Today, data is valuable currency. Don’t believe us? Data brokering is a $200 billion industry…and this doesn’t even include the data that’s sold on the dark web.
For an organization, this data can be anything from customer email addresses to financial projections, and the consequences of this data being leaked are tremendous and far-reaching. When data is leaked purposefully and without authorization, we call it data exfiltration. You may also hear it referred to as data theft, data exportation, data extrusion, and data exfil.
Data exfiltration is the act of sensitive data deliberately being moved from inside an organization to outside an organization’s perimeter without permission. This can be done through the digital transfer of data, the theft of documents or servers, or via an automated process.
Data can be exfiltrated in a number of ways from both insiders and external bad actors. We’ll cover both in this article but, if you want to learn more about insider threats, read this blog: What is an Insider Threat? Insider Threat Definition, Examples, and Solutions.
Here are some of the most common ways in which data exfiltration can be carried out.
According to IT leaders, email is the number one threat vector. It makes sense.
Over 124 billion business emails are sent and received every day and employees spend 40% of their time on email, sharing memos, spreadsheets, invoices, and other sensitive information and unstructured data with people both in and outside of their organization.
Needless to say, it’s a treasure trove of information, which is why it’s so often used in data exfiltration attempts. But how?
Employees, contractors, and other individuals with access to an organization’s systems and networks could email databases, calendars, images, planning documents, and other sensitive data to their personal email accounts or to other third parties.
If there’s no security software in place to prevent an email from being sent anywhere, it just takes one click of a mouse to move data from inside of an organization into the wild.
But, it’s not just insiders who can exfiltrate data via email. Bad actors can, too, via phishing, spear phishing, or ransomware attacks. In this case, an employee (the target) will receive an email that appears to be legitimate. If successful, this fraudulent email will get them to share credentials, download a malicious attachment, or otherwise share sensitive information.
If the bad actor crafts the email in such a way that it appears to genuinely be from a trusted source like a CEO or third-party supplier, the target will often fall for the scam.
Data can also be exfiltrated via a USB drive or another personal device like a smartphone, laptop, camera, or external drive.
An employee (or someone else with access to the company network) simply has to download or upload the data without being detected in order for the attempt to be successful.
This happens more frequently than you might think. One report shows that:
Cloud storage services like Google Drive and Dropbox offer employees incredible flexibility (especially when working outside of their office environment), but they also carry data exfiltration risk.
Again, both insiders and outsiders could exfiltrate data via the cloud; all the person needs is access. Once they have access, they could simply copy, download, or print sensitive documents or they could modify the virtual machines, make malicious requests to the cloud service, and deploy malicious software.
Before the digitization of many business operations, data was exfiltrated via physical theft. It still happens! This could involve someone taking documents or entire servers with them when they leave the office, or faxing documents to themselves or a third party.
In this case, lockable confidential waste bins, paper shredding devices, and security cameras or personnel could help secure sensitive data.
But, how do you prevent digital data exfiltration?
Preventing data loss is a top priority for IT, security, and compliance leaders. Not only do they want to protect client and customer information and their own Intellectual Property (IP), but they want to avoid the many consequences that come from a data breach.
But, data loss prevention (DLP) is a real challenge. And, while there are a handful of solutions, many fall short.
What it is: Data exfiltration prevention has often been simplified to stopping communication with certain accounts/domains (namely freemail accounts like @gmail) or blocking access to certain tools and software (like Dropbox, for example).
Why it doesn’t work: This is a blunt approach that impedes employee productivity. There are many legitimate reasons to communicate with freemail accounts, such as updating private clients, managing freelancers, or emailing friends and family about non-work issues. What’s more, a determined insider could easily circumvent this by setting up an account with their own domain.
What it is: SEGs are essentially more sophisticated spam filters. They’re used to block malicious inbound email threats like phishing attacks.
Why it doesn’t work: While SEGs may be effective in blocking bulk phishing emails, they can’t stop all spear phishing emails. That means the most targeted attacks can still get through and employees could easily fall victim to an attack and unknowingly exfiltrate data to a bad actor. (Not sure what the difference is between phishing and spear phishing? Read this.)
What it is: The first step in any DLP strategy is to label and tag sensitive data. This way, it can be monitored (and stopped) when it is seen moving outside the network.
Why it doesn’t work: This approach relies entirely on employees tagging data correctly. Given how much data organizations handle, the manual process of tagging isn’t viable; employees may label incorrectly or, worse, not do it at all.
What it is: Organizations could implement rule-based solutions that take the form of “if-then” statements. These “if-then” statements involve keywords, email addresses, and regular expressions that look for signals of data exfiltration.
Why it doesn’t work: Similar to tagging, rule-based solutions are impossible to maintain because data changes in value and sensitivity over time. Beyond that, you simply can’t define or predict human behavior with rules. That’s why 85% of IT leaders say rule-based DLP is admin-intensive and just 18% say it’s the most effective way to prevent data loss.
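To make the freemail blocklist and the “if-then” rules above concrete, here is an added example (not Tessian’s code): a hypothetical rule set run over three constructed outbound messages, showing one true positive, the custom-domain false negative the article mentions, and a false positive on a legitimate freelancer email. All domains, keywords and messages are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# Hypothetical rule set: the domains, keywords and sample messages are constructed.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}
CONTENT_RULES = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "keyword": re.compile(r"\b(confidential|financial projections|customer list)\b", re.I),
}

@dataclass
class OutboundEmail:
    recipients: list
    subject: str
    body: str
    attachment_names: list = field(default_factory=list)

def evaluate(mail: OutboundEmail) -> list:
    """Run each if-then rule and return the names of the rules that fired:
    rule 1 flags any recipient on a freemail domain; rule 2 flags a keyword or
    regex hit in subject, body or attachment names (a real gateway would also
    scan attachment contents)."""
    fired = []
    for rcpt in mail.recipients:
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in FREEMAIL_DOMAINS:
            fired.append(f"freemail-recipient:{domain}")
    text = " ".join([mail.subject, mail.body, *mail.attachment_names])
    for name, pattern in CONTENT_RULES.items():
        if pattern.search(text):
            fired.append(f"content:{name}")
    return fired
# Constructed samples covering the three outcomes a rule-only DLP produces.
# 1. Insider mails the customer list to a personal Gmail account: both rules fire.
EXFIL_TO_FREEMAIL = OutboundEmail(
    ["me.personal@gmail.com"], "FYI", "see attached", ["customer list Q3.xlsx"])
# 2. Same data sent to a domain the insider registered, with a neutral file
#    name: nothing fires (the false negative the article warns about).
EXFIL_TO_OWN_DOMAIN = OutboundEmail(
    ["archive@my-own-domain.test"], "FYI", "see attached", ["q3.zip"])
# 3. Legitimate note to a freelancer whose signature says "Confidential":
#    both rules fire anyway (the false positive that costs productivity).
LEGIT_TO_FREELANCER = OutboundEmail(
    ["designer@gmail.com"], "Logo feedback", "Looks great, thanks!\n--\nConfidential")

def triage() -> dict:
    """Map each constructed message to whether the rules would block it."""
    samples = {"exfil_freemail": EXFIL_TO_FREEMAIL, "exfil_own_domain": EXFIL_TO_OWN_DOMAIN,
               "legit_freelancer": LEGIT_TO_FREELANCER}
    return {name: bool(evaluate(m)) for name, m in samples.items()}
```

The rules block the obvious case and the legitimate one alike, while the renamed file sent to a non-freemail domain passes untouched; that gap is what the keyword and domain lists cannot close on their own.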
What it is: Because it’s people who control our data, training is a logical solution to data exfiltration. In fact, 61% of organizations have training every 6 months or more frequently.
Why it doesn’t work: While training does help educate employees about data exfiltration and what the consequences are, it’s not a long-term solution and won’t stop the few bad eggs from doing it. You also can’t train away human error, including breaking the rules or falling for scams like phishing attacks. Learn more in our report: Why the Threat of Phishing Can’t Be Trained Away.
What it is: Machine learning – especially ML models trained on historical email data – understands the intricacies and fluctuations of human relationships over time. That means ML models can constantly update their “thinking” to determine whether an action looks like exfiltration or not.
Why it does work: This is the “human” way forward. Machine-intelligent software recognizes what looks suspicious, much like a trained security professional could. However, unlike humans, it can do this thousands of times per second without missing information or getting tired.
Tessian uses stateful machine learning to prevent data exfiltration on email by turning an organization’s own data into its best defense against inbound and outbound email security threats.
Our Human Layer Security platform understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity like data exfiltration attempts and targeted phishing attacks.
Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network.
Tessian Enforcer detects and prevents data exfiltration attempts by:
Tessian Defender detects and prevents data exfiltration attempts by: