What is Data EGRESS?
Egress is just another word for 'exit.' It may also mean the act of going out or coming out (of something).
For example, a fire-escape is defined as a “means of egress” because that’s how somebody can get out of a building if there was fire or any other emergency.
In the context of network security, egress means data going out of your network, devices or interfaces.
In a nutshell, data egress means data leaving your network and travelling to an external location.
Egress happens whenever data leaves your organization’s network:
How is Data Egress different from Ingress?
The traffic coming FROM the internet TO your local network would be 'ingress' traffic and traffic going FROM your local network TO the internet would be egress traffic. So far, it’s still simple.
However, ingress poses its own challenges, because it is traffic that originates outside your organization's network and is transferred into it. The hard case is UNSOLICITED ingress: traffic sent from the internet to your private network that is not a response to any request made from inside your network.
Hold on to those two phrases: 'unsolicited' and 'not in response to a request made from inside.' That's why you deploy such a huge variety of filters to manage or prevent ingress traffic. Right?
But this post is about 'egress'...
Here you are dealing with the data that gets transferred from your organization's network to external networks. You must monitor egress traffic for anomalous or malicious activity, and the mechanism for that is egress filtering.
Egress filtering means inspecting your outbound traffic for signs of malicious activity and, where such activity is suspected or detected, blocking the transfer so that your sensitive data is not lost. It can also rate-limit egress traffic and block attempts at high-volume data egress, which is how bulk exfiltration over an otherwise permitted channel gets caught.
In short, it lets your company block the transfer of sensitive data outside its corporate networks while limiting and blocking high-volume data transfers.
What are the major security threats related to egress?
If you hold sensitive data, proprietary data, high-value personal data, PII, etc., then you are an attractive target for cyber threat actors.
They will definitely be interested in exfiltrating your data. They may employ a number of techniques to steal, intercept or snoop on your network and your data while it is in transit. If they succeed, you are exposed to data loss and data leakage. Attackers may use a number of approaches to get access to your data: implanting malware or a backdoor trojan, or using social engineering tactics.
There are many ways they can exfiltrate your data. They can even encrypt your data before it is exfiltrated, so that content inspection on the wire sees nothing readable, and they will mask their own location and the traffic sent back to them.
Remember, any instance of malicious data egress can equally be the handiwork of an insider threat. For example, your own employees may attempt to steal corporate data with the intent of harming your company by giving or selling that data to a hacker, a third party, or a competitor.
Accidental insider threats also occur when employees inadvertently send data to an unauthorized recipient or disable a security control.
6 Best Practices to manage the menace of Egress
You must always start by knowing what your most important data is and where it is stored. Then identify every point where this particularly sensitive data leaves your network. You need to know all of those points, and you should mark them very clearly on your process flow charts!
You should develop a well-defined data policy that clearly spells out everything necessary to govern the egress of the data identified above. This policy document must articulate what constitutes 'acceptable' use of data. You must explain thoroughly how your company intends to protect its critical resources and sensitive data. You should also provide the list of services and applications that are approved for use. Go one step further and set guidelines for how your employees should access and handle sensitive data.
The above two steps are important because they establish the foundation for the good practices that follow:
Now you are ready to truly monitor all the traffic on your network. Write fine-grained rules and policies to monitor egress traffic. A careful network monitoring routine lets your company know which users and devices are active on your network and, more to the point here, which external destinations they talk to and how much they send. A high-quality network monitoring tool also lets you measure crucial network metrics such as availability, response time and uptime.
You should ensure that your company has deployed an NGFW as the network gatekeeper, since it can manage both your ingress and your egress traffic. Pay extra attention to the RULES you configure in your firewall, because appropriate rules are what enable it to detect, monitor and block unauthorized data egress.
I want to tell you upfront that most security professionals focus far more on creating rules for 'ingress' traffic, and they overlook egress in their approach far too often. That's not good.
There have been many data breaches that happened simply because companies were liberal when setting the egress rules for their organizations. By not making appropriate rules for egress, they unknowingly allowed intruders to move company data out without anyone even knowing an attacker had been active in their network. Kindly don't commit this mistake!
Always remember that effective firewall rules allow your organization to block data egress to unauthorized locations and malicious individuals. In practice that means a default-deny outbound policy: allow only the destinations, ports and protocols your approved services actually need, and log everything else. Hence, no compromise!
Make a point of logging all events and all traffic, egress and ingress alike. I recommend the most elaborate scheme: log everything at every level, on every device, including your endpoints and your NGFW. If you do that, your SIEM solution can analyze your logs effectively and efficiently. If the tools are set up properly, they will compile, correlate and manage data flows across your entire organization, and eventually you will succeed in warding off unauthorized data exposure and leakage.
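To make the egress filtering and rule-writing above concrete, here is an added example (not code from the original post) that evaluates flow records the way a default-deny outbound policy on an NGFW would, and then runs the high-volume check that a SIEM would apply to the firewall's logs. The policy format, the flow-record fields, the RFC 5737 test addresses and the 50 MiB threshold are all assumptions of this example; the flow records are constructed, not captured traffic.

```python
"""Egress allow-list evaluation and high-volume egress detection over flow logs.

Added example, not from the original post. Policy format, flow fields and the
volume threshold are assumptions; SAMPLE_FLOWS is constructed data.
"""
from __future__ import annotations

from collections import defaultdict
from ipaddress import ip_address, ip_network

# RFC 1918 ranges; anything outside them is "outside the organisation".
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical default-deny egress policy: only these (destination, port, protocol)
# combinations may leave the network. Anything not matched is denied.
EGRESS_ALLOW = [
    ("0.0.0.0/0",       443, "tcp"),  # HTTPS to anywhere
    ("203.0.113.53/32",  53, "udp"),  # DNS only via the approved resolver (TEST-NET-3)
    ("203.0.113.10/32",  25, "tcp"),  # SMTP only via the corporate mail relay
]
# Bytes one internal host may send out per observation window (assumed value).
VOLUME_THRESHOLD_BYTES = 50 * 1024 * 1024


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def direction(flow: dict) -> str:
    """Classify a flow as 'egress', 'ingress' or 'internal' from its endpoints."""
    src_in, dst_in = is_internal(flow["src"]), is_internal(flow["dst"])
    if src_in and not dst_in:
        return "egress"
    if dst_in and not src_in:
        return "ingress"
    return "internal"


def evaluate_egress(flow: dict) -> tuple[str, str]:
    """Return (decision, reason) for one flow under the default-deny policy."""
    if direction(flow) != "egress":
        return ("skip", "not egress")
    dst = ip_address(flow["dst"])
    for net, port, proto in EGRESS_ALLOW:
        if dst in ip_network(net) and flow["dport"] == port and flow["proto"] == proto:
            return ("allow", f"matched {net}:{port}/{proto}")
    return ("deny", "no matching allow rule (default deny)")


def detect_high_volume(flows: list[dict], threshold: int = VOLUME_THRESHOLD_BYTES) -> dict[str, int]:
    """Sum bytes per source over *allowed* egress flows; report hosts above threshold.

    Permitted channels such as HTTPS are exactly where bulk exfiltration hides,
    so the volume check runs on the allowed traffic, not on the denied flows.
    """
    sent: dict[str, int] = defaultdict(int)
    for f in flows:
        if evaluate_egress(f)[0] == "allow":
            sent[f["src"]] += f["bytes"]
    return {src: total for src, total in sent.items() if total > threshold}


def summarize(flows: list[dict]) -> dict[str, int]:
    """Count decisions, the kind of tally you would chart from SIEM output."""
    counts: dict[str, int] = defaultdict(int)
    for f in flows:
        counts[evaluate_egress(f)[0]] += 1
    return dict(counts)


# Constructed flow records (not real traffic); external addresses are RFC 5737 test ranges.
SAMPLE_FLOWS = [
    {"src": "10.1.2.3", "dst": "198.51.100.7",  "dport": 443,  "proto": "tcp", "bytes": 1_200},   # HTTPS: allowed
    {"src": "10.1.2.3", "dst": "198.51.100.53", "dport": 53,   "proto": "udp", "bytes": 6_000},   # unapproved resolver (DNS-tunnel path): denied
    {"src": "10.1.2.4", "dst": "198.51.100.9",  "dport": 22,   "proto": "tcp", "bytes": 900},     # outbound SSH not approved: denied
    {"src": "10.1.2.3", "dst": "10.1.2.9",      "dport": 445,  "proto": "tcp", "bytes": 40_000},  # internal, not egress
    {"src": "198.51.100.9", "dst": "10.1.2.4",  "dport": 3389, "proto": "tcp", "bytes": 500},     # ingress, handled by other rules
] + [
    # 60 x 1 MiB uploads over permitted HTTPS: each one is allowed, the total trips the volume check
    {"src": "10.1.2.5", "dst": "198.51.100.20", "dport": 443, "proto": "tcp", "bytes": 1_048_576}
    for _ in range(60)
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS[:5]:
        print(f"{f['src']} -> {f['dst']}:{f['dport']}/{f['proto']}", evaluate_egress(f))
    print("decision counts:", summarize(SAMPLE_FLOWS))
    print("high-volume senders:", detect_high_volume(SAMPLE_FLOWS))
```

Two things in this example are worth carrying into a real ruleset: the DNS and SSH flows are denied not because a signature matched but because nothing allowed them, and the only host flagged for volume is one whose every individual flow was legitimate HTTPS. That is why the post insists on both the rules and the logging.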
Your next step should be to synergize everything with a Data Loss Prevention (DLP) solution. Merely deploying a DLP solution is not enough. The actual work starts at STEP 1, as mentioned above: your organization needs to know very clearly what its most sensitive data is. Since not all data is equal, you must classify your data in terms of sensitivity and the risk it creates if exposed. Right?
The fine-grained classification of your data dictates the level of protection it requires. Your job now is to build and apply the appropriate protective measures, devoting the most deliberation to your most sensitive data...
This work further enables you to design 'access policies': who is allowed to access which data and resources. The Zero Trust principle is the guide here.
Now your DLP solution is ready to serve the interests of your organization. DLP applies policy-based protection, such as blocking unauthorized actions or encrypting data, to protect sensitive data. Combining DLP with data classification and data discovery ensures that you have a full picture of the sensitive data your organization holds, where it is stored, and how it is protected from unauthorized exposure and loss.
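As an added example of what "classification drives the action" looks like in practice (this is illustrative code, not the post's own or any product's implementation), the following inspects outbound messages, assigns a sensitivity label from what it finds, and then lets the label and the destination decide whether the message is allowed, must be encrypted, or is blocked. The labels, the detectors, the per-label actions and the corporate domain example.com are assumptions of this example; the messages are constructed. The Luhn check is included because a raw digit pattern alone would block every invoice and tracking number that happens to be 16 digits long.

```python
"""Classification-driven DLP decision on outbound messages.

Added example, not from the original post. Labels, detectors, actions and the
corporate domain are assumptions; SAMPLE_MESSAGES are constructed.
"""
from __future__ import annotations

import re

CORP_DOMAIN = "example.com"  # assumed: mail to this domain never leaves the organisation

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13-19 digits with optional space/dash separators; candidates are confirmed with Luhn.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# What each label means for traffic leaving the organisation.
EGRESS_POLICY = {
    "restricted": "block",
    "internal": "require_encryption",
    "public": "allow",
}


def luhn_ok(candidate: str) -> bool:
    """Luhn mod-10 check; filters out digit runs that are not payment card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> tuple[str, list[str]]:
    """Return (label, findings). Highest-sensitivity evidence wins."""
    findings: list[str] = []
    cards = [m for m in CARD_RE.findall(text) if luhn_ok(m)]
    if cards:
        findings.append(f"{len(cards)} payment card number(s)")
    if "CONFIDENTIAL" in text:
        findings.append("CONFIDENTIAL marker")
    if findings:
        return "restricted", findings
    if "INTERNAL" in text:
        findings.append("INTERNAL marker")
    emails = set(EMAIL_RE.findall(text))
    if len(emails) >= 5:  # a contact list, not a single correspondent
        findings.append(f"{len(emails)} distinct email addresses")
    if findings:
        return "internal", findings
    return "public", findings


def dlp_decision(message: dict) -> dict:
    """Apply the egress policy only when the recipient is outside the organisation."""
    label, findings = classify(message["body"])
    external = not message["to"].lower().endswith("@" + CORP_DOMAIN)
    action = EGRESS_POLICY[label] if external else "allow"
    return {"label": label, "action": action, "external": external, "findings": findings}


# Constructed messages (not real mail).
SAMPLE_MESSAGES = [
    {"to": "partner@example.net", "body": "Quarterly numbers attached. CONFIDENTIAL - do not forward."},
    {"to": "finance@example.com", "body": "Refund to card 4111 1111 1111 1111 approved."},
    {"to": "vendor@example.net", "body": "Tracking number 1234 5678 9012 3456 for your order."},
    {"to": "list@example.org", "body": "Customer contacts: a@x.org, b@x.org, c@x.org, d@x.org, e@x.org"},
    {"to": "drop@example.net", "body": "cards: 4111-1111-1111-1111 and 5500 0000 0000 0004"},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["to"], dlp_decision(m))
```

The second message carries a real-looking card number but stays inside the organisation, so this policy logs the finding and lets it through; the third message is a 16-digit tracking number that fails Luhn and is correctly left alone. Whether an internal card number should also be blocked is a classification decision, which is exactly the point made above about doing STEP 1 before tuning the tool.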
Kindly write your comments on the posts or topics, because when you do, you help me greatly in designing new quality articles and posts on cybersecurity.
You can also share with all of us whether the information shared here has helped you in some way.
Life is short, so make the most of it!
Also take care of yourself and your loved ones…
______
This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so passionate about the cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about cybersecurity on her website and on social media platforms.
34,000+ professionals follow her on Facebook for the quality of her posts. You can follow her page there: Cybersecurity PRISM.