[bdibs]

Proper audit logs that are regularly checked.

[drb91]

Assuming the exfiltration can be differentiated from normal behavior!

[auiya]

Seeing large amounts of encrypted traffic leaving via a DNS tunnel during non-standard business hours for instance would be an example of such an anomaly. It's not always that easy to detect however.

[mirimir]

Didn't Sony pick up exfiltration through exceptional data flows?

[IncRnd]

Sony was hacked 19 times in two weeks. There was a lot they didn't pick up on due to the difficulties involved with that.