7 Steps to Real-Time File Exfiltration Detection (Video)

This year’s Verizon Data Breach Investigations Report (DBIR) came out a few weeks ago, and — surprise, surprise — insider threat remains one of the biggest problems for enterprise data security. Looking at the DBIR, there are all the usual data exfiltration suspects: Most are so-called “inadvertent insiders” and a few are malicious insiders or malicious outsiders using stolen credentials. All of these attackers are acting with complete authorization, so their activities tend to fly under the radar — not tripping any of the traditional data security alarms — until it’s far too late. In fact, Verizon found that the vast majority (68 percent) of insider data loss events take a month or more for the organization to discover.

See file exfiltration in real-time

With Code42 deployed in your environment, you have a powerful tool for recognizing suspicious file exfiltration activity by authorized users. Code42’s File Exfiltration Detection solution enables you to set a threshold to alert you if users move more than a typical amount of files to an external location — whether copying them to a removable storage device or uploading them to a cloud service.

Code42’s File Exfiltration Detection solution in action

Here’s how File Exfiltration Detection could help you detect and respond to a disgruntled employee’s malicious attempt to steal your IP:

  1. Set the threshold. From the Code42 web console, set the File Exfiltration Detection threshold at 10 files or 50 MB.
  2. Alert! An email notification tells you that a user recently moved more than 200 MB of data to a third-party cloud service account, such as Microsoft OneDrive or Google Drive.
  3. Confirm. Clicking the email link brings you back to the Code42 web console, where you can see the details of the user’s suspicious activity. For example, you can view a historical perspective of the user’s cloud service activity to see that, yes, this is a highly unusual event.
  4. Investigate. Dig deeper by exporting a CSV file that shows detailed information on all the files included in this mass exfiltration. The CSV includes each file’s name and MD5 hash as well as details on where the files were moved and when.
  5. Unzip the zip. Let’s say the malicious insider attempted to hide photos and videos of proprietary manufacturing processes in a large, innocent-sounding zip file: “cat videos.zip.” You can use the Code42 Backup + Restore solution to download that zip file and reveal its true contents.
  6. Track the source. What if the malicious actor tried to hide his tracks by renaming and/or modifying the original files? Because File Exfiltration Detection provides the MD5 hash of all the exfiltrated files, you can use Code42 Forensic File Search to search your entire environment for the MD5 hashes. This lets you track the modified or renamed file back to its source.
  7. Take action — faster. Between the real-time alert from File Exfiltration Detection, the complete data visibility from Code42 Backup + Restore and the instant file search capabilities of Code42 Forensic File Search, this entire investigation took less than an hour. You know the event happened. You know who did it. And you have a huge head start on stopping the malicious actor before more sensitive data gets out of your control.
Facebook Twitter Google LinkedIn YouTube