Oktane18: Code 42 -- Accelerating Collaborative Incident Response

Mark: Hello. Thanks for joining me. Good afternoon, I guess it's officially afternoon now. As I just kind of talked about, we'll do a couple of things today. One is we'll talk about how to accelerate incident response. I'll get you guys out of here quickly. I know I'm the only thing standing between you and lunch, so insert corny joke there. So you guys can hold any questions until the end, we'll have a microphone. I know my presentation is incredibly thorough and concise, but in case there are any lingering questions, you can just ask that at that point ... And then, as she mentioned, the survey card as well.

So today we're going to be talking about accelerating incident response. My name is Mark, I'm with Code42, and we'll talk about ... who here's heard of Code42 or a crash plan? Okay, so a couple of people. So we'll talk a little bit more about Code42 and how we work with Okta and how we help accelerate instant responses, and some overall strategies on how to do that. But before we do that, I want to just think about your company today, right. What is important, what is valuable? Is it IP, is it certain designs, is it certain data sets? And what happens if that data is compromised? If that data is taken out of the organization. If ransomware, Malware, if some type of incident happens so that you are no longer able to move forward as an organization you are paralyzed. And how do you respond to that?

How do you respond, actually, and know that you have mitigated it completely that you have a full understanding of what the incident is and so that you can know that you resolved it as opposed to just hoping or praying. All right. So those are the types of things that we're going to be talking about how to accelerate that confidence. So today we're going to cover a couple of things. One is why incident times are growing, incident response times. So when something bad happens, right? In today's world bad things are going to continue to happen. Why are times increasing, how Code42 and Okta work together to help reduce that time? And then three, some strategies that you can take back with you to help your organization actually improve that speed to respond.

So first a little bit about Code42. We're based out of Minnesota which means we're getting ready for three weeks of summer here coming up. We have about two and a half million different endpoints so desktops laptops that are protected with our with our agent and we'll talk about that in just a little bit. We have over 500, right around 600, what we call guardians or employees of Code42. And we say guardians because we really believe that we're guardians and we help people protect ideas because one of the mantras that we have that we really live dear to is every idea matters and we'll talk about that because in an incident response, every idea matters and every second matters. And we do that in three different ways. So using our lightweight agent okay, the text is a little weird on this screen. That's okay.

So using our lightweight agent, we really help protect ideas and content in three different ways. First is from a business continuity so being able to have access to your information whether you delete it, whether your laptop is put in a lake. Being able to restore and do that quickly and effectively so that you can continue to move forward. The second way is helping out with information governance. So whether that be how do I make sure that I'm compliant with certain regulatory requirements or regulatory aspects that my organization needs to comply with or is it ... oh boy, those are really messed up. Sorry about that, or we are also a critical part of the compliance and legal discovery as well. So in that process where you are trying to preserve information, Code42 is a critical piece in that collection and preservation as opposed to setting that computer in a closet, have full closets full of data that you need to store, we can actually do that behind the scenes silently so not to interfere with your individual workers.

And then finally, from an incident response because we have visibility and because we work on the endpoint inside and investigation powers into where is data what's happened, how is that data moved throughout your organization and being alerted to one potentially bad things are happening. So where we do this is we do it all over the world. Again we're headquartered out in Minnesota, we have offices throughout the world and we have data centers in many different locations to help with, not only speed, scale, latency but also to help overcome data bandwidth or data privacy and data sovereignty. And for those who we do help out, we help out over 50,000 organizations, tech companies with seven of the eight top Ivy League or some of the Ivy League schools and across a broad range of industries.

And when we think about ideas because every idea matters a lot of the most important ideas in identity from Okta are also protected by Code42. So Okta uses Code42 as an endpoint agent to make sure that the items on their desktop and laptops are protected and that they can effectively move forward. And at Code42, I'm reminded every day by the Okta verify app, as many of you are, that we are also protected by Okta and that Code42 uses Okta to provision over 50 applications and manages all those different applications.

So how do Okta and Code42 work together? In the typical way that you would expect in the sense that we have an app on the Okta store and that companies use Okta to connect back into their directory services that covers across multiple domains, multiple force. We really have a strong relationship with Okta and we are building in where you can actually create a new instance of Okta through Code42 and in fact, Okta is a critical part in how Code42 goes to market and talks about moving people to cloud that if you buy a Code42 instance, you can actually get an instance of Okta for Code42.

So let's talk about the way the world is today. We're going through a digital transformation and I think everybody can agree the way that we the way that we do work today, the way that data is shared, the way that data is consumed, and the way that data is collaborated upon is changing and changing very rapidly. Historically from an incident perspective, we used to have this box, a virtual moat that we were able to put around our organization. We were able to make sure that things didn't get out and we were able to make sure that things didn't get in, right? Well that's changed and that's going to continue to change. And the way that people work is going to continue to evolve and isn't going to be going backwards, right? These the number of different avenues that people can work, the different number of different avenues that people can share information, and collaborate isn't going to go away. Think about your cell phone. Can you think about working without your cell phone, right? But you can't put that toothpaste back in that tube.

So when we think about, and again I apologize about the text, when we think about what the implications of this are, as people continue to become more and more distributed, as this data become more and more digitized, it has a lot of implications on IT and security. How do you, with no longer some strong walls to protect your individual users, how do you actually make sure that you can know where that data is and that how to protect your users and to respond to incidents especially as more and more data is going to the cloud. In fact, recently, a survey showed that 74% of businesses are actually putting business critical sensitive information up in the cloud. And that trend is going to continue as organizations become more comfortable with that ... as organizations adopt, say an Okta, to feel comfortable with the access and management. But that actually creates something that happens that's interesting is the behavior of individuals starts to change. Now data is all around in lots of different places and they feel more empowered and more comfortable moving data around even if they know that that behavior is risky.

So what you end up with is, as we become more decentralized, more digitized, that data becomes more and more difficult to actually understand where it is and be able to respond effectively when bad things happen and, again, when bad things happen. So if we look at this picture, this is actually an accurate representation of Code42's environment whereas, like I said, not a large organization, 500 people, but we have a lot of different endpoints and places where data can go. And data no longer flows in a linear manner, It's not from the user to the endpoint. Data is flowing from cloud to cloud, from cloud endpoint, and it flows a number of different ways and so this fragmented environment needs better visibility into where data is and to be able to access and to control access and manage that data.

So, from a security standpoint when you think about being able to respond, there's a couple of key things that you need to be able to answer. One is where's my data? Used to be, like I said, very easy to know what's data, what is on the endpoint but now, with all the different cloud connectors and all the different cloud places, you have Slack, SharePoint, OneDrive, Box. How do you actually know where that data is if you don't know where that data is? If you don't know where that data is, It's very difficult to feel confident that you're actually effectively responding to an incident. How can I be notified or how can I see movement of that data, right? Who was involved, how do I use federation and use Identity Management to actually track and understand who has access to that information and who has actually moved that data? Am I compliant? We talked a little bit about that but that's about where is PII, potentially, Personally Identifiable Information, where's that potentially living? What about PHI, Personal Health Information? How do I understand if I'm compliant?

And above all, in this new world of democratized and data that's living all over, how can I do that while I'm enabling my users to continue to run at speed, to run at scale, and not actually put restrictions upon them, right? You think about some heavy handed approaches like a DLP, very expensive, very hard to use, and that can actually cause a lot of friction with the end user versus the IT and people start to find ways around those. So how can I continue to enable my end users to run at speed while having the ability to respond to these incidents?

So all of these things put together are why the abilities of organizations to respond to times is growing, right? Tools are not as effective with being able to manage all the different areas that they need to cover and they don't have the breadth and the insight that different organizations need. So we think about a traditional response, right? We think about it the way that a traditional organization would respond to an incident. A traditional response, once that incident occurs, is actually over 60 days. And once that first day happens, right? It could be something like an employee removes data or Malware's introduced. Oftentimes, there's a manual intervention that is required in order for that process to even start.

So, before they can even begin the manual steps of recording a recording, finding out what happened, there's a manual intervention that has to happen. And then, again, how do you understand where the data is and pulling it from all the different areas takes a number of days and takes an extended period of time in an age where time is increasingly more and more valuable and information is more and more valuable and impactful. So, well, it says Code42 up there, I promise. So, at Code42, how we approach and how we perceive the, and how we approach the problem is we understand and we provide visibility into where files have been, where data has been, where has it ever been., how has that data moved through your organization, where have those files been? Not only on your endpoint but also in the cloud with, and using our integration with Okta, you're able to see a consolidated view of who has actually moved that data through so you can be able to better and more accurately respond to potential incidents and to put to specific threats.

So we'll talk a little bit more about how Code42 and Okta work together but I think one of the best ways to do it is just to talk through some specific examples. So we're going to talk about Jim and we're going to talk about Sean. So two real life scenarios that will kind of highlight how having visibility into data and visibility into where data moves will really enable your organization to respond quickly. So let's talk about that Jim. So Jim is a CFO or he's a finance analyst. But importantly, he's working on data that is time sensitive. So he's working, he's preparing for quarterly earnings report.

So public information, but the data that he has isn't public yet so it's time sensitive. This data, anyone who has access to this data is governed by the rules of the SEC for insider trading and the knowledge of what they can and can't do with that type of information. Great thing is he has all the information done but he shared it in a wrong folder. He shared it in a public folder instead of a closed folder with the other executives. So what happens, right? How does Jim respond, what do they need to do? Well first they need to identify that, "Hey, this is a problem" and as soon as Jim identifies that, "I've shared that in a different folder than I mean," then he needs to investigate.

Has anyone actually downloaded this information, has this data made its way through? Because just because that data was put out there doesn't actually mean it was a bad incident. And, of course, this isn't malicious, this isn't something that AVY systems or Malware systems can find but this is an incident. And then finally, how does an organization remediate that? How do you actually make sure that you're protecting the organization? So unfortunately, Eric, an avid investor, actually saw that this file was out there and said, "Hey, that looks interesting" and he said, "You know what?, this could be something that may be useful." He wasn't ... know it would necessarily illegal for him to use but he did change the name of that file and he did save it to a different location just to kind of protect himself and the company. So what does Jim do? Well first, using Code42, we can actually identify who's downloaded a file within his organization. So because Code42 tracks all the metadata and information on any computer within their organization through our endpoint, he's able to see every single computer that has actually downloaded that file.

Had they changed the name, any modification, all of that's tracked with Code42. What did they do with the file, how did that file move from where they downloaded it to other folders, did they email it, did they upload it, did they put it on different USBs? And where does that file currently live, what is that state? So identifying do we have a potential problem? So now, we say, "Great, looks like who made have potential problem, let's investigate. Who else has that file?" Did Eric share it with anyone, what did they do with it, and who else has that file today?

So now that we've identified, using Code42, what the scope of that potential problem is, where that file lives, and how it has moved through your organization, and not only were that file lives today, but where that file has ever been within your organization. Now we can remediate using Identity Management, using Okta, we can pull that access for those particular individuals, we can talk to those people and say, "You are now subject to these rules of SEC because this is now insider information." And we could prevent that data going public through quick response and through managing their access.

So that's an example of something that wasn't real malicious, right? Jim accidentally had saved file but you may have somebody like Sean, right? Sean's a developer and engineer within your organization working on game changing technology, something that's really going to provide value for your organization and tech that's going to drive your company into the future, which is awesome except that Sean thinks that he's actually going to go somewhere else. So, what does Sean do? Sean says, "Well, you know, this is my work, this is the work that I put my blood sweat and tears in, I'm actually going to take that data away." So Sean doesn't like to be in the office, so at a coffee shop or somewhere else, he uploads that data and he moves that information. He either moves that information to Box, Dropbox, OneDrive, maybe he moves it to a USB drive, he moves that data because he believes that that's his data that he can take with him.

What do you do, how does a company get notified of that, identify that, particularly when that's outside of your core network? Well fortunately, you guys have Ed, Ed is in security and Ed has Code42 and is notified and alerted about that data ex-filtration. So regardless of which endpoint or what endpoint that data is being moved to, whether it be in the cloud, whether it be a USP stick, Ed is notified that hey, something has happened. But just moving that data isn't necessarily a bad thing, right? You need to investigate and identify is this something bad? So, using different tools that Ed has at his disposal, he can actually see the data that Sean moved in notes, not pictures, it's not cat videos, it's actually the source code that he moved. So now we have a problem.

So he's able to investigate and understand that this is now something that we actually need to remediate, and how do we remediate it? Well, we remediate it through a number different ways. Pulling back that access, removing that access, and understanding who else has those files? So when we think about it, right? Identification, is the company at risk, when identified or was notified that, "Hey, we have a potential issue," I said, "OK great, how do we understand if it's actually a problem, who else has access to it and where did that 50 Gigs of data go?"

Then we investigate what actually was happening to that data, where was that data being moved, and what was in that information? And then finally, being able to remediate, how can we prove? Using Code42, you're able to actually prove not only what data that was but where that moved and, let's say it was a USB, providing not only the name of that USB stick but also the serial number of that USB because the proof is going to be important when having those conversations and when trying to quickly remediate this. So in a matter of just moments or hours, we've gone from an potential incident to being able to identify, investigate, and remediate through either pulling in the proper authorities, the proper internal staff, and having that conversation. So as opposed to the 60 plus days, now we're able to actually remediate well before data may even have gotten out of the building and contain it.

So, when we talk specifically about the remediation step, right? I talked quite a bit about the identification, how do you identify when there's an issue where data may be but the remediation step is really in a couple of different ways. One is being notified of that problem and validating those concerns. Using Code42, you're able to be identified, alerted, and investigate that and understand is this an actual problem? Is this file something that's wrong, is this file something that contains PII or sensitive information? Then, using Okta, our integration, being able to revoke that access. How do you stop the bleeding? Contain the mess so that you can then plan your next steps for your management of that particular incident. So, when we think about the expansion of time that time in responding to incidents, that we talked about earlier, there's a couple of core reasons. One is as the different data sources continue to expand out, that causes a gap in-between the ability for us to detect and analyze and actually manage and respond.

How do you have a single source of truth and how do you have a plan in place to be able to react efficiently. So when we think about that, there's a couple of steps that we can take to actually closing the Incident Response gap and to help speed up your organization's response to these incidents regardless of which tools you have. First is just simplifying and rationalizing your processes. So this idea of having one pane of glass or a single insight into what is going on within my organization. How am I alerted and how do I have visibility across things within that may be happening? And when we talk about processes, that isn't just about the alerting side, it's also about the identity side, the access management. So leveraging somebody, like an Okta, like a single sign on, is really critical in being able to do quick responses so that you can remediate that very quickly. Second one is having access data in real time.

So being able to have access to that information in short order so that you're not waiting two days, five days, because, particularly as the data can move and spread very quickly, it's important to have that detail right away. So when you look at tools, when you look at information, don't look at things that are going to delay or extend that period of time. You want to be able to identify and close the response very quickly. And then third, we're going to get a comprehend and a save view. But wanting to make sure that we have a comprehensive view, right? And that means more than just understanding where data is at today but that means where has data ever been? Because it isn't, if you think about Malware, if think about Ransomware, something that we haven't really touched on, but if you think about those things, those things make their way through an organization and you may be killing endpoints, you may be killing the end problem without understanding where things have actually come from and how that has moved through your organization.

So it's important to be able to have a comprehensive view of that data as it's moved through your organization. So, I said today we were going to help talk about a couple of things, why incident times are expanding, how Code42 and Okta work together, and then some strategies on how you can bring back to your organization, help, and help manage that. So, before I open up to questions if you have any, just appreciate your time and hope you guys have a great rest of your day, thanks. Questions?

Speaker 2: Yeah, how do you tag data to watch it move, I mean [crosstalk 00:25:16]?

Mark: How do we tag, so every time a file is created, modified, or deleted, we capture the metadata of that information. So we don't actually tag it, we actually record that the event happened. So, what that enables us to do is, if you see that this information is, say, in one spot of the organization, we capture that metadata, we don't actually tag that metadata or tag that file, we capture the metadata so you can, then, search for say, the MD5 hash, the file name, and see where it may else be in the organization. So it may have transferred via USB or some other method, that's how we capture information.

Speaker 2: Think you came into our company or you're a new vendor of ours, what would you do about the data that's already there, is there ways to capture it like that metadata of it, when it was created and-

Mark: Yep, yep. So it's Code42, when there's the ... so the question is with customers or a new deployment of Code42, how do we capture and index that existing. So there is kind of a ramp up period. So as we back up and as we index, we do that on the front end. So, there's a little bit of a time where we're a little bit heavier of an agent but we do capture all that information.

Speaker 2: Okay, and so you put an agent on all machines, is that kind of a starting point [crosstalk 00:26:41]

Mark: Yep, yep, exactly. So the way that Code42 is, we deploy a lightweight agent that can be done silently. So a lot of organizations, in fact, deploy Code42 and the end users don't even know that it's on there or even know that it's running in the background. And so that happens. And with that, you get the ability to do the back up as well as the forensic file investigation.

Speaker 2: Thank you.

Mark: Yeah, you bet. You sir?

Speaker 3: Do you support Citrix environment?

Mark: I'm sorry?

Speaker 3: Does your agent support Citrix Media Environment?

Mark: Oh, the virtual desktop?

Speaker 3: Yep.

Mark: So we don't but we work well in compliment with those because even when they're a virtual desktop, a lot of times, data is either created on the physical endpoint, moved to the endpoint, but we don't track the actual VDI, no.

Okay great. Thank you very much.