Macom Data Loss Protection Blog - Code42

MACOM Uses Code42 to Stop Departing Employee Data Loss

MACOM is truly a great place to work. But, like every company, the unavoidable reality is that people leave. And, like every company, we’re faced with the challenge of making sure our trade secrets — in our case, highly proprietary semiconductor designs and CAD drawings — don’t leave with them. I am part of a three-person security team, and we are tasked with overseeing around 1,500 employees spread across 50 sites worldwide. Today, I’d like to share how we’re using Code42® Next-Gen Data Loss Protection to tackle the challenge of data loss from departing employees — protecting our most valuable files and protecting our business.

A Better Process for Detecting, Investigating and Responding to Data Loss Risks

About a year ago, we chose to implement Code42’s solution as the foundation of our comprehensive data loss protection strategy. We’re leveraging the solution in a number of ways, but one of the simplest and most valuable use cases is detecting when departing employees put data at risk — and accelerating investigation and response to data loss incidents.

Here’s what a typical workflow looks like with departing employees:

  1. HR Notice: Our HR team understands how we’re trying to focus on the unique data loss risk presented by departing employees. Having their buy-in ensures that HR informs us as soon as an employee gives notice that they’re leaving the company. This kick-starts the entire workflow.
  2. Past Activity Examined: As soon as we know an employee is leaving, we look back at the last 90 days of their file activity to see if they’ve done anything risky.
  3. Employee Added to Watchlist: Going forward, that employee is added to a watchlist within Code42 for enhanced monitoring. We watch their file activity closely for potentially risky data movement.
  4. Activity Alerts for File Movement: Code42 automatically generates activity notifications when an employee on our watchlist exceeds our defined file activity thresholds (moving too many files, moving too much data, moving files in specific ways, etc.).
  5. Forensic Investigation: Once again, since we’re able to track all file activity over the last 90 days, we’re able to rapidly investigate any alerts to assess whether the activity represents a data loss risk.
  6. Response: Our strong partnerships with Legal and HR allow us to quickly bring them in to execute an appropriate response to an identified risk. This also means we’re not left being the bad guys; our staff see us as the brand-value and idea protectors instead of the police.

How Cross-Functional Support Makes Our Security Team Smarter

It wasn’t as hard as you’d think it would be (or I thought it would be) to get to the point that we are at today with our data loss protection program. But it really all started with the security team building partnerships with our line-of-business (LOB) leaders. They helped us identify:

  • Our most valuable and vulnerable files and data: Our semiconductor designs, our manufacturing CAD drawings, our marketing plans, our customer lists, etc.
  • What normal vs. abnormal file movement looks like: If someone from marketing is using a USB to transfer data, that’s not that unusual — it’s common for collaborative marketing projects. But if an engineer is removing design files or an executive is taking customer lists, it might be risky. We have different alert profiles set up based on the type of employee, because we recognize that “normal” looks different for different types of employees.
  • What action is required: Just as different files constitute different kinds of risk, different risks require different kinds of action. We worked with our LOB leaders to identify what corrective actions should be taken to protect files and prevent damage when a departing employee attempts to take data with them.

Once we had these things figured out, we worked to develop protocols where possible. This standardized our definition of what risk looks like when an employee is leaving — and defines what action should be taken based on the identified risk.
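The departing-employee workflow described above (HR notice, 90-day look-back, watchlist, per-role activity thresholds, and different definitions of "normal" for engineers, marketing and executives) can be sketched as a small triage script. What follows is an added example written for this page, not Code42 product code and not MACOM's actual configuration: the event schema, the role profiles and thresholds, the path markers and the sample activity are all constructed assumptions, and the usernames are placeholders.

```python
"""Departing-employee file-activity triage.

Added example for this page, not Code42 product code or MACOM's real
configuration. Everything below is an assumption: the event schema, the
role profiles and thresholds, and the constructed sample events.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

LOOKBACK = timedelta(days=90)

# Actions that move a file off the managed endpoint (hypothetical names).
EXFIL_ACTIONS = {"removable_media", "cloud_upload", "personal_email"}

# One alert profile per employee type, as the post describes: marketing
# moving files to USB is routine, an engineer moving design files is not.
# Sizes are bytes; thresholds and path markers are hypothetical.
PROFILES = {
    "engineering": {"max_files": 20, "max_bytes": 500 * 2**20,
                    "sensitive": ("/designs/", "/cad/")},
    "marketing":   {"max_files": 200, "max_bytes": 5 * 2**30,
                    "sensitive": ("/customers/",)},
    "executive":   {"max_files": 50, "max_bytes": 2**30,
                    "sensitive": ("/customers/", "/board/")},
}


@dataclass
class Alert:
    user: str
    reason: str   # "sensitive_path", "file_count" or "byte_volume"
    detail: str


def parse_ts(s):
    """ISO-8601 UTC timestamp ending in 'Z' -> timezone-aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def triage(events, watchlist, now):
    """events: iterable of dicts {user, timestamp, action, path, bytes}.
    watchlist: {user: (role, notice_timestamp)} supplied by HR.
    Looks back 90 days from the notice date and forward to `now`, counts
    only actions that move data off the endpoint, and returns Alerts for
    sensitive paths and for exceeded per-role volume thresholds."""
    alerts = []
    for user, (role, notice) in watchlist.items():
        profile = PROFILES[role]
        start = parse_ts(notice) - LOOKBACK
        files, total_bytes, sensitive = set(), 0, []
        for ev in events:
            if ev["user"] != user or ev["action"] not in EXFIL_ACTIONS:
                continue
            ts = parse_ts(ev["timestamp"])
            if not start <= ts <= now:
                continue      # outside the 90-day look-back window
            files.add(ev["path"])
            total_bytes += ev["bytes"]
            if any(marker in ev["path"] for marker in profile["sensitive"]):
                sensitive.append((ev["timestamp"], ev["action"], ev["path"]))
        if sensitive:
            alerts.append(Alert(user, "sensitive_path",
                                f"{len(sensitive)} sensitive file(s) moved, first: {sensitive[0]}"))
        if len(files) > profile["max_files"]:
            alerts.append(Alert(user, "file_count",
                                f"{len(files)} files > {profile['max_files']} allowed for {role}"))
        if total_bytes > profile["max_bytes"]:
            alerts.append(Alert(user, "byte_volume",
                                f"{total_bytes} bytes > {profile['max_bytes']} allowed for {role}"))
    return alerts


def _ev(user, ts, action, path, nbytes):
    return {"user": user, "timestamp": ts, "action": action, "path": path, "bytes": nbytes}


# Constructed sample: eng01 gives notice on 1 Oct; ten days earlier they
# copied 25 design files to a USB stick. An older copy (June) falls outside
# the window, and a plain file_open is not an exfil action. mkt01's USB and
# cloud use stays inside the marketing profile.
SAMPLE_EVENTS = (
    [_ev("eng01", "2019-09-20T10:%02d:00Z" % i, "removable_media",
         f"/projects/designs/mmic_rev3_{i:02d}.gds", 30 * 2**20) for i in range(25)]
    + [_ev("eng01", "2019-06-01T09:00:00Z", "removable_media", "/projects/designs/old.gds", 2**20),
       _ev("eng01", "2019-09-25T11:00:00Z", "file_open", "/projects/designs/notes.txt", 4096),
       _ev("mkt01", "2019-09-28T14:00:00Z", "removable_media", "/marketing/campaign/deck.pptx", 40 * 2**20),
       _ev("mkt01", "2019-09-29T15:00:00Z", "cloud_upload", "/marketing/campaign/video.mp4", 800 * 2**20)]
)
SAMPLE_WATCHLIST = {"eng01": ("engineering", "2019-10-01T00:00:00Z"),
                    "mkt01": ("marketing", "2019-10-03T00:00:00Z")}


def run_sample():
    return triage(SAMPLE_EVENTS, SAMPLE_WATCHLIST, parse_ts("2019-10-10T00:00:00Z"))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.user}: {a.reason}: {a.detail}")
```

Run against the sample, eng01 trips all three checks (sensitive paths, file count, byte volume) while mkt01 produces nothing, which is the point of having a profile per employee type rather than one global threshold. The alert objects are what an analyst would pivot into the full file history for the forensic step; the script deliberately does not block anything.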

Focusing on Data — Not People

Like all security teams, we’re trying to focus on our biggest risks. But it’s the data — not the people — that we’re watching. Thanks to our LOB partnerships, we know what our most vulnerable and valuable data is. Thanks to Code42, we know where this data lives and we can see how it moves. When we detect that something’s unusual, we have the forensic depth to look closely at files that we detect as having left — so we know immediately if it’s something we need to address.

Moreover, by first narrowing our scope to focus on departing employees, we can more fully leverage this broad and deep file visibility to efficiently and effectively protect our data. And because we have this streamlined process in place, we are able to expand our team’s focus to monitor data in other potentially high-risk situations. We’re able to look more closely — while simultaneously being smarter and more efficient about how we spend our time.

A Rapid Learning Curve

I’ve mentioned that we run a lean security operation. In fact, we only recently added the third member of our security team, hiring a security analyst to help our director of IT security and me in better protecting the company. Our new security analyst came in with very little experience using enterprise data security tools, but he was able to jump in and begin using Code42 almost immediately. He’s taken a very hands-on role in using Code42 to actively protect our data, and it’s expanded what we can do — our capabilities, our use cases, etc. — as a security team.

This experience stands in stark contrast to most legacy data security tools, which are complex, require weeks of training — and years to become really proficient. Using these complex tools is no problem for more seasoned security pros. But most of us are familiar with the increasing shortage of security people — even as data security becomes more high-profile and demand rises. This was a popular topic at Black Hat USA 2019, and the consensus is that we need tools that don’t require extensive training and allow even rookie security analysts to hit the ground running.

Giving Us Confidence to Protect Our Business

Code42 has already proven its value in myriad ways, and our process for monitoring departing employees has already helped us catch risky data movement and take action. Because of successes like these, HR and Legal understand and appreciate the capabilities our security team has — and this fosters a deeper collaborative partnership as we tackle other data security challenges in our organization. Code42 is giving us the confidence to proactively protect our valuable files and data across our global environment, and to take rapid action to protect our business.

Visit Me at Microsoft Ignite

I’ll be joining Code42 in Booth #1141 at the upcoming Microsoft Ignite conference. If you’d like to hear more about how we’re using Code42 to proactively protect our files and our business, or if you have questions about using Code42 Next-Gen Data Loss Protection, stop by the Code42 booth and we’ll chat.


macOS Catalina Creates Kernel Crisis for Legacy DLP

Apple released the new macOS Catalina on October 7, setting IT and security teams abuzz about the logistics of upgrading their users, excitement about new features and concerns about the pains that always come with change. But one change has a direct impact on endpoint security tooling: Catalina puts the operating system on a read-only system volume and deprecates third-party kernel extensions (kexts) in favor of user-space System Extensions and the Endpoint Security framework. This isn’t just another instance of “kernel panic” but a full-blown kernel crisis: legacy DLP products that rely on a kext to intercept and block file activity are on borrowed time in the Mac environment.

Catalina goes read-only and deprecates kexts

With the release of Catalina, Apple moves the operating system onto its own read-only APFS system volume, separate from the volume that holds user data, so that system files cannot be modified in place while System Integrity Protection is enabled, even by root. At the same time, Apple deprecates kernel extensions: third-party kexts still load on 10.15 once the user approves them in Security & Privacy, but Apple has told developers to migrate to System Extensions and the Endpoint Security framework, which do the same job from user space. Both changes strengthen the overall security stance of macOS. But they are a major problem for legacy DLP products such as those from Symantec and McAfee, which depend on kernel extensions for their core functionality.

Legacy DLP is living on borrowed time in Catalina

Take away the kernel extension and you take away the blocking functionality of legacy DLP. The products will technically still “run” on Catalina (with the usual kext approval prompts, kernel panics and other pains), but a vendor that has not ported its agent to the Endpoint Security framework is relying on a mechanism Apple has already marked for removal, and when it goes, so does the ability to block risky user actions. In effect, legacy DLP is on a path to ceasing to work altogether. At a time when insider threat continues to escalate, companies simply can’t afford to risk leaving their data exposed.
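Before scheduling a Catalina rollout, the practical check is to inventory which kernel extensions your endpoints actually load and which of them are not Apple’s, since those are the agents the kext deprecation puts at risk. Below is an added example for this page, not Code42’s or any DLP vendor’s code: it parses the output of `kextstat -l` and lists the third-party bundle identifiers. On a non-Mac host it falls back to a constructed sample whose bundle identifiers (`com.example.*`) and UUIDs are placeholders, not real vendor identifiers.

```python
"""Inventory third-party kernel extensions loaded on a Mac.

Added example for this page, not Code42 or vendor code. It assumes the
column layout `kextstat` has used for years:
    Index Refs Address Size Wired Name (Version) UUID <Linked Against>
The sample below is constructed; the com.example.* identifiers are
placeholders, not real product kexts.
"""
import platform
import re
import subprocess

# Constructed sample of `kextstat -l` output (-l suppresses the header).
SAMPLE_KEXTSTAT = """\
    1   97 0xffffff7f80e8d000 0x9000     0x9000     com.apple.kpi.bsd (19.0.0) 2A3B4C5D-0000-4000-8000-000000000001 <>
   23    0 0xffffff7f82a00000 0x5000     0x5000     com.apple.driver.AppleHDA (283.15) 2A3B4C5D-0000-4000-8000-000000000002 <9 8 6 5 3 1>
  150    0 0xffffff7f84e5c000 0x1d000    0x1d000    com.example.dlpagent.kext (4.2.1) 2A3B4C5D-0000-4000-8000-000000000003 <8 6 5 3 1>
  151    0 0xffffff7f84f00000 0x8000     0x8000     com.example.vpn.tun (2.0.0) 2A3B4C5D-0000-4000-8000-000000000004 <6 5 3 1>
"""

# Index, Refs, three hex columns (Address, Size, Wired), bundle id, (version).
LINE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+0x[0-9a-fA-F]+\s+0x[0-9a-fA-F]+\s+0x[0-9a-fA-F]+"
    r"\s+(\S+)\s+\(([^)]*)\)"
)


def parse_kextstat(text):
    """Return [(bundle_id, version, refs), ...] for each kext line; a header
    line or anything else that does not fit the layout is skipped."""
    parsed = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            parsed.append((m.group(3), m.group(4), int(m.group(2))))
    return parsed


def third_party_kexts(text):
    """Bundle identifiers outside Apple's com.apple.* namespace, sorted.
    These are the extensions a kext deprecation can break."""
    return sorted(bid for bid, _, _ in parse_kextstat(text)
                  if not bid.startswith("com.apple."))


def loaded_kextstat():
    """Run kextstat on a Mac and return its output."""
    if platform.system() != "Darwin":
        raise RuntimeError("kextstat is only available on macOS")
    return subprocess.run(["kextstat", "-l"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    text = loaded_kextstat() if platform.system() == "Darwin" else SAMPLE_KEXTSTAT
    for bundle_id in third_party_kexts(text):
        print(bundle_id)
```

Any identifier it prints on a Catalina host belongs to an agent whose vendor you should ask about an Endpoint Security (system extension) port before the fleet upgrades. On the same host, `mount` shows the root volume flagged `read-only`, which is the other Catalina change described above. On macOS 11 and later `kextstat` is superseded by `kmutil showloaded`, whose output this parser does not handle.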

You can’t afford not to upgrade

Most legacy DLP vendors are approaching the kernel crisis carefully. They’re reaching out to customers with one-to-one communications, trying to convince them not to upgrade to Catalina so they can retain the functionality of their DLP products (for example, reference the table on Symantec’s support page). But not upgrading is not viable in the long-term. You need to give your users access to the latest features of Catalina; moreover, your users will demand the upgrade. And your security team can’t afford the security risks of lagging behind.

Figure: the current recommendation on Symantec’s support page. The latest Catalina release makes the security gap evident for legacy DLP customers.

There’s not a ton of time to waste, either. Apple will end updates, security patches and support of macOS Mojave in less than 24 months. That means most organizations need to begin planning their upgrades, including how they’ll fill the resulting security gap, now.

DLP for Macs has always been painful

Running legacy DLP on macOS has always been frustrating, a “square-peg-round-hole” problem that creates more work for security teams and increases the potential for dangerous gaps in visibility and protection. But the clear trend is that Apple is making it even harder for DLP to function in macOS — leading to more kernel panics, frustrations and potential security gaps. So the “kernel crisis” of the Catalina upgrade isn’t coming out of nowhere. The reality is that legacy DLP was not built with Macs in mind, and this disconnect is coming to an urgent head.

Code42 is next-gen data loss protection built for Macs

At Code42, we know the pains of legacy DLP for Macs firsthand — and built our Code42® Next-Gen Data Loss Protection solution to mesh seamlessly with macOS. We understand macOS better, so we approach things differently by:

  • Working at the file-system level to focus on what really matters — your file data
  • Monitoring the applications that access, interact with and touch those files
  • Giving you deeper, broader visibility into all file activity — across your endpoints, in the cloud and in applications

We don’t have to muck around at the kernel level, playing the whack-a-mole game of activity-blocking. All of this means that the functionality of Code42 Next-Gen Data Loss Protection is unaffected by the security improvements in the Catalina upgrade.

Providing the business-critical push to move to next-gen data loss protection

Most security pros already know the many pains of running legacy DLP products on Macs. So, the good news is that the Catalina kernel crisis will give many security teams the final push they need, providing a business-critical reason to move to a better data loss protection solution. In fact, several of the world’s leading tech companies anticipated the Catalina kernel crisis and have turned to Code42 Next-Gen Data Loss Protection: not just to fill the gap created by the Catalina upgrade — but to help them build a more forward-thinking, future-ready data loss protection strategy.


2019 Evolutionary Award Winners Showcase Innovation in Data Loss Protection

With all the scary statistics out there about the growing data security threats in the enterprise world, it’s easy to lose sight of a more optimistic fact: Enterprise data security is getting better — and organizations everywhere are building smarter data loss protection programs. Each year, the Code42 Evolutionary Awards celebrate the smart, innovative and just-plain-cool ways that organizations are protecting their data. This year, we recognized 10 organizations for their extraordinary innovation in data loss protection. Let’s take a look at the 2019 Evolutionary Award winners:

Evolutionary Award: BAYADA Home Health Care

BAYADA Home Health Care won the namesake Evolutionary Award for completely evolving the way their company secures data, protects IP, and enables users. Their data security journey began with safeguarding training videos in the cloud for their mobile workforce, then expanded to protecting data from the threat of lost and stolen laptops. BAYADA’s current project is to ensure that their proprietary and regulated data is secured and monitored for loss and proper usage. “Protecting data is impossible if you don’t have comprehensive visibility into where your data is, and to accomplish this you need the right tools,” says Craig Petrosky, director of Desktop Equipment Services for BAYADA. “That’s why it was critical for us to implement a solution that provides near real-time detection and the ability to respond to cases of data loss, leakage, misuse, or potential exposure.”

Guardian Award: Cisco

Cisco won the Guardian Award for a security team that creatively and effectively fends off an array of threats —from ransomware to malicious insider actors — to protect its valuable data. Cisco has developed countless data protection workflows by using Splunk to develop actionable insights about how data may be infiltrated and exfiltrated from the organization. “In today’s data landscape, it is important to have a solid data collection agent, one that offers insight into where data is, where it’s moving, and where it’s been. A tool that can offer this is an invaluable tool for Insider Threat investigations” says Kevin Currie, investigator CSIRT of Cisco.

Rookie Award: Ironwood Pharmaceuticals

Ironwood Pharmaceuticals won the Rookie Award for an organization that has successfully deployed a new software product within the past year. Deploying new software is never a small feat, and Ironwood Pharmaceuticals did so with a de-merger on the horizon, knowing that they would soon have to split their deployment in two. “When our organization was going through the de-merger, we needed a simple and flexible solution to ensure our data is protected,” says Lian Barry, manager, end user support for Ironwood. “We found a solution that has provided constant assurance that our data is protected throughout this period of increased organizational change.”

Harmony Award: MacDonald-Miller

MacDonald-Miller won the Harmony Award for striking a balance between data protection and empowering employees to be productive and collaborative in order to deliver results to the company’s bottom line. Two of MacDonald-Miller’s top security priorities are that users never experience downtime from data loss, and that valuable data is not leaving with departing employees. “Our data is our competitive advantage,” said Eddie Anderson, technical business analyst at MacDonald-Miller. “It’s critical for us to protect data from loss, leak and theft, while enabling our employees to collaborate and work at the speed of business.”

Evangelist Award: David Chiang, MACOM

David Chiang, IT system engineer of MACOM, won the Evangelist Award for an individual with expertise in data loss protection who sets industry best practices and actively shares them with peers. Chiang’s passion for software deployment and systems integration began with an intern project and has evolved into deep expertise on protecting data in the midst of a digital transformation. “Digital transformations are exciting, but they can put data at an elevated risk,” says Chiang. “It’s important for organizations to take steps to protect their most important asset — their data — during these times.”

Atlas Award: Proofpoint

Proofpoint won the Atlas Award, honoring an organization for deploying and protecting an expansive global workforce. As the Proofpoint organization grew quickly through M&A, business continuity and user productivity were top priorities set by the CIO. “With help from professional services, we were able to quickly go from nothing to a fully deployed data collection agent that can support our global workforce, ensuring we never experience data loss. We had a very successful deployment and it proved ROI within four months,” says Brock Chapin, systems admin for Proofpoint.

Trailblazer Award: Schneider Electric

Schneider Electric won the Trailblazer Award for improving a critical workflow or process for its organization. The company developed a custom app, used as part of their computer depot service, which collects and recovers data — in order to streamline, expedite and standardize the service. The results: time saved for technicians, reduced end-user downtime and improved user experiences. “As anyone in IT knows, positive user experience is critical to the effectiveness of any technical program. Our custom app not only provides that user experience, but it also lets them get back to work faster through decreased down time,” says Austin Joe, end point solutions senior engineer, enterprise IT of Schneider Electric. “We couldn’t be happier with the results.”

We’re in this together

Join us in giving a virtual round of applause for these successful and innovative organizations. These examples not only represent major achievements for the organizations themselves, but the overall progress of the collective community of enterprise data security professionals. As your security team tackles emerging and evolving data loss challenges, don’t forget that you have a powerful resource in your Code42 peer network. From looking to examples like the customers highlighted here as inspiration or blueprints for your own initiatives, to consulting with other data security professionals to get answers, advice and guidance, we encourage you to leverage this valuable connection to some of the enterprise security world’s best minds and biggest thinkers. While the details differ, we face the same threats, manage the same challenges and share the same goals. We’re in this together.

Today’s Five Biggest Overlooked Data Security Trends

In the weeks following Black Hat USA 2019, I’ve done a little traveling from conference to conference – and, in between all that, met with a few customers. In those conversations, I’ve noticed that the key themes that emerged at this year’s Black Hat (all of which I’ve outlined below) have been holding strong throughout customer conversations. I believe these will be the trends we’ll continue to see throughout the last leg of this year, and well into 2020.

1: Complex Solutions

The first trend that stuck out is how complexity remains too high in cybersecurity. Many vendors continue to talk about how sophisticated their products are and how they can solve complex problems. In doing so, these tools become inherently very complex and unwieldy themselves. There’s a large and relevant inconsistency here: on one hand, the security industry, and really all enterprises, struggle with a serious shortage of skilled cybersecurity personnel. On the other hand, the complexity of the toolsets continues to rise. Something has to give.

Of course, these tools are aimed at people who are assumed to be masters of their trade, and who are able to make informed decisions as they examine data subtleties. Finding people with such talents continues to be one of the biggest challenges in the security industry, and without such staff, these tools end up being misused, or even unused.

2: Skills Gap

The second trend is how vendor complexity exacerbates the skills gap. As more organizations look to hire security staff who are less skilled and experienced with the hopes of quickly training these personnel, security vendors still need to provide the market with products that enable newcomers to be as effective as experienced security professionals.

If we want to get information security right in the next 10, 15 or 20 years, the industry must make products and tools that are easier for this next generation of security professionals to consume. Innovative technologies like machine learning and AI are indeed exciting, but they need to be coupled with easy and prescriptive solutions that new security professionals can start using right away without having to be experts first.

3: Communication is Key

The third trend: security vendors need to improve how they communicate their value. By walking the show floor at Black Hat and engaging with various security vendors, you’ll quickly realize that they don’t communicate their value propositions very clearly. It’s a real challenge to determine what many vendors actually do and make sense of whether or not these “solutions” actually solve specific challenges.

This is an area where the entire security industry can improve. The focus needs to be on how to better communicate the value of products and services, and how they provide better business outcomes. However, it’s not just security vendors that should be thinking about how they impact business outcome versus just tools and technologies; security engineers, architects, directors and CISOs must also do a better job of discussing business outcomes and how their investments will improve those outcomes.

4: Management Challenges

The fourth trend is that the challenges associated with managing data loss remain high. There is a considerable amount of continued frustration when it comes to managing data loss.

In fact, all of the leading data loss prevention vendors still talk about how they use AI to help classify data and automatically create data-loss policies. However, none have crossed the threshold where they can help security teams that don’t have the wherewithal to undertake a monumental project lasting several months or years to classify all of their data so that they can begin to deploy DLP.

Related to this is how understaffed and stressed most security teams seem to be. At the conference, I met with growing enterprises that have staffing ratios so low that one internal person supports 100+ employees. That ratio is far too low, and it’s why it doesn’t matter how cool the technology is; if it doesn’t help security teams that are under constant stress, then it simply doesn’t matter.

“ Making data-loss protection seamless and able to be managed by security teams of any size is something that we think a lot about at Code42. We focus on solving real-world cases, such as dealing with data loss risk by departing employees and high-risk employees in ways that don’t require hundreds to thousands of staff work hours to get right. ”

5: Product Consolidation

The final trend is the continued high level of technological and product consolidation occurring within the security market. This has been going on for some years now, and it’s continuing to accelerate. Security vendors continue to expand to adjacent problem spaces with complementary solutions – be it a DLP vendor acquiring CASB products, or a next-gen firewall solution adding EDR and SOAR capabilities to their portfolio. Elevating the business value to customers is one of the biggest drivers to increase user adoption of these new products and technologies.

These are the trends I noticed while exploring the show floor, speaking with vendors about the issues they are trying to solve, as well as meeting with customers and prospects. While the challenges are steep, I’m convinced that the industry and security professionals alike are motivated to learn, adapt and improve in order to solve the intricate obstacles we face, such as insider threat. We should expect to see solid progress in these areas in the next year.

Zero Trust Starts with Data Security

Recently, I joined co-presenter Chase Cunningham from Forrester for a webinar titled, “Zero Trust starts with Data Security.” You can’t be in security and not have heard of Zero Trust. It’s become marketing fodder to a lot of folks, so our goal was to present a very real-world scenario of what was driving the Zero Trust movement. Recently, Code42 commissioned Forrester Consulting to evaluate challenges that organizations face using traditional data loss prevention solutions. They surveyed 200+ security budget decision makers in the U.S. at organizations with 1,000 to 4,999 employees.

Here is a summary of the key takeaways from the webinar: 

It’s war! 

Make no mistake, we are living in a warfighting domain in cyberspace. In fact, in 2010 the U.S. Department of Defense declared cyberspace a warfighting domain. Simply put, your business and its associated data is in the middle of a war zone.

Compliance is more than a checkbox!

You can be compliant or you can be secure. Often organizations that choose to just be compliant are still setting themselves up for major security breaches. The analogy Chase used to explain this idea in the webinar is reason enough to watch the replay.

DLP isn’t the second coming. Prevention isn’t enough.

There is plenty of market frustration about the current state of DLP. Users have essentially checked out and are recognizing that there is a critical protection layer missing from the security stack.

Insider threat is on the rise. 

Here’s a stat to ponder: Ninety percent of insider data loss, leak and theft goes undetected internally.

Departing employees are taking your data.

Fifty percent of the labor force is already looking for new employment, half of which have been with their current employer for less than a year. They are quitting at alarming rates, and they are taking your data when they go! 

Workflows don’t exist.

We asked a very simple question of today’s organizations: Do you have a departing employee workflow? While badge and device collection are standard HR protocols, we heard crickets when it came to “collecting the data.” Simply put, organizations do not have a process for protecting corporate data when employees leave. 

Data is no longer the core focus. Everything else is.

Solutions and training have shifted the focus away from the core problem of the “data” itself. Prevention-oriented solutions are so focused on policies, classification and blocking, etc., that they are ignoring data altogether, which is a critical element in the Zero Trust approach. 

Zero Trust is a timely reminder…

To focus on the data! 

All data matters

At the core of Zero Trust is an approach rooted in collecting all data, not culling it out. 

It’s about data loss protection 

You have to complement a prevention-focused approach with protection measures because ultimately it is imperative to reduce the time to detect, investigate and respond to a data breach. 

Follow the data, not the employee!

While it can be easy to get suckered into a “Big Brother” mindset of monitoring employee movement patterns, all you really need to do is understand data movement patterns. After all, it’s the data the employee is after! 

To dive into the details of this webinar some more, catch the entire on-demand version here.

YMCA Twin Cities Takes a Next-Gen Approach to Data Loss Protection

The Y connects with youth, adults, families and seniors of all backgrounds to explore and enjoy opportunities to learn, grow and thrive. In order to strengthen the community, which is our cause, it’s important that we make it easy for our employees and volunteers to do their work in supporting our programs and services — and data security plays a vital role.

The importance of data security for us lies in our ability to keep our data safe while enabling our users to get their jobs done efficiently and fast, without hindering what they’re trying to do. If our users aren’t able to access their data, it impedes their ability to accomplish the mission of the YMCA of the Greater Twin Cities. Specifically, data loss means time wasted in redoing work; it means time spent researching where that data went; it means determining whether that data movement created a new risk for the organization; and ultimately, it means not being able to serve our community so all can thrive.

People want to embrace technology and expect that it will allow them to get their jobs done quicker. As a security director, it is my responsibility to layer in security in a way that enables employees to use technology the way they want to. That’s critical, because if we don’t, they’ll stop using the organization sponsored technology entirely. Providing for this flexibility requires strong governance, and faster detection and response to data loss incidents.

I don’t think traditional data loss prevention (DLP) works. Policy sets with traditional DLP are hard to tune, and it takes months or maybe even a year or two to get to the point where you can enforce policy rather than just monitor. I am not willing to accept the risk associated with imperfect policies, resulting in blind spots. Instead, to enhance the security of the YMCA of the Greater Twin Cities, I prioritize faster detection and response.

When our existing DLP solution was due for an upgrade, we took a cloud-first approach to looking for a replacement. We also wanted to get away from the burden that traditional DLP places on user productivity when policies block the movement of data for legitimate workflows. Considering this, we found that it made sense fiscally, strategically and technologically, to replace our legacy DLP solution with Code42 Next-Gen Data Loss Protection.

Code42 Next-Gen Data Loss Protection gives us the visibility we need across our endpoints and cloud applications — visibility that I haven’t had through other tools. We can create alerts to help us find any data exfiltration attempts so we can quickly take action, in the event of insider threats. It also helps us detect, respond and recover should there be an incident where a departing employee takes data.

“ The simplicity of the Code42 deployment was amazing. It’s been invaluable for us to be able to deploy efficiently and in such a short time because it freed us to work on other projects. ”

And, we were able to replace more than 10 on-premise servers with a cloud deployment, bringing financial savings. Code42 Next-Gen Data Loss Protection accelerates our detection and response to data loss and leak, at a fraction of the cost of alternatives, all without impeding users from accomplishing the YMCA of the Greater Twin Cities’ mission.

From advocacy to aquatics, child care to camps, mentoring to multicultural experiences, sports to safe spaces, water safety to wellness, the Y strengthens the community with life-changing programs and services. With Code42, we’ve been able to advance our data security program to support these efforts.

Tips from the Trenches: Building a Security-Minded Organization

As a security software company, it’s essential that everyone at Code42 thoroughly understands the security industry. This is true for nearly every position. Our sales teams need to fully understand the needs of our customers, and human resources need to understand security as they recruit candidates in the security industry, where it’s highly competitive to find the requisite talent.

Marketing clearly needs to understand not only the big-picture security needs of our customers, but also the daily life and day-to-day challenges of a security analyst. Furthermore, as security becomes an integral component in DevSecOps, developers need to better understand application security, which means that security folks also need to up their code writing skills.

Of course, not everyone requires the depth of knowledge one would expect to find on a professional security team, but everyone who works at a security software company should understand security basics. With that goal in mind, we have created the new Security Ninja program, designed to teach security and to let employees earn new belts as their mastery progresses. The belts start with a white belt and culminate in a black belt, which requires a security certification to earn. These Code42 security ninjas become our security ambassadors within the company.

This self-driven program begins when an employee registers to earn a belt and can be completed on the employee’s own schedule. Credits are earned for time spent learning and can come from a mix of free training found online (including YouTube videos), attending a security lunch, and learning from and sharing lessons on our company Slack channel. When an employee shares his or her lessons learned on our internal Slack channels, it makes me smile, because we now have employees teaching each other what they know about information security.

For security awareness teams, watching employees gain more security knowledge that exceeds what is required for compliance, is literally a dream come true. These trainings are no cakewalk, mind you: The belts require the applicant to not be late on any of his/her security or privacy trainings, and the applicants must not have clicked on a link in a test phishing email. If they do, they can apply to continue their training in the following quarter. Since we implemented the Ninja program last January, we’ve seen our training completions rise and fewer links in phishing tests clicked. This is a huge win.

To keep engagement high, we’ve built the program to be competitive and also fun and lighthearted. We regularly communicate about the program on our company-wide Slack channel. Some managers have set goals for their teams to gain their belts and initiate a bit of friendly competition in the process. Our sales teams are thrilled to expand their security expertise to better understand our customers and prospects and to speak their language.

Here’s how applicants earn their belts: First, they must provide evidence of completion on the learning activities they chose, even if it’s just a screenshot. Once they’ve gained the required amount of training credits, applicants can then take an online exam in our Learning Management System (LMS). At the end of the quarter, the LMS list of successful exam completions becomes my starting list to check off evidence submitted by each applicant. I check evidence “audit style” by randomly selecting people to audit; the truth is, however, that I’m so thrilled at the work they are all doing that I tend to review all evidence submitted, especially the “lessons learned.” There is no greater sense of satisfaction for a security awareness professional. 

Each quarter, we celebrate all of the new ninjas and award them their “belt,” i.e., a colored badge with an outline of a ninja. The ninjas can attach the belt to their badge holder or lanyard to proudly display their ninja level status. Of course, we have fun with this, too, by inviting everyone to our main meeting area and providing donuts to mark their accomplishments. We call it “Donuts in the Dojo,” and our CISO is there to congratulate everyone on their newfound security expertise.

This is not only a win for the security team, it’s also a win for the employees. They can more confidently navigate the world of security professionals and better understand our customers. All of this means it’s a huge win for Code42.

Code42 Helps Accelerate the Alert Data Pipeline for Ping Identity through Enhanced Detection and Response (Video)

At Ping Identity, our whole business is built around security. Our unified platform provides intelligent access for customers, employees and partners so they can securely connect to cloud, mobile, SaaS and on-premises applications and APIs. With more than 2 billion identities under management, data security is critical to our mission. 

Data security comprises three critical areas: detection, protection and response. And no one solution can focus on all areas. Just like there’s no one tool you’d use to work on a car, different tools focus on different areas of security. Using them together enables a security team to deliver the greatest protection for their company. 

Code42 Next-Gen Data Loss Protection is one of the solutions that Ping uses to help detect and respond to data threats. Code42 has always been a data organization. Now with their next-gen solution, they’re evolving into a tool that handles a broad range of alerting, no matter where data lives and moves. At Ping, like many other companies, our data lives in many places: endpoints, cell phones, servers and cloud applications. Data is always moving, and detecting its movement as it exits the organization is critical.

I would argue that the biggest challenge for security professionals today is managing a collection of disparate security tools along with the sheer volume of alerts that they drive. While coordinating all these tools is a challenge, it would be impossible to secure an organization without them. This is why it is critical to bring alert data onto a central plane, where it can be seen by all security professionals and business partners in a singular manner.

To achieve this at Ping Identity, I built an alert data pipeline. This highly scalable pipeline enables us to act quickly by routing the alerts directly to the individual accountable for responding. For example, in a situation where a departing employee moves data onto a USB, an alert would be automatically sent to Human Resources. Code42 is one of the security tools that fits into our alert data pipeline solution. It provides visibility to potentially risky data movement and accelerates our detection and response. 

For Ping, adding Code42 Next-Gen Data Loss Protection to our security toolkit has been critical in helping us achieve our mission — to keep our customers’ data safe.

I’m Taking Data, and DLP Can’t Stop Me (Video)

Here’s my confession: I plan to take data with me whenever I leave my employment at Code42. I know exactly what data I will take and how I will take it. Am I concerned about getting caught? Not really. Most data loss prevention products won’t even see me doing it, let alone prevent me.

I’m not alone in my data scheming. Code42’s 2018 Data Exposure Report revealed that up to 72 percent of employees admit to taking data from their previous employer to their new one—and that’s just those who will admit to the data theft. On top of that, 90 percent of companies feel vulnerable to insider threat.

Thankfully, in my case, all of the data on my list consists simply of pictures of me and my dog. But when I’m taking data with me upon my departure, shouldn’t the company security team be able to tell? Ideally, yes. The challenge is that humans are unpredictable, and prevention toolsets don’t take our chaotic nature into account.

“ At its core, data loss prevention (DLP) isn’t new. In fact, the desire to prevent data from disappearing is universal. Sadly, the failures to prevent data loss are as common as they are ancient—just ask the librarians at Alexandria how well their plans to prevent data loss worked. ”

While Code42 isn’t in the business of securing burning libraries, we do focus on data loss protection. Unfortunately, data loss prevention as a software category has experienced innumerable failures. Whether it’s source code, client lists, CAD drawings, or the latest episode of a certain winter-obsessed TV show, people put their data into places they shouldn’t, and they manage to do it regardless of how good the data loss prevention tools and policies are, how large the security team is, or how many ports on their machines are disabled. Data loss prevention is failing. If you have data loss prevention deployed, there’s a good chance it is failing you right now.

Scared yet? Concerned?

You should be. People, even when set loose in a perfectly architected, immaculately maintained environment, will still wreak havoc intentionally or accidentally. If you build a wall, someone will build a taller ladder. If you block USB access, someone will use any number of other options to obtain that access. For everything else, there’s Florida Man. The TL;DR version: No plan survives first contact with the enemy.

What does all of this mean for data loss prevention tools? It means policies don’t stop people from taking data. One can’t out-engineer the malicious intent of a determined human. This is why Code42 moves beyond prevention to data loss protection: prevention on its own simply doesn’t work, for all of the reasons I just cited. At Code42, we focus on protecting from data loss, because it is both possible and critical to rapidly detect, investigate and respond to a potential data loss incident.

To these ends, there are three additions we’ve made to our product that will help you to better protect your organization from data loss. Here they are:

Data Exposure Dashboards

Our data exposure dashboards enable you to quickly visualize exfiltration events across removable media as well as personal and corporate cloud accounts. They provide a 1-, 7-, 30-, or 90-day view of events across your organization in order to quickly investigate anomalous findings. Additionally, these dashboards reveal which files have been shared externally in your corporate Google Drive, OneDrive, and Box environments over the same period of time.

Data Exfiltration Alerts

The new data exfiltration alerts enable the creation of alert profiles for some, or all, of the users in your organization based upon how much data are being moved to removable media and cloud services. These alerts show exactly what data were moved, down to the specific file content. This makes it easy to assess whether the exfiltration poses a data loss risk to your organization.
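The threshold-based exfiltration alerts described above, and the routing of each alert to the person accountable for responding that the Ping Identity post describes (a departing employee moving data to USB triggers an alert to Human Resources), as one added example. This is illustrative Python written for this page, not Code42’s product code or Ping’s pipeline: each alert profile carries a bounded time window, file-count and byte thresholds, the destination types it watches, an optional watchlist of users, and the channel or mailbox that owns the response. The profiles, user names, file paths, the HR mailbox and the events themselves are constructed assumptions.

```python
"""Threshold alerts over file-movement events, routed to the owning responder.

Added example; not Code42 or Ping Identity code. Event shape, profiles,
users, paths and routing targets are all assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Optional

MB = 1024 * 1024


@dataclass(frozen=True)
class FileEvent:
    """One file-movement event as an endpoint agent might report it (constructed shape)."""
    ts: datetime
    user: str
    path: str
    size_bytes: int
    destination: str  # "removable_media", "cloud_personal" or "cloud_corporate"


@dataclass(frozen=True)
class AlertProfile:
    """Fires when matching events inside one window exceed either threshold."""
    name: str
    window: timedelta
    max_files: int
    max_bytes: int
    destinations: FrozenSet[str]
    route_to: str                            # channel or mailbox owning the response (assumed)
    users: Optional[FrozenSet[str]] = None   # None = everyone; a frozenset = a watchlist


def evaluate(events: List[FileEvent], profiles: List[AlertProfile]) -> List[Dict]:
    """Return at most one alert per (profile, user), listing exactly which files moved."""
    by_user: Dict[str, List[FileEvent]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_user[ev.user].append(ev)

    alerts: List[Dict] = []
    for prof in profiles:
        for user, user_events in by_user.items():
            if prof.users is not None and user not in prof.users:
                continue
            evs = [e for e in user_events if e.destination in prof.destinations]
            start = 0
            for end in range(len(evs)):
                # Slide the window's left edge so it spans at most prof.window.
                while evs[end].ts - evs[start].ts > prof.window:
                    start += 1
                window = evs[start:end + 1]
                total = sum(e.size_bytes for e in window)
                if len(window) > prof.max_files or total > prof.max_bytes:
                    # Thresholds crossed: pull in the rest of the burst that still fits in
                    # one window, so the responder sees the whole file set, not just the trigger.
                    while end + 1 < len(evs) and evs[end + 1].ts - evs[start].ts <= prof.window:
                        end += 1
                    window = evs[start:end + 1]
                    alerts.append({
                        "profile": prof.name,
                        "user": user,
                        "route_to": prof.route_to,
                        "file_count": len(window),
                        "total_bytes": sum(e.size_bytes for e in window),
                        "files": [e.path for e in window],
                        "window_start": window[0].ts.isoformat(),
                        "window_end": window[-1].ts.isoformat(),
                    })
                    break  # one alert per (profile, user); do not re-fire on every later event
    return alerts


def sample_events() -> List[FileEvent]:
    """Constructed events: a departing engineer copies CAD files to USB; a colleague syncs two small files."""
    t0 = datetime(2019, 8, 5, 9, 0, 0)
    return [
        FileEvent(t0, "alice", "/cad/amp_v3.dwg", 400 * MB, "removable_media"),
        FileEvent(t0 + timedelta(minutes=3), "alice", "/cad/amp_v3_layout.dxf", 350 * MB, "removable_media"),
        FileEvent(t0 + timedelta(minutes=7), "alice", "/cad/test_bench.xlsx", 2 * MB, "removable_media"),
        FileEvent(t0 + timedelta(hours=2), "bob", "/notes/standup.txt", 1 * MB, "cloud_personal"),
        FileEvent(t0 + timedelta(hours=3), "bob", "/photos/dog.jpg", 4 * MB, "cloud_personal"),
    ]


def sample_profiles() -> List[AlertProfile]:
    """Assumed profiles: a tight one for the departing-employee watchlist routed to HR,
    and a loose org-wide one for bulk cloud uploads routed to the security channel."""
    return [
        AlertProfile("departing-employee-removable-media", timedelta(hours=1),
                     max_files=2, max_bytes=500 * MB,
                     destinations=frozenset({"removable_media"}),
                     route_to="hr-insider-risk@example.com",
                     users=frozenset({"alice"})),
        AlertProfile("org-wide-bulk-cloud-upload", timedelta(hours=24),
                     max_files=50, max_bytes=1024 * MB,
                     destinations=frozenset({"cloud_personal", "cloud_corporate"}),
                     route_to="#security-alerts"),
    ]


if __name__ == "__main__":
    for alert in evaluate(sample_events(), sample_profiles()):
        print(f"[{alert['profile']}] {alert['user']} -> {alert['route_to']}: "
              f"{alert['file_count']} files, {alert['total_bytes'] // MB} MB: {alert['files']}")
```

Two design points worth noticing: the watchlist profile ignores identical USB activity by a user who is not on the list, which is what keeps the tight departing-employee thresholds from flooding the org-wide channel, and an alert is extended to the end of the burst before it is emitted, so the responder receives one message naming every file rather than a separate alert per file after the threshold.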

SOAR BABY SOAR

Alerts are great, but they don’t work in a vacuum. Alerts need context. Previously, we’ve written about our integration with Splunk Phantom, and now we’re happy to announce support for IBM’s Resilient Security Orchestration, Automation and Response (SOAR) platform. With this new integration, it’s now possible to include Code42’s data exfiltration and forensic metadata in your existing incident response automations. You can learn more and download the Code42 Resilient app by visiting the IBM Security App Exchange.

And with that, I’m afraid this post has come to an end.

But not before I take a moment to brag. Code42 keeps racking up hardware in the form of industry awards. Most recently, we were honored with the Black Unicorn award from CyberDefense. If you want to see how awesome we are, head over to our honors page.

Stay safe out there.

Tips From the Trenches: Using Slack to Enhance Security

Slack, the popular collaboration tool, got more than its share of media attention last month. All this Slack buzz gives us an opportunity to share how we use Slack here at Code42. We’ve thoroughly vetted Slack, and rather than banning it as a security risk, we actually use the tool to enhance our security capabilities.

Why Code42 uses Slack

So, what about those security concerns? Any tool that facilitates the sharing of information brings some risk of user abuse or error, such as oversharing, mis-sharing, etc. That’s true for Slack, just as it’s true for Google Docs, Dropbox — and even, yes, Microsoft Teams. Just like our approach to data loss protection, our internal security strategy takes an honest look at risk mitigation that focuses on the biggest risks — without unnecessarily impeding productivity, collaboration and innovation. Like all our third-party vendors, we hold Slack to our rigorous vendor security standard, which includes an annual vendor security risk reassessment process. Moreover, we’ve put security controls in place that balance the need to mitigate the inherent risks of information-sharing with the productivity and innovation value of the tool itself.

How we use Slack

At Code42, nearly every employee uses Slack every day for real-time direct messaging, increasing productivity and helping us deliver on one of our core company values: Get it Done, Do it Right. The Code42 security team, in particular, leverages Slack in unique and powerful ways. Here are a couple of ways we have integrated Slack functionality to improve our internal security program:

  1. Security alert notifications: Slack’s Incoming WebHooks allow you to connect applications and services to your Enterprise Slack. We use this capability to implement security notifications tied to activities in our security applications, which are then posted in a corresponding Slack channel. This provides our security analysts and partners across the business with real-time alerts right in the application where they are already communicating and collaborating throughout the day, helping them take appropriate and timely action.

    For instance, we have created private channels to alert on critical events within different environments, such as alerts from Capital One’s Cloud Custodian. The alerts are based on policy violations that we define in YAML policy files. Cloud Custodian then alerts our team — and takes action when needed. For example, if Cloud Custodian sees an S3 bucket configured as public, it will make it private by changing permissions in the access control lists (ACLs) and bucket policies — and then notify our teams of the change via Slack, as depicted in the screenshot below.

    Screenshot of Slack’s Incoming WebHooks tool:

  2. Security news and updates: Our security team also created a public channel (open to everyone at Code42) as a collaborative workspace for all users. The public channel enables staff to crowdsource and share security knowledge, and to have discussions around the latest security news. Anyone can post security articles, whitepapers, podcasts, blogs or news — highlighting interesting ideas — and weighing in on each other’s responses. This channel acts as a security news feed, delivering just-in-time security-related information to employees to keep them aware of the latest security threats and trends. Code42 employees also often post what they are seeing in their own news feeds as they become more security savvy.
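The public-bucket remediation and Slack notification described in item 1, as an added example. This is not Code42’s or Cloud Custodian’s code: Cloud Custodian expresses the flow declaratively in a YAML policy (a filter that matches public grants, a remediation action, and a notify action), whereas the Python here writes the same three steps out explicitly, detect, remediate, notify, so the logic is visible and runs offline against constructed inputs shaped like boto3’s `get_bucket_acl()` and `get_bucket_policy()` responses. The bucket name, canonical IDs, VPC endpoint ID and webhook URL are placeholders.

```python
"""Detect a public S3 bucket, build the private ACL, and notify Slack via an Incoming Webhook.

Added example; not Code42 or Cloud Custodian code. Inputs are constructed to
match the shape of boto3 get_bucket_acl()/get_bucket_policy() responses.
"""
import json
import urllib.request
from typing import Dict, List, Tuple

# Grantee URIs that make a bucket readable/writable by the world or by any AWS account.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl: Dict) -> List[Dict]:
    """Grants in a get_bucket_acl()-shaped dict that go to a public group.
    Other group grants (e.g. s3/LogDelivery) are not public and are left alone."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS]


def _principal_is_anyone(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def public_policy_statements(policy_doc: str) -> List[Dict]:
    """Allow statements open to anyone and not scoped by a Condition.
    Conditioned statements (e.g. aws:SourceVpce) are left for a human to review."""
    statements = json.loads(policy_doc).get("Statement", [])
    if isinstance(statements, dict):   # a policy may carry a single statement object
        statements = [statements]
    return [s for s in statements
            if s.get("Effect") == "Allow"
            and _principal_is_anyone(s.get("Principal"))
            and "Condition" not in s]


def remediate(acl: Dict, policy_doc: str) -> Tuple[Dict, List[Dict], List[Dict]]:
    """Return (private ACL, removed grants, public statements to strip): the change set
    a caller would apply with put_bucket_acl() and put_bucket_policy()."""
    removed = public_acl_grants(acl)
    private_acl = {"Owner": acl["Owner"],
                   "Grants": [g for g in acl.get("Grants", []) if g not in removed]}
    return private_acl, removed, public_policy_statements(policy_doc)


def slack_payload(bucket: str, removed_grants: List[Dict], removed_statements: List[Dict]) -> Dict:
    """Incoming Webhook body (plain "text" using Slack mrkdwn) describing what changed."""
    lines = [f"*S3 bucket `{bucket}` was public and has been made private.*"]
    for g in removed_grants:
        group = g["Grantee"]["URI"].rsplit("/", 1)[-1]
        lines.append(f"- removed ACL grant {g['Permission']} to {group}")
    for s in removed_statements:
        lines.append(f"- removed bucket-policy statement {s.get('Sid', '<no Sid>')} "
                     f"(Principal `*`, Action {s.get('Action')})")
    return {"text": "\n".join(lines)}


def post_to_slack(webhook_url: str, payload: Dict, timeout: float = 5.0) -> int:
    """POST the payload. The webhook URL is a bearer secret: anyone holding it can post
    into the channel, so load it from a secret store rather than a checked-in policy file."""
    req = urllib.request.Request(webhook_url, data=json.dumps(payload).encode("utf-8"),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


# Constructed inputs; bucket name, canonical IDs and the VPC endpoint ID are made up.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"}, "Permission": "WRITE"},
    ],
}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
]})

if __name__ == "__main__":
    private_acl, grants, stmts = remediate(SAMPLE_ACL, SAMPLE_POLICY)
    print(json.dumps(slack_payload("example-bucket", grants, stmts), indent=2))
    # post_to_slack("https://hooks.slack.com/services/T000/B000/XXXX", payload)  # placeholder URL
```

Two edge cases are deliberate: the `s3/LogDelivery` group grant is not public and survives remediation, and the `VpcOnly` statement is open to `*` but carries a Condition, so it is reported for human review rather than stripped automatically; an auto-fixer that removed it would break legitimate VPC-endpoint access. The same discipline applies to the webhook URL itself: it authorizes whoever holds it to post into the security channel, so it belongs in a secret store, not in the YAML policy file committed alongside the rules.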

Walking the Talk

At Code42, we talk a lot about the fundamental paradox of enterprise information security: Information-sharing is both the key to success — and the biggest risk — in organizations. The smart approach focuses on controlling the risk, so you can unlock that value. We’ve vetted Slack and put security controls in place, so we can leverage its capabilities to fuel collaboration, enhance productivity and improve our internal security capabilities. Slack integrates with our security tools for real-time alerting and allows us to quickly disseminate security knowledge throughout the organization. Our internal use of Slack demonstrates how we walk the talk in our own approach to information security.