Detecting Data Exfiltration Patterns in SaaS Applications
Learn how to identify data exfiltration before it becomes a breach. Covers bulk-download signals, after-hours anomalies, and how LiteSOC's data.* events give you real-time visibility
Data exfiltration is the silent killer of SaaS companies. Unlike a brute-force attack which announces itself in your logs exfiltration often looks like normal user behavior until it's too late. A disgruntled employee exporting every customer record before resigning. An attacker using a stolen session to systematically drain your database. A third-party integration quietly syncing far more data than it should.
The bad news: most SaaS apps have no idea it's happening. The good news: the signals are there if you know what to look for.
What is Data Exfiltration?
Data exfiltration is the unauthorized transfer of data from your system. It comes in two forms:
- Insider threat: A legitimate user (employee, contractor, partner) abusing their access to copy, download, or transmit data they shouldn't.
- External attacker: A threat actor who has gained access via stolen credentials, session hijacking, or API key compromise and is systematically extracting data.
Both leave a trail. Your job is to instrument your application to capture it.
The Four Exfiltration Signals
1. Bulk Data Downloads
A user who downloads 10 records a day suddenly exports 50,000 in a single session. This is the clearest exfiltration signal, and it's shockingly easy to miss if you're not tracking download volumes per user.
Track this with a data.export event every time a user triggers a bulk download or CSV export:
import { LiteSOC } from "@litesoc/node";
const client = new LiteSOC({ apiKey: process.env.LITESOC_API_KEY });
// Inside your export handler
await client.track({
event_name: "data.export",
user_id: session.userId,
ip_address: req.ip,
metadata: {
record_count: exportedRows,
export_format: "csv",
table: "customers",
filters_applied: !!query.filters,
},
});
LiteSOC's behavioral baseline will alert you when a single user's export volume spikes beyond their 30-day rolling average.
2. After-Hours Access
Normal users access your application during business hours, within the timezone tied to their profile. When data access events cluster between 2 AM and 5 AM local time especially high-volume ones that is a strong exfiltration signal.
This pairs with impossible travel detection. An account that logs in from London at 9 AM and then initiates a bulk export from Singapore at 2 AM is almost certainly compromised.
3. Rapid Sequential Record Access
Rather than exporting a table in one shot, sophisticated attackers will paginate through your API to avoid triggering bulk-export alerts. The pattern: hundreds of GET /api/records?page=N requests in rapid succession from the same session.
Track data.read events with a batch_size context field and set alerts when a session reads more than your baseline threshold in a short window:
await client.track({
event_name: "data.read",
user_id: session.userId,
ip_address: req.ip,
metadata: {
resource: "invoices",
record_count: results.length,
page: query.page,
is_programmatic: isAPIKeyRequest,
},
});
4. Scope Creep in API Keys
API keys are often the exfiltration vector that goes completely undetected. A key provisioned for a narrow purpose (e.g., webhook verification) starts being used to read sensitive resources. Track data.read events by API key, not just by user, and alert when a key accesses resources outside its historical pattern.
Building a Detection Baseline
Point-in-time anomaly detection produces too many false positives. A CFO running end-of-quarter exports will trigger every threshold-based rule you write. The solution is behavioral baselines.
LiteSOC builds a 30-day rolling baseline per user per event type. Rather than alerting on "user exported more than 1,000 records," it alerts on "user exported 10× their typical volume." This eliminates noise while catching genuine outliers.
For your own application-level logic, you can query the LiteSOC Management API to retrieve a user's recent data.export activity and compare it in real time:
// Check if current export is anomalous before allowing it
const recentExports = await fetch(
`https://api.litesoc.io/events?event_name=data.export&user_id=${userId}&limit=30`,
{ headers: { "X-API-Key": process.env.LITESOC_API_KEY } }
);
const { data: events } = await recentExports.json();
const avgRecordCount =
events.reduce((sum: number, e: any) => sum + (e.metadata?.record_count ?? 0), 0) /
(events.length || 1);
if (requestedCount > avgRecordCount * 5) {
// Require step-up authentication or manager approval
return res.status(403).json({ error: "Export volume exceeds your baseline. Step-up auth required." });
}
The Data Event Taxonomy
LiteSOC provides four purpose-built events for data activity. Use all of them.
| Event | When to Fire | Key Metadata |
|---|---|---|
data.read | Any sensitive record fetch | resource, record_count, is_programmatic |
data.export | CSV/JSON/bulk download triggered | record_count, export_format, table |
data.delete | Record or batch deletion | record_count, resource, is_bulk |
data.share | Link sharing, permission grant, external access | recipient, permission_level, resource_id |
Don't conflate these. Keeping them separate lets you build precise alert rules e.g., "alert on data.export > 10,000 records" without being drowned out by routine data.read events.
What to Do When You Detect It
Detection without a response plan is theater. When LiteSOC fires a data exfiltration alert, your runbook should:
- Immediately invalidate the session (or API key) that triggered the alert.
- Freeze the account pending review not delete, freeze.
- Snapshot the alert with full forensic context (LiteSOC preserves IP, geolocation, and network intelligence for this exact purpose).
- Notify your security contact via your configured webhook or email channel.
- Preserve the audit trail do not modify or delete the user's records until legal review is complete.
LiteSOC's webhook payloads include the full event object and alert context, so an n8n or Zapier automation can handle steps 1–4 in under five seconds.
Conclusion
Data exfiltration is detectable, but only if you instrument your application to capture the signals. Start with data.export events today, it's a single line of code per export endpoint and layer in data.read, data.delete, and data.share as you go. With LiteSOC's behavioral baselines doing the heavy lifting, you'll know about exfiltration before your customers do.
Ready to instrument your first data event? Check out the LiteSOC Node SDK or the REST API reference.
Stay Updated
Get the latest security insights and product updates delivered to your inbox. No spam, unsubscribe anytime.