How CrowdStrike And Incydr Work Together Against External Threats And Insider Risk
"I’ve used nearly every DLP solution out there and they’re often so complex, they make your life harder, not easier. But Falcon and Incydr work really nicely together so you can figure out what’s happening very quickly and respond right away."
Tim Briggs,
Director of Incident Response at CrowdStrike
CrowdStrike discusses their approach to data loss incident investigations
Tim Briggs, Director of Incident Response at CrowdStrike, shared a story about a recent incident in which their security team received an alert from CrowdStrike Falcon for torrent activity in their environment. Torrent activity can be extremely malicious, in that an employee may be exfiltrating valuable IP, or it can simply mean an employee is misusing company assets; the alert alone does not tell you which.
With the alert in hand, the CrowdStrike security team used Mimecast Incydr to look at the file and download history of the employee in question. They quickly figured out that the employee was downloading movies onto their device. With that context, the CrowdStrike team was able to ascertain that while the employee was misusing company assets, he wasn't behaving maliciously or exfiltrating data. The security team was then able to report that to their executive team.
While the threat landscape is in a constant state of flux, two things will never change. Breaches will happen, and employees will take data when they leave. It is that simple. Together, CrowdStrike and Incydr are dedicated to making it faster and easier for our respective customers to detect and respond to insider and external threats.
How does CrowdStrike use Falcon and Incydr together today?
“We use Falcon to alert us to threats from outside our organization and to potentially risky exfiltration events, and Incydr gives us the details we need to verify what’s actually happening within our organization so we can investigate and respond with confidence. To put it simply, Falcon alerts on an event and Incydr has proof of the files involved.
Something we’ve found really important and should really be best practice for anyone working in Insider Risk – is having multiple sources of information so you can verify what has happened and understand the details of each event. When you’re dealing with Insider Risk, a lot of these incidents may not be intentional or malicious, but they can still affect someone’s life in a very serious way. It’s critical that you verify that an alert reflects what actually happened and that you have validation to back up what you’re seeing and help you determine the next steps.”
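The workflow described in the torrent story and in the answer above (an EDR alert names a user, host and time; a second source of file activity is then used to decide what really happened) can be written down as a small triage routine. The following is an added example, not CrowdStrike's, Mimecast's or Code42's code, and it does not call the Falcon or Incydr APIs: both the alerts and the file-activity records are constructed in-memory dictionaries with assumed field names, standing in for an EDR alert and a file-monitoring export. The point it shows is the one Tim makes: the verdict comes from the joined evidence (same user, same host, same time window, what moved and where), not from the alert by itself.

```python
"""Cross-source triage: verify an EDR alert against file-activity records.

Added example. Not vendor code and not using the Falcon or Incydr APIs;
all records below are constructed and their field names are assumptions.
"""
from datetime import datetime, timedelta
from pathlib import PurePath

# Constructed EDR-style alerts: a torrent client observed on two corporate hosts.
ALERTS = [
    {"id": "A-1", "host": "LAPTOP-0423", "user": "jdoe",
     "process": "qbittorrent.exe", "detection": "P2P/torrent client execution",
     "time": datetime(2024, 3, 5, 14, 2, 11)},
    {"id": "A-2", "host": "LAPTOP-0917", "user": "asmith",
     "process": "transmission", "detection": "P2P/torrent client execution",
     "time": datetime(2024, 3, 6, 9, 40, 0)},
]

# Constructed file-activity records, as a file-monitoring export would hold them.
FILE_EVENTS = [
    {"user": "jdoe", "host": "LAPTOP-0423", "action": "created",
     "path": "C:/Users/jdoe/Downloads/big.movie.2023.1080p.mkv",
     "time": datetime(2024, 3, 5, 13, 58, 20)},
    {"user": "jdoe", "host": "LAPTOP-0423", "action": "created",
     "path": "C:/Users/jdoe/Downloads/another.film.mp4",
     "time": datetime(2024, 3, 5, 14, 10, 5)},
    {"user": "jdoe", "host": "LAPTOP-0423", "action": "uploaded",
     "path": "C:/Users/jdoe/Documents/q1-roadmap.pptx",
     "time": datetime(2024, 3, 1, 9, 0, 0)},          # four days earlier: outside the window
    {"user": "asmith", "host": "LAPTOP-0917", "action": "created",
     "path": "/home/asmith/Downloads/linux-iso.torrent",
     "time": datetime(2024, 3, 6, 9, 38, 0)},
    {"user": "asmith", "host": "LAPTOP-0917", "action": "copied_to_removable",
     "path": "/home/asmith/src/falcon-connector/auth.go",
     "time": datetime(2024, 3, 6, 9, 52, 30)},
    {"user": "bwong", "host": "LAPTOP-1111", "action": "uploaded",
     "path": "/home/bwong/customers.xlsx",
     "time": datetime(2024, 3, 6, 9, 45, 0)},           # different user: never joined
]

# .torrent metadata files are grouped with media: they are what a torrent client fetches.
MEDIA_EXT = {".mkv", ".mp4", ".avi", ".mp3", ".flac", ".torrent"}
SENSITIVE_EXT = {".docx", ".xlsx", ".pptx", ".pdf", ".zip",
                 ".py", ".go", ".java", ".c", ".sql", ".pem", ".key"}
# Only actions that move data off the host can turn an event into exfiltration.
EGRESS_ACTIONS = {"uploaded", "copied_to_removable", "shared_externally", "emailed"}


def classify(path: str) -> str:
    """Coarse content class by extension; a real tool would also inspect content."""
    ext = PurePath(path).suffix.lower()
    if ext in MEDIA_EXT:
        return "media"
    if ext in SENSITIVE_EXT:
        return "sensitive"
    return "other"


def related_events(alert, events, window=timedelta(hours=1)):
    """Second source of truth: file events for the same user on the same host
    within +/- window of the alert time, oldest first."""
    lo, hi = alert["time"] - window, alert["time"] + window
    hits = [e for e in events
            if e["user"] == alert["user"] and e["host"] == alert["host"]
            and lo <= e["time"] <= hi]
    return sorted(hits, key=lambda e: e["time"])


def triage(alert, events, window=timedelta(hours=1)):
    """Decide what the alert actually was from the joined file evidence.
    Returns the verdict and the events that justify it."""
    related = related_events(alert, events, window)
    egress = [e for e in related
              if e["action"] in EGRESS_ACTIONS and classify(e["path"]) == "sensitive"]
    if egress:
        verdict = "possible exfiltration"
    elif not related:
        verdict = "unverified: no file activity in window"
    elif all(classify(e["path"]) == "media" for e in related):
        verdict = "asset misuse, no data exfiltration"
    else:
        verdict = "needs analyst review"
    evidence = [(e["time"].isoformat(), e["action"], e["path"]) for e in (egress or related)]
    return {"alert": alert["id"], "verdict": verdict, "evidence": evidence}


if __name__ == "__main__":
    for a in ALERTS:
        r = triage(a, FILE_EVENTS)
        print(r["alert"], r["verdict"])
        for ev in r["evidence"]:
            print("   ", *ev)
```

Run as-is, A-1 resolves to asset misuse (two movie files created, nothing left the host), while A-2, which fires on the same detection, resolves to possible exfiltration because source code was copied to removable media minutes after the torrent client ran. The join on user, host and time window is what keeps one employee's upload from being attributed to another's alert, and the "unverified" verdict is deliberate: when the second source has nothing to say, the alert should not be escalated as if it had been confirmed.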
What is Tim's favorite part of using CrowdStrike Falcon and Incydr together?
“Both solutions are so simple to use – it’s clear that simplification is a priority in both tools and it really pays off. I’ve used nearly every DLP solution out there and they’re often so complex, they make your life harder, not easier. But Falcon and Incydr work really nicely together so you can figure out what’s happening very quickly and respond right away.
For example, if we have an employee leaving the organization, we can make sure they’re in the Incydr Departing Employee Lens to monitor file movement closely. From there it’s easy for us to jump into Falcon and block USB ports or take other necessary steps to protect our data if we identify something suspicious. The ease of use is great on its own, but where it really helps is with enabling our team to work faster. Employees can get up to speed really quickly and jump right in without needing a whole lot of training on using the tools.”
Reduce low & moderate data sharing activity just like CrowdStrike
Did you know you can send security education as a response to detected Incydr events? When Incydr flags a low-risk security event, the employee receives a Mimecast Instructor video lesson explaining what they did wrong and how to avoid the same mishap in the future.
CrowdStrike experienced a 36% reduction in low & moderate data sharing activity after just 4 months of using Instructor.