Who is this article for?
Incydr, yes.
CrashPlan for Enterprise, no.
Code42 for Enterprise, no.
CrashPlan for Small Business, no.
This article applies to Code42 cloud environments.
Course introduction
For visibility into exposure and file exfiltration activities, you need data. Lots of data. And the foundation of Code42 Incydr's ability to speed insider risk detection and response comes from its ability to capture all file activity: on endpoints, corporate cloud, and email services. So in this overview video, we're going to show what Incydr can capture and from where.
In this course, we'll show you how to:
- Detect risk in the Risk Exposure dashboard
- Review alerts
- Review departing employees
- Review high-risk employees
- Review a specific user
- Run an ad-hoc search for file exfiltration activity
Time to complete course: 30 minutes
Part 1: Capture file activity
Module 1: Confirm endpoint monitoring settings
Code42 Incydr is designed to detect insider risk within your environment. One of the ways it does this is by collecting file exfiltration events across a number of vectors on your endpoints, while also collecting metadata about those files.
In this video, I'll show you how to review your endpoint monitoring settings to ensure you're capturing file activity for all detection types.
Module 2: Set up alerts to notify you about suspicious file activity
Code42 Incydr collects all file activity on your endpoints, corporate cloud, and email services. Instead of sifting through all that data manually looking for risk indicators, you can use Incydr's alerts to notify you when certain thresholds are met or specific actions are performed.
In this video, we'll look at how to define the rules Incydr will use to alert you of suspicious activity.
Module 3: Monitor high risk employees
Users with escalated privileges, poor security practices, or a declared flight-risk status are all examples of employees who pose a greater risk than others in your organization. Whether their actions are malicious or accidental, they may require additional monitoring to ensure data confidentiality and integrity. With Code42 Incydr, when you know an employee represents a higher risk, you can add them to a High Risk Employees list, making their activity more visible and easier to review.
In this video, we'll look at how to add someone to the list.
Module 4: Monitor departing employees
It should come as no surprise... when people leave their jobs they're going to take data with them. With Code42 Incydr, when you know an employee will depart, either voluntarily or involuntarily, you can add them to a Departing Employees list, making their activity more visible and easier to review.
In this video, we'll look at how to add someone to that list.
Module 5: Add trusted domains and IP addresses to reduce noise
When monitoring file activity, there's a difference between everyday collaboration and events that represent real risk. With Code42 Incydr you can filter out the noise of harmless activity, like sharing files between trusted domains, to reveal only the threats that could harm your business.
In this video, we'll look at how to identify specific domains and IP addresses so that these trusted share events don't show up as security events on Incydr's detection lists, dashboards, and user profiles.
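Module 2 (threshold alerts) and Module 5 (trusted domains and IP addresses) together describe one pipeline: drop share events whose destination is a trusted domain or network, then alert when a single user still generates more than some number of file events inside a time window. The following is an added illustration of that pipeline in plain Python; it is not Incydr's code or API, and the event fields, trusted lists, threshold and sample events are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional
import ipaddress

# Constructed event record; real products expose far richer metadata.
@dataclass
class FileEvent:
    user: str
    filename: str
    dest_domain: Optional[str]   # set for cloud / email shares
    dest_ip: Optional[str]       # set for network transfers
    timestamp: datetime

# Constructed trust lists (hypothetical organization).
TRUSTED_DOMAINS = {"example-corp.com", "partner.example"}
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.0.2.0/24")]

def is_trusted(ev: FileEvent,
               domains=TRUSTED_DOMAINS,
               networks=TRUSTED_NETWORKS) -> bool:
    """True when the destination is a trusted domain (or subdomain) or a trusted network.
    Note the '.' prefix on the suffix match: 'evil-example-corp.com' must NOT match."""
    if ev.dest_domain:
        d = ev.dest_domain.lower().rstrip(".")
        if any(d == t or d.endswith("." + t) for t in domains):
            return True
    if ev.dest_ip:
        try:
            addr = ipaddress.ip_address(ev.dest_ip)
        except ValueError:
            return False   # unparseable destination is never treated as trusted
        return any(addr in net for net in networks)
    return False

def untrusted_events(events: List[FileEvent]) -> List[FileEvent]:
    """Noise reduction step: keep only events that are not trusted shares."""
    return [e for e in events if not is_trusted(e)]

def users_over_threshold(events: List[FileEvent], threshold: int,
                         window: timedelta = timedelta(hours=1)) -> Dict[str, int]:
    """Alert rule: users with >= threshold events inside any sliding window.
    Returns {user: peak count in a window} for users that fire the rule."""
    by_user: Dict[str, List[datetime]] = {}
    for e in sorted(events, key=lambda e: e.timestamp):
        by_user.setdefault(e.user, []).append(e.timestamp)
    flagged: Dict[str, int] = {}
    for user, times in by_user.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged

# Constructed sample activity.
T0 = datetime(2024, 1, 1, 9, 0)
EVENTS = [
    FileEvent("alice", "roadmap.pptx", "example-corp.com", None, T0),
    FileEvent("alice", "budget.xlsx", "example-corp.com", None, T0 + timedelta(minutes=1)),
    FileEvent("alice", "notes.docx", "example-corp.com", None, T0 + timedelta(minutes=2)),
    FileEvent("alice", "backup.zip", None, "10.1.2.3", T0 + timedelta(minutes=3)),
    FileEvent("carol", "spec.pdf", "docs.example-corp.com", None, T0),
    FileEvent("carol", "spec-v2.pdf", "docs.example-corp.com", None, T0 + timedelta(minutes=5)),
    FileEvent("carol", "spec.pdf", "evil-example-corp.com", None, T0 + timedelta(minutes=6)),
    FileEvent("bob", "customers.csv", "personal-share.example", None, T0),
    FileEvent("bob", "pricing.xlsx", "personal-share.example", None, T0 + timedelta(minutes=10)),
    FileEvent("bob", "contracts.zip", "personal-share.example", None, T0 + timedelta(minutes=20)),
    FileEvent("bob", "source.tar", "personal-share.example", None, T0 + timedelta(minutes=30)),
    FileEvent("bob", "photo.jpg", None, "198.51.100.7", T0 + timedelta(hours=5)),
]

def run_demo() -> Dict[str, int]:
    return users_over_threshold(untrusted_events(EVENTS), threshold=3)

if __name__ == "__main__":
    print(run_demo())   # only bob fires: 4 untrusted events inside one hour
```

Two details matter in practice: the domain match requires a dot before the trusted suffix so look-alike domains are not silently whitelisted, and the threshold is evaluated over a sliding window rather than a calendar hour, so a burst that straddles the top of the hour is still caught.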
Module 6: Define file backup policies
In addition to capturing all file activity on your endpoints, Code42 Incydr can also capture the files themselves. With a copy of the files involved in a possible exposure or exfiltration, security analysts can quickly review the file contents as part of their investigation workflow, even if the endpoint is offline or the file has been deleted.
In this video, we'll look at how to define Incydr's file capture policies.
Part 2: Review suspicious file activity
Module 1: Detect risk in the Risk Exposure dashboard
Most insider threats don't intentionally make themselves known. So how does a security team know whether an investigation is required, or even where to begin? Code42 Incydr's Risk Exposure dashboard provides an overview of the different types of file activity in your environment, both on the endpoint and in the cloud. The main purpose of the dashboard is to help you identify when unusual activity is happening so you can investigate further in Forensic Search.
In this video we'll look at what the dashboard looks like and how to use it.
Module 2: Review alerts
Code42 Incydr's alerts can streamline your monitoring workflow by alerting you when specific file activity behaviors and thresholds are met. Alerts can be sent as emails, appear on dashboards, or both.
In this video, we'll look at investigating an alert with the Incydr console.
Module 3: Review departing employees
An essential part of the off-boarding process is making sure departing employees aren't taking anything they shouldn't. With Code42 Incydr, when an employee gives notice, you can add them to a list so their activity is more visible in your monitoring workflows.
In this video, we'll look at how to review such file activity and quickly identify suspicious file movement.
Module 4: Review high-risk employees
Some users pose a greater insider risk than others. They may have elevated permissions, be on a performance improvement plan, or have a history of poor security practices. With Code42 Incydr, when an employee is considered high risk, you can add them to a list so their activity is more visible in your monitoring workflows.
In this video, we'll look at how to view such file activity and quickly identify any suspicious file movement.
Module 5: Review a specific user
During your investigation workflow, there may come a time when you need additional information about a single user's activity. Code42 Incydr makes this easy by using something called a user profile, which is built on a user's file activity over the last 90 days.
In this video, we'll look at how to pull that view up and what information it provides.
Module 6: Ad-hoc activity searches
Forensic Search is a key component of Code42 Incydr's investigation capabilities. After gathering current and historical file events and metadata across both endpoints and cloud services, Forensic Search lets you investigate those events across your entire organization.
In this video, we'll look at how Forensic Search works, and what it can show you.
Use cases
Removable media
If you're like me, you've probably got a drawer of these little USB flash drives. They're convenient, hold lots of data, and fit in your pocket. What's not to love? Well, when it comes to insider risk, removable media is a pretty common exfiltration vector. You've got your USB drives, external hard drives, SD cards... and sure, you can try to block their use. But there are legit uses for these too.
Regardless of your policies, do you have the visibility you need to determine if there's a misuse of removable media in your organization? Well, Code42 Incydr gives you that visibility. Check this out.
File mismatch
So today I was using Code42 Incydr to review the activity of a departing employee. See, when people change jobs it can be tempting to take company data on the way out. Some just want to make their next job easier. Others believe the files belong to them. Sometimes it's accidental. Other times, it's definitely not, like when an employee attempts to conceal a file exfiltration attempt by changing the file extension so it doesn't match the file's contents. Check this out.
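The concealment described above (renaming a file so its extension no longer reflects its contents) is detectable because most file formats begin with a fixed signature, and a detector compares that signature to what the extension claims. The following is an added example of such a check in Python; it is not Incydr's detection code, the signature table covers only a handful of formats, and the sample files are constructed byte strings rather than real documents.

```python
from typing import Dict, List, Optional, Tuple

# Small constructed signature table: leading bytes -> extensions that legitimately carry them.
# Office Open XML documents are ZIP containers, so several extensions share the PK signature.
MAGIC: Dict[bytes, set] = {
    b"%PDF-": {"pdf"},
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"\xff\xd8\xff": {"jpg", "jpeg"},
    b"PK\x03\x04": {"zip", "docx", "xlsx", "pptx", "jar"},
    b"\x7fELF": {"elf", "so", "bin"},
    b"MZ": {"exe", "dll"},
}

def extension_of(filename: str) -> str:
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""

def detected_extensions(data: bytes) -> Optional[set]:
    """Extensions consistent with the file's leading bytes, or None if no signature matches."""
    for magic, exts in MAGIC.items():
        if data.startswith(magic):
            return exts
    return None

def is_mismatch(filename: str, data: bytes) -> Optional[bool]:
    """True  -> content signature contradicts the extension (worth an analyst's attention)
       False -> extension is consistent with the content
       None  -> content has no known signature (e.g. plain text); not a mismatch finding"""
    exts = detected_extensions(data)
    if exts is None:
        return None
    return extension_of(filename) not in exts

def scan(files: List[Tuple[str, bytes]]) -> List[str]:
    """Return the names of files whose extension contradicts their content."""
    return [name for name, data in files if is_mismatch(name, data) is True]

# Constructed sample files (only the leading bytes matter for this check).
SAMPLES = [
    ("report.pdf", b"%PDF-1.7\n%constructed sample\n"),
    ("quarterly.xlsx", b"PK\x03\x04" + b"\x00" * 26),        # xlsx is a ZIP container: consistent
    ("vacation.jpg", b"PK\x03\x04" + b"\x00" * 26),          # ZIP archive renamed to look like a photo
    ("notes.txt", b"meeting notes, nothing binary here\n"),  # no signature: unknown, not a finding
    ("installer.png", b"MZ\x90\x00\x03\x00\x00\x00"),        # executable renamed to look like an image
]

if __name__ == "__main__":
    print(scan(SAMPLES))   # ['vacation.jpg', 'installer.png']
```

Returning three states rather than a boolean keeps text files and unrecognised formats from being reported as mismatches; only a positive contradiction between a known signature and the extension is surfaced to the analyst.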