In the first half of 2025 Casmer Labs, Cloud Storage Security's internal threat research team, observed a steady increase in high impact data exposure and data theft incidents driven by insider activity, compromised access, and the lack of proactive activity monitoring.
The most visible example in media coverage was Coinbase. On May 15 2025 Coinbase disclosed that cyber criminals had bribed overseas customer support agents to access internal systems and extract data for a subset of Coinbase customers. Coinbase stated that affected data included personal and account level information such as names, dates of birth, partial Social Security numbers, masked bank information, and balance snapshots. Coinbase reported that no passwords, no private keys, and no customer funds were taken. Coinbase refused to pay the twenty million dollar ransom demand and instead offered a twenty million dollar reward for information. Coinbase estimated that total cost exposure, including customer reimbursement and remediation, could reach between one hundred eighty million and four hundred million dollars. Coinbase shares fell roughly six to seven percent the day of disclosure, amid questions about internal controls and an existing Securities and Exchange Commission investigation.
The Coinbase incident is an example of an internal access abuse event. This was not an external intrusion in the traditional sense. It was insiders using the access they already had to pull customer data and hand it over to criminal actors. This remains one of the hardest classes of breach to prevent.
Ingram Micro, one of the world's largest global technology distributors, reported a ransomware incident in early July 2025. Public reporting associated the attack with the SafePay ransomware group. Ingram Micro stated that ransomware was identified on internal systems and that the company took systems offline to contain the spread. For several days Ingram Micro could not process orders or licensing transactions in normal fashion and many of its downstream partners experienced business disruption. Reporting has suggested that the attackers may have taken advantage of remote access exposure and virtual private network access paths, though Ingram Micro has not confirmed an initial access vector.
Both incidents share two traits. First, attackers focused on data and on business interruption. Second, early containment depended on the ability to detect unusual access and unusual behavior in real time.
Why Activity Monitoring Is Important
Most modern organizations are now data driven organizations. Customer records, transaction data, financial reporting data, production telemetry, internal audit trails, and internal communications data all land in cloud storage. This includes Amazon S3 buckets, Amazon Elastic File System file systems, Amazon FSx file systems, Amazon Elastic Block Store snapshots and volumes, and similar services.
In parallel, ingestion bandwidth has increased. Services such as AWS Transfer Family support the movement of extremely large data sets into cloud storage. Even self managed secure file transfer protocol pipelines and partner uploads can push high volume data into object storage daily.
Cloud storage is also relatively inexpensive compared to traditional on premises storage. Vendors offer cost management features such as intelligent tiering. Intelligent tiering automatically moves objects between retrieval tiers based on access frequency to reduce spend.
The result is predictable. The total volume of data in cloud storage grows quickly. That same data becomes more widely distributed across many storage locations, many AWS accounts, and many logical containers. Sensitive data that used to exist in a single controlled system is now duplicated into buckets created for analytics, support, operations, compliance, vendor sharing, and backup.
As data spreads, the attack surface spreads. Data that was once centrally controlled can often be accessed, copied, or exfiltrated by more people, more systems, and more automated workflows than expected.
This is why proactive activity monitoring matters. Without activity monitoring, unusual access to data can proceed for hours or days before anyone notices.
How Activity Monitoring Works
Activity monitoring for cloud storage typically combines two approaches.
The first approach is signature based monitoring. Signature based monitoring looks for known malicious behavior or known high risk events. For example, a sudden appearance of ransom notes or bulk encryption attempts in a storage location, or an identity attempting to download an entire sensitive bucket.
The second approach is anomaly detection. Anomaly detection learns what normal access looks like for a given storage location or identity and then flags abnormal behavior. For example, a service account that usually reads a few kilobytes of logs per hour suddenly attempting to copy gigabytes of sensitive customer records.
Consider the Coinbase incident in a cloud storage context. According to Coinbase, criminal actors bribed overseas support agents to access and extract sensitive information for a subset of Coinbase users.
If those insiders had attempted to stage or download that customer data from cloud storage, an effective activity monitoring solution could have done the following:
- Establish a baseline
During normal operation, anomaly detection builds a baseline of which identities access which storage locations, how often they read or write, and in what volume.
- Detect mass access
When a support identity that normally pulls a single record for a single user suddenly attempts to bulk download sensitive records for many users, anomaly detection flags that spike as abnormal.
- Apply controls
Signature based rules identify that the content being accessed includes high sensitivity customer data. Automated response can remove access, quarantine the identity, or lock the storage location to prevent further exfiltration.
This is the same basic model that applies to ransomware. In the Ingram Micro incident, SafePay ransomware reportedly forced core systems offline for days while the company worked to contain and recover.
If an attacker gains access to an environment and begins encrypting or staging data for extortion, activity monitoring can detect mass write and modification activity and encryption-like behavior in storage. Automated response can isolate affected storage locations or revoke the attacker identity. The objective is to stop encryption and stop bulk data staging before full business interruption.
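The two approaches described above (signature based and anomaly detection), the three Coinbase steps (baseline, detect mass access, apply controls) and the encryption-like write pattern just described, as one added example that is not code from the original post or from DataDefender: it builds a per-identity baseline from constructed CloudTrail-style S3 data events, flags a read spike against sensitive keys, and applies two signature rules (ransom-note file names and a burst of ".locked" rewrites). Identity ARNs, bucket and key names, the note regex and both thresholds are assumptions.

```python
import re
from collections import defaultdict

# Added example (not code from the original post). Events are tuples in CloudTrail S3
# data-event order: (eventTime, identity ARN, eventName, bucket, key); all constructed.
SENSITIVE_PREFIXES = ("customers/",)   # assumed high-sensitivity key prefixes
RANSOM_NOTE = re.compile(r"(readme|how_to).*(decrypt|recover)", re.I)  # constructed pattern
SPIKE_FACTOR = 5     # alert when hourly distinct reads exceed 5x this identity's baseline
MASS_WRITE_MIN = 20  # alert on this many ".locked" writes by one identity in one hour
def hour_of(ts): return ts[:13]   # "2025-06-02T10:00:00Z" -> "2025-06-02T10"
def hourly_reads(events):
    """Distinct keys fetched with GetObject, per (identity, bucket, hour)."""
    seen = defaultdict(set)
    for ts, arn, name, bucket, key in events:
        if name == "GetObject":
            seen[(arn, bucket, hour_of(ts))].add(key)
    return {k: len(v) for k, v in seen.items()}
def build_baseline(history):
    """Step 1: per (identity, bucket), the most objects ever read in a single hour."""
    base = defaultdict(int)
    for (arn, bucket, _), n in hourly_reads(history).items():
        base[(arn, bucket)] = max(base[(arn, bucket)], n)
    return dict(base)
def detect(baseline, events):
    """Steps 2 and 3: return (rule, identity, bucket, detail) findings to act on."""
    findings, locked = [], defaultdict(int)
    sensitive = {(e[1], e[3]) for e in events if e[4].startswith(SENSITIVE_PREFIXES)}
    for (arn, bucket, hour), n in hourly_reads(events).items():   # anomaly rule
        normal = baseline.get((arn, bucket), 0)
        if n > max(SPIKE_FACTOR * normal, SPIKE_FACTOR):
            rule = "bulk_read_sensitive" if (arn, bucket) in sensitive else "bulk_read"
            findings.append((rule, arn, bucket, f"{n} objects in {hour}, baseline {normal}"))
    for ts, arn, name, bucket, key in events:                      # signature rules
        if name == "PutObject" and RANSOM_NOTE.search(key):
            findings.append(("ransom_note", arn, bucket, key))
        elif name == "PutObject" and key.endswith(".locked"):
            locked[(arn, bucket, hour_of(ts))] += 1
    for (arn, bucket, hour), n in locked.items():
        if n >= MASS_WRITE_MIN:
            findings.append(("mass_encrypt_write", arn, bucket, f"{n} .locked writes in {hour}"))
    return findings
# Constructed sample: the agent reads two records per hour on day one and forty in one hour
# on day two; a batch role then rewrites a report folder as ".locked" and drops a note.
AGENT = "arn:aws:iam::111122223333:user/support-agent"
ROLE = "arn:aws:sts::111122223333:assumed-role/batch-job/session"
HISTORY = [(f"2025-06-01T{h:02d}:05:00Z", AGENT, "GetObject", "customer-data", f"customers/{h}{i}.json") for h in range(9, 12) for i in range(2)]
TODAY = [("2025-06-02T10:00:00Z", AGENT, "GetObject", "customer-data", f"customers/{i}.json") for i in range(40)]
TODAY += [("2025-06-02T11:00:00Z", ROLE, "PutObject", "customer-data", f"reports/{i}.csv.locked") for i in range(25)]
TODAY.append(("2025-06-02T11:01:00Z", ROLE, "PutObject", "customer-data", "HOW_TO_RECOVER_FILES.txt"))
def run_example():
    return detect(build_baseline(HISTORY), TODAY)
```

Each finding carries the identity, bucket and hour, which is what an automated response needs to revoke the identity or lock the storage location rather than alert on the whole account.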
Why Activity Monitoring Works
There are three structural reasons why activity monitoring remains necessary.
- Not every threat is known in advance
Security teams cannot publish signatures for an insider who has not been recruited yet or for a new ransomware operator that has not announced itself yet. Anomaly detection does not need a prior signature. It only needs to know that behavior is not normal for this storage location or this identity.
- Many security platforms do not provide deep coverage at the storage layer
Cloud native application protection platforms focus on application runtime and container posture. Identity security focuses on credential use and session hardening. Network controls focus on traffic inspection and segmentation. All of these are important. However, in many environments, object storage and file storage are still monitored lightly, if at all. That is a gap, because attackers increasingly go straight to the data.
- Data theft and extortion are now core business models for criminal groups
Coinbase publicly stated that actors demanded twenty million dollars and threatened to publish stolen customer data. Coinbase refused to pay. Ingram Micro was forced to take core systems offline and work through staged restoration while its global channel partners were unable to transact normally. This is now routine. It is not rare.
Casmer Labs Recommended Practices
Casmer Labs recommends the following practices for organizations that handle sensitive customer data, operational data, financial data, or regulated data in cloud storage.
- Maintain a reliable backup and recovery plan
Maintain offline or otherwise isolated backups of critical systems and critical data. Test restoration on a regular cadence. Scan backup images for known ransomware before restore to avoid reinfection.
- Apply strong access governance in storage
Limit who can view, copy, or download sensitive data. Remove broad read and write access to high sensitivity storage locations. Use identity and access management conditions such as required encryption and allowed network paths.
- Enable lifecycle and event notifications for sensitive buckets
Enable storage level notifications for object creation, deletion, modification, and large download events in high sensitivity buckets. Alert on bulk changes.
- Enforce basic account security hygiene
Require strong authentication, including multifactor authentication for administrative actions and for any identity that can access sensitive cloud storage. Rotate keys and credentials that can access storage. Remove unused access paths.
- Deploy activity monitoring for storage
Implement an activity monitoring solution that combines signature based detection and anomaly detection. The solution should monitor object level access, write patterns, and download patterns in storage, generate alerts on suspicious behavior, and remove access or quarantine automatically.
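A bucket policy applying the two identity and access management conditions named under access governance above (required encryption and an allowed network path), with the weak setting beside it and the kind of check a continuous posture assessment would run, as an added example that is not code from the original post or from DataDefender. Bucket name, account ID, role name and VPC endpoint ID are constructed placeholders.

```python
# Added example, not code from the original post. A bucket policy that applies the two
# conditions named in the recommendations (required server-side encryption and an
# allowed network path), plus the check a posture scanner would run on any policy.
# Bucket name, account ID, role name and VPC endpoint ID are constructed placeholders.
BUCKET = "customer-data"
ALLOWED_VPCE = "vpce-0123456789abcdef0"

HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Reject uploads that do not request SSE-KMS, so nothing lands unencrypted.
            "Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
        {   # Reject object access that does not arrive through the approved VPC endpoint.
            "Sid": "DenyOutsideAllowedNetworkPath", "Effect": "Deny", "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"StringNotEquals": {"aws:SourceVpce": ALLOWED_VPCE}},
        },
    ],
}

# Weak setting for comparison: a plain Allow with no encryption or network conditions.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/support"},
    "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}

def _denies(policy, action, cond_key):
    """True if some Deny statement covers `action` and keys its condition on `cond_key`."""
    for st in policy.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Deny" or action not in actions:
            continue
        if any(cond_key in keys for keys in st.get("Condition", {}).values()):
            return True
    return False

def posture_findings(policy):
    """Return the controls from the recommendations that this policy does not enforce."""
    missing = []
    if not _denies(policy, "s3:PutObject", "s3:x-amz-server-side-encryption"):
        missing.append("no deny of unencrypted uploads")
    if not _denies(policy, "s3:GetObject", "aws:SourceVpce"):
        missing.append("reads not restricted to an allowed network path")
    return missing
```

The second Deny statement rejects every request that does not traverse the named endpoint, including console and out-of-VPC administrative access, so stage it on a non-production bucket and keep a break-glass path before applying it to sensitive data.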
DataDefender
DataDefender by Cloud Storage Security focuses on activity monitoring and data security posture management for cloud storage. DataDefender is designed to detect and respond to internal and external threats at the storage layer, including data exfiltration, ransomware, and insider misuse.
DataDefender provides:
- Visibility
DataDefender maintains a live inventory of cloud storage resources across connected Amazon Web Services accounts. This includes Amazon S3, Elastic File System, FSx file systems, Elastic Block Store snapshots and volumes, and Glacier style archival locations. The inventory includes ownership, business purpose, exposure status, encryption state, and recent activity.
- Classification
DataDefender identifies sensitive data locations, including personal data, financial records, customer transaction data, and operational runbooks. This supports prioritization and access reduction for high risk storage.
- Activity monitoring
DataDefender records which identities accessed which objects and when. It highlights unusual or bulk access, mass listing, mass download, encryption like write patterns, and large transfers. This supports investigation of data exfiltration attempts, insider misuse, and ransomware staging.
- Continuous posture assessment
DataDefender continuously evaluates storage posture and checks for publicly accessible Amazon S3 buckets, overly permissive access control lists, broad cross account access, insecure snapshots, missing encryption, missing logging, weak retention controls, and lack of immutability. Findings are prioritized by severity so that the most critical cloud storage risks are addressed first.
- Evidence for response
DataDefender links identity, timestamp, object, and configuration state. During an incident this supports answering what data was accessed, by whom, when, and from where. That level of evidence is needed for internal reporting, customer notification, regulatory inquiries, and legal review.
Cloud Storage Security
Cloud Storage Security protects the storage layer in the cloud. DataDefender is a storage focused data security posture management and activity monitoring platform. It is designed to help organizations detect ransomware behavior, detect data exfiltration, and identify insider misuse inside cloud storage, and to maintain continuous visibility and control over cloud storage security posture.
This class of control is now essential. Attackers no longer need to break an application to cause damage. They only need to convince someone with access to pull the data for them, or reach storage long enough to encrypt it.
The DataDefender beta program is open for applications now. Sign up at cloudstoragesecurity.com/datadefender to request access to the solution.