Best practices for using Code42 to address insider risk

Last updated
Save as PDF

...

An Insider risk~~insider threat~~ is a potential for harm coming from people within an organization, such as employees, former employees, contractors, or business associates. An insider threat can compromise an organization's data, computer systems, or security, and the threat itself might be theft of information, fraud, or sabotage. This article provides best practices for security teams to follow in order to to most effectively detect insider threat file activities and respond to incidents.

This article applies only to

ParseError: EOF expected (click for details)
Callstack: at (Article_Update_Log/2021-07-01/Best_practices_for_using_Code42_to_address_insider_risk), /content/body/p[3]/strong/ins/span, line 1, column 10

s with an~~is intended for customers running a~~ on-premises
ParseError: EOF expected (click for details)
Callstack: at (Article_Update_Log/2021-07-01/Best_practices_for_using_Code42_to_address_insider_risk), /content/body/p[3]/strong/span, line 1, column 10
.~~c42~~}}

For

ParseError: EOF expected (click for details)

Callstack:
    at (Article_Update_Log/2021-07-01/Best_practices_for_using_Code42_to_address_insider_risk), /content/body/ins[1]/span[1], line 1, column 10

environments, see

ParseError: EOF expected (click for details)

Callstack:
    at (Article_Update_Log/2021-07-01/Best_practices_for_using_Code42_to_address_insider_risk), /content/body/ins[1]/span[2], line 1, column 10

ParseError: EOF expected (click for details)

Callstack:
    at (Article_Update_Log/2021-07-01/Best_practices_for_using_Code42_to_address_insider_risk), /content/body/span, line 1, column 10

. Customers using

Upgrade to the
ParseError: EOF expected (click for details)
Callstack: at (Article_Update_Log/2021-07-01/Best_practices_for_using_Code42_to_address_insider_risk), /content/body/div[1]/strong/span, line 1, column 10
~~should~~
Upgrade to the

ParseError: EOF expected (click for details)

Callstack:
    at (Article_Update_Log/2021-07-01/Best_practices_for_using_Code42_to_address_insider_risk), /content/body/div[1]/a[1]/ins/span, line 1, column 10

~~see the cloud article~~ to take advantage of~~. Our features in the~~

ParseError: EOF expected (click for details)

Callstack:
    at (Article_Update_Log/2021-07-01/Best_practices_for_using_Code42_to_address_insider_risk), /content/body/div[1]/a[2]/span, line 1, column 10

, our most advanced insider risk detection, investigation, and response features.

ParseError: EOF expected (click for details)

Callstack:
    at (Article_Update_Log/2021-07-01/Best_practices_for_using_Code42_to_address_insider_risk), /content/body/div[1]/ins[2]/span, line 1, column 10

offers many insider risk capabilities not available in on-premises environments~~offer far greater insider threat detection and investigation capabilities than our on-premises offering~~.

...

The procedures described here are suggestions, not requirements, for using
ParseError: EOF expected (click for details)
```
Callstack:
    at (Article_Update_Log/2021-07-01/Best_practices_for_using_Code42_to_address_insider_risk), /content/body/ul/li[1]/span, line 1, column 10
```
to handle insider threats at your organization. Be sure to adjust the tasks described in this article as needed to work in accordance with your company's own processes for addressing insider threat.

Forensic File Search is only available in
ParseError: EOF expected (click for details)
Callstack: at (Article_Update_Log/2021-07-01/Best_practices_for_using_Code42_to_address_insider_risk), /content/body/ul/del/span, line 1, column 10
environments.

SYSADMIN~~Customer Cloud Admin~~

ParseError: EOF expected (click for details)

Callstack:
    at (Article_Update_Log/2021-07-01/Best_practices_for_using_Code42_to_address_insider_risk), /content/body/ul/a[2]/ins/span, line 1, column 10

~~Security Center~~ User

Many of these tasks can be performed using the

ParseError: EOF expected (click for details)

Callstack:
    at (Article_Update_Log/2021-07-01/Best_practices_for_using_Code42_to_address_insider_risk), /content/body/ul/li[3]/a/span, line 1, column 10

. If you have a standard insider threat scripting procedure, you can add the

ParseError: EOF expected (click for details)

Callstack:
    at (Article_Update_Log/2021-07-01/Best_practices_for_using_Code42_to_address_insider_risk), /content/body/ul/li[3]/span[1], line 1, column 10

tasks to the script. For help with using

ParseError: EOF expected (click for details)

Callstack:
    at (Article_Update_Log/2021-07-01/Best_practices_for_using_Code42_to_address_insider_risk), /content/body/ul/li[3]/span[2], line 1, column 10

s, contact your Customer Success Manager to engage the Professional Services team.

...

User activity searches for users' security events detected by endpoint monitoring. Use this option when you want to view activity rather than receive notifications. You can see a trend of the user's activity over the last 60 days, providing a baseline of

typical~~normal~~ activity that helps you identify spikes in file movement that signal unusual~~abnormal~~ activity.

...

If you already use

ParseError: EOF expected (click for details)

Callstack:
    at (Article_Update_Log/2021-07-01/Best_practices_for_using_Code42_to_address_insider_risk), /content/body/p[8]/span, line 1, column 10

, contact your Customer Success Manager (CSM)

at ~~csmsupport@code42.com~~ for assistance with:

...

If ~~External resources~~ ParseError: EOF expected (click for details)
Callstack: at (Article_Update_Log/2021-07-01/Best_practices_for_using_Code42_to_address_insider_risk), /content/body/del[7]/span, line 1, column 10
: you do not know your CSM, please ~~Inside Threat: The Evolving Nature of Attack Patterns~~contact our

ParseError: EOF expected (click for details)

Callstack:
    at (Article_Update_Log/2021-07-01/Best_practices_for_using_Code42_to_address_insider_risk), /content/body/a[2]/ins/span, line 1, column 10

External resources

...

Other changes:

/body/div/a/@href:

~~"/Administrator/Cloud/Monitoring_and_managing/Detect_and_respond_to_insider_risks"~~

"/Administrator/6/Monitoring_and_managing/Upgrade_to_the_Code42_Cloud"

/body/div/a/@title:

~~"Administrator/Cloud/Monitoring_and_managing/Best_practices_for_defending_against_insider_threat"~~

"Upgrade to the Code42 Cloud"

/body/ul/li[2]/a/@href:

~~"/Administrator/6/Monitoring_and_managing/Roles_resources/Roles_reference#Customer_Cloud_Admin"~~

"/Administrator/6/Monitoring_and_managing/Roles_resources/Roles_reference#SYSADMIN"

/body/ul/li[2]/a/@title: nothing ⇒

"Roles reference"

/body/ul[5]/li[2]/a/@href:

~~"/Administrator/6/Monitoring_and_managing/Detect_and_respond_to_insider_risks#Activity_notifications"~~

"/Administrator/6/Monitoring_and_managing/Detect_and_respond_to_insider_risks#Activity_Notifications"

/body/ul[5]/li[2]/a/@title:

~~"Best practices for defending against insider threat"~~

"Best practices for using Code42 to address insider risk"

/body/p[11]/a/@href:

~~"/Administrator/6/Monitoring_and_managing/Detect_and_respond_to_insider_risks#Third-party_tools"~~

"/Administrator/6/Monitoring_and_managing/Detect_and_respond_to_insider_risks#Integrations_with_third-party_security_tools"

/body/p[11]/a/@title:

~~"Best practices for defending against insider threat"~~

"Best practices for using Code42 to address insider risk"

/body/p[12]/a/@href:

~~"/Administrator/6/Code42_console_reference/User_Activity_and_Activity_Notifications_reference#User_Activity"~~

"/Administrator/6/Code42_console_reference/User_Activity_and_Activity_Notifications_reference#User_activity"

/body/p[12]/a/@title:

~~"Security Center reference"~~

"User Activity and Activity Notifications reference"

/body/p[14]/a/@href:

~~"/Administrator/6/Code42_console_reference/User_Activity_and_Activity_Notifications_reference#Activity_Notifications"~~

"/Administrator/6/Code42_console_reference/User_Activity_and_Activity_Notifications_reference#Activity_notifications"

/body/p[14]/a/@title:

~~"Security Center reference"~~

"User Activity and Activity Notifications reference"