Endpoint monitoring
Who is this article for?
CrashPlan for Small Business, no.
Code42 for Enterprise, yes.
Link: Product plans and features.
Overview
Endpoint monitoring, also called file exfiltration detection, uses the Code42 app to capture file activity on each device in real time. This helps you identify five types of potential data leaks or security problems:
- Removable media
- Personal cloud
- Browser and application activity
- Restore
- Pattern matching
Endpoint monitoring identifies most file activity anywhere on a user's device, not just within the user's backup file selection. Pattern matching, however, only applies to files included in the user's backup file selection.
Considerations
- Code42 recommends only enabling endpoint monitoring in a small, test organization at first. This helps to ensure settings are properly configured to capture the user activity you want to monitor. Once you see the desired results with a small number of users, then start enabling endpoint monitoring one organization at a time. If your Code42 environment contains more than 5,000 users, Code42 recommends contacting your Customer Success Manager (CSM) for assistance creating a deployment strategy.
- If Compliance Settings have been activated for an organization, you cannot enable endpoint monitoring for the organization or child organizations that inherit settings. Parent and sibling organizations are not affected.
Endpoint monitoring types
Endpoint monitoring identifies the following five types of security-related activity on users' devices.
| Endpoint Monitoring Type | What Activity Is Identified | Example |
|---|---|---|
| Removable media | Users placing files on removable media, such as USB drives or SD cards. | A user plugs in a USB drive, copies a file to the drive, and removes the drive. |
| Personal cloud |
Users syncing files using these cloud storage apps:
|
A user adds a file to the Dropbox folder on a device with the Dropbox desktop app installed.
|
|
Application activity (version 7.0 and later)
Browser activity
File upload |
Users upload or download files, such as attaching a file to a web-based email or downloading a file over FTP.
Devices using Code42 app versions older than 7.0.0 only monitored activity in web browsers, and only on Windows devices. Version 7.0.0 expands upload and download detection to include Macs as well as other applications, such as Slack, FileZilla, FTP, and cURL.
|
A user attaches a file to a Gmail message. |
| Restore |
File restores:
|
A user restores files from the Code42 app. |
| Pattern matching | Existence of known malicious files or patterns of sensitive data based on YARA rules for text (non-binary) files included in the user's backup file selection. | A user saves a text file that contains Social Security numbers. |
Windows devices may require administrator action to monitor activity in the Google Drive folder:
- Code42 app version 6.5.1 and later: If the Code42 app is installed by a member of the administrator's group, no action is required. If the Code42 app is not installed by a member of administrator's group, you must grant read access to SYSTEM for the Google Drive folder on each device.
- Code42 app version 6.5.0 and earlier: You must grant read access to SYSTEM for the Google Drive folder on each device because, by default, Google Drive grants read access to the logged-in user only, and the Code42 service runs as a system process.
Before you begin
- Create a test organization, and then add a small number of test users to use in the steps below for initial endpoint monitoring testing. Alternatively, use the Change Organization command to move a small number of existing users into the test organization.
- Ensure your Code42 environment meets all the requirements for endpoint monitoring:
| Component Or Configuration | Requirements |
|---|---|
| Licensing |
You must have a product plan that includes file exfiltration detection in order to use endpoint monitoring. |
| Authority server |
Meets the minimum system requirements |
| Storage server |
|
| Code42 app |
|
| Backup encryption key policy | Users' archives must use the Standard archive encryption key policy. Endpoint monitoring data cannot be collected for users with Archive key password or Custom key archive encryption. This means no data appear for these users in Security Center results. |
| Code42 app for Splunk (Optional) |
With a subscription (or trial) for Splunk Enterprise, you can view the data collected by endpoint monitoring using version 2.1 or later of the Code42 app for Splunk. |
Enable endpoint monitoring
Step 1: Lock archive encryption key settings
Endpoint monitoring requires standard encryption. Before implementing endpoint monitoring in any organization in your Code42 environment, you must lock the encryption setting at its standard level. Locking this setting prevents users or administrators from changing the setting.
Option A: Lock encryption settings for all organizations
- Sign in to the administration console.
- Go to Settings > Device Backup.
- Click Security.
- Under Archive Encryption Key:
- Deselect Use default archive encryption key setting.
- Verify that Standard is selected.
- Click Lock to prevent users from changing this setting.
A confirmation prompt is displayed. - Select inheritance options as desired for your Code42 environment.
- Select I understand.
- Click Push and Lock.
- Click Save.
Option B: Lock encryption settings for a specific organization
- Sign in to your administration console.
- Go to Organizations.
- Select an organization to view its details.
- From the action menu, click Device Backup Defaults.
- Under General, deselect Use device defaults from parent.
- Click Security.
- Under Archive Encryption Key:
- Deselect Use default archive encryption key setting.
- Verify that Standard is selected.
- Click Lock to prevent users from changing this setting.
A confirmation prompt is displayed. - Select inheritance options as desired for child organizations of this organization.
- Select I understand.
- Click Push and Lock.
- Click Save.
Step 2: Enable endpoint monitoring for organizations
Code42 recommends enabling endpoint monitoring in a test organization first to ensure settings are properly configured to capture the user activity you want to monitor. Once you see the desired results with a small number of users, then enable endpoint monitoring for additional organizations.
Option A: Enable endpoint monitoring for a specific organization
To enable endpoint monitoring on devices in a specific organization:
- Sign in to your administration console.
- Go to Organizations.
- Select an organization.
- From the action menu, choose Edit.
- Select Endpoint Monitoring.
- Deselect Inherit settings from parent, if necessary.
- Select one or more detection types to enable them.
- Click Save to immediately apply your changes to all devices in this organization and all of its inheriting child organizations.
Option B: Enable endpoint monitoring for all organizations
In most cases, it is better to enable endpoint monitoring one organization at a time (option A above). Code42 only recommends enabling endpoint monitoring for all organizations at once if you have already tested endpoint monitoring with a small number of users first, and you have less than 5,000 users in your Code42 environment. If your Code42 environment contains more than 5,000 users, contact your Customer Success Manager (CSM) for assistance creating a deployment strategy.
To enable endpoint monitoring on all devices in your Code42 environment:
- Sign in to your administration console.
- Go to Settings > Endpoint Monitoring.
- Select one or more detection types to enable them.
- Click Save to immediately apply your changes to all devices in your Code42 environment.
Step 3: Configure pattern matching (optional)
In order to use the pattern matching method of endpoint monitoring, you must manually deploy a file to each device you want to monitor for patterns. This file identifies dangerous, malicious, or sensitive files included in the user's backup file selection with a rule-based framework called YARA.
Perform these steps on each device:
- Create a folder named yr on the device in the Code42 app's cache directory.
Default cache directories on each operating system:- Windows: C:\ProgramData\CrashPlan\cache
To view this hidden folder, open a file browser and paste the path in the address bar. If you installed per user, see the file and folder hierarchy for file locations. - Mac: /Library/Caches/CrashPlan
If you installed per user, see the file and folder hierarchy. - Linux: /usr/local/crashplan/cache
- Windows: C:\ProgramData\CrashPlan\cache
- Create a YARA rule file using the instructions from the YARA project.
See below for an example YARA rule file. - Save the YARA rule with the name rules.yar to the yr folder.
- Restart the Code42 service on the device.
Pattern matching considerations
- You must manually deploy the YARA rule file to each device you want to monitor for patterns.
- Unlike the other types of endpoint monitoring, pattern matching only monitors files included in the user's backup file selection.
- The frequency of pattern matching scans is set by the Backup new version frequency setting. By default, this is every 15 minutes.
- Pattern matching only monitors files that are created or modified after a YARA rule is added. Files existing before a YARA rule is added are not scanned for that rule until the file changes.
- Pattern matching can scan for MD5 hash and filename matches on any file, but does not extract file contents of binary or compressed files. Practically speaking, this means pattern matching only searches the contents of plain text files, unless you create a rule targeting a specific binary string.
- After adding a new YARA rule, you must restart the Code42 service on each device.
Sample YARA rule file
The example rule file below includes two rules. Each rule contains instructions for identifying a pattern of data on users' devices, including:
- An MD5 hash for a specific file
- Text strings formatted as Social Security numbers
import "hash"
rule md5Match
{
meta:
meta_tag = "MD5 example"
condition:
hash.md5(0, filesize) == "5b110441c6eead0d1943211d6a3e704c"
}
rule ssnMatch
{
meta:
meta_tag = "SSN example"
strings:
$re1 = /(\d{3})-(\d{2})-(\d{4})/
condition:
$re1
}
Step 4: Enable automatic file scanning of detected removable media (optional)
By default, endpoint monitoring does not automatically perform a file scan when a removable drive is detected. This prevents the collection of data on removable media that you may not want to monitor. However, you can enable this automatic file scanning if desired.
- Call the Code42 API with the following curl command:
curl -i -X PUT -H 'Content-Type: application/json' -d '{"packets": [{"key": "org-securityTools-device-detection-scan-enable","value": "true","locked": true}]}' -u '<username>:<password>' https://<server_address>:<port>/api/OrgSettings/<orgId>
Setting "locked" to true locks this setting so that it cannot be overridden at the user level.
Replace the following entries with the values of your authority server:
- Replace
<username>and<password>with the administrator username and password. - Replace
<server_address>:<port>with the host and port of your authority server. - Replace
<orgId>with the organization ID. To find this ID, export a CSV file containing the organization's data and locate the orgId value in the exported file.
- To verify that scanning is enabled, use the following curl command to get all the settings for the organization:
curl -i -X GET -u '<username>:<password>' https://<server_address>:<port>/api/OrgSettings/<OrgID>
- Search the output for the "org-securityTools-device-detection-scan-enable" key to verify that its value is set to "true".
Step 5: Exclude paths from monitoring (optional)
You can exclude paths of personal cloud services and removable media if you do not want to monitor them. This can reduce both the amount of unwanted monitoring data and the processing load on user devices.
- Call the Code42 API with the following curl command:
curl -i -X PUT -H 'Content-Type: application/json' -d '{"packets":[{"key":"org_securityTools_detection_monitoring_exclusions","value":"{\"windows\":[\"<regEx1>\",\"<regEx2>\"],\"macintosh\":[\"<regEx>\",\"<regEx2>\"]}","locked":true}]}' -u '<username>:<password>' https://<server address>:<port>/api/OrgSettings/<orgId>
Setting the "locked" value to "true" locks this setting so that it cannot be overridden at the user level. If you do not want to use this setting for certain users, you may move the users to a separate child organization with its own setting.
Replace the following entries with the values of your authority server:
- Replace
<regEx1>and<regEx2>with regular expressions for the paths to exclude. You may add as many expressions as you need to exclude multiple paths.- Note: File paths must use forward slashes ( / ) for path separators, even for Windows paths. For example:
[\"C:/Users/Clyde/Temp(?:.*)*\"]. Using a backslash ( \ ) to escape characters in your regex value is not supported.
- Note: File paths must use forward slashes ( / ) for path separators, even for Windows paths. For example:
- Replace
<username>and<password>with the administrator username and password. - Replace
<server_address>:<port>with the host and port of your authority server. - Replace
<orgId>with the organization ID. To find this ID, export a CSV file containing the organization's data and locate the orgId value in the exported file.
- To verify that exclusions are set, use the following curl command to get all the settings for the organization:
curl -i -X GET -u '<username>:<password>' https://<server_address>:<port>/api/OrgSettings/<OrgID>
- Search the output for the "org_securityTools_detection_monitoring_exclusions" key to verify that its value is set to the desired paths to exclude from monitoring.
Step 6: Enable automatic file scanning of cloud folders (optional)
Cloud folder activity, as reported in Security Center and in Activity Notification emails to administrators, is not affected by this scan setting. When Cloud service monitoring is enabled, cloud folder activity (for example, moving new files into the cloud folder) is always monitored and reported.
In addition to watching file activity, endpoint monitoring can also optionally scan all contents of monitored cloud folders. These scan results provide a snapshot of all files in the folder at the time of the scan, and are only visible via the CSV export and the Code42 app for Splunk. Scan results are not reported in Security Center.
Beginning with Code42 server version 6.8.4, cloud folder scanning is off by default. Because some cloud services provide on-demand file streaming, user devices may contain a shortcut file for every file the user has access to throughout the organization. Disabling the scan reduces both the amount of unwanted monitoring data and the processing load on user devices. However, you can manually re-enable the cloud folder scans with the steps below.
- Sign in to the administration console.
- Double-click the Code42 logo in the upper-left to open the command-line interface (CLI).
- Enter this command:
setting.set ORG org-securityTools-cloud-detection-scan-enable true <orgId> - Replace
<orgId>with the organization ID you want to monitor. To find this ID, export a CSV file containing the organization's data and locate the orgId value in the exported file.
Visualize data from endpoint monitoring
You can visualize the data collected by endpoint monitoring in two ways.
Security Center
Sign in to the Security Center to view basic information from endpoint monitoring in a web browser.
- Sign in to the administration console.
- Select Security Center > User Activity.
- Enter a username.
- Enter a date range.
- Click Search.
User activity appears.
Code42 app for Splunk
Install the Code42 app for Splunk to visualize detailed endpoint monitoring data as part of a larger Splunk installation.
For more information on Splunk, including their free trial that can be used with the Code42 app for Splunk, see Splunk's documentation.