Preventing Internal and External Data Breaches with DataDefender


In the first half of 2025, Casmer Labs, Cloud Storage Security's internal threat laboratory, observed numerous high-profile data breaches and security incidents that could be attributed to the absence of proactive activity monitoring. The most widely reported example was the Coinbase incident, in which overseas support staff exfiltrated sensitive customer data on behalf of external cyber actors. On May 15, 2025, the day of its public disclosure, Coinbase (COIN) shares dropped 7% on concerns about internal controls and an ongoing SEC investigation.

Despite heavy investment in security tools, platforms, and headcount, the reality is that without both employee education and proactive activity monitoring, preventive controls alone will not stop an educated or determined actor. It remains unconfirmed whether the offending employees held excessive permissions (for example, the ability to view or bulk-download sensitive customer data); either way, an effective activity monitoring solution would have flagged the unusual access pattern and could have cut off the employees' access before the bulk of the data left the environment.

The Coinbase incident was just one of hundreds of breaches disclosed in 2025, yet both the internal and the external threats to data remain inadequately addressed.

 

Why Activity Monitoring Is Important

Modern business practices are increasingly reliant on data, with optimization through analytics and machine learning becoming standard even for small businesses. Managed ingestion services such as AWS Transfer Family make it routine to move petabyte-scale volumes of data into the cloud every day, and even self-managed SFTP servers are easy to stand up, further lowering the barrier to ingestion.

Cloud storage is also often more cost-effective than on-premises alternatives. Vendors offer further cost reductions, such as Amazon S3 Intelligent-Tiering, which automatically moves objects between access tiers based on how often they are accessed.

Your organization's cloud data volume (like most others') has likely expanded significantly over the past year. That growth also disperses data across an increasing number of Amazon S3 buckets, Amazon EFS and FSx file systems, Amazon EBS volumes, and other repositories. For many organizations, this means data fragmented across numerous AWS accounts and virtual storage containers, and the more dispersed the data becomes, the larger both the risk and the attack surface.

 

How Activity Monitoring Works

Activity monitoring combines two core functions: signature-based detection and anomaly detection. Signature-based detection matches known attack patterns, such as a ransom note appearing in a storage bucket, while anomaly detection learns a baseline of normal activity and flags deviations from it.

Consider how activity monitoring could have contained a Coinbase-like attack in a cloud environment:

  • Initial Setup: Upon installation, the anomaly detection system learns from existing log activity and establishes a baseline of what constitutes "normal" for each user, role, and storage resource.
  • Attack Initiation: After accepting a bribe, the employees attempt to access and exfiltrate sensitive customer data.
  • Activity Monitoring Response: As the employees begin downloading the data, the monitoring solution acts immediately:
    • Signature-Based Detection: A rule matches a known pattern, objects classified as sensitive being downloaded by a support identity that has no business need for them in bulk. The system alerts and revokes the employees' permissions, stopping the attack.
    • Anomaly Detection: The download volume far exceeds the employees' learned baseline. The deviation triggers an immediate revocation of their permissions, halting the attack.
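To make the two functions concrete, here is an added example (not DataDefender's code, and not code from the original post) in Python that runs a signature rule and a per-principal anomaly rule over constructed CloudTrail-style S3 data events. The ransom-note pattern, the principal ARNs, the baseline counts, and the three-sigma threshold with an absolute floor are all assumptions chosen for illustration.

```python
"""Toy activity monitor over CloudTrail-style S3 data events.

Two detectors, mirroring the two functions described above: a signature
rule (known ransom-note object names being written) and a per-principal
anomaly rule (download counts versus a learned hourly baseline).
All sample events and baselines below are constructed for this example.
"""
import re
import statistics
from collections import Counter

# Signature: object names attackers commonly drop after encrypting a bucket.
# Illustrative pattern (an assumption of this example); real rule sets are larger.
RANSOM_NOTE_RE = re.compile(
    r"(readme|how_to|recover|restore|decrypt|instructions).*\.(txt|html)$",
    re.IGNORECASE,
)


def signature_alerts(events):
    """Flag PutObject events whose object key looks like a ransom note."""
    alerts = []
    for e in events:
        key = e["requestParameters"].get("key", "")
        if e["eventName"] == "PutObject" and RANSOM_NOTE_RE.search(key):
            alerts.append({
                "rule": "ransom-note",
                "principal": e["userIdentity"]["arn"],
                "bucket": e["requestParameters"]["bucketName"],
                "key": key,
            })
    return alerts


def learn_baseline(history):
    """history maps principal ARN -> list of GetObject counts for past hours.
    Returns principal ARN -> (mean, population stdev) of those counts."""
    baseline = {}
    for principal, counts in history.items():
        mean = statistics.fmean(counts)
        stdev = statistics.pstdev(counts) if len(counts) > 1 else 0.0
        baseline[principal] = (mean, stdev)
    return baseline


def anomaly_alerts(events, baseline, sigmas=3.0, floor=20):
    """Flag principals whose GetObject count in the current window exceeds
    mean + sigmas * stdev of their baseline. The absolute floor stops a very
    quiet principal (tiny stdev) from firing on a handful of legitimate reads;
    a principal with no baseline at all is judged against the floor alone."""
    counts = Counter(
        e["userIdentity"]["arn"] for e in events if e["eventName"] == "GetObject"
    )
    alerts = []
    for principal, n in counts.items():
        mean, stdev = baseline.get(principal, (0.0, 0.0))
        threshold = max(mean + sigmas * stdev, floor)
        if n > threshold:
            alerts.append({
                "rule": "mass-download",
                "principal": principal,
                "count": n,
                "threshold": threshold,
                # In a real deployment this is where the session would be
                # revoked or a deny policy attached; here we only report.
                "action": "revoke-session",
            })
    return alerts


# ---- constructed sample data (not real log data) ----
ALICE = "arn:aws:sts::111122223333:assumed-role/SupportRole/alice"
BOB = "arn:aws:sts::111122223333:assumed-role/SupportRole/bob"
SVC = "arn:aws:iam::111122223333:user/backup-svc"

# Hourly GetObject counts for the previous five hours.
SAMPLE_HISTORY = {ALICE: [4, 6, 5, 7, 5], BOB: [5, 4, 6, 5, 6]}


def _evt(name, arn, key, bucket="customer-records"):
    """Minimal CloudTrail-shaped S3 data event (constructed)."""
    return {"eventName": name, "userIdentity": {"arn": arn},
            "requestParameters": {"bucketName": bucket, "key": key}}


SAMPLE_EVENTS = (
    [_evt("GetObject", ALICE, f"kyc/customer-{i}.json") for i in range(60)]  # mass download
    + [_evt("GetObject", BOB, f"kyc/customer-{i}.json") for i in range(5)]   # normal
    + [_evt("PutObject", SVC, "HOW_TO_RECOVER_FILES.txt")]                    # ransom note
)


def run(events=SAMPLE_EVENTS, history=SAMPLE_HISTORY):
    """Run both detectors over one window of events and return all alerts."""
    return signature_alerts(events) + anomaly_alerts(events, learn_baseline(history))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The anomaly rule fires for the support identity that pulls 60 objects in an hour against a baseline of roughly five, while a colleague reading five objects stays quiet, and the signature rule catches the ransom note regardless of who wrote it. Two practitioner caveats: CloudTrail does not record S3 object-level (data) events unless you enable them on the trail, so a monitor like this sees nothing until that is switched on, and the floor and sigma values need tuning per environment to keep false positives manageable.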

While both methods reach the same outcome in this scenario, the redundancy is often crucial. Signature-based detection is simpler, but more complex attacks, such as the Ingram Micro incident, might only be caught by anomaly detection. That incident, which caused approximately five days of downtime, was reportedly the result of attackers compromising the company's VPN systems. At the time of this post's publication, it appears probable that the VPN compromise led to the encryption and ransom of systems, including Ingram Micro's cloud storage. As with the Coinbase incident, a robust, automated activity monitoring solution would likely have caught the encryption activity as it began and prevented much of the data loss Ingram Micro experienced.

 

Why Activity Monitoring Works

Not every threat is known, and not every threat exists yet. Many organizations assume that their Cloud-Native Application Protection Platform (CNAPP) provides complete coverage of applications, users, workloads, and infrastructure. In practice, CNAPP coverage of the storage layer tends to be slim and shallow, if present at all. Combine that gap with two facts, that cybercriminals are increasingly shifting their focus toward data and that the end goal of every data-centric attack is to exfiltrate the data or extort its owner, and the number of possible attack paths to that goal is effectively unbounded.

Activity monitoring therefore acts as either the first or the last line of defense for an organization's data, depending on whether the attack originates inside or outside. If a cyber actor reaches an organization's cloud account through a VPN vulnerability, activity monitoring can detect and stop the exfiltration attempt. If an employee attempts to encrypt data after being fired, activity monitoring detects the anomaly and pulls their permissions.

To prevent similar attacks from affecting your organization, Casmer Labs recommends the following best practices:

  • Implement a robust backup strategy (versioned or immutable copies with tested restores), which is key to recovering from ransomware
  • Add a condition element to your IAM or bucket policies that denies uploads using SSE-C (customer-provided keys), so an attacker cannot re-encrypt your objects with a key only they hold
  • Enable S3 event notifications for lifecycle events so that unexpected expirations or transitions of objects are surfaced
  • Practice basic security hygiene: strong, unique credentials, rotation of long-lived access keys, and multi-factor authentication (MFA) on every account
  • Implement a signature-based and anomaly detection activity monitoring solution that proactively parses logs to identify early indicators of breaches and ransomware attacks
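The SSE-C recommendation as a worked bucket-policy fragment, added here as an example rather than taken from the original post. With SSE-C the caller supplies the encryption key on each PutObject and AWS never stores it, so an attacker with write access who re-uploads objects under their own key leaves the owner with data only the attacker can decrypt. The statement below denies any PutObject (and therefore any copy, which also requires PutObject) that carries the customer-algorithm header, leaving SSE-S3 and SSE-KMS, whose keys stay under the account's control, as the only options. The bucket name is a placeholder; the same condition can be placed in an IAM identity policy instead of the bucket policy.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenySSECUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption-customer-algorithm": "false"
        }
      }
    }
  ]
}
```

The `Null` operator with value `"false"` means "the key is present in the request", so the deny applies exactly when a caller asks for SSE-C. Objects already stored with SSE-C are unaffected by this policy, so inventory existing objects before relying on it.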

 

DataDefender by Cloud Storage Security automates the detection and mitigation of internal and external threats, preventing data exfiltration, ransomware, and other attacks at the source. Sign up for the DataDefender beta at cloudstoragesecurity.com/datadefender.

 

About Cloud Storage Security

Cloud Storage Security (CSS) helps customers protect the storage layer of their cloud environments. DataDefender by Cloud Storage Security offers customers protection across the entirety of their cloud storage environment. Make sure your organization:

  • Knows where its sensitive data resides
  • Configures its storage resources in a secure manner
  • Prevents the ingestion and distribution of malware, including ransomware
  • Identifies and stops internal and external attacks against storage, and the data within

 

The DataDefender beta program is open for applications now. Sign up at cloudstoragesecurity.com/datadefender to request access to the solution.

 

Cloud Storage Security’s cloud antivirus solution is also available in AWS Marketplace with a 30-day free trial.

 
