
Proper audit logs that are regularly checked.


Assuming the exfiltration can be differentiated from normal behavior!


Seeing large amounts of encrypted traffic leaving via a DNS tunnel during non-standard business hours, for instance, would be an example of such an anomaly. It's not always that easy to detect, however.
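Added example, not part of the thread: a minimal detector for the anomaly described in the comment above, run over constructed DNS query log lines. The log format, thresholds, business-hours window and the use of character entropy as a stand-in for "encrypted" are all assumptions of this sketch.

```python
import hashlib, math
from collections import Counter, defaultdict
from datetime import datetime

# All thresholds are assumptions for this example; tune against a real baseline.
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 local time, Monday to Friday
MIN_OFFHOURS_CHARS = 150        # subdomain characters sent to one domain
MIN_ENTROPY = 3.5               # bits per character; encoded data scores high

def entropy(s):
    """Shannon entropy of the characters in s, in bits per character."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def off_hours(ts):
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS

def suspicious_tunnels(log_lines):
    """Return sorted (client, domain) pairs with bulky, high-entropy off-hours lookups."""
    payload = defaultdict(str)
    for line in log_lines:
        stamp, client, qname = line.split()
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3 or not off_hours(datetime.fromisoformat(stamp)):
            continue
        # Simplification: the last two labels stand in for the registered domain.
        payload[(client, ".".join(labels[-2:]))] += "".join(labels[:-2])
    return sorted(key for key, data in payload.items()
                  if len(data) >= MIN_OFFHOURS_CHARS and entropy(data) >= MIN_ENTROPY)

def sample_log():
    """Constructed log lines: '<ISO timestamp> <client IP> <query name>'."""
    # Ordinary daytime browsing.
    lines = [f"2024-03-05T10:15:{i:02d} 10.0.0.7 www.intranet.example" for i in range(5)]
    # Chatty but repetitive night-time updater: bulky, low entropy.
    lines += [f"2024-03-05T02:00:{i:02d} 10.0.0.9 update.vendor.example" for i in range(30)]
    # Tunnel-like lookups at 02:10: long pseudo-random hex labels.
    lines += [f"2024-03-05T02:10:{i:02d} 10.0.0.5 "
              f"{hashlib.sha256(bytes([i])).hexdigest()[:40]}.tunnel.example"
              for i in range(5)]
    return lines

if __name__ == "__main__":
    print(suspicious_tunnels(sample_log()))
```

The same tunnel lookups replayed at 10:10 produce no alert, which is the "not always that easy to detect" case: the off-hours condition only catches senders that stand out from the daily pattern.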


Didn't Sony pick up exfiltration through exceptional data flows?


Sony was hacked 19 times in two weeks. There was a lot they didn't pick up on due to the difficulties involved with that.



