It is not a matter of “if” you will be attacked, but “when”. Preventing attackers from breaching the system is necessary, but stopping them before they can complete their mission is the real requirement. Analysing data inflow and outflow effectively, so that data exfiltration is spotted early, helps reduce the cost of a data breach.
Data exfiltration is the stage of a data breach in which an individual’s or organization’s data is copied without authorization. It is usually part of a targeted attack in which the intruder copies sensitive data from the victim’s machines. Attackers gain access to the target machine through a remote application or by directly installing malware via portable media.
A medium-sized organization may have on the order of 20,000 devices connected to its network: mobile phones, laptops, printers, servers and other devices that communicate over the Internet. There are myriad channels for data transmission: cloud-based applications such as Salesforce and Amazon Web Services, email and messaging services, various internet/web portals and social media. The data generated by a company’s network-connected devices can reach 20 TB or more in a single day. Exfiltration that stays within normal traffic patterns and sizes is already hard to detect, and the problem is compounded when attackers hide the transfer in encrypted channels or use compromised credentials, so that the traffic looks like legitimate use.
With the introduction of new technologies and devices such as drones, IoT and BYOD policies into organizations, the attack surface grows, and so does the risk each individual faces in their online activities.
False positives in DLP and SIEM
An advanced DLP solution and a SIEM are used to monitor for risky events, but given the size of an organization and the volume of data accessed every day, these tools on their own are not enough and generate false positives in large numbers. Many exfiltrations went unnoticed in their early stages because the genuine alerts were buried among the false positives produced by SIEM tools. Shifting to productive monitoring and SIEM intelligence coupled with behavioral analysis will help detect data breaches earlier.
One case study claims that incorporating behavioral analysis into DLP tools can reduce false positives by up to 99%. Breaches are inevitable, but sensitive data loss is not. A traditional perimeter defense alone will not stop attackers from stealing sensitive data. Organizations need to start from the assumption that some adversary will succeed in bypassing the defenses. One of the most vital stages in an APT-style attack is the data exfiltration step. Companies must invest in understanding the threat vectors and building a threat model; this helps identify likely adversaries and their approaches.
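To make the difference between a static DLP rule and a per-user behavioral baseline concrete, here is an added example (it is not code from the original article and does not represent any particular DLP or SIEM product). It runs both kinds of detection over a handful of constructed outbound-transfer log lines. The static rule alerts on any single transfer above a fixed size and fires repeatedly on a user whose job is to push large backups to cloud storage, while missing a low-volume, off-hours upload to a destination that user has never used before. The behavioral rule compares each user’s daily egress against that same user’s history, so it stays quiet on the backup job and flags the anomalous account. The log format, users, destinations and thresholds are all assumptions made for the example.

```python
"""Static-threshold vs per-user behavioral baseline for outbound transfers (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real data). Format: <ISO timestamp> <user> <destination> <bytes_out>
# alice pushes ~120 MB of backups to S3 every morning; bob normally sends ~1 MB a day to the CRM
# and mail, then on day 4 uploads ~28 MB to a never-before-seen destination at 3 a.m.
SAMPLE_LOG = """\
2024-03-01T09:12:00 alice s3.amazonaws.com 120000000
2024-03-01T10:05:00 bob crm.salesforce.com 800000
2024-03-02T09:15:00 alice s3.amazonaws.com 130000000
2024-03-02T11:20:00 bob crm.salesforce.com 1200000
2024-03-03T09:10:00 alice s3.amazonaws.com 110000000
2024-03-03T14:02:00 bob mail.example.com 900000
2024-03-04T09:11:00 alice s3.amazonaws.com 125000000
2024-03-04T03:17:00 bob files.dropbox.com 9000000
2024-03-04T03:21:00 bob files.dropbox.com 9500000
2024-03-04T03:29:00 bob files.dropbox.com 9800000
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    dest: str
    bytes_out: int


def parse_log(text: str) -> list[Event]:
    """Parse the whitespace-separated log format assumed above."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, dest, nbytes = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, dest, int(nbytes)))
    return events


def static_rule(events, threshold_bytes=50_000_000):
    """Classic DLP-style rule: alert on any single transfer above a fixed size."""
    return [(e.user, e.ts.date().isoformat(), e.dest, e.bytes_out)
            for e in events if e.bytes_out > threshold_bytes]


def behavioral_rule(events, z_threshold=3.0, min_history_days=2):
    """Per-user baseline: compare each day's egress with that user's own prior days.

    A day is flagged when its total is z_threshold standard deviations above the
    user's history. Each alert also reports destinations the user had never used
    before and whether any of the day's transfers happened between 00:00 and 06:00,
    which is the context an analyst needs to triage quickly.
    """
    daily = defaultdict(lambda: defaultdict(int))       # user -> day -> bytes
    dests = defaultdict(lambda: defaultdict(set))       # user -> day -> destinations
    off_hours = defaultdict(lambda: defaultdict(bool))  # user -> day -> any 00:00-06:00 transfer
    for e in events:
        day = e.ts.date().isoformat()
        daily[e.user][day] += e.bytes_out
        dests[e.user][day].add(e.dest)
        if e.ts.hour < 6:
            off_hours[e.user][day] = True

    alerts = []
    for user, per_day in daily.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history_days:
                continue  # not enough baseline yet; a real deployment would fall back to a peer-group baseline
            mu, sigma = mean(history), pstdev(history)
            # Floor sigma so a very flat history does not turn every small deviation into an alert.
            sigma = max(sigma, 0.1 * mu, 1.0)
            z = (per_day[day] - mu) / sigma
            if z >= z_threshold:
                seen_before = set().union(*(dests[user][d] for d in days[:i]))
                alerts.append({
                    "user": user, "day": day, "bytes": per_day[day],
                    "baseline_mean": mu, "z": round(z, 1),
                    "new_destinations": sorted(dests[user][day] - seen_before),
                    "off_hours": off_hours[user][day],
                })
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("static rule alerts:    ", static_rule(evts))      # four alerts, all on alice's normal backups
    print("behavioral rule alerts:", behavioral_rule(evts))  # one alert: bob, 2024-03-04, new destination, off hours
```

Note that the behavioral rule needs a warm-up period per user (here two days) before it can judge anything, and that a patient attacker can try to "train" the baseline by ramping volume slowly; in practice the per-user baseline is combined with peer-group baselines and with the new-destination and off-hours signals shown here rather than used alone.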
Organizations must think differently
Companies should adopt a ‘think like a hacker’ mentality. Attackers’ motives vary, but their goal is the same: to steal, leak or expose a victim’s data, whether the victim is an individual, an organization or even a nation. Instead of simply claiming that they cannot be breached, companies can invest effort and time in building a better approach. A traditional risk-based approach will not single-handedly mitigate or tackle a data breach; it should be coupled with proper incident response plans and data loss prevention mechanisms.
Plan for a better plan
Companies planning to invest in cyber security must also consider different approaches to handling cyber events, since cyber threats are increasing rapidly every year. Some of the steps companies can focus on to build a custom defense strategy include:
A cyber defense strategy built on measures such as a multi-layered security approach, with network defenses, strong passwords, intrusion detection and multi-factor authentication protecting sensitive data, which helps companies handle breaches efficiently. The biggest challenge remains detection: identifying data exfiltration events is tedious because of the sheer volume of data generated.
Edited by Pierluigi Paganini
(Security Affairs – Hackers, cyber security)