‘Data Exfiltration’--an unauthorized transmission of your data to a third party--has traditionally been one of the most difficult InfoSec problems to identify and block. Part of the problem lies in the breadth of the definition, since ‘exfiltration’ can encompass everything from a criminal moving your data to a server in North Korea to a disgruntled employee walking out the door with data on a USB stick.
The essential and often overlooked ingredient in detecting data exfiltration is context. With the complexity of data flows constantly increasing, value judgments about the appropriateness of a given data flow are critical to achieving maximum security with maximum productivity.
Consider two recent alerts generated by the PatternEx Threat Prediction Platform (TPP): one of our customers had a very slow drip of data going from their secure intranet to a NAS device in Ukraine. Another customer found large volumes of data being regularly exported to Box. Both events were considered outliers by our unsupervised learning models. But were they malicious?
The answer: “it depends on the context.” One company might never want data flowing to a personal NAS device in Ukraine, while another might need exactly that to support a contractor living in Kiev. By the same token, one company might want to shut down all data going to services like Box while another has just signed an enterprise agreement with them. The point is that every enterprise has authorized third-party services it endorses and unauthorized ones that create risk. Today it takes a human to assess the risk, make a judgment call, and then intervene. But human interpretation and intervention alone do not scale; mitigating risk predictably and reliably has to be automated.
The goal of the PatternEx Threat Prediction Platform is to mimic a skilled InfoSec analyst. We achieve this by developing a probabilistic infrastructure to detect attacks, and then strengthening it by continuously accepting feedback from your analysts, the same people who intimately understand your company's risk profile. The upshot is a truly dynamic system that learns your company's unique risk profile and human-accepted behaviors.
The PatternEx solution examines your flow data, sourced from whatever vendor you prefer: Cisco, Palo Alto Networks, Juniper, and so forth. From that data we compute what the machine learning world calls “features”, which can be as simple as the total bytes sent and received for a particular connection. We also look at features such as the intervals between connections, their standard deviations, the protocols in use and other dimensions of your data to derive behaviors. Based on those behaviors, the PatternEx Threat Prediction Platform then reports the outliers that warrant examination.
Starting on Day 1, without baselining or having to define (or learn) what “normal” looks like in your network, you gain instant visibility into abnormal behaviors occurring within your enterprise. Your analysts investigate the outliers and provide feedback on the alerts. That analyst input immediately trains the models to accept the data flows you have designated as appropriate and to keep flagging the data flows you have marked as malicious. In short, PatternEx learns what risk is acceptable (and what is not) within your enterprise based on your analysts' judgment and intuition (i.e. “context”).
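As an added example (illustrative code written for this page, not PatternEx's), here is the pipeline the two preceding paragraphs describe, reduced to its skeleton in Python: per-pair features computed from constructed flow records, a median/MAD outlier score standing in for the platform's unsupervised models, and an analyst label table standing in for the retraining step. The hosts, the documentation-range external addresses and the byte counts are all made up; the two "bad" pairs are modelled on the hourly drip to a NAS and the bulk cloud upload from the text.

```python
"""Flow features, robust outlier scoring and analyst feedback.

Added illustrative example, not PatternEx code. Flow records are constructed;
the median/MAD scoring is a simple stand-in for the unsupervised models the
post describes. 203.0.113.5 and 198.51.100.20 are documentation addresses.
"""
from collections import defaultdict
from statistics import mean, median, pstdev

FEATURES = ("conns", "bytes_out", "bytes_in", "mean_gap", "std_gap")


def _series(src, dst, gaps, bytes_out, bytes_in, start=1_700_000_000):
    """Expand one src->dst conversation into (ts, src, dst, out, in) records."""
    ts, records = start, []
    for i, (out, inn) in enumerate(zip(bytes_out, bytes_in)):
        if i:
            ts += gaps[i - 1]
        records.append((ts, src, dst, out, inn))
    return records


# Constructed flows: five workstations talking to an internal file server at
# irregular intervals, one host dripping 50 KB every hour to an external NAS,
# and one host pushing ~500 MB a day to a cloud storage endpoint.
FLOWS = (
    _series("10.0.0.11", "10.0.0.50", [120, 300, 95, 410],
            [1200, 3400, 2100, 900, 4000], [15000, 22000, 9000, 30000, 12000])
    + _series("10.0.0.12", "10.0.0.50", [200, 180, 260, 150, 310],
              [2500, 1800, 3100, 2200, 1500, 2900],
              [20000, 14000, 18000, 25000, 11000, 16000])
    + _series("10.0.0.13", "10.0.0.50", [90, 400, 130, 220, 350, 60],
              [800, 1500, 2300, 1100, 3600, 2000, 900],
              [8000, 12000, 30000, 15000, 9000, 21000, 10000])
    + _series("10.0.0.14", "10.0.0.50", [250, 275, 190, 330, 205],
              [4100, 2600, 1900, 3300, 2800, 2100],
              [16000, 24000, 12000, 19000, 14000, 11000])
    + _series("10.0.0.15", "10.0.0.50", [140, 600, 210, 95, 330, 175, 420],
              [1000, 1700, 2200, 900, 1400, 2600, 1900, 1300],
              [9000, 13000, 11000, 15000, 10000, 12000, 8000, 14000])
    + _series("10.0.0.7", "203.0.113.5", [3600] * 23, [51200] * 24, [200] * 24)
    + _series("10.0.0.9", "198.51.100.20", [86400] * 2, [524_288_000] * 3, [1500] * 3)
)


def extract_features(flows):
    """Per (src, dst) pair: volume totals plus timing regularity of connections."""
    by_pair = defaultdict(list)
    for ts, src, dst, out, inn in flows:
        by_pair[(src, dst)].append((ts, out, inn))
    features = {}
    for pair, recs in by_pair.items():
        recs.sort()
        times = [r[0] for r in recs]
        gaps = [b - a for a, b in zip(times, times[1:])]
        features[pair] = {
            "conns": len(recs),
            "bytes_out": sum(r[1] for r in recs),
            "bytes_in": sum(r[2] for r in recs),
            "mean_gap": mean(gaps) if gaps else 0.0,
            "std_gap": pstdev(gaps) if gaps else 0.0,  # ~0 means clockwork beaconing
        }
    return features


def robust_z(values):
    """Median/MAD z-scores: a few extreme pairs cannot drag the baseline along."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:  # degenerate column: anything off the median is an outlier
        return [0.0 if v == med else float("inf") for v in values]
    return [0.6745 * (v - med) / mad for v in values]


def score_outliers(features):
    """Return {pair: (max |z| over all features, feature that produced it)}."""
    pairs = list(features)
    worst = {p: (0.0, None) for p in pairs}
    for name in FEATURES:
        for p, z in zip(pairs, robust_z([features[p][name] for p in pairs])):
            if abs(z) > worst[p][0]:
                worst[p] = (abs(z), name)
    return worst


def alerts(scores, labels, threshold=3.5):
    """Outliers above threshold, filtered through analyst feedback.

    labels maps a pair to "accepted" (sanctioned flow, suppress) or "malicious"
    (always alert, even if its statistics later look ordinary). This table is a
    stand-in for the model retraining described in the post.
    """
    out = {}
    for pair, (z, feat) in scores.items():
        verdict = labels.get(pair)
        if verdict == "accepted":
            continue
        if verdict == "malicious":
            out[pair] = "analyst-flagged"
        elif z > threshold:
            out[pair] = f"outlier on {feat} (|z|={z:.1f})"
    return out


if __name__ == "__main__":
    scores = score_outliers(extract_features(FLOWS))
    print("Day 1, no feedback:", alerts(scores, {}))
    # Analyst: the cloud upload is the sanctioned backup contract; the hourly
    # drip to an external NAS is not.
    feedback = {("10.0.0.9", "198.51.100.20"): "accepted",
                ("10.0.0.7", "203.0.113.5"): "malicious"}
    print("After feedback:", alerts(scores, feedback))
```

On the first pass both external pairs surface, driven by their outgoing volume; the five internal pairs stay well under the 3.5 threshold on every feature. After the analyst labels the cloud destination as accepted and the NAS drip as malicious, only the drip remains, and it will keep alerting on later runs even if its volume drops back into the crowd. The feature set here is deliberately small; a real deployment would add protocol mix, destination novelty and fan-out across hosts, which is how the "slow trickle to many scattered systems" case in the text would be caught.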
DLP Solutions: Not Enough
Data loss prevention (DLP) solutions require you to tag your data in some fashion--all of it. Most DLP solutions today work via regular expressions, metadata matching, watermarks or other traditional methods of catching data in transit. But this requires many devices positioned all over your network, all needing constant updates as you add or remove data. Because DLP also relies on static rules and static enforcement policies, companies often see it as a hindrance to business: the rules frequently block legitimate movement of data.
With the PatternEx approach, we simply look for the abnormal behaviors that indicate your data is doing something it has not done before, such as being slowly uploaded to a server in Ukraine, or to a system in North Korea. However hard the perpetrator tries to hide the activity, the behavior itself doesn't lie. From malformed DNS packets to data sent in an extremely slow trickle to many scattered systems, if a behavior is abnormal it is spotted and called out for your team's attention.
Consider all the judgment calls required to manage a network: When is it OK for your source code to be moved? When is it OK for your customer data to be accessed? When is it OK for your financial data to be transferred to a third party? With PatternEx, you teach the system, and it remembers. Based on your definition of ‘normal’ and your judgment calls on what is acceptable within your enterprise, the platform is customized to your unique risk tolerance, automatically handling future alerts with greater precision.