From DLP to Intelligent Data Exfiltration Analytics

The Business

The customer is a high-profile international defense contractor developing advanced defense and security products for a global customer base. The company has over 80,000 employees worldwide and operates in 25 geographic regions. It is a leader in defense innovation and sells its products to governments and large organizations.


As a large defense and technology provider, the customer faced a high risk of sensitive data theft by rogue employees and contractors, and also needed to protect against external attackers targeting the company's vast intellectual property.
The client had invested in an advanced DLP solution and a SIEM to monitor for risky events, but because of the sheer size of the organization and the amount of data accessed every day, those solutions on their own were not enough and generated an unmanageable volume of false positives.

The Securonix Solution

The customer had a critical need to monitor and understand how, and by whom, its sensitive information was being accessed, and was unable to monitor for rogue employees, external attacks, or activity by terminated employees. Securonix was brought in to implement its Data Exfiltration and SIEM intelligence products, providing rapid visibility and behavioral analytics for sensitive data access and for monitoring the accounts of terminated users.

Client’s Solution Tour:

Core Use Cases Deployed:

Data Exfiltration

Securonix was implemented to analyze the events generated by the customer's DLP solution and enrich each event with identity and activity context. It analyzes each user's activity by comparing every event with that user's previous behavior, and with the activity of the user's colleagues through its automated peer group analysis. The solution then evaluates and risk-ranks each event using context from HRMS, firewall and proxy data. This lets the security team identify potentially disgruntled employees (a bad review or a notice of termination in HRMS) and flag possible flight risks from other activity, such as browsing job sites on the web. The result is a comprehensive picture that allows the security team to focus on the events that really need to be investigated.
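To make the enrichment-and-ranking idea concrete, the following is an added toy example written for this page; it is not Securonix code and does not reproduce its scoring model. It takes a handful of constructed DLP events, compares each user's volume against their own 10-day history and against a department peer group pooled from the same history, then adds HRMS status (termination notice, poor review, terminated account), a proxy-derived job-site browsing signal, and the data classification. All feeds, field names and weights are hypothetical. Note the check a practitioner would want: a DLP event from an account HRMS says is terminated is scored high regardless of volume, because that account should not be generating any events.

```python
"""Toy DLP event risk ranking with identity, peer-group and HRMS enrichment.

Added illustration for this page, not Securonix code or its scoring model.
All feeds below are constructed sample data with hypothetical field names.
"""
from statistics import mean, pstdev

# Constructed HRMS feed keyed by user (hypothetical fields)
HRMS = {
    "alice": {"dept": "engineering", "status": "active",       "last_review": "meets"},
    "bob":   {"dept": "engineering", "status": "notice_given", "last_review": "below"},
    "carol": {"dept": "engineering", "status": "active",       "last_review": "exceeds"},
    "dave":  {"dept": "finance",     "status": "terminated",   "last_review": "meets"},
}

# Constructed baseline: MB moved to removable/web destinations on each of the last 10 days
HISTORY = {
    "alice": [10, 12, 8, 15, 11, 9, 13, 10, 12, 10],
    "bob":   [20, 25, 18, 22, 30, 24, 19, 21, 26, 25],
    "carol": [35, 40, 38, 42, 37, 45, 39, 41, 36, 40],
    "dave":  [5, 4, 6, 5, 5, 4, 6, 5, 5, 5],
}

# Constructed proxy summary: hits on job-search categories in the last 30 days
JOB_SITE_HITS = {"alice": 0, "bob": 14, "carol": 1, "dave": 0}

# Constructed DLP events for "today"
DLP_EVENTS = [
    {"id": 1, "user": "alice", "mb": 10,  "classification": "confidential"},
    {"id": 2, "user": "bob",   "mb": 850, "classification": "export_controlled"},
    {"id": 3, "user": "carol", "mb": 40,  "classification": "internal"},
    {"id": 4, "user": "dave",  "mb": 5,   "classification": "confidential"},
]

# Hypothetical weight of the data classification attached to the event
CLASS_WEIGHT = {"export_controlled": 20, "confidential": 10, "internal": 0}


def zscore(value, samples):
    """Standard score of value against a baseline; 0 when the baseline has no spread."""
    sd = pstdev(samples)
    return 0.0 if sd == 0 else (value - mean(samples)) / sd


def peer_samples(user):
    """Pooled baseline of everyone in the user's department (the peer group)."""
    dept = HRMS[user]["dept"]
    return [v for u, h in HISTORY.items() if HRMS[u]["dept"] == dept for v in h]


def score_event(ev):
    """Return (score 0..100, reasons) for one DLP event after enrichment."""
    user, mb = ev["user"], ev["mb"]
    rec = HRMS[user]
    reasons = []

    # 1. Deviation from the user's own history; only upward deviation is risky
    self_part = min(40.0, max(0.0, zscore(mb, HISTORY[user])) * 10)
    if self_part:
        reasons.append(f"self_anomaly={self_part:.1f}")

    # 2. Deviation from the department peer group
    peer_part = min(30.0, max(0.0, zscore(mb, peer_samples(user))) * 10)
    if peer_part:
        reasons.append(f"peer_anomaly={peer_part:.1f}")

    # 3. HRMS context: a terminated account should not be generating DLP events at all
    hr_part = 0
    if rec["status"] == "terminated":
        hr_part += 60
        reasons.append("activity_from_terminated_account")
    elif rec["status"] == "notice_given":
        hr_part += 20
        reasons.append("notice_of_termination")
    if rec["last_review"] == "below":
        hr_part += 10
        reasons.append("poor_review")

    # 4. Flight-risk signal from proxy logs
    flight_part = 10 if JOB_SITE_HITS.get(user, 0) >= 5 else 0
    if flight_part:
        reasons.append("job_site_browsing")

    # 5. Sensitivity of the data involved
    class_part = CLASS_WEIGHT.get(ev["classification"], 0)

    score = min(100.0, self_part + peer_part + hr_part + flight_part + class_part)
    return score, reasons


def rank_events(events):
    """Highest risk first; the analyst works the top of this list, not every raw alert."""
    ranked = []
    for e in events:
        score, reasons = score_event(e)
        ranked.append((score, e["id"], reasons))
    return sorted(ranked, key=lambda r: r[0], reverse=True)


if __name__ == "__main__":
    for score, event_id, reasons in rank_events(DLP_EVENTS):
        print(f"event {event_id}: score={score:.1f} reasons={reasons}")
```

On this constructed data the 850 MB transfer by a user with a termination notice, a poor review and job-site browsing ranks first, the 5 MB transfer from a terminated account ranks second on HRMS context alone, and the two in-baseline events sit at the bottom where a raw DLP console would have shown all four as equals.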

By using Securonix to monitor usage of its most sensitive information, the customer has significantly reduced the risk of data theft. The customer is no longer drowning in thousands of DLP alerts that, more often than not, turn out to be false positives, and can focus its efforts on the events that really matter.

Securonix enables the customer to rapidly detect and mitigate misuse of data by alerting immediately on high-risk events and providing the means to act on them before sensitive information leaves the organization. By detecting exfiltration attempts quickly, the company very significantly reduces the loss from exfiltration events.

Finding the needle in the needle stack

By enriching the events coming from DLP with identity and activity context, the client has reduced the total number of alerts that must be investigated by up to 90%, and reports an overall reduction in false positive alerts of 99%. This creates tangible savings in the time and resources that previously went into sifting through thousands of false alerts.