Information leakage or data exfiltration can occur in your company in many ways. Consider these two scenarios:
So how could you detect these two scenarios?
In the first scenario, Data Leak Prevention (DLP) products can be used, which can be either agent-based or network-based. The agents provide different levels of sophistication: looking for certain activity, for documents that carry certain attributes, or enforcing permissions on who can access and distribute data. An adequately deployed DLP technology could detect and prevent the accidental or intentional attempt to leak information.
The second scenario could be more difficult to detect. DLP and deep packet inspection technology may be able to detect and prevent this type of information leakage, but there is a strong possibility they will not. One reason is that it may be the action of an attacker who has already compromised your network and is now trying to leak information. Most network-based DLP solutions cannot inspect any form of encrypted traffic, which makes the technology irrelevant in that case. Detecting and preventing this type of activity more reliably requires a multifaceted approach, which may include technologies such as packet and session reconstruction, intelligence data feeds (such as Command and Control servers and known malware), traffic anomaly detection and statistical baselining of network traffic. Providing this type of in-depth analysis and investigative capability requires collecting data from different sources and feeding it into an analytics platform that can consume the different intelligence feeds, typically a security information and event management platform (SIEM).
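Two of the techniques listed above, statistical baselining of outbound traffic volume and matching destinations against an intelligence feed, work on flow metadata alone and so still apply when the payload is encrypted. The following is an added example, not code from the original article: it builds a per-host baseline of daily outbound bytes from constructed flow records, scores a new day against that baseline with a z-score, and separately checks destinations against a constructed list of known Command and Control addresses. The host names, the documentation-range IPs and the byte counts are all invented sample data; the sigma floor and z threshold are assumed tuning values.

```python
"""Outbound-volume baselining plus intel-feed matching for flow records.

Added example, not from the original article. Flow records and the
intel feed are constructed sample data; IPs are documentation ranges.
"""
from collections import defaultdict
from statistics import mean, pstdev

BASELINE_DAYS = ["d1", "d2", "d3", "d4", "d5"]   # constructed history window
DETECT_DAY = "d6"                                 # the day being scored
KNOWN_C2 = {"203.0.113.7"}                        # constructed intel feed entry


def build_sample_flows():
    """Constructed flow records: (day, src_host, dst_ip, bytes_out)."""
    flows = []
    for day, n in zip(BASELINE_DAYS, [100_000, 120_000, 110_000, 90_000, 130_000]):
        flows.append((day, "ws-01", "198.51.100.20", n))     # normal workstation
    for day in BASELINE_DAYS:
        flows.append((day, "ws-02", "198.51.100.5", 50_000))  # perfectly flat history
    for day, n in zip(BASELINE_DAYS, [1_000_000, 1_050_000, 950_000, 1_000_000, 1_000_000]):
        flows.append((day, "srv-db", "198.51.100.30", n))    # busy but steady server
    # Detection day: ws-01 sends about 7x its norm, most of it to a known C2 host
    flows += [
        (DETECT_DAY, "ws-01", "203.0.113.7", 500_000),
        (DETECT_DAY, "ws-01", "198.51.100.20", 300_000),
        (DETECT_DAY, "ws-02", "198.51.100.5", 52_000),       # tiny change on flat host
        (DETECT_DAY, "srv-db", "198.51.100.30", 1_020_000),
        (DETECT_DAY, "ws-99", "198.51.100.9", 5_000_000),    # host with no history
    ]
    return flows


def daily_outbound(flows):
    """Sum outbound bytes per host per day: {host: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def build_baseline(totals, days):
    """Per-host (mean, population stdev) of daily outbound bytes over `days`.
    Hosts with no traffic in the window get no baseline entry."""
    baseline = {}
    for host, per_day in totals.items():
        samples = [per_day.get(d, 0) for d in days]
        if any(samples):
            baseline[host] = (mean(samples), pstdev(samples))
    return baseline


def score_day(totals, baseline, day, z_threshold=3.0, sigma_floor=0.10):
    """Flag hosts whose outbound bytes on `day` sit more than z_threshold
    standard deviations above their baseline mean. A flat history gives
    sigma=0 and would make any change look infinite, so sigma is floored
    at sigma_floor * mean. Hosts without a baseline are reported separately
    rather than silently skipped."""
    alerts = []
    for host, per_day in totals.items():
        observed = per_day.get(day, 0)
        if host not in baseline:
            if observed:
                alerts.append({"host": host, "bytes": observed, "z": None,
                               "reason": "no baseline"})
            continue
        mu, sigma = baseline[host]
        sigma = max(sigma, sigma_floor * mu)
        z = (observed - mu) / sigma
        if z > z_threshold:
            alerts.append({"host": host, "bytes": observed, "z": round(z, 1),
                           "reason": "volume spike"})
    return sorted(alerts, key=lambda a: a["host"])


def intel_hits(flows, known_c2):
    """Destination match against the intel feed. Needs only the flow
    5-tuple, not the payload, so encryption does not hide it."""
    return sorted({(host, dst) for _, host, dst, _ in flows if dst in known_c2})


def run_detection():
    """Score the constructed detection day and return (volume_alerts, c2_hits)."""
    flows = build_sample_flows()
    totals = daily_outbound(flows)
    baseline = build_baseline(totals, BASELINE_DAYS)
    return score_day(totals, baseline, DETECT_DAY), intel_hits(flows, KNOWN_C2)


if __name__ == "__main__":
    volume_alerts, c2_hits = run_detection()
    for a in volume_alerts:
        print(f"{a['host']:8} {a['bytes']:>10} bytes  z={a['z']}  ({a['reason']})")
    for host, dst in c2_hits:
        print(f"{host:8} contacted known C2 {dst}")
```

On the sample data, ws-01 is flagged twice, once by the volume model and once by the intel match, which is the kind of corroboration across feeds the article expects a SIEM to provide; ws-02 shows why a flat baseline needs a floor on the standard deviation, and ws-99 shows that a host with no history has to be surfaced as its own case rather than scored against a nonexistent baseline.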
There is no silver bullet when it comes to detecting information leakage. Instead, companies need a platform capable of handling the vast amount of data with real-time statistical and correlation capabilities to detect potential exfiltration.