Code42 helps you secure your data from insider threats by:
- Continuously monitoring endpoint and cloud file activity to detect risk
- Highlighting suspicious and anomalous behavior
- Capturing comprehensive file metadata as well as the file contents
This visibility into endpoint and cloud file activity helps you quickly detect and respond to both malicious and unintentional activity that threatens your intellectual property, sensitive data, and overall security.
This article provides best practices for using Code42 to detect and respond to insider threats.
The steps in this article require:
- The Code42 Platinum product plan
- A user with the Customer Cloud Admin role or Security Center User role
To upgrade to the Code42 Platinum product plan for a free trial, contact your Customer Success Manager (CSM). Code42 Platinum offers our most advanced risk detection, investigation, and response features.
If you're new to Code42, visit https://www.code42.com/trial to get started.
Part 1: Capture file activity
Step 1: Confirm endpoint monitoring settings
To ensure you capture file activity for all detection types, review your endpoint monitoring settings:
- Sign in to the Code42 console.
- Select Administration > Organizations > Active.
- Select the parent organization at the top of the hierarchy.
- From the action menu, select Edit.
- Select Endpoint Monitoring.
- Deselect Inherit settings from parent, if necessary.
- Verify Enable endpoint monitoring and all detection types (Removable Media, Cloud Sync Applications, Browser and other Application Activity, Printers, and File Metadata Collection) are selected.
- Click Save.
See Enable endpoint monitoring for file exfiltration detection for more information.
Step 2: Set up alerts to notify you about suspicious file activity
Code42 alerts enable you to define specific file activity behaviors and thresholds that trigger an alert. Alerts can be sent as emails, appear on dashboards, or both. For example, you could create an alert that emails you every time a user transfers a certain number of files to removable media or to a cloud sync folder.
To customize alert criteria for your Code42 environment:
Step 3: Monitor departing employees
The Code42 Departing Employees list provides comprehensive insight into the file activity of departing employees, enabling you to:
- Easily review endpoint and cloud file activity to quickly identify suspicious behavior
- Gain visibility into file activity before a user gives notice by looking at file events from the last 90 days
- Receive alerts for file activity behaviors and thresholds that meet your defined criteria
To get started monitoring departing employees:
Step 4: Monitor high risk employees
The Code42 High Risk Employees list provides comprehensive insight into file activity of employees you identify as a risk (for example, users with elevated permissions, access to sensitive data, on a performance improvement plan, etc.). The Detection > High Risk Employees section of the Code42 console enables you to:
- Quickly identify suspicious file activity of high risk employees over the past 90 days
- Assign risk factors to employees to provide more context for insider threat investigations
- Easily review both endpoint and cloud sync file activity
To start monitoring high risk employees:
Step 5: Add trusted domains and IP addresses to reduce noise
Data Preferences settings enable you to exclude file activity on specific domains and IP addresses from Code42 dashboards, alerts, and Forensic Search results. This helps you focus investigations on higher-risk activity by filtering out file events from locations you trust.
To add trusted domains and IP addresses:
- Sign in to the Code42 console.
- Select Administration > Settings > Data Preferences.
- On the Trusted domains tab, add domains you trust.
- On the IP addresses tab, add your in-network IP addresses.
See Data Preferences reference for more details.
Step 6: Add cloud or email data sources (optional)
Adding data sources authorizes Code42 to collect information from cloud services (for example, Google Drive, Microsoft OneDrive, or Box) and email services (for example, Gmail or Microsoft Office 365). Once connected, file activity in these sources is searchable in Forensic Search and can be used to generate alerts.
See Introduction to adding data sources for specific instructions for each data source.
Step 7: Define file backup policies
File backup is an important part of insider threat detection and response because it enables you to easily review the actual file contents during investigations of suspicious activity. As long as a file is backed up by Code42, it's available for download any time, even if the device that backed up the file is offline. For detailed recommendations about what to back up, see Considerations for defining your backup policies. For the most high-value settings in the Code42 console (including those that are related to backup) see Recommended Code42 console settings.
Step 8: Configure third-party integrations (optional)
IBM Resilient is a security orchestration, automation, and response (SOAR) platform for managing incident response. Code42 for Resilient adds Code42-specific functions, rules, and workflows to extend the capabilities of your IBM Resilient environment, including insider threat use cases.
See Code42 for IBM Resilient for more information.
Splunk Phantom is a security orchestration, automation, and response (SOAR) solution. Use the the Code42 app for Splunk Phantom to add Code42-specific actions to your Splunk Phantom environment, including Forensic Search queries.
See Code42 app for Splunk Phantom for more information.
Part 2: Review suspicious file activity
Code42 offers a wide variety of options to help you quickly identify suspicious or abnormal file activity. Not all options below apply in all situations, so pick the sections below applicable to your specific circumstances.
Review the Risk Exposure dashboard
Review the Risk Exposure dashboard for a high-level view of all endpoint and cloud file activity in your Code42 environment that may be putting data at risk. The Risk Exposure dashboard highlights file activity:
- On removable media
- Synced to cloud services
- Read by browsers and other apps (uploads and downloads)
- In .zip files and other archive formats
From the dashboard, click any data point to drill down to specifics, or investigate further in Forensic Search. See Review unusual file activity with the Risk Exposure dashboard for sample use cases.
After you define the specific file activity behaviors and thresholds required to generate an alert, you can view existing alerts to quickly uncover possible insider threat file activity.
Review departing employee activity
After adding departing employees, navigate to Detection > Departing Employees to review those users' file activity. Even if the employee did not provide much notice or you did not add the user as a departing employee right away, you can still review the 90 past days worth of activity.
See Departing Employees reference for more information.
Review high risk employees
After adding high risk employees, navigate to Detection > High Risk Employees to review those users' file activity.
See High Risk Employees reference for more details.
Review specific users
For users who are not already identified as departing or high risk employees, you can easily perform an ad-hoc review of their file activity over the past 90 days from Investigation > User Activity. See User Profile reference for more details.
Perform ad-hoc file activity searches
Forensic Search provides detailed visibility about endpoint and cloud file activity and helps you to quickly answer questions such as:
- Does any file activity look suspicious?
- Is there evidence of covering up suspicious file activity?
- Does an individual have a specific file, or did the individual previously have it?
Forensic Search allows you to see a wide array of file events, including when a file is created, modified, renamed, moved, or deleted. Search results return file events for your entire Code42 environment. File event details provide extensive metadata about the file, and offer the option to download the actual file contents.
See Forensic Search use cases for specific use cases.
Part 3: Respond to potential threats
No single response is appropriate for all situations because risk varies greatly based on the files and users involved. Therefore, Code42 focuses on giving you the information you need to respond to insider threats quickly and appropriately, which may include automated action, corrective conversation, legal action, engaging other stakeholders in your organization, or anything in-between.
While not a replacement for your existing response protocols, the following Code42 actions can help you respond to insider threats:
Download and review file contents
Code42 provides the ability to retrieve files involved in an investigation. Being able to definitively see what content is included in these files can help you determine an appropriate response. You can recover file contents in several ways:
- Download files from Forensic Search: In many cases, files are available for download from the search results. In the File > Filename section of an event's details, links to download the file appear if it is backed up by Code42.
- Restore files from the Code42 console: Administrators can restore a user's backed up files from any web browser or restore files to any device running the Code42 app.
- Collect files from a legal hold: If the user is already a custodian on legal hold, you can use the Code42 console to collect the files.
Search related threats
With Forensic Search, you can search your entire Code42 environment for other, related threats. For example, if you're responding to a non-sanctioned file share via a cloud service, you can identify other instances of the file in your environment to determine who else might be involved by searching for the file hash (MD5 or SHA256) or the filename.
Leverage third-party integrations (optional)
If you have already configured third-party integrations, you may be able to use Code42-specific actions and workflows as part of your response. For example, you can use IBM Resilient to download files from a user's backup, or use Splunk Phantom to quarantine a device.
For a detailed list of response capabilities, see:
Place users on legal hold
Adding a user to a Code42 legal hold backs up a separate copy of the user's files and retains them for as long as you specify in the preservation policy. This enables you to preserve files separately from the user-facing backup and retain files indefinitely for additional investigation or future legal action.
Contact your Customer Success Manager (CSM) at email@example.com for assistance with:
- Licensing for specific features
- Configuring your Code42 environment to best handle insider threat
If you are new to Code42, contact our sales team to get started.
- Gartner: Understanding Insider Threats
- U.S. Government: National Insider Threat Task Force
- FBI: An Introduction to Detecting and Deterring an Insider Spy