
Data theft and data exfiltration: Understanding the difference
Data theft and data exfiltration are often used interchangeably, but they shouldn’t be. Understanding what each term refers to is important for anyone responsible for protecting an organization’s data. The distinction clarifies the scope and range of options for different approaches to protecting data.
Data theft
Data theft is a broad signifier, referring to any unauthorized access to and extraction of data. This includes technical means, but it can also be as simple as stealing a hard drive or copying a file to a thumb drive.
Data exfiltration
Data exfiltration refers very specifically to the process in which certain sophisticated cyberthreats access data and transfer it to a remote system under criminal control. It does not refer to the theft itself, but rather to the technical means of removing the stolen data without being detected.
Ransomware
Ransomware is a still-growing threat, and it has evolved. Unlike early versions that encrypted victims’ data in place, modern ransomware often finds and exfiltrates valuable data before encrypting the original. Modern criminals demand ransom not only for restoration of encrypted data, but also for not releasing the stolen data to the public.
This means that even with a great backup system that lets you restore encrypted data without the crooks’ help, you still need to pay them to keep the data private — assuming they even come through on their promise. So as ransomware develops, it’s becoming even more important to be able to detect and block attempts to exfiltrate data from your network.
Fighting data exfiltration
A modern network security platform that includes next-generation firewall capabilities like Barracuda Network Protection is critical to detecting and stopping data exfiltration. These solutions typically include advanced data loss prevention (DLP) capabilities. By monitoring all outbound traffic and applying policies based on the content of the traffic, DLP can be very effective in preventing sensitive or critical data from being exfiltrated from your network.
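As an added illustration (not Barracuda's code and not part of the original post), here is a minimal sketch of a content-based DLP policy: it inspects an outbound payload for card and SSN-style identifiers, uses the Luhn checksum to discard digit runs that are not card numbers, and returns allow, alert or block. The function names, the threshold, the policy rules and the sample payloads are constructed assumptions, and the payload is assumed to be already decrypted and decoded text.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# SSN-style identifiers (format check only).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order numbers and other random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def inspect(payload: str) -> dict:
    """Count sensitive matches in one outbound payload."""
    cards = [re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(payload)]
    return {
        "card": sum(1 for c in cards if luhn_ok(c)),
        "ssn": len(SSN_RE.findall(payload)),
    }


def decide(payload: str, internal_dest: bool, block_at: int = 3) -> str:
    """Hypothetical policy: a single hit leaving the network raises an alert,
    a bulk export (block_at or more hits) is blocked."""
    hits = sum(inspect(payload).values())
    if hits == 0 or internal_dest:
        return "allow"
    return "block" if hits >= block_at else "alert"


# Constructed sample payloads (published test card numbers, made-up names).
SAMPLE_EXPORT = ("name,card,ssn\n"
                 "A. Example,4111 1111 1111 1111,078-05-1120\n"
                 "B. Example,5555555555554444,219-09-9999\n")
SAMPLE_INVOICE = "Invoice 1234567890123456 paid; thanks"
SAMPLE_SINGLE = "Please charge 4012-8888-8888-1881 for the renewal"
```

The invoice number has the same shape as a card number but fails the Luhn check, which is the kind of validation that keeps a content policy from blocking ordinary business traffic.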
A strong network protection platform should also scan all internal and outbound traffic for known malware signatures, including known command-and-control malware that is responsible for moving your data. For this to be effective, it is important to keep your solution updated with the latest signatures. With cloud-hosted SaaS network protection, there is no need to worry about updates, which are performed at the server.
More advanced, machine-learning-based analysis of internal traffic can detect and stop attempts by embedded malware to spread laterally within your network prior to exfiltrating your data.
Fighting data theft
Protecting your data against theft and loss requires a multilayered approach. At a high level, it’s critical to encourage a culture of security across the organization. Establish standard practices that reduce opportunities for data theft, and refine and enforce your existing access controls. Consider implementing a Zero Trust infrastructure like Barracuda Zero Trust Access to provide access controls that are far more effective than single sign-on and multifactor authentication schemes.
Software supply-chain security
To keep the intrusions that can lead to exfiltration to a minimum — to address the risks of data theft — you need to cover a variety of vectors, including third-party software and your own exposed applications and APIs.
Instituting strong software supply-chain security involves a number of policies and strategies working together, but one of the keys is to reduce vendor sprawl. With fewer vendors comes a much smaller, less complex supply-chain attack surface.
It’s critical to keep all your software fully patched and up to date. As soon as vulnerabilities are discovered, crooks go to work on exploiting them, so you should be applying new security patches immediately and automatically.
Your own operationally critical online apps can be an especially pernicious vector for supply-chain attacks leading to data theft. Crooks who can compromise just one of the commonly used third-party libraries and subroutines can potentially compromise all the apps that call it — and penetrate their networks.
One key step to minimize this risk is to encourage a cultural shift within Dev/Ops that centers security at all steps in the process. This can be a significant challenge that requires a lot of coordinated and consistent efforts over time. According to Mike Vizard in this post, there is cause for optimism.
Application and API protection
An advanced, modern web application and API protection (WAAP) platform, like Barracuda Application Protection, can address a lot of emerging risks of data theft associated with the fast pace at which organizations have been deploying APIs.
Many organizations have lost track of how many APIs they have out there, what they all do, or where they all might be — and whether they might harbor vulnerabilities. Intelligent API discovery capabilities automatically find them all and put them at your fingertips.
Your WAAP solution should also find and automatically patch all vulnerabilities in your deployed apps — OWASP Top Ten and many others. It should also contribute to the cultural shift mentioned above, by integrating into dev processes and eliminating vulnerabilities well before apps go into production.
And it should have advanced capabilities to detect sophisticated human-seeming bots, provide full-spectrum DDoS protection, and optimize application delivery.
Multi-vector protection
A lot of the most sophisticated attempts to get into your network and steal data leverage multiple vectors, so ultimately you want to have them all covered with integrated solutions that share threat data in real time. A truly comprehensive cybersecurity platform is the best way to keep data thieves at bay, minimize data exfiltration attempts, and defeat many other types of cyberattack.
