* [Blog](https://www.paloaltonetworks.com/blog)
* [Cloud Security](https://www.paloaltonetworks.com/blog/cloud-security/)
* [Cloud Network Security](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-network-security/)
* Network-Based Data Exfilt...

# Network-Based Data Exfiltration Detection Extends Visibility of Threats

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fnetwork-based-data-exfiltration-detection%2F)  
[](https://twitter.com/share?text=Network-Based+Data+Exfiltration+Detection+Extends+Visibility+of+Threats&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fnetwork-based-data-exfiltration-detection%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fnetwork-based-data-exfiltration-detection%2F&title=Network-Based+Data+Exfiltration+Detection+Extends+Visibility+of+Threats&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www.paloaltonetworks.com/blog/cloud-security/network-based-data-exfiltration-detection/&ts=markdown)  
\[\](mailto:?subject=Network-Based Data Exfiltration Detection Extends Visibility of Threats)  
Link copied  
By [Rachel Deng](https://www.paloaltonetworks.com/blog/author/rachel-deng/?ts=markdown "Posts by Rachel Deng")  
Jun 09, 2021  
4 minutes  
[Cloud Network Security](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-network-security/?ts=markdown)  
[Cloud Posture Security](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-security-posture-management/?ts=markdown)  
[Threat Detection](https://www.paloaltonetworks.com/blog/tag/threat-detection/?ts=markdown)

[Data breaches](https://www.paloaltonetworks.com/cyberpedia/data-breach?ts=markdown) in public cloud environments continue to be a significant problem. Studies show that there were [3,950 confirmed data breaches](https://enterprise.verizon.com/resources/executivebriefs/2020-dbir-executive-brief.pdf) in 2020 alone. This is partially due to the fact that detecting an exfiltration attempt is extremely challenging -- it takes an average of [228 days to identify a data breach](https://www.ibm.com/security/digital-assets/cost-data-breach-report/#/pdf). Worse still, the average cost of a breach last year was over [$3.8 million](https://www.ibm.com/security/data-breach), not to mention the costs of reputational damage.

To help reduce these risks, Prisma Cloud can now analyze a combination of network flow logs and user behavior to help identify potential malicious data exfiltration attempts before they become an issue.

## What Is Data Exfiltration?

[Data exfiltration](https://www.paloaltonetworks.com/cyberpedia/data-exfiltration?ts=markdown) is when malicious actors gain access cloud environments and illegally download (steal) data.

The [MITRE ATT\&CK™ for Cloud framework](https://www.paloaltonetworks.com/blog/prisma-cloud/mitre-attck-for-cloud-improve-threat-detection/?ts=markdown) identifies this as an "exfiltration" tactic following "initial access." Unlike other tactics in the matrix that deal with mitigating vulnerabilities, exfiltration refers to the impact after your cloud infrastructure has been compromised. It is separate from techniques for discovering vulnerabilities, as attackers have already gathered enough information to compromise an account and begin transferring data out of a cloud environment.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/06/word-image-59.png)

No matter the industry or size of your organization, if you have valuable data like intellectual property, financial information or personally identifiable information (PII), you are a potential target for data exfiltration. In fact, a survey conducted in 2020 shows that [nearly 80% of organizations](https://enterprise.verizon.com/resources/reports/dbir/) have weathered cloud security breaches.

Unfortunately, while many enterprise security teams focus on the early tactics of the ATT\&CK framework to prevent attackers from infiltrating their network, most tend to overlook the signs of data leaving their network.

This is where the new network-based data exfiltration detection helps complete our customers' security strategy.

## How Does Network-Based Data Exfiltration Detection Work?

Once an attacker is able to access cloud data, the goal is to transmit as much as they can out of the network as quickly as possible. And to reduce their chances of being detected, attackers will often use a predetermined protocol, such as Hypertext Transfer Protocol (HTTP), Hypertext Transfer Protocol Secure (HTTPS), Domain Name System (DNS) or File Transfer Protocol (FTP), to transmit the data.

However, these activities would almost certainly deviate from normal user behavior patterns. For example, the data volume may be much greater than most users would transmit. They may also be accessing the environments from a known TOR exit node.

Knowing this, Prisma Cloud uses advanced machine learning (ML) algorithms to analyze network flow logs and user behaviors to create a model of baseline activity. It can then detect deviations from that baseline that could signal malicious data exfiltration attempts, and create an alert.

## Network Anomaly Detection in Prisma Cloud

Beyond data exfiltration monitoring, Prisma Cloud provides a rich set of ML-based detection capabilities for anomalous network activities like:

**Port Scan Activity**Identifies port scan attempts by inspecting inbound and outbound network traffic. It refers to the "discovery" tactic defined in the ATT\&CK framework for cloud.

**Spambot Activity**Identifies if a host inside the customer's cloud environment is generating outbound SMTP traffic and for which no prior mail-related network activity has been observed. It refers to the "impact" tactic in the ATT\&CK framework.

**Unusual Protocol Activity**Identifies network activity from a client host to a server host inside the customer's cloud environment, using an unknown IP protocol. It refers to the "defense evasion" tactic in the ATT\&CK framework.

Together, these capabilities allow users to continuously monitor flow logs generated from network traffic in each environment and look for any potential malicious activity.
![Network anomaly incidents in Prisma Cloud](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/06/word-image-60.png)
Network anomaly incidents in Prisma Cloud

## Next Steps

Network-based data exfiltration detection will be available to Prisma Cloud users in the next two months. To learn more about how to operationalize [Cloud Security Posture Management (CSPM)](https://www.paloaltonetworks.com/cyberpedia/what-is-cloud-security-posture-management?ts=markdown) in the meantime, check out our white paper, [Guide to CSPM Tools](https://www.paloaltonetworks.com/resources/ebooks/guide-to-cloud-security-posture?ts=markdown).

*** ** * ** ***

## Related Blogs

### [Cloud Posture Security](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-security-posture-management/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown)

[#### Azure-Specific Policies to Detect Suspicious Operations in the Cloud Environment](https://www.paloaltonetworks.com/blog/cloud-security/anomaly-detection-policies-azure/)

### [Cloud Posture Security](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-security-posture-management/?ts=markdown), [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown)

[#### Prisma Cloud Provides New Extensive Use Cases for Azure Customers](https://www.paloaltonetworks.com/blog/cloud-security/prisma-cloud-provides-new-extensive-use-cases-for-azure-customers/)

### [Cloud Infrastructure Entitlement Management](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-infrastructure-entitlement-management/?ts=markdown), [Cloud Network Security](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-network-security/?ts=markdown), [Cloud Posture Security](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-security-posture-management/?ts=markdown), [Cloud Workload Protection](https://www.paloaltonetworks.com/blog/category/cloud-workload-protection/?ts=markdown), [DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown)

[#### Building a Zero Trust Framework for Cloud Native Applications](https://www.paloaltonetworks.com/blog/cloud-security/zero-trust-cloud-native-applications/)

### [Cloud Infrastructure Entitlement Management](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-infrastructure-entitlement-management/?ts=markdown), [Cloud Native Security Platform](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-native-security-platform/?ts=markdown), [Cloud Network Security](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-network-security/?ts=markdown), [Cloud Posture Security](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-security-posture-management/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown)

[#### Palo Alto Networks Shifts Left with Prisma Cloud 3.0](https://www.paloaltonetworks.com/blog/2021/11/shift-left-with-prisma-cloud-3-0/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Cloud Infrastructure Entitlement Management](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-infrastructure-entitlement-management/?ts=markdown), [Cloud Native Security Platform](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-native-security-platform/?ts=markdown), [Cloud Network Security](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-network-security/?ts=markdown), [Cloud Posture Security](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-security-posture-management/?ts=markdown), [Cloud Workload Protection Platform](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-workload-protection-platform/?ts=markdown), [DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown)

[#### Prisma Cloud at Ignite '21: What to Know](https://www.paloaltonetworks.com/blog/cloud-security/prisma-cloud-ignite-21/)

### [Cloud Posture Security](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-security-posture-management/?ts=markdown)

[#### Enhancing UEBA with Compute Provisioning Anomaly Detection](https://www.paloaltonetworks.com/blog/cloud-security/compute-provisioning-anomaly-detection/)

### Subscribe to Cloud Security Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language