Detecting and Blocking Data Exfiltration Threat Vectors

Sophisticated hackers are increasingly targeting your most valuable data – but you can fight back with smart, targeted security measures


Of all the threats facing businesses, data exfiltration is one of the most significant. A survey by the Ponemon Institute found that the biggest targets of cyber-attacks are intellectual property and customer data, and the sophistication of these threats is a real concern for security professionals.

With so many data exfiltration threat vectors, there’s not enough time in the day to handle them all without holistic, automated and intelligent control mechanisms. These mechanisms correlate security controls’ data to identify real threats and remove false-positive alerts.

Determine the Problem to Solve

Every executive making investment decisions for security controls asks, “What is the problem we need to solve?” In this case, the answer is, “We need to take large amounts of data from the systems in which we have already invested, and identify what is happening in our environment to determine if data exfiltration is occurring or has occurred.” This is where threat-intelligent solutions are valuable. They apply big-data analysis to security data to prevent data leakage and quickly determine what is going on in the environment.

Sensitive data (HIPAA PHI, PCI cardholder data, SOX financial information, etc.) is everywhere. It’s in databases, file servers, applications, laptops, mobile devices and USB drives, and is transmitted via email and to cloud storage services such as Box, Dropbox or Google Drive. It’s also the most valuable data that your company has, and is therefore the most crucial to protect. Consider the ease of PCI compliance validation when comparing card payment providers.

Evaluating Your Security Controls Technology

For every place that data is transmitted, received, processed and/or stored, there is a data exfiltration threat vector. For example, when an authenticated user has access to a web server in a less-secure zone (DMZ) and makes a query for a sensitive record on the database server in a highly secure zone (an internal system segmented into its own highly secure environment), can the security controls technology track the application calls and correlate them to user credentials and IP addresses? In many environments this tracking is not performed, which makes it extremely difficult to determine the real user behind a query and then to conduct data breach investigations and forensics.

When VIMRO conducts risk assessments and regulation compliance gap analysis, we ask the questions that most auditors ask, such as: “How would you know if you had a data breach?” and “How will you respond when you recognize that a breach is occurring or has occurred?” Too often the answer is, “I don’t know.” We usually hear this answer when organizations have vast amounts of data from firewalls, routers, web servers, database servers, Active Directory servers and other logs (DLP, IDS, anti-malware, etc.) but they do not have a system that intelligently correlates the data and provides actionable metrics.

The Value of an Effective Threat-Intelligent Management System

Most often, we learn that the organization thought they had a threat-intelligent management system when they purchased a SIEM. Unfortunately, while a SIEM is a great collection technology, it is not a good threat-intelligent correlation technology. Additionally, most security technologies, such as anti-malware, IDS and DLP, rely on signatures to determine threats instead of basing detection on behavior patterns. A valuable threat-intelligent technology identifies threats from anomalies, distinguishing normal behavior from suspicious behavior. This increases the probability of spending time on real data-exfiltration threats instead of wasting valuable time reacting to false-positive events.
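The cross-zone tracking asked for above (attributing a database query in the secure zone to the authenticated user and IP on the DMZ web server) and the anomaly-based alerting described in this section can be illustrated with a small correlation routine. This is an added example, not VIMRO's code or any product's logic; it assumes the application forwards a request id (rid) from the web tier to the database tier, and all log lines, table names and the row-count baseline are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not from the article). The DMZ web server records the
# authenticated user, client IP and a request id (rid) that the application is
# assumed to forward to the database tier so the two logs can be joined.
WEB_LOG = """\
2024-05-01T10:00:01Z user=alice ip=203.0.113.7 req="GET /records/4711" rid=r1
2024-05-01T10:00:03Z user=bob ip=198.51.100.9 req="GET /records/export" rid=r2
2024-05-01T10:00:05Z user=alice ip=203.0.113.7 req="GET /help" rid=r3
"""
# Database audit log from the internal zone: rid, table touched, rows returned.
DB_LOG = """\
2024-05-01T10:00:01Z rid=r1 table=patients rows=1
2024-05-01T10:00:04Z rid=r2 table=patients rows=50000
2024-05-01T10:00:05Z rid=r3 table=faq rows=12
2024-05-01T10:00:09Z rid=r9 table=patients rows=300
"""

SENSITIVE_TABLES = {"patients", "cardholder"}   # tables holding PHI / PCI data
ROW_THRESHOLD = 1000   # constructed baseline: no normal request returns more rows

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split 'timestamp key=value ...' into a dict with a parsed 'ts' field."""
    ts, rest = line.split(" ", 1)
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields

def correlate(web_log, db_log, window=timedelta(seconds=5)):
    """Attribute every sensitive-table query to the web user/IP behind it.
    Alerts on reads larger than the baseline, and on sensitive queries with no
    web request in the window (access that reached the secure zone untracked)."""
    web = {w["rid"]: w for w in map(parse, web_log.splitlines())}
    alerts = []
    for q in map(parse, db_log.splitlines()):
        if q["table"] not in SENSITIVE_TABLES:
            continue
        w = web.get(q["rid"])
        rows = int(q["rows"])
        if w is None or abs(q["ts"] - w["ts"]) > window:
            alerts.append({"rid": q["rid"], "user": None, "ip": None,
                           "rows": rows, "reason": "no matching web request"})
        elif rows > ROW_THRESHOLD:
            alerts.append({"rid": q["rid"], "user": w["user"], "ip": w["ip"],
                           "rows": rows, "reason": "bulk read"})
    return alerts
```

Running `correlate(WEB_LOG, DB_LOG)` attributes the 50,000-row export to bob at 198.51.100.9 and flags the query tagged r9 as having no tracked user, while alice's single-record lookup raises nothing.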

Think of every successful sports team: when all the players work together, they win games. A threat-intelligent management system that can integrate the large quantities of data from all of your devices and applications allows all your security controls to work together and provides results on which you can take effective and efficient incident-handling actions.
