Mitigate insider risk using file, vector and user signal
Code42 Detection Features
Code42 is a SaaS insider risk detection and response solution that allows security teams to effectively mitigate data exposure and exfiltration risks without disrupting legitimate collaboration.
- Sync activity to cloud applications like Dropbox and iCloud
- Uploads to personal email and other sites through web browsers
- Files accessed by web apps like Slack and FTP
- Sharing from corporate cloud services like GoogleDrive, OneDrive and Box
- Email attachments from corporate Office 365 or Gmail
- File deletions from user computers
- A company-wide view of suspicious file movement, sharing and exfiltration activities by vector and file type.
- Reveals the top employees whose file activity needs investigation as well as concerning remote employee activity.
- Quickly investigate insider threats as well as identify security awareness gaps, Shadow IT and policy violations.
- A view of activity for a subset of users who are at a higher likelihood of putting data at risk.
- Examples include users experiencing an employment milestone, such as departure, or who have risk factors that require closer monitoring, such as contractors.
- Adding users to a lens kicks off system alerts and user management workflows so you can programmatically protect data when it is most vulnerable.
- Provide comprehensive event, file, vector and user information to quickly assess priority.
- Can be emailed or sent to your system of record and are triggered based on a number of file and event criteria.
- Alerts rules determine when you are notified by Code42 and not what activity is monitored. This ensures there are no gaps in context during insider threat investigations.
Code42 risk prioritization & signal capabilities
Code42 identifies when an employee is typically active on their computer and uses this behavioral pattern to determine when a given user's endpoint file activity takes place at unusual times.
Code42 surfaces when files are emailed or uploaded to domains and URLs that are not considered trusted. Security users establish the trusted domains for their company.
Suspicious file mismatch
Code42 identifies when the MIME/Media type of a high-value file, such as a spreadsheet, is disguised with the extension of a low-value file type, such as a JPEG. This is indicative of attempts to conceal exfiltration.
Code42 uses IP addresses to determine which activity is taking place off-network and may indicate increased risk. Security users establish their in-network IP addresses.
Code42 ingests user attributes like name, title, department, manager, and employment type (full-time, part-time, contractor) from a company's identity management system.
Code42 analyzes file contents and extensions to determine a file's category (e.g. source code, document or spreadsheet). Categories help to determine a file's sensitivity and value.
Code42 uses employment milestones, like employee departure, to identify when employees are at a higher likelihood of putting data at risk.
Security users can set thresholds for acceptable activity based on file count or size. These can be customized for a given user or vector.
Employees can be labeled with risk factors including contract employee, high impact employee, flight risk, performance concerns and elevated access privileges.
File archive (ZIP) detection
Code42 highlights exposure events involving .zip files since they may indicate an employee is attempting to take many files or hide files using encrypted zip folders.
By default, Code42 monitors web applications such as web browsers, Slack, FileZilla, FTP, and cURL. Organizations can easily add monitoring for additional applications such as WeChat, WhatsApp, Zoom and Amazon Chime.
Let's Talk Tech
See how Code42 simplifies insider risk investigations with user profiles and forensic search.
Review Code42 response options including SOAR playbooks, SIEM integrations, legal hold and deleted file recovery.