Code42 Next-Gen Data Loss Protection (DLP) is a product suite of capabilities that help protect your company's information. This article provides best practices for Code42 security teams so they can most effectively use Code42 Next-Gen DLP.
Code42 Next-Gen Data Loss Protection is distinctly different from traditional data loss prevention. For more information, see Introduction to Code42 Next-Gen Data Loss Protection.
- Advanced Code42 Next-Gen DLP features such as Forensic File Search are only available to customers with the Code42 Next-Gen DLP Platinum product plan.
- If you have an on-premises authority server or storage server, you must first upgrade to the Code42 cloud before you can get the Code42 Next-Gen DLP Platinum product plan.
We recommend you follow these best practices when you implement Code42 Next-Gen Data Loss Protection.
Code42 Next-Gen Data Loss Protection automatically collects and stores every version of every file across all devices. Code42 Next-Gen DLP also indexes all file activity across devices and cloud services like Google Drive and Microsoft OneDrive.
To optimize file collection:
- Select all the users' files
By default, the Code42 app collects all files in a user's home directory. Use inclusion and exclusion settings to include any additional files from users' devices, and exclude any that you do not want to collect. Remember that any files that you do not collect cannot be recovered in the event of a data loss incident.
- Collect new file versions every 15 minutes
To get the best coverage for file recovery, use the default frequency and versions settings to collect new file versions every 15 minutes.
- Enable file metadata collection
Select Forensic search and Cloud search detection types when enabling endpoint monitoring (described in the next section). Turning on these settings allows Code42 to collect file metadata on all files on all devices and in cloud services, even if the file contents are not being collected.
Code42 Next-Gen Data Loss Protection permits you to see file activity on removable media and files shared via cloud services.
To optimize monitoring:
- Enable endpoint monitoring
Enable endpoint monitoring (also known as file exfiltration detection). This turns on monitoring for:
- Removable media use
- File sharing on cloud services
- File uploads and downloads in web browsers and other applications
- File restores to devices
- Files with contents that match a certain pattern
- Forensic searches
- Set up activity notifications for high-risk users
Configure activity profiles in Security Center for high-risk users to monitor their file activity detected by endpoint monitoring. You will receive an email notification when suspicious activity occurs.
You can triage and prioritize data threats by searching file activity across cloud services and all devices, even when they are offline.
To optimize threat investigation:
- Review user activity
Run the User Activity report to search for users' security events detected by endpoint monitoring. The report can help you identify and visualize potential data leaks. You can also export the results to a CSV file for analysis or archiving.
- Use Forensic File Search to monitor data activity
Use Forensic File Search to create saved searches to routinely scan for threats. Create saved searches for any number of use cases, such as finding known malware, seeing the location of critical files, and identifying cloud files shared with external users.
- Use the Code42 API to automate threat detection
Use the Forensic File Search API to create customized searches that you can script to automate threat detection.
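One way to script such a recurring search in Python, as an added example that is not Code42's own code: it builds a query in what I understand to be the v1 Forensic File Search filter-group shape, posts it to the tenant's FFS endpoint with a bearer token, and triages the returned events for removable-media copies, shares outside trusted domains, and known-bad hashes. The endpoint URL, token, operator names and event field names (exposure, sharedWith, md5Checksum, deviceUserName) are assumptions to check against your API reference; the hashes, domains and sample events are constructed.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Constructed placeholders: swap in the hashes and domains your own team tracks.
KNOWN_BAD_MD5 = {"d41d8cd98f00b204e9800998ecf8427e"}
TRUSTED_DOMAINS = {"example.com"}

def build_query(days=1, page_size=100):
    """v1 FFS filter-group query body (assumed shape; verify against your API docs)."""
    since = (datetime.now(timezone.utc) - timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {"groups": [
        {"filterClause": "AND", "filters": [{"operator": "ON_OR_AFTER", "term": "eventTimestamp", "value": since}]},
        {"filterClause": "OR", "filters": [{"operator": "IS", "term": "exposure", "value": "RemovableMedia"},
                                           {"operator": "IS", "term": "exposure", "value": "OutsideTrustedDomains"}]}],
        "groupClause": "AND", "pgNum": 1, "pgSize": page_size, "srtDir": "asc", "srtKey": "eventId"}

def fetch_events(url, token, query):
    """POST the query to your tenant's FFS endpoint (passed in, never hard-coded); return fileEvents."""
    req = urllib.request.Request(url, data=json.dumps(query).encode(),
                                 headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp).get("fileEvents", [])

def triage(events):
    """Keep only events worth an analyst's time, each tagged with the reasons it was kept."""
    findings = []
    for ev in events:
        reasons = []
        if "RemovableMedia" in (ev.get("exposure") or []):
            reasons.append("copied to removable media")
        shared = [s.get("cloudUsername", "") for s in ev.get("sharedWith") or []]
        external = sorted(u for u in shared if u and u.rpartition("@")[2].lower() not in TRUSTED_DOMAINS)
        if external:
            reasons.append("shared outside trusted domains: " + ", ".join(external))
        if ev.get("md5Checksum") in KNOWN_BAD_MD5:
            reasons.append("matches known-malware hash")
        if reasons:
            findings.append({"user": ev.get("deviceUserName"), "file": ev.get("fileName"), "reasons": reasons})
    return findings

# Constructed sample events in the assumed FFS field layout, so the module runs offline.
SAMPLE_EVENTS = [
    {"deviceUserName": "alice@example.com", "fileName": "roadmap.xlsx", "exposure": ["RemovableMedia"], "md5Checksum": "0" * 32},
    {"deviceUserName": "bob@example.com", "fileName": "notes.txt", "exposure": [], "md5Checksum": "1" * 32},
    {"deviceUserName": "carol@example.com", "fileName": "customers.csv", "exposure": ["SharedViaLink"],
     "sharedWith": [{"cloudUsername": "dave@example.com"}, {"cloudUsername": "eve@partner.invalid"}], "md5Checksum": "2" * 32},
    {"deviceUserName": "alice@example.com", "fileName": "setup.exe", "exposure": [], "md5Checksum": "d41d8cd98f00b204e9800998ecf8427e"},
]
```

Run `triage(fetch_events(url, token, build_query()))` from a scheduler to get the saved-search behaviour described above; `triage(SAMPLE_EVENTS)` exercises the logic without network access.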
You can retain files for all employees, for as long as the files are needed to satisfy data retention requirements related to compliance or litigation.
To optimize file preservation:
- Never remove deleted files from archives
To preserve files for threat investigation, use the default frequency and versions settings to never remove deleted files from archives.
- Preserve files with Legal Hold for enhanced surveillance
If you suspect employees of malicious file activity, use Code42 Legal Hold to preserve their files as evidence. The gathered files can be used in legal proceedings as needed. Gathering files for a legal hold is invisible to users and can use different file selection and preservation settings than Code42's standard file collection.
- Extend cold storage duration
Cold storage is a temporary storage state for data after a user or device is deactivated in your Code42 environment. You can specify how long this data is retained in cold storage before it is permanently deleted. Extending the cold storage duration preserves data for a longer period to ensure it is available for threat investigation, especially in cases of employee departure. Keep in mind that users whose data is in cold storage still consume subscriptions.
In the event of data loss (for example, deletion, corruption, or ransom), retrieve files from Code42 file archives.
To most effectively recover files:
- Recover files moved to a cloud service or removable media
To recover files involved in suspicious file movement, restore files from the administration console and use the Restore files as of setting to select the files on the date they were moved so you can examine their contents.
- Recover deleted or corrupted files
To recover deleted or corrupted files, restore files from the administration console. To recover deleted files, select Display deleted files. To recover corrupted files, use Restore files as of to select file versions from a date prior to corruption.
- Recover files from a lost or stolen device
If a device is lost or stolen, restore that device's files to a new replacement device.
- Recover files compromised by a ransomware attack
Recover from a ransomware attack by downloading uninfected file versions that were collected prior to the time of infection.