The bad news: HBO got hacked. The good news? I don't have to wait for Game of Thrones anymore; hopefully I can binge-watch it. With that said, if you are into defending networks, this entire episode is déjà vu from the Sony Pictures hack of 2014. According to the initial report, 1.5 terabytes (TB) of data was exfiltrated from HBO's network.
To give you some context, 1.5 terabytes is about 750 hours of video. In comparison, 100 TB of data was stolen from Sony, about 100 times more than the amount of data stolen from HBO.
In this article, I want to focus on answering a single question: what can you do RIGHT NOW to detect and contain data exfiltration? Before I answer that question, let me present the evidence and the anatomy of an attack to validate that this approach works.
In 2013, criminals stole $45 million USD across 26 countries. They were able to carry out this attack easily because they bypassed the $500 USD withdrawal limit on the debit cards, either by eliminating the limit or by raising it.
As you can see in this picture, after raising the limit the criminals walked away from the ATMs with backpacks full of cash.
At Sony, 100 terabytes of data was exfiltrated. Stay with me for a moment, and don't worry about how the attackers got into the network. The question is: how did they get away with transferring 100 terabytes of data?
The Sony, HBO and ATM hacks had one thing in common: either a massive amount of data was transferred, or a limit was eliminated and an unusual amount of cash was withdrawn.
What if you could detect those outliers in egress or ingress traffic? That would be simple math. A single operator, "outlier", would catch some of these anomalous events, from an unusual withdrawal from an account to massive data exfiltration.
Consider the traffic in your organization. On most days your traffic will be a little more or a little less than the average. You should be able to run a multi-dimensional outlier to detect any sudden increase in traffic or in money withdrawals.
This is the simplest and fastest way of detecting fraudulent or malicious activity. So if I were to recommend one thing to security operations teams beyond regular patching, it would definitely be to implement outlier detection for these activities.
The Outlier operator tracks the moving average and standard deviation of a value and detects or alerts when the value differs from the mean by some multiple of the standard deviation, for example, 3 standard deviations.
Suppose we want to use Outlier to monitor the total bytes uploaded to Sumo Logic from many different IP addresses. Building a separate Outlier search for bytes uploaded per IP isn't scalable, and applying Outlier to the bytes uploaded across all IPs would not be useful. But we can monitor each IP address's uploads as a separate stream, or dimension, using BY after the Outlier operator. This creates a multi-dimensional outlier operation.
| outlier size_in_bytes BY ip window=8, threshold=3, consecutive=2, direction=+

— size_in_bytes – The parsed or aggregated value you are monitoring with Outlier.
— window – Specifies how far back to look to calculate the rolling standard deviation.
— threshold – Specifies how many standard deviations from the rolling average the boundaries are, or how sensitive the search is in calling something a violation.
— consecutive – Represents how many consecutive violations are required to consider the behavior a true exception.
— direction – Allows you to specify whether values that are too high, too low, or both are considered to be violations.
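To make the moving-average idea from the earlier paragraphs and the per-IP (BY) parameters above concrete, here is an added Python example that is not Sumo Logic's code and not part of the original post. It implements the same four knobs (window, threshold, consecutive, direction) over a constructed stream of per-IP upload byte counts. The exact semantics are this example's assumptions, not a description of the Outlier operator's internals: the baseline is the last `window` values seen before the value being judged, a violating value is not fed back into the baseline, and an alert is emitted for every violation from the `consecutive`-th one onward.

```python
from collections import defaultdict, deque
from statistics import mean, pstdev

# Constructed sample data (not real traffic): bytes uploaded per collection
# interval for two source IPs. 10.0.0.5 is steady, then bursts for three
# intervals in a row; 10.0.0.9 has a single one-off spike that should not alert
# when consecutive=2.
UPLOADS_A = [100, 110, 95, 105, 100, 108, 97, 103, 104, 99, 5000, 6000, 7000]
UPLOADS_B = [50, 55, 52, 48, 51, 53, 49, 50, 400, 52, 51, 50, 49]
SAMPLE_ROWS = [row for pair in zip((("10.0.0.5", b) for b in UPLOADS_A),
                                   (("10.0.0.9", b) for b in UPLOADS_B))
               for row in pair]


def detect_outliers(rows, window=8, threshold=3.0, consecutive=2, direction="+"):
    """Rolling-window outlier detection with one baseline per key (the BY field).

    rows: iterable of (key, value) in time order. Returns a list of alert dicts,
    one per value that is the `consecutive`-th (or later) violation in a row for
    its key. Window and baseline semantics are this example's assumptions.
    """
    if direction not in ("+", "-", "+-"):
        raise ValueError("direction must be '+', '-' or '+-'")
    if window < 2:
        raise ValueError("window must hold at least two values")

    baselines = defaultdict(lambda: deque(maxlen=window))  # last `window` normal values per key
    streaks = defaultdict(int)    # current run of consecutive violations per key
    positions = defaultdict(int)  # how many values seen per key (for reporting)
    alerts = []

    for key, value in rows:
        positions[key] += 1
        base = baselines[key]
        if len(base) < window:
            # Warm-up: not enough history yet to estimate a baseline for this key.
            base.append(value)
            continue

        mu = mean(base)
        sigma = pstdev(base)
        deviation = value - mu
        # With a perfectly constant baseline (sigma == 0) any move in the
        # watched direction counts as a violation.
        bound = threshold * sigma
        too_high = deviation > bound
        too_low = deviation < -bound
        violated = ((direction == "+" and too_high)
                    or (direction == "-" and too_low)
                    or (direction == "+-" and (too_high or too_low)))

        if violated:
            streaks[key] += 1
            if streaks[key] >= consecutive:
                alerts.append({"key": key, "position": positions[key], "value": value,
                               "mean": round(mu, 2), "stdev": round(sigma, 2),
                               "streak": streaks[key]})
            # Assumption of this example: a violating value is NOT appended to the
            # baseline, so a burst cannot inflate the average it is judged against.
        else:
            streaks[key] = 0
            base.append(value)
    return alerts


if __name__ == "__main__":
    for alert in detect_outliers(SAMPLE_ROWS):
        print(alert)
```

With the defaults (window=8, threshold=3, consecutive=2, direction="+") only 10.0.0.5 alerts, and only from its second burst interval onward; the lone 400-byte spike from 10.0.0.9 is a single violation and is suppressed, which is exactly what the consecutive parameter is for. Dropping consecutive to 1 surfaces that spike too, and direction="-" finds nothing in this data because no host's uploads ever fall far below its own average.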
To create a dashboard, use a table chart to visualize violations and create alerts. Outlier documentation: https://help.sumologic.com/Search/Search_Query_Language/Search_Operators/outlier
The simplest way to analyze your logs for such outliers is to sign up for Sumo Logic Free. You should be able to set up Sumo Logic in less than 30 minutes and start using advanced machine learning operators such as 'Outlier' to separate signal from noise.