Data Exfiltration

What is Data Exfiltration?

According to Techopedia, data exfiltration happens when there’s unauthorised copying, transfer, or retrieval of data from either a server or an individual’s computer. Organisations with high-value data are particularly at risk of these types of attacks, whether they’re from outside threat actors or trusted insiders.

Various Storage Devices – Tape, CD, USB Drive, Sim Card

Insider threat incidents are one of the top causes of data exfiltration, whether they’re accidental or malicious. Malicious insider threats are trusted individuals who are looking to intentionally inflict harm on an organisation for their own (or someone else’s) gain. However, it’s important to note that two out of three insider threat incidents are caused by accident, which could prove equally costly to an organisation if these mistakes take too long to investigate.

Data exfiltration is among organisations’ top concerns today: According to a recent study from McAfee, 61 percent of security professionals have experienced a data breach at their current companies. With stricter compliance regulations around data privacy, like GDPR and California Consumer Privacy Act, the stakes for reporting data exfiltration events have also gotten much higher.

Types of Data Exfiltration

According to McAfee’s research cited above, the most common data exfiltration methods at organisations include:

  • Database leaks
  • Network traffic
  • File shares
  • Corporate email

Cloud Apps and Databases

A recent CA Technologies Insider Threat report called databases the number one most vulnerable IT asset, ahead of file servers, cloud apps, and mobile devices. Because the data contained within them is so valuable, databases are commonly targeted by both insiders and external attackers alike.

Removable Storage Media

Removable media are another common insider threat vector. Even in the age of ubiquitous cloud storage, old-school data exfiltration methods like flash drives are still pervasive. While it’s unrealistic to completely ban USB use for every organisation, employees must understand the risks and adhere to policies around data access and storage.

While file shares top the list of data exfiltration methods in North America, USB drives are the number one exfiltration vector in APAC and Europe.

Accidental Insider Threats

Besides users with malicious intentions, accidental insider threats can be a major cause of data exfiltration. Phishing emails and social engineering attacks remain a tried-and-true way for hackers to access company data. In addition, weak or reused passwords, or a lack of multi-factor authentication, are common weaknesses hackers look for to infiltrate a user’s account. In these scenarios, the best defence is often cybersecurity awareness. Email data exfiltration was also frequently used by insider threats in McAfee’s study.

Data Misuse

According to a recent Verizon Insider Threat Report, misuse is another top cause of data exfiltration. Unlike its careless cousin the accidental insider threat, misuse can happen when users seek to either intentionally or unintentionally circumvent security controls or policies. For example, an employee may use unsanctioned software to work with a third-party contractor because it’s faster or easier to use, resulting in unintentional data exfiltration.

Employees can also leak company data in a variety of ways, including personal email accounts, cloud storage, printers, file sharing sites, keyboard shortcuts, and more. It can be difficult for an organisation to distinguish legitimate user activity from malicious activity, but in these cases, having a system in place that delivers context into user actions can help.

How to Prevent Data Exfiltration with User and Data Activity Monitoring

Woman Using a ComputerMany organisations look to traditional security defences like data loss prevention (DLP) solutions to help prevent data exfiltration. While these tools are effective in some use cases, they often fall short in detecting data exfiltration from insider threats.

For example, enterprise DLP solutions are typically set up by an organisation to detect data use policy violations and prevent data loss. The implementation involves an extensive data discovery and classification process established to find, categorise, and understand sensitive data. These settings must be managed on an ongoing basis as needs change, requiring teams to fine-tune their policy rules to ensure that the sources and definitions around sensitive data are properly updated.

In reality, these DLP solutions are difficult for organisations to set up and maintain, heavy on the endpoint, and frustrating for users. The extensive data discovery and classification can be burdensome for many under-resourced organisations, and as new technologies are added to the organisation, they can fall through the cracks if the DLP is not properly maintained. What’s more, users may circumvent a DLP if it’s slowing down their productivity. DLP systems often rely on end-users to classify or tag documents, and some employees may add tags that are intentionally misleading to maintain their freedom of authorised use.

As an alternative or supplement to a DLP solution, organizations should adopt a dedicated insider threat management solution to prevent data exfiltration. Unlike DLP solutions, an insider threat management platform like Proofpoint’s relies on a combination of user and data activity monitoring. While DLPs and other tools focus on the data alone, user activity monitoring can help provide context into who’s doing what, when, and why.

Many traditional security defences are aimed outwardly, so having a user and data activity monitoring solution can detect potentially suspicious user actions that other solutions may not… until it’s too late. Since insider threats are, by definition, already inside the perimeter, they can often go undetected, unless the security team has visibility into user activity, in context with other data that can prove whether an incident is unintentional or malicious. A platform like Proofpoint Insider Threat Management can quickly alert teams to a potential insider threat and deliver a user activity timeline and detailed video playback to speed investigations.

Organizations can no longer afford to leave their treasure troves of data exposed. They must learn how to stop the most common data exfiltration threats, implement the right policies and training to curb accidental threats, and embrace a dedicated insider threat management solution to attain the appropriate level of context into a potential incident. If you’d like to give Proofpoint’s sandbox environment a spin, feel free to try us out (no download or installation required) and see how simple it can be to catch and stop data exfiltration at your organization.