by tetha 2757 days ago
> The retrieval of a large file would be a good opportunity for detection by SIEM content, but without further knowledge of the application it might not be - large file transfers from that machine might be normal as part of e.g. batch processing.

Or an eccentric and occult edge case like "backups", especially if it's a database system. Sorry for the snark, but I've had to tell some people the importance of backups for production persistence like a broken record for a week or two.

And sure, you could have IDS rules / firewalls set up to flag or block traffic except to the backup storage hosts and the replication servers and the batch processing servers and the monitoring and so on and so on, flag files, ...

But that stuff is hard, requires a lot of maintenance and adds risk to a lot of critical / stress-powered processes. Change your backup storage at 3 am due to hardware failures? Whoops, the firewall of database host #13 wasn't updated, and now you have no more backups from that host.