Profit from selling
In early 2018, an employee at a large media and entertainment company was caught selling extremely sensitive intellectual property to a third-party. This type of activity would be especially hard to detect using traditional tools such as threshold-based solutions that look for large or anomalous uploads. In this case, the files were being sent infrequently, and when they were sent, the amount of data traversing the network was very small.
In addition, this was a case where the perpetrator was authorized to access the information he was sharing. The files in question were sent to this person’s corporate email account from others within the organization. And the person did not forward or send all of the attachments contained in an any given email. They were selective and only sent very specific files, making their actions unlikely to trigger alarms that typically look for large or continuous uploads.
While the amount of data being uploaded was small and usually only occurred a handful of times per week, Awake identified the activity as “persistent” and “unique,” therefore elevating its risk score to prompt a closer look.