An insider threat is a potential for harm coming from people within an organization, such as employees, former employees, contractors, or business associates. An insider threat can compromise an organization's data, computer systems, or security, and the threat itself might be theft of information, fraud, or sabotage.
This article provides best practices for security teams to follow in order to to most effectively detect insider threat file activities and respond to incidents.
This article is intended for customers running a on-premises Code42 authority server. Customers using the Code42 cloud should see the cloud article. Our features in the Code42 cloud offer far greater insider threat detection and investigation capabilities than our on-premises offering.
- The procedures described here are suggestions, not requirements, for using Code42 to handle insider threats at your organization. Be sure to adjust the tasks described in this article as needed to work in accordance with your company's own processes for addressing insider threat.
- Although Code42 is an essential part of your defense against insider threat, a robust insider threat response program involves many additional processes and stakeholders. Forrester Research offers steps for establishing such a program. For details, see the The Forrester Playbook for Insider Threat available from Code42.
- Forensic File Search is only available in Code42 cloud environments.
- You must have the Customer Cloud Admin role or the Security Center User role to perform the tasks in this article.
- Many of these tasks can be performed using the Code42 API. If you have a standard insider threat scripting procedure, you can add the Code42 API tasks to the script. For help with using Code42 APIs, contact your Customer Success Manager to engage the Professional Services team.
Step 1: Capture file activity
Before you can use Code42 to address insider threat, you must do the following to capture file activity:
Enable endpoint monitoring
Enable endpoint monitoring to capture file activity on each device in real time, helping you identify potential insider threat actions. Enable the following endpoint monitoring options:
- Removable media
- Cloud service
- Application activity (file upload and download)
- File restore
- Pattern matching
Endpoint monitoring identifies most file activity anywhere on a user's device, not just within the user's backup file selection. Pattern matching, however, only applies to files included in the user's backup file selection.
See Enable endpoint monitoring for file exfiltration detection for more information.
Select Removable media and Cloud service when enabling endpoint monitoring. These represent two common methods that departing employees use to take company data.
Set up Code42 to collect files on endpoints and place them into archives. In the event of insider threat file activity, you can download these files and examine their contents. You can also collect files from the archives for use in a legal hold action if needed.
To optimize file collection:
- Select all the users' files
By default, the Code42 app collects all files in a user's home directory. Use inclusion and exclusion settings to include any additional files from users' devices, and exclude any that you do not want to collect. Remember that any files that you do not collect cannot be downloaded for examination or used in a legal hold.
- Set file collection frequency and retention
To get the best coverage for file investigation, use the default frequency and versions settings to collect new file versions every 15 minutes and to never remove deleted files from archives.
- Extend cold storage duration
Cold storage is a temporary storage state for file archives after a user or device is deactivated in your Code42 environment. You can specify how long the archives are retained in cold storage before they are permanently deleted. Extending the cold storage duration preserves file archives for a longer period to ensure they are available for threat investigation. Keep in mind that users whose files are in archives in cold storage still consume subscriptions.
Step 2: Investigate suspicious file activity
Investigate suspicious file activity using the following Investigation options in the administration console:
You can also use third-party tools in conjunction with Code42 to investigate suspicious file activity.
User activity searches for users' security events detected by endpoint monitoring. Use this option when you want to view activity rather than receive notifications. You can see a trend of the user's activity over the last 60 days, providing a baseline of normal activity that helps you identify spikes in file movement that signal abnormal activity.
See User Activity and Activity Notifications reference for more information.
Use the Export CSV feature to download data about users' file activity for analysis or archiving.
Step 3: Respond to insider threat incidents
When an insider threat incident occurs, you need to move quickly to identify the actors involved and the files compromised. While your company has its own response protocol, the following Code42 features can help you respond to insider threat incidents:
Integrations with third-party security tools
Use the following third-party Code42 integrations to respond to suspicious file activity.
See Code42 app for Splunk Phantom for more information.
If file activity is identified as coming from an insider threat, files involved in that activity, and their history, can be gathered and held for legal action using Code42's Legal Hold. To obtain files for use in Legal Hold, you must first collect files into archives.
Gathering files for a legal hold may be part of eDiscovery, the process of discovery in legal cases when the information is in electronic format. As part of the eDiscovery process, you may need to perform tasks such as the following in response to an insider threat incident:
- Identify when the incident occurred.
- Determine who has files involved in the incident.
- Search the logs stored on endpoint devices running the Code42 app.
Add employees who have the highest risk of taking sensitive data to a legal hold. Adding them to a legal hold keeps the employees' files in archives for a longer period, in case they are needed for additional investigation or future legal action. Deactivated users cannot be added to legal holds. If you need to add a deactivated user to a legal hold, first reactivate that user.
If a user is identified as an insider threat, Access Lock enables administrators to lock the user's Windows device, thereby preventing unauthorized access. Locking the device prevents access to all content on the device (not just the files selected for backup). Access Lock leverages Microsoft's BitLocker technology to lock all drives connected to the device with a new key. Once a device is locked, it is completely inaccessible without the new recovery key to unlock it. The data on the device is retained and can be used to further investigate the threat.
See Access Lock for additional information.
If you are new to Code42 for Enterprise, contact our sales team to get started.
If you already use Code42 for Enterprise, contact your Customer Success Manager (CSM) at firstname.lastname@example.org for assistance with:
- Licensing for specific features
- Configuring your Code42 environment to best handle insider threat