Detecting and Preventing Data Exfiltration

Modern organisations operate as part of a complex, partially-trusted ecosystem comprising other organisations, a diverse range of third-party technologies, and end users operating in a variety of organisational cultures.

This ecosystem manifests itself in various forms:

  • The organisation is part of a supply chain (either at its head or as a participant - often transitively - or both)
  • Procurement of specific technologies, software systems or services from other organisations
  • "Bring your own device" cultures, whereby end users utilise new personal technologies or software services (from partially-trusted third parties) in their day-to-day working practices.

Such partially-trusted settings are not an exception but the norm in modern business settings.

UK organisations (like their international counterparts) participate in a complex network of relationships, which expose them to a wide array of potential threats.

Data exfiltration is one such key threat - an attacker who has established a presence on an organisation's network can move data out of the system through a variety of means. The costs of such data exfiltration are substantial - fines from regulatory bodies and the cost of IP theft lead to significant economic losses.

If we assume that at some point a breach in the security measures will take place, what mechanisms can enable cyber security personnel and systems in an organisation to detect, stop or at least disrupt data leakage from the organisation's system following such a breach?

The Objectives

The research undertaken aims to address the above question. Specifically, the research has the following objectives:

  • Provide guidance that enables organisations to benchmark themselves against the state-of-the-art and state-of-the-practice of dealing with data exfiltration threats.
  • Reveal typical data exfiltration means, countermeasures and their effectiveness, as well as key trends and patterns that may be indicative of data exfiltration from an organisation.
  • Provide an understanding of the link between particular business practices and technologies and data exfiltration and highlight how new and emerging technologies and/or business practices may impact data exfiltration modes, patterns and countermeasures.
  • Recommend revisions and updates to the technical measures in the critical security controls and complement these with guidelines for organisations. The guidelines will enable organisations to prioritise data exfiltration risks depending on the specific business and security contexts in which they operate and map these priorities to specific mechanisms and countermeasures for improving resilience to data exfiltration.

Guides and Reports

The insights we have gained from the grounded theory analysis of data breach incidents, a systematic literature review of the academic domain and a survey of organisations have been synthesised into reports that will enable organisations to benchmark themselves against the state-of-the-art and state-of-the-practice of dealing with data exfiltration threats. Such a comparison is expected to reveal the areas where a particular entity (i.e., an organisation) needs to improve its knowledge, expertise, competencies and technological innovation in order to either identify and thwart a data exfiltration attempt or recover from it with minimum loss.

Detecting and Preventing Data Exfiltration Report

This document is designed to help you understand approaches to detecting and preventing data exfiltration from your organisation. It covers the various modalities in which data exists within an organisation, how remote attackers exploit the readily-available means of data exchange prevalent in most organisations, and the more advanced modes that are aimed at bypassing most security measures.

Download the Data Exfiltration Report

Executive Summary

This executive summary provides an overview of typical data exfiltration means, countermeasures and their effectiveness, as well as key trends and patterns that may be indicative of data exfiltration from an organisation.

Download the Data Exfiltration Executive Summary