Data Exfiltration

Learn about common data exfiltration challenges and how Incydr™ helps solve them


What is data exfiltration?

Data exfiltration is the unauthorized movement of data. It is most frequently used to describe intentional scenarios in which a user takes files from corporate-owned computers, systems and applications for personal benefit. This often results in financial, reputational or efficiency gains for an employee. For an organization, however, data exfiltration is an insider threat risk that must be addressed as part of a data security strategy.

While many believe data exfiltration is done with malicious intent, such as IP theft, this is not always the case. Not all data exfiltration means an employee intends to steal data. Employees and contractors may move data to unauthorized places to get their jobs done more easily and efficiently. For example, they may use an unsanctioned USB device to transfer a large file to a coworker. Or they might use their own Dropbox account to send a file to an agency because external sharing is blocked within their corporate OneDrive system. They do not intend to cause harm, but these actions still put corporate data at risk.

Unfortunately, an employee having good intent when taking data doesn't mean there is no significant corporate impact. Organizations need a way to shorten the time it takes to detect and respond to data exfiltration activity in order to properly protect their brand, customers and competitive advantage.

Data exfiltration is common during employee departure

of employees admit to taking company data to a new job. (Code42 Data Exposure Report 2019)

of security leaders believe prevention solutions are not enough to stop insider threat. (Code42 Data Exposure Report 2019)

of organizations breached by insider threat had a DLP solution in place. (Code42 Data Exposure Report 2019)

Downfalls of traditional approaches

Focusing on employee intent leaves data vulnerable
It is common for security teams to view insider threat as a rare or malicious problem and therefore assign it few resources. But insider threat occurs any time an authorized user puts data at risk, regardless of intent. A narrow definition of insider threat leaves sensitive files unprotected from everyday user mistakes.

Siloed visibility into corporate systems
Security teams that rely on the built-in data security controls of individual vendors such as Microsoft, Google and Box lack a comprehensive understanding of insider risk across their environment. Additionally, they must duplicate their policy and management efforts across every system in that environment.

Limited protection of IP and other high-value files
Products like endpoint Data Loss Prevention (DLP) only monitor activities that violate a policy. This leads to blind spots unless policies are perfectly written, implemented and maintained. Often, policies are only created to protect compliance data. This leaves many business files, like customer lists, financial reports, product roadmaps and marketing strategies, vulnerable to insider threat.

Difficult deployment and management
Products with long deployment times, such as DLP and Cloud Access Security Broker (CASB) tools, delay effective data protection by taking organizations months if not years to fully implement. In addition, products that significantly impact device performance or carry a high per-user cost are often deployed only in pockets of the organization. This limits security visibility into data risk.

Incydr Solution

Incydr is a SaaS data risk detection and response product. It enables organizations to detect and respond to data exfiltration from computers as well as corporate cloud and email services.

An agent continuously monitors all file activity on corporate Mac, Windows and Linux computers to detect exfiltration via web, apps and removable media. Direct integrations to corporate cloud services like Google Drive and OneDrive detect when employees use the service to share files from computers and phones. Integrations with corporate email services such as Microsoft Office 365 and Gmail detect when file attachments are sent to untrusted recipients.


Using Incydr to detect and respond to data exfiltration

Detect data exfiltration activity
See high-risk activity including browser uploads, email attachments, and file transfers to USB, Slack, Dropbox and iCloud.

Investigate insider threat events
Identify the employees most likely to put data at risk and get a prioritized list of employees whose recent file activity requires investigation.

Quickly take action
Automate remediation with SOAR, inform security awareness training strategies and substantiate insider threat litigation.
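The detection described above (flagging file movements to untrusted destinations across endpoint, cloud and email sources, then producing a prioritized list of users to investigate) can be sketched as follows. This is an added example, not Incydr's own code; the event schema, the trusted-destination lists and the sample events are all constructed for illustration.

```python
"""Added example (not Code42/Incydr code): flag file-activity events whose
destination lies outside the corporate trust boundary and rank users for
investigation. Event fields and trusted-destination lists are constructed."""
from collections import defaultdict

# Constructed: destinations the organization sanctions for corporate data.
TRUSTED_CLOUD = {"onedrive.example-corp.com", "drive.google.com"}
TRUSTED_EMAIL_DOMAINS = {"example-corp.com"}

# Constructed sample of normalized file events from endpoint, cloud and email sources.
EVENTS = [
    {"user": "alice", "source": "endpoint", "type": "browser_upload",
     "destination": "onedrive.example-corp.com", "file": "roadmap.pptx"},
    {"user": "alice", "source": "endpoint", "type": "browser_upload",
     "destination": "www.dropbox.com", "file": "customer_list.xlsx"},
    {"user": "bob", "source": "endpoint", "type": "removable_media",
     "destination": "usb:SanDisk", "file": "q3_financials.xlsx"},
    {"user": "bob", "source": "email", "type": "attachment",
     "destination": "bob.personal@gmail.com", "file": "q3_financials.xlsx"},
    {"user": "carol", "source": "email", "type": "attachment",
     "destination": "dana@example-corp.com", "file": "agenda.docx"},
]

def is_untrusted(event):
    """Return True when the event moves a file to a destination that is not
    a sanctioned corporate service: any removable media, an upload to a
    cloud host outside TRUSTED_CLOUD, or an attachment sent to a recipient
    whose domain is not in TRUSTED_EMAIL_DOMAINS. Intent is not considered;
    the personal-Dropbox workaround from the text is flagged like theft."""
    dest = event["destination"]
    if event["type"] == "removable_media":
        return True
    if event["type"] == "browser_upload":
        return dest.lower() not in TRUSTED_CLOUD
    if event["type"] == "attachment":
        return dest.rsplit("@", 1)[-1].lower() not in TRUSTED_EMAIL_DOMAINS
    return False

def prioritize_users(events):
    """Rank users by number of untrusted file movements (ties broken by name)."""
    counts = defaultdict(int)
    for e in events:
        if is_untrusted(e):
            counts[e["user"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for user, n in prioritize_users(EVENTS):
        print(f"{user}: {n} untrusted file movement(s)")
```

Users with no flagged events (carol, whose attachment went to a corporate recipient) do not appear in the list at all, which keeps the investigation queue limited to activity that actually crossed the trust boundary.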