What is ADX or Anti Data Exfiltration?

Pioneered by BlackFog, ADX (Anti Data Exfiltration) is a technique used to prevent unauthorized data from leaving a device. By targeting multiple parts of the kill chain, ADX effectively blocks the activation and spread of cyberattacks. Since cyberattacks, especially ransomware focuses on data theft for extortion this has become an important technique to thwart modern polymorphic attacks that cannot be stopped by traditional anti-virus solutions.

ADX works by investigating outgoing data on endpoint devices. This gives it a markedly smaller footprint than other solutions, such as firewalls or DLP, which examines incoming and outgoing traffic at the edge of the network. ADX solutions are lightweight enough to run on mobile devices and do not need to work on the corporate network. Instead of comparing traffic to a dictionary of attack signatures, ADX solutions use behavioral analytics to identify unusual behaviors on a user-centric basis. ADX limits the ability for users – including privileged users and administrators – to send sensitive data outside the network.

The goal of any cyberattack is data theft. Adding an ADX solution to a security strategy ensures that there is nothing for an attacker to gain. Without data exfiltration there is no breach, no ransom and no extortion. When cybercriminals can’t steal data, they move on to the next target.

We know that any cybercriminal intent on infiltrating a device or network will eventually find a way in, regardless of the perimeter defense solutions that are in place. ADX looks at the problem in a new way. By making the assumption that bad actors will get into the network, it focuses on preventing them from leaving with an organizations data. No data exfiltration means no successful cyberattack.

Data Loss Prevention (DLP) is one of the most popular legacy approaches to keeping sensitive data secure for organizations. A traditional network approach developed in the 1990’s, it struggles to accommodate the needs of the modern remote workforce. ADX builds on the technology behind DLP while making it more relevant to today’s workforce and security threats. BlackFog sits on the endpoint, so it doesn’t matter where employees are based. Unlike DLP which requires a strict set of policies which are difficult to implement and change, BlackFog is easy to deploy, and fully automated.

EDR / XDR solutions provide necessary endpoint protection as well as threat detection, investigation, and response by using threat intelligence and data analytics. BlackFog works well alongside these solutions but also offers some advantages over these technologies. Here are some main points to consider.

1. AI powered EDRs can’t always provide persistent, protectable solutions for 100% threat detection whereas BlackFog uses behavioral analysis to identify and block suspicious activity before the attack begins.
2. With EDR /XDR not all responses are automated, so human input and response is required. BlackFog is a fully automated on-device technology, meaning the action is taken immediately by the agent on the device. No human intervention required.
3. Some EDR / XDR solutions do not provide cross platform protection and reporting. They also require “a push” to install updates, whereas BlackFog can work across most platforms with integrated reporting available from our Enterprise Console. Our updates are all done automatically via the on device agent.
4. Traditional EDR / XDR requires specialized and dedicated staff. BlackFog does not require specialized staff to monitor or react to threats or attacks, eliminating the need for dedicated resources. Our Enterprise Console provides a centralized, easy to use view of what is happening across all devices in the organization.
5. Most EDRs / XDRs are cloud based whereas BlackFog provides on device protection that does not require any cloud access to provide protection.
6. EDR / XDR is not designed to prevent data exfiltration. Insider threats such as employee mistakes, credential theft and rogue employees require constant monitoring and intervention. BlackFog’s core function is preventing data exfiltration through outbound traffic analysis, restricting data leaving the device under specific, suspicious circumstances.

ADX has been specifically designed to be a zero trust solution as it prevents any code from unauthorized data exfiltration. BlackFog effectively validates a zero trust architecture by ensuring every application is doing exactly what it says it should. In an ideal world this would not be necessary, but latent code can activate at anytime as we have seen time and time again.