Trust and cloud activity

Overview

Incydr monitors file activity that takes place in both personal and corporate cloud storage accounts. When file activity is detected, Incydr applies its trusted activity model to those events. This article explains how Incydr applies defined or inferred trust to file events in cloud storage to identify and prioritize untrusted activity.

Trusted cloud file activity

Users can interact with files in cloud services by:

  1. Uploading files to a cloud service either from a browser or a desktop sync app.
  2. Changing sharing permissions to share files with other users in corporate cloud storage drives.
  3. Emailing attachments through cloud-based email services.
  4. Downloading reports from Salesforce environments.

Incydr determines whether file activity generated by these methods is trusted using either defined or inferred trust. Because identifying trust depends on the method used to interact with the cloud storage service, each method requires a different configuration.

Files uploaded to cloud services

Users can upload files to the cloud using either a browser (when checking files into a source code repository or adding files to a cloud storage drive) or a desktop sync app (such as the Slack desktop application or any desktop sync app that syncs local and cloud files). Incydr determines whether these uploads are trusted using both defined and inferred trust.

  • Many cloud services have well-defined structures that allow personal activity to be easily differentiated from corporate use. For example:
    • Source code repositories contain unique structures in URLs that categorize projects, branches, and products.
    • Jira or OneDrive corporate tools use unique URL addresses to identify corporate sites.
    • Slack provides unique workspace names for organizations, clubs, and social groups.
    Set up trusted domains to define the activity that occurs in these structures as trusted.
  • Google Drive currently does not provide the information needed to differentiate uploads to personal drives from those to corporate locations. Thus, Incydr uses inferred trust to determine when a file has been uploaded from a monitored endpoint to a monitored corporate drive to identify it as trusted.
Browser activity
  Example trusted action:
    • File uploaded to a trusted domain (such as a corporate Jira or OneDrive domain), to a specific URL path (a trusted GitHub repository), or to a Slack workspace via a web browser
    • File uploaded to a corporate Google Drive
  Type of trust applied: Defined
  Metadata evaluated for trust: Tab URL, Tab title
  Configuration needed:
    • Set up trusted activity.
    • For Google Drive:
      1. Connect Incydr to the corporate environment in Data Connections.
      2. Verify that the Incydr agent is installed on user endpoints.

Desktop sync activity
  Example trusted action: File synced to a drive via Google Drive for desktop (formerly Google Drive File Stream)
  Type of trust applied: Defined
  Metadata evaluated for trust: Domain, Sync username
  Configuration needed: Set up trusted domains.

Can I use defined trust for a specific cloud service via a URL?
Defined trust can only be established when the cloud service easily differentiates between personal and corporate accounts by using unique structures or paths in the URL.

The following list describes whether common cloud service vendors provide unique URLs:

  • OneDrive: Yes
  • Box: Yes, only if you configure a custom URL (which is not required)
  • Dropbox: No
  • Google Drive: No
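As an added illustration, not Incydr's code (its real matching rules and wildcard syntax are not published on this page), the following Python sketch shows how defined trust evaluates a file event's destination against trusted domains and URL paths, and why the leading wildcard that the Considerations below warn about over-matches. The event field names tab_url and recipient, and treating '*' as a glob, are assumptions.

```python
"""Defined trust, illustrated: match a file event's destination against trusted
domain / URL-path patterns that may contain '*', and show how a leading wildcard
over-matches. Added example for this article, not Incydr's code; event field
names and the '*' matching rules are assumptions."""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


def destination(event):
    """Return (host, path) that defined trust is evaluated on: the browser tab
    URL for uploads, or the recipient's email domain for attachments."""
    if "tab_url" in event:
        u = urlsplit(event["tab_url"])
        return (u.hostname or "").lower(), u.path.lower()
    if "recipient" in event:
        return event["recipient"].rsplit("@", 1)[-1].lower(), ""
    return "", ""


def is_trusted(event, trusted_patterns):
    """A host-only pattern is compared with the host; a pattern containing '/'
    is compared with host+path, so 'github.com/corp-org/*' scopes trust to one
    organisation's repositories rather than to all of github.com."""
    host, path = destination(event)
    for pattern in trusted_patterns:
        pattern = pattern.lower()
        subject = host + path if "/" in pattern else host
        if fnmatchcase(subject, pattern):
            return True
    return False


# Constructed sample events; every value is made up for the example.
EVENTS = {
    "jira": {"tab_url": "https://corp.atlassian.net/browse/SEC-1"},
    "repo": {"tab_url": "https://github.com/corp-org/payments/upload"},
    "fork": {"tab_url": "https://github.com/someone-else/payments/upload"},
    "mail": {"recipient": "finance@corp.example"},
    "lookalike": {"recipient": "me@evilcorp.example"},
}
# Exact hosts plus one path-scoped repository pattern.
TRUSTED = ["corp.atlassian.net", "github.com/corp-org/*", "corp.example"]
# The leading wildcard the article warns about: it also matches evilcorp.example.
OVERBROAD = ["*corp.example"]


def audit(trusted_patterns, events=EVENTS):
    """Map each sample event to its verdict so the two pattern lists can be compared."""
    return {name: is_trusted(ev, trusted_patterns) for name, ev in events.items()}
```

Running audit(TRUSTED) trusts the Jira site, the organisation's repository and the corporate mail domain only, while audit(OVERBROAD) also trusts the look-alike recipient domain.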

Files shared in corporate cloud storage

Corporate cloud storage services like Box, Google Drive, and OneDrive allow users to share files with other collaborators using tools available in the browser after logging in. Changes to file sharing permissions can be detected only through Incydr's data connections.

Sharing activity
  Example trusted action: File in a corporate Box, Google Drive, or Microsoft OneDrive is shared with internal coworkers
  Type of trust applied: Defined
  Metadata evaluated for trust: Email domains of "Shared with" recipients
  Configuration needed: Connect Incydr to the vendor environment in Data Connections

Attachments sent through cloud-based email services

A common exfiltration vector is email: users can simply send sensitive attachments to a personal email address, or inadvertently to other untrusted recipients. Incydr determines whether this activity is trusted using defined trust.

Email activity
  Example trusted action:
    • Attachments sent from your corporate domain to trusted recipients
    • Email sent from your corporate Gmail or Microsoft Office 365 email accounts to trusted recipients
  Type of trust applied: Defined
  Metadata evaluated for trust: Email domains
  Configuration needed:
    • Set up trusted domains.
    • If your organization uses Gmail or Office 365 email, connect Incydr to those environments in Data Connections.

Reports downloaded from Salesforce

Business services like Salesforce house your vital business data in databases and reporting tools. By monitoring this environment directly, Incydr can identify when reports containing critical business data have been downloaded to an unmonitored device. Without this level of monitoring, you might not know that a report had been downloaded to a personal computer or mobile device at all.

Salesforce report downloads
  Example trusted action: Report in Salesforce is downloaded to an endpoint that is monitored by Incydr
  Type of trust applied: Inferred
  Metadata evaluated for trust: Incydr username
  Configuration needed:
    1. Connect Incydr to the Salesforce environment in Data Connections, and scope it to monitor the users who can export reports in Salesforce.
    2. Verify that the Incydr agent is installed on endpoints for users who can export reports in Salesforce.

Considerations

  • Incydr evaluates events for exact matches of your trusted activity values, although wildcards are allowed for more flexibility. Use caution with leading and trailing wildcards as you can inadvertently trust unintended destinations.
  • Files downloaded into a folder syncing with a cloud service are automatically categorized as trusted activity because the file is not being exfiltrated from the device.
  • Inferred trust uses an authorized data connection and the Incydr agent installed on an employee's endpoint. If a user is in scope for monitoring by the data connector but does not have an endpoint that is monitored by Incydr (or vice versa), corresponding file events cannot be matched, resulting in events falsely being flagged as untrusted.
  • Matching cloud activity with corresponding endpoint activity to determine inferred trust can take up to one hour.
  • Delayed detection of corresponding file events can cause Incydr to flag sharing in corporate cloud services as untrusted. This can happen if the vendor has throttled the Incydr data connection's API requests or if the employee's endpoint is offline or powered down immediately following the activity.
  • Some vendors are better than others at using separate domains for personal versus corporate cloud storage.
    • Use defined trust when you can easily differentiate personal accounts from corporate accounts. Vendors that require unique corporate domains include:
      • Microsoft OneDrive
      • Box, if you configure a custom subdomain for your corporate environment (which is not required or enabled by default)
    • Connect Incydr to the corporate cloud storage environment in Data Connections to use inferred trust when you cannot easily differentiate personal accounts from corporate accounts. Inferred trust works well for these vendors:
      • Google Drive, which does not provide unique URLs or useful tab title information to clearly identify personal accounts
      • Box, if you have not configured a custom subdomain for your corporate environment
      • Microsoft OneDrive, as a failsafe and backup in case defined trust cannot be determined or if trusted activity is not configured.
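The inferred-trust correlation described in these considerations, as an added illustration that is not Incydr's code: cloud events from a data connection are matched to endpoint events by user, file name and time, and the one-hour matching window is used as a grace period before an unmatched event is flagged. The event shapes, the field names and the three-state verdict are assumptions.

```python
"""Inferred trust, illustrated: correlate cloud-side file events (from a data
connection) with endpoint-side events (from the agent) by user, file and time.
Added example for this article, not Incydr's code; the event shapes and the use
of the one-hour window as a 'pending' grace period are assumptions."""
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # the article: matching can take up to one hour
T0 = datetime(2024, 5, 1, 9, 0)

# Constructed sample data: cloud events from the vendor data connection,
# endpoint events from the Incydr agent. All values are made up.
CLOUD_EVENTS = [
    {"id": "c1", "user": "alice", "file": "q3-pipeline.csv", "ts": T0},
    {"id": "c2", "user": "bob", "file": "roadmap.pdf", "ts": T0 + timedelta(minutes=5)},
    # carol exported a report but has no monitored endpoint: can never match.
    {"id": "c3", "user": "carol", "file": "payroll.xlsx", "ts": T0 + timedelta(minutes=10)},
]
ENDPOINT_EVENTS = [
    {"user": "alice", "file": "q3-pipeline.csv", "ts": T0 + timedelta(seconds=40)},
    # bob's endpoint saw the file two hours earlier: outside the window.
    {"user": "bob", "file": "roadmap.pdf", "ts": T0 - timedelta(hours=2)},
]


def infer_trust(cloud_events, endpoint_events, now, window=WINDOW):
    """Map each cloud event id to 'trusted', 'pending' or 'untrusted'.

    trusted:   an endpoint event for the same user and file lies within window
    pending:   no match yet but the window has not elapsed; the endpoint event
               may still arrive (device offline, throttled API), so withhold
    untrusted: no match and the window has passed. This is either real
               exfiltration or the false positive the article describes when a
               user is monitored on only one side (cloud or endpoint)."""
    verdicts = {}
    for c in cloud_events:
        matched = any(
            e["user"] == c["user"] and e["file"] == c["file"]
            and abs(e["ts"] - c["ts"]) <= window
            for e in endpoint_events
        )
        if matched:
            verdicts[c["id"]] = "trusted"
        elif now - c["ts"] <= window:
            verdicts[c["id"]] = "pending"
        else:
            verdicts[c["id"]] = "untrusted"
    return verdicts
```

Evaluated half an hour after the events, c2 and c3 are still pending; evaluated three hours later, both are untrusted, and c3 is exactly the unmonitored-endpoint false positive noted above.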
