Code42 partners with Splunk to help security teams and SOC analysts prioritize insider risk

Code42 announced it is to deliver its data exfiltration alerts and dashboards within the Splunk Security Operations Suite. Security teams using the Code42 Insider Threat app for Splunk can identify and prioritize the most critical insider risk events, speeding response to data leaks and malicious attempts to exfiltrate data.

The Code42 Insider Threat app for Splunk will advance SOC analysts’ insider threat detection capabilities by making it easier to surface data leak alerts with context, simplifying triage and investigations. Accessible through Splunkbase, the Code42 Insider Threat app for Splunk will help security teams reduce investigation and response time.

FinancialForce, the leading provider of customer-centric business applications across finance, services and customer success teams, leverages the Code42 and Splunk integration to support their Insider Risk program. “This integrated risk score [between Code42 and Splunk] provides FinancialForce with a comprehensive view into risk,” said Aaron Momin, CSO for FinancialForce.

“It gives us a precise and factual indication of who is most likely to become an insider risk to the company. We can also group risk by function. So, for example, we can decipher that a certain function may tend to be the riskiest based on a concentration of employees with high risk scores,” he continued.

As a part of the offering, the Code42 Insider Threat app for Splunk enables organizations to operationalize insider risk workflows, such as employee offboarding, and mitigate Shadow IT risks. The app helps detect and visualize data movement to unsanctioned cloud applications, messaging systems and unmanaged devices.

Prioritize real insider threat and protect intellectual property

Today, two in three IT security leaders say they don’t know which Insider Risks to prioritize. The Code42 Insider Threat app for Splunk is powered by the Code42 Incydr product’s context-driven prioritization model, which correlates file, exfiltration destination and user risk indicators to surface and report on the risks that matter most to businesses. Through the app, Incydr sends prioritized alerts, audit log, file exposure and device health information to Splunk, where it is visualized in custom dashboards and can be triaged.

The Code42 app contains data exposure dashboards that provide a brief summary of detected high risk employees, insider risk cases, removable media transfers, cloud file shares, cloud desktop syncs, browser and app reads. These combined capabilities inform appropriate triage through the right human and automated response actions.

The Code42 Insider Threat app for Splunk provides insights that can be applied to existing SOC workflows. Features of the cloud-native app include:

• Alert prioritization: Gain actionable intelligence and reduce noise by ingesting Incydr prioritized alerts into Splunk.
• Exposure dashboards: Analyze and report on Insider Risk posture trends to quickly identify untrusted activity. At a glance, analysts can see the most critical user activity, destinations and events.
• Audit log retention: Satisfy compliance requirements by retaining audit log metadata beyond 90 days.
• Device health checks: Ensure analysts have accurate and up-to-date exfiltration information by making sure devices are checking in and sending data to respective clouds.

“The increased use of collaboration technology goes hand in hand with today’s hybrid work environments. As employees share files in their normal course of business, it is increasingly difficult for security analysts to determine which file activities are real threats to their business versus part of legitimate work,” said Ananth Appathurai, senior vice president of strategic partnerships and ecosystem at Code42. “Incydr tunes out 97% of noise created by employee collaboration to give security practitioners using Splunk the insight, control and transparency they need to speed response to the most critical insider threat events.”