This picture could replace a thousand words... But you've seen recently that I have a lot of things to say :) So let's talk about it! The Ponemon Institute "Cost of a Data Breach Report 2020", commissioned by IBM, reveals that the average cost of a data breach in 2020 is 3.86 million dollars. If you think about it, there are many ways for the cost of a data breach to increase very quickly. Obviously, the amount of information exfiltrated plays a big role in that cost, but the type of data is also a significant factor. Customer information, employee information and other PII are precious in terms of competition and regulation (e.g. GDPR). This sort of information sells for a lot on the black market and is therefore actively sought after. And what about stolen intellectual property? It could simply lead to disaster for a company...
280 days is the average time to discover and contain a data breach... You know it: you need to monitor for potential exfiltration of data! But where to look? What to look at? Data exfiltration is one of the most complex behaviors to monitor, precisely because it is so hard to know where to look.
Disgruntled employees, human error or misconfiguration, phishing, malware: these are all potential sources of exfiltration. File shares, databases, laptops, mailboxes: the list of places to monitor could be shortened to "everything" in the infrastructure.
Ok, I’ll stop with the bad news, and bring some good news! The IBM QRadar Data Exfiltration Content Extension can help you to get more visibility to manage this risk, with the least configuration possible.
In this blog we are going to answer a few questions with scenarios included in the content pack, such as:
The IBM QRadar Data Exfiltration Content Extension is meant to work with many device types such as Cloud, Mail, Proxy, Firewall, IDS/IPS and DLP, covering as much of the perimeter as possible (let's meet at the "QRadar Configuration" --> "Properties" section for more details on the content covered by default).
Adding the name of each sensitive file to a rule or reference set is an almost impossible task. And what about when the filename is changed for some reason? The Files in Sensitive File Directories rule takes care of the problem.
The only prerequisite is to populate the Sensitive File Paths reference set with the locations of the folders that contain sensitive files. The rule then automatically adds the names of the files seen in events related to the locations you identified to another reference set.
With this rule, monitoring sensitive files becomes very easy.
The IBM QRadar Data Exfiltration Content Extension provides rules to watch for sensitive files shared with a guest user or group in a cloud environment such as AWS or Office 365.
It also contains a rule to monitor if a sensitive file is being uploaded to a publicly accessible folder.
Or simply shared outside of the organization.
Note: once again, you don't need to feed QRadar all the email addresses of your organization; simply populate the Building Block with the domain name(s) used by the company and let QRadar do the rest.
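To make the two-step idea concrete (folders in one reference set, file names learned from events into a second set, then a "shared outside the company domains" check), here is an added illustration in Python. It is not QRadar's own rule logic; the folder paths, domains and events are constructed placeholders.

```python
"""Added illustration, not QRadar code: learn sensitive file names from
the folders in a 'Sensitive File Paths' set, then flag those names when
shared with a recipient whose domain is not one of the company's."""
import posixpath
from collections import namedtuple

# Constructed reference data (placeholders, not a real configuration)
SENSITIVE_FILE_PATHS = {"/finance/payroll", "/legal/contracts"}
COMPANY_DOMAINS = {"example.com", "example.co.uk"}  # the 'Building Block' domains

Event = namedtuple("Event", "category path shared_with")

def learn_sensitive_filenames(events, sensitive_paths):
    """Mimic the rule that copies file names seen under sensitive folders
    (or their sub-folders) into a second reference set."""
    learned = set()
    for ev in events:
        folder = posixpath.dirname(ev.path)
        if any(folder == p or folder.startswith(p + "/") for p in sensitive_paths):
            learned.add(posixpath.basename(ev.path))
    return learned

def external_domain(address, company_domains):
    """True when the recipient's mail domain is not a company domain."""
    return address.rsplit("@", 1)[-1].lower() not in company_domains

def find_external_shares(events, sensitive_names, company_domains):
    """Return (filename, recipient) pairs for learned sensitive files that
    were shared outside the organisation, wherever the file now lives."""
    hits = []
    for ev in events:
        name = posixpath.basename(ev.path)
        if (ev.category == "File Share" and name in sensitive_names
                and ev.shared_with and external_domain(ev.shared_with, company_domains)):
            hits.append((name, ev.shared_with))
    return hits

# Constructed sample events: the payroll sheet is later shared from a home folder
EVENTS = [
    Event("File Access", "/finance/payroll/q3_salaries.xlsx", None),
    Event("File Access", "/legal/contracts/2020/nda_acme.pdf", None),
    Event("File Access", "/public/brochure.pdf", None),
    Event("File Share", "/home/bob/q3_salaries.xlsx", "partner@outside.example.net"),
    Event("File Share", "/home/bob/brochure.pdf", "partner@outside.example.net"),
    Event("File Share", "/shared/nda_acme.pdf", "alice@example.com"),
]

if __name__ == "__main__":
    names = learn_sensitive_filenames(EVENTS, SENSITIVE_FILE_PATHS)
    print(find_external_shares(EVENTS, names, COMPANY_DOMAINS))
```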
Yes! Take advantage of your flows to monitor large outbound data transfers to an external storage website or a suspicious destination. The IBM QRadar Data Exfiltration Content Extension includes 6 event searches and 5 flow searches that can be used to create anomaly rules and help you detect when a behavior is suspicious.
The searches do not only monitor obvious exfiltration of data; they also account for slow exfiltration of data over several days.
Note: These searches are available for both flows and events!
Seeing authorized access to 1 or 2 documents in the same location seems absolutely normal; seeing 10 or 15 of them in a short period of time suddenly becomes more suspicious.
Catch anomalies in file access or download with 4 rules that track whether a user is engaging in reconnaissance behavior or is actively downloading an abnormal number of documents.
The IBM QRadar Data Exfiltration Content Extension, with its 35 rules and 11 saved searches, provides a wide set of rules and tools to monitor potential exfiltration of data efficiently.
Download and install the DSM relevant to your environment via Auto-Updates or Fix Central.
The content pack contains some rules based on reputation. Enable X-Force to benefit from these rules.
The IBM QRadar Data Exfiltration Content Extension is available on the App Exchange.
The pack contains Custom property definition placeholders. This means that you can copy the Custom Properties provided and adapt them to your environment by adding expressions under that definition. You can also download our sets of Custom Properties identified below.
Many Custom Properties have been developed for the devices covered by the IBM QRadar Data Exfiltration Content Extension. To get the list of what is available, just search for the device type you are looking for on the App Exchange.
The IDS/IPS devices we built properties for are:
The cloud devices we built properties for are:
The proxy devices we built properties for are:
The email devices we built properties for are:
We keep releasing new properties to offer better device coverage, so don't hesitate to have a look from time to time!
Let's take the example of the Excessive File Downloads Events From the Same Source IP rule.
This rule works the same way for any log source type (including custom types), as long as QRadar parses the Filename and the event is classified in any of the following categories: Audit.File Download Attempt, Audit.File Download Failure, Audit.File Download Success, Audit.Object Download Attempt, Audit.Object Download Failure, Audit.Object Download Success.
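The counting behind such a rule, as an added Python illustration (not QRadar's implementation): only events in the six categories above and with a parsed Filename are counted, per source IP, inside a sliding time window. The threshold of 5 events and the 5-minute window are assumptions; the sample events are constructed.

```python
"""Added illustration of an 'excessive downloads from one source IP' rule.
Not QRadar code: threshold and window are assumed, categories are the ones
the post lists, and the events are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

DOWNLOAD_CATEGORIES = {
    "Audit.File Download Attempt", "Audit.File Download Failure",
    "Audit.File Download Success", "Audit.Object Download Attempt",
    "Audit.Object Download Failure", "Audit.Object Download Success",
}
THRESHOLD = 5                   # assumed: fire on the 5th counted download ...
WINDOW = timedelta(minutes=5)   # ... seen within 5 minutes from one source IP

def excessive_downloads(events, threshold=THRESHOLD, window=WINDOW):
    """events: dicts with 'time' (datetime), 'src_ip', 'category', 'filename'.
    Returns (src_ip, time) pairs at which the threshold was reached.
    Events without a parsed Filename or outside the download categories are
    ignored, matching the rule's preconditions described above."""
    recent = defaultdict(deque)  # src_ip -> timestamps still inside the window
    offenses = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["category"] not in DOWNLOAD_CATEGORIES or not ev.get("filename"):
            continue
        q = recent[ev["src_ip"]]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:   # drop timestamps that aged out
            q.popleft()
        if len(q) == threshold:                   # fire once per burst
            offenses.append((ev["src_ip"], ev["time"]))
    return offenses

def _ev(minute, src_ip, category, filename):
    return {"time": datetime(2020, 11, 2, 9, minute), "src_ip": src_ip,
            "category": category, "filename": filename}

# Constructed sample: a 5-file burst from one IP, a slow trickle from another
SAMPLE = (
    [_ev(m, "10.0.0.5", "Audit.File Download Success", f"doc{m}.docx") for m in range(5)]
    + [_ev(2, "10.0.0.5", "Audit.File Download Attempt", None)]      # no Filename parsed
    + [_ev(m, "10.0.0.9", "Audit.File Download Success", f"r{m}.pdf") for m in (0, 10, 20)]
    + [_ev(1, "10.0.0.9", "Not.A.Download.Category", "r.pdf")]       # constructed, ignored
)

if __name__ == "__main__":
    print(excessive_downloads(SAMPLE))
```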
As with every content pack we build, we try to make it general enough to work with as many environments and devices as possible, but also precise and smart enough that adapting it to your needs is easy.
The topic being so wide, this pack obviously doesn't cover all the use cases related to data exfiltration, but it is a good base to get you started. We're open to any suggestions for additional use cases to cover in this pack.
Please find the latest version of the IBM QRadar Data Exfiltration Content Extension on the App Exchange, and don't hesitate to give us any feedback or ideas; these packs are built for you, so tell us what you need.