Flare’s GitHub Monitoring Cut Incident Response Costs Significantly for a Large North American Bank

Gradient blue and lighter turquoise background. There is a green bubble in the top left that says "Success Story." White text below it says "Large North American Bank Streamlines Sensitive Data Leaks Monitoring; Significantly Cutting Incident Response Costs"


  • A major North American bank had a former employee post sensitive information publicly on GitHub
  • A Flare alert notified the bank’s Cyber Threat Intelligence team and they were able to spring into action, containing the incident in 30 minutes
  • This cut down the cost per incident signficantly

According to a study with Stanford University Professor John Hancock and security firm Tessian, human error contributes to 88% of data breaches. Employee mistakes may seem harmless, but they can lead to leaked credentials, API keys, personally identifiable information, and intellectual property. 

This success story explains how Flare’s GitHub monitoring caught a previous employee of a major North American bank posting sensitive data on GitHub. The Cyber Threat Intelligence (CTI) team promptly identified and notified the former employee’s superior, who contacted the person in question and asked them to remove the content. Less than 30 minutes after the initial Flare alert, the CTI team had contained the incident. 

A CTI platform like Flare can collect and review data from different sources, then contextualize it to assess its prioritization. This allows cybersecurity teams to quickly address vulnerabilities. 

The Challenge

In-House GitHub Monitoring Can be Overwhelming

The bank’s CTI team knew they should be monitoring GitHub and other shared repositories, but they often skipped it due to its complexity. Periodically, a CTI Analyst would manually run searches on GitHub based on high-level queries. Combing through the sheer volume of the results and identifying potential leaks represented an enormous time investment. 

The CTI team tested multiple solutions to improve their monitoring and response capabilities, but the level of noise and false positives made many tools an additional burden for the team. Flare was the only solution that combined state of the art data collection systems with a noise reduction and prioritization engine that gave them the necessary context for classifying each data leak’s criticality level without hundreds of hours of work.

“Whereas other solutions would present us with thousands of potential leaks which were impossible to work with for our small team, Flare was the only one that could successfully filter and prioritize data leaks with their 5-point scoring system,” said the CTI Director. 

How Flare Helped

This CTI team eliminated a majority of their cost per incident. With strong data collection and a prioritization alerting system in place, the team optimized downstream processes of incident response with their newfound bandwidth. 

They even swiftly solved an incident in 30 minutes! After Flare detected a former employee posting sensitive data on GitHub, the CTI team promptly identified and notified the former employee’s superior. They reached out and asked the former employee to remove the content.

Prior to Flare, this sort of incident would have required a full-blown incident response operation, involving a task force of six analysts, managers, and directors. They had to assemble in a war room for seven hours trying to find the data leak’s source, identify potential consequences, rotate credentials and API keys, and contact a number of current and former employees. The bank’s CISO was also personally involved in every item, as the threat level was always unknown at the beginning of the incident. 

The combination of the Flare platform and the CTI team’s newly built processes enabled them to proactively respond to technical data leaks, even ones that would be difficult to find for domain experts. For example, the bank remediated an incident with an API key being leaked in a code file where the organization’s name is not even present. There’s no more war room, and the CISO can be informed in weekly briefings of any remediation actions that took place, and isn’t involved unless the leak is immediately classified as very high-risk. 

Want to slash the time and costs associated with each incident? Sign up for a free trial to learn how we can shift your cybersecurity team from reactive to proactive remediation.

Share This Article

Related Content