
Skyhigh Security

About Data Exfiltration Anomalies

Limited Availability: To access the Data Exfiltration Anomalies, contact Skyhigh Support.

Data Exfiltration Anomalies represent activities that result from unauthorized or abnormal movement of data from the enterprise to external destinations, such as downloading data from Sanctioned services and uploading it to the Shadow services. It also detects activities within the organizations, such as mass downloads from Sanctioned services or access to data inconsistent with a user’s role, especially when sensitive or labeled files are involved. Severity of the threats increases with respect to DLP policy violations, Shadow service risks, and user risks.

Data exfiltration anomalies help organizations reduce insider risk and AI-driven data misuse by focusing on visibility into data leaving trusted environments when traditional controls are bypassed. These anomalies indicate malicious users within the organization who have unauthorized access to large amounts of data, or users who have access to data at risk of loss.

NOTE: You can access the data exfiltration anomalies only if you have configured Skyhigh Cloud Connector to unify user identities.

Key Benefits
  • Dynamic Detection. Moves beyond static thresholds by identifying sudden spikes in activity, role-inconsistent access, cross-domain transfers, and low-and-slow patterns that may indicate an intent to circumvent security controls. The result is proactive detection of data loss, clearer investigation context, and a faster, risk-aligned response across cloud, web, and user activity.
  • Increased Detection Accuracy. By focusing on behavioral patterns rather than fixed criteria, the detection capabilities significantly enhance signal quality, helping you pinpoint genuine threats while minimizing false positives. Unified UEBA intelligently compares a user's current activity against their historical behavior and that of their peers, ensuring a comprehensive understanding of normal operations.

This sophisticated approach allows your security team to respond proactively to potential data exfiltration attempts, ensuring the integrity of your sensitive information. 

Use Cases

  • Data exfiltration from Sanctioned to Shadow services. An employee with access to sensitive PII in a company’s SharePoint downloads multiple files and uploads them to their personal Gmail account, triggering a data exfiltration anomaly. The security operations center (SOC) team investigates by reviewing logs to identify attributes such as specific files, source and destination services, timestamps, and IP addresses involved. They utilize the User UID filter to view the complete list of user activities. This filter helps validate user behavior and impose access controls or restrictions to mitigate risk.

    This incident not only addresses the immediate threat but also leads to improved monitoring protocols, enhanced user education, and stricter access controls, reinforcing the organization’s commitment to data security.
  • Gradual low-and-slow exfiltration. An employee is gradually exfiltrating sensitive data by downloading files in small batches to evade detection by Data Loss Prevention (DLP) systems. The unified User and Entity Behavior Analytics (UEBA) continuously monitors this behavior, identifying the pattern of low-and-slow uploads to Shadow services over days or weeks. When such activities are detected, the Security Operations Center (SOC) team investigates the employee's activities and takes appropriate action, such as revoking access to sensitive files. Long-term tracking of these patterns enhances the organization's capability to prevent potential data breaches effectively.
  • Role-inconsistent data access. An employee with an HR role downloads a large volume of design documents from the organization's central repository. This activity raises significant concerns because it falls under both peer group deviation and cross-domain access anomaly. SOC teams can clearly detect and monitor such behavior and take appropriate action against misuse of legitimate access, which poses a potential threat to the organization's data security and integrity.
  • Mass downloads within the organization. An employee accesses a Sanctioned cloud application and downloads a large volume of files in a short timeframe. The SOC team flags this behavior as unusual because it deviates from the user's normal usage patterns. The team analyzes and investigates the flagged activity to determine the potential security risk. The risk is amplified if the downloads involve sensitive labeled files.
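The four use cases above are each a behavioral rule over per-user activity rather than a fixed threshold on a single event. The following script is an added example (not Skyhigh code and not the product's detection logic) that runs simplified versions of those rules over constructed activity records. The record format, the `sanctioned`/`shadow` service classification, the per-user download baselines, the role-to-data-domain profile and all thresholds are assumptions chosen for illustration.

```python
"""Toy detectors for the four data-exfiltration patterns described above.
Added example, not Skyhigh product code; record layout, baselines,
role profiles and thresholds are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample activity records (not real logs).
# Fields: timestamp, user, role, service, service_type, action, files, data_domain
ACTIVITY = [
    # Sanctioned -> Shadow transfer: download from SharePoint, upload to Gmail
    ("2024-05-06T09:00:00", "alice", "sales", "SharePoint", "sanctioned", "download", 12, "pii"),
    ("2024-05-06T09:20:00", "alice", "sales", "Gmail", "shadow", "upload", 12, "pii"),
    # Low-and-slow: three files a day to a shadow service, every day for a week
    *[(f"2024-05-0{d}T18:00:00", "bob", "eng", "Dropbox", "shadow", "upload", 3, "design")
      for d in range(1, 8)],
    # Role-inconsistent: an HR user pulling design documents
    ("2024-05-06T11:00:00", "carol", "hr", "Confluence", "sanctioned", "download", 40, "design"),
    # Mass download: an engineer who normally pulls ~10 files a day pulls 300
    ("2024-05-06T10:00:00", "dave", "eng", "SharePoint", "sanctioned", "download", 300, "design"),
    ("2024-05-06T11:00:00", "erin", "hr", "Workday", "sanctioned", "download", 5, "hr"),
]

# Assumed historical baseline: average files downloaded per user per day.
BASELINE_DAILY_DOWNLOADS = {"alice": 8, "bob": 5, "carol": 4, "dave": 10, "erin": 5}
# Assumed peer-group profile: data domains each role normally touches.
ROLE_DOMAINS = {"sales": {"pii", "sales"}, "eng": {"design"}, "hr": {"hr", "pii"}}


def parse(rec):
    ts, user, role, service, stype, action, files, domain = rec
    return dict(ts=datetime.fromisoformat(ts), user=user, role=role, service=service,
                stype=stype, action=action, files=files, domain=domain)


EVENTS = sorted((parse(r) for r in ACTIVITY), key=lambda e: e["ts"])


def sanctioned_to_shadow(events, window=timedelta(hours=1)):
    """Download from a sanctioned service followed, within `window`, by an
    upload to a shadow service by the same user (cross-service transfer)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        downloads = [e for e in evs if e["stype"] == "sanctioned" and e["action"] == "download"]
        uploads = [e for e in evs if e["stype"] == "shadow" and e["action"] == "upload"]
        for d in downloads:
            for u in uploads:
                if timedelta(0) <= u["ts"] - d["ts"] <= window:
                    hits.append((user, d["service"], u["service"], u["files"], d["domain"]))
    return hits


def mass_download(events, multiplier=10):
    """Daily download volume far above the user's own historical baseline."""
    daily = defaultdict(int)
    for e in events:
        if e["action"] == "download":
            daily[(e["user"], e["ts"].date())] += e["files"]
    return sorted({user for (user, _day), n in daily.items()
                   if n > multiplier * BASELINE_DAILY_DOWNLOADS[user]})


def low_and_slow(events, days=7, total_threshold=15, per_event_max=5):
    """Shadow uploads that are individually small (<= per_event_max files) but
    whose sum over any sliding window of `days` exceeds `total_threshold`."""
    by_user = defaultdict(list)
    for e in events:
        if e["stype"] == "shadow" and e["action"] == "upload" and e["files"] <= per_event_max:
            by_user[e["user"]].append(e)
    hits = set()
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            total = sum(x["files"] for x in evs[i:]
                        if x["ts"] - start["ts"] < timedelta(days=days))
            if total > total_threshold:
                hits.add(user)
                break
    return sorted(hits)


def role_inconsistent_access(events):
    """Downloads from a data domain outside the user's role peer-group profile."""
    return sorted({(e["user"], e["role"], e["domain"]) for e in events
                   if e["action"] == "download" and e["domain"] not in ROLE_DOMAINS[e["role"]]})


def run_all(events=EVENTS):
    return {
        "sanctioned_to_shadow": sanctioned_to_shadow(events),
        "mass_download": mass_download(events),
        "low_and_slow": low_and_slow(events),
        "role_inconsistent": role_inconsistent_access(events),
    }


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name}: {hits}")
```

Note how the rules differ in what they compare against: `mass_download` compares a user to their own history, `role_inconsistent_access` compares a user to their peer group, and `low_and_slow` deliberately ignores events a per-event DLP threshold would pass and only looks at the accumulated total. Each finding carries the user, services and data domain, which are the same attributes an analyst needs when pivoting on a user UID during investigation.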

View Data Exfiltration Anomalies

Use the procedure below to view data exfiltration anomalies along with the services from which files are downloaded and to which they are uploaded. Additionally, use the user UID to view the anomalous activities of a user across Shadow, Sanctioned, and Web services:

In the example below, a user has downloaded 100 files from SharePoint (Sanctioned service) and uploaded them to GitHub (Shadow service). 

  1. Go to Incidents > Anomalies > Anomalies.
  2. Select the Filters tab.
  3. Select the Data Exfiltration Anomaly checkbox from the Anomaly Type filter to view data exfiltration anomalies.
  4. Select any data exfiltration anomaly from the Anomaly table.

    (Screenshot: selecting a row from the Anomaly table)

  5. On the Anomaly Cloud Card, select File Downloaded to drill down and view specific download activities. When you drill down, you can view the source service name from which the files are downloaded.

    (Screenshot: File Downloaded drill-down showing 100 files)

  6. On the Anomaly Cloud Card, select Upload to drill down and view specific upload activities. When you drill down, you can view the destination service to which the files are uploaded.

    (Screenshot: Upload drill-down showing the destination service)

  7. Select the User UID filter from the Anomaly Cloud Card to view the complete list of anomalous activities across Shadow, Sanctioned, and Web services associated with the selected user UID.

    (Screenshot: User UID filter)

    (Screenshot: result of filtering by User UID)