
Who is this article for?

  • Incydr Professional and Enterprise: yes
  • Incydr Basic and Advanced: yes
  • CrashPlan Cloud: no
  • Other product plans: yes
  • CrashPlan for Small Business: no

This article applies to Code42 cloud environments.

Other available versions: On-premises


Detect and respond to insider risks

Overview

Code42 helps you identify insider risks and secures your data from threats by:

  • Continuously monitoring endpoint and cloud file activity to detect risk
  • Highlighting suspicious and anomalous behavior
  • Capturing comprehensive file metadata as well as the file contents

This visibility into endpoint and cloud file activity helps you quickly detect and respond to both malicious and unintentional activity that threatens your intellectual property, sensitive data, and overall security.

This article provides best practices for detecting and responding to insider risks.

Considerations

  • This functionality is available only when supported by your product plan. Contact your Customer Success Manager (CSM) for assistance with licensing, or to upgrade to the Incydr Advanced product plan for a free trial. If you do not know your CSM, please contact our Customer Champions.

  • To use this functionality, Incydr users must be assigned specific roles. For more information, see Roles for Incydr. To learn which permissions on Incydr roles allow use of this functionality, see Permissions for Incydr. If you use other Code42 products, see Role assignment use cases.

Part 1: Capture file activity

Step 1: Confirm endpoint monitoring settings 

Incydr Professional and Enterprise

To ensure you capture file activity for all detection types, review your endpoint monitoring settings:

  1. Sign in to the Code42 console.
  2. Select Administration > Environment > Organizations.
  3. View details of the parent organization at the top of the hierarchy:
    1. Click View details.
    2. Select Endpoint Data Collection.
  4. Verify the organization does not inherit settings from the parent organization. If necessary, click Edit settings and deselect Inherit settings from parent organization.
  5. Verify all detection types (Removable Media, Cloud Sync Applications, Browser and other Application Activity, and Printers) are selected.
  6. Click Save.

Incydr Basic and Advanced, CrashPlan Cloud, and other plans

To ensure you capture file activity for all detection types, review your endpoint monitoring settings:

  1. Sign in to the Code42 console.
  2. Select Administration > Environment > Organizations.
  3. View details of the parent organization at the top of the hierarchy:
    1. Select the organization.
    2. From the action menu, select Edit.
    3. Select Endpoint Monitoring.
  4. Verify the organization does not inherit settings from the parent organization. If necessary, deselect Inherit settings from parent.
  5. Verify Enable endpoint monitoring is selected.
  6. Verify all detection types (Removable Media, Cloud Sync Applications, Browser and other Application Activity, and Printers) are selected.
  7. Verify File Metadata Collection is selected.
  8. Click Save.

Incydr Basic and Advanced, CrashPlan Cloud, and other plans only: See Enable endpoint monitoring and file metadata collection for more information.

Step 2: Set up alerts to notify you about suspicious file activity

Alerts enable you to define specific file activity behaviors and thresholds that trigger an alert. Alerts can be sent as emails, appear on dashboards, or both. For example, you could create an alert that emails you every time a user transfers a certain number of files to removable media or to a cloud sync folder.

To customize alert criteria for your Code42 environment:

  1. Sign in to the Code42 console.
  2. Select Alerts > Review Alerts.
  3. Select Create rule.
  4. Define the rule criteria. For a detailed explanation of all options, see Create and manage alert rules.

Step 3: Monitor high-risk employees

The High Risk Employees list provides comprehensive insight into the file activity of employees you identify as a risk (for example, users with elevated permissions, users with access to sensitive data, or users on a performance improvement plan). The User Activity > High Risk Employees section of the Code42 console enables you to:

  • Quickly identify suspicious file activity of high-risk employees
  • Assign employees to high-risk user groups to provide more context for insider risk investigations
  • Easily review both endpoint and cloud sync file activity

To start monitoring high-risk employees:

  1. Sign in to the Code42 console.
  2. Select User Activity > High Risk Employees.
  3. Click Add to list.
  4. Complete the information for the employee. For a detailed explanation of all options, see Add high-risk employees.

Step 4: Monitor departing employees

The Departing Employees list provides comprehensive insight into the file activity of employees who are leaving your company, enabling you to:

  • Easily review endpoint and cloud file activity to quickly identify suspicious behavior
  • Gain visibility into file activity before a user gives notice by looking at file events
  • Receive alerts for file activity behaviors and thresholds that meet your defined criteria

To get started monitoring departing employees:

  1. Select User Activity > Departing Employees.
  2. Click Add to list.
  3. Complete the information for the employee. For a detailed explanation of all options, see Add departing employees.

Step 5: Add trusted domains and IP addresses to reduce noise

Data Preferences settings enable you to exclude file activity on specific domains and IP addresses from dashboards, alerts, and Forensic Search results. This helps you focus investigations on higher-risk activity by filtering out file events from locations you trust.

To add trusted domains and IP addresses:

  1. Sign in to the Code42 console.
  2. Select Administration > Environment > Data Preferences.
  3. On the Trusted domains tab, add domains you trust.
  4. On the IP addresses tab, add your in-network IP addresses.

See Data Preferences reference for more details.

Step 6: Add cloud or email data connections (optional)

Adding data connections authorizes Code42 to collect information from cloud services (for example, Google Drive, Microsoft OneDrive, or Box) and email services (for example, Gmail or Microsoft Office 365). Once connected, file activity in these sources is searchable in Forensic Search and can be used to generate alerts.

See Introduction to adding data connections for specific instructions for each data source.

Step 7: Define file backup policies

(Does not apply to Incydr Professional and Enterprise)

File backup is an important part of insider risk detection and response because it enables you to easily review the actual file contents during investigations of suspicious activity. As long as a file is backed up, it's available for download at any time, even if the device that backed up the file is offline. For detailed recommendations about what to back up, see Considerations for defining your backup policies. For the most high-value settings (including those related to backup), see Recommended Code42 console settings.

Step 8: Configure third-party integrations (optional)

Code42 offers a variety of tools to leverage our insider risk features and data in other systems, including:

  • The Code42 API, Python SDK, and command-line interface (CLI)
  • Third-party integrations with SOAR and SIEM security analytics tools, including Cortex XSOAR, IBM Resilient, LogRhythm, Sumo Logic, and Splunk.

For more details, see Code42 integrations resources.

Part 2: Review suspicious file activity

The Code42 console offers a wide variety of options to help you quickly identify suspicious or unexpected file activity. Not all options below apply in all situations, so use the sections that apply to your specific circumstances.

Watch the videos below to get an overview of how to use Code42 Incydr to review suspicious file activity. For more videos, visit the Code42 University.

Review the Risk Exposure dashboard

Review the Risk Exposure dashboard for a high-level view of all endpoint and cloud file activity in your Code42 environment that may be putting data at risk. The Risk Exposure dashboard highlights file activity:

  • On removable media
  • Synced to cloud services
  • Read by browsers and other apps (uploads and downloads)
  • In .zip files and other archive formats

From the dashboard, click any data point to drill down to specifics, or investigate further in Forensic Search. See Review unusual file activity with the Risk Exposure dashboard for sample use cases.

Review alerts

After you define the specific file activity behaviors and thresholds required to generate an alert, you can view existing alerts to quickly uncover possible insider risks.

Review high-risk employees

After adding high-risk employees, navigate to User Activity > High Risk Employees to review those users' file activity.

See High Risk Employees reference for more details.

Review departing employee activity

After adding departing employees, navigate to User Activity > Departing Employees to review those users' file activity. Even if an employee did not provide much notice or you did not add the user as a departing employee right away, you can still review their past file activity.

See Departing Employees reference for more information.

Review specific users

For users who are not already identified as departing or high-risk employees, you can easily review their past file activity from User Activity > All Users. See All Users reference for more details.

Perform ad-hoc file activity searches

Forensic Search provides detailed visibility about endpoint and cloud file activity and helps you to quickly answer questions such as:

  • Does any file activity look suspicious?
  • Is there evidence of covering up suspicious file activity?
  • Does an individual have a specific file, or did the individual previously have it?

Forensic Search allows you to see a wide array of file events, including when a file is created, modified, renamed, moved, or deleted. Search results return file events for your entire Code42 environment. File event details provide extensive metadata about the file, and offer the option to download the actual file contents.

See Forensic Search use cases for specific use cases, or watch the video below for more details.

Part 3: Respond to insider risks

No single response is appropriate for all situations because risk varies greatly based on the files and users involved. Therefore, we focus on giving you the information you need to respond to insider risks quickly and appropriately, which may include automated action, corrective conversation, legal action, engaging other stakeholders in your organization, or anything in-between.

While not a replacement for your existing response protocols, the following actions can help you respond to insider risks and mitigate threats:

Download and review file contents

Code42 provides the ability to retrieve files involved in an investigation. Being able to definitively see what content is included in these files can help you determine an appropriate response. You can recover file contents in several ways:

  • Download files from Forensic Search: In many cases, files are available for download from the search results. Links to download them appear in the File > Filename section of an event's details.
  • Restore files from the Code42 console (does not apply to Incydr Professional and Enterprise): Administrators can restore a user's backed-up files from any web browser, or restore files to any device running the Code42 app.
  • Collect files from a legal hold (does not apply to Incydr Professional and Enterprise): If the user is already a custodian on legal hold, you can use the Code42 console to collect the files.

Search related risks

With Forensic Search, you can search your entire Code42 environment for other, related risks. For example, if you're responding to a non-sanctioned file share via a cloud service, you can identify other instances of the file in your environment to determine who else might be involved by searching for the file hash (MD5 or SHA256) or the filename.
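Searching by hash and searching by filename answer different questions: a hash match finds every copy of the same bytes regardless of what it was renamed to, while a filename match finds same-named files whose contents may differ. The following added example (not Code42's own code) shows that pivot over a few constructed file events. The records and their field names are assumptions for the illustration, not the Forensic Search schema; the MD5 and SHA-256 values are computed from constructed file contents so the sample stays self-consistent.

```python
"""Pivot from one suspicious file event to related events by hash or filename
(added illustration, not Code42's own code). Events below are constructed."""
import hashlib


def fingerprint(data: bytes) -> dict:
    """MD5 and SHA-256 of file contents, the two hashes Forensic Search reports."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


# Constructed file contents (not real data); hashes derived at load time.
CUSTOMER_LIST = fingerprint(b"constructed customer list, not real data\n")
OTHER_FILE = fingerprint(b"a different document that happens to share a name\n")
NOTES = fingerprint(b"unrelated notes\n")

EVENTS = [
    # the event under investigation: customer list shared via a cloud service
    {"user": "alice@example.com", "file": "customer_list.xlsx",
     "exposure": "CloudSync", **CUSTOMER_LIST},
    # same bytes under a new name on removable media: only a hash search finds it
    {"user": "bob@example.com", "file": "backup_cl.xlsx",
     "exposure": "RemovableMedia", **CUSTOMER_LIST},
    # same name, different contents: only a filename search finds it
    {"user": "carol@example.com", "file": "customer_list.xlsx",
     "exposure": None, **OTHER_FILE},
    # unrelated file, should never match
    {"user": "dave@example.com", "file": "notes.txt",
     "exposure": None, **NOTES},
]


def find_related(events, md5=None, sha256=None, filename=None):
    """Return events matching any supplied criterion, mirroring a Forensic
    Search on file hash (MD5 or SHA256) or filename."""
    hits = []
    for ev in events:
        if ((md5 and ev["md5"] == md5)
                or (sha256 and ev["sha256"] == sha256)
                or (filename and ev["file"] == filename)):
            hits.append(ev)
    return hits


def involved_users(events):
    """Sorted, de-duplicated list of users appearing in the given events."""
    return sorted({ev["user"] for ev in events})


if __name__ == "__main__":
    # pivot from alice's event by hash, then by name, and compare who shows up
    by_hash = find_related(EVENTS, sha256=CUSTOMER_LIST["sha256"])
    by_name = find_related(EVENTS, filename="customer_list.xlsx")
    print("same contents:", involved_users(by_hash))
    print("same name:    ", involved_users(by_name))
```

In practice, start with the hash to find exact copies, then fall back to the filename to catch edited versions or re-saved exports whose hashes no longer match; comparing the two result sets tells you which users hold the original bytes and which hold something that merely looks like it.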

Create a case to organize the investigation

Use Cases as an efficient way to compile, document, and share details about insider risks. This helps you make more informed decisions about how to respond, and also provides a permanent record of the file activity and users associated with the investigation.

Specifically, Cases enables you to:

  • Assemble evidence related to an investigation
  • Add file events from Forensic Search
  • Add notes to provide additional context
  • Summarize and share findings with others in your organization

See Create and edit cases for more details.

Leverage third-party integrations (optional)

If you have already configured third-party integrations, you may be able to use Code42-specific actions and workflows as part of your response. For example, you can use IBM Resilient to download files from a user's backup, use Splunk Phantom to quarantine a device, or use Cortex XSOAR to block users.

For more details, see Code42 integrations resources.

Place users on legal hold

(Does not apply to Incydr Professional and Enterprise)

Adding a user to a legal hold backs up a separate copy of the user's files and retains them for as long as you specify in the preservation policy. This enables you to preserve files separately from the user-facing backup and retain files indefinitely for additional investigation or future legal action.

Additional help

Contact your Customer Success Manager (CSM) for assistance with:

  • Licensing for specific features
  • Configuring your Code42 environment to best identify insider risks

If you do not know your CSM, please contact our Customer Champions for support. If you are a new customer, contact our sales team to get started.