Skip to main content

Who is this article for?

Code42 for EnterpriseSee product plans and features
CrashPlan for Small Business 

CrashPlan for Small Business, no.

Code42 for Enterprise, yes.

Link: Product plans and features.

This article applies to versions 6 and 7.

Other available versions:

Cloud | Version 5Link: What version am I on?

Code42 Support

Enable endpoint monitoring for file exfiltration detection

Who is this article for?

Code42 for EnterpriseSee product plans and features
CrashPlan for Small Business 

CrashPlan for Small Business, no.

Code42 for Enterprise, yes.

Link: Product plans and features.

This article applies to versions 6 and 7.

Other available versions:

Cloud | Version 5Link: What version am I on?

Overview

Endpoint monitoring uses the Code42 app to capture file activity on user devices in real time, helping you track user behavior to identify potential data leaks or security problems.

Code42's file exfiltration detection captures file activity anywhere on a user's device, not just within the user's backup file selection, related to removable media, cloud services, uploads and downloads via web browsers and other applications, and file restores. It also searches contents of files selected for backup for specified text patterns.

Endpoint monitoring types

Enabling endpoint monitoring in your Code42 environment allows you to detect the following categories of potential file exfiltration activity:

  • Removable media: Monitors file activity on removable media, such as USB drives or SD cards.
  • Cloud service: Monitors file activity in folders on the device used for syncing with cloud services, including:
    • Box
    • Box Drive (Mac only, version 6.8.4 and later)
    • Dropbox
    • Google Backup and Sync (version 6.7.1 and later)
    • Google Drive (version 6.5.2 and earlier; see permissions requirements)
    • Apple iCloud
    • Microsoft OneDrive
      • Version 7.0 and later: Code42 watches a personal OneDrive account and up to two OneDrive for Business accounts on each device.
      • Version 6.x: OneDrive for Business is not supported..
  • Application activity: Identifies files opened in apps commonly used for uploading and downloading files, such as a web browser, Slack, FTP client, or curl. 
    • Devices using Code42 app versions older than 7.0.0 only monitor activity in web browsers, and only on Windows devices. Version 7.0.0 expands upload and download detection to include Macs as well as other applications, such as Slack, FileZilla, FTP, and cURL.
    • Code42 server versions 6.5 - 6.8 label this Browser activity. Version 6.0.x labels it File upload.
  • File restore: Monitors files restored through the Code42 app and the administration console, both by users and administrators.
  • Pattern matching: Checks for the existence of known malicious files or patterns of sensitive data based on YARA rules for text (non-binary) files included in the user's backup file selection.

Considerations

  • Code42 recommends only enabling endpoint monitoring in a small, test organization at first. If your Code42 environment contains more than 5,000 users, contact your Customer Success Manager (CSM) for assistance creating a deployment strategy.
  • Endpoint monitoring is only supported for Windows and Mac devices. Linux devices are not supported.
  • If Compliance Settings are activated for an organization, you cannot enable endpoint monitoring for that organization or any of its child organizations that inherit settings. Parent and sibling organizations are not affected.
Google Drive permissions requirements
Windows devices may require administrator action to monitor activity in the Google Drive folder:
  • Code42 app version 6.5.1 and later: If the Code42 app is installed by a member of the administrator's group, no action is required. If the Code42 app is not installed by a member of administrator's group, you must grant read access to SYSTEM for the Google Drive folder on each device.
  • Code42 app version 6.5.0 and earlier: You must grant read access to SYSTEM for the Google Drive folder on each device because, by default, Google Drive grants read access to the logged-in user only, and the Code42 service runs as a system process.
See the Microsoft support site for how to add read access to a folder.
Google Drive File Stream activity not detected by endpoint monitoring
Google's Drive File Stream retrieves files by mounting a temporary internal drive partition on the user's device and streaming files to the temporary drive. The Code42 app only monitors file movement to external drives, so it does not detect this activity.

Before you begin

  1. Ensure your Code42 environment meets the following requirements:
  2. Create a test organization, and then add a small number of test users to use in the steps below for initial endpoint monitoring testing. Alternatively, use the Change Organization command to move a small number of existing users into the test organization.

Enable endpoint monitoring for file exfiltration detection

Step 1: Lock archive encryption key settings

Endpoint monitoring requires standard encryption. Before implementing endpoint monitoring in any organization in your Code42 environment, you must lock the encryption setting to prevent users or administrators from changing it later.

Disabled inheritance
If you disable inheritance for an organization, that organization is not affected by changes to its parent organization.

Option A: Lock encryption settings for all organizations

  1. Sign in to the administration console.
  2. Go to Administration > Settings > Device Backup.
  3. Select the Security tab.
  4. In the Archive Encryption Key section:
    1. Verify that Standard is selected.
    2. Click the Lock icon to prevent users from changing this setting.
      A confirmation prompt is displayed.
    3. Select inheritance options as desired for your Code42 environment.
    4. Select I understand.
    5. Click Ok.
  5. Click Save.

Option B: Lock encryption settings for a specific organization

  1. Sign in to the administration console.
  2. Select Administration > Organizations > Active. (In versions 6.0.x, select Organizations.)
  3. Select an organization.
  4. From the action menu, click Device Backup Defaults.
  5. In the General section, deselect Use device defaults from parent.
  6. Select the Security tab.
  7. In the Archive Encryption Key section:
    1. Deselect Use default archive encryption key setting.
    2. Verify that Standard is selected.
    3. Click the Lock icon to prevent users from changing this setting.
    4. Review the confirmation message and click OK.
  8. Click Save.

Step 2: Enable endpoint monitoring for organizations

Start with a test organization
Code42 recommends enabling endpoint monitoring in a test organization first to ensure settings are properly configured to capture the user activity you want to monitor. Once you see the desired results with a small number of users, then start enableing endpoint monitoring one organization at a time.

Option A: Enable endpoint monitoring for a specific organization

To enable endpoint monitoring on devices in a specific organization:

  1. Sign in to the administration console.
  2. Select Administration > Organizations > Active. (In versions 6.0.x, select Organizations.)
  3. Select an organization.
  4. From the action menu, select Edit.
  5. Select the Endpoint Monitoring tab.
  6. Deselect Inherit settings from parent, if necessary.
Disabled inheritance
If you disable inheritance for an organization, that organization is not affected by changes to its parent organization.
  1. Select one or more detection types to enable them.
  2. Click Save to immediately apply your changes to all devices in this organization and all of its inheriting child organizations.

Option B: Enable endpoint monitoring for all organizations

In most cases, it is better to enable endpoint monitoring one organization at a time (option A above). We only recommend enabling endpoint monitoring for all organizations at once if you have already tested endpoint monitoring with a small number of users first, and you have less than 5,000 users in your Code42 environment. If your Code42 environment contains more than 5,000 users, contact your Customer Success Manager (CSM) for assistance creating a deployment strategy.

To enable endpoint monitoring on all devices in your Code42 environment:

  1. Sign in to the administration console.
  2. Go to Administration > Settings > Endpoint Monitoring.
  3. Select one or more detection types to enable them.
  4. Click Save to immediately apply your changes to all devices in your Code42 environment.

Optional configuration steps

Advanced settings
Steps 3 - 6 below are optional configuration settings, and are not required to start capturing file activity. If you want to configure any of these items to override the Code42 defaults, click the + icon next to each step for detailed instructions.

Step 3: Configure pattern matching

Step 4: Enable automatic file scanning of detected removable media

Step 5: Exclude paths from monitoring

Step 6: Enable automatic file scanning of cloud folders

Review file activity

Details of monitored exfiltration activity are available in both the Security Center section of the Code42 administration console and in the Code42 app for Splunk.

Security Center

Permissions for Security Center access
The SYSADMIN role includes Security Center access automatically. To grant Security Center access to a user with a different role, assign the Security Center User role to the user.  The default local administrator with the SYSADMIN role can only view user activity in the Security Center for data stored in on-premises storage servers, but cannot view user activity for data stored in the Code42 cloud. To view Code42 cloud data, sign in as a different user with the necessary permissions. 

  1. Sign in to the administration console.
  2. Select Security Center > User Activity.
  3. Enter a username.
  4. Enter a date range.
  5. Click Search.
  6. Review the Activity Results.
  7. For more details, select the action menu in the upper-right of any chart and select Export CSV. The exported file contains extensive details about the file activity.
Security Center requires a trusted certificate for SSL connections
If your Code42 environment uses a self-signed certificate, Security Center activity results do not appear when browsing over an SSL connection. To view results, you must configure an SSL certificate signed by a trusted certificate authority (CA).

Code42 app for Splunk

Install the Code42 app for Splunk to gain access to dashboards and other detailed information about file exfiltration activity in your Code42 environment.

For more information on Splunk, including their free trial that can be used with the Code42 app for Splunk, see Splunk's documentation.

Videos

Watch the video below to learn how to enable file exfiltration detection.

Watch the video below for an overview of file exfiltration detection.

For more videos, visit the Code42 University