At this point, there's nary an industry or government that hasn't suffered some level of data breach. Even universities can’t seem to keep a cap on data losses. Often, pwning data is all too simple, and, at 10GBE speeds, data exits hastily.
A RaspberryPi3 attached to a wall wart (power supply) with a 128GB flash card can be removed as easily as it was installed. Add a Wi-Fi dataflow exit, or perhaps another circuit to internal resources, and you could be looking at huge costs in both asset value and liability.
Cloud access security brokers (CASBs) and systems dataflow monitoring systems that look for anomalous behaviors can help. And, certainly, an ounce of prevention is worth a pound of cure. But nothing is foolproof because fools are so ingenious. You must watch for the signs that something’s afoot.
How do you know? Here's a quick list of 25 signs that your data may be "leaving the building."
1. Unknown internal IP addresses or IP addresses with the incorrect IP/MAC address pair
2. Large, unexpected data flows from one host to another
3. No. 1 and/or No. 2 transferring data on IPv6, where it’s never been used before
4. Large flow to unexpected external IP addresses
5. Rapid DHCP address changeovers with new MAC addresses
6. Finding new subnets and/or VLANs where there were none before
7. Larger than normal email messages (Hopefully, organizational ceilings for messages are low and are monitored.)
8. Local storage policy violations (Multi-terabyte USB drives are trivial to obtain.)
9. New WiFi hosts, both APs and non-AP supplicants
10. Excessive browser uploads or anomalous port traffic on VMware hosts
11. New VMs where there were none before (local cloud abuse)
12. Sudden appearance of RDP, WinRM or apps like VNC, LogMeIn and other remote desktop apps
13. SSH/Telnet/FTP/SFTP traffic detection, as found by anomalous port access traffic
14. Data movement quotas near or just under peak allocation for extended periods
15. Data flows over http rather than https, or unencrypted data found anywhere in packet traces
16. The presence of NTLM network packets anywhere (often used by older NAS storage systems, and now deprecated with prejudice)
17. The presence of SMBv1 or SMBv2 protocols (See No. 16.)
18. Changes to default access control lists (ACLs) for important global resources or plausible host targets (Look for baseline default changes through logs, especially frequent baseline changes.)
19. Data movements using unsigned URLs to cloud resources like GoogleCloud or AWS
20. Finding data sets marked for deletion that have reappeared, or remain undeleted
21. Cloud bucket checksums that don’t
22. Employee exits without account removals, zombie user account accesses, large repository pulls from civilian users
23. High activity between known audits
24. Slow implementations of new PAM credentials
25. Email server bulges
Unfortunately, this is just a shortlist of the signs of data exfiltration. In general, my strongest and best recommendation is to read your logs. And, if something doesn't look right, it probably isn't.