Case study: data exfiltration detection for national law firm
Customer: National Australian law firm
Service: Implementation of data exfiltration detections for Splunk Enterprise Security (ES)
Outcome: Practical, always-on detections that surface suspicious data movement across cloud services, endpoints, and network activity
Background and context
Data exfiltration is one of the hardest security problems to solve well, particularly in legal environments where large volumes of sensitive information move frequently, often under legitimate authority. What makes exfiltration risk difficult is that the “bad” activity can resemble normal work: large transfers, unusual access patterns, new devices, or access from uncommon locations. The difference is typically visible only when you correlate activity across multiple systems and evaluate it against what is normal for that business.
Recent incidents have reinforced an uncomfortable reality: exfiltration is often discovered late, after the damage is done. The Office of the Australian Information Commissioner (OAIC) has stated that the Medibank incident affected approximately 9.7 million individuals, highlighting the scale that can be involved when data protection controls do not hold under real adversary pressure.
Similarly, the coordinated response reporting on the HWL Ebsworth incident described the reported exfiltration of approximately four terabytes of data. This is a useful reminder for legal-sector leadership that breach outcomes are not always limited to service disruption. Data removal is frequently part of the threat model.
The MediSecure incident also demonstrates scale and consequence management complexity, with the OAIC noting approximately 12.9 million individuals may have been impacted.
And finally, in 2025, we saw that ASIC commenced a lawsuit in the Federal Court of Australia. ASIC alleges [that] from March 2019 to 8 June 2023, FIIG Securities Limited failed to take the appropriate steps, as is required by an Australian Financial Services (AFS) licensee, to ensure it had adequate cyber risk management systems in place. The filing claims that FIIG was responsible for “systemic and prolonged cybersecurity failures” that allowed attackers from ALPHV to exfiltrate a claimed 385GB of data, in an attack that took place at FIIG in May 2023.
From a detection engineering perspective, these events illustrate a common thread: the organisations involved were not aware until much later that their information had been accessed and stolen, and they therefore faced material consequences as a result of the breach. For many boards and executive teams, the key question becomes practical: what can we do to reduce the chance of exfiltration going unnoticed until much later?
The customer
A national Australian law firm with a high sensitivity to confidentiality, client trust, and reputational risk.
Like most modern firms, the operating environment included a mixture of cloud services, endpoints, and network infrastructure, as well as business workflows that generate legitimate large data movements as part of normal operations.
Project challenges
The customer’s objective was to take a proactive stance on reducing the risk associated with exfiltration-type events, including:
- Unauthorised disclosure of client and legal information
- Regulatory exposure and breach notification burden
- Downstream harm, including identity fraud and targeted scams
- Reputational damage and commercial impact
This challenge is amplified in legal environments because high-value information is concentrated and routinely exchanged.
Exfiltration detection cannot be implemented as a single “magic alert”. It requires telemetry, correlation, baselining, and tuning that reflect business reality.
The solution: DEXRR
dotSec designed and deployed DEXRR, a search and analytics package running as a dedicated detection layer on Splunk Enterprise Security (ES). DEXRR focuses on identifying activities and patterns associated with unauthorised data exfiltration.
Splunk’s own Enterprise Security guidance recognises common exfiltration paths and the role of correlation searches in surfacing suspicious activity across domains.
DEXRR builds on this concept by tailoring detections to the customer environment, validating log coverage, and implementing correlations designed to identify:
- Unusual data movement volume or frequency for a user, host, or application
- Anomalous access patterns indicating potential staging and collection
- Suspicious flows between systems that do not normally exchange large data sets
- Behavioural indicators that become more meaningful when combined, such as new location plus unusual access plus high-volume export
A practical exfiltration program also needs a working model of how attackers operate. Splunk’s security use case material describes exfiltration as a sequence of identification, collection, and staging activities. This matters because it is often easier to detect staging and preparation steps than the final transfer, especially when the final transfer uses legitimate services.
Implementation approach
DEXRR was delivered as an implementation project with ongoing operational integration into the customer’s monitoring program.
Key components included:
- Data source validation and log coverage mapping
Exfiltration detection is only as good as the telemetry. The engagement validated and tuned log sources across the environment, including cloud services, identity, endpoints, and network controls. The aim was to ensure that DEXRR detections were grounded in reliable, searchable evidence.
- Baseline “normal” business activity
Legal operations generate large and frequent information exchanges. The solution emphasised understanding normal patterns first, then defining the boundaries where anomalies become meaningful. This reduces false positives and increases analyst confidence when an alert is raised.
- Correlation-driven detection, not single-event alerting
DEXRR was built around correlating data transfer patterns over both shorter and longer time durations. The DEXRR correlation is based on an accurate baseline and a robust sampling methodology, ensuring the detection of anomalies associated with data movement. This aligns with how Splunk Enterprise Security is typically used to identify risk patterns, with an added capability boost through the use of customer-specific baselines and the power of machine learning.
- Tuning for investigative quality
A detection that fires but does not provide context wastes analyst time. DEXRR detections were tuned to provide usable investigative pivots, including identity context, host context, related events, and time-bound sequences.
- Operational alignment and response readiness
Detection is only half the equation. Response capability matters. NIST’s incident handling guidance emphasises the operational lifecycle of detection and analysis, containment, eradication, and recovery. This shaped how detections were framed so that they could be actioned efficiently.
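The following is an added illustration of the baseline-then-correlate pattern described under "The solution" and "Implementation approach" above (per-user volume baselines over a longer window, scored against a shorter window, with weak context indicators such as a new location or an unfamiliar service combined into one risk score). It is example code written for this page, not DEXRR or any dotSec or Splunk code; the event fields, the indicator weights, the alert threshold and the sample transfers are all constructed assumptions, and the logic is shown in Python rather than as a Splunk correlation search so that it runs stand-alone.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class TransferEvent:
    """One normalised outbound-transfer record, as a SIEM would hold it (assumed schema)."""
    user: str
    ts: datetime
    location: str    # geo/ASN label attached by the identity or proxy source
    service: str     # destination service or protocol
    bytes_out: int


# Weights and threshold are illustrative; a real deployment tunes them against its own baseline.
WEIGHTS = {"volume_anomaly": 3, "new_location": 2, "new_service": 2, "off_hours": 1}
ALERT_THRESHOLD = 4        # a lone volume spike (3) is not enough on its own
BUSINESS_HOURS = (7, 19)   # local hours treated as normal
REVIEW_DAY = date(2025, 1, 29)


def daily_totals(events):
    """Sum bytes_out per calendar day."""
    totals = defaultdict(int)
    for e in events:
        totals[e.ts.date()] += e.bytes_out
    return totals


def robust_baseline(values):
    """Median and median absolute deviation (MAD): one legitimate large transfer
    in the lookback does not drag the baseline up the way a mean would."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad


def score_user(events, user, day, lookback_days=28, k=5.0):
    """Score one user's activity on `day` against that user's own lookback window."""
    start = day - timedelta(days=lookback_days)
    mine = [e for e in events if e.user == user]
    hist = [e for e in mine if start <= e.ts.date() < day]
    today = [e for e in mine if e.ts.date() == day]
    indicators = {}
    if not hist or not today:
        return {"user": user, "day": day, "score": 0, "alert": False, "indicators": indicators}

    # 1. Volume: today's total versus median + k * spread of the lookback days.
    med, mad = robust_baseline(list(daily_totals(hist).values()))
    spread = max(mad, 0.1 * med)          # floor so a flat history cannot yield a zero band
    today_total = sum(e.bytes_out for e in today)
    if today_total > med + k * spread:
        indicators["volume_anomaly"] = f"{today_total / 1e6:.0f} MB vs baseline {med / 1e6:.0f} MB"

    # 2. Context indicators: weak alone, meaningful in combination.
    new_locs = {e.location for e in today} - {e.location for e in hist}
    if new_locs:
        indicators["new_location"] = sorted(new_locs)
    new_svcs = {e.service for e in today} - {e.service for e in hist}
    if new_svcs:
        indicators["new_service"] = sorted(new_svcs)
    off = [e.ts.strftime("%H:%M") for e in today
           if not BUSINESS_HOURS[0] <= e.ts.hour < BUSINESS_HOURS[1]]
    if off:
        indicators["off_hours"] = off

    score = sum(WEIGHTS[name] for name in indicators)
    return {"user": user, "day": day, "score": score,
            "alert": score >= ALERT_THRESHOLD, "indicators": indicators}


def build_sample_events(day=REVIEW_DAY):
    """Constructed sample data (not customer data): 28 days of routine transfers for
    two users, then one day on which alice's activity departs from her baseline."""
    at = lambda d, hour: datetime(d.year, d.month, d.day, hour)
    events = []
    for i in range(28):
        d = day - timedelta(days=28 - i)
        wobble = (i % 5) * 10_000_000      # small day-to-day variation
        events.append(TransferEvent("alice", at(d, 10), "Sydney", "sharepoint", 200_000_000 + wobble))
        events.append(TransferEvent("bob", at(d, 14), "Sydney", "sharepoint", 500_000_000 + wobble))
    # Day under review: bob is busier than usual but inside his band; alice moves
    # 3 GB to a service she has never used, from a new location, at 02:00.
    events.append(TransferEvent("bob", at(day, 11), "Sydney", "sharepoint", 560_000_000))
    events.append(TransferEvent("alice", at(day, 2), "Frankfurt", "dropbox", 3_000_000_000))
    return events


if __name__ == "__main__":
    evs = build_sample_events()
    for u in ("alice", "bob"):
        print(score_user(evs, u, REVIEW_DAY))
```

On the constructed data bob's 560 MB day stays below his median-plus-band and raises nothing, while alice's day accumulates every indicator and alerts with a score of 8. The median/MAD baseline is the part worth keeping in mind for a law firm: a handful of legitimately large matters in the lookback window barely move it, whereas a mean-and-standard-deviation baseline would widen the band and hide the next real anomaly.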
One reason boards care about exfiltration is time. The longer an attacker has to explore, collect, and stage, the worse outcomes become. Mandiant’s M-Trends reporting discusses attacker “dwell time”, the period from compromise to detection, and notes that even where detection is improving, the window is still meaningful for attackers.
On the cost side, IBM’s reporting highlights how long breaches can take to identify and contain, and how those timelines translate into material financial impact.
For legal-sector decision makers, the operational point is straightforward: reducing time-to-detect reduces the attacker’s opportunity to perform extended staging and extraction, and it improves your options for containment and consequence management.
Scale and metrics
1.7TB+: log volume analysed per quarter
240M+: log events per day
530 + 30: on-prem and cloud-service log sources
24: constantly running DEXRR correlations
Key outcomes
Effective
DEXRR was engineered to unify, correlate and baseline the disparate signals within Splunk ES, creating a holistic view of data access and transfer activity across the organisation.
The DEXRR architecture drives operational efficiency by focusing on high-fidelity correlations based on observed patterns rather than noisy and isolated events.
By correlating and prioritising meaningful patterns, the DEXRR package enables security teams to pivot from reactive alert chasing to a focused response to actual data transfer anomalies.
Detailed
Law firms routinely exchange sensitive information in ways that can resemble exfiltration when viewed out of context.
That is why the engagement focused on understanding the customer’s normal activity patterns and then implementing detections designed to identify anomalies that were truly unusual for that environment.
This is also why “set-and-forget” MDR is a poor fit for serious exfiltration risk reduction.
Effective monitoring requires continuous tuning, periodic reassessment of baselines, and careful validation of log sources as business systems change.
Compliant
For Australian organisations, breach consequence management is not theoretical.
The OAIC’s Notifiable Data Breaches (NDB) scheme outlines expectations regarding notification and response, and the Privacy Act requires reasonable steps to protect personal information.
These regulatory realities influence how boards evaluate security programs.
dotSec’s MDR, MSOC and MSIEM services are delivered with a strong compliance posture, and our delivery model is designed to reduce, not add to, your compliance burden.
The next steps
DEXRR was implemented to reduce the risk that data exfiltration activity would go undetected in a national Australian law firm environment. The approach emphasised telemetry validation, baselining of normal business activity, correlation-driven detections, and operational readiness. The resulting deployment runs continuously at scale, providing meaningful visibility into exfiltration patterns across a complex environment.
If you want to understand how DEXRR would map to your own environment, we can walk through likely exfiltration paths, confirm the most important log sources, and outline a practical Splunk ES uplift plan.