Dan1010
Newcomer II

Looking For Data Exfiltration Protection Solutions

Hello ISC2 community!

I am looking for assistance with solutions concerning insider threats and data exfiltration. I have a couple of certs, but being a dev you can imagine how often I get to use that knowledge. I feel like I am likely behind on the latest solutions and therefore not as confident in my choices moving forward. All feedback is much appreciated!

Recently, my team has become more interested in negating the efforts of insider threats. I understand there is a lot that can be done for prevention and detection. The area we are currently interested in is software solutions for detecting when an insider threat pulls the trigger on the attack. The use case is when an authorized user has access to a set of resources and decides to collect as much of that data as possible, as quickly as possible, for whatever end goal. Immediate prevention (automated response) is probably needed as well. In my limited experience and from what I gather from our community, I think of rate-limiting mechanisms and solutions that detect large or abnormal data movements, the number of requests per user, and perhaps even time of day.

What is the latest and greatest in the field for that?
Is it a solution that is specific in guarding an application or can be used across other things for the whole company?
Does the solution work well with cloud solutions in that my team will have the ability to implement, control, and modify the solution (off-prem hardware / container problems)?

Does the solution cause network performance issues?

Thank you all!
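A minimal detection pass over constructed access-log lines, as an added example that is not part of the original post: it flags, per user, request rate and data volume within a sliding window plus any off-hours access. The log format, user names and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of a per-request access log: "timestamp user bytes_returned".
SAMPLE_LOG = (
    [f"2024-03-04T10:{m:02d}:00Z alice 48213" for m in (5, 17, 31, 44, 58)]
    + [f"2024-03-04T13:00:{s:02d}Z bob 5242880" for s in range(0, 50, 2)]
    + ["2024-03-04T02:10:41Z carol 9120"]
)

def parse_log(lines):
    """Parse log lines into (timestamp, user, bytes) tuples sorted by time."""
    events = []
    for line in lines:
        ts, user, size = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, int(size)))
    return sorted(events)

def detect_bulk_access(events, window=timedelta(minutes=5), max_requests=20,
                       max_bytes=50_000_000, business_hours=(8, 18)):
    """Return one alert per (user, rule) the first time that rule trips.

    Rules (thresholds are assumed values): request count or byte volume inside a
    sliding window per user exceeds the limit, or any access outside business
    hours (UTC). Such an alert is the hook for an automated response.
    """
    recent = defaultdict(deque)   # user -> (timestamp, bytes) events still in the window
    volume = defaultdict(int)     # user -> bytes currently inside the window
    alerts, seen = [], set()

    def fire(user, rule, detail):
        if (user, rule) not in seen:
            seen.add((user, rule))
            alerts.append({"user": user, "rule": rule, "detail": detail})

    for ts, user, size in events:
        q = recent[user]
        q.append((ts, size))
        volume[user] += size
        while ts - q[0][0] > window:        # drop events that aged out of the window
            _, old = q.popleft()
            volume[user] -= old
        if len(q) > max_requests:
            fire(user, "request_rate", f"{len(q)} requests in {window}")
        if volume[user] > max_bytes:
            fire(user, "data_volume", f"{volume[user]} bytes in {window}")
        if not (business_hours[0] <= ts.hour < business_hours[1]):
            fire(user, "off_hours", f"access at {ts.isoformat()}Z")
    return alerts

if __name__ == "__main__":
    for alert in detect_bulk_access(parse_log(SAMPLE_LOG)):
        print(alert)
```

In the sample, alice's five daytime requests pass, bob trips the volume rule before the rate rule, and carol's single 02:10 request is caught only by the time-of-day check.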

2 Replies
Early_Adopter
Community Champion

This is a confluence between DLP, classification tagging, UEBA, user risk profile controls, etc. - so that I don't start shilling here, send me a DM and we can discuss there.

Cheers,

Michael
JoePete
Advocate I


@Dan1010 wrote:

The use-case being when an authorized user has access to a set of resources and decides to collect as much of that data as possible as quickly as possible for whatever end goal. As well, immediate prevention (automated response) is probably needed. In my limited experience and what I gather from our community, I think of rate-limiting mechanisms and solutions to detect large or abnormal data movements and amount of requests per user and perhaps even time of day.


These aren't bad ideas, but I wouldn't make them the focal point. That should be classification. Everything starts with classification, but that is a huge culture change that most organizations don't want to adopt. People should think classification before they write or create. The response is "wait, I need to make the thing before I classify it, right?" I would say there is a lot of value in doing it the other way around. Think of your audience and purpose first (classify) before you start writing. In any case, without good classification, you're like a carpenter without a tape measure.

I'd add an element of digital rights management. That might give you more granularity in controlling what authorized people can do. My presumption is that you are looking at something like a SaaS document store rather than some sort of network/Internet access to a filesystem. You could make the interface nice and clunky so that it becomes a one-file-at-a-time type of access.

But with all of this, I keep circling back to classification. You have to know the sensitivity of the data in order to properly secure and control it. If you have that, then everything else is easier.