Overview
Incydr's robust content inspection capabilities provide an additional level of protection for your organization's most sensitive data. Incydr's content inspection works by inspecting exfiltrated files for PII, PCI, and other sensitive content types, then showing you how this data is leaving your organization and where it's going.
In addition, Incydr's content inspection:
- Supports compliance controls to protect regulated data with minimal configuration.
- Adds a new layer of context to PRISM scores, enabling Incydr to better detect file sensitivity.
- Enables you to define Custom file content risk indicators to detect important keywords unique to your environment.
- Supports real-time alerts to notify you as soon as exfiltration of sensitive content is detected.
- Does not slow down users or endpoints. All content inspection processing is performed in the Incydr cloud.
- Does not require writing or maintaining complex regex policies.
Before you begin
- This functionality requires the Content inspection add-on SKU. Contact your Customer Success Manager (CSM) for questions about licensing requirements.
- The Collect exfiltrated file contents setting must be enabled. See Endpoint Data Collection settings for more details.
How it works
Content inspection uses Incydr's risk indicator framework to highlight exfiltrated files that contain sensitive information. When sensitive content is identified, a risk indicator is applied to the file activity. Risk indicators are surfaced throughout Incydr dashboards, alerts, event details, and more.
File contents are only inspected for files exfiltrated to untrusted locations
Incydr's content inspection focuses on the contents of files leaving your organization. It is not designed for general data discovery.
Files sent to trusted locations are not inspected. Files involved in non-exfiltration activity are not inspected.
For example, if a user moves a file with credit card numbers to removable media, the Credit card number risk indicator is applied to the event (shown below in the file event details).
The Exfiltration dashboard also highlights files with sensitive information leaving your organization.
To view:
- Sign in to the Incydr console.
- Select Dashboards > Exfiltration.
- Click Show filters, then select File risk indicators.
- Select the sensitive content risk indicators to include in the graph (for example, Credit card number, US Social Security Number (SSN), etc.).
- On the right, select the destinations to include.
- Click Update results.
Content types and risk indicators
Each sensitive content type has a corresponding risk indicator. To view the risk indicators for each content type detected by Incydr:
- Sign in to the Incydr console.
- Select Risk settings.
- In the File risk indicators section:
- Select Credentials and tokens to view the types of credentials and tokens detected by Incydr.
- Select Personally Identifiable Information to view the pre-defined PII types detected by Incydr.
- Select Custom file content risk indicators to view your custom keyword risk indicators. For steps to create a new custom risk indicator, see the next section.
Add a custom file content risk indicator
Custom file content risk indicators enable you to define sensitive keywords for your organization and detect when files containing those words are exfiltrated from your environment.
For example, a law firm might choose to apply risk to any file sent to an untrusted destination containing the phrase "Attorney-Client Privilege."
To create a custom file content risk indicator:
- Sign in to the Incydr console.
- Select Risk settings.
- In the File risk indicators section, select Custom file content risk indicators.
- Select Add custom risk indicator.
- Enter a label, description, and select a risk score.
- Choose the file content type:
  - Plain text: Evaluate file contents based on specific text strings.
  - Regular expression (regex): Evaluate file contents based on regex patterns.
- In the Includes any field, enter the text you want to detect.
  - Plain text:
    - Enter up to 10 terms on separate lines.
    - Each term is limited to 500 characters.
    - Terms are not case-sensitive.
    - Wildcards are not supported.
  - Regular expression:
    - Enter up to 10 terms on separate lines.
    - Each term is limited to 500 characters.
    - For best results, use basic regex. Complex pattern matching such as negative lookaheads is not supported.
- Click Save.
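The limits and matching behavior described in the steps above, as an added example that is not Incydr's own code and does not describe how the product is implemented: a small Python model of a custom file content risk indicator. It enforces the documented save-time limits (up to 10 terms, 500 characters each), matches plain text literally and case-insensitively (so a `*` is an ordinary character, not a wildcard), rejects lookaround syntax in regex terms, and applies the indicator only to events bound for untrusted destinations, since files sent to trusted locations are not inspected. The `CustomIndicator`, `FileEvent` and `inspect` names, the sample indicators and events, the treatment of all four lookaround forms as unsupported, and the absence of case folding for regex terms are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Limits stated on the page: up to 10 terms per indicator, 500 characters each.
MAX_TERMS = 10
MAX_TERM_LEN = 500

# Lookaround syntax: (?=  (?!  (?<=  (?<! . The page names negative lookaheads
# as unsupported; rejecting all four forms is an assumption made here.
_LOOKAROUND = re.compile(r"\(\?<?[=!]")


@dataclass
class CustomIndicator:
    """Hypothetical model of one custom file content risk indicator."""
    label: str
    content_type: str          # "plain_text" or "regex", as offered in the console
    terms: list
    risk_score: int = 5
    _patterns: list = field(init=False, default_factory=list, repr=False)

    def __post_init__(self):
        # Save-time validation mirroring the documented limits.
        if self.content_type not in ("plain_text", "regex"):
            raise ValueError("content_type must be 'plain_text' or 'regex'")
        if not 0 < len(self.terms) <= MAX_TERMS:
            raise ValueError(f"enter between 1 and {MAX_TERMS} terms")
        for term in self.terms:
            if len(term) > MAX_TERM_LEN:
                raise ValueError(f"term longer than {MAX_TERM_LEN} characters")
            if self.content_type == "regex":
                if _LOOKAROUND.search(term):
                    raise ValueError(f"lookaround not supported: {term!r}")
                try:
                    re.compile(term)
                except re.error as exc:
                    raise ValueError(f"invalid regex {term!r}: {exc}") from exc
        if self.content_type == "plain_text":
            # Literal, case-insensitive match; '*' and '?' are ordinary characters
            # because wildcards are not supported for plain text.
            self._patterns = [re.compile(re.escape(t), re.IGNORECASE) for t in self.terms]
        else:
            # Regex terms are compiled as written; the page does not state how
            # case is handled for regex, so no flags are assumed.
            self._patterns = [re.compile(t) for t in self.terms]

    def matches(self, content: str) -> bool:
        """'Includes any': one matching term is enough to apply the indicator."""
        return any(p.search(content) for p in self._patterns)


@dataclass
class FileEvent:
    """Minimal file exfiltration event (constructed; not Incydr's event schema)."""
    file_name: str
    destination: str
    destination_trusted: bool
    content: str


def inspect(event: FileEvent, indicators: list) -> list:
    """Return the labels of the custom indicators that apply to the event.

    Files sent to trusted locations are not inspected, so such an event gets
    no content-based indicators regardless of what the file contains.
    """
    if event.destination_trusted:
        return []
    return [ind.label for ind in indicators if ind.matches(event.content)]


def validation_error(content_type: str, terms: list) -> str:
    """Return the save-time validation message for a term list, or '' if valid."""
    try:
        CustomIndicator("probe", content_type, terms)
    except ValueError as exc:
        return str(exc)
    return ""


# Constructed indicators and events for the demonstration (not real data).
INDICATORS = [
    CustomIndicator("Privileged legal content", "plain_text",
                    ["Attorney-Client Privilege", "Work Product"]),
    CustomIndicator("Project code name", "regex", [r"\bPROJECT-[A-Z]{3}-\d{4}\b"]),
    CustomIndicator("Wildcard typed literally", "plain_text", ["Project-*"]),
]

EVENTS = [
    FileEvent("memo.docx", "Personal Dropbox", False,
              "ATTORNEY-CLIENT PRIVILEGE. Do not forward."),
    FileEvent("memo.docx", "Corporate SharePoint", True,
              "ATTORNEY-CLIENT PRIVILEGE. Do not forward."),
    FileEvent("roadmap.txt", "USB drive", False,
              "Budget for PROJECT-ORC-2025 and the Project-Orca launch"),
]


def run_demo() -> dict:
    """Map 'file@destination' to the indicator labels applied to that event."""
    return {f"{e.file_name}@{e.destination}": inspect(e, INDICATORS) for e in EVENTS}


if __name__ == "__main__":
    for key, labels in run_demo().items():
        print(f"{key}: {labels or 'no custom indicators'}")
```

The same memo gets the privileged-content indicator when it goes to personal cloud storage and nothing when it goes to corporate SharePoint, which is the trusted/untrusted distinction the page makes. The `Project-*` term never matches `Project-Orca`, which is why a pattern like that belongs in a regex indicator rather than a plain text one.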
Alerts
One of the key features of Incydr's content inspection is the ability to receive real-time alerts as soon as exfiltration of sensitive content is detected. Since each sensitive content type has a corresponding risk indicator, you can easily integrate these into your alert rule configurations, just like any other risk indicator.
Use one of these rule templates to set up an alert based on sensitive content:
- Personally identifiable information (PII): Define an alert rule based on specific PII entities like social security numbers and credit card numbers.
- Custom file content risk indicators: Define an alert rule based on your own content strings. For example, files that contain the text “Attorney/Client Privilege.”
- Tokens and credentials in source code: Define an alert rule based on specific credentials like SAML tokens and AWS session keys.
Configure alerts for sensitive content
To alert on sensitive content:
- Sign in to the Incydr console.
- Go to Alerts > Manage Rules.
- To create a new alert rule, select Create rule and select a type. Alternatively, select an existing rule to update it.
- Select the content types to include in the alert. If you selected an existing rule or used a different rule template, click the edit icon next to the Personally identifiable information (PII) or Custom file content risk indicators rule setting.
- Edit other settings as necessary. For example, select AI Tools destinations along with specific PII types to be alerted when that content is sent to untrusted AI tool destinations.
For complete details about defining rule criteria, see Create and manage alert rules.
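How the content type and destination criteria of a rule combine, as an added example that is not Incydr's own code or alert engine: a small Python evaluator that runs two rules shaped like the templates above (PII types restricted to AI Tools destinations, and a custom content string with no destination restriction) over constructed file events that already carry their risk indicators. The `AlertRule`, `FileEvent`, `evaluate` and `alerts_for` names, the sample rules and events, and the semantics that settings combine with AND while the values within one setting combine with OR are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AlertRule:
    """Hypothetical model of one alert rule's sensitive-content criteria."""
    name: str
    content_types: frozenset                 # risk indicators the rule looks for (any of these)
    destinations: frozenset = frozenset()    # destination categories; empty = any destination


@dataclass(frozen=True)
class FileEvent:
    """Constructed file exfiltration event with the risk indicators already applied."""
    user: str
    file_name: str
    destination_category: str
    risk_indicators: frozenset


def evaluate(rule: AlertRule, event: FileEvent) -> frozenset:
    """Return the content types that triggered the rule, or an empty set.

    Assumed semantics: settings combine with AND (content AND destination),
    values inside one setting combine with OR (any listed PII type).
    """
    if rule.destinations and event.destination_category not in rule.destinations:
        return frozenset()
    return event.risk_indicators & rule.content_types


def alerts_for(rules, events) -> list:
    """List (rule name, user, file, matched content types) for every rule that fires."""
    hits = []
    for event in events:
        for rule in rules:
            matched = evaluate(rule, event)
            if matched:
                hits.append((rule.name, event.user, event.file_name, sorted(matched)))
    return hits


# Constructed rules and events for the demonstration (not real data).
RULES = [
    AlertRule("PII to AI tools",
              frozenset({"US Social Security Number (SSN)", "Credit card number"}),
              frozenset({"AI Tools"})),
    AlertRule("Privileged content to any destination",
              frozenset({"Attorney/Client Privilege"})),
]

EVENTS = [
    FileEvent("alice", "customers.csv", "AI Tools",
              frozenset({"US Social Security Number (SSN)"})),
    FileEvent("bob", "customers.csv", "Removable media",
              frozenset({"Credit card number"})),
    FileEvent("carol", "memo.docx", "Cloud storage",
              frozenset({"Attorney/Client Privilege"})),
    FileEvent("dave", "notes.txt", "AI Tools", frozenset()),
]


def run_demo() -> list:
    """Evaluate the sample rules over the sample events."""
    return alerts_for(RULES, EVENTS)


if __name__ == "__main__":
    for name, user, file_name, matched in run_demo():
        print(f"[{name}] {user} sent {file_name} containing {', '.join(matched)}")
```

Bob's credit card data going to removable media does not fire the first rule because that rule is scoped to AI Tools destinations; a second rule without a destination restriction would be needed to cover it, which is the trade-off to weigh when narrowing a rule to one destination category.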
Review alerts
To review alerts with sensitive content:
- Sign in to the Incydr console.
- Go to Alerts > Review Alerts.
- Review the Content inspection column.
- Optionally, click the filter icon. In the Content inspection section, select an item to show only alerts that identified that type of content.
- Select an alert to show more details about the exfiltrated files and the sensitive content in those files.
For more information about reviewing alerts, see Review Alerts reference.
Audit log
Changes to Custom file content risk indicators are tracked in the audit log. To review activity:
- Go to Administration > Status > Audit Log.
- Click the filter icon.
- Expand Administration and select one or more of the following:
  - Content inspection entity created
  - Content inspection entity updated
  - Content inspection entity deleted
Security architecture
Content inspection is an optional component of Exfiltrated File Collection and adheres to our strict security architecture. In addition:
- The contents of your files are never used to train data models of any kind.
- Files are encrypted in transit and at rest.
- Files are streamed in memory during inspection, but are not persisted to disk in any additional locations.
- Users are not granted any additional permissions. Only users with existing permissions to view exfiltrated file contents can see the inspected contents.
- Content inspection uses natural language processing to apply contextual metadata to file events.
- File contents are not modified during the inspection process. If content of interest is identified, a summary (for example, "Social Security Numbers") is submitted to the Security Data Pipeline. This enables additional metadata to be added to events without directly exposing the content of the collected files. The actual sensitive content continues to only be visible to users with permissions to view exfiltrated file contents.