This picture could replace a thousand words... But you've seen recently that I have a lot of things to say :)
So let's talk about it! The "Cost of a Data Breach Report 2020" by the Ponemon Institute, commissioned by IBM, reveals that the average cost of a data breach in 2020 is 3.86 million dollars.
If you think about it, there are many ways to make the cost of a data breach increase very quickly. Obviously, the amount of information exfiltrated plays a big role in that cost, but the type of data is also a significant factor. Customer information, employee information and other PII are precious in terms of competition and regulation (e.g. GDPR). This sort of information can be sold for a lot on the black market and is therefore actively sought after. And what about stolen Intellectual Property? It can simply lead to a disaster for a company...
Another big factor is time. Exfiltrating PII or Intellectual Property over a longer period of time can make a big difference in the cost of a data breach.
280 days is the average time for discovering and containing a data breach... You know it: you need to monitor potential exfiltration of data! But where to look? What to look at? Data exfiltration is one of the most complex behaviors to monitor because of the difficulty of finding where to look.
Disgruntled employees, human error or misconfiguration, phishing, malware: these are all potential sources of exfiltration. File shares, databases, laptops, mailboxes: the list of places to monitor could be shortened to "everything" in the infrastructure.
Ok, I'll stop with the bad news and bring some good news! The IBM QRadar Data Exfiltration Content Extension can help you gain visibility to manage this risk, with the least configuration possible.
In this blog we are going to answer a few questions with scenarios included in the content pack, such as:
- How do I monitor sensitive files with lightweight maintenance?
- Can I do something with my network data?
- Is there a way to catch when a normal behavior becomes suspicious?
The IBM QRadar Data Exfiltration Content Extension is meant to work with many device types such as Cloud, Mail, Proxy, Firewall, IDS/IPS and DLP, covering as much of the perimeter as possible (see the "QRadar Configuration" --> "Properties" section for more details on the content covered by default).
Scenarios Highlights
How do I monitor sensitive files with lightweight maintenance?
Adding the name of each file that is sensitive to a rule or reference set is almost an impossible task to achieve. And what about when the filename is changed for some reason? The Files in Sensitive File Directories rule takes care of the problem.
The only prerequisite is to populate the Sensitive File Paths Reference Set with the location of the folders that contain sensitive files. The rule then automatically adds the names of the files seen in events related to the locations you identified to another reference set.
Apply Files in Sensitive File Directories on events which are detected by the Local system and NOT when an event matches any of the following BB:CategoryDefinition: File Deleted Events and when the event matches Filename (custom) is not N/A and when any of File Directory (custom) are contained in any of Sensitive File Directories - AlphaNumeric
With this rule, monitoring sensitive files becomes very easy.
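To make the rule's decision logic concrete, here is an added Python simulation of it (this is illustrative code, not code from the content extension or from QRadar). It assumes events have already been parsed into the Filename and File Directory custom properties, treats the "detected by the Local system" test as satisfied, and uses a constructed sample of events and a hand-populated reference set of sensitive directories; the directory normalization (trailing slashes, backslashes) is an assumption for the example, not documented QRadar behaviour.

```python
"""Simulation of the 'Files in Sensitive File Directories' rule (added example, not QRadar code)."""
from dataclasses import dataclass


@dataclass
class Event:
    low_level_category: str   # QRadar low-level category name of the event
    filename: str             # Filename (custom) property, "N/A" when not parsed
    file_directory: str       # File Directory (custom) property


# Constructed sample events (hypothetical), already parsed into custom properties.
SAMPLE_EVENTS = [
    Event("File Access Success", "q3_forecast.xlsx", "/srv/finance/reports"),
    Event("File Access Success", "readme.txt", "/srv/public/docs"),            # not a sensitive folder
    Event("File Deleted", "old_budget.xlsx", "/srv/finance/reports"),          # excluded by the BB
    Event("File Access Success", "N/A", "/srv/finance/reports"),               # Filename not parsed
    Event("File Access Success", "salaries_2020.csv", "/srv/hr/payroll/"),     # trailing slash
    Event("File Access Success", "q3_forecast.xlsx", "/srv/finance/reports"),  # seen again
    Event("File Access Success", "contracts.docx", "\\\\fileserver\\legal\\contracts"),
]

# The reference set an analyst maintains by hand: folder locations that hold sensitive files.
SENSITIVE_FILE_DIRECTORIES = {
    "/srv/finance/reports",
    "/srv/hr/payroll",
    "\\\\fileserver\\legal\\contracts",
}

# Stand-in for BB:CategoryDefinition: File Deleted Events.
FILE_DELETED_CATEGORIES = {"File Deleted"}


def normalize_directory(path: str) -> str:
    """Canonicalise a directory so '/a/b/' and '/a/b' (or a UNC path) compare equal.

    This normalization is an assumption made for the example.
    """
    return path.replace("\\", "/").rstrip("/") or "/"


def files_in_sensitive_directories(events, sensitive_dirs, learned=None):
    """Apply the rule to a batch of events.

    Returns (matched events, filename reference set) where the reference set is the
    one the rule populates automatically with every filename seen in a sensitive folder.
    """
    learned = set() if learned is None else learned
    dirs = {normalize_directory(d) for d in sensitive_dirs}
    matched = []
    for ev in events:
        if ev.low_level_category in FILE_DELETED_CATEGORIES:   # NOT ... File Deleted Events
            continue
        if ev.filename == "N/A":                               # Filename (custom) is not N/A
            continue
        if normalize_directory(ev.file_directory) not in dirs:  # contained in Sensitive File Directories
            continue
        matched.append(ev)
        learned.add(ev.filename)   # rule response: add the filename to the other reference set
    return matched, learned


if __name__ == "__main__":
    hits, names = files_in_sensitive_directories(SAMPLE_EVENTS, SENSITIVE_FILE_DIRECTORIES)
    print(f"{len(hits)} matching events; learned sensitive filenames: {sorted(names)}")
```

Note that the learned set is keyed on filenames, so a file renamed inside a sensitive folder is picked up on its next access without any rule change, which is exactly the maintenance saving the rule is designed for.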
The IBM QRadar Data Exfiltration Content Extension provides rules to watch for sensitive files shared with a guest user or group in a cloud environment such as AWS or Office 365.
Apply Sensitive File Shared with a Guest User or Group on events which are detected by the Local system and when an event matches any of the following BB:CategoryDefinition: Link Shared Events and when any of Target User Area (custom) are contained in any of Guest Login Users - AlphaNumeric (Ignore Case) and when an event matches any of the following BB:Exfiltration: Files in Sensitive Directories
It also contains a rule to monitor whether a sensitive file is being uploaded to a publicly accessible folder.
Apply Sensitive File Uploaded to a Publicly Accessible Folder on events which are detected by the Local system and when an event matches any of the following BB:CategoryDefinition: Object Upload Events and when an event matches any of the following BB:Exfiltration: Files in Sensitive Directories and when any of File Directory (custom), Storage Name (custom) are contained in any of Publicly Accessible Folders - AlphaNumeric (Ignore Case)
Note: These searches are available for both flows and events!
Is there a way to catch when a normal behavior becomes suspicious?
Seeing an authorized access to one or two documents in the same location seems absolutely normal; seeing 10 or 15 of them in a short period of time suddenly becomes more suspicious.
Four rules catch anomalies in file access or download, tracking whether a user is engaging in reconnaissance behavior or is actively downloading an abnormal number of documents.
Apply Excessive File Downloads Events From the Same Source IP on events which are detected by the Local system and when an event matches any of the following BB:CategoryDefinition: Object Download Events and when the event matches Filename (custom) is not N/A and when the event matches NOT ((NETWORKNAME(destinationip)='Net_172_16_0_0') OR (INCIDR('192.168.2.0/24', sourceip))) AQL filter query and when at least 10 events are seen with the same Source Address, Log Source and different Filename (custom) in 5 minutes
Other Use Cases
The IBM QRadar Data Exfiltration Content Extension, with its 35 rules and 11 saved searches, provides a wide set of rules and tools to monitor potential exfiltration of data efficiently.
The content pack includes a Pulse dashboard, which gives a global overview of your environment.
QRadar configuration
Install the DSM
Download and install the DSM relevant to your environment via Auto-Updates or Fix Central.
Enable X-Force
The content pack contains some rules based on reputation. Enable X-Force to benefit from these rules.
Install the Content Extensions
Rules
The IBM QRadar Data Exfiltration Content Extension is available on the App Exchange.
Properties
The pack contains Custom Property definition placeholders. This means that you can copy the Custom Properties provided and adapt them to your environment by adding expressions under that definition. You can also download the sets of Custom Properties identified below.
Many Custom Properties have been developed for the devices covered by the IBM QRadar Data Exfiltration Content Extension. To get the list of what is available, just search for the device type you are looking for on the App Exchange.
The IDS/IPS devices we built properties for are:
- Fortinet FortiAnalyzer
- Checkpoint
- Palo Alto
- Cisco Firepower
- etc.
The cloud devices we built properties for are:
- Office 365
- AWS
- Azure
- IBM Cloud
- etc.
The proxy devices we built properties for are:
- Cisco Ironport
- Bluecoat
- Squid
- Zscaler
- etc.
The email devices we built properties for are:
- Postfix
- Microsoft Exchange
- Cisco Ironport
- Lastline
- Proofpoint
We keep releasing new properties to offer better device coverage, so don't hesitate to have a look from time to time!
Let's take the example of the Excessive File Downloads Events From the Same Source IP rule.
Apply Excessive File Downloads Events From the Same Source IP on events which are detected by the Local system and when an event matches any of the following BB:CategoryDefinition: Object Download Events and when the event matches Filename (custom) is not N/A and when the event matches NOT ((NETWORKNAME(destinationip)='Net_172_16_0_0') OR (INCIDR('192.168.2.0/24', sourceip))) AQL filter query and when at least 10 events are seen with the same Source Address, Log Source and different Filename (custom) in 5 minutes
This rule works the same way for any log source type (including custom types), as long as QRadar parses the Filename and the event is classified in any of the following categories: Audit.File Download Attempt, Audit.File Download Failure, Audit.File Download Success, Audit.Object Download Attempt, Audit.Object Download Failure, Audit.Object Download Success.
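The rule quoted above (in the "Is there a way to catch when a normal behavior becomes suspicious?" scenario and again here) combines three mechanisms: a category test, an AQL exclusion filter, and a counting threshold over a time window. The following Python simulation is an added example, not code from the content extension or from QRadar; it assumes a constructed network hierarchy for NETWORKNAME(), constructed events from a hypothetical "SharePoint" log source, and that the "detected by the Local system" test is satisfied. Resetting the counter after the rule fires is a design choice of the example so that one burst produces one hit.

```python
"""Simulation of the 'Excessive File Downloads Events From the Same Source IP' rule (added example, not QRadar code)."""
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Low-level categories the page lists for BB:CategoryDefinition: Object Download Events.
DOWNLOAD_CATEGORIES = {
    "Audit.File Download Attempt", "Audit.File Download Failure", "Audit.File Download Success",
    "Audit.Object Download Attempt", "Audit.Object Download Failure", "Audit.Object Download Success",
}

# Constructed stand-in for the QRadar network hierarchy consulted by NETWORKNAME().
NETWORK_HIERARCHY = {"Net_172_16_0_0": ipaddress.ip_network("172.16.0.0/12")}


@dataclass
class Event:
    timestamp: datetime
    log_source: str
    category: str
    source_ip: str
    destination_ip: str
    filename: str   # Filename (custom) property, "N/A" when not parsed


def network_name(ip: str):
    """Return the network hierarchy name containing ip, or None (mimics NETWORKNAME)."""
    addr = ipaddress.ip_address(ip)
    for name, net in NETWORK_HIERARCHY.items():
        if addr in net:
            return name
    return None


def in_cidr(cidr: str, ip: str) -> bool:
    """Mimics INCIDR(cidr, ip)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def passes_aql_filter(ev: Event) -> bool:
    # NOT ((NETWORKNAME(destinationip)='Net_172_16_0_0') OR (INCIDR('192.168.2.0/24', sourceip)))
    return not (network_name(ev.destination_ip) == "Net_172_16_0_0"
                or in_cidr("192.168.2.0/24", ev.source_ip))


class ExcessiveDownloadDetector:
    """At least `threshold` events with the same Source Address and Log Source but
    different Filename inside a sliding `window`."""

    def __init__(self, threshold=10, window=timedelta(minutes=5)):
        self.threshold = threshold
        self.window = window
        self._seen = defaultdict(deque)   # (source_ip, log_source) -> deque[(timestamp, filename)]

    def process(self, ev: Event) -> bool:
        """Feed one event (in timestamp order); return True when the rule fires."""
        if ev.category not in DOWNLOAD_CATEGORIES or ev.filename == "N/A" or not passes_aql_filter(ev):
            return False
        bucket = self._seen[(ev.source_ip, ev.log_source)]
        bucket.append((ev.timestamp, ev.filename))
        while bucket and ev.timestamp - bucket[0][0] > self.window:   # drop events outside the window
            bucket.popleft()
        if len({name for _, name in bucket}) >= self.threshold:      # distinct filenames only
            bucket.clear()   # reset so one burst yields one hit (example design choice)
            return True
        return False


def make_events():
    """Constructed sample traffic: one real burst, one excluded subnet, one repeated file, one slow reader."""
    t0 = datetime(2020, 9, 1, 9, 0, 0)
    ev = []
    for i in range(12):   # 12 distinct downloads in 2 minutes -> fires on the 10th
        ev.append(Event(t0 + timedelta(seconds=10 * i), "SharePoint", "Audit.File Download Success",
                        "10.0.0.5", "203.0.113.10", f"doc_{i}.pdf"))
    for i in range(12):   # same burst from 192.168.2.0/24 -> removed by the AQL filter
        ev.append(Event(t0 + timedelta(seconds=10 * i), "SharePoint", "Audit.File Download Success",
                        "192.168.2.7", "203.0.113.10", f"doc_{i}.pdf"))
    for i in range(12):   # the same file downloaded 12 times -> only one distinct filename
        ev.append(Event(t0 + timedelta(seconds=10 * i), "SharePoint", "Audit.File Download Success",
                        "10.0.0.9", "203.0.113.10", "handbook.pdf"))
    for i in range(12):   # 12 distinct files over an hour -> never 10 inside 5 minutes
        ev.append(Event(t0 + timedelta(minutes=5 * i), "SharePoint", "Audit.File Download Success",
                        "10.0.0.11", "203.0.113.10", f"slow_{i}.pdf"))
    return ev


def run(events=None):
    """Return (timestamp, source_ip) pairs at which the rule fires."""
    detector = ExcessiveDownloadDetector()
    events = make_events() if events is None else events
    return [(e.timestamp, e.source_ip) for e in sorted(events, key=lambda e: e.timestamp)
            if detector.process(e)]


if __name__ == "__main__":
    for when, src in run():
        print(f"{when.isoformat()} excessive downloads from {src}")
```

Only the 10.0.0.5 burst fires: the 192.168.2.0/24 host is carved out by the AQL filter, the repeated handbook.pdf never reaches ten distinct filenames, and the slow reader never has ten inside any five-minute window. That is why, as the text notes, the rule transfers unchanged to any log source type: everything it depends on is the category mapping and a parsed Filename property.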
Custom Property placeholders are meant to be reused to adapt the content to any environment.
Custom Event Properties UI:
DSM Editor:
As with every content pack we build, we try to make it general enough to work with as many environments and devices as possible, but also precise and smart enough to make it easy to adapt to your needs.
The topic is so wide that this pack obviously doesn't cover all the use cases related to data exfiltration, but it is a good base to get you started. We're open to any suggestion for additional use cases to cover in this pack.
Please find the latest version of the IBM QRadar Data Exfiltration Content Extension on the App Exchange and don't hesitate to give us any feedback or ideas: these packs are built for you, so tell us what you need.
If you are interested in reading more about QRadar Security Content, you can find the complete list of blog entries here.