Skip to main content
Data Exfiltration Prevention Gaps

When Your Data Walks Out: Gaps in Exfiltration Prevention

Data exfiltration prevention is one of those things that sounds straightforward until you try to do it. You set up a DLP tool, write some rules, and hope nothing leaks. But anyone who's worked in security ops knows the reality: alerts pile up, false positives drain your team, and the clever exfiltration paths — encrypted tunnels, steganography, slow drips over weeks — often slip through anyway. This isn't about blaming the tools. It's about understanding the structural gaps that exist in even well-funded prevention programs. Because the threat model keeps shifting, and the gaps you don't know about are the ones that get you. Where Data Exfiltration Shows Up in Real Work Insider threats in finance and healthcare A loan officer at a mid-size credit union decides to leave.

Data exfiltration prevention is one of those things that sounds straightforward until you try to do it. You set up a DLP tool, write some rules, and hope nothing leaks. But anyone who's worked in security ops knows the reality: alerts pile up, false positives drain your team, and the clever exfiltration paths — encrypted tunnels, steganography, slow drips over weeks — often slip through anyway. This isn't about blaming the tools. It's about understanding the structural gaps that exist in even well-funded prevention programs. Because the threat model keeps shifting, and the gaps you don't know about are the ones that get you.

Where Data Exfiltration Shows Up in Real Work

Insider threats in finance and healthcare

A loan officer at a mid-size credit union decides to leave. Before she hands in her resignation, she exports the full mortgage pipeline — 1,400 borrower records with Social Security numbers, credit scores, and property addresses — into a single CSV, emails it to her personal Gmail, and deletes the sent folder. I have seen this exact pattern play out in three separate organizations. No malware required, no suspicious outbound traffic to a foreign IP. Just someone who knew exactly where the data lived and had legitimate access. The tricky part is that insider exfiltration rarely looks like a heist. It looks like a Tuesday. In healthcare, the scenario gets worse: a nurse prints patient intake forms for a side gig, or a radiologist downloads images to show a colleague at a competing hospital. The files aren’t stolen — they’re borrowed. But once they leave the network boundary, control evaporates. That hurts.

What usually breaks first is the assumption that data loss prevention (DLP) rules will catch everything. Most teams skip this: DLP triggers on patterns — ten credit cards in a file, continuous uploads to a cloud drive — but a single PDF of a patient list looks like routine work. Wrong order. The exfiltration happens before the alert fires, or the alert fires and nobody reads it. The catch is that insider threats exploit the gap between policy and practice: you can block USB drives, but you can't block a person’s eyes and memory — or their phone camera pointed at a screen. One hospital I worked with found a departing researcher had photographed 200 chest X-rays over three weeks using his personal iPhone. No log captures that.

Cloud misconfigurations that leak data

Not every exfiltration is malicious. Some is just sloppy. An engineer sets up an S3 bucket for a new analytics pipeline, marks it public for testing, and forgets to flip the toggle. That bucket holds seven terabytes of customer transaction logs — names, purchase histories, partial credit card numbers. Within twelve hours, a researcher’s automated scanner finds it. The data is now mirrored on three other continents. I fixed this once by finding the bucket before the scanner did — pure luck. Most teams don’t get that chance. The painful reality is that cloud misconfigurations account for a staggering number of exfiltration events, yet they never involve a villain. They involve tired engineers, incomplete IaC templates, and permissions that default to wide-open.

'We spent six months building encryption at rest. Then someone left a CSV in a public Google Drive folder.'

— Head of Security, fintech startup

The risk compounds when organizations treat misconfigurations as infra problems rather than data problems. Security teams monitor firewalls; DevOps manages bucket policies. The data itself floats between them, invisible until it’s gone. That sounds fine until the seam blows out — a third-party CI/CD tool gets read access to a bucket, pulls the data for testing, and writes it to a log server that lacks authentication. One misstep in a chain of ten. You lose a day of forensics just figuring out which link snapped.

Supply chain and third-party access risks

Here the attacker rarely touches your network at all. A marketing agency managing your ad campaigns has access to a Snowflake view of customer email addresses and purchase behavior. They subcontract the analytics to a firm in Southeast Asia. That firm uses a shared Slack workspace where a developer pastes a SQL query result containing 40,000 rows. The data is now in Slack’s cloud, visible to anyone with the link, and indexed by Google within hours. The original company never knew. Supply chain exfiltration is exfiltration without a perimeter — the data walks out through a partner’s partner’s mistake. The real kicker is that contracts rarely cover this flow. Legal writes NDAs; nobody audits how the data moves between sub-processors. Maintenance, drift, and the long-term cost of prevention all start right here: you can't protect data you don’t know is moving. Next time, test one partner’s data-handling practices yourself. Call their support line, ask how they revoke access for terminated employees, and time how long the answer takes. That gap is your real exposure.

Foundations Readers Usually Get Wrong

Confusing data classification with DLP

Most teams buy a DLP tool and assume the hard part is done. Wrong order. I have watched companies spend six figures on Symantec or Forcepoint, throw a few PCI/HIPAA regexes into production, and call it a day. The real gap? Their classification schema is a wish list, not a detection surface. Classification tells you what sits on a file share; DLP must tell you how it moves. Those are different problems. A credit-card regex catches plaintext PANs but misses the same number base64-encoded inside a JSON payload. That hurts. The tool flagged nothing because the pattern changed form—same data, new container. Teams then blame the vendor, but the root cause is treating classification as a synonym for prevention. It isn't.

Over-reliance on signature-based detection

The signature model works great for malware hashes. For data exfiltration, it leaks like a sieve. Attackers don't send a file named 'customer_list_final.xlsx' anymore—they split it into 200-byte chunks, pad each one with random whitespace, and stream them over WebSocket to a burner domain. No signature fires. I fixed this once by adding a simple Shannon-entropy threshold on outbound traffic; we caught eight compressed CSV dumps in the first week. Signatures give you confidence in the demo, then decay the moment a creative adversary changes one delimiter. The tricky part is that signatures feel scientific. Engineers trust them. But trust math built on yesterday's patterns—entropy, protocol abnormality, timing variance—and you catch what the signature author never imagined.

“We blocked the transfer of one file. The attacker moved forty-two pieces of that file over six hours using ICMP echo requests.”

— incident responder, post-mortem at a mid-market fintech

Field note: data plans crack at handoff.

Field note: data plans crack at handoff.

Ignoring encrypted and compressed channels

Encryption is the elephant every DLP admin hopes will stay in the corner. It won't. TLS 1.3 means the tool sees a blob of random bytes—no content inspection unless you MITM every connection, which breaks half the SaaS integrations your sales team relies on. And internal traffic? SSH tunnels, WireGuard overlays, even simple gzip+base64 over HTTPS: all invisible to standard DLP agents. What usually breaks first is the compressed archive inside an encrypted session. A 10 KB ZIP file balloons to 50 MB raw after decryption, but the tool never sees the contents because the outer layer was TLS. The only fix I've seen work is behavioral baselines on volume, frequency, and destination reputation—not content. If a developer's workstation starts pumping 300 MB/hour to a fresh DigitalOcean droplet at 3 AM, you don't need to read the payload. You need to kill the flow. Most teams skip this because it requires tuning per environment. That said, tuning is cheaper than leaking 50,000 records while your classifier waits for a plaintext match that never comes.

Patterns That Actually Cut Exfiltration Risk

Content-aware inspection with context

Most teams skip this: they buy a DLP tool, load fifty keywords like 'SSN' and 'confidential', and call it done. That catches nothing useful. The real trick is building rules that understand where data lives and who is handling it. I have seen a healthcare org plug a regex for patient IDs into their email gateway and block every lab report for three weeks. The catch—they had no context filter. A doctor sending a referral to a specialist: allowed. A marketer exporting the same file to a personal Gmail: stop. Context-aware inspection looks at sender role, recipient domain, attachment type, and the surrounding metadata. Worth flagging—this approach forces you to tag data at creation, which is painful. Without those tags, the engine guesses. And guesses fail at scale.

What does this look like in practice? You write a rule that says 'if file contains ICD-10 code AND destination is outside corporate tenant AND sender role != clinician, block.' That's not magic. It's tedious, precise work. The payoff? False positives drop by something like sixty percent—fast enough that users stop screaming at IT. The pitfall: teams drown in rule maintenance. Every new department, every acquired company, every SaaS integration adds exceptions. The rulebase rots. So you pair it with something that adapts without humans.

User and entity behavior analytics (UEBA)

Rules are static. Behavior changes. UEBA watches the rhythm: what time does the finance team usually export CSV files? How many rows? To which tool? When that rhythm breaks—a junior accountant pulling 50,000 records at 3 a.m.—the system flags it. That's the pattern that actually cuts exfiltration risk. I fixed a gap once where a contractor authenticated from a hotel in Singapore and downloaded the entire customer database thirty minutes after onboarding. No keyword DLP would have caught it—the file was named 'report_2024_Q1.csv,' all clean terms. The anomaly was the context: never accessed from APAC before, first day on the job, bulk extract. UEBA caught it in the next cycle.

The tricky part is baseline time. Most UEBA deployments need two to four weeks of clean data before they know 'normal.' During that window you're blind. Worse: if your org has seasonal spikes—quarterly closes, audit prep—the baseline shifts. Teams then tune thresholds too aggressively and the system goes silent. That hurts. One rhetorical question worth asking: can your team tolerate a month of training data with zero detection? Some can't. They revert to static rules before the engine learns.

Zero-trust network access and microsegmentation

Segmentation feels old-school. It's not. The gap most orgs miss is lateral movement inside the perimeter. Once data reaches an application server, it can often flow horizontally to any other server in the same subnet. That's where exfiltration hides—not at the edge, but inside. Microsegmentation locks down east-west traffic. A database server should talk only to the app tier, and only on port 5432. Not SSH. Not ICMP. Nothing else. When you shrink the blast radius, even a compromised credential can't move data sideways to a staging host that sends it out.

Zero-trust takes this further: no implicit trust based on network location. Every request—even from a known machine in the same rack—gets authenticated and authorized. Sounds exhausting. It's. The trade-off is operational complexity. Teams often disable policies when a microservice breaks because a rule was too narrow. What usually breaks first is DNS. Or certificate expiry. Or a startup order dependency. The pattern that works is incremental: start with a single critical asset, prove it stabilizes, then expand. Not yet a full zero-trust deployment—but better than the flat network that lets data walk out the side door.

‘We blocked lateral movement to three servers. Our data loss went from weekly incidents to two in six months. The cost was two weeks of broken app deploys.’

— Engineer at a mid-size retail company, post-mortem on a segmentation rollout

Anti-Patterns That Make Teams Revert to Old Ways

Blocking everything and drowning in false positives

The instinct is understandable—lock every door, flag every outbound attachment, and quarantine anything that smells like a social security number. I have watched teams flip every toggle in their DLP console on day one, convinced that maximal coverage equals maximal safety. The tricky part is that real work doesn't cooperate. Sales teams send customer lists to partners every Tuesday. Engineering pushes debug logs containing production IPs to external SIEMs. Block those, and you get a flood of tickets, a mutinous user base, and, eventually, a security director who quietly asks: 'Can we just turn that rule off for now?' The result is a switch from 'alert everything' to 'alert nothing' inside six months—the worst possible outcome. A false-positive rate above 5% in a high-volume org triggers bypass workflows faster than any attacker could. Worth flagging—the teams that avoid this pitfall start with a two-week observation period of logging-only mode. They learn what normal looks like before they start breaking it.

Flag this for data: shortcuts cost a day.

Flag this for data: shortcuts cost a day.

Ignoring shadow IT and unmanaged devices

Most endpoint DLP agents cover the corporate fleet. They miss the laptop a contractor brings in, the iPad a VP uses to check Slack from the manufacturing floor, and the dozen personal phones that have company email configured but no management profile. One healthcare client I worked with had perfect DLP coverage on their 2,000 Windows machines. Meanwhile, a radiologist was uploading imaging data to a free cloud-storage account from an Android tablet—no agent, no policy, no visibility. The catch is that agents-only strategies create a false sense of closure. Teams review dashboards that show 98% endpoint coverage and declare victory. Shadow IT eats the remaining 2% for lunch, often through browser-based exfiltration that no agent even watches. Unmanaged devices don't run your policies. They run personal apps, personal browsers, and personal judgment. Until you gate access at the identity-and-risk layer—conditional access policies, device posture checks on every authentication—the agent-only approach leaves a back door wide open.

We spent six months tuning our endpoint rules. Someone copied the entire customer database to a personal Google Drive from an unmanaged phone in the parking lot.

— CISO at a mid-market SaaS firm, after their annual audit revealed the gap

Relying solely on endpoint DLP agents

Not yet retired, but certainly fading. Endpoint agents see what happens on the machine: copy-paste, USB transfers, print-to-PDF. They're blind to what happens after data leaves the device—the web upload that happens via a browser extension, the API call that streams data directly to a B2B integration tool, the SSH tunnel that pushes a dump to a foreign server. The anti-pattern is assuming that because you have an agent on every box, you have exfiltration covered. That sounds fine until the exfiltration path never touches the endpoint filesystem. Browser-based SaaS apps, headless CI/CD pipelines, and managed file-transfer services all bypass the local agent entirely. A better pattern pairs endpoint monitoring with network-layer detection (DNS, TLS SNI, and cloud-access-security-broker inspection) plus user-behavior analytics that flags abnormal data volumes at the application layer. Every organization I have seen revert to old-school perimeter blocking did so because their agent-only DLP generated too much noise for too little actual interception—and the cloud apps kept flowing anyway. The next action: audit your top five SaaS integrations for direct data-ingress patterns that never hit a local drive. Build a small detection rule for each, even if logging-only, before you layer on any blocking. That baseline alone kills the blind spot.

Maintenance, Drift, and the Long-Term Cost of Prevention

Rule decay and alert fatigue

The DLP rule set you shipped six months ago is already a ghost. I have watched teams pour weeks into crafting regex patterns for credit-card numbers, source-code snippets, and internal API keys—only to find that by month four, nobody reads the alerts anymore. The tricky part is that the system still runs. It still fires. And because it fires so often on false positives (a customer uploads a test file that happens to match a SSN pattern), the security team starts marking everything as low priority. That's rule rot in action: the rules themselves don't change, but the tolerance for them does. You end up with a tool that screams constantly and a team that has learned to ignore the scream. Worth flagging—one engineer once told me, 'We filter the DLP dashboard the same way we filter spam.' That hurts.

'We tuned the rules for perfect coverage. Then we buried the alerts because we couldn't keep up.'

— Senior SecOps analyst, after a post-mortem on a missed SQL exfiltration

Staff turnover and knowledge loss

The person who built your baseline left in February. The person who understood the exception logic—the 'why' behind the whitelist—transferred to a different team in April. By June, no one in the room can explain why the Salesforce connector is allowed to export 10,000 rows without triggering a block. So what happens? Nothing. The connector keeps running because nobody wants to touch a config they don't understand. That's drift: the gap between what the policy says and what the system actually enforces widens silently. Most teams skip the documentation step when they set up DLP. I have seen this pattern repeat across a dozen organizations—the rule logic lives in one person's head, and when that person leaves, the system becomes a black box. The cost isn't just rework; it's the months of false negatives while the new team reverse-engineers the old intent.

Tool sprawl and integration debt

Three DLP engines. One cloud-native CASB. Two email gateways with overlapping policies. That sounds like defense in depth until you realize none of these tools talk to each other. What usually breaks first is the alert correlation: the CASB blocks a file upload, but the endpoint DLP doesn't know it happened, so it logs a separate alert with contradictory metadata. Teams end up spending more time reconciling tool outputs than investigating actual exfiltration events. The catch is that each tool was justified individually—'we need coverage for this specific vector'—but the aggregate complexity becomes a tax no one budgeted for. I have watched a five-person security team burn two days per month just deduplicating alerts across three consoles. That's integration debt, and it compounds every quarter. The common reaction is to add another tool to 'fix' the gap, which only drives the noise higher. The anti-pattern here is clear: more tools without a unified data plane doesn't reduce risk—it just re-distributes the confusion.

So what breaks first when the budget gets cut? Maintenance. The rule set freezes, the baselines go stale, and the drift that was already happening accelerates. Teams revert to the old ways because the system is too noisy to trust. The real cost of prevention isn't the software license—it's the headcount you keep burning on a system that slowly learns to shout about nothing.

When NOT to Use This Prevention Approach

Low-maturity orgs that need first-pass controls

If your startup hasn't classified a single file—no labels, no ownership map, nobody who can say where the customer list lives—heavy data loss prevention is a mistake. I have seen teams burn three months deploying endpoint agents, only to discover they blocked every spreadsheet sync to Slack and nobody knew why. The trap is seductive: vendors sell you a dashboard that looks like control, but without basic hygiene—least-privilege access, a half-decent asset inventory, or even a policy that distinguishes payroll from marketing decks—you drown in false positives. The alerts pile up, the security team gets paged at 2 AM for a contractor's resume upload, and within six weeks the DLP tool is either muted or bypassed. Don't bolt on exfiltration prevention before you can tell a secret from a sales pitch. What your org really needs is a single afternoon mapping data flows and turning off public S3 buckets. That cuts more risk than any fancy extrusion sensor.

Environments with heavy encryption (e.g., finance)

Regulated firms—think hedge funds, payment processors, core banking—already run full-disk encryption, encrypted email gateways, and often client-side key management for every document. Here, DLP becomes a layer that can't see what it's supposed to protect. The catch is philosophical: if your transport and at-rest encryption is compliant with PCI-DSS or SOC 2 Type II, adding content inspection means decrypting the data mid-flow—which auditors may flag as a control weakness, not a strength. Worth flagging: I've watched a trading desk lose four hours of revenue because a DLP proxy re-encrypted a deal memo with the wrong key. The seam blows out when encryption and prevention fight over the same packet; you get latency, false blocks, and a legal team that can't decide which framework takes priority. Sometimes the safest move is to lean on your existing crypto controls and accept the residual exfiltration risk. That sounds reckless until you calculate the cost of a single blocked legitimate transfer—easily six figures in a prop trading shop.

Flag this for data: shortcuts cost a day.

Flag this for data: shortcuts cost a day.

The trickier scenario is the hybrid: a firm with partial encryption mandates. Maybe HR data is plaintext while trading models are encrypted. Throwing universal DLP at that split creates a mess—the tool chokes on encrypted blobs it can't parse and over-scans the unprotected stuff with too many rules. Better to micro-segment. Encrypt the high-value models at rest and move them via air-gapped transfers. Let the less sensitive flows use lightweight pattern matching. One concrete anecdote: a fintech client of mine spent $200k on a DLP suite, then ripped it out after discovering their core ledger data was already AES-256 wrapped end-to-end. The vendor never told them encryption makes content inspection blind. That hurts.

When the cost of blocking exceeds the risk of leakage

Most teams skip this calculation entirely. They deploy prevention as if every byte leaving the network is a crisis, ignoring opportunity cost. Imagine a biotech startup: researchers collaborate daily with external labs, swapping gene sequences over unencrypted email. A strict DLP policy would quarantine those messages, killing experiments. The risk of a deliberate exfiltration is real but low—your biggest threat is a researcher accidentally CC'ing the wrong PI, not a spy. Blocking here destroys velocity. I have seen this pattern kill two startups: the first lost a patent race because their DLP tool quarantined the provisional filing attachment; the second saw their top ML engineer quit after being locked out of their own model cache for two weeks. — former CISO at a genomics startup, reflecting on the false-positive tax.

— paraphrased from a private conversation, 2024

Rhetorical question for the room: how many of your prevention rules would survive a simple cost-of-delay test? If the answer is fewer than half, you're over-blocking. The playbook should be: run in detect-only mode for one quarter, tally the incidents that actually caused harm (not just policy violations), then build rules that match the real threat model. Everything else is theater. Your next experiment: pick the three loudest DLP alerts from last week. Ask the business owner whether they'd rather accept the leak risk or lose the feature. You might be surprised how often they pick the leak.

Open Questions and FAQ on Exfiltration Gaps

Can AI models exfiltrate data in model weights?

Yes, and this is the question that keeps security researchers awake. Model weights are just millions of floating-point numbers — stitch training data into those weights, and you have a steganographic pipe that looks like a normal binary artifact to most DLP tools. I once helped a startup untangle a case where an intern pushed a fine-tuned model to Hugging Face that contained encoded customer PII in the final transformer layer. The model passed all standard malware scans. What caught it? A manual audit of loss curves that showed suspiciously low perplexity on specific user names. The tricky part is that model theft isn't always malicious — sometimes engineers cache weights locally for offline experiments, and that cache walks out on a USB stick or syncs to a personal cloud. The fix? Treat model registries as exfiltration endpoints, not just code repositories.

What about data loss via APIs and machine identities?

APIs are the open windows of modern data architecture — and nobody locks them properly. Machine identities, such as service account tokens and OAuth client secrets, often carry broad read permissions because developers hate debugging granular scopes mid-sprint. A single leaked token from a CI/CD pipeline can dump your entire customer database through a few REST calls. The friction point here is speed: revoking a token breaks production integrations, so teams hesitate. I saw one fintech solve this by baking a per-request data watermark into all internal API responses — if the data surfaces outside, they trace it to the exact token and timestamp. That sounds fine until you realize watermarks can be stripped by any intermediate proxy. The realistic approach is a two-lever strategy: enforce token expiration (48 hours max for short-lived tasks) and audit all API responses over 1MB for anomalous destination IPs. Most teams skip the IP audit — huge mistake.

“Data exfiltration via API doesn't announce itself with a virus alert. It feels like normal traffic until the data shows up in a competitor's demo.”

— Security architect at a B2B SaaS platform, after a breach that cost them $2M in churn

How do you balance privacy monitoring with employee trust?

Badly, mostly. I've watched companies deploy endpoint DLP agents that capture every browser request, then spend six months in HR disputes over flagged activity that turned out to be engineering research. The anti-pattern is treating all data as equally sensitive — it burns trust and blinds teams to actual threats. A better line is to monitor only the 3–5 channels that historically carry real incidents: large file uploads to personal drives, bulk API pulls by terminated accounts, and unusual activity windows (3 AM exports from CRM, for example). Let the rest slide. What usually breaks first is the false-positive ratio: when 99% of alerts are trivial, analysts start ignoring them. We fixed this by running a two-week baseline of 'normal' egress per team, then flagging only deviations past 3 standard deviations. That cut alert noise by 80% and restored engineer goodwill. The hard truth is that perfect monitoring is surveillance; good enough monitoring is partnership. Choose partnership, but keep the audit logs cold-stored for post-incident review. Not perfect — workable.

Summary and Next Experiments to Run

Audit your current DLP rules for gaps

Most DLP rule sets I have audited look impressive on paper—then fail on a trivial test: copy-paste to a personal browser session. Worth flagging: rules written six months ago often block entirely the wrong channels. The tricky part is that every cloud app update can silently widen a policy hole. Grab three team members, pick your five most sensitive data labels, and run a literal walkthrough. Try sending a CSV with fake production data via Slack, a Teams chat, and a forwarded Gmail alias. Time it. Write down which alerts actually fire—and which you expected to fire but didn't. That hurts. A single afternoon of this will surface gaps no dashboard ever shows.

One team I worked with discovered their DLP allowed file uploads to a known shadow-IT tool because the URL regex was two characters too short. Fix took twenty minutes. The risk had been open for eleven months. — data engineer, mid-market SaaS provider

Run a red team exercise on exfiltration paths

Don't hire a vendor for this—yet. A low-cost red team can be two colleagues from different departments playing attacker and defender for half a day. The attacker gets a simple goal: exfiltrate a dummy file from a shared drive without using email. The defender knows the exercise is happening but not the timing. What usually breaks first is endpoint DLP agent misconfiguration—agents on macOS often skip USB monitoring, for example. I have seen a junior dev tape a phone to a laptop screen to photograph internal architecture diagrams. No tool blocked that. Another team tested by pasting sensitive rows into a ChatGPT session—traditional DLP saw nothing because the data left as keystrokes, not file attachments. The catch is that these exercises reveal process gaps, not just tech gaps—and process gaps are usually harder to admit.

Run the same drill quarterly. Change the dummy file name each time. Patterns emerge fast.

Test one UEBA deployment on a single data type

User and Entity Behavior Analytics sounds like a budget-killer. But start small: pick one data type—say, payment card numbers in transaction logs—and train a UEBA model on a two-week baseline of normal access. Then introduce one anomalous pattern: a single user downloading 200 records at 3 a.m. on a Sunday. Does it flag? Does the alert go anywhere, or just disappear into a SIEM queue? Most teams skip this test and buy the full suite, then find the signal-to-noise ratio is so bad they ignore all alerts within a month. Start with one data type, one user group, one explicit anomaly. If the alert chain works, expand. If it doesn't, you saved a year of false-positive misery. That said, be ready for the false-negative surprise—UEBA often misses slow, low-volume exfiltration that spans weeks. No single layer catches everything. The next experiment after this one? Combine UEBA output with a manual review of one user's file-access logs for a single shift. Two low-cost layers beat one expensive blanket every time.

Share this article:

Comments (0)

No comments yet. Be the first to comment!