An insider threat is a potential for harm coming from people within an organization, such as employees, former employees, contractors, or business associates. An insider threat can compromise an organization's data, computer systems, or security, and the threat itself might be theft of information, fraud, or sabotage.
This article provides best practices for security teams to follow in order to most effectively monitor for insider threat activities and respond to incidents.
For additional Code42 best practices to protect your company from data loss, see Code42 Next-Gen Data Loss Protection best practices. For additional best practices to protect your company's data when employees leave, see Best practices for protecting data when employees leave.
Watch the short video below to learn how to detect data loss from an insider threat. For more videos, visit the Code42 University.
- Although Code42 is an essential part of your defense against insider threat, a robust insider threat response program involves many additional processes and stakeholders. Forrester Research offers steps for establishing such a program. For details, see The Forrester Playbook for Insider Threat, available from Code42.
Monitor insider threat activity
A key part of a robust insider threat response program is monitoring for insider threat activity.
Code42's File Exfiltration Detection provides monitoring tools that give you visibility into activity often associated with malicious insider behavior, such as unauthorized file movement. After setup, monitoring operates in the background and provides alerts to notify you when suspicious activity occurs.
The following Code42 features help you monitor and view insider threat activity:
Endpoint monitoring uses the Code42 app to capture file activity on each device in real time, helping you identify five types of potential data leaks or security problems:
- Removable media
- Personal cloud
- Application activity (file upload and download)
- Pattern matching
Endpoint monitoring identifies most file activity anywhere on a user's device, not just within the user's backup file selection. Pattern matching, however, only applies to files included in the user's backup file selection.
You can visualize the data collected by endpoint monitoring in two ways:
- View basic information from endpoint monitoring in User Activity or Activity Notifications in the administration console.
- Install the Code42 app for Splunk to visualize detailed endpoint monitoring data as part of a larger Splunk installation.
See Enable endpoint monitoring for file exfiltration detection for additional information.
If you are licensed for Code42 Forensic File Search with the endpoint data source, user activity for Cloud Folders, Removable Media, and Application Activity is also available via the Investigation > Forensic Search section of the administration console.
Exposure filters in Forensic File Search introduce more advanced search options, and also display some file activity details in the administration console that were previously only available via CSV export. For more details, see the Forensic File Search reference guide.
User activity searches for users' security events detected by endpoint monitoring. The report can help you identify and visualize potential data leaks. You can also export the results to a CSV file for analysis or archiving.
See User Activity and Activity Notifications reference for additional information.
See Configure activity profiles for additional information.
Code42 app for Splunk
If your organization has Splunk Enterprise or Splunk Cloud, use the Code42 app for Splunk to visualize detailed endpoint monitoring data in the security dashboards. The Code42 app for Splunk has separate dashboards for monitoring removable media, cloud services, file restore, and file upload.
See Install and manage the Code42 app for Splunk for additional information.
Respond to an insider threat incident
When an insider threat incident occurs, you need to move quickly to identify the actors involved and the files compromised. The following Code42 features help you respond to an insider threat incident:
Forensic File Search
In the event of an insider threat incident, Forensic File Search provides detailed visibility for Code42 administrators about files on user devices, including files not selected for backup. Using Forensic File Search, administrators can search file metadata to gain a clearer understanding of file activity throughout the organization.
Forensic File Search helps you to quickly answer questions such as:
- Is there file activity that looks like malicious activity?
- Is there evidence of covering up malicious activity?
- Who in my organization has, or previously had, a specific file?
Forensic File Search reports on file events detected by Code42. A file event is any activity observed for a file. For example, creating, modifying, renaming, moving, or deleting a file generates an event for that file. Events are reported for both user and system actions. Search results return file events for all organizations in your Code42 environment.
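The following is an added example, not Code42 code and not the format of any Code42 export: it shows how a security team can triage a stream of endpoint file events of the kind described above (create, modify, delete, move to removable media, upload to cloud or application) and turn them into an activity report. The event schema, the field names, the regex patterns, the sanctioned-destination list and the 15-minute window are all constructed for this illustration. It maps each event onto the four monitoring categories listed earlier (removable media, personal cloud, application activity, pattern matching) and additionally looks for a "cover-up" sequence, a copy to removable media followed shortly by deletion of the source file, which is the kind of question Forensic File Search is meant to answer.

```python
import csv
import io
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of endpoint file events, one JSON object per line.
# The field names are invented for this example and are not Code42's schema.
SAMPLE_EVENTS = """\
{"ts": "2023-04-02T09:00:00Z", "user": "alice", "action": "created", "path": "C:/Users/alice/Documents/roadmap.docx", "dest": "local"}
{"ts": "2023-04-02T17:42:10Z", "user": "bob", "action": "created", "path": "E:/customers_q1.xlsx", "dest": "removable_media", "source": "C:/Users/bob/Desktop/customers_q1.xlsx"}
{"ts": "2023-04-02T17:44:31Z", "user": "bob", "action": "deleted", "path": "C:/Users/bob/Desktop/customers_q1.xlsx", "dest": "local"}
{"ts": "2023-04-02T18:01:00Z", "user": "carol", "action": "uploaded", "path": "C:/Users/carol/notes.txt", "dest": "personal_cloud", "destination": "dropbox.com"}
{"ts": "2023-04-02T18:02:00Z", "user": "dave", "action": "uploaded", "path": "C:/Users/dave/report.pdf", "dest": "application", "destination": "sharepoint.corp.example"}
{"ts": "2023-04-02T18:03:00Z", "user": "erin", "action": "modified", "path": "C:/Users/erin/scratch.txt", "dest": "local", "content_sample": "card 4111 1111 1111 1111"}
"""

# Constructed pattern-matching rules, applied to a content sample carried on the event.
PATTERNS = {
    "payment_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}
# Constructed list of sanctioned upload destinations; uploads elsewhere are reported.
SANCTIONED_DESTINATIONS = {"sharepoint.corp.example"}
# Constructed window: a source file deleted this soon after a copy to removable media is suspicious.
COVER_UP_WINDOW = timedelta(minutes=15)


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts'; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except (ValueError, KeyError):
            continue  # drop a bad record rather than abort the whole triage
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def classify_vector(ev):
    """Map one event onto a monitoring category, or None if it is ordinary local activity."""
    if ev.get("dest") == "removable_media":
        return "removable_media"
    if ev.get("dest") == "personal_cloud":
        return "personal_cloud"
    if ev.get("dest") == "application" and ev.get("destination") not in SANCTIONED_DESTINATIONS:
        return "application_activity"
    sample = ev.get("content_sample", "")
    for name, rx in PATTERNS.items():
        if rx.search(sample):
            return "pattern_match:" + name
    return None


def find_cover_ups(events):
    """Flag a copy to removable media followed by deletion of the source within the window."""
    pending = defaultdict(list)  # user -> [(copy_ts, source_path)]
    hits = []
    for ev in events:  # events are time-ordered, so a single pass is enough
        if ev.get("dest") == "removable_media" and ev.get("source"):
            pending[ev["user"]].append((ev["ts"], ev["source"]))
        elif ev.get("action") == "deleted":
            for copy_ts, src in pending[ev["user"]]:
                if src == ev["path"] and ev["ts"] - copy_ts <= COVER_UP_WINDOW:
                    hits.append({"user": ev["user"], "path": src, "ts": ev["ts"], "vector": "cover_up"})
    return hits


def triage(text):
    """Return alert rows: one per classified event plus one per cover-up sequence."""
    events = parse_events(text)
    alerts = []
    for ev in events:
        vec = classify_vector(ev)
        if vec:
            alerts.append({"user": ev["user"], "path": ev["path"], "ts": ev["ts"], "vector": vec})
    alerts.extend(find_cover_ups(events))
    return alerts


def to_csv(alerts):
    """Serialise alerts as CSV, the way an analyst would export a user-activity report."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["ts", "user", "vector", "path"], extrasaction="ignore")
    w.writeheader()
    for a in alerts:
        w.writerow({**a, "ts": a["ts"].isoformat()})
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(triage(SAMPLE_EVENTS)))
```

Run on the constructed sample, the report contains four rows: bob's copy to removable media, carol's upload to a personal cloud service, erin's file whose content matches the card-number pattern, and a separate cover-up row for bob because the source file was deleted two minutes after the copy. Dave's upload goes to a sanctioned destination and is not reported. The sanctioned list and the deletion window are the two knobs a team would tune against its own false-positive rate.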
Access Lock
If a user is identified as an insider threat, Access Lock enables administrators to lock the user's Windows device, thereby preventing unauthorized access. Locking the device prevents access to all content on the device (not just the files selected for backup). Access Lock leverages Microsoft's BitLocker technology to lock all drives connected to the device with a new key. Once a device is locked, it is completely inaccessible without the new recovery key to unlock it. The data on the device is retained and can be used to further investigate the threat.
See Access Lock for additional information.
Legal Hold web app
If file activity is identified as coming from an insider threat, files involved in that activity, and their history, can be collected and held for legal action using Code42's Legal Hold web app.
File collection from a legal hold may be part of eDiscovery, the process of discovery in legal cases when the information is in electronic format. As part of the eDiscovery process, you may need to perform tasks such as the following in response to an insider threat incident:
- Determine who has restored files from a particular organization and when the restores occurred.
- Search the logs stored on endpoint devices running the Code42 app.
If you are new to Code42 for Enterprise, contact our sales team to get started.
If you already use Code42 for Enterprise, contact your Customer Success Manager (CSM) for enterprise support at firstname.lastname@example.org for assistance with:
- Licensing for specific features
- Configuring your Code42 environment to best handle insider threat