Code42 Incydr + Cortex XSOAR: Right-Sizing Insider Risk Response

Sep 14, 2021
3 minutes

Security teams struggle daily to detect and respond quickly when users put corporate data and IP at risk. Employees cause 13 data exposure events every day, while 51% of security leaders receive daily complaints about mistakenly blocking legitimate work.

Furthermore, 72% of security leaders say they lack the context needed to decide whether to close an alert or open an investigation when insider risk is detected. This uncertainty hurts productivity and workforce collaboration, pushes users toward workarounds for moving data, damages the security team's reputation, and leads to analyst burnout. Over time, the result is a culture that lacks risk awareness and increases the organization's exposure to Insider Risk.

Responding to threats from external attackers requires a very different approach from responding to risk that comes from individuals with authorized access inside your organization. The financial and reputational impact of an external attack and an insider incident can be the same, but the controls needed to respond appropriately are not. Managing Insider Risk effectively, without disrupting the business or burning out your analysts, requires automation that delivers a right-sized response quickly and consistently.

Security teams, therefore, must rethink the approach to Insider Risk response in a way that is:

  • Designed to monitor, contain, educate, or resolve events
  • Tailored by severity, context, and priority level
  • Automated for scale, speed, and accuracy

This is what we call a right-sized response. When security teams have the right level of insider risk context and accurate alert prioritization, automation can be applied to cut the time it takes to remediate Insider Risk. The leading reasons organizations are increasing their investment in automation are the business and cultural benefits: improved productivity, a better working relationship between the security team and the rest of the organization, and reduced analyst burnout.

Severity-driven Automated Response to Insider Data Loss 

Together, Code42 Incydr and Palo Alto Networks Cortex XSOAR deliver the full capabilities of Code42's response methodology. Incydr supplies risk severity context through prioritized file, vector, and user Insider Risk Indicators (IRIs), which inform the type of control the level of risk calls for. Using XSOAR orchestration playbooks, customers then automate the controls that contain, educate, or resolve detected data exfiltration events.

Code42's turn-key content pack, available in the Cortex XSOAR Marketplace, enables security teams to:

  • Manage data leaks with conditional containment controls: stop local sync apps, disable USB ports, lock a device, or isolate the network segment containing a risky endpoint.
  • Automate response across users and teams with resolution controls: launch inquiries to evaluate user intent, expedite user feedback for resolution, and execute any necessary follow-up actions or escalations.
  • Deliver timely security awareness training with educational controls: reduce future data exposure by automatically delivering recommended user security awareness training and a refreshed review of the corporate acceptable use policy.
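To make the severity-driven mapping concrete, here is an added example of the decision logic a playbook of this kind encodes: score an event from its file, vector, and user indicators, pick a control tier, and emit the cumulative action list for that tier. This is illustrative code written for this page; it is not Code42's content pack, does not call the Incydr or XSOAR APIs, and the indicator names, weights, thresholds, and sample events are all assumptions.

```python
"""Severity-driven dispatch for insider data-exposure events.

Hypothetical example for this article. Not Code42's or Palo Alto Networks'
code; the indicator categories, weights, thresholds and action names are
assumptions that stand in for the real Incydr IRIs and XSOAR playbook tasks.
"""
from dataclasses import dataclass, field

# Constructed indicator weights (assumed values, not Incydr's scoring).
FILE_IRIS = {"public_doc": 0, "spreadsheet": 2, "source_code": 4, "customer_pii": 5}
VECTOR_IRIS = {"corporate_cloud": 1, "airdrop": 3, "removable_media": 4, "personal_cloud": 4}
USER_IRIS = {"contractor": 2, "high_risk_watchlist": 4, "departing_employee": 5}
UNKNOWN_WEIGHT = 3   # an indicator with no rule must not score as harmless
BULK_THRESHOLD = 50  # files moved in one event before the volume bonus applies
BULK_BONUS = 3

# Severity floor for each control tier, highest first (assumed thresholds).
TIERS = (("contain", 12), ("resolve", 8), ("educate", 4), ("monitor", 0))


@dataclass
class Event:
    user: str
    file_category: str
    vector: str
    file_count: int = 1
    user_flags: list = field(default_factory=list)


def severity(ev: Event) -> int:
    """Combine file, vector and user indicators into one severity score."""
    score = FILE_IRIS.get(ev.file_category, UNKNOWN_WEIGHT)
    score += VECTOR_IRIS.get(ev.vector, UNKNOWN_WEIGHT)
    # Only the strongest user indicator counts: stacking several weak flags
    # should not outrank a single departing-employee signal.
    score += max((USER_IRIS.get(f, UNKNOWN_WEIGHT) for f in ev.user_flags), default=0)
    if ev.file_count >= BULK_THRESHOLD:
        score += BULK_BONUS
    return score


def tier_for(score: int) -> str:
    for name, floor in TIERS:
        if score >= floor:
            return name
    return "monitor"


def plan_response(ev: Event) -> dict:
    """Return the right-sized action list for one event.

    Tiers are cumulative: a contained user is also educated and has an
    intent inquiry opened, so containment never skips the human steps.
    """
    score = severity(ev)
    tier = tier_for(score)
    actions = ["log_event"]
    if tier in ("educate", "resolve", "contain"):
        actions += ["send_awareness_training", "require_aup_acknowledgement"]
    if tier in ("resolve", "contain"):
        actions += ["open_user_intent_inquiry", "notify_manager"]
    if tier == "contain":
        # Choose the control that closes the vector actually used.
        actions.append({"removable_media": "disable_usb_ports",
                        "personal_cloud": "stop_local_sync_app"}
                       .get(ev.vector, "isolate_endpoint_from_network"))
        actions.append("lock_device")
    unknown = (ev.file_category not in FILE_IRIS or ev.vector not in VECTOR_IRIS
               or any(f not in USER_IRIS for f in ev.user_flags))
    if unknown:
        actions.append("flag_for_analyst_review")  # never auto-close on an unknown indicator
    return {"user": ev.user, "severity": score, "tier": tier, "actions": actions}


# Constructed sample events, not real Incydr alerts.
SAMPLE_EVENTS = [
    Event("a.lee", "public_doc", "corporate_cloud", file_count=3),
    Event("b.chen", "spreadsheet", "personal_cloud"),
    Event("c.diaz", "source_code", "removable_media", user_flags=["contractor"]),
    Event("d.kim", "customer_pii", "removable_media", file_count=200,
          user_flags=["departing_employee"]),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(plan_response(ev))
```

Two design choices matter more than the particular weights. An indicator the playbook has no rule for is scored conservatively and routed to an analyst rather than silently treated as zero, and the containment action is chosen from the vector that was used, so a USB exfiltration gets a USB control instead of a blanket device lock that would generate exactly the blocked-work complaints the article opens with.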

Learn More 

To learn more about the Code42 Incydr content pack for Cortex XSOAR, read our Solution Brief, Surface Data Risk and Automate Response to Insider Threats.

You can view the Code42 Incydr pack here:

Join our upcoming use case webinar featuring Code42 on September 30th at 9:00 AM PST to see a live demo of the Incydr content pack and engage with the experts during live Q&A. Save your seat!
