File servers still exist for legacy storage and governance, but most modern workflows now happen in collaboration tools, code platforms, chats, and AI systems.

File servers remain, but they are no longer central to operations.

They still appear important on paper: legacy project shares with strict permissions, legal drives with structured folders, and network areas where data loss prevention (DLP), classification, and governance controls have been refined over the years. These remain prominent in legacy consoles, which can be reassuring for those familiar with that environment.

However, current workflows have shifted elsewhere.

Product teams now work in shared documents, kanban boards, and temporary comment threads. Engineering focuses on code review platforms and build systems rather than traditional file servers. Sales and customer success teams exchange sensitive information through tickets, chats, and embedded panels. Increasingly, this information is also processed by AI assistants for summarization, translation, or drafting.

If your tools are designed to monitor files on servers or scan cloud storage for similar patterns, they may detect some activity, providing a sense of control. However, these tools still operate under the assumption that data exists solely as files in specific locations.

The business no longer operates this way.

Data security posture management (DSPM) was introduced to address this shift. Early products promised to scan cloud environments, identify sensitive data in object stores and SaaS platforms, and provide a comprehensive map. For teams used to discovering unexpected S3 buckets through breach reports and incidents, this was a welcome solution.

Initially, this approach was effective. Architects could identify critical data locations, compliance teams could incorporate these findings into risk assessments, and CISOs could confidently discuss coverage with audit committees.

However, DSPM began to conflate awareness with control, similar to previous file-centric DLP solutions.

This is evident in many deployments: scans are performed, issues are reported, and some high-profile remediation projects are initiated. However, the focus soon shifts, and operational challenges continue to arise from familiar sources.

This is not due to negligence; it reflects the limitations of a map-only approach. Knowing a cloud store contains sensitive data is helpful, but it does not address how users or AI systems interact with that data.

Both the traditional DSPM and file-centric models are effective at identifying data locations but lack insight into data activity.

Feedback from those closest to the issue highlights these weaknesses.

CISOs value having an inventory, but they are also responsible when incidents occur involving key accounts or critical projects. In these situations, knowing which stores are sensitive is insufficient; they need to determine whether a specific user, tool, or agent interacted with that data in a way that requires regulatory explanation.

Security architects also appreciate data maps, but they recognize that risk ratings across repositories do not identify which ones are most vulnerable to workflow issues. Static risk scores cannot differentiate between stable and dynamic risk environments.

Engineers are tasked with integrating DSPM findings, DLP rules, and inputs from EDR and IAM systems to create a unified solution. When these components are separate products, engineers often serve as the connectors, which becomes problematic if key personnel transition to other teams.

SOC analysts manage the resulting alerts, which often come in separate formats such as file-based actions and DSPM issues. They are expected to correlate these streams manually. When unusual activity occurs, the effectiveness of the response depends on timely cross-referencing of relevant data.

There is extensive mapping, but limited intervention.

A new approach is emerging among teams seeking more effective solutions.

In this approach, DSPM is not eliminated but repositioned. It serves as a valuable source of information about critical data locations, though it is no longer the central focus of data security.

The primary focus shifts to a more direct question:

“Given that we know which stores and datasets are most important, how do we monitor data activity and intervene appropriately without disrupting workflows?”

Addressing this requires two elements that previous models did not prioritize.

The first is continuous data lineage: maintaining a real-time record of how content from critical stores moves throughout the environment. This includes not only files, but also reports, exports, cached copies, chat messages, and AI prompts that originate from these sources.

The second is implementing controls that recognize data lineage. DLP and related policies should consider the origin of content, not just patterns and paths. For example, treating any data derived from a specific dataset as critical when it moves to certain destinations is a more precise approach than simply blocking content based on pattern recognition.

When DSPM, DLP, and data lineage are integrated within a single platform, the system can automatically adjust how high-risk data is managed across endpoints, browsers, collaboration tools, and AI workflows. Analysts benefit from built-in correlations, reducing manual effort.

When these capabilities exist in separate products that only exchange data through exports and webhooks, it increases complexity and workload for those responsible for maintaining system alignment.

This is not a criticism of any specific vendor. File-centric DLP and map-only DSPM were appropriate solutions for their time and addressed genuine industry needs.

However, industry requirements have evolved.

If your unstructured data security strategy continues to prioritize file servers or static cloud inventories, you will remain unprepared for incidents that occur outside the scope of these tools.

Alternatively, by using a DSPM, that is integrated with DLP that uses data lineage, you gain the ability to detect and respond to potential data exfiltration before it is too late.

About the Author: Franklin Nguyen is a product marketing leader in AI and data security at Cyberhaven. With prior roles spanning Tenable, Zscaler, VMware, and IBM, he brings experience across cloud infrastructure, hyperscalers, and modern security platforms, helping organizations navigate the evolving challenges of protecting data in AI- and cloud-driven environments. Based in the San Francisco Bay Area, Franklin also leads the AI & Data Security Collective, a community of security leaders focused on advancing best practices, collaboration, and innovation in AI and data security.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, File Servers)

A expansão internacional do grupo de cibercriminosos conhecido como Scattered Spider acendeu um sinal de alerta entre empresas latino-americanas. Especialistas em segurança apontam que, embora não haja registros confirmados de ataques desse grupo no Brasil ou vizinhos até o momento, seu alcance global e métodos sofisticados representam um risco iminente para organizações na região.

Com táticas de engenharia social elaboradas e capacidade de driblar defesas tradicionais, o Scattered Spider tem mirado grandes empresas em diversos países. “A questão não é mais ‘se’ seremos atacados, mas de ‘quando’ e ‘como’, afirma Felipe Guimarães, Chief Information Security Officer da Solo Iron. “As táticas empregadas pelo grupo exploram fragilidades universais, presentes em empresas em todo o mundo – o que inclui as empresas latino-americanas”, pondera o especialista.

Um dos maiores riscos é que os setores visados pelo Scattered Spider no exterior também são pilares econômicos na América Latina. O grupo historicamente focou suas ações em empresas de telecomunicações, terceirização de processos de negócios (BPO) e grandes empresas de tecnologia – indústrias que possuem ampla presença na região. Nos últimos tempos, foi observado um aumento de interesse do grupo pelo setor financeiro global, o que inclui bancos e instituições presentes no Brasil e países vizinhos.

“Isso significa que companhias latino-americanas, seja diretamente ou através de filiais e parceiras, podem entrar na mira à medida que o Scattered Spider amplia seu raio de atuação. Mesmo empresas que não operam internacionalmente devem se precaver, pois os criminosos podem enxergar organizações locais como pontes de entrada para fornecedores ou clientes globais, ou simplesmente como alvos lucrativos por si sós, caso identifiquem falhas de segurança exploráveis”, pontua Guimarães.

Na mira das agências de inteligência

Relatórios do FBI e da Agência de Segurança Cibernética e de Infraestrutura (CISA) dos EUA descrevem o Scattered Spider como “especialista em engenharia social”, empregando diversas técnicas para roubar credenciais e burlar autenticações.

Entre os métodos documentados estão phishing por e-mail e SMS (smishing), ataques de vishing (ligações telefônicas fraudulentas) em que os criminosos se passam por equipe de TI da própria empresa, e até esquemas elaborados de SIM swap – quando convencem operadoras de telefonia a transferir o número de celular de uma vítima para um chip sob controle deles. Essas táticas permitem interceptar códigos de autenticação multifator (MFA) enviados via SMS ou aplicativos, dando aos invasores as chaves para acessar sistemas internos.

Alguns incidentes recentes no cenário latino-americano já envolveram vetores parecidos, como uso de ferramentas legítimas em ataques e exploração de credenciais vazadas, o que reforça a necessidade de vigilância. Em 2024, por exemplo, houve casos de gangues de ransomware operando na região que abusaram de softwares legítimos e brechas em procedimentos internos de empresas, aplicando práticas muito similares ao do Scattered Spider.

Estratégias de mitigação

Diante da crescente ameaça representada por grupos como o Scattered Spider, Guimarães recomenda a adoção de estratégias com foco especial em fortalecer métodos avançados de autenticação multifator (MFA), preferencialmente resistentes a phishing, como chaves físicas de segurança ou soluções baseadas em certificados digitais. Técnicas como MFA com validação numérica e a restrição do uso de SMS para autenticação são essenciais para reduzir o risco de engenharia social e ataques por fadiga de notificações, muito usados pelo grupo.

Além disso, a adoção de uma abordagem mais robusta em relação à gestão de identidades e acessos (IAM) é uma estratégia muito importante na contenção desse tipo de ameaça. “As identidades digitais estão se tornando uma nova superfície de ataque; por isso, é fundamental que as empresas implementem políticas rígidas de gestão de identidades, controle granular de acessos e monitoramento contínuo das atividades dos usuários”, destaca.

“Também é muito importante o controle rigoroso sobre ferramentas de acesso remoto e a implantação de monitoramento avançado. É recomendável que as organizações restrinjam o uso dessas ferramentas por meio de listas autorizadas e adotem sistemas robustos como EDR e DLP para identificar rapidamente atividades suspeitas”, finaliza o especialista.