
Accelerating Incident Response with the Code42 for Resilient App

By Matthias Wollnik posted Thu August 22, 2019 09:15 AM


Insider threat is on the rise. Data loss from insiders now accounts for 34% of threats and represents a 50% increase over the last 4 years. Furthermore, 90% of insider data loss, leak, and theft goes undetected internally, suggesting that existing security tools that focus on data loss lack detection and response capabilities.


Code42 Next-Gen Data Loss Protection provides simple, fast detection & response to everyday data loss from insider threats by focusing on customer data on endpoints and the cloud to answer questions like:

  • Where is my data?
  • Where has my data been?
  • When did my data leave?
  • What data exactly left my organization?


The Code42 for Resilient app accelerates incident response related to data loss from insider threats by combining IBM Resilient’s market-leading automation and incident handling with Code42’s context of file activity, vastly accelerating the time to discovery and remediation of data loss incidents.


Let’s walk through some of the key capabilities of the Code42 for Resilient app.

Tracking files on Endpoints and the Cloud

It happens every day: someone gives notice that they are leaving your organization. This poses unique problems for the IT and IS organizations. We know that departing employees will take some data with them when they leave, but it has proven incredibly difficult to get insight into what was taken, especially since most of the time the data is taken before the employee announces their intention to leave. With the Code42 for Resilient app, building out and implementing a well-defined process for managing departing employees and ensuring that data does not leave the organization is easy.


One of the most powerful Functions introduced with this app is “Search file events.”


Code42 maintains a datastore of every file transaction on endpoints and cloud repositories, along with a variety of data exfiltration events. It tracks every file creation, modification, deletion, transfer to USB, file upload, etc. that is observed. When this Function is invoked with a specific query, a data table is added to the Incident containing every file event gathered by Code42 that matches the query.

You will then have an immediate overview of any suspicious file activity by the user in recent history. This speeds up detection of data loss and, combined with the capabilities of IBM Resilient, accelerates incident response.


The query options for the Function allow for specific matches to be identified such as:

  • Any file exfiltration activity
  • Any files matching a known MD5
  • Any files matching a specific file name
  • Any files of specific types
  • And many more


Of course, each query can be limited to a specific time span. This makes it trivial to run a Function during a Departing Employee Workflow to simply ask “Did this user exfiltrate any files in the last 30 days?” or “Where did we see this specific MD5 before?”
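As an added example (not the Code42 for Resilient app's or Code42's own code), the query semantics described above can be expressed as a small filter over a constructed event feed: the event field names, the event types counted as exfiltration, and the function and data-table column names are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample feed of the kind of file activity the post describes:
# creation, modification, deletion, transfer to USB and file upload.
SAMPLE_EVENTS = [
    {"user": "jdoe", "event": "created", "path": "/home/jdoe/roadmap.xlsx",
     "md5": "a1" * 16, "ts": "2019-08-01T09:00:00"},
    {"user": "jdoe", "event": "usb_transfer", "path": "/home/jdoe/roadmap.xlsx",
     "md5": "a1" * 16, "ts": "2019-08-10T17:30:00"},
    {"user": "jdoe", "event": "upload", "path": "/home/jdoe/customers.csv",
     "md5": "b2" * 16, "ts": "2019-08-15T12:00:00"},
    {"user": "asmith", "event": "modified", "path": "/home/asmith/notes.txt",
     "md5": "c3" * 16, "ts": "2019-08-16T08:00:00"},
    {"user": "jdoe", "event": "deleted", "path": "/home/jdoe/old.pdf",
     "md5": "d4" * 16, "ts": "2019-05-01T08:00:00"},
]

# Assumption: these event types are the ones treated as exfiltration.
EXFIL_EVENTS = {"usb_transfer", "upload"}

def search_file_events(events, user=None, exfil_only=False, md5=None,
                       file_name=None, file_type=None, days=None, now=None):
    """Return the events matching every criterion given (AND semantics)."""
    # `days` limits the search to the last N days before `now` (ISO string),
    # mirroring the "in the last 30 days" question; the other keys mirror
    # the query options listed in the post (exfiltration, MD5, name, type).
    now = datetime.fromisoformat(now) if now else datetime.now()
    since = now - timedelta(days=days) if days is not None else None
    hits = []
    for ev in events:
        name = ev["path"].rsplit("/", 1)[-1]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if user and ev["user"] != user:
            continue
        if exfil_only and ev["event"] not in EXFIL_EVENTS:
            continue
        if md5 and ev["md5"].lower() != md5.lower():
            continue
        if file_name and name != file_name:
            continue
        if file_type and ext != file_type.lower().lstrip("."):
            continue
        if since and datetime.fromisoformat(ev["ts"]) < since:
            continue
        hits.append(ev)
    return hits

def as_data_table_rows(hits):
    """Shape hits as rows for an Incident data table (column names assumed)."""
    return [{"timestamp": h["ts"], "user": h["user"], "event": h["event"],
             "file": h["path"], "md5": h["md5"]} for h in hits]
```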


This and much more information can automatically be added to your Incidents with this Function.

Retrieve files from Endpoints

When data is taken by a departing employee, never-before-seen malware is identified, or a phishing campaign is identified, you often want to get your hands on the specific files involved. In the past, this usually required physical access to the endpoint device. In the modern world of distributed workforces, this has proven to be a major challenge for organizations.


With our “Download file from backup” Function, IBM Resilient can do this for you automatically when an incident is created, regardless of where the device is physically located.


When this Function is performed for a given file path and machine, Code42 will reach into its cloud infrastructure and pull the relevant file out of its archives. Since the file’s data is pulled out of our archives, the endpoint does not have to be accessible or available. The file can then easily be attached to the Incident for your inspection.


This Function is primarily intended to pull a small number of individual files and make them available to the Incident. If a large number of files, or very large files, are of interest, you may want to use the Code42 console directly to pull the data instead of adding large amounts of data to the Incident.

And a lot more

These are just some of the many Functions that the Code42 for Resilient app introduces. A full set of Functions as well as all the documentation necessary to utilize the app can be found at https://code42.com/r/support/ibm-resilient.


Putting it all together

The Code42 for Resilient app accelerates incident response related to data loss from insider threats by combining IBM Resilient’s market-leading automation and incident handling with Code42’s context of file activity, vastly accelerating the time to discovery and remediation of data loss incidents.

IT and IS teams are now far more effective in identifying and responding to risky situations when employees leave your company, when organizational changes happen, and when new high-risk users are identified. Sample workflows and rules for these kinds of scenarios are included within the application.


Visit the IBM App Exchange to download the app. You can also view documentation, system requirements, and guides there. Please be sure to visit the IBM Resilient Community Forums if you have any feedback.
