StealthWatch v6.5 – Data Hoarding by Matt Robertson

StealthWatch 6.5 – Data Hoarding

Certain high-profile data thefts in recent years have consisted of an attacker who maintained an operational presence inside an enterprise’s security perimeter and slowly collected data over a period of time before taking that data offsite. In many of these cases valid credentials were used to perpetrate the theft. In version 6.5 of the Lancope's StealthWatch System we have introduced new security algorithms to help detect these types of activities, known as data hoarding.

The first new algorithm, Suspect Data Hoarding, detects systems that have downloaded an unusually large amount of data from one or more hosts. The concept is illustrated in the below figure: 


Suspect Data Hoarding

The second new algorithm, Target Data Hoarding, detects systems that have unusually large amounts of data downloaded from them by one or more hosts. The concept is illustrated in the below figure:


Target Data Hoarding

Like most of the algorithms in the StealthWatch System, the above algorithms are both behavior and policy based. This means that a security event can be triggered on the occurrence of anomalous activity or by data transfers that exceed a configurable threshold. In the below example the user “Danielle” has collected 1.7GB of data to her machine which has exceeded acceptable policy levels. 


Data Hoarding Example


The new Data Hoarding algorithms in version 6.5 of the StealthWatch System provide an automated way of detecting malicious hosts or users on the network that are slowly collecting vast amounts of data. This functionality can be invaluable to an organization in protecting its data and intellectual property from targeted attacks such as Advanced Persistent Threats or malicious insiders