lack of skilled security practitioners and the realization that a cyberattack is imminent are only going to keep trending.

3. Insider threats continue to plague security teams. Detecting insider threats remains an enormous challenge for virtually every IT security organization. Although application development and testing remains atop the list of IT security functions perceived as most challenging, detecting rogue insiders and their insider attacks has risen from third place in 2018 to second place in 2019.

My take: Detecting insider threats comes down to how effective a company is in defining, collecting, correlating, analyzing and reporting on insider indicators of compromise. It’s time to take a proactive approach to protecting data.

“ Detecting insider threats comes down to how effective a company is in defining, collecting, correlating, analyzing and reporting on insider indicators of compromise. It’s time to take a proactive approach to protecting data. ”

Other key takeaways:

  • Hottest security technology for 2019. Advanced security analytics tops 2019’s most wanted list for not just the security management and operations category, but across all technologies in this year’s report.
  • Machine learning (ML) garners confidence. More than 90 percent of IT security organizations have invested in ML and/or artificial intelligence (AI) technologies to combat advanced threats. More than 80 percent are already seeing a difference.
  • Attack success redux. The percentage of organizations affected by a successful cyberattack ticked up slightly this year to 78 percent, despite last year’s first-ever decline.
  • Caving in to ransomware. Organizations affected by successful ransomware attacks increased slightly to 56 percent. More concerning, the percentage of organizations that elected to pay ransoms rose considerably, from 39 percent to 45 percent, potentially fueling even more ransomware attacks in 2019.
  • Container security woes. For the second year, application containers edge mobile devices as IT security’s weakest link.
  • Web application firewalls rule the roost. For the second year, the web application firewall (WAF) claims the top spot as the most widely deployed app/data security technology.
  • Worsening skills shortage. IT security skills shortages continued to rise, with 84 percent of organizations experiencing this problem compared to 81 percent a year ago.
  • Security’s slice of the IT budget pie. On average, IT security consumes 12.5 percent of the overall IT budget. The average security budget is going up by 4.9 percent in 2019.

It’s clear that security teams must ensure their organization’s defenses keep pace with changes both to IT infrastructure and the threats acting against it. The good news, at least for 84 percent of survey respondents, is that their IT security budgets are expected to increase in 2019.

Watch the on-demand webinar or get the full 2019 CyberEdge Cyberthreat Defense Report.

The Best of Evolution19 - Code42 Blog

The Best of Evolution19 (Video)

Wow! What a great time we had at Evolution19 in Denver, April 30 to May 2. The event was jam packed with educational sessions, many opportunities to network and meet other customers, hear about product roadmap and what to expect from Code42 in the coming year. Evolution19 attendees heard about this year’s focus on actionable data insights, including new dashboards and alerting, which are coming soon. In addition, customers can expect new data security applications developed on top of the platform to support insider threat workflows, such as departing employees, workforce reductions and more. Be sure to stay up-to-date on product news by joining the Code42 customer community and registering for our quarterly product webinars.

Watch Evolution19 highlights.

And now, the Evolution19 Top 5:

5. Seattle Police Department Detective Ian Polhemus and Police Dog Bear: Okay, a dog as a keynote? Yes. We heard Ian talk about security and how Bear locates items you can’t easily see. This visibility message hit home for attendees as they thought about how effectively and quickly they can investigate and remediate data following a breach.  If your organization is still challenged to understand the forensics of a breach or attack and recover your data, just think of Code42 as your own personal Bear.

Code42 Evolution19 Keynote

4. Upgrades: Upgrading to a Code42 cloud solution is so easy that one of your peers moved to the cloud while onsite at Evolution19! As you embark on your own digital transformation, an upgrade gives you access to our best security and risk management tools.

It was exciting to see IT teams working hand-in-hand with their partners in Security to develop data protection strategies that really serve their businesses–we had some big teams attend Evolution19 together this year, and they were able to make some key  decisions on site.

3. Education and Training: Knowledge is power and you knocked it out of the park at Evolution19! A total of 35 people successfully became certified Code42 Administrators. We offered two certification classes and certified almost 50 admins and help desk staff. More than 90 customers took part in seven educational workshops that were hosted during the event. Five people also took our new Security Specialist exam that was offered as part of the Code42 Next-Gen DLP workshop.

Code42 Evolution19 Training

2. The Evolutionaries: We love to honor attendees for demonstrating their strength in security and creating a better workplace for the businesses they serve. This year, there were 30 finalists for the Evolutionaries and 10 winners. Watching the winners dance up onto the stage was a true highlight of this year’s Evolutionaries security industry awards.

Code42 Evolution19 Evolutionaries Awards

1. Networking: We heard all over the conference that the best times were when people had time to connect and learn from other Code42 customers. Whether it was dancing at Lucky Strike, earning cash through questions in sessions, meeting others or petting puppies from the Denver Animal Shelter, this group took advantage of this unique chance to network; it was very fun to watch.

But don’t take our word for it. Here’s what Evolution19 attendees had to say:

“Evolution19 has delivered on its promise. From panel sessions, workshops, product training and certification courses, Code42 has once again shown its commitment to its customers.”

Zerin Dube, Code42 customer and HFF Engineering Director

I debated going this year (since I just attended in 2018). So glad I went! Tons of new, valuable information; I reconnected with peers and colleagues; and saw the best doggone keynote speaker ever!”

David Paul, Code42 customer

“Finishing up an awesome few days here in Denver for Evolution19. Thank you to the Code42 team for putting on such a great event. Lots of fun, learning and connecting. Congrats to MACOMs own David Chiang on his Evangelist award! #thankyou #denver #code42 #macomlife”

Lauren Walsh, Code42 customer

Evolution20 has not been announced yet. We look forward to sharing what we have in store for you!


Code42 Blog

Improved Risk Management Through Better Data Insights

Let’s face it: security professionals are overrun with data. Their logs are brimming with it. Their security tools are continually alerting them to potential anomalies, attacks, new vulnerabilities, changes in system configurations and all of the other things that could put enterprise data at risk. It’s safe to say that when it comes to data, security analysts and administrators are beyond overwhelmed. However, when it comes to business executives, the opposite is true: they often aren’t getting the information they need to assess what type of risk their organization’s data is under. 

The problem is, without the right data — data specific to their roles in the organization — neither security analysts nor business leaders can make effective risk management decisions regarding their corporate data. With version 7 of our Code42®Next-Gen Data Loss Protection solution, we’re tackling that challenge head-on. The goal is to get the right type of information, in the right amounts, at just the right time to those who need it so they can make the best decisions they can relevant to their job. 

“ The problem is, without the right data — data specific to their roles in the organization — neither security analysts nor business leaders can make effective risk management decisions regarding their corporate data. ”

What do I mean, exactly, when I say security professionals get too much data and business executives not enough? I’m talking about a signal to noise ratio: security pros typically get flooded with so much data that they have a challenging time finding the risks they need to focus on, yet business executives get so little relevant security information that they can’t make effective data-driven decisions. 

This can, of course, have profound deleterious effects on security. Bad decision making driven by poor access to the right information will negatively impact regulatory compliance; the protection of intellectual property, business plans and confidential customer data. When it comes to security analysts, if they can’t see the data they need to take immediate steps to mitigate danger, then breaches will go unnoticed until it’s too late. It’s one of the reasons enterprise data breaches, more often than not, go undetected for months. To be specific, the latest research tells us it takes an average of 49.6 days to detect a breach, which is up year-over-year. 

Code42 is taking steps to eliminate these barriers to effective security. At Evolution19, we are announcing a series of enhancements when it comes to our alerts, reports and dashboards within our Next-Gen DLP solution. 

“ At Evolution19, we are announcing a series of enhancements when it comes to our alerts, reports and dashboards within our Next-Gen DLP solution. ”

These improvements will help business leaders get the precise information they need about data risks lurking within their organization. Of course, we will also be providing numerous enhancements needed by front-line analysts to do their jobs more effectively. 

These efforts tightly align with Code42’s belief that security’s ability to be successful is directly tied to their ability to quickly detect and respond to data threats. As such, our goal is to demonstrate that security products can be both powerful and easy to use. That’s why we designed our Next-Gen Data Loss Protection solution with ease-of-use in mind. Customers don’t have to spend their time writing complex DLP rules and policies to reduce data risk like they do with traditional DLP — and now we are making it easy to get actionable information whether one is a security analyst or business leader.

What do I mean when talking about security analytics for business leaders? I’m talking about providing them with the insights they need to understand where the data-related risks hide within their organization. This includes attributes such as where their data resides, where it may be inadvertently exposed and show them how and where users are moving that data around the organization. We also will provide other high-level views about their data so they can make better decisions about managing their data, determining their risk level and even investing in security defenses more effectively.   

“ I’m talking about providing business leaders with the insights they need to understand where the data-related risks hide within their organization. ”

I’ll give you some examples. With these enhancements, business leaders will be able to see not only how many files are shared outside of the organization, but also the kinds of data being shared outside the organization. It will reveal how many file exfiltration events are occurring within your environment and show trends and patterns in data movements that business leaders should know.

Let’s consider insider risks. Often when we think of insider risks, the first thing that comes to mind is the nefarious insider. The insider stealing data to sell to competitors, or to take intellectual property to their next job. Employees acting maliciously isn’t the only cause for concern, though. Sometimes employees simply are careless, or make unintentional or uneducated mistakes. They may not follow the rules around data protection because they’re not convenient, or they may not even be aware of what the rules are.  In all cases, it’s crucial that the organization is aware of trends in data usage and movement so that corrective and mitigative actions can be taken. 

Of course, we are prioritizing enhancements that also will help security admins get a better signal when it comes to data visibility. This includes improved alerting so that security analysts and managers will be sure to see the security-related situations they need to investigate. While we have always provided security managers information about where all of their data resides within their environment, where their files are located, and how that data travels, in the future we will provide them with alerts that will bring potentially risky situations to their immediate attention. Situations like:

  • When a file has a shared link that allows public access to an internal file.
  • When a file is shared publicly and indexed on the internet.
  • When a user copies files to removable media.
  • When a user syncs a file to a cloud service.
  • When user browsers or applications read a file from a device.

That’s a lot of powerful information and will help organizations go a long way in reducing their data security risks.

This is an exciting time for us at Code42; we continue to evolve our Next-Gen Data Loss Protection solution. It’s so rewarding to see all of our efforts come to fruition and I can’t wait to see how our customers put these new capabilities to use.