What is Data Exfiltration on Email and How Do You Prevent It?

  • By Maddie Rosenthal
  • 04 June 2020

While there are various ways to exfiltrate data (covered in What is Data Exfiltration? Tips for Preventing Data Exfiltration Attacks), email is the biggest risk. In fact, it's the threat vector IT leaders are most concerned about protecting.

In this article we’ll answer three key questions:

  1. What is data exfiltration on email?
  2. Why is it so dangerous?
  3. How can organizations prevent it from happening? 

What is data exfiltration on email?

In order to understand what data exfiltration on email is, we should start with what data exfiltration is more broadly.

Data exfiltration is the deliberate, unauthorized movement of sensitive data from inside an organization to outside its perimeter. It can happen through the digital transfer of data, through the physical theft of documents or servers, or via an automated process.

Sensitive data such as spreadsheets, calendars, trading algorithms, planning documents, and customer PII can leave an organization's perimeter via email in one of two ways:

  1. Someone inside the organization (like an employee, exiting employee, contractor, or business partner) emailing data to their own personal accounts or to a third-party.
  2. External bad actors targeting employees with phishing or spear phishing scams. While these email attacks can be designed for the purpose of initiating a wire transfer, they’re often ploys to extract sensitive information or credentials or to install malware onto a network.

Why is data exfiltration on email so dangerous?

We’ve already mentioned that email is the threat vector IT leaders are most concerned about protecting. But why?

There are two key reasons. First, email is easy to access: accounts are used on laptops, smartphones, tablets, and even watches. Second, the protocols underneath email date from the 1970s and 1980s and were designed without security in mind. Features that modern communication platforms treat as standard, such as the ability to redact or recall a message and encryption by default, are missing or bolted on: encryption between mail servers is opportunistic rather than guaranteed, and end-to-end encryption of messages is still the exception.

This makes it one of the go-to mediums for data exfiltration. In fact, according to one report, 10% of all insiders and 10% of all external bad actors use email to steal data.

And, if data is successfully exfiltrated, the consequences can be tremendous.

Case in point: A major US health insurance provider agreed to pay $115 million to settle a class-action lawsuit after it was discovered that an employee had stolen data on 18,000 Medicare members, including names, ID numbers, Social Security numbers, health plan IDs, and dates of enrollment. 

Interested in learning more about incidents like this? Read 6 Examples of Data Exfiltration on our blog. 

How can I prevent data exfiltration on email?

Data exfiltration is a big problem for organizations. 

Whether it’s an exiting employee emailing data to their personal accounts on their way out (which 45% of employees admit to doing) or a hacker targeting someone with privileged access to networks and data via a phishing email, security, IT, and compliance leaders must find a way to prevent sensitive information from leaving their organization. 

There are several solutions available, but few succeed in preventing data exfiltration attempts on email.

Blocking or blacklisting domains

What it is: Data exfiltration prevention has often been simplified to stopping communication with certain accounts/domains (namely freemail accounts like @gmail).

Why it doesn't work: This is a blunt approach that impedes employee productivity. There are many legitimate reasons to communicate with freemail accounts, such as updating private clients, managing freelancers, or emailing friends and family about non-work issues. What's more, a determined insider can easily circumvent it by registering a domain of their own, or by using a freemail provider that isn't on the list.

Secure Email Gateways (SEGs)

What it is: SEGs are essentially more sophisticated spam filters. They’re used to block malicious inbound email threats like phishing attacks.

Why it doesn’t work: While SEGs may be effective in blocking bulk phishing emails, they can’t stop all spear phishing emails. That means the most targeted attacks can still get through and employees could easily fall victim to an attack and unknowingly exfiltrate data to a bad actor. (Not sure what the difference is between phishing and spear phishing? Read this.)

Rule-Based solutions

What it is: Organizations could implement rule-based solutions that take the form of "if-then" statements. These statements match keywords, email addresses, and regular expressions that look for signals of data exfiltration. For example: if an email contains the phrase "social security number", then quarantine the email and alert IT.

Why it doesn't work: Rule-based solutions are very hard to maintain because the value and sensitivity of data change over time, and no set of rules can enumerate every way sensitive data can be written or every context in which sending it is legitimate. A static pattern misses data that doesn't match it exactly and flags harmless data that does. Beyond that, you simply can't define or predict human behavior with rules. That's why 85% of IT leaders say rule-based DLP is admin-intensive and just 18% say it's the most effective way to prevent data loss.
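To make the two previous sections concrete, here is a small outbound-mail policy of the kind they describe: a freemail domain blocklist plus "if-then" content rules, run over three constructed sample emails. This is an added illustration written for this page, not Tessian's product or any vendor's rule set; the blocked-domain list, the regular expressions and the sample messages are all assumptions chosen to show one catch, one bypass and one false positive.

```python
import re
from dataclasses import dataclass

# Constructed policy for this illustration (assumed values, not a real rule set).
BLOCKED_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

# "If-then" content rules: if any pattern matches, quarantine and alert IT.
CONTENT_RULES = [
    ("ssn_keyword", re.compile(r"social security number", re.IGNORECASE)),
    ("ssn_pattern", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),          # 123-45-6789
    ("card_pattern", re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")),
]


@dataclass
class OutboundEmail:
    sender: str
    recipients: list
    subject: str
    body: str


def recipient_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def evaluate(email):
    """Return the list of rule hits for an outbound email (empty = no rule fired)."""
    hits = []
    for rcpt in email.recipients:
        dom = recipient_domain(rcpt)
        if dom in BLOCKED_DOMAINS:
            hits.append(f"blocked_domain:{dom}")
    text = f"{email.subject}\n{email.body}"
    for name, pattern in CONTENT_RULES:
        if pattern.search(text):
            hits.append(name)
    return hits


def decide(email):
    """Map rule hits to the action the page describes: quarantine on any hit."""
    hits = evaluate(email)
    return ("quarantine" if hits else "deliver", hits)


# Constructed sample emails (fictional people and data).
# 1. The textbook case the rules were written for: freemail recipient and
#    hyphenated SSNs next to the literal phrase.
CAUGHT = OutboundEmail(
    sender="analyst@corp.example",
    recipients=["j.doe@gmail.com"],
    subject="Member export",
    body="Social Security Number list for the cohort: 123-45-6789, 987-65-4321",
)
# 2. The same data, sent by a slightly more careful insider: a recipient on a
#    domain they registered themselves, SSNs written with spaces, phrase avoided.
BYPASSED = OutboundEmail(
    sender="analyst@corp.example",
    recipients=["me@jdoe-consulting.example"],
    subject="Client list",
    body="List attached as discussed. Jane's SSN is 123 45 6789, Tom's is 987 65 4321.",
)
# 3. A legitimate message to a freelancer that the blocklist stops anyway.
COLLATERAL = OutboundEmail(
    sender="marketing@corp.example",
    recipients=["freelance.designer@gmail.com"],
    subject="Logo revisions approved",
    body="Thanks, the second version works. I'll raise the purchase order today.",
)

if __name__ == "__main__":
    for label, email in (("caught", CAUGHT), ("bypassed", BYPASSED), ("collateral", COLLATERAL)):
        print(label, decide(email))
```

Running the block shows the three outcomes side by side: the obvious export is quarantined with three hits, the rewritten one is delivered with none, and the harmless freelancer email is quarantined purely because of the recipient's domain. Real DLP products also scan attachments and use more patterns, but the brittleness is the same: the rule only fires on what its author thought to write down.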

Training 

What it is: Because it’s people who control our data, training is a logical solution to data exfiltration. In fact, 61% of organizations have training every 6 months or more frequently. 

Why it doesn’t work: While training does help educate employees about data exfiltration and what the consequences are, it’s not a long-term solution and won’t stop the few bad eggs from doing it. You also can’t train away human error. 

Machine Learning

What it is: Machine learning (ML) models trained on historical email data understand the intricacies and fluctuations of human relationships over time. That means ML models can constantly update their “thinking” to determine whether an action looks like exfiltration or not. 

Why it does work: This is the “human” way forward. At Tessian, we call it Human Layer Security. Machine-intelligent software recognizes what looks suspicious, much like a trained security professional could. However, unlike humans, it can do this thousands of times per second without missing information or getting tired. 

How does Tessian prevent data exfiltration on email?

Tessian uses stateful machine learning to prevent data exfiltration on email by turning an organization’s own data into its best defense against inbound and outbound email security threats.  

We currently protect customers across industries, including those that are highly regulated like Legal and Financial Services.

Our Human Layer Security platform understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity like data exfiltration attempts and targeted phishing attacks.

Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network. 

Tessian Enforcer detects and prevents data exfiltration attempts by:

  1. Analyzing historical email data to understand normal content, context, and communication patterns
  2. Establishing, mapping, and continuously updating every employee’s business and non-business email contacts into relationship graphs 
  3. Performing real-time analysis of outbound emails before they’re sent to automatically predict whether the email looks like data exfiltration. This is based on insights from relationship graphs, deep inspection of the email content, and previous user behavior
  4. Alerting users when data exfiltration attempts are detected with clear, concise, contextual warnings that reinforce security awareness training
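The following is an added, deliberately simplified illustration of the relationship-graph idea described in the Machine Learning section and in the four Enforcer steps above: learn who normally emails whom from historical outbound mail, then score a new outbound email by how far it departs from that history. It is not Tessian's model or code; the graph structure, the five signals, their weights and the warning threshold are all assumptions made for this example, and the email history it learns from is constructed.

```python
import re
from dataclasses import dataclass

WARN_THRESHOLD = 4  # assumed cut-off for this illustration


@dataclass(frozen=True)
class Email:
    sender: str
    recipient: str
    has_attachment: bool = False


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def name_tokens(addr):
    """Name-like pieces of the local part: 'alice.smith@x' -> {'alice', 'smith'}."""
    local = addr.rsplit("@", 1)[0].lower()
    return {t for t in re.split(r"[._+-]", local) if len(t) >= 3}


class RelationshipGraph:
    """Message counts per (sender, recipient), (sender, domain) and domain,
    learned from historical outbound mail. Step 1 and 2 of the procedure above."""

    def __init__(self):
        self.pair = {}        # (sender, recipient) -> messages
        self.sender_dom = {}  # (sender, recipient domain) -> messages
        self.org_dom = {}     # recipient domain -> messages from anyone

    def observe(self, email):
        dom = domain_of(email.recipient)
        self.pair[(email.sender, email.recipient)] = self.pair.get((email.sender, email.recipient), 0) + 1
        self.sender_dom[(email.sender, dom)] = self.sender_dom.get((email.sender, dom), 0) + 1
        self.org_dom[dom] = self.org_dom.get(dom, 0) + 1

    def assess(self, email):
        """Step 3: score an outbound email before it is sent. Higher = more anomalous.
        Signals and weights are assumptions chosen for this example."""
        dom = domain_of(email.recipient)
        score, reasons = 0, []
        if self.pair.get((email.sender, email.recipient), 0) == 0:
            score += 2; reasons.append("sender has never emailed this recipient")
        if self.sender_dom.get((email.sender, dom), 0) == 0:
            score += 2; reasons.append(f"sender has never emailed {dom}")
        if self.org_dom.get(dom, 0) == 0:
            score += 1; reasons.append(f"nobody in the organization has emailed {dom}")
        if name_tokens(email.sender) & name_tokens(email.recipient):
            score += 3; reasons.append("recipient address resembles the sender's own name")
        if email.has_attachment:
            score += 1; reasons.append("email carries an attachment")
        # Step 4: the verdict drives a contextual warning to the user.
        verdict = "warn" if score >= WARN_THRESHOLD else "allow"
        return {"score": score, "verdict": verdict, "reasons": reasons}


def build_demo_graph():
    """Constructed history: a few months of normal traffic for a small team."""
    graph = RelationshipGraph()
    history = (
        [Email("alice.smith@corp.example", "bob@corp.example")] * 20
        + [Email("alice.smith@corp.example", "carol@partner.example", True)] * 12
        + [Email("bob@corp.example", "carol@partner.example")] * 5
        + [Email("bob@corp.example", "erin@vendor.example")] * 3
    )
    for e in history:
        graph.observe(e)
    return graph


if __name__ == "__main__":
    g = build_demo_graph()
    for e in (
        Email("alice.smith@corp.example", "carol@partner.example", True),       # routine
        Email("alice.smith@corp.example", "alice.smith@protonmail.com", True),  # looks like self-exfiltration
        Email("alice.smith@corp.example", "dave@partner.example"),              # new contact, known domain
    ):
        print(e.recipient, g.assess(e))
```

The point the example makes is the difference from the rule approach: none of the three messages contains a keyword or pattern, yet the attachment to a never-seen personal-looking address scores far above the threshold while the same attachment to a long-standing partner contact scores almost nothing, and a new contact at a known partner domain sits in between. A production system would learn weights and thresholds from data and use far richer features; here they are fixed by hand so the scoring is easy to follow.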


Tessian Defender detects and prevents the inbound targeted email attacks that lead to data exfiltration by:

  1. Analyzing historical email data to understand normal content, context, and communication patterns
  2. Establishing, mapping, and continuously updating every employee's business and non-business email contacts into relationship graphs 
  3. Performing real-time analysis of inbound emails to automatically predict whether the email looks unsafe. This is based on insights from relationship graphs, deep inspection of the email content, and previous user behavior
  4. Alerting users when targeted email attacks are detected with clear, concise, contextual warnings that reinforce security awareness training

