This article contains information on protecting intellectual property (IP) from departing employees using Incydr. It covers monitoring, risk assessment, automated responses, and best practices to prevent data exfiltration during employee offboarding.
Overview
Most employees take data with them when they leave for their next job. We make sure your most valuable files stay with you.
Course Objective
By the end of this course you will learn how to:
- Get visibility into cloud and endpoint exfiltration via watchlist - including Git push and pull activity, browser events, Airdrops, and cloud syncs.
- Integrate Incydr directly with your HR tools and automate response - all while bridging the gap between Human Resources (HR) and Security.
- Use best practices for validating actual file contents so you know without a doubt how sensitive exfiltrated data may be.
- Implement real-time blocking for departing employees.
Audience
This course is intended for all security practitioners.
What To Expect
This course will show you how to protect Intellectual Property (IP) from departing employees.
Prerequisites
- You are an Incydr Administrator or Security Practitioner, with beginner to intermediate experience level.
- You are familiar with Incydr.
Introduction
THE PROBLEM:
Departing employees are walking away with your most valuable IP
Whether malicious or because they feel ownership over their work, employees are leaving the business with customer lists, research data, source code and more – and that has serious implications:
- 1 in 3 chance you lose IP when an employee quits.
- 3/4 of companies don’t know what data employees take to their next job.
- #2 highest cause of a successful data breach.
THE SOLUTION:
See and stop data theft before employees walk out the door
Incydr can see all the ways IP moves out of the organization with departing employees. From day one, it automatically differentiates low-risk events from real departing-employee threats, and with Incydr's range of response controls you can quickly contain the threat or block the exfiltration attempt outright.
Built to protect against departing employee data theft
What makes Incydr stand out?
- Visibility into cloud and endpoint exfiltration in one solution including Git push/pull activity, Salesforce downloads, Airdrops and cloud syncs.
- Integrate directly with HR tools to automatically revoke permissions – without even bothering HR.
- Validate actual file contents to know for sure how sensitive the data is.
- Implement real-time blocking for high-risk employees who work closely with intellectual property.
How Does Incydr Work?
Incydr is a SaaS Solution with an Extensible Cloud Architecture.
Configuring Departing Employee Monitoring
First, you'll need to take some steps to ensure departing employee monitoring is configured. You may refer back to these steps throughout monitoring and investigating, as you fine-tune your settings.
1. Connect relevant apps
- Use Incydr Flows to connect apps such as BambooHR or Workday to add an employee to the Departing Employee watchlist based on their departure date.
- Use SCIM to provision users and their attributes to Incydr from Azure AD or Okta.
- Configure other integrations, such as Mimecast (as applicable), to ensure comprehensive visibility across your environment.
See Human Resources Information Systems, IAM and PAM, and Building an Insider Risk Management (IRM) Program for more information.
2. Populate the Departing employee watchlist
Add employees that are about to leave (or have left) the company to the Departing watchlist. Departing employees often take data with them when they leave and sometimes take data after they have left if their access is not properly revoked.
Using Incydr Flows and SCIM to connect other systems to Incydr (configured in Step 1) lets you use information in those systems to update your Incydr environment. For example, you can ingest user attributes such as employment milestones, departure dates, or elevated access, and use them to drive watchlist membership.
You can also add users to a watchlist manually, by groups or as individuals.
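As an added example (not Incydr's or Code42's own code), the script below models the decision an HRIS-to-watchlist flow like the one in steps 1 and 2 has to make: who belongs on the Departing watchlist right now, who to add, who to remove, and the departing-today / next-7-days / next-30-days counts the watchlist page summarises. The watch windows, the hold list, and the HR records are assumed or constructed; pushing the result back to Incydr (via Incydr Flows, SCIM, or the Incydr API) is left out.

```python
"""Reconcile an HRIS departure feed against the Departing employee watchlist.

Added example, not Incydr's or Code42's code. Policy values, the hold list
and the HR records are assumed or constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class HrRecord:
    username: str
    department: str
    departure_date: Optional[date]  # None: no departure on file


# Assumed policy values; tune to your offboarding SLA.
WATCH_BEFORE_DEPARTURE = timedelta(days=30)  # start watching this far ahead
# Keep watching after the last day: data sometimes leaves after departure
# when access is not revoked promptly.
RETAIN_AFTER_DEPARTURE = timedelta(days=30)

TODAY = date(2024, 6, 3)  # constructed reference date for the sample run

# Constructed HR export (fictional users).
HR_FEED = [
    HrRecord("alice", "Engineering", date(2024, 6, 3)),  # leaves today
    HrRecord("bob", "Sales", date(2024, 6, 8)),          # leaves in 5 days
    HrRecord("carol", "Marketing", date(2024, 6, 25)),   # leaves in 22 days
    HrRecord("dave", "Engineering", date(2024, 8, 15)),  # 73 days out: too early
    HrRecord("erin", "Finance", date(2024, 5, 10)),      # left 24 days ago: retain
    HrRecord("frank", "Support", date(2024, 4, 1)),      # left 63 days ago: expire
    HrRecord("grace", "Legal", None),                    # not departing
]

# Current membership as read back from Incydr (constructed).
# "frank" has aged out; "henry" was added manually by an analyst.
CURRENT_MEMBERS = frozenset({"alice", "erin", "frank", "henry"})

# Users the flow must never remove on its own: manual additions and anyone
# with an open case. Assumed mechanism, maintained outside the HR feed.
HOLD = frozenset({"henry"})


def should_be_watched(rec: HrRecord, today: date) -> bool:
    """True when the departure date falls inside the watch window."""
    if rec.departure_date is None:
        return False
    earliest = today - RETAIN_AFTER_DEPARTURE
    latest = today + WATCH_BEFORE_DEPARTURE
    return earliest <= rec.departure_date <= latest


def reconcile(hr_feed, current_members, today, hold=frozenset()):
    """Add/remove/keep sets that bring the watchlist in line with HR."""
    desired = {r.username for r in hr_feed if should_be_watched(r, today)}
    desired |= set(hold)  # never auto-remove held users
    return {
        "add": sorted(desired - current_members),
        "remove": sorted(current_members - desired),
        "keep": sorted(desired & current_members),
    }


def departure_summary(hr_feed, today):
    """Counts like the watchlist page: today, next 7 days, next 30 days.
    Assumption: the 7- and 30-day buckets include today and are cumulative."""
    counts = {"today": 0, "next_7_days": 0, "next_30_days": 0}
    for rec in hr_feed:
        if rec.departure_date is None:
            continue
        days_out = (rec.departure_date - today).days
        if days_out == 0:
            counts["today"] += 1
        if 0 <= days_out <= 7:
            counts["next_7_days"] += 1
        if 0 <= days_out <= 30:
            counts["next_30_days"] += 1
    return counts


if __name__ == "__main__":
    print(reconcile(HR_FEED, CURRENT_MEMBERS, TODAY, HOLD))
    print(departure_summary(HR_FEED, TODAY))
```

The hold set is the part worth copying: without it, a feed-driven reconciliation silently drops users an analyst added by hand or who have an open case, because they are not in the HR export.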
3. Configure trust settings
Incydr uses a trust-based model to filter expected, approved file activity from unexpected, possibly risky activity. This model lets you identify file exfiltration more accurately, investigate events more quickly, and respond before they pose a threat to your intellectual property, business development, and organizational reputation. Configure the list carefully: activity that matches a trusted entry disappears from alerts and dashboards, so an entry broader than it needs to be hides exactly the file movement you want to see from a departing employee.
Follow these instructions to configure trusted activity.
4. Configure specific alerts
Alert rules:
- Enable you to define the file activity that poses the greatest file exfiltration risk for your organization.
- Notify you when risky activity occurs.
- Integrate with Instructor, enabling you to automatically send targeted, timely educational content to users in response to risky activity.
For any watchlist, you can build alerts to notify you when a user on the watchlist performs a specific action. Follow these instructions to modify alerts for a watchlist.
Alerts are only generated for events outside your list of Trusted activity.
Trusted file activity is still captured by Incydr and visible in Forensic Search, but no alerts are created.
Now that you've configured the settings, you can start monitoring departing employee file movement.
Proactive Risk Identification and Severity Model (PRISM)
Before we talk about monitoring and investigating, it's important to understand how individual risk indicators contribute to the overall risk severity of a file event.
HOW IT WORKS
Precise context analysis you can trust
Incydr’s Proactive Risk Identification and Severity Model (PRISM) uses three-dimensional context analysis across data, user, and destination to automatically identify both known and unknown risks without predefined rules. Each event gets a PRISM score from 0 to 10 based on 250+ risk indicators. This approach accurately prioritizes event severity and enables Incydr to automate response controls for various risks.
- Data context: Examines the source and sensitivity of files.
- User context: Analyzes user behavior and attributes.
- Destination context: Assesses how and where files are moved.
PRISM: How Incydr Prioritizes Risk to Data.
Why PRISM?
PRISM simplifies data protection for everyone
Key benefits of PRISM
- Identifies risk for both known use cases and hidden blind spots.
- Allows security teams to investigate the most critical events quickly.
- Uses automated response controls to address common risks with less effort.
Next, let's learn how to monitor, investigate and respond to departing employee file movement.
Monitor and Investigate Departing Employee File Movement
There are multiple ways to monitor departing employee file movement, including:
- The Action Items dashboard displays items requiring attention, including open alerts, top users by critical activity, users departing this week (see below), unwatched Instructor lessons, and open cases.
- The Exfiltration dashboard provides insight into file movement across your environment, enabling you to quickly identify files moving to untrusted destinations. You can filter by the Departing watchlist to view file activity of users currently on that watchlist.
For the purpose of this article, we're going to focus on monitoring with the Departing employee watchlist, and investigating from the Departing employee risk report.
Departing Employee Watchlist
Watchlists enable you to create groups of users you want to monitor more closely for risky file activity. Watchlists also enable you to implement preventative controls, such as restricting browser uploads, removable media, and cloud sharing.
See Watchlists reference for further information.
- Risk indicator: Identifies the risk indicator and risk score added to file events for all users on this watchlist. For more information about risk indicators and how they work, see Risk settings reference.
- Trust settings: Indicates that trust settings are applied to this page. Click to learn more and to view your trust settings. File activity that matches an item on your list of trusted activity is excluded from dashboards, watchlists, user profiles, and alerts, but is still searchable in Forensic Search.
- Search: Enter a username to find file activity for a specific user on this watchlist. This searches across your entire Incydr environment and includes deactivated users.
- Selected time frame: Shows the time frame in which the file activity occurred. Click to change the time frame.
- Edit alerts: Click to see and modify the alerts that include this watchlist.
- Edit users: Click to add users to or remove users from the watchlist. If no users have been added yet, the button is labeled Add users.
- Action menu:
  - Edit title and description: Click to change the watchlist name or its description.
  - Delete watchlist:
    - Any users and alerts assigned to the watchlist are removed from the watchlist. Users are removed from the watchlist, but their User profiles still exist in Incydr and they can be added to other watchlists.
    - If the assigned alerts are not being used elsewhere in Incydr, the alert rule is also deleted from alerts.
    - Any integrations for the watchlist will no longer function.
- Watchlist settings: Shows the following:
  - Risk score: The risk indicators associated with the watchlist, and each indicator's risk score.
  - Preventative controls: The preventative controls applied to users on this watchlist.
  - Users: The groups of users and number of individual users added to the watchlist.
  - Alerts: The alert rules that include this watchlist as a rule setting.
  Click Edit to change the settings.
- Departing users: Shows a summary of users on the Departing watchlist, including the number of users departing today, as well as in the next 7 and 30 days.
- User activity by severity: Shows the number of users with file events for each severity. Click a severity to filter the list of users to include only file events of that severity.
- Filter: Click to filter the list by:
  - Event severity.
  - Departure date.
  - Risk indicators.
  - Username.
  - Department (requires provisioning).
  - Watchlists.
- List of users: Shows all users on the watchlist, sorted by the highest number of critical-severity file events, then by high-severity file events. See below for detailed descriptions of each column.
- Risk report: Click to view a risk report for the departing user, summarizing activity from the past 90 days. The report includes a summary of the alerts the user has triggered, the number of cases they were involved in, how many critical events they've caused, and how many events they have that correspond to the most common exfiltration scenarios for departing employees.
- Actions: Click Actions for options to:
  - View profile: Opens the User Profile, where you can view their past file events.
  - View events in search: Opens the user's file events in Forensic Search, where you can see greater detail about the file events.
- View details: Click to see more details about the user's file activity, including open alerts, cases, and file events with risk indicators applied.
Departing Employee Risk Report
The departing employee risk report shows you a summary of risky activity an employee on the Departing watchlist has had in the last 90 days. In the report, you can see a summary of the alerts the user has triggered, the number of cases they were involved in, how many critical events they've caused, and how many events they have that correspond to the most common exfiltration scenarios for departing employees. Use the report to make your offboarding triage tasks more streamlined and consistent.
See Departing employee risk report reference for further information.
- Export: Click to download the risk report as an image (PNG, JPEG, or SVG), or as a CSV file with event details. To export an image of the entire report, click the top area of the report after selecting the image file type. To export only a section of the report, mouse over any item and then click. (The highlighted area indicates the items included in the export.)
- User: Displays a summary of the employee's information, including:
  - Name.
  - Department.*
  - Title.*
  - Watchlists the employee has been added to.
  *Displays this information if your Incydr environment uses provisioning. For more information, see Provision user attributes to Incydr.
- View profile: Click to see the employee's User profile.
- Notes: Do one of the following:
  - Click Add to add more details to the user's profile.
  - Click Edit to modify existing notes.
  Notes are limited to 1000 characters.
- Risk breakdown: Shows the number of alerts, cases, and Instructor lessons sent to the user in the past 90 days. Click View to see more details about each item. Case and alert counts are only visible if you have the appropriate permissions. Instructor details require a product plan that includes Instructor.
- Risk indicators: Shows the user's top risk indicators, sorted by the number of the user's critical events.
- View critical events: Click to see the user's critical events in Forensic Search.
Review Alerts
Alerts highlight risky file activity in your organization, such as when important data is moved to untrusted locations. The Review Alerts page shows when activity is detected that matches the settings defined in your alert rules.
See Review Alerts reference for further information.
- Risk settings: Click to open Risk settings, where you can view and customize the scores for each risk indicator. Scores are used to calculate the severity of each file event. For more information, see the Risk settings reference.
- Alerts summary: Displays a summary of open, in progress, and closed alerts. Click an alert count summary or View all to filter the list below to include only those alerts.
- Filter: Click to filter alerts by status, date, risk severity, rule name, user, or watchlist. For more details, see Filter alerts below.
- Filtered by: Indicates which filters are applied to the list of alerts. Click on "X" to remove a filter. Remove all filters to view all alerts.
- Select all: Selects all alerts on the page and presents a Change status button. Click the button to move multiple alerts at once to a different status.
- Select individual alerts: When you select one or more alerts, the Change status button appears. Click the button to move the selected alerts to a different status.
- Severity: The risk severity of the highest-scoring individual file event in this alert, based on its risk indicators and the following scoring ranges:
- 9+: Critical.
- 7-8: High.
- 4-6: Moderate.
- 1-3: Low.
- 0: No risk indicated.
If the risk severity is unknown, "—" appears in this column.
For more information about risk indicators, see Risk settings reference.
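The following added example (not Incydr's implementation) models the behaviour described under steps 3 and 4 of the configuration and in the PRISM and severity sections: events matching the trusted-activity list are kept for Forensic Search but never alerted on, users on the Departing watchlist get an extra risk indicator on every event, and each event's 0-10 score maps to the severity bands listed above. The indicator names and scores are assumed (Incydr ships its own defaults, editable under Risk settings), the trusted destinations and events are constructed, and summing indicator scores with a cap of 10 is an assumption about how the event score is derived, not something the page states.

```python
"""Trusted-activity filtering, watchlist risk indicators and severity bands.

Added example, not Incydr's implementation. Indicator scores, trust list,
watchlist and events are assumed or constructed.
"""
from dataclasses import dataclass, field


@dataclass
class FileEvent:
    event_id: str
    username: str
    filename: str
    destination: str   # domain, repo owner, or "removable-media"
    category: str      # browser_upload | cloud_sync | removable_media | git_push
    indicators: list = field(default_factory=list)
    score: int = 0


# Assumed indicator scores (Incydr's real defaults live under Risk settings).
INDICATOR_SCORES = {
    "Departing employee": 5,
    "Personal email": 4,
    "Removable media": 3,
    "Untrusted Git repository": 3,
    "Source code": 3,
}
PERSONAL_MAIL = {"gmail.com", "outlook.com"}
SOURCE_SUFFIXES = (".py", ".go", ".java", ".c")

# Constructed trusted-activity list: the corporate tenant and the org's own GitHub.
TRUSTED_DESTINATIONS = {"corp-sharepoint.example.com", "github.com/acme-corp"}
DEPARTING_WATCHLIST = {"alice"}


def is_trusted(ev: FileEvent) -> bool:
    return ev.destination in TRUSTED_DESTINATIONS


def severity(score: int) -> str:
    """Severity bands as listed under Review Alerts on this page."""
    if score >= 9:
        return "Critical"
    if score >= 7:
        return "High"
    if score >= 4:
        return "Moderate"
    if score >= 1:
        return "Low"
    return "No risk indicated"


def apply_indicators(ev: FileEvent, watchlist: set) -> FileEvent:
    """Attach indicators and compute the event score (assumed: sum, capped at 10)."""
    found = []
    if ev.username in watchlist:
        found.append("Departing employee")
    if ev.category == "browser_upload" and ev.destination in PERSONAL_MAIL:
        found.append("Personal email")
    if ev.category == "removable_media":
        found.append("Removable media")
    if ev.category == "git_push" and not is_trusted(ev):
        found.append("Untrusted Git repository")
    if ev.filename.endswith(SOURCE_SUFFIXES):
        found.append("Source code")
    ev.indicators = found
    ev.score = min(10, sum(INDICATOR_SCORES[i] for i in found))
    return ev


def departing_employee_rule(ev: FileEvent) -> bool:
    """Watchlist alert rule: any untrusted file movement by a departing user."""
    return "Departing employee" in ev.indicators


def triage(events, watchlist, rule):
    """Score every event. Trusted events go to the search index only;
    untrusted events that match the rule also become alerts."""
    index, alerts = [], []
    for ev in events:
        apply_indicators(ev, watchlist)
        index.append(ev)          # everything stays searchable
        if is_trusted(ev):
            continue              # captured, but never alerted on
        if rule(ev):
            alerts.append(ev)
    return index, alerts


# Constructed sample events.
EVENTS = [
    FileEvent("e1", "alice", "customer_list.xlsx", "corp-sharepoint.example.com", "cloud_sync"),
    FileEvent("e2", "alice", "customer_list.xlsx", "gmail.com", "browser_upload"),
    FileEvent("e3", "alice", "auth_service.go", "github.com/alice-personal", "git_push"),
    FileEvent("e4", "bob", "report.pdf", "removable-media", "removable_media"),
    FileEvent("e5", "bob", "auth_service.go", "github.com/acme-corp", "git_push"),
]

if __name__ == "__main__":
    index, alerts = triage(EVENTS, DEPARTING_WATCHLIST, departing_employee_rule)
    for ev in index:
        flag = "ALERT" if ev in alerts else ("trusted" if is_trusted(ev) else "no alert")
        print(f"{ev.event_id} {ev.username:6} {severity(ev.score):18} {ev.score:2} {ev.indicators} {flag}")
```

Run it and compare e1 with e2: the same user moves the same file, but the copy to the corporate tenant is trusted and produces no alert even though the Departing employee indicator still scores it Moderate, while the copy to personal mail lands at Critical and alerts. That is the point of keeping trusted events in the search index: when you investigate e2, e1 is still there to show the file's full path out.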
- Date observed: Date and time the alert was generated. Click the column header to sort results by date in ascending or descending order.
- Summary: Describes the activity that generated the alert. The Summary may also include:
- Risk indicators that apply to the activity but that are not explicitly included in the alert rule criteria
- Risk indicators for other activity performed by the user around the same time
These related risk indicators can provide valuable additional context about the activity.
- Rule name: Indicates the specific rules that triggered the alert.
- User: The username or the cloud user associated with the file events that generated the alert. If the user is on a watchlist or department attributes are available, those are also displayed here. Watchlist membership and department attributes reflect the current status of the user, which may differ from when the event occurred.
- Status: The status of the alert:
- Open: Alerts that have not yet been investigated.
- In progress: Alerts for which an investigation is underway.
- Closed - True positive: Resolved alerts that represented a valid risk.
- Closed - False positive: Resolved alerts that did not present a valid risk.
- View detail: Click to view more details about the alert, including exfiltration activity, user attributes, the rules that triggered this alert, and Instructor lessons sent to the user.
Investigate before responding
Incydr identifies potential risks, and an alert about file activity is just one piece of information that contributes to an investigation. Use the alert details as a starting point to determine if the activity is a legitimate threat.
Alerts are only created for untrusted activity
Alerts only apply to events outside your list of trusted activity. Trusted file activity is still captured by Incydr and is visible in Forensic Search, but it does not generate alerts.
Use Forensic Search
Incydr identifies potential risks, and file event metadata is just one piece of information that contributes to an investigation. Use data from Incydr as a starting point to determine if the activity is a legitimate threat.
Search file activity
Forensic Search is a powerful tool for investigating file activity across your organization. With a wide range of search filters covering both endpoint and cloud activity, you can easily create custom queries to gain visibility into all activity monitored by Incydr. For example:
- Browser uploads and downloads.
- Cloud sharing.
- Removable media usage.
- Git clone, pull, and push activity.
- Print activity.
- File created, modified, and renamed events.
- Paste activity from clipboard to browser.
Download and review file contents
In many cases, the file itself is available for download from the search results. The download link appears in the File | Filename section of an event's details.
Search related risks
With Forensic Search, you can search your entire Incydr environment for other, related risks. For example, if you're responding to a non-sanctioned file share via a cloud service, you can identify other instances of the file in your environment to determine who else might be involved by searching for the file hash (MD5 or SHA256) or the filename.
See Forensic Search reference for further information.
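An added example (not Incydr's own code) of the hash pivot described above. Forensic Search accepts an MD5 or SHA-256 as well as a filename; the constructed events show why that matters: a renamed copy matches by hash but not by name, while a same-named file with different contents matches by name only. File contents, users and destinations are all constructed.

```python
"""Pivot from one exfiltrated file to every other copy by content hash.

Added example, not Incydr's own code. Contents and events are constructed.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    event_id: str
    username: str
    filename: str
    destination: str
    md5: str
    sha256: str


def digests(content: bytes):
    return hashlib.md5(content).hexdigest(), hashlib.sha256(content).hexdigest()


def make_event(event_id, username, filename, destination, content: bytes):
    md5, sha256 = digests(content)
    return FileEvent(event_id, username, filename, destination, md5, sha256)


# Constructed file contents.
CUSTOMER_LIST = b"account,arr\nAcme Corp,120000\nGlobex,95000\n"
CUSTOMER_LIST_V2 = CUSTOMER_LIST + b"Initech,40000\n"   # later revision
UNRELATED = b"Q2 all-hands notes\n"

# Constructed events, as they might appear in Forensic Search.
EVENTS = [
    make_event("e1", "alice", "customer_list.csv", "gmail.com", CUSTOMER_LIST),
    make_event("e2", "alice", "notes.txt", "dropbox.com", CUSTOMER_LIST),             # renamed copy
    make_event("e3", "bob", "customer_list.csv", "removable-media", CUSTOMER_LIST),   # second user
    make_event("e4", "carol", "customer_list.csv", "corp-sharepoint.example.com", CUSTOMER_LIST_V2),  # same name, new content
    make_event("e5", "dave", "notes.txt", "gmail.com", UNRELATED),
]


def find_by_hash(events, sha256=None, md5=None):
    """Every event whose content matches. Prefer SHA-256 when both are
    available: MD5 collisions can be manufactured, so an MD5-only match can
    be a planted look-alike rather than a real copy."""
    if sha256 is None and md5 is None:
        raise ValueError("supply sha256 or md5")
    return [e for e in events
            if (sha256 is not None and e.sha256 == sha256)
            or (md5 is not None and e.md5 == md5)]


def find_by_filename(events, filename):
    return [e for e in events if e.filename == filename]


def involved_users(events):
    return sorted({e.username for e in events})


if __name__ == "__main__":
    seed = EVENTS[0]  # the event you are responding to
    hits = find_by_hash(EVENTS, sha256=seed.sha256)
    print("by hash:", [e.event_id for e in hits], involved_users(hits))
    print("by name:", [e.event_id for e in find_by_filename(EVENTS, seed.filename)])
```

Searching by the seed event's hash surfaces the renamed copy (e2) and a second user (bob), which a filename search misses, and leaves out the same-named revision on the corporate tenant (e4), which a filename search would drag in.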
Respond to Departing Employee File Risk
No single response is appropriate for all situations, because risk varies greatly based on the files and users involved. Therefore, we focus on giving you the information you need to respond to insider risks quickly and appropriately, which may include automated action, corrective conversation, real-time blocking, training and education, legal action, engaging other stakeholders in your organization, or anything in-between.
We're going to focus on the following response actions:
- Utilize Incydr Cases to collect, organize, and retain user file activity.
- Add the departing user to another Watchlist, with preventative controls applied to restrict risky activities.
- Work with business partners in HR and Legal if we want to use Incydr Flows to disconnect the user's endpoint from the network or suspend or reduce their access to our systems.
We'll also cover options for responding to isolated incidents:
- Work with the user to recover the file.
- Have the user sign an attestation that no further copies of that file exist.
- Send an Instructor lesson to remind the user what they can and cannot take.
Create a Case to Organize the Investigation
Cases drive consistency and collaboration in your incident management process by documenting your investigation for all stakeholders, as well as retaining investigation evidence and exporting your findings.
- Retain file activity details: When investigating in Forensic Search, you can quickly create a Case to ensure long-term retention of suspicious events.
- Access file contents: Easily access the file contents associated with high-risk data exposure events from within a Case to ensure all evidence stays together.
- Document investigation findings: Enter notes about the Case to summarize findings and recommended actions from your investigation and incident response process.
- Inform relevant stakeholders: Quickly export Case summaries and share them with business stakeholders, like legal, HR, or the employee’s manager.
Use Cases as an efficient way to compile, document, and share details about insider risks. This helps you make more informed decisions about how to respond, and also provides a permanent record of the file activity and users associated with the investigation.
Specifically, Cases enables you to:
- Assemble evidence related to an investigation.
- Add file events from Forensic Search.
- Add notes to provide additional context.
- Summarize and share findings with others in your organization.
See Manage cases and Cases reference, for more details.
Add the Departing User to a Watchlist with Preventative Controls
Watchlists enable you to create groups of users you want to monitor more closely for risky file activity. Watchlists also enable you to implement preventative controls.
Preventative controls enable you to restrict users from performing specific actions, including uploading and pasting content in a web browser, mounting removable media, and sharing files via cloud services.
Preventative controls
Steps to add a user to a Watchlist with preventative controls
- Configure a watchlist to apply preventative controls.
- Add user to the watchlist with preventative controls enabled.
For more information, also see: Manage Incydr preventative control settings.
Incydr Flows
Incydr Flows, powered by Tines, allow security teams to automate actions between Incydr and other corporate systems like IAM, PAM, EDR, HCM, ITSM, and email security in order to save time and increase effectiveness.
Response Flows
Response Flows orchestrate controls to mitigate corporate data leaks. These controls are intended to contain active insider threats and can be automated based on the severity of an event. They are delivered through integrations with systems like IAM, PAM, EDR, and ITSM.
Remove user access to contain threats
Remove employee access to systems using Okta.
Quarantine an endpoint to contain threats
Quarantine endpoints during active insider threat investigations with CrowdStrike and SentinelOne.
- Incydr Response Flows (288.4 KB)
For more information, see Introduction to Incydr Flows, and Configure Incydr Flows.
Respond to an isolated incident
If we determine that this was an isolated incident, we can:
- Work with the user to recover the file.
- Have the user sign an attestation that no further copies of that file exist.
- Send an Instructor lesson to remind the user what they can and cannot take.
Recover the file
Depending on what was moved and where it went, work with the employee to ensure the data is removed from the unsanctioned application or device swiftly. This is best done via a video call, where you can ask the employee to share their screen so you can assist to make sure it is done properly.
Sign an attestation
Once the file is recovered, if needed, you can send them a data destruction attestation to sign saying that they are not aware of the data residing anywhere outside the trusted network, in any form or fashion. Work with your legal team to establish when and how to use an attestation for your program. Here’s a template we provide to our customers to build upon for their organization: Unauthorized data transfer and deletion attestation template.
Send an Instructor lesson
It’s important to provide the employee information on the RIGHT way to take action in the future. Providing guidance at the time of the error is highly impactful and more likely to be remembered than, say, an annual training. We call this just-in-time training and it works. Also, people are busy so if you want them to consume it, make it a quick lesson. We suggest a 1-3 minute training on the specific situation. Instructor lessons were built specifically for this purpose.
The course includes an example video you can send to a departing employee, with role-specific versions for Sales, Marketing, and Developers.
For more information, see Send Instructor lessons.
Empathetic Investigations
Case Studies
Snap Finance Uses an Incydr & Wrike Context Flow to Protect Data During Employee Departure
Challenge: Understanding data movement to protect confidential information and IP
Snap Finance is a growing FinTech company with a remote workforce across multiple countries. As they grew globally, without a physical perimeter, they realized they needed better visibility into data movement between users, applications and devices in their environment. Without it, they may not know if confidential information or intellectual property were exfiltrated, especially during employee offboarding. With a focus on protecting both their competitive advantage and customer trust, the Snap Finance team began looking for a solution to get a better understanding of their environment and speed up their response to potential exfiltration events.
Solution: Process Automation and Increased Visibility with Incydr
Prior to using Incydr to protect their data, Snap Finance needed a way to mitigate the impact of data loss when an employee left the organization. Now, Incydr’s Departing Employee Lens works seamlessly through an Incydr Flow with Wrike (their project management system). First, Human Resources puts a notice in Wrike that an employee is departing. Incydr then receives this information from Wrike, and automatically adds the employee into the Departing Employee Lens, ensuring that all activity moving forward will be labeled with a “Departing Employee” Incydr Risk Indicator (IRI). Snap Finance security analysts can then review prioritized file exfiltration activities and quickly take a right-sized response. The workflow even takes into account the different employment laws and privacy considerations of the specific country in which the departing employee resides.
Results: Enacting a Right-Sized Response During Employee Departures
By automating their departing employee process with the Incydr + Wrike Flow, Snap Finance has been able to catch and quickly initiate a right-sized response to instances of exfiltration during employee departures. This allows them to mitigate the risk of critical IP leaving the organization without their knowledge. They now have an understanding of their environment and what normal vs. risky behavior truly looks like. Today, Snap Finance is well-prepared to not only protect their organization’s crown jewels, but also their customers’ data, preserving trust and allowing them to retain their competitive edge.
Download Snap Finance Case Study.
Certinia Uses Incydr to Protect Data from Top Exfiltration Risks
Problem: Protecting data from departing employees and third parties
On an annual basis, the Certinia security team conducts an executive information security risk assessment to align team priorities with business objectives and identify the most pressing risks in the organization. Based on this assessment, Aaron Momin, CSO at Certinia (previously known as FinancialForce), determined that data leaking by departing employees, to competitors or to third parties was a significant security risk with the potential to cause major business impact. The security team needed to deploy and integrate the right technology and establish repeatable workflows to mitigate insider risk in these high-risk situations.
Challenge: The need for speed & reducing alert fatigue
To effectively protect data from insider risk, and meet executive expectations, Certinia needed the ability to quickly detect and respond when critical insider risk events occur. To save them time, and decrease alert fatigue, Momin knew they needed a solution that could prioritize the risk that matters most and provide flexible ways to automate response. “For our security team, speed to response is critical. It’s not about boiling the ocean, but mitigating the top risks against the company — and prioritizing our efforts,” says Momin.
Customer Requirements
- Solve top use cases like protecting data from departing employees, competitors and third parties
- Protect the data that matters most including source code, IP and customer data
- Solution that quickly prioritizes alerts that matter most without contributing to alert fatigue
Solution: Why Incydr was the right solution for Certinia
Through his tenure in data security, Momin knows that data is always changing, meanwhile threat actors, business transactions and workflows are always evolving. This dynamic means that it is essential to have a solution that can provide continuous visibility into risk exposure. As Momin and his team looked further into solving these complexities they discovered Incydr provided the best solution for Certinia to manage insider risk.
Key Benefits
- Accelerate response by correlating Incydr IRIs and alerts with other security telemetry in their integrated user risk-scoring engine.
- Save time by automating previously manual processes to protect data during employee departures and other high-risk times.
- Secure corporate data by closing insider risk posture gaps with a holistic IRM solution.
Download Full Certinia Case Study.
Summary
In this course, you learned how to protect IP from departing employees.
We covered:
- Getting visibility into cloud and endpoint exfiltration via watchlists - including Git push and pull activity, browser events, Airdrops, and cloud syncs.
- Integrating Incydr directly with your HR tools and automating response - all while bridging the gap between HR and Security.
- Using best practices for validating actual file contents, so you know without a doubt how sensitive exfiltrated data may be.
- Implementing real-time blocking for departing employees, when appropriate.
Additional Resources
Top Link for Sharing
- Safeguarding Intellectual Property During Employee Offboarding: the clips from throughout this course, in one video.
Incydr
- Use Case: Departing Employees
- Incydr Flows
- Incydr Ecosystem
- Incydr’s Proactive Risk Identification and Severity Model (PRISM)
- Response controls
Support
Configure
Monitor & Investigate
- Action Items dashboard reference
- Exfiltration dashboard reference
- Watchlists reference
- Departing employee risk report reference
- Review Alerts reference
- Forensic Search reference
Respond