
Who is this article for?

  • Incydr Professional and Enterprise: yes
  • Incydr Basic and Advanced: yes
  • CrashPlan Cloud: no
  • Other product plans: no
  • CrashPlan for Small Business: no

This article applies to Code42 cloud environments.


Implement Incydr: Use the detection lists and alerts

Overview

This article provides best practices for using the risk detection lists, the Departing Employees list and the High Risk Employees list. It also provides best practices for using the alerts that notify you when possible risky file activity occurs.

For more information about using the detection lists and alerts, see:

Enable endpoint monitoring
You must enable endpoint monitoring before you can use the risk detection lists and alerts.

Considerations

Code42 Professional Services can help you use detection lists and alerts for Incydr. Contact your Customer Success Manager (CSM) to engage Professional Services.

Best practices for the High Risk Employees list

High-level High Risk Employees list workflow

  1. Receive information that employees need to be monitored. The information can come from a number of places, such as your HR department, an endpoint detection and response (EDR) system, a directory service, and so on. The factors that determine when an employee should be added to the High Risk Employees list are defined by your insider risk program.
  2. Add employees to the High Risk Employees list, and assign risk factors.
  3. Monitor high risk exposure activity in the Risk Exposure dashboard, the High Risk Employees list, alerts, or integrations.
  4. Open a case if suspicious file activity is uncovered.
  5. After investigation is complete and legal and HR have cleared the individual, close the case and remove the employee from the High Risk Employees list.

Automatically add users to the High Risk Employees list

Install and configure the Code42 command-line interface (CLI) tool to automate placing employees into the High Risk Employees list. You can also use the Code42 API to pull data from an external application such as a human resources information system (HRIS) or a directory service.

Assign risk factors

To define relative risk for employees, assign them risk factors:

  • High impact employee: Has a special role or broad access to high-value data
  • Elevated access privileges: Has elevated privilege or access to sensitive systems
  • Performance concerns: Is dissatisfied or on an improvement plan
  • Flight risk: Is an active job seeker or potentially leaving the company
  • Suspicious system activity: Tried to access sensitive systems or raised alerts in other security monitoring systems
  • Poor security practices: Violated internal data or physical security policies
  • Contract employee: Is a contract or temporary employee

Monitor High Risk Employees activity

Respond to incidents uncovered in the High Risk Employees list daily as appropriate based on frequency and severity. Review the Unauthorized Data Transfer and Deletion Attestation Template with HR and legal teams.

Best practices for the Departing Employees list

High-level Departing Employees list workflow

  1. An employee puts in their notice or is slated to be separated from the company. The information can come from a number of places, such as a human resources information system (HRIS) or a directory service.
  2. Add departing employees to the Departing Employees list.
  3. Monitor high risk exposure activity in the Risk Exposure dashboard, the Departing Employees list, alerts, or integrations.
  4. Open a case if suspicious file activity is uncovered.
  5. After investigation is complete and legal and HR have cleared the individual, close the case and remove the employee from the Departing Employees list.

Automatically add users to the Departing Employees list

Install and configure the Code42 command-line interface (CLI) tool to automate placing employees into the Departing Employees list. You can also use the Code42 API to pull data from an external application such as a human resources information system (HRIS) or a directory service.
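The HRIS-driven population described for both the High Risk Employees list (above) and the Departing Employees list, as an added example that is not part of this article: a POSIX shell script that turns a constructed HRIS export into the bulk-add CSVs consumed by the Code42 CLI's `high-risk-employee` and `departing-employee` command groups. The HR flag names, the CSV column layouts, the space-separated risk_tag values, and the notes text are assumptions; confirm the expected columns with the CLI's `bulk generate-template` subcommand for the CLI version you run.

```shell
# Constructed HRIS export (sample data made up for this example). Columns:
# email,status,last_day,flags; "flags" is a pipe-delimited set of HR-side
# markers that the insider risk program maps to Code42 risk factors.
HRIS_EXPORT='email,status,last_day,flags
alice@example.com,active,,pip|contractor
bob@example.com,terminating,2024-03-29,
carol@example.com,active,,
dave@example.com,terminating,2024-04-05,flight_risk'

# Rows for `code42 high-risk-employee bulk add`: active users with at least one
# HR flag that maps to a risk factor. Column layout (username,cloud_alias,
# risk_tag,notes) and space-separated risk_tag values are assumed; confirm with
# `code42 high-risk-employee bulk generate-template add` on your install.
hre_rows() {
  printf '%s\n' "$HRIS_EXPORT" | awk -F, -v OFS=, '
    BEGIN {
      m["pip"] = "PERFORMANCE_CONCERNS"
      m["contractor"] = "CONTRACT_EMPLOYEE"
      m["flight_risk"] = "FLIGHT_RISK"
    }
    NR == 1 { print "username", "cloud_alias", "risk_tag", "notes"; next }
    $2 == "active" && $4 != "" {
      n = split($4, f, "|"); tags = ""
      for (i = 1; i <= n; i++)
        if (f[i] in m) tags = tags (tags == "" ? "" : " ") m[f[i]]
      if (tags != "") print $1, $1, tags, "HRIS sync"
    }'
}

# Rows for `code42 departing-employee bulk add`: users whose HR status is
# terminating, with the HR last day as the departure date (YYYY-MM-DD assumed).
departing_rows() {
  printf '%s\n' "$HRIS_EXPORT" | awk -F, -v OFS=, '
    NR == 1 { print "username", "cloud_alias", "departure_date", "notes"; next }
    $2 == "terminating" { print $1, $1, $3, "HRIS sync" }'
}

# Write both CSVs and push them with the CLI when it is installed and a profile
# is configured; otherwise leave the files for review so a dry run is safe.
sync_lists() {
  hre_rows > hre.csv
  departing_rows > departing.csv
  if command -v code42 >/dev/null 2>&1; then
    code42 high-risk-employee bulk add hre.csv
    code42 departing-employee bulk add departing.csv
  else
    echo "code42 CLI not found; review hre.csv and departing.csv" >&2
  fi
}
```

Call `sync_lists` from a scheduled job after replacing `HRIS_EXPORT` with the real export; the CLI run needs a profile created with `code42 profile create` first.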

Ingest SCIM source data to populate additional information about a user

Set up SCIM data from a provisioning provider (such as Azure AD, Okta, or PingOne) or implement a Code42 User Directory Sync script.

Respond to Departing Employees activity

Respond to incidents uncovered in the Departing Employees list daily as appropriate based on frequency and severity. Review the Unauthorized Data Transfer and Deletion Attestation Template with HR and legal teams.

Best practices for alerts

Create rules to automatically send you alerts when suspicious data exfiltration happens. You can either use templates to create rules or create rules from scratch. You can view alerts in the Code42 console or use an integration such as the CLI or APIs to send alerts to a SIEM or SOAR system. Because context and detail are critical, we recommend alerting on specific, non-acceptable uses such as USB device use or non-sanctioned cloud services.

Use alert emails judiciously

All alert notifications appear in the Code42 console and can be reviewed whenever needed. However, if you'd like, you can also send alert emails. Because too many alert emails cause fatigue among recipients, send them judiciously. Email alerting is ideal for specific objectives, for example:

  • Identify PST file exfiltration
  • Identify USB device use that is outside of sanctioned usage
  • Identify database dumps

Send alerts to SIEM, SOAR, UBA, and ticketing

Get alert data into your primary security incident response platform via CEF or JSON. Use the Code42 CLI or the Code42 API for integration.

  • Aggregate and normalize event data and associated exposure data.
  • Correlate with directory services for a more contextual view of user, system, device, and access activity.
  • Correlate with other security tools: email security gateway, endpoint detection and response (EDR), URL filtering.
  • Correlate user behavioral data with a human resources information system.

Resources

Code42 University: Investigating Insider Risk
