Code42 + Splunk Phantom

Simple, fast detection and response to insider threat

Overview:

Threats to data from inside the organization happen accidentally when employees share the wrong file or fall prey to phishing attempts as well as maliciously when employees intentionally leak, sell or sabotage data. In order to minimize operational, financial and reputational harm to an organization, security teams need reliable methods to increase their visibility and improve their response times.

Code42 Next-Gen DLP helps organizations detect data loss, leak, misuse and theft by continuously monitoring file activity across endpoints and cloud services as well as preserving current and historical endpoint files for rapid content retrieval and investigation. The Phantom platform combines security infrastructure orchestration, playbook automation and case management capabilities to integrate teams, processes and tools together. When utilized together, security professionals receive the robust file information needed to enforce automated responses to risk, inform security decisions and reduce response times.

Benefits:

  • Automate responses and detect external file sharing by searching cloud service activity
  • Mitigate phishing attacks and investigate files by searching file name, hash, or other details across endpoints and cloud
  • Protect files from departing employees and preserve files by retaining all files and file versions indefinitely

Key Capabilities:

Respond: Code42 Next-Gen Data Loss Protection delivers valuable data exfiltration information to Splunk which in turn powers the Splunk Security Operations Suite. Customers can now very quickly and easily:  

  • Preserve files by retaining all files and file versions indefinitely
  • Investigate files by searching file name, hash or other details across endpoints and cloud
  • Detect external file sharing by searching cloud service activity

 

Code42 and Splunk Phantom app detecting phishing.

 

Respond to Threats Faster: Turn days to minutes

A standard phishing playbook built for Splunk Phantom may involve investigation actions that can be applied to a suspicious email such as investigate and geolocate IP addresses, and conduct reputation searches for IPs and domains. The logical next step is to help a security professional determine if a harmful attachment has made its way into the organization. With actions from Code42 added to the playbook, security teams can search the entire environment by file hash for other copies of the file. Finding multiple copies of a file can be quick evidence that there may be a widespread email campaign against users in the organization.

On the other hand, the search may show that the file has a long history on a company's endpoints. This history may suggest that the file exists as part of normal operating procedure and the security team is dealing with a false alarm. Either way, security gains additional file context so it can make smarter decisions about what to do next. Combining the speed of Code42 with the automation of Splunk Phantom can cut remediation time significantly.

Why Code42 and Splunk Phantom?

Code42 Next-Gen Data Loss Protection delivers valuable data exfiltration information to Splunk which in turn powers the Splunk Security Operations Suite. Customers can now very quickly and easily:

  • Correlate Code42’s data exfiltration information with other security events and incidents to get a better and broader understanding of potential Insider threats
  • Easily integrate exfiltration data from Code42 into Splunk dashboards and security alerts
  • Automatically respond and contain data loss incidents
  • Utilize consistent departing employee playbooks to automate and maximize their SOC's efforts; and reduce response times to data loss incidents

Next Steps?

Code42 and Splunk Phantom allows security teams to detect and respond to data loss threats in a simpler and faster manner. Learn more about the complete Code42 solution or request a live demo of this in action. Download the Code42 app here.