An insider threat is a potential for harm coming from people within an organization, such as employees, former employees, contractors, or business associates. An insider threat can compromise an organization's data, computer systems, or security, and the threat itself might be theft of information, fraud, or sabotage.
This article provides best practices for security teams to follow in order to to most effectively detect insider threat file activities and respond to incidents.
This article is intended for customers running a on-premises Code42 authority server. Customers using the Code42 cloud should see the cloud article. Our features in the Code42 cloud offer far greater insider threat detection and investigation capabilities than our on-premises offering.
- The procedures described here are suggestions, not requirements, for using Code42 to handle insider threats at your organization. Be sure to adjust the tasks described in this article as needed to work in accordance with your company's own processes for addressing insider threat.
- Forensic File Search is only available in Code42 cloud environments.
- You must have the Customer Cloud Admin role or the Security Center User role to perform the tasks in this article.
- Many of these tasks can be performed using the Code42 API. If you have a standard insider threat scripting procedure, you can add the Code42 API tasks to the script. For help with using Code42 APIs, contact your Customer Success Manager to engage the Professional Services team.
Step 1: Capture file activity
Before you can use Code42 to address insider threat, you must do the following to capture file activity:
Enable endpoint monitoring
Enable endpoint monitoring to capture file activity on each device in real time, helping you identify potential insider threat actions. Enable the following endpoint monitoring options:
- Removable media
- Cloud service
- Application activity (file upload and download)
- File restore
- Pattern matching
Endpoint monitoring identifies most file activity anywhere on a user's device, not just within the user's backup file selection. Pattern matching, however, only applies to files included in the user's backup file selection.
See Enable endpoint monitoring for file exfiltration detection for more information.
Select Removable media and Cloud service when enabling endpoint monitoring. These represent two common methods that departing employees use to take company data.
Set up Code42 to collect files on endpoints and place them into archives. In the event of insider threat file activity, you can download these files and examine their contents. You can also collect files from the archives for use in a legal hold action if needed.
To optimize file collection:
- Select all the users' files
By default, the Code42 app collects all files in a user's home directory. Use inclusion and exclusion settings to include any additional files from users' devices, and exclude any that you do not want to collect. Remember that any files that you do not collect cannot be downloaded for examination or used in a legal hold.
- Set file collection frequency and retention
To get the best coverage for file investigation, use the default frequency and versions settings to collect new file versions every 15 minutes and to never remove deleted files from archives.
- Extend cold storage duration
Cold storage is a temporary storage state for file archives after a user or device is deactivated in your Code42 environment. You can specify how long the archives are retained in cold storage before they are permanently deleted. Extending the cold storage duration preserves file archives for a longer period to ensure they are available for threat investigation. Keep in mind that users whose files are in archives in cold storage still consume subscriptions.
Step 2: Investigate suspicious file activity
Investigate suspicious file activity using the following Investigation options in the Code42 console:
You can also use third-party tools in conjunction with Code42 to investigate suspicious file activity.
User activity searches for users' security events detected by endpoint monitoring. Use this option when you want to view activity rather than receive notifications. You can see a trend of the user's activity over the last 60 days, providing a baseline of normal activity that helps you identify spikes in file movement that signal abnormal activity.
See User Activity and Activity Notifications reference for more information.
Use the Export CSV feature to download data about users' file activity for analysis or archiving.
Step 3: Respond to insider threat incidents
When an insider threat incident occurs, you need to move quickly to identify the actors involved and the files compromised. While your company has its own response protocol, the following Code42 features can help you respond to insider threat incidents:
Integrations with third-party security tools
Use the following third-party Code42 integrations to respond to suspicious file activity.
See Code42 app for Splunk Phantom for more information.
See Install and manage the Code42 for Splunk (Legacy) app for more information.
If file activity is identified as coming from an insider threat, files involved in that activity, and their history, can be gathered and held for legal action using Code42's Legal Hold. To obtain files for use in Legal Hold, you must first collect files into archives.
Gathering files for a legal hold may be part of eDiscovery, the process of discovery in legal cases when the information is in electronic format. As part of the eDiscovery process, you may need to perform tasks such as the following in response to an insider threat incident:
- Identify when the incident occurred.
- Determine who has files involved in the incident.
- Search the logs stored on endpoint devices running the Code42 app.
Add employees who have the highest risk of taking sensitive data to a legal hold. Adding them to a legal hold keeps the employees' files in archives for a longer period, in case they are needed for additional investigation or future legal action. Deactivated users cannot be added to legal holds. If you need to add a deactivated user to a legal hold, first reactivate that user.
If you are new to Code42 for Enterprise, contact our sales team to get started.
If you already use Code42 for Enterprise, contact your Customer Success Manager (CSM) at firstname.lastname@example.org for assistance with:
- Licensing for specific features
- Configuring your Code42 environment to best handle insider threat