CASE STUDY: DEXRR
Data-exfiltration detection for a national Australian law firm.

Customer
Australian national law firm.


Challenge
Learn from Medibank, HWLE and National Public Data, and take a proactive approach to reducing the risks associated with data exfiltration (breaches), the resulting unauthorised exposure of sensitive customer and legal information, and the consequent monetary and reputational loss.


Solution
dotSec designed and deployed DEXRR, a search and analytics package that runs as a layer over Splunk Enterprise Security (ES), and which is focused on detecting and alerting on activities that indicate unauthorised data exfiltration.

1.7TB+: Log volume analysed per quarter

240M+: Log events per day

530 + 30: Number of on-prem and cloud-service log sources

24: Constantly running DEXRR correlations

DEXRR overview

The HWLE incident of 2023 saw attackers compromise that law firm (not the client in this case study!) and exfiltrate over 4TB of data without being detected. Before that (in 2022) Medibank was breached and first reported that attackers had access to the records of 3.1M people… before realising that the number was closer to 9.7M.

And after that, in 2024, attackers breached National Public Data, an online background check and fraud prevention service, and accessed 2.7B records associated with more than 170M people.

The common thread, of course, is that each data exfiltration attack succeeded and went undetected until much later. To reduce the risk of a similar incident, dotSec developed the DEXRR package as a layer of additional Splunk ES searches, alerts and reports focused on this kind of attack.

Operationally and cost effective!

Sure, you can probably get a cheaper service, but let’s face it: you’ll get what you pay for. Data-exfiltration detection is a stonkingly hard problem to solve, and it requires large volumes of logs to be collected, correlated and analysed from a huge range of sources, including Microsoft 365, Dropbox, laptops and desktops…

And Kiteworks, Cisco networking kit, Azure WAF, CloudFront, Netskope, CrowdStrike EDR services and VMware vCenter, and custom and in-house applications and services…

To name just a few!

dotSec’s MSIEM team is located in Australia and consists of seasoned cyber security experts who hold lots of professional certifications: Splunk Enterprise Security Admin, Splunk Enterprise Admin, ISO/IEC 27001:2022 Lead Implementer and Auditor, CISA, CISM, CRISC and CDPSE.

And Masters of Information Technology, Masters of Cyber Security, and some PhDs. They’re the real deal!

Attention to detail

The DEXRR package consists of analytics that are focused on detecting activities that may indicate data exfiltration. dotSec worked with our client to gather relevant logs from multiple systems and applications, and then spent an extended period baselining the system in order to get a good understanding of what “normal activity” looked like.

This step was especially important for a law firm, since BAU (business-as-usual) activities generally involve frequent and often large information exchanges. Detecting the anomalous activity associated with unauthorised information exchanges and data exfiltration against that background is therefore a non-trivial exercise.
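The following is an added illustration of why the baselining step matters and is not DEXRR code or the client's data: over constructed daily outbound-transfer totals, a fixed byte limit alerts every day on a user whose normal work involves large exchanges, while a per-user baseline (median and MAD of that user's own history) alerts only on the genuine outlier. The user names, volumes and thresholds are all assumptions.

```python
"""Fixed threshold vs per-user baseline for outbound-transfer volumes."""
from collections import defaultdict
from statistics import median

# Constructed sample events: (day, user, bytes_out). Not real client data.
# "alice" routinely sends ~9 GB/day; "bob" normally sends ~45 MB/day
# and then sends 6 GB on day 5.
EVENTS = [
    ("d1", "alice", 9_000_000_000), ("d2", "alice", 8_500_000_000),
    ("d3", "alice", 9_400_000_000), ("d4", "alice", 8_900_000_000),
    ("d5", "alice", 9_100_000_000),
    ("d1", "bob", 40_000_000), ("d2", "bob", 55_000_000),
    ("d3", "bob", 35_000_000), ("d4", "bob", 50_000_000),
    ("d5", "bob", 6_000_000_000),
]

def daily_totals(events):
    """Aggregate bytes_out per user per day: {user: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, n in events:
        totals[user][day] += n
    return totals

def fixed_threshold_alerts(events, limit):
    """Naive rule: alert whenever any user's daily total exceeds a fixed limit.
    Returns sorted (user, day) pairs."""
    return sorted((u, d) for u, days in daily_totals(events).items()
                  for d, n in days.items() if n > limit)

def baseline_alerts(events, day, k=5.0, floor=1_000_000_000):
    """Alert only when `day` is far outside the user's own history.
    Baseline = median and MAD of that user's totals on the other days.
    `floor` is a minimum absolute excess so low-volume users do not alert
    on statistical noise. Returns the sorted list of alerting users."""
    alerts = []
    for user, days in daily_totals(events).items():
        history = [n for d, n in days.items() if d != day]
        if len(history) < 3 or day not in days:
            continue  # not enough history to call anything anomalous
        med = median(history)
        mad = median(abs(n - med) for n in history) or 1
        excess = days[day] - med
        if excess > k * mad and excess > floor:
            alerts.append(user)
    return sorted(alerts)

if __name__ == "__main__":
    print("fixed 1 GB limit:", fixed_threshold_alerts(EVENTS, 1_000_000_000))
    print("baseline, day 5: ", baseline_alerts(EVENTS, "d5"))
```

The fixed rule produces six alerts, five of them on alice's routine traffic; the baseline rule produces one, on bob's day-5 spike.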

You see, real MDR+MSIEM is not a set-and-forget, sell-a-licence-and-chuck-it-over-the-fence kind of deal. It involves attention to detail and an understanding of normal and anomalous business activities. And sure, that means we’re not the cheapest, but as our client has told us (and yes, we can provide written references to bona fide enquiries), they get what they pay for!

Effective compliance, exceptional service

The dotSec MDR+MSIEM service has proven its effectiveness in simulations, Red Teaming exercises, and actual incident detection, response, containment and recovery events.

dotSec is ISO/IEC 27001:2022-certified and is a PCI QSA company, so we know a thing or two about compliance. And our MDR+MSIEM service is delivered as a PCI DSS-compliant service, with an Attestation of Compliance (AoC), so you can be confident that we will reduce, rather than add to, your compliance cost and pain.