Emerging Tech: Security — The Need for Wireless Airspace Defense
Learn Ways to Detect and Prevent Data Exfiltration in the Video Below
Speakers Jeremy Fremin and CTO Dr. Brett Walkenhorst discuss how their two systems cooperate to identify and reduce security risk. In the clip below, they walk through a secure environment in which a chain of connected devices is present. By sharing information and elevating risk scores based on the threats each system recognizes, the two systems work together.
So what's going to happen here is we create this chain where, on the upper right, we've got a cell tower connected to, we'll just say, a smartphone. It could be any hotspot, but smartphone works. It's connected to that wirelessly. The smartphone is connected to the dongle over Wi-Fi. The dongle's plugged into a system.

The system has access to the data store on the left. Right? So what happens when these devices get fired up, even before things get plugged in, is we will see that cellular connection. Once the dongle gets plugged into the system and starts communicating over Wi-Fi, we'll see that as well.

We're going to see all of those wireless interfaces immediately when they fire up using the Bastille system. Right? So right away, just with the use of a wireless intrusion detection system such as Bastille, we're going to see those interfaces. We're going to see that there's something in the space that shouldn't be there, and we're going to locate it within the space so someone can go do something about it.

And that happens right away. Now on the back end, we've also got data that's going to be transiting this chain and being moved from the data store out through the cellular network. And as soon as that process starts, RackTop Systems, if deployed in the data store, can come in and do its magic.

And rather than steal their thunder, I'd rather have the expert talk about that. So Jeremy, do you want to just mention how RackTop would handle that situation and what it would do?

Yeah. Absolutely. So nominally, we would be monitoring this activity on a regular basis anyway.
So a high-volume data transfer, an unusual time of day, or unusual user access: those are things that we would detect in a nominal sense. But let's say the threat actor was a little bit more savvy and decided to do this in a lower-and-slower fashion that may not hit some of our thresholds or may not hit some of our risk activities.

One of the ways we can mitigate that is to have this tipping and cueing happening between the physical layer and the IT layer and the logical layer, where Bastille, were it to detect this potential data exfil, tips us that, hey, there's something unusual in the physical threat environment. That could then elevate our risk scores such that even regular day-to-day activity would trip as unusual behavior and have somebody go look and potentially shut it down in an automated fashion.

So this is a way where we could actually make one plus one equal way more than two just by having some communication and integration across those different domains, which isn't typically the case today.

Yeah. Good. So there's synergy here. As with many use cases associated with security, it takes different approaches at different layers.

And I think this is a great example of where two different systems operating at very different layers can inform one another and elevate a risk score associated with some behavior. One thing I want to point out here is that either system will detect something inappropriate happening in this specific use case, because the policy should be pretty strict.
Right? Devices shouldn't be coming into the facility. In the case of RackTop, RackTop can actually work to immediately mitigate that risk. In the case of that variation on the thing that I described, let's say the user just wanted to take photos with the phone and maybe backhaul over cellular.

In that case, only one of those elements in that chain exists, but Bastille is going to see it. And what about the case when the phone just takes pictures and then wants to go out? Well, that phone is always communicating something. Even if you put it into airplane mode, it turns out there are still emissions coming from that phone.

So if you try to sneak it in with it powered off and then you power it on, Bastille's going to see it immediately, before you even have a chance to put it into airplane mode. If you try to sneak it in with airplane mode, we're still going to see it because it's still sending some packets.

Not as much, but it's still sending some things. So there's really no way to get around that, even with those more covert types of behaviors. Now let's take that idea of synergy and bring it outside of the SCIF. So let's say instead of just this one simple chain, we're in a more permissive environment, but it's still about data that we care about.
Right? We all have environments like this: enterprise network environments, maybe unclassified, but there's CUI on them, or whatever it is. It's sensitive information, proprietary information, trade secrets. Whatever it is, we want to protect it. Now instead of just that one chain, we've got a lot more stuff to deal with.

Right? So from the Bastille perspective, there's a ton of devices out here in this noisier environment, and we're going to disambiguate all that stuff. We'll figure out everything that's there and we'll localize it for you. But we need to identify a behavior with a more permissive device policy, a behavior that could lead to something bad.

And this is where some of that metadata comes in that I talked about, where we can infer some things about behavior that help us get at something threatening. So for example, let's say there's a behavior about the position, about the data flow. Maybe it's an unauthorized device, or we can tell by its behavior that there's a significant flow of data coming through these certain paths, and maybe we see that they're connected.

So maybe we can find out that there is a potential exfiltration threat occurring based on certain metrics, but we may not know for sure. And this is really where that synergy comes into play in my mind, because RackTop may have a similar view. They're seeing some data transition on the data store, and there's a certain risk associated with that.

But if we both see similar issues, so let's say RackTop sends some information to the Bastille system that says, I think there might be a data exfil event going on, Bastille can identify all potential chains that could be contributing to that and elevate the risk associated with those.

And at the same time, flow information back to RackTop saying, hey, we've got some chains here, one or more chains, that look like they might be an issue. Do you see anything? And RackTop can elevate its risk score. So all of that, I think, is very useful to do in the context of a general enterprise network, and super helpful to have these multiple views of the problem to get at really what's happening in this very complicated, noisy space.
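The tipping-and-cueing flow the speakers describe, as a constructed example added here for readers who want to see the correlation logic in code. It is not Bastille's or RackTop's code: the 0-100 score scale, the alert threshold of 70, the 30-minute tip lifetime, the 45-point elevation, the per-user baseline and all of the sample events, zones and chain names are assumptions made for the example.

```python
"""Toy tipping-and-cueing correlator between a wireless IDS and a data-store monitor.

Constructed example: none of this is Bastille or RackTop code. The score scale (0-100),
alert threshold, tip lifetime and elevation amount are all assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

ALERT_THRESHOLD = 70                 # assumed: alert when a score reaches 70
TIP_ELEVATION = 45                   # assumed: points added while a cross-layer tip is active
TIP_TTL = timedelta(minutes=30)      # assumed: how long a tip stays active


@dataclass(frozen=True)
class Baseline:
    """Per-user norm the storage layer has learned for a data store."""
    user: str
    typical_bytes: int   # typical bytes read in one access
    work_hours: range    # hours of day this user normally works


@dataclass(frozen=True)
class StorageEvent:
    """One access to the data store, as seen by the storage layer."""
    ts: datetime
    user: str
    bytes_read: int


@dataclass(frozen=True)
class WirelessTip:
    """Physical-layer observation the wireless IDS pushes to the storage layer."""
    ts: datetime
    zone: str
    detail: str


@dataclass(frozen=True)
class WirelessChain:
    """A candidate device chain (tower -> hotspot -> dongle -> host) the wireless IDS tracks."""
    chain_id: str
    zone: str
    base_risk: int


def storage_score(ev: StorageEvent, baseline: Baseline) -> int:
    """Threshold scoring the storage layer can do on its own: volume and time of day."""
    score = 0
    ratio = ev.bytes_read / baseline.typical_bytes
    if ratio >= 10:
        score += 60          # bulk copy
    elif ratio >= 2:
        score += 30          # elevated but plausible: the "low and slow" case
    if ev.ts.hour not in baseline.work_hours:
        score += 30          # off-hours access
    return min(score, 100)


class Correlator:
    """Storage-side view: an active tip from the wireless layer raises the score of every access."""

    def __init__(self) -> None:
        self.tips: list[WirelessTip] = []

    def receive_wireless_tip(self, tip: WirelessTip) -> None:
        self.tips.append(tip)

    def active_tips(self, at: datetime) -> list[WirelessTip]:
        return [t for t in self.tips if t.ts <= at <= t.ts + TIP_TTL]

    def assess(self, ev: StorageEvent, baseline: Baseline) -> dict:
        base = storage_score(ev, baseline)
        tips = self.active_tips(ev.ts)
        score = min(base + TIP_ELEVATION, 100) if tips else base
        return {"base": base, "score": score, "alert": score >= ALERT_THRESHOLD,
                "tips": [t.detail for t in tips]}


def elevate_chains(chains: list[WirelessChain], storage_zone: str) -> dict[str, int]:
    """Reverse direction: the storage layer suspects exfil in a zone, so the wireless IDS
    raises the risk of every chain it tracks in that zone and leaves the rest alone."""
    return {c.chain_id: min(c.base_risk + TIP_ELEVATION, 100) if c.zone == storage_zone else c.base_risk
            for c in chains}


def run_demo() -> dict:
    """Walk the scenario from the clip on constructed data and return what each layer decides."""
    alice = Baseline("alice", typical_bytes=1_000_000, work_hours=range(8, 18))
    corr = Correlator()
    # Low and slow: 3x the usual volume during work hours. Alone it scores 30, under the threshold.
    slow = StorageEvent(datetime(2024, 1, 1, 10, 0), "alice", 3_000_000)
    alone = corr.assess(slow, alice)
    # The wireless IDS then reports a hotspot in the same space ten minutes before the access.
    corr.receive_wireless_tip(WirelessTip(datetime(2024, 1, 1, 9, 50), "scif-a", "unauthorized cellular hotspot"))
    tipped = corr.assess(slow, alice)        # same access now scores 75 and alerts
    # A bulk copy at 02:00 the next day trips the storage layer with no help from the wireless side.
    bulk = corr.assess(StorageEvent(datetime(2024, 1, 2, 2, 0), "alice", 20_000_000), alice)
    # In the other direction, a storage-side suspicion in scif-a elevates only chains in that zone.
    chains = [WirelessChain("tower-hotspot-dongle-host", "scif-a", 40),
              WirelessChain("printer-wifi", "lobby", 10)]
    return {"alone": alone, "tipped": tipped, "bulk": bulk, "chains": elevate_chains(chains, "scif-a")}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The point the block makes is the one Jeremy raises: the low-and-slow access scores 30 on storage-side thresholds alone and never alerts, but the same access scores 75 once a physical-layer tip is active in the window, while the bulk off-hours copy alerts on its own. `elevate_chains` is the return path, where a storage-side suspicion raises the risk of every wireless chain in the affected zone rather than a single one. Tip lifetime and elevation are deliberately crude; a real deployment would scope tips by location and device rather than by zone name.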
Learn how Bastille can help prepare you for today's ever-growing wireless threat landscape: schedule a demo and we'll be in touch shortly.