This article contains information on how Incydr detects and prevents source code exfiltration, monitors risky file activity, and provides tools for investigation and response, ensuring protection of proprietary code without disrupting engineering productivity.
Overview
Learn how Incydr detects source code exfiltrations to untrusted repositories without needing to know what to look for – offering much-needed protection of source code without disrupting the productivity of engineering teams.
Course Objective
By the end of this course you will learn:
- About the damage that source code leaving can cause a company
- How Incydr protects against source code exfiltration
Audience
This course is intended for all security practitioners.
What To Expect
This course will show you how to configure Incydr to easily monitor source code movement.
Prerequisites
- You are an Incydr Administrator or Security Practitioner, with beginner to intermediate experience level.
- You are familiar with Incydr.
Introduction
Detect Risky Source Code Movement
Proprietary source code is likely the most valuable asset your company owns, and a leak can cost a business $15 million per incident. Incydr protects this high-value IP by detecting and preventing source code exfiltration without complex policies.
THE PROBLEM:
88% of security leaders wish they had more visibility into source code movement
Companies have long fought to keep proprietary source code from leaking and landing in the hands of competitors. You need tracking across Git, USB, cloud storage, email, and Airdrop to stop engineers from moving source code to personal or unapproved public repositories, but challenges still remain for security teams:
- Limited visibility into the variety of clients & plugins engineers utilize.
- Difficulty policing Git pulls and pushes without harming productivity.
- Lack of controls to respond appropriately to untrusted branch or repository use.
THE SOLUTION:
Catch high-risk source code leaks with Incydr
Keep a close watch over proprietary source code and ensure it never leaves your company with Incydr. Be alerted the moment source code exfiltration is initiated and leverage appropriate response controls to stop the movement of high-value IP dead in its tracks.
How exactly does Incydr keep source code safe and secure?
- Visibility into all Git push/pull activities, regardless of whether they are known applications or processes in use.
- Accurately differentiate between sanctioned or unsanctioned Git activity.
- Automatically send Instructor educational micro-trainings to developers for low-risk exfiltrations.
- Swiftly answer source code theft attempts with endpoint blocking controls.
How To Configure Source Code Protection
How To Monitor Source Code Movement
Exfiltration dashboard
The Exfiltration dashboard provides insight into file movement across your environment, enabling you to quickly identify files moving to untrusted destinations.
- Data movement: Displays how data in your environment is moving to untrusted destinations.
- Risk settings: Displays all risk indicators and associated scores. To edit risk settings, you must have the Insider Risk Admin or Insider Risk Analyst role. Users with the Insider Risk Read Only role can view risk settings, but not make changes.
- Selected time frame: Click to select a date range for data on the dashboard.
- Export: Click the export icon to save an image of any tile.
Data Movement Graph
The Data movement graph on the Exfiltration dashboard shows how data in your environment is moving to untrusted destinations. This graph enables you to easily identify the greatest sources and destinations of exfiltrated files across all risk categories.
- Selected time frame: Shows the time frame the file activity occurred in. Change the time frame in the upper-right corner of the page.
- Export: Click to save an image of the data movement graph.
- Show / hide filters: Click to collapse or expand the filters applied to the data movement graph. By default, the graph displays the 5 source risk indicators with the highest event counts in your environment.
- Risk indicator type: Defines which type of risk indicators appear on the left side of the graph. Choose from:
- User risk indicators
- Source risk indicators (default)
- File risk indicators
- Risk indicators: Displays all risk indicators of the selected type that have occurred in your environment. The top 5 risk indicators (by event count) are selected by default. Click any risk indicator to select/deselect it and add/remove it from the graph. Click Update results to apply changes.
- Destination risk indicators: Displays all destinations for the file events selected on the left. The top 5 risk indicators (by event count) are selected by default. Click any risk indicator to select/deselect it and add/remove it from the graph. Click Update results to apply changes.
- Filter by Watchlists: Select one or more watchlists to filter the activity in the graph to users currently on a watchlist. For example, select Departing to review where departing employees are sending data.
- Update results: Click to refresh the graph after changing the filter selections.
- User / Source / File risk indicators: Displays the risk indicators included in your filter selection, along with the count of events for each risk indicator. Hover over a risk indicator for more details. If multiple risk indicators are applied to a single event, the sum of risk indicators in the detailed view may not match the raw number of events. Click a risk indicator to view the events in Forensic Search.
- Data flow lines: Displays a visual mapping of files moving to untrusted destinations. Hover over any section to view more details. Click a section to view the events in Forensic Search for that specific risk indicator combination.
- Destination/Events: Displays the destination risk indicators for the file events on the left, along with the count of events for each destination. Hover over a risk indicator for more details. Click a risk indicator to view the events in Forensic Search.
- View all results in Forensic Search: Click to view all events displayed in the graph in Forensic Search.
Source Code Dashboard
The Source Code dashboard highlights GitHub activity in your environment, including source code files pushed from trusted repositories to potentially risky destinations.
- Authenticate GitHub: Click to add or update a GitHub personal access token. A token enables more details on this dashboard, including repo type, description, and license details. Without a token, some repositories may not show all details and will be categorized as Unknown. See Access token for more details.
- Date picker: Click to select the date range for all data displayed on the dashboard.
- Top users with risky Git activity: Lists users who have pushed code to repositories not on your list of trusted activity. Click the search icon to view events in Forensic Search. Click the view details icon for more details about the user and the source repositories of these events.
- Repository destinations: Shows Git activity based on repository ownership and privacy settings. Click the search icon next to any item to view those events in Forensic Search. See Repository types for descriptions of each type.
- Files exfiltrated from trusted repositories to potentially risky destinations: Displays files acquired from trusted repositories and sent to potentially risky destinations. If a destination listed here does not represent risk, you can optionally click the trust shield icon to add it to your list of Trusted activity.
- Top active untrusted repos: Lists the most commonly used repositories not on your list of Trusted activity. Repos with a lot of activity may indicate they're commonly used for corporate-approved tasks. For publicly accessible repositories, click the Repository value to view it in GitHub. (Private repositories do not include links.) Click the trust shield icon to add the repo to your list of Trusted activity, or click the search icon to investigate in more detail.
- Event totals by repo type: Shows total event counts for each repository, organized by repository type. Click View details for more information about each repository.
Investigation
- Forensic Search is a powerful tool for investigating file activity across your organization. With a wide range of search filters covering both endpoint and cloud activity, you can easily create custom queries to gain visibility into all activity monitored by Incydr.
- Cases helps you manage and respond to security investigations with tools that collect, organize, and retain user file activity.
- Watchlists enable you to create groups of users you want to monitor more closely for risky file activity. Watchlists also enable you to implement preventative controls, such as restricting browser uploads, removable media, and cloud sharing.
Response
- Instructor is a compilation of training resources to help you educate employees about risky behaviors and how to prevent them.
- Preventative controls enable you to restrict users from performing specific actions, including uploading and pasting content in a web browser, mounting removable media, and sharing files via cloud services.
Case Study
Banked Protects Source Code And Employee Trust With Incydr
Put yourself in the shoes of an innovative tech company aiming to disrupt a highly regulated space, while also keeping their data secure. Sound like a tall order? With Incydr, Banked has found the sweet spot – gaining total visibility to keep their source code safe and retain their competitive edge, without disrupting employee productivity.
Read the Banked Case Study.
Summary
Proprietary source code is a valuable asset that needs protection. Incydr offers a solution by tracing source code movement and alerting on risky activities. It helps establish source code exfiltration monitoring by setting up trust for Git repositories and differentiating between sanctioned and unsanctioned Git activity.
Incydr also aids in investigating risky activity, documenting evidence, creating reports, and applying preventative controls.
In this course we covered:
- The damage that source code leaving can cause a company
- How Incydr protects against source code exfiltration
Additional Resources
Incydr
- Source Code Leaks
- 2024 Data Exposure Report
- Detect Source Code Leaks & Avoid IP Theft
- Banked Protects Source Code and Employee Trust with Incydr
Support
- Dashboards
- Investigation
- Response
What's Next
Step 1: Set up trust for a Git repository URI
- Log in to the Incydr console.
- Navigate to Administration | Environment | Trusted activity.
- Click on Add trusted activity.
- Select Git repository URI.
- Add a Git repository URI to trust Git pushes to this location.
- Click on Save.
To trust browser uploads to this location, you must also add a Specific URL path entry.
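The following Python is an added illustration of the idea behind Step 1, not Incydr's own code or its matching logic (the page does not describe how Incydr compares a push destination with a trusted URI). It models a trusted Git repository URI list and classifies constructed push events as sanctioned or unsanctioned, which is the distinction the Source Code dashboard's "Top users with risky Git activity" and "Top active untrusted repos" tiles rely on. Everything in it is assumed: the remote normalization rules, the idea that a trusted entry can cover a whole owner or org as well as a single repo, case-insensitive matching, and all host names, users and repositories in the sample data.

```python
"""Added example (not Incydr code): classify Git push destinations against a
trusted-repository list, the idea behind Step 1 above.

Assumptions, since the page does not describe Incydr's matching rules:
  * remotes are normalized to host/owner/repo before comparison, so the https,
    ssh and scp-style spellings of one repository compare equal;
  * a trusted entry may name a whole owner/org (github.com/acme) or one repo;
  * matching is case-insensitive (true for GitHub; assumed for other hosts).
All push events below are constructed sample data, not real telemetry.
"""
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import urlparse

# scp-style remote, e.g. git@github.com:acme/app.git (optional user@, then host:path)
_SCP_RE = re.compile(r"^(?:[\w.-]+@)?(?P<host>[\w.-]+):(?P<path>.+)$")


def normalize_remote(remote: str) -> str:
    """Return the canonical lower-case 'host/owner/repo' form of a Git remote."""
    remote = remote.strip()
    if "://" in remote:                      # https://, ssh://, git://
        parsed = urlparse(remote)
        host, path = parsed.hostname or "", parsed.path   # hostname drops user and port
    elif (m := _SCP_RE.match(remote)):       # user@host:owner/repo.git
        host, path = m.group("host"), m.group("path")
    else:                                    # bare form such as github.com/acme/app
        host, _, path = remote.partition("/")
    path = "/" + path.strip("/")
    if path.endswith(".git"):
        path = path[:-4]
    return (host + path).rstrip("/").lower()


def is_trusted(remote: str, trusted_uris: set[str]) -> bool:
    """True when the remote is a trusted repo or lives under a trusted owner/org."""
    canonical = normalize_remote(remote)
    for entry in trusted_uris:
        t = normalize_remote(entry)
        if canonical == t or canonical.startswith(t + "/"):
            return True
    return False


# Constructed sample push events: (user, remote the code was pushed to)
SAMPLE_PUSHES = [
    ("alice", "git@github.com:acme/app.git"),
    ("alice", "https://github.com/acme/app"),
    ("bob",   "https://github.com/bob-personal/app-copy.git"),
    ("bob",   "ssh://git@gitlab.example.net:22/acme/platform.git"),
    ("carol", "https://GitHub.com/Acme/Infra.git"),
    ("dave",  "https://gist.github.com/dave/1234abcd"),
]

# Entries an admin would add as trusted Git repository URIs (assumed values)
TRUSTED_URIS = {
    "https://github.com/acme",                         # whole org
    "ssh://git@gitlab.example.net/acme/platform.git",  # one repo
}


def untrusted_pushes_by_user(pushes, trusted_uris) -> dict[str, int]:
    """Count pushes per user that went to an untrusted repository
    (the 'Top users with risky Git activity' idea on the Source Code dashboard)."""
    counts = Counter()
    for user, remote in pushes:
        if not is_trusted(remote, trusted_uris):
            counts[user] += 1
    return dict(counts)


def untrusted_destinations(pushes, trusted_uris) -> dict[str, int]:
    """Count events per untrusted canonical repo ('Top active untrusted repos')."""
    counts = Counter()
    for _, remote in pushes:
        if not is_trusted(remote, trusted_uris):
            counts[normalize_remote(remote)] += 1
    return dict(counts)


if __name__ == "__main__":
    for user, n in untrusted_pushes_by_user(SAMPLE_PUSHES, TRUSTED_URIS).items():
        print(f"{user}: {n} push(es) to untrusted repositories")
    for repo, n in untrusted_destinations(SAMPLE_PUSHES, TRUSTED_URIS).items():
        print(f"{repo}: {n} event(s)")
```

The point of the normalization step is that the same repository is reachable under several spellings (https, ssh with or without a port, scp-style, with or without the `.git` suffix). A trust list compared as raw strings would treat a push over ssh to a sanctioned repo as unsanctioned, producing false alerts and, worse, would let a trust entry in one spelling fail to cover legitimate use in another. Case-insensitive matching is correct for GitHub but should be confirmed for any self-hosted Git server before being relied on.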
Step 2: Configure Alerts
- Log in to the Incydr console.
- Navigate to Alerts | Manage Rules.
- Under Recommended rules, select Source Code exfiltration.
- Follow the on-screen instructions to complete the rule creation.
Step 3: Review suspicious file activity
Step 4: Respond to insider risks
Questions or Comments?
If you’d like to learn more, don’t hesitate to reach out to your Customer Success Manager (CSM), or Sales Rep.