Sensitive Data Exfiltration Prevention

Combine analytics and detection to get an insight into how data exfiltration happens and how it can be prevented


Critical business information exfiltration emerges one after another in a variety of ways by increasingly sophisticated means, causing more losses every year. Although many organizations have deployed DLP systems, they still experience spectacular false positives and compliance violation that can bypass DLP policies, making the systems not effective enough to prevent data breaches.
In response to deliberate or accidental leakage by insiders, stealing data through application system vulnerabilities, and many other unconventional data exfiltration scenarios, traditional protection approaches can do very little.

Frequent data breaches with great losses

Complex exfiltration scenarios hard to detect

Ineffective traditional protection approaches



Data exfiltration incident analysis and reinforcement

Analyze data breach routes and scenarios, build sensitive data loss incident detection models, define required data sources and detection methods (rules and algorithms), and clarify detection expectations.


Incident Analysis and Detection

Leverage technologies including cluster analysis, data access and transfer anomaly monitoring, and insider data breach analytics to analyze complex, advanced data exfiltration scenarios to accurately locate data breach incidents.


Incident Auditing and Provenance Tracking

Take advantage of the big data technology to rapidly track the provenance of sensitive data breaches and analyze the root cause and scenarios to improve the data loss detection modeling algorithms.

Risk Analysis and Security Reinforcement

Draw on customers’ business characteristics, data types and priorities to analyze in details the risks of the breach route and scenario.

Explain the data loss risk analytics results to help customers clarify and resolve preventive measures and reinforcement strategies.

Establish a data loss incident detection model for each scenario, define required data source and fields, and clarify detection expectations.

Incident Analysis and Detection

High-risk data loss incident analysis and detection

Uses clustering analysis to filter out raw information of data loss related events to minimize the workload for analyzing data loss incidents and improve accuracy.

Combines application logs, system logs, and security logs and use rule-based and correlation-based analytics for higher DLP alerting accuracy and fewer DLP false positives.

Data access and transfer anomaly detection

Analyzes the users, locations, time, frequency, and access times of core systems and data, to immediately identify anomalous accesses. For example, a user has opened a web link containing sensitive data for more times than required by business within a short time period.

Analyze the access paths to core systems and data, as well as the data flows, to monitor in real time the internal core data for breaches by any possible means. For example, an internal server sends an unsolicited email with links to an external mailbox that belongs to a rival company.

Insider data breach analytics

Create behavioral baselines regarding department, individual and asset for each user to associate user behavior with assets and use machine learning algorithms and pre-defined rules to find anomalous behavior that significantly deviate from a user’s behavioral baseline.

Leverage user behavior analytics to locate sensitive data movements associated with high-risk users, adding those actions as important contextual data to identify anomalous user behavior.

Incident Auditing and Provenance Tracking

Leverage the big data technology to store all traffic data as required by the customer and perform auditing, provenance tracking, and forensics on sensitive data breaches from the massive data.

Ride on the big data analytics platform to perform quick search queries for sensitive data breaches and locate security incidents by means of traffic restoration, session restoration, and file restoration.

Applicable Industry

  • Finance (Banking, Securities, Insurance)
  • Organizations with personal information protection needs
  • Large enterprises with trade credential needs
  • Institutions with IPR protection needs

Supported System

  • Business operational system
  • Host operating system
  • DLP
  • IAM

Application Scenario

  • Data exfiltration incident analysis and reinforcement
  • High-risk data loss incident analysis and detection
  • Data access and transfer anomaly detection
  • Insider data breach analytics
  • Data breach auditing and provenance tracking

Data Source

  • Application system logs
  • Server logs
  • Network traffic data
  • DLP alerts
  • IAM data
  • WAF/FW alerts

Compliance and Best Practice

  • China’s Cybersecurity Law
  • Classified Cybersecurity Protection Regulations 2.0
  • Instructions on protection of trade secrets
  • Requirements on protection of financial information
  • Measures for protection of personal information
  • GPDR

Customer Benefits

Low false positives and effective detection compared to legacy detection technologies

Proactive discovery of data exfiltration incidents undetectable by traditional defense approaches

Compliance with regulatory provisions

Application Cases

Insurance policy data exfiltration due to account breaches

Perform real-time monitoring and risk alerting for insurance policy data theft due to internal account hacks, infrequent illegal insurance policy queries by malicious insiders, and other means to cut off the root causes of insurance policy data exfiltration.

Data exfiltration due to application system vulnerabilities

Perform real-time monitoring for data breaches due to business logic flaws, insufficient user access privileges, and other reasons to proactively discover data loss incidents unable to be detected by traditional approaches.

High-risk data loss incident analysis and detection

Effectively filter out data loss related raw information to minimize the workload for analyzing data loss incidents, increase DLP incident alerting accuracy, and reduce DLP related false positives as well as false negatives.