4 Steps to Create an Insider Threat Strategy

The increased need for collaboration as your employees work from home could be putting your organization’s data at risk. Our study found that 37% of workers use unauthorized apps daily while 26% use them weekly to share files with colleagues. Plus, 36% of workers believe that the increased emphasis on file-sharing has made them more complacent about data security. So, how do you protect your data and your business without stifling your company culture and employee productivity? It starts with building an effective insider threat program. Here are four foundational steps to creating a program that will foster collaboration without compromising the safety of your data. 

Gain support from the top down.

Gaining robust support and buy-in for your insider threat program is the essential first step to protecting the culture of trust within your organization. Support from key stakeholders at all levels will also help you navigate roadblocks and other issues as you create, implement and manage your insider threat program. 

Start at the top by getting the C-suite up to speed on the types of threats that exist, how they could affect the organization, and your strategy to mitigate the risks. After gaining support and funding, an effective insider threat program relies on real-time partnerships between security, IT, HR, legal and other teams within your organization. These different groups are essential to building insider risk management processes around your highest-risk scenarios, such as employee onboarding and offboarding, new product development and organizational changes like M&A. With their personal and professional interest established, focus on clearly defined accountability — what each stakeholder is accountable for delivering or executing in the overall insider threat program.

Focus on monitoring the right things.

It sounds obvious, but it bears repeating because too many companies get this step wrong: Make sure your insider threat program is focused on monitoring the right things — not looking in the wrong direction or trying to look in every direction. Here are considerations to help you focus your insider threat program:

  • Identify your regulated data. Clearly defining regulated data relevant to your organization gives you a solid starting point for what your insider threat program needs to protect. As you build out your insider threat program to address regulated data, you may expand to include non-regulated, unstructured data — your trade secrets, IP and other proprietary and sensitive information that drives your business.
  • Identify your biggest risks. Once you know what you’re protecting, work on understanding what you’re protecting that data from. In most organizations, the biggest insider threat risks center on departing employees, onboarding employees, access privileges to high-value data, and major organizational changes like an M&A.
  • Focus on the data — not the people. Many companies’ security programs focus on employee actions and use tools like user and entity behavior analytics (UEBA). This approach has implications on employee privacy and culture — and it’s simply the wrong focus. It’s the data you’re responsible for protecting. You don’t need to see everything your employees are doing on their web browsers — you just need to see web browser activity that touches your protected data.

Build a program focused on seeing what matters most.

Once you set the focus of your program, it’s time to set your sights on the data that matters most. There is no single tool that provides all the capabilities you need to protect every type of regulated, valuable or sensitive data in your organization. However, an effective insider threat program will complement an overall data security strategy with a combination of security tools that each play essential complementary roles. In general, insider threat programs typically consist of tools that fill three different functions:

  • Logging and alerting: Make sure you are capturing all relevant logging activities (this is sometimes tricky with SaaS applications) and set up alerts for activities deemed riskier.
  • Special tools: Depending on the technology implemented, you may get additional alerts, risk ranking or integrated workflows to help guide your set up.
  • Defined processes: Technology can’t solve all our problems, and sometimes the best program starts with a manual process. This could include an onboarding or offboarding checklist, a periodic audit of privileged user activity and employee training.

Keep in mind there is no one-size-fits-all formula for an insider threat program. The most effective programs build in flexibility and agility. This includes allowing for additional context and accounting for the potential of human error. It also includes incorporating other stakeholders (legal, human resources, managers, etc.) into the program to ensure you are addressing risk appropriately as it changes over time. 

Communicate, communicate, communicate.

Finally, no matter how you decide to build out your program, transparency is a critical ingredient in ensuring efficacy from a data protection standpoint and trust from a company culture standpoint. Make sure your employees understand what you’re monitoring (and what you’re not), why you’re doing it, what they can and can’t do, and why it matters. It’s important that your employees understand how data risk can impact their day-to-day workflows and jeopardize the success of the business. It’s also important that they recognize how a smart approach to data protection does not inhibit their creative, productive and collaborative ways of working.

Forrester Publishes Timely Article on the Rise of Insider Threat

At a time when WFH (work from home) is emerging as the hippest acronym to use, Forrester’s aptly titled “Pandemic Fallout Creates Perfect Conditions For Insider Threat” article by Joseph Blankenship is very relevant. While organizations embrace remote work and figure out creative and innovative ways to unleash their collaborative cultures, they have to be mindful that the battlefield of insider threat has shifted away from the traditional perimeter and into open grounds. Oh, and these grounds happen to be off-network and off-VPN!

I had three brief takeaways from the article that I wanted to provide some personal context on.

  1. “The rapid move to remote work may leave some users outside the typical security controls organizations employ, leaving systems and data vulnerable.”
    This is a no brainer. So far, organizations have had the luxury of creating security strategies tied to the safe vicinity of corporate workspaces. The rapid shift to work-from-home has allowed very little time for planning, so expect gaps!
  2. Security teams need to “[n]ot rely entirely on user behavior monitoring tools that no longer reflect the actual environment users are working in.”
    Traditional approaches to data security haven’t evolved with company culture or the simple reality that users have, in fact, already started a movement of going remote. In this new world, data security simply has to keep pace with the way people work.
  3. “Your users are scared – both of getting sick and losing their jobs. How these concerns are addressed has tremendous impact on the likelihood of users turning malicious.”
    Protecting an organization from insider threat during a pandemic is not all about the tech. It’s just as much a human issue that involves fear and uncertainty. Simple measures that companies take during this time to remind employees of their value can in fact emerge as the best non-technology approach to preventing insider threat from ever happening.    

Code42 Extends Insider Threat Protection to Federal Agencies

An incident or breach caused by an undetected insider threat in the private sector could damage a business’s reputation or significantly impact the organization’s financial wellbeing. But, in the public sector, a similar undetected insider threat breach or incident could jeopardize our national security! That heightened level of risk is why we’re thrilled to share that Code42 has achieved the In Process designation from the Federal Risk and Authorization Management Program (FedRAMP) for Code42’s cloud-based insider threat and data loss recovery solution. With the In Process designation, Code42 appears on the FedRAMP Marketplace, which means that Federal agencies and contractors have the ability to leverage Code42’s insider threat detection, investigation and response capabilities.

Insider threat in the public sector: the risk is real

Breaches and insider threats in the private sector may get the lion’s share of the headlines, but the public sector is far from immune to the insider threat risk. A Carnegie Mellon analysis of data from the CERT National Insider Threat Center (NITC) Insider Threat Incident Corpus shows that the federal government has, by far, the highest number of serious insider threat incidents detected over the past 20+ years — more than all incidents from state and local governments combined. While alarming, it isn’t exactly surprising that the federal government is such a big target. Just as in the private sector, the offending insiders in the public sector tended to be in trusted positions, and most exfiltrated data during normal working hours. And just as in the corporate world, roughly one in three insider threats were contractors, vendors or another third party not directly employed by the federal agency.

Stepping up insider threat protection in the federal government

It’s not that federal agencies don’t understand the risks of insider threat; on the contrary, they are quite well versed and have been managing and setting best practices on insider threat programs for nearly a decade. In fact, way back in 2011, Executive Order 13587 mandated that all federal government agencies that operate or access classified computer networks implement an insider threat detection and prevention program — including the capacity to monitor and analyze the information from insider threats. But eight years later and with growing cloud adoption, there are exponentially more ways for insiders to exfiltrate data. The truth is that most federal agencies’ insider threat programs likely are built around traditional tools like data loss prevention (DLP) products that weren’t designed to handle the modern reality of ultra-portable data and widespread collaboration and file sharing — and simply can’t keep up with today’s resulting insider risks to data.

Code42 gives federal agencies a new insider threat toolset

The In Process designation is a significant milestone in the FedRAMP authorization process. Code42 is working towards FedRAMP authorization by the fall of 2020. But as I mentioned earlier, Code42 is already available on FedRAMP Marketplace — and organizations can even begin the onboarding process today. That means all federal agencies and contractors can leverage our industry-leading backup and recovery capabilities, while also gaining access to our insider threat detection, investigation and response capabilities.

Our solution quickly surfaces insider threats to a federal agency’s most sensitive, valuable and vulnerable files and information, so security teams can respond immediately and effectively — before damage is done. The solution tracks files as they are attached to web-based emails, uploaded to web applications, and moved to USB sticks and external hard drives. As part of its offering, Code42 also preserves a copy of all versions of all files on a user’s computer. This data can be used for forensics or to recover data after theft, ransomware, hardware or software failure.

Demonstrating our commitment to the highest security standards

FedRAMP Authorization requirements include some of the very highest standards for cloud security and data security risk mitigation in the world. Code42 is actively working on FedRAMP Authorization and, once achieved, will mean that we adhere to some of the most rigorous security standards and requirements. Of course, this is meaningful well beyond the public sector: FedRAMP certification should give all Code42 customers reinforced confidence in our ability to secure and protect your data.

We’re quite proud of this achievement around the Code42 offices — and we’re excited to extend our solution beyond commercial and educational organizations to the federal government, helping to protect sensitive federal data that impact us all.

Don’t Poison Your Employee Experience With the Wrong Approach to Insider Threat

The year 2019 was a harsh reminder that as much as organizations try to downplay insider threats, they cannot be ignored or overlooked. Organizations like Capital One, McAfee (itself an insider threat solution) and even Apple can attest as they all found themselves on the wrong side of the headlines. Needless to say, as the year wrapped up, many 2020 predictions and resolutions included a better approach to insider threat.   

Forrester’s aptly titled report, “Don’t Poison Your Employee Experience With The Wrong Approach To Insider Threat” is timely! As much as we don’t want to admit the obvious, our colleagues are among the biggest threats to the data security of our organizations. But there’s a balance between understanding malicious and non-malicious intent. And with the CCPA and GDPR serving as backdrops to data privacy, security organizations have their work cut out in balancing the security and productivity of end users. No easy feat!

My Top 5 Takeaways on Forrester’s Latest Report on Insider Threat:

  1. Make your insider threat program fit within the overall security program. We know incident response processes have taken center stage in the security world. It’s all about decreasing time to detect and respond to threats. Insider threat needs to be a part of the overall incident process. Few organizations have well-defined incident response scenarios for insider threats, but that trend is changing fast.
  2. Don’t let security become a burden on employee productivity. Code42 has been saying this for quite some time and it’s worth repeating. Security is often confronted with a crossroads situation. Traditionally, the idea of prevention (otherwise known as Data Loss Prevention) has operated on the notion of blocking suspected users from carrying out their jobs. This approach is outdated and comes at the cost of collaboration. A new wave of solutions are paving the way for a security strategy rooted in protection, and one that embraces collaboration.
  3. The Collaboration Culture is a Security Culture. Gone are the days where security is a dreaded practice with productivity stalling implications. Today’s security culture is about embracing collaboration and why not? Ask any CEO what their top digital transformation initiatives are and they’re likely to put “better collaboration” near the top of the list.
  4. Technology and human intelligence fuel your insider threat program. Emerging insider threat programs are made up of people and technology. While many organizations have relied on technology to solve a very human program, it’s clear that understanding user behavior patterns, what drives user actions and predicting users’ next moves are equally important. In the end, an insider threat program is all about speeding up time to respond to a threat. By combining technology and human intelligence, you are building yourself an all-encompassing program that covers multiple vectors.
  5. Code42 takes the focus off users and instead focuses on file behavior. And of course, I have to mention Code42 here. While many security solutions are solely focused on user behaviors and actions, our approach has been simply rooted in understanding the behavior of the file. And it’s very simple logic… In the end, the malicious end user is after your “data,” so understanding everything about that data is paramount. As I like to say, “don’t follow the employee, follow the data.” With data privacy becoming more important and organizations growing more mindful of being “big brother,” an approach rooted in data will only become more important and compelling.

2020 will undoubtedly be another breakthrough year for insider threat. There will be more headlines, innovative security solutions and smarter insiders. In the midst of this growing problem, it’s good to see Forrester remind us that building an effective insider threat program doesn’t have to come at the cost of killing your employee experience. An effective security strategy coupled with a productive workforce? I say bring on 2020.

Download the complimentary Forrester report here.

3 Steps to Building a Successful Insider Threat Program in the Age of Data Privacy

Data privacy laws are picking up steam – think the General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA) – and there is a lot of concern about what security and privacy teams can and should do to enforce policies that protect the business. From a data privacy standpoint, consumers – and employees for that matter – historically have been largely left in the dark about what personal information a business may have about them and how that information is being used, stored and shared. With GDPR and CCPA, consumers and employees now are more emboldened to ask questions and provide direction on how their data is used.

In this new world with data privacy top of mind, corporate insider threat programs are especially under the microscope – and they’re getting an (undeserved) bad rap. There is a misconception that insider threat programs impinge on personal data privacy rules. As a result, some employees have very strong reactions against insider threat programs. To that end, many security teams end up having conversations around insider threat that end with comments such as, “I don’t want to be Big Brother!” or “Having a program implies I don’t trust my fellow co-workers.”

The reality is that data drives businesses and data is leaving companies every day (read more on this topic in our 2019 Data Exposure Report). Even though data loss by employees can take different forms, it’s important to take them all seriously. Sometimes employees take data accidentally. Other times, they take it intentionally without realizing the harm their actions could cause. Still other times, employees take data maliciously. Regardless of intent, the damages of data loss are real and it’s important we consider these risks to our businesses.

Insider threat programs are necessary and very effective in protecting corporate IP.  To run an insider threat program while keeping employee privacy concerns in check, consider these three important steps:

Decide what you need to monitor

What does insider threat mean to you? I like to use a simple definition that removes intent and focuses on impact: insider threat is any type of threat to an organization’s security posture from within. Focus on the systems that manage your sensitive information, the departments that are more likely to handle sensitive information, or on the workflows that increase the probability that information is leaving the company (think departing employees, mergers & acquisitions, etc.).

Build out a program around it

Once you’ve defined what matters, build out an insider threat program around it. Programs are typically built out in one of three ways (though often a combination of these):

  • Logging and alerting: If you defined sensitive systems as the focus, this is often a natural way to build out your program. Make sure you are capturing all relevant logging  activities (this is sometimes tricky with SaaS applications) and set up alerts for activity that may be deemed more risky.
  • Special tools: You may decide there are additional tools you want to implement in order to monitor and manage your insider threat program. Depending on the technology implemented, you may get additional alerts, risk ranking, or integrated workflows to help guide your set up.
  • Defined processes: As much as we’d like to think technology can solve all of our problems, sometimes the best program starts with a manual process. This could include an onboarding or offboarding checklist, a periodic audit of privileged user activity and employee training.

As with all things security, remember that there is very little “black and white.” Build your program to allow for additional context, account for the potential of human error, and incorporate other stakeholders (legal, human resources, managers, etc.) into the program to ensure you are addressing risk appropriately.

If you are looking for additional guidance on the mechanics of building or maturing an insider threat program, here are a couple of great resources to check out:

Tell your employees

Finally, no matter how you decide to build out your program, let your employees know what you are doing. Be very clear with employees about what information your program is collecting and monitoring, and how the information is being used. I often see this in the form of a log-in banner, an employee privacy statement or policy, or as part of security awareness training. Also, have a feedback process for people to reach out to you for more information.

My best advice when deciding what information to share is to put yourself in the shoes of an employee. What would you want to know, and would you find the data monitoring to be reasonable? At the end of the day, while you may be the owner of your organization’s insider threat program, you are also likely the subject of someone else’s.

Building an Insider Threat Program Without Becoming Big Brother

I don’t believe that there’s an enterprise in existence that wouldn’t benefit from an insider threat program. Nearly every enterprise will experience repeated data theft and confidential data exposure as a direct result of the accidental or deliberate actions of one of their trusted insiders. I know that’s not easy to hear, but it’s true.

Consider a survey conducted by Osterman Research. The survey found that 69% of respondents experienced significant data or knowledge loss as a result of employees taking information with them when they left, as Andy Patrizio wrote in his CIO story, Sensitive data often follows former employees out the door.

“ Nearly every enterprise will experience repeated data theft and confidential data exposure as a direct result of the accidental or deliberate actions of one of their trusted insiders. ”

Despite how pervasive and serious the risks posed by insider threat are today, few organizations have an insider threat program in place, and fewer still have an effective insider threat program.

There are a number of reasons insider threat programs aren’t very common. The first is that getting started in building an insider threat program can be overwhelming – even though it doesn’t have to be. Some of these challenges are technical, such as the failings of traditional data leak prevention products. Other challenges are cultural; for instance, many organizations fear that their insider threat program could turn into a Big Brother level of oversight.

However, when done right, an insider threat program doesn’t have to become Big Brother. In fact, it doesn’t have to become overbearing or negatively affect culture. In this post, I share the key insights I’ve learned that will help any organization get started with an effective insider threat program that won’t turn into Big Brother.

Earn the support of your executives

It’s true of any data security program, but especially for an insider threat program: to succeed, you need to have the support of business leadership. It will be your organizational leadership that ensure the program gets the continuous funding it needs as well as the political backing to overcome any speed bumps that arise.

Obtaining that support is best achieved by articulating to executive leadership the real-world risks to the organization so that they understand the threats and how important it is to fund and support such an effort. This will require detailing the types of data risks your organization faces and the strategy for mitigating those risks.

Earn the support of stakeholders throughout the organization

Partnership from other business stakeholders, such as the legal department and human resources, also are essential. If you are trying to build effective data security and insider risk management processes into your employee onboarding processes, job changes, and terminations, then you will want to work closely with the human resources and legal departments. If these departments are not engaged with the insider threat program, you run the risk of having an ineffective program on your hands.

“ If you are trying to build effective data security and insider risk management processes into your employee onboarding processes, job changes, and terminations, then you will want to work closely with the human resources and legal departments. ”

Prepare for culture shocks

One of the reasons insider threat programs can appear authoritarian is they are designed without the existing internal culture in mind.

When it came to managing insider risks at a former employer, it was common for me to run into cultural issues. We were always working closely with our vendors, many of whom were based in Silicon Valley. While discussing data risks with these organizations, we often learned that they did not have even the most basic controls pertaining to insider threat, including not bothering with employee background checks. They often didn’t understand who was joining the organization. “We trust our people,” they’d say. “We only hire the best, most talented people. Everybody wants to work here. Why would anybody do anything bad here?”

In building an insider threat program, you’ll have to deal with such cultural barriers, and the challenges to overcome them are real. Essentially, to overcome those challenges, you will need to convince staff and everyone throughout the organization that the focus isn’t on punishing people doing things they shouldn’t, but rather protecting the organization’s data and its business viability.

For those in regulated industries, this conversation is likely a lot easier to have with executives and staff. When you work in a regulated industry, it’s evident why certain types of data must be watched and protected, and it’s easier to extend that to other kinds of data.

For those working outside of regulated industries, where it’s not mandated that data be protected, it’s undoubtedly a much more challenging argument to win. But it’s an argument that executives will be receptive to if you explain the costs to the business associated with losing data or intellectual property that is important to the organization.  

Make sure the program is transparent

Another reason insider threat programs can appear oppressive is when they are built in secret. When staff are aware of the insider threat program, but they don’t understand why it is in place, they are more likely to grow resentful and even fearful of the program. Also, when staff aren’t at all aware about the insider threat program, they can be very brazen in taking data that belongs to the company. There is no reason to take either of these counterproductive approaches.

When organizations are transparent about the insider threat program and why it’s necessary, then staff, contractors, and business leaders will be more supportive of the effort to protect intellectual property and confidential and valuable information. 

Establish acceptable data use policies

Everyone will feel better about the program if they are not finding themselves second guessing whether or not they are acting within protocol. Are they permitted to use cloud storage services? If so, which ones? Can data be moved to USB devices and other local, removable storage devices? What about sharing data on corporate collaborative platforms such as Slack or Microsoft Chatter? What’s the policy for taking data home and/or keeping it on their notebooks?

Staff and contractors need clear demarcation lines of what is an acceptable use of the organization’s systems and data and who owns the organization’s data. Employees must be made aware of these policies.

Data risk will vary depending on the organization

The specific type of data that is protected will be dependent on the nature of the organization and the industry in which it works. The types of data and roles that will pose more significant risks will vary among different types of organizations. An aerospace engineering firm or defense contractor will have a different risk posture than a law firm, financial services firm, or pharmaceutical company. Within all of these organizations, there will be a lot of targeted information that can be monetized and is important to the organization, but the nature of the data (and who can access the most valuable data) will vary.

“ Within all of these organizations, there will be a lot of targeted information that can be monetized and is important to the organization, but the nature of the data (and who can access the most valuable data) will vary. ”

Put the right data protection tools in place

Although much of your insider threat program will consist of data security policies and employee training and awareness, those policies will need to be enforced with technology. When considering the types of tools that will support your insider threat program, choose the best tools to provide the capability to detect, investigate, and respond to data breach incidents with the appropriate level of insight.

Another consideration is how well the tools you select will integrate within your environment. This must be viewed from the standpoint of how well it will work with both internal processes and existing toolsets. For example, if you have an established automated employee off-boarding process, can you connect to those processes so that you have timely, accurate insights into employee status changes? The same holds true when it comes to employee onboarding.

Provide ongoing training and awareness

Ongoing security training and awareness exercises are essential for maintaining good data security practices and muscle memory for all employees across the organization. If your organization has an existing security training and awareness function, you can integrate insider threat messaging into awareness exercises.

Incorporating insider threat scenarios into ongoing security training and awareness will also help employees understand the importance of the risks you’re trying to manage. This will help employees understand the rationale and can also create allies within your organization.  

Build a sustainable program that will change with the times

Just as your organization and business environment evolve over time, so will your organization’s risks. So, it is important to ensure that your insider threat program can keep pace with the changes in your business and risks. Fundamentally it’s about keeping your focus on effectively managing data exfiltration and insider risk as your organization evolves.

All of this may seem straightforward—and it is—but that doesn’t make it easy or swift to accomplish. Like so many effective processes, the important thing is to keep your insider threat program risk-based, aligned with your organization’s culture and nimble enough to evolve with your organization.  

If you’re building an insider threat program from scratch, start small, keep it simple and be open to making changes. Early wins are important and will help drive the success of the program. Furthermore, they will keep the support of executives and staff who understand that the organization’s long-term success depends on protecting its data. Because it certainly does.

Microsoft and Code42 Ignite the Focus on Insider Threat

The entire Code42 team had a great time attending Microsoft Ignite in Orlando. Microsoft Ignite brings together more than 25,000 attendees who have keen interests in software development, security, architecture and IT. I have to tell you, before going to Ignite, I held preconceived notions that attendees would hold a clear bias toward IT challenges and not the broader challenges facing enterprise security.

Fortunately, I was mistaken, and it quickly became apparent that security and cloud concerns were a big part of the conversation. For all of us at Code42, that meant we were in store for an exciting week. We came to Ignite with a significant announcement – our new integration with Office 365 email.

More tools to mitigate insider threat

Why integrate Code42 with Office 365 email? There are a couple of reasons. First, while there’s been plenty of talk about the demise of email as the top communication platform, the reality is the amount of confidential and proprietary information sent via attachments every day in email is mind-boggling and enterprises need better controls. Second, while Office 365 email does provide ways to create email policies and flag risky emails, Code42 provides complementary insights and valuable investigative information into the who what, when and why (as I like to call it) around the files. This is just another way Code42 helps our customers to mitigate insider risks.

We also showcased some new Code42 capabilities that enhance the workflow for departing employee data exfiltration detection. As you may already know, managing the data exfiltration risks associated with departing employees has been a significant effort for Code42. When it comes to mitigating insider threats and data breaches, it turns out that departing employees are notorious for taking trade secrets, confidential information, and other types of intellectual property with them as they leave organizations for new companies.

The departing employee challenge is exacerbated by the following: first, most organizations don’t have a data exfiltration mitigation policy in place for departing employees; and second, there typically aren’t technology or applications available to assist in the departing employee workflow. This is precisely why Code42 developed and released its new departing employee workflow capabilities.

“ The departing employee challenge is exacerbated by the following: first, most organizations don’t have a data exfiltration mitigation policy in place for departing employees; and second, there typically aren’t technology or applications available to assist in the departing employee workflow. ”

Being able to showcase such powerful new capabilities and seeing the positive reactions from such a large crowd, was one of the most rewarding parts of Ignite for me. Of course, Code42 SVP Rob Juncker got us off to the ideal start with a session mainly dedicated to insider threat and the importance of having a well-defined off-boarding process to protect valuable IP when employees leave.

The new capabilities were a hit among attendees. But, more importantly, to me, the new departing employee capabilities were the catalyst for conversations into understanding current departing employee workflows. These conversations largely confirmed what we’ve been saying here at Code42: that typical departing employee workflows are either under-developed or non-existent. No wonder insider threat continues to be on the upswing!

While Ignite gathers an IT-centric audience, what we learned is that when it comes to insider threat, multiple departments are part of the conversation. It isn’t uncommon to expect IT, security, compliance as well as HR teams to be in the mix when figuring out the best course of action to manage insider threat.

Demos, doughnuts and a customer’s personal account

We were also fortunate to be joined by one of our customers, David Chiang, an IT system engineer at semiconductor provider MACOM. David presented on how MACOM relies on Code42 to detect, investigate and respond to insider threats and file exfiltration. He framed the departing employee threat perfectly when explained how, when a departing employee tells MACOM that they’re “just taking personal pictures,” MACOM can now (thanks to Code42) look back and validate if that’s so. “If we access the files and find that it was company property, the conversation changes,” he explained.

And under those circumstances, that conversation should change. The problem is that too many – actually, the vast majority of organizations – don’t have such process and technology in place to provide themselves that level of visibility. Hopefully, our data security and departing employee announcements, an excellent and in-depth story from one of our customers on their success (over some excellent mini donuts) resonated and will change some of the status quo for the better.

While Code42 went into Microsoft Ignite with an intent to learn and educate around regarding the insider threat, it turned out we weren’t alone. There were two other significant announcements that reinforced the importance of mitigating insider threats. The first of those was Proofpoint’s acquisition of ObserveIT. Why? Because ObserveIT has been in the insider threat space for quite some time, and this acquisition is clear validation that Proofpoint views insider threat as an integral expansion of their security portfolio moving forward. The second announcement was from Microsoft itself. Microsoft unveiled its Insider Risk Management tool within Office 365 that is designed to help identify and remediate threats coming from within an organization.

I’m happy to say that the many announcements, as well as attendee interest and conversation around the issue, give me hope that insider threat programs are about to take center stage when it comes to managing enterprise data risk. And next year, Microsoft Ignite 2020, is bound to dig even deeper into the insider threat and all of the associated risks. We can’t wait to be there.

Insider Threat Begs the Question, “Where’d My File Go on the Web?”

You know the risks posed by Shadow IT and unsanctioned app use. It’s a blind spot we’ve all been fighting for years now. But a new challenge is emerging: what do you do when the app is sanctioned? For example, how do you stop employees from exfiltrating data via Google Drive — when your organization uses this app, legitimately, all day long? With cloud and web-based apps like Google Drive, Gmail, OneDrive and Slack increasingly blurring the lines between personal and professional use, how do you shine light into the alarming blind spot we’re calling “Mirror IT?”

An easy way to move and share files

Most of us have used email or cloud storage as a means to instantly and easily make files available from anywhere. In fact, our 2019 Code42 Data Exposure Report found that 43% of business decision-makers say they use their personal email to share files with peers, and 41% use Google Drive. Not surprisingly, this is also one of the most common (and fastest growing) methods of employee data theft a.k.a. insider threat. Look to the headlines and you’ll read about cases like the sales executive at U.S. solar company SunPower Corp who emailed himself highly confidential files — and used them in his next role at a SunPower competitor.

“ An experienced security team with a range of tools at their disposal should be able to use network-layer information to piece together a good idea of where that file went — but only if users are on the network…and it won’t be fast or fun. ”

You can see that, right?

It’s not that modern data security tools are totally blind to this kind of activity. Most have some level of visibility into the web and cloud apps that touch your files. But some of the most popular enterprise data security tools are still limited to telling you that Google Chrome or Firefox accessed a file — essentially telling you that your file went somewhere on the internet. An experienced security team with a range of tools at their disposal should be able to use network-layer information to piece together a good idea of where that file went — but only if users are on the network…and it won’t be fast or fun.  

Sanctioned apps make things blurry

The real challenge comes in “Mirror IT” situations where employees have both personal and professional accounts for apps like Gmail, Google Drive or Slack. In these scenarios, how can you see — and respond to — an employee removing a customer list or source code via the approved Google Drive app? Leading CASB solutions can block unapproved sites — but they won’t help you here. Even top-of-class data loss prevention tools can only get as far as telling you that Google Drive accessed the file. But you have no way to make the all-important distinction about whether that file was uploaded to their personal or professional Google Drive account. Once again, a veteran security analyst could likely get to the bottom of this question, given some time — but in the meantime, those valuable files remain exposed.

A simple, fast answer to the question, “Where’d my file go?”

Code42 shines powerful light into the black hole of web and cloud file activity in a number of ways. Now, we’re solving the challenge of “Mirror IT” by giving you a first-of-its-kind level of visibility: Code42 shows you the title of the tab and the specific tab URL that was active at the moment the file activity occurred. This means you can plainly discern personal versus professional accounts and instantly understand the potential risk to your data.

It’s all part of the simple, speedy solution we’ve created for homing in on the risky signal amid all the noise of your users’ normal, harmless activity. The Code42 dashboard lets you immediately see when files are read or uploaded by an internet browser — and gives you one-click visibility into the tab title and URL.

The end result: with just two clicks, you can definitively answer the question, “where’d my file go?” and immediately take action, if necessary. It’s just one more way Code42 provides much-needed visibility to give you high-fidelity alerts and actionable information to help you find and address the data risks in your organization.

Code42 blog header

Hey Microsoft Ignite, Code42 is Here Talking Insider Threat

Team Code42 is excited to be at the Orange County Convention Center for the Microsoft Ignite conference this week. We have a ton going on and are ready to talk to security and IT teams about one of the biggest insider threats to their data – employees who quit. Swing by to see us at booth #1141 and find out how we can show you exactly what IP your employees are stashing in their pockets, personal email and cloud. Hint: they probably took the data long before you knew they were leaving.

All week, we will be ready to give demos and previews of our Code42(R) Next-Gen Data Loss Protection solution, which makes it quicker and easier to detect, investigate and respond to insider threats. Visit with Team Code42:

  • Nov. 4: 12:30-7:30 p.m.
  • Nov. 5: 8:30 a.m. to 6 p.m.
  • Nov. 6: 8:30 a.m. to 6 p.m.
  • Nov. 7: 8:30 a.m. to 5:15 p.m.


Rob Juncker, SVP, Speaks in Theater C at 2:15 p.m
Employees are Taking Data when They Quit
Sixty percent of departing employees admit to taking data – company trade secrets, customer lists and source code – when they leave their job. Want to know the truth? The other 40% probably are lying and also have taken data. At a time when the data economy is flourishing and your competitive edge hinges on keeping your most innovative ideas under lock and key, we have to find better ways to protect valuable IP and trade secrets when employees and contractors quit and head off to their next gig. That’s why Rob Juncker, our SVP of product, research, operations and development, is leading off the show with a presentation about insider threat called, “Employees are Taking Data when They Quit.” Head over to Theater C on the expo show floor at 2:15 p.m. ET on Monday to catch his talk.

Tuesday and Wednesday:

Code42 Customer MACOM in Booth #1141
Don’t take our word for it. Hear from one of our power users, MACOM’s David Chiang, about how he uses the Code42 solution to hang onto MACOM’s most valuable files. Be sure to spend some time talking to David in Code42 booth #1141 about how he tackles the challenge of data loss from departing employees and protects MACOM’s highly proprietary semiconductor designs and CAD drawings. He’ll be in the booth Tuesday and Wednesday from 9 a.m. to 12 p.m.

Other Activities in Code42 Booth #1141

Monday: Demos and Drinks, 4-7:30 p.m.
End your day with a product demo and glass of McSwagger’s Own Ale from local brewery Crooked Can Brewing Company.

Tuesday: Demos and Donuts, 8:30 a.m. to 12 p.m.
Grab mini donuts made fresh in our booth while taking in a solution demo.

Wednesday: Midweek Energy Boost, 8:30 a.m. to 12 p.m.
Need some more wings mid-week? We’re doing a Red Bull giveaway and solution demos.

Thursday: Thank You, Safe Travels Cookies, 11 a.m. to 3 p.m.
Before you finish at Ignite, swing in for a solution demo and fresh-made cookies.

Code42 Next-Gen Data Loss Protection Customer Success

CrowdStrike and Code42 vs. External and Insider Threats (Video)

After working on security teams at large retail organizations, I’m now in the unique, and fortunate, position to be the director of security at Code42, an organization that makes one of the products that my team uses daily. This gives us direct access to Code42’s latest product features, beta testing, and the opportunity to network with organizations like CrowdStrike both as peers and as customers of each other’s products.

The Code42 Next-Gen Data Loss Protection solution is an incredibly helpful tool to have in the toolkit. I’m proud of how my company is innovating to help fill a critical need in data security, particularly around protecting data from insider threats. But as any savvy security professional knows, there’s no one silver bullet to address all of an organization’s data security needs. For this, I rely on different products to protect Code42’s data from an ever-present array of threats.

One of the key solutions we use at Code42 is CrowdStrike, the fastest-growing endpoint detection and response solution on the market. Some of the things I love about CrowdStrike are its high-fidelity rate and its low rate of false positives; how it has a lot of searchable, granular event data; and its Falcon OverWatch service, which provides a “second set of eyes” to alert us to unusual activity in our environment. 

CrowdStrike and Code42 work shoulder-to-shoulder to protect our data. CrowdStrike protects our organizations from external threats such as malware, while Code42 accelerates our detection of and response to insider threats, like departing employees

“ CrowdStrike and Code42 work shoulder-to-shoulder to protect our data. CrowdStrike protects our organizations from external threats such as malware, while Code42 accelerates our detection of and response to insider threats, like departing employees. ”

As you can tell, I’m a huge advocate for CrowdStrike, which made it particularly cool to meet with Tim Briggs, CrowdStrike’s incident response analyst, at our Evolution19 conference in Denver earlier this year. I learned a lot from Tim, and even got a few tips from the trenches about how he uses Code42 and CrowdStrike in their environment. For example, Tim shared a story about a recent incident, when their security team received an alert from the CrowdStrike platform that was related to torrent activity in their system. Torrent activity could be extremely malicious, in that an employee may be exfiltrating valuable IP, or it could simply mean an employee was misusing company assets. 

With the alert in hand, the CrowdStrike security team was able to use Code42 to look at the files and download history of the employee in question. They quickly figured out that the employee was downloading movies onto their device. With that context, the CrowdStrike team was able to ascertain that, while the employee was misusing company assets, he wasn’t behaving maliciously or exfiltrating data. The security team was then able to report that to their executive team. 

While the threat landscape is in a constant state of flux, two things will never change. Breaches will happen, and employees will take data when they leave. It is that simple. Together, CrowdStrike and Code42 are dedicated to making it faster and easier for our respective customers to detect and respond to insider and external threats.