(Updated on 10/11/2020)
Data exfiltration is among most organizations’ top concerns today: According to a recent study from McAfee, 61% of security professionals have experienced a data breach at their current companies. With stricter compliance regulations around data privacy, like GDPR and the California Consumer Privacy Act, the stakes for reporting data exfiltration events have also gotten much higher. In this post, we’ll define data exfiltration, explain the most common methods of data leakage and cover one of the top ways to prevent data exfiltration in your organization.
Definition of Data Exfiltration
According to Techopedia, data exfiltration happens when there’s unauthorized copying, transfer, or retrieval of data from either a server or an individual’s computer. Organizations with high-value data are particularly at risk of these types of attacks, whether they’re from outside threat actors or trusted insiders.
Insider threat incidents are one of the top causes of data exfiltration, whether they’re accidental or malicious. Malicious insider threats are trusted individuals who are looking to intentionally inflict harm on an organization for their own (or someone else’s) gain. However, it’s important to note that two out of three insider threat incidents are caused by accident, which could prove equally costly to an organization if these mistakes take too long to investigate.
Types of Data Exfiltration
According to McAfee’s research cited above, the most common methods for data exfiltration at organizations include database leaks, network traffic, file shares, and corporate email. While file shares top the list of tactics in North America, USB drives are the number one exfiltration vector in APAC and Europe. Email was also frequently used by insider threats in the study.
A recent CA Technologies insider threat report called databases the number one most vulnerable IT asset, ahead of file servers, cloud apps, and mobile devices. Because the data contained within them is so valuable, databases are commonly targeted by both insiders and external attackers alike.
Removable media are another common insider threat vector. Even in the age of ubiquitous cloud storage, old-school data exfiltration methods like flash drives are still pervasive. While it’s unrealistic to completely ban USB use for every organization, employees must understand the risks and adhere to policies around data access and storage.
Employees can also leak company data in a variety of ways, including personal email accounts, cloud storage, printers, file sharing sites, clipboard copy-and-paste (often via keyboard shortcuts), and more. It can be difficult for an organization to distinguish legitimate user activity from malicious activity, but in these cases a system that records the context around user actions (which file was opened, what happened to it next, and over which channel it left) makes that distinction far easier.
Besides users with malicious intentions, accidental insider threats can be a major cause of data exfiltration. Phishing emails and social engineering attacks remain a tried-and-true way for attackers to reach company data. In addition, weak or reused passwords, or a lack of multi-factor authentication, are common weaknesses attackers look for when taking over a user’s account. In these scenarios, the best defenses are enforcing multi-factor authentication and ongoing security awareness training.
According to a recent Verizon Insider Threat Report, misuse is another top cause of data exfiltration. Unlike its careless cousin, the accidental insider threat, misuse happens when users circumvent security controls or policies, whether deliberately or without realizing they are doing so. For example, an employee may use unsanctioned software to share files with a third-party contractor because it’s faster or easier to use, moving company data outside the channels the organization monitors and resulting in unintentional data exfiltration.
How to Prevent Data Exfiltration with User and Data Activity Monitoring
Many organizations look to traditional security defenses like data loss prevention (DLP) solutions to help prevent data exfiltration. While these tools are effective in some use cases, they often fall short in detecting data exfiltration from insider threats.
For example, DLP solutions are typically set up by an organization to detect data use policy violations and prevent data loss. The implementation involves an extensive data discovery and classification process established to find, categorize, and understand sensitive data. These settings must be managed on an ongoing basis as needs change, requiring teams to fine-tune their policy rules to ensure that the sources and definitions around sensitive data are properly updated.
In reality, these DLP solutions are difficult for organizations to set up and maintain, heavy on the endpoint, and frustrating for users. The extensive data discovery and classification can be burdensome for many under-resourced organizations, and as new technologies are added to the organization, they can fall through the cracks if the DLP is not properly maintained. What’s more, users may circumvent a DLP if it’s slowing down their productivity. DLP systems often rely on end-users to classify or tag documents, and some employees may add tags that are intentionally misleading to maintain their freedom of authorized use.
As an alternative or supplement to a DLP solution, organizations should adopt a dedicated insider threat management solution to prevent data exfiltration. Unlike DLP solutions, a platform like Proofpoint Insider Threat Management (ITM) relies on a combination of user and data activity monitoring. While DLPs and other tools focus on the data alone, user activity monitoring can help provide context into who’s doing what, when, and why.
Many traditional security defenses face outward, toward the perimeter, so a user and data activity monitoring solution can surface suspicious user actions that those defenses would miss until it’s too late. Since insider threats are, by definition, already inside the perimeter, they often go undetected unless the security team has visibility into user activity, together with the surrounding context needed to judge whether an incident is unintentional or malicious. A platform like ITM can quickly alert teams to a potential insider threat and deliver a user activity timeline and detailed video playback to speed investigations.
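To make the idea of "context" concrete, here is a small, added illustration of the kind of correlation user and data activity monitoring enables: a sensitive file is read, and shortly afterwards a comparable amount of data leaves through one of the exfiltration channels discussed above (USB, personal cloud storage, email). This is example code written for this post, not Proofpoint ITM's implementation; the JSON log schema, the field names, the sample events, the 30-minute window and the size-match heuristic are all assumptions chosen for illustration.

```python
"""Toy correlation of user activity with data movement to surface likely
exfiltration.  Added example, not Proofpoint code: the log schema, field
names, thresholds and sample events are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample telemetry (hypothetical schema): one JSON object per line.
SAMPLE_LOG = """
{"ts": "2020-11-10T09:02:11", "user": "alice", "event": "file_read", "path": "/shares/finance/q3_forecast.xlsx", "label": "confidential", "bytes": 2400000}
{"ts": "2020-11-10T09:05:40", "user": "alice", "event": "usb_mount", "device": "SanDisk Ultra"}
{"ts": "2020-11-10T09:06:02", "user": "alice", "event": "file_write", "path": "E:/q3_forecast.xlsx", "label": "confidential", "bytes": 2400000, "channel": "usb"}
{"ts": "2020-11-10T10:15:00", "user": "bob", "event": "file_read", "path": "/shares/hr/handbook.pdf", "label": "internal", "bytes": 800000}
{"ts": "2020-11-10T10:16:30", "user": "bob", "event": "web_upload", "host": "drive.example-personal.com", "bytes": 800000, "channel": "personal_cloud"}
{"ts": "2020-11-10T11:00:00", "user": "carol", "event": "file_read", "path": "/shares/eng/design.docx", "label": "confidential", "bytes": 500000}
{"ts": "2020-11-10T15:30:00", "user": "carol", "event": "email_send", "to": "partner@contractor.example", "attachment_bytes": 500000, "channel": "corporate_email"}
{"ts": "2020-11-10T11:02:00", "user": "dave", "event": "web_upload", "host": "sharepoint.corp.example", "bytes": 120000, "channel": "sanctioned_cloud"}
"""

# Assumed channel taxonomy: anything in EGRESS_CHANNELS moves data outside
# the monitored file shares; "personal_*" channels are unsanctioned by policy.
EGRESS_CHANNELS = {"usb", "personal_cloud", "personal_email", "corporate_email"}
UNSANCTIONED_CHANNELS = {"personal_cloud", "personal_email"}
SENSITIVE_LABELS = {"confidential", "restricted"}
WINDOW = timedelta(minutes=30)   # assumed: read followed by egress within 30 min


def parse_log(text):
    """Parse JSON-per-line events and return them sorted by timestamp."""
    events = [json.loads(line) for line in text.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=WINDOW):
    """Per user, pair each read of a sensitive file with a later egress event
    inside `window` that moved roughly the same amount of data (assumed
    heuristic: at least 90% of the bytes read).  Each alert carries the
    user's full activity timeline between the two events as context."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        reads = [e for e in evs
                 if e["event"] == "file_read" and e.get("label") in SENSITIVE_LABELS]
        egress = [e for e in evs if e.get("channel") in EGRESS_CHANNELS]
        for r in reads:
            for x in egress:
                moved = x.get("bytes", x.get("attachment_bytes", 0))
                if r["ts"] <= x["ts"] <= r["ts"] + window and moved >= 0.9 * r["bytes"]:
                    alerts.append({
                        "user": user,
                        "channel": x["channel"],
                        "source": r["path"],
                        "timeline": [(e["ts"].isoformat(), e["event"]) for e in evs
                                     if r["ts"] <= e["ts"] <= x["ts"]],
                    })
    return alerts


def unsanctioned_channel_use(events):
    """Lower-severity policy signal: any data sent over an unsanctioned
    channel, regardless of sensitivity label (the 'misuse' case)."""
    return [(e["user"], e["channel"], e["ts"].isoformat())
            for e in events if e.get("channel") in UNSANCTIONED_CHANNELS]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in correlate(evs):
        print(f"[ALERT] {a['user']} moved {a['source']} via {a['channel']}")
        for ts, ev in a["timeline"]:
            print(f"    {ts}  {ev}")
    for user, ch, ts in unsanctioned_channel_use(evs):
        print(f"[POLICY] {user} used {ch} at {ts}")
```

Run against the constructed log, only alice produces an exfiltration alert: the confidential read, the USB mount and the USB write happen within four minutes and the byte counts match. bob's upload of an internal document to a personal cloud service does not trip the sensitive-data correlation but does show up as unsanctioned channel use, the misuse scenario described above. carol's email to a contractor is four and a half hours after the read and falls outside the window, and dave's upload goes to a sanctioned service. The point of the timeline in each alert is the context the text calls for: an investigator sees the sequence of actions, not just a single blocked transfer.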
Organizations can no longer afford to leave their treasure troves of data exposed. They must learn how to stop the most common data exfiltration threats, implement the right policies and training to curb accidental threats, and embrace a dedicated insider threat management solution to attain the appropriate level of context into a potential incident. If you’d like to give ITM's sandbox environment a spin, feel free to try us out (no download or installation required) and see how simple it can be to catch and stop data exfiltration at your organization.