Code42 Next-Gen Data Loss Protection (DLP) is a suite of capabilities that helps protect your company's information. This article provides best practices that Code42 administrators can follow to use Code42 Next-Gen DLP most effectively.
What is Code42 Next-Gen DLP?
Traditional DLP versus Code42 Next-Gen DLP
Traditional data loss prevention (DLP) solutions use policies and blocking technology to attempt to prevent data loss. While policies can be effective, they require a great amount of setup and maintenance, and once in place, they can block employees from getting their work done.
Code42 Next-Gen Data Loss Protection (DLP) focuses on protecting all data against loss. By tracking all data, you can identify where it lives, who has access to it, and how it moves and changes. Code42 Next-Gen DLP helps you better detect insider threat, satisfy regulatory compliance requirements, and speed up incident response.
How to get Code42 Next-Gen DLP
If you are an existing customer with an on-premises authority server or storage server, migrate to the Code42 cloud so you can get Code42 Next-Gen DLP.
We recommend you follow these best practices when you implement Code42 Next-Gen DLP.
Code42 automatically collects and stores every version of every file across all devices. Code42 also indexes all file activity across devices and cloud services like Google Drive and OneDrive.
To optimize file collection:
- Select all the users' files
By default, the Code42 app collects all files in a user's home directory. Use inclusion and exclusion settings to include any additional files from users' devices, and exclude any that you do not want to collect. Remember that any files that you do not collect cannot be recovered in the event of a data loss incident.
- Collect new file versions every 15 minutes
To get the best coverage for file recovery, use the default frequency and versions settings to collect new file versions every 15 minutes.
- Enable file metadata collection
Select Forensic search and Cloud search detection types when enabling endpoint monitoring (described in the next section). Turning on these settings allows Code42 to collect file metadata on all files on all devices and in cloud services, even if the files themselves are not being collected in archives.
Code42 permits you to see files being moved by users to removable media or shared via cloud services.
To optimize monitoring:
- Enable endpoint monitoring
Enable endpoint monitoring (also known as file exfiltration detection) to turn on monitoring for:
  - Removable media use
  - File sharing on cloud services
  - File uploads and downloads in web browsers and other applications
  - File restores to devices
  - Files with contents that match a certain pattern
  - Forensic searches
- Set up activity notifications for high-risk users
Configure activity profiles in Security Center for high-risk users to monitor their file activity detected by endpoint monitoring. You will receive an email notification when suspicious activity occurs.
Use Code42 to triage and prioritize data threats by searching file activity across cloud services and all devices, even when they are offline.
To optimize threat investigation:
- Review user activity
Run the User Activity report to search for users' security events detected by endpoint monitoring. The report can help you identify and visualize potential data leaks. You can also export the results to a CSV file for analysis or archiving.
- Use Forensic File Search to monitor data activity
Use Forensic File Search to create saved searches to routinely scan for threats. Create saved searches for any number of use cases, such as finding known malware, seeing the location of critical files, and identifying cloud files shared with external users.
- Use the Code42 API to automate threat detection
Use the Forensic File Search API to create customized searches that you can script to automate threat detection.
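The saved searches described above (known malware by hash, critical files on the move, cloud files shared with external users) and the scripted automation this item recommends can be expressed as a small set of detection rules run over exported file events. The following Python script is an added example, not Code42's own code or SDK: the event dictionaries are constructed samples, and their field names (eventType, exposure, filePath, sharedWith, sha256Checksum, deviceUserName) are assumed to mirror Forensic File Search output and must be mapped to whatever fields your API response or CSV export really contains. It also escalates any hit that involves a user on a high-risk list, mirroring the activity-profile idea from the monitoring section.

```python
"""Scripted triage of Code42 file exposure events (added example).

Not Code42's own code or SDK. Event field names are ASSUMED to follow the
Forensic File Search event shape; sample values are constructed.
"""
from dataclasses import dataclass

# Constructed sample events: every value below is invented for this example.
SAMPLE_EVENTS = [
    {"eventTimestamp": "2024-03-01T09:12:00Z", "eventType": "CREATED",
     "deviceUserName": "alice@example.com", "fileName": "q3-forecast.xlsx",
     "filePath": "/Users/alice/Finance/", "exposure": ["RemovableMedia"],
     "sha256Checksum": "aaaa1111", "sharedWith": []},
    {"eventTimestamp": "2024-03-01T09:40:00Z", "eventType": "MODIFIED",
     "deviceUserName": "bob@example.com", "fileName": "notes.txt",
     "filePath": "Google Drive/Personal/", "exposure": ["SharedViaLink"],
     "sha256Checksum": "bbbb2222", "sharedWith": ["friend@mail.test"]},
    {"eventTimestamp": "2024-03-01T10:05:00Z", "eventType": "CREATED",
     "deviceUserName": "carol@example.com", "fileName": "setup.exe",
     "filePath": "/Users/carol/Downloads/", "exposure": ["ApplicationRead"],
     "sha256Checksum": "deadbeef", "sharedWith": []},
    {"eventTimestamp": "2024-03-01T11:30:00Z", "eventType": "MODIFIED",
     "deviceUserName": "alice@example.com", "fileName": "customer-list.csv",
     "filePath": "Google Drive/Sales/", "exposure": ["OutsideTrustedDomains"],
     "sha256Checksum": "cccc3333", "sharedWith": ["partner@contractor.test"]},
]

# Exposure labels treated as exfiltration vectors / external sharing (assumed names).
EXFIL_EXPOSURES = {"RemovableMedia", "CloudStorage", "ApplicationRead"}
SHARE_EXPOSURES = {"SharedViaLink", "OutsideTrustedDomains"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class TriageConfig:
    known_bad_sha256: frozenset   # hashes of known malware
    critical_dirs: tuple          # path prefixes that hold critical files
    internal_domains: frozenset   # mail domains that count as inside the company
    high_risk_users: frozenset    # users who have an activity profile


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    user: str
    file_name: str
    detail: str


# Constructed configuration; replace every value with your own lists.
DEFAULT_CONFIG = TriageConfig(
    known_bad_sha256=frozenset({"deadbeef"}),
    critical_dirs=("/Users/alice/Finance/", "Google Drive/Sales/"),
    internal_domains=frozenset({"example.com"}),
    high_risk_users=frozenset({"alice@example.com"}),
)


def known_malware(events, cfg):
    """Saved-search equivalent: any file whose hash is on the block list."""
    for e in events:
        if e.get("sha256Checksum") in cfg.known_bad_sha256:
            yield Finding("known-malware", "high", e["deviceUserName"], e["fileName"],
                          f"sha256 {e['sha256Checksum']} is on the block list")


def critical_file_exfil(events, cfg):
    """Critical files leaving via removable media, cloud sync or an application."""
    for e in events:
        vectors = EXFIL_EXPOSURES.intersection(e.get("exposure", []))
        critical = any(e.get("filePath", "").startswith(d) for d in cfg.critical_dirs)
        if vectors and critical:
            yield Finding("critical-file-exfil", "medium", e["deviceUserName"], e["fileName"],
                          f"{', '.join(sorted(vectors))} from {e['filePath']}")


def external_share(events, cfg):
    """Cloud files shared by link or with accounts outside the internal domains."""
    for e in events:
        outsiders = [a for a in e.get("sharedWith", [])
                     if a.rsplit("@", 1)[-1].lower() not in cfg.internal_domains]
        by_link = SHARE_EXPOSURES.intersection(e.get("exposure", []))
        if outsiders or by_link:
            detail = "shared with " + ", ".join(outsiders) if outsiders else "shared via link"
            yield Finding("external-share", "medium", e["deviceUserName"], e["fileName"], detail)


def triage(events, cfg=DEFAULT_CONFIG):
    """Run every rule, escalate hits on high-risk users, and sort by severity."""
    findings = []
    for rule in (known_malware, critical_file_exfil, external_share):
        for f in rule(events, cfg):
            if f.user in cfg.high_risk_users and f.severity != "high":
                f = Finding(f.rule, "high", f.user, f.file_name, f.detail + " (high-risk user)")
            findings.append(f)
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.user, f.rule))


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity:<6}] {f.rule:<20} {f.user:<20} {f.file_name}: {f.detail}")
```

Each rule is a generator so the same functions can be pointed at a live API response, a paged result set, or a CSV export without buffering everything in memory; the high-risk escalation lives in `triage` rather than in each rule so that adding a user to the list changes priority without touching detection logic.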
Use Code42 to retain files for all employees, for as long as the files are needed to satisfy data retention requirements related to compliance or litigation.
To optimize file preservation:
- Never remove deleted files from archives
To preserve files for threat investigation, use the default frequency and versions settings to never remove deleted files from archives.
- Preserve files with Legal Hold for enhanced surveillance
If you suspect employees of malicious file activity, use Code42 Legal Hold to preserve their files as evidence. The resulting gathered files can be used in legal proceedings as needed. Gathering files for a legal hold is invisible to users and can use different file selection and preservation settings than Code42's standard file collection.
- Extend cold storage duration
Cold storage is a temporary storage state for data after a user or device is deactivated in your Code42 environment. You can specify how long this data is retained in cold storage before it is permanently deleted. Extending the cold storage duration preserves data for a longer period to ensure it is available for threat investigation, especially in cases of employee departure. Keep in mind that users whose data is in cold storage still consume subscriptions.
In the event of data loss (for example, deletion, corruption, or ransom), retrieve files from Code42 file archives.
To most effectively recover files:
- Recover files moved to a cloud service or removable media
To recover files involved in suspicious file movement, restore files from the administration console and use the Restore files as of setting to select the files on the date they were moved so you can examine their content.
- Recover deleted or corrupted files
To recover deleted or corrupted files, restore files from the administration console. To recover deleted files, select Display deleted files. To recover corrupted files, use Restore files as of to select file versions from a date prior to corruption.
- Recover files from a lost or stolen device
If a device is lost or stolen, restore that device's files to a new replacement device.
- Recover files compromised by a ransomware attack
Recover from a ransomware attack by downloading uninfected file versions that were collected prior to the time of infection.