Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
673
Views
0
Helpful
0
Comments

Data Hoarding Alarm Category versus Data Exfiltration Alarm Category

Meddane
VIP
VIP

on ‎04-02-2023 04:38 AM

Data Hoarding Alarm Category

The Secure Network Analytics Data Hoarding alarm indicates that a host within a network has downloaded an unusual amount of data from one or more servers.

data H exfiltration.JPG

 Security Events Associated with the Data Hoarding Alarm Category include:

1. Suspect Data Hoarding

a. Suspect Data Hoarding monitors how much TCP/UDP data an inside host, while acting as a

client, downloads from internal servers. The event fires when the amount of data surpasses

the threshold for a given host. This threshold is built automatically by baselining.

b. This event is an indication of a particular host gathering data to prepare for exfiltration or

other larger-than-normal downloads of internal data.

2. Target Data Hoarding

a. Target Data Hoarding monitors how much TCP/UDP data an inside host, while acting as a

server, serves to other inside clients. The event fires when the amount of data surpasses the

threshold for a given host. This threshold is built automatically through baselining.

b. This event is potentially an indication of one or many Inside Hosts gathering more data than

normal from a particular Inside Host, potentially in preparation for exfiltration or misuse.

Data Exfiltration Alarm Category

The Secure Network Analytics Data Exfiltration alarms tracks inside and outside hosts to which an abnormal amount of data has been transferred. If a host triggers events exceeding a configured threshold, it results in Data Exfiltration alarm.

data H exfiltration.JPG

 

The Suspect Data Loss security event is in the Exfiltration alarm category and based on observed flow rather than a number of default points assigned to the alarm category when the security event occurs.

When this event triggers, an inside host acting as a client has uploaded a cumulative amount of TCP or UDP payload data to an outside host, and the amount exceeds the threshold set in the policy applied to the inside host.

What does it mean when this alarms fires? A host is being used to upload more information to the Internet than is acceptable. This can be anything from someone using external backup services to maliciously exfiltrating corporate data.

 
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents