Flare’s GitHub Monitoring Cut Incident Response Costs by 95% for a Large North American Bank

Overview

  • A major Canadian bank had a former employee post sensitive information publicly on GitHub
  • A Flare alert notified the bank’s Cyber Threat Intelligence team and they were able to spring into action, containing the incident in 30 minutes
  • This eliminated 95% of costs per incident

According to a study with Stanford University Professor John Hancock and security firm Tessian, human error contributes to 88% of data breaches. Employee mistakes may seem harmless, but they can lead to leaked credentials, API keys, personally identifiable information, and intellectual property. 

This success story explains how Flare’s GitHub monitoring caught a former employee of a major Canadian bank posting sensitive data on GitHub. The Cyber Threat Intelligence (CTI) team promptly identified and notified the former employee’s superior, who contacted the person in question and asked them to remove the content. Less than 30 minutes after the initial Flare alert, the CTI team had contained the incident.

A CTI platform like Flare can collect and review data from different sources, then contextualize it to assess its priority. This allows cybersecurity teams to quickly address vulnerabilities.

The Challenge

In-House GitHub Monitoring Can Be Overwhelming

The bank’s CTI team knew they should be monitoring GitHub and other shared repositories, but they often skipped it due to its complexity. Periodically, a CTI Analyst would manually run searches on GitHub based on high-level queries. Combing through the sheer volume of the results and identifying potential leaks represented an enormous time investment. 

The CTI team tested multiple solutions to improve their monitoring and response capabilities, but the level of noise and false positives made many tools an additional burden for the team. Flare was the only solution that combined state-of-the-art data collection systems with a noise reduction and prioritization engine that gave them the necessary context for classifying each data leak’s criticality level without hundreds of hours of work.

“Whereas other solutions would present us with thousands of potential leaks which were impossible to work with for our small team, Flare was the only one that could successfully filter and prioritize data leaks with their 5-point scoring system,” said the CTI Director. 

How Flare Helped

This CTI team eliminated 95% of cost per incident. With strong data collection and a prioritization alerting system in place, the team optimized downstream processes of incident response with their newfound bandwidth. 

They even swiftly solved an incident in 30 minutes! After Flare detected a former employee posting sensitive data on GitHub, the CTI team promptly identified and notified the former employee’s superior, who reached out and asked the former employee to remove the content.

Prior to Flare, this sort of incident would have required a full-blown incident response operation, involving a task force of 6 analysts, managers, and directors. They had to assemble in a war room for 7 hours trying to find the data leak’s source, identify potential consequences, rotate credentials and API keys, and contact a number of current and former employees. The bank’s CISO was also personally involved in every item, as the threat level was always unknown at the beginning of the incident. 

The combination of the Flare platform and the CTI team’s newly built processes enabled them to proactively respond to technical data leaks, even ones that would be difficult for domain experts to find. For example, the bank remediated an incident in which an API key was leaked in a code file where the organization’s name is not even present. There’s no more war room, and the CISO can be informed in weekly briefings of any remediation actions that took place, and isn’t involved unless the leak is immediately classified as very high-risk.

Want to slash the time and costs associated with each incident? Book a demo to learn how we can shift your cybersecurity team from reactive to proactive remediation.