
Who is this article for?

  • Incydr: yes
  • Code42 for Enterprise: yes
  • CrashPlan for Enterprise: no
  • CrashPlan for Small Business: no

This article applies to Code42 cloud environments.


Detect and respond to insider threats

Overview

Code42 helps you secure your data from insider threats by:

  • Continuously monitoring endpoint and cloud file activity to detect risk
  • Highlighting suspicious and anomalous behavior
  • Capturing comprehensive file metadata as well as the file contents

This visibility into endpoint and cloud file activity helps you quickly detect and respond to both malicious and unintentional activity that threatens your intellectual property, sensitive data, and overall security.  

This article provides best practices for detecting and responding to insider threats.

Considerations

  • To complete the steps in this article, you must have either the Customer Cloud Admin role or Security Center User role.
  • This functionality is available only when supported by your product plan. Contact your Customer Success Manager (CSM) for assistance with licensing, or to upgrade to the Incydr Advanced product plan for a free trial. If you don't know who your CSM is, email csmsupport@code42.com.

Part 1: Capture file activity

Step 1: Confirm endpoint monitoring settings

To ensure you capture file activity for all detection types, review your endpoint monitoring settings:

  1. Sign in to the Code42 console.
  2. Select Administration > Organizations > Active.
  3. Select the parent organization at the top of the hierarchy.
  4. From the action menu, select Edit.
  5. Select Endpoint Monitoring.
  6. Deselect Inherit settings from parent, if necessary.
  7. Verify Enable endpoint monitoring and all detection types (Removable Media, Cloud Sync Applications, Browser and other Application Activity, Printers, and File Metadata Collection) are selected.
  8. Click Save.

See Enable endpoint monitoring for file exfiltration detection for more information.

Step 2: Set up alerts to notify you about suspicious file activity

Alerts enable you to define specific file activity behaviors and thresholds that trigger an alert. Alerts can be sent as emails, appear on dashboards, or both. For example, you could create an alert that emails you every time a user transfers a certain number of files to removable media or to a cloud sync folder.

To customize alert criteria for your Code42 environment:

  1. Sign in to the Code42 console.
  2. Select Alerts > Review Alerts.
  3. Select Create Rule.
  4. Define the rule criteria. For a detailed explanation of all options, see Create and manage alerts.

Step 3: Monitor high risk employees

The High Risk Employees list provides comprehensive insight into the file activity of employees you identify as a risk (for example, users who have elevated permissions, have access to sensitive data, or are on a performance improvement plan). The Detection > High Risk Employees section of the Code42 console enables you to:

  • Quickly identify suspicious file activity of high risk employees over the past 90 days
  • Assign risk factors to employees to provide more context for insider threat investigations
  • Easily review both endpoint and cloud sync file activity

To start monitoring high risk employees:

  1. Sign in to the Code42 console.
  2. Select Detection > High Risk Employees.
  3. Select Add High Risk Employee.
  4. Complete the information for the employee. For a detailed explanation of all options, see Add high risk employees.

Step 4: Monitor departing employees

The Departing Employees list provides comprehensive insight into the file activity of departing employees, enabling you to:

  • Easily review endpoint and cloud file activity to quickly identify suspicious behavior
  • Gain visibility into file activity before a user gives notice by looking at file events from the last 90 days
  • Receive alerts for file activity behaviors and thresholds that meet your defined criteria

To get started monitoring departing employees:

  1. Select Detection > Departing Employees.
  2. Select Add Departing Employee.
  3. Complete the information for the employee. For a detailed explanation of all options, see Add departing employees.

Step 5: Add trusted domains and IP addresses to reduce noise

Data Preferences settings enable you to exclude file activity on specific domains and IP addresses from dashboards, alerts, and Forensic Search results. This helps you focus investigations on higher-risk activity by filtering out file events from locations you trust.

To add trusted domains and IP addresses:

  1. Sign in to the Code42 console.
  2. Select Administration > Settings > Data Preferences.
  3. On the Trusted domains tab, add domains you trust.
  4. On the IP addresses tab, add your in-network IP addresses.

See Data Preferences reference for more details.
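
The noise filtering described in this step, combined with a per-user threshold like the alert example in Step 2, can be sketched as follows. This is an added example, not Code42 code or its API: the event fields, sample events, allowlists, subdomain-matching rule, and threshold are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed allowlists (assumptions, not Code42 defaults).
TRUSTED_DOMAINS = {"example.com"}
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample events; field names are hypothetical.
EVENTS = [
    {"user": "alice", "exposure": "cloud_sync", "domain": "drive.example.com", "ip": "203.0.113.5"},
    {"user": "alice", "exposure": "cloud_sync", "domain": "notexample.com", "ip": "203.0.113.5"},
    {"user": "alice", "exposure": "cloud_sync", "domain": "files.notexample.com", "ip": "203.0.113.5"},
    {"user": "alice", "exposure": "cloud_sync", "domain": "notexample.com", "ip": "not-an-ip"},
    {"user": "bob", "exposure": "removable_media", "domain": None, "ip": "10.1.2.3"},
    {"user": "bob", "exposure": "removable_media", "domain": None, "ip": "198.51.100.7"},
]

def domain_trusted(domain):
    """Exact match or a true subdomain; a bare suffix match would
    wrongly trust 'notexample.com' because it ends with 'example.com'."""
    d = domain.lower().rstrip(".")
    return any(d == t or d.endswith("." + t) for t in TRUSTED_DOMAINS)

def ip_trusted(addr):
    """True only for a parsable address inside a trusted network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed addresses are never treated as trusted
    return any(ip in net for net in TRUSTED_NETWORKS)

def is_noise(event):
    """Excluded if the domain is trusted or the IP address is in-network."""
    domain = event.get("domain")
    return bool(domain and domain_trusted(domain)) or ip_trusted(event["ip"])

def alerts(events, threshold):
    """Count remaining events per (user, exposure type) and return the
    combinations that meet or exceed the threshold."""
    counts = Counter(
        (e["user"], e["exposure"]) for e in events if not is_noise(e)
    )
    return sorted((u, x, n) for (u, x), n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for user, exposure, count in alerts(EVENTS, threshold=3):
        print(f"ALERT {user}: {count} {exposure} events outside trusted locations")
```

An allowlist entry that is too broad hides real activity, so review each trusted domain and network range as carefully as you review alert rules.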

Step 6: Add cloud or email data sources (optional)

Adding data sources authorizes Code42 to collect information from cloud services (for example, Google Drive, Microsoft OneDrive, or Box) and email services (for example, Gmail or Microsoft Office 365). Once connected, file activity in these sources is searchable in Forensic Search and can be used to generate alerts.

See Introduction to adding data sources for specific instructions for each data source.

Step 7: Define file backup policies

File backup is an important part of insider threat detection and response because it enables you to easily review the actual file contents during investigations of suspicious activity. As long as a file is backed up, it's available for download at any time, even if the device that backed up the file is offline. For detailed recommendations about what to back up, see Considerations for defining your backup policies. For the most high-value settings (including those that are related to backup), see Recommended Code42 console settings.

Step 8: Configure third-party integrations (optional)

Code42 offers a variety of tools to leverage our insider threat features and data in other systems, including:

  • The Code42 API, Python SDK, and command-line interface (CLI)
  • Third-party integrations with SOAR and SIEM security analytics tools, including Cortex XSOAR, IBM Resilient, LogRhythm, Sumo Logic, and Splunk.

For more details, see Code42 integrations resources.

Part 2: Review suspicious file activity

The Code42 console offers a wide variety of options to help you quickly identify suspicious or abnormal file activity. Not all of the options below apply in all situations, so use the sections that fit your specific circumstances.

Watch the videos below to get an overview of how to use Code42 Incydr to review suspicious file activity. For other videos in this series, see our Training course: Detecting risk with Code42 Incydr. For more videos, visit the Code42 University.

Review the Risk Exposure dashboard

Review the Risk Exposure dashboard for a high-level view of all endpoint and cloud file activity in your Code42 environment that may be putting data at risk. The Risk Exposure dashboard highlights file activity:

  • On removable media
  • Synced to cloud services
  • Read by browsers and other apps (uploads and downloads)
  • In .zip files and other archive formats

From the dashboard, click any data point to drill down to specifics, or investigate further in Forensic Search. See Review unusual file activity with the Risk Exposure dashboard for sample use cases, or watch the video below for a quick overview.

Review alerts

After you define the specific file activity behaviors and thresholds required to generate an alert, you can view existing alerts to quickly uncover possible insider threat file activity. Watch the video below for a quick overview.

Review high risk employees

After adding high risk employees, navigate to Detection > High Risk Employees to review those users' file activity.

See High Risk Employees reference for more details, or watch the video below for a quick overview.

Review departing employee activity

After adding departing employees, navigate to Detection > Departing Employees to review those users' file activity. Even if an employee did not provide much notice or you did not add the user as a departing employee right away, you can still review file activity for the past 90 days.

See Departing Employees reference for more information, or watch the video below for a quick overview.

Review specific users

For users who are not already identified as departing or high risk employees, you can easily perform an ad-hoc review of their file activity over the past 90 days from Investigation > User Activity. See User Profile reference for more details, or watch the video below for a quick overview.

Perform ad-hoc file activity searches

Forensic Search provides detailed visibility about endpoint and cloud file activity and helps you to quickly answer questions such as:

  • Does any file activity look suspicious?
  • Is there evidence of covering up suspicious file activity?
  • Does an individual have a specific file, or did the individual previously have it?

Forensic Search allows you to see a wide array of file events, including when a file is created, modified, renamed, moved, or deleted. Search results return file events for your entire Code42 environment. File event details provide extensive metadata about the file, and offer the option to download the actual file contents. 

See Forensic Search use cases for specific use cases, or watch the video below for more details.

Part 3: Respond to potential threats

No single response is appropriate for all situations because risk varies greatly based on the files and users involved. Therefore, we focus on giving you the information you need to respond to insider threats quickly and appropriately, which may include automated action, corrective conversation, legal action, engaging other stakeholders in your organization, or anything in between.

While not a replacement for your existing response protocols, the following actions can help you respond to insider threats: 

Download and review file contents

Code42 provides the ability to retrieve files involved in an investigation. Being able to definitively see what content is included in these files can help you determine an appropriate response. You can recover file contents in several ways:

  • Download files from Forensic Search: In many cases, files are available for download from the search results. If the file is backed up, links to download it appear in the File > Filename section of an event's details.
  • Restore files from the Code42 console: Administrators can restore a user's backed up files from any web browser or restore files to any device running the Code42 app.
  • Collect files from a legal hold: If the user is already a custodian on legal hold, you can use the Code42 console to collect the files.

Search related threats

With Forensic Search, you can search your entire Code42 environment for other, related threats. For example, if you're responding to a non-sanctioned file share via a cloud service, you can identify other instances of the file in your environment to determine who else might be involved by searching for the file hash (MD5 or SHA256) or the filename.

Create a case to organize the investigation

Use Response > Cases as an efficient way to compile, document, and share details about potential threats. This helps you make more informed decisions about how to respond, and also provides a permanent record of the file activity and users associated with the investigation.

Specifically, Cases enables you to:

  • Assemble evidence related to an investigation
  • Add file events from Forensic Search
  • Add notes to provide additional context
  • Summarize and share findings with others in your organization

See Create and edit cases for more details.

Leverage third-party integrations (optional)

If you have already configured third-party integrations, you may be able to use Code42-specific actions and workflows as part of your response. For example, you can use IBM Resilient to download files from a user's backup, use Splunk Phantom to quarantine a device, or use Cortex XSOAR to block users.

For more details, see Code42 integrations resources.

Place users on legal hold

Adding a user to a legal hold backs up a separate copy of the user's files and retains them for as long as you specify in the preservation policy. This enables you to preserve files separately from the user-facing backup and retain files indefinitely for additional investigation or future legal action.

Additional help

Contact your Customer Success Manager (CSM) at csmsupport@code42.com for assistance with:

  • Licensing for specific features
  • Configuring your Code42 environment to best handle insider threat

If you are a new customer, contact our sales team to get started.