An insider threat is an organizational threat that comes from anyone who has authorized access to internal data or computer systems, including employees, contractors or third-party vendors. Insider threats can be malicious (intentionally taking intellectual property to a competitor) or unintentional (accidentally sharing a confidential file publicly on the web).
This article provides best practices for using Code42 to detect insider threat and respond to incidents.
This article applies to Code42 cloud environments. If you have an on-premises Code42 authority server, see the on-premises article.
- The procedures described here are suggestions, not requirements, for using Code42 to handle insider threats at your organization. Adjust the tasks described in this article as needed to work in accordance with your company's own processes for addressing insider threat.
- Although Code42 is an essential part of your defense against insider threat, a robust insider threat response program involves many additional processes and stakeholders. Forrester Research offers steps for establishing such a program. For details, see The Forrester Playbook for Insider Threat, available from Code42.
- You must have the Code42 Platinum product plan to use the detection, alerts, and Forensic File Search capabilities of Code42. Contact your Customer Success Manager (CSM) for assistance with product plans. If you're not sure how to reach your CSM, email firstname.lastname@example.org and we will connect you.
- You must have the Customer Cloud Admin role or the Security Center User role to perform the tasks in this article.
- Many of these tasks can be performed using the Code42 API. If you have a standard insider threat scripting procedure, you can add the Code42 API tasks to the script. For help with using Code42 APIs, contact your Customer Success Manager to engage the Professional Services team.
Step 1: Capture file activity
Before you can use Code42 to address insider threat, you must do the following to capture file activity:
Enable endpoint monitoring
Enable endpoint monitoring to capture file activity on each device in real time, helping you identify potential insider threat actions. Enable the following endpoint monitoring options:
- Removable Media
- Cloud Sync Applications
- Browser and other Application Activity (file upload and download)
- File Metadata Collection (only available if you have the Code42 Platinum product plan)
Endpoint monitoring identifies most file activity anywhere on a user's device, not just within the user's backup file selection.
See Enable endpoint monitoring for file exfiltration detection for more information.
Add data sources
If your product plan includes one or more data sources, authorize Code42 to collect information from those sources. Data sources can include cloud services (for example, Google Drive, Microsoft OneDrive, Box) and email services (for example, Gmail, Microsoft Office 365). Once connected, this information is available in Forensic File Search for investigation.
See Introduction to adding data sources for Forensic File Search for more information.
Set up Code42 to collect files on endpoints and place them into backup archives. In the event of insider threat file activity, you can use Forensic File Search to download these files and examine their contents using the Most Recent Version or Exact Match links. You can also collect files from the archives for use in a legal hold action if needed.
To optimize file collection:
- Select all the users' files
By default, the Code42 app collects all files in a user's home directory. Use inclusion and exclusion settings to include any additional files from users' devices, and exclude any that you do not want to collect. Remember that any files that you do not collect cannot be downloaded for examination or used in a legal hold.
- Set file collection frequency and retention
To get the best coverage for file investigation, use the default frequency and versions settings to collect new file versions every 15 minutes and to never remove deleted files from archives.
- Extend cold storage duration
Cold storage is a temporary storage state for file archives after a user or device is deactivated in your Code42 environment. You can specify how long the archives are retained in cold storage before they are permanently deleted. Extending the cold storage duration preserves file archives for a longer period to ensure they are available for threat investigation. Keep in mind that users whose files are in archives in cold storage still consume subscriptions.
Step 2: Detect suspicious file activity
Quick detection of suspicious file activity is critical to successful insider threat response.
Code42's detection tools let you see activity associated with malicious insider behavior, such as unauthorized file movement. After setup, detection operates in the background and provides alerts to notify you when suspicious activity occurs.
If you have the Code42 Platinum product plan, detect unauthorized file activity using the following Detection and Alerts options in the administration console:
Risk Exposure dashboard
The Risk Exposure dashboard shows file activity from throughout your entire environment. The dashboard provides a quick view of potential risks.
See Review unusual file activity with the Risk Exposure dashboard for more information.
See Create and manage alerts for more information.
Employees leaving your company are a potential source of insider threat, because some take your company's data with them when they leave, whether innocently or maliciously. From Detection > Departing Employees, review the file activity of employees who are leaving your company.
- Quickly identify suspicious file movement
- Review endpoint and cloud services activity
- See file activity for the 90 days leading up to a departure
See Add departing employees for more information.
Add employees to the Departing Employees application as soon as you have their departure dates, and enable alerts for all departing employees. If you delay, you could miss detecting unauthorized file activity.
Step 3: Investigate suspicious file activity
Investigate suspicious file activity using the following Investigation options in the administration console:
You can also use third-party tools in conjunction with Code42 to investigate suspicious file activity.
- Code42 Platinum product plan
The User Profile displays when you select Investigation > User Activity and enter a user's name. From User Profile you can review the file activity of employees, helping you to quickly identify suspicious file movement, review endpoint and cloud services activity, and see file activity for the previous 90 days. See User Profile reference for more information.
- Non-Code42 Platinum product plan
User Activity searches for users' security events detected by endpoint monitoring. Use this option when you want to view activity rather than receive notifications. You can see a trend of the user's activity over the last 60 days, providing a baseline of normal activity that helps you identify spikes in file movement that signal abnormal activity. You can export the results to a CSV file for analysis or archiving. See User Activity and Activity Notifications reference for more information.
If you have the Code42 Platinum product plan, use Alerts instead of activity notifications. Alerts notify you on a wider range of file activity.
See Configure activity profiles for more information.
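The "baseline of normal activity" described above is a 60-day trend that you read by eye in User Activity. The script below, an added example that is not Code42's own code, does the same comparison over a CSV export: it builds a per-user baseline from the previous 60 days and flags any day whose event count is far above it. The CSV layout (user, day, events) and the two users' activity are constructed for illustration and are not the real User Activity export format.

```python
import csv
import io
import statistics
from collections import defaultdict
from datetime import date, timedelta


def build_sample_export(start=date(2020, 1, 1), days=75):
    """Construct a deterministic sample export (not real data): one row per
    user per weekday with a count of endpoint security events that day."""
    rows = ["user,day,events"]
    for i in range(days):
        day = start + timedelta(days=i)
        if day.weekday() >= 5:          # no rows on weekends
            continue
        rows.append(f"alice@example.com,{day.isoformat()},{3 + i % 5}")
        bob = 4 + i % 3                 # ordinary activity for ten weeks ...
        if i >= 70:
            bob = 180 + 10 * (i - 70)   # ... then a burst of file movement
        rows.append(f"bob@example.com,{day.isoformat()},{bob}")
    return "\n".join(rows)


def load_daily_counts(csv_text):
    """Parse the export into {user: {day: event_count}}."""
    counts = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(csv_text)):
        counts[row["user"]][date.fromisoformat(row["day"])] = int(row["events"])
    return counts


def flag_spikes(counts, baseline_days=60, min_history=30, k=3.0, floor=20):
    """Compare each day with the user's own trailing baseline.

    The baseline is the user's counts over the previous `baseline_days`
    calendar days; days with no row are ignored, so weekends and holidays
    do not drag the median down. A day is flagged when its count exceeds
    median + k * MAD (median absolute deviation) and also reaches `floor`,
    so a quiet user moving a handful of files more than usual is not
    reported. Returns (user, day, count, limit) tuples in date order.
    """
    findings = []
    for user, per_day in counts.items():
        for day in sorted(per_day):
            window = [per_day[day - timedelta(days=n)]
                      for n in range(1, baseline_days + 1)
                      if day - timedelta(days=n) in per_day]
            if len(window) < min_history:
                continue                # not enough history for a baseline
            med = statistics.median(window)
            mad = statistics.median(abs(x - med) for x in window)
            limit = med + k * max(mad, 1.0)
            count = per_day[day]
            if count > limit and count >= floor:
                findings.append((user, day, count, limit))
    findings.sort(key=lambda f: (f[1], f[0]))
    return findings


if __name__ == "__main__":
    export = build_sample_export()
    for user, day, count, limit in flag_spikes(load_daily_counts(export)):
        print(f"{day} {user}: {count} events (baseline limit {limit:.1f})")
```

Run as-is, the script reports only bob's three burst days; alice's steady activity never crosses her baseline. The median and MAD are used instead of mean and standard deviation so that one earlier spike does not inflate the baseline and hide the next one; tune `floor` to the volume of routine file movement in your environment.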
Forensic File Search
In the event of an insider threat incident, Forensic File Search provides detailed visibility into files on user devices, including files not selected for collection. Use Forensic File Search to search file metadata to gain a clearer understanding of insiders' file activity. Forensic File Search is only available to customers with the Code42 Platinum product plan.
Forensic File Search helps you to quickly answer questions such as:
- Is there file activity that looks suspicious?
- Is there evidence of covering up suspicious file activity?
- Does an individual have a specific file, or did the individual previously have it?
Forensic File Search allows you to see a wide array of file events, including when a file is created, modified, renamed, moved, or deleted. Search results return file events for all organizations in your Code42 environment.
Forensic File Search is the most powerful file investigation tool available in Code42. See our use cases to learn how to use Forensic File Search to investigate suspicious file activity.
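Answering "does an individual have a specific file, or did the individual previously have it?" means replaying the file's event history rather than looking at a single event. The following added example, which is not Code42's own code and does not reproduce the Forensic File Search schema, replays a constructed set of created, modified, renamed, moved and deleted events (the event kinds named above) and reports, for one file hash, who holds the file now and who held it before. The event records, user names, paths and hash values are all constructed.

```python
from collections import defaultdict

# Constructed events, simplified: every event carries the acting user, the
# event kind, the path after the event and the file's content hash; rename
# and move events also carry the previous path. Timestamps are ISO-8601 and
# sort correctly as text.
SAMPLE_EVENTS = [
    {"ts": "2020-03-10T09:00:00Z", "user": "alice@example.com", "type": "CREATED",
     "path": "/home/alice/q1-forecast.xlsx", "hash": "hash-A"},
    {"ts": "2020-03-10T09:05:00Z", "user": "alice@example.com", "type": "MODIFIED",
     "path": "/home/alice/q1-forecast.xlsx", "hash": "hash-A"},
    {"ts": "2020-03-11T14:20:00Z", "user": "bob@example.com", "type": "CREATED",
     "path": "/home/bob/Downloads/q1-forecast.xlsx", "hash": "hash-A"},
    {"ts": "2020-03-11T14:22:00Z", "user": "bob@example.com", "type": "RENAMED",
     "from_path": "/home/bob/Downloads/q1-forecast.xlsx",
     "path": "/home/bob/Downloads/notes.xlsx", "hash": "hash-A"},
    {"ts": "2020-03-11T18:40:00Z", "user": "bob@example.com", "type": "DELETED",
     "path": "/home/bob/Downloads/notes.xlsx", "hash": "hash-A"},
    {"ts": "2020-03-12T08:00:00Z", "user": "carol@example.com", "type": "CREATED",
     "path": "/home/carol/budget.docx", "hash": "hash-B"},
]


def replay(events):
    """Replay events in time order.

    Returns the current view {user: {path: hash}} and, per hash, the set of
    users who held that content at any point. A rename or move carries the
    hash from the old path to the new one; a delete removes the path.
    """
    current = defaultdict(dict)
    ever = defaultdict(set)
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, kind, h = ev["user"], ev["type"], ev["hash"]
        if kind in ("CREATED", "MODIFIED"):
            current[user][ev["path"]] = h
            ever[h].add(user)
        elif kind in ("RENAMED", "MOVED"):
            current[user].pop(ev["from_path"], None)
            current[user][ev["path"]] = h
            ever[h].add(user)
        elif kind == "DELETED":
            current[user].pop(ev["path"], None)
        else:
            raise ValueError(f"unknown event type {kind!r}")
    return current, ever


def possession(events, file_hash):
    """Return {user: 'has' | 'had'} for everyone who ever held file_hash.

    'has' means some path on the user's device still maps to the hash after
    replay; 'had' means every copy was since deleted. Users who never held
    the file are omitted.
    """
    current, ever = replay(events)
    return {user: "has" if file_hash in current[user].values() else "had"
            for user in sorted(ever.get(file_hash, ()))}


def timeline(events, file_hash):
    """All events touching file_hash, oldest first, for the investigator's notes."""
    return sorted((e for e in events if e["hash"] == file_hash), key=lambda e: e["ts"])


if __name__ == "__main__":
    for ev in timeline(SAMPLE_EVENTS, "hash-A"):
        print(ev["ts"], ev["user"], ev["type"], ev["path"])
    print(possession(SAMPLE_EVENTS, "hash-A"))
```

On the constructed data the result is that alice still has the file, bob had a copy (renamed, then deleted the same afternoon) and carol never held it. A rename followed shortly by a delete is exactly the pattern behind the second question above, evidence of covering up activity, so the timeline is worth keeping alongside the yes/no answer.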
Step 4: Respond to insider threat incidents
When an insider threat incident occurs, you need to move quickly to identify the actors involved and the files compromised. While your company has its own response protocol, the following Code42 features can help you respond to insider threat incidents:
Integrations with third-party security tools
Use the following third-party Code42 integrations to respond to suspicious file activity.
IBM Resilient is a platform for orchestrating and automating security incident response. Code42 for Resilient adds Code42-specific functions, rules, and workflows to extend the capabilities of your IBM Resilient environment, including insider threat use cases.
See Code42 for IBM Resilient for more information.
Splunk Phantom is a security orchestration, automation, and response (SOAR) solution. Use the Code42 app for Splunk Phantom to add Code42-specific actions to your Splunk Phantom environment, including running file queries with Forensic File Search.
See Code42 app for Splunk Phantom for more information.
If file activity is identified as coming from an insider threat, files involved in that activity, and their history, can be gathered and held for legal action using Code42's Legal Hold. To obtain files for use in Legal Hold, you must first collect files into archives.
Gathering files for a legal hold may be part of eDiscovery, the process of discovery in legal cases when the information is in electronic format. As part of the eDiscovery process, you may need to perform tasks such as the following in response to an insider threat incident:
- Identify when the incident occurred.
- Determine who has files involved in the incident.
- Search the logs stored on endpoint devices running the Code42 app.
Add employees who have the highest risk of taking sensitive data to a legal hold. Adding them to a legal hold keeps the employees' files in archives for a longer period, in case they are needed for additional investigation or future legal action. Deactivated users cannot be added to legal holds. If you need to add a deactivated user to a legal hold, first reactivate that user.
If a user is identified as an insider threat, Access Lock enables administrators to lock the user's Windows device, thereby preventing unauthorized access. Locking the device prevents access to all content on the device (not just the files selected for backup). Access Lock leverages Microsoft's BitLocker technology to lock all drives connected to the device with a new key. Once a device is locked, it is completely inaccessible without the new recovery key to unlock it. The data on the device is retained and can be used to further investigate the threat.
See Access Lock for additional information.
If you are new to Code42 for Enterprise, contact our sales team to get started.
If you already use Code42 for Enterprise, contact your Customer Success Manager (CSM) at email@example.com for assistance with:
- Licensing for specific features
- Configuring your Code42 environment to best handle insider threat