[VIDEO] The Data Maturity Model

Over the past couple of years we’ve gathered a rich set of data from both IT and non-IT people, and through research and analysis, we’ve come to some eye-opening conclusions about the state of organizational data protection.

The video below shows how organizations self-report the protection levels of sensitive data such as credit card numbers, health information, legal records, and financials. Take a look.

Varonis is committed to helping organizations manage and protect their critical data with a new breed of automated data governance solutions. To see more videos like this one, visit our video gallery.

The Internet Delete Button

Compliance Update: EU Data Protection Regulations Postponed Again

Over the past few months, I’ve mentioned that the EU’s Data Protection Directive is in the process of a major revision. The most controversial change to the DPD is the “Right to be Forgotten”, which has been making headlines recently. Last week, the European Parliament committee in charge of approving the proposed data protection regulations decided to delay their vote. Those who have been looking for an Internet delete button will have to wait longer.

Member state Ireland, which currently holds the EU Presidency, has been very public about wanting to see all EU countries vote by the end of its term in July 2013. That is looking more unlikely with the decision of the Civil Liberties, Justice, and Home Affairs Committee to delay its vote.

There is still more voting that needs to take place. Think of the EU Parliament as the US Congress, and member nations as US states. So even after the committee votes, the EU Parliament as a body would have to approve “DPD 2.0”, and then the new regulations would still have to be voted on by each EU country.

So even if all goes to plan, we shouldn’t expect a GA date anytime soon.

But it’s no secret that the “Right to be Forgotten”, as well as new rules on data retention, have been controversial for US and EU companies—both groups are heavily involved in lobbying to make changes to the regulations.

There also have been stirrings from one EU country in particular, the United Kingdom, about the burdensome nature of the new rules. The UK’s Information Commissioner’s Office (ICO)—the agency responsible for fulfilling the DPD requirements—just released a report noting that businesses are having difficulty estimating the cost of the new data protection rules.

In fact, the UK Government is seeking to opt out of the Right to be Forgotten, if it’s ultimately approved. The Government feels it gives consumers “unrealistic expectations” about the ability to control their personal data.

Meanwhile, back in the US, the Executive Chairman of Google, Eric Schmidt, raised eyebrows when he called for an Internet delete button at a conference held at New York University earlier this month.

He was clearly referring to the EU’s Right to be Forgotten, which Google has been actively lobbying against.

Will there be an EU-style Internet delete button? I don’t know the answer, but it’s clear that everything is still very unclear.

Varonis DatAdvantage Now Supports Hitachi NAS

IDC forecasts that by 2020 we will be generating 40ZB (that’s 40 trillion gigabytes) of data. With this level of data growth, we need powerful, cost-effective hardware to store it and intelligent, scalable software to manage and protect it.

Today, I am happy to announce a new integration between Varonis DatAdvantage and Hitachi to provide unparalleled solutions for human generated big data.

We are grateful and proud that Varonis is increasingly seen as the de facto standard for monitoring large data stores. Historically, we’ve been approached by organizations considering the Hitachi platform that very much wanted to marry it with the full capability of DatAdvantage.

The truth is that, if you cannot monitor, then you cannot manage, and organizations are no longer willing to let their investments in unstructured data go unprotected. That’s why they want Varonis there to collect metadata, provide information governance, and extract maximum value from their data. We’ve worked closely with Hitachi to make this a reality.

Download our datasheet for more information.


The Top 6 Exploits Used by Government Hackers

Yes, hackers can be spies. Stay calm, all the same rules still apply.

Along with the rest of America, I read the headlines last week about the Chinese military hacking into US defense contractors’ computer systems. Though the words “cyber attack” take on a more ominous meaning when a government is involved, most of the press has correctly framed the news as a technology story, with the espionage part as an interesting footnote. It’s really just another example of cyber thieves, albeit working for a government, stealing data from corporate file servers.

My first instinct was to pore through the reporting to learn how this particular den of data thieves did their work—the threat actions or attack vectors used. There was very little to go on. The Pentagon’s Annual Report to Congress, which was the source of the headlines, was also silent on that aspect of the story. To shed some light, I went back to one of this blog’s favorite resources, Verizon’s Data Breach Investigations Report.

In analyzing breach data for 2012, the DBIR team points out that activity of state-affiliated actors—code words for spies and government intelligence agencies—was sharply up from previous years. Their analysis shows that foreign governments were involved in 121 of the DBIR’s tally of 621 validated breaches—their evaluation methodology, by the way, is quite strict. It is significant that 22% of all DBIR breaches were motivated by intelligence gathering of corporate IP and other sensitive data. But no need to panic.

As the report notes, the difference between government-sponsored intelligence gathering and ordinary hacking is that their exploits are multi-pronged, relying on a combination of email phishing, malware, and garden variety credential hacking.

By doing my own slicing of the raw data that DBIR generously provides, I got a little more insight into these government-orchestrated attacks. In the table above are listed the top six attack mechanisms used by state hackers. As the DBIR notes, these 121 breaches are based on well-rehearsed exploits in which certain actions almost always appear.

The breach incidents most likely go something like this: a user sitting at a desk somewhere—Fortune 500 company, defense contractor, research university—falls for an email phishing attack in which a backdoor is loaded onto the user’s computer. This bit of malware then contacts the foreign government’s command and control (C2) server. The C2 servers instruct the backdoor to perform some simple commands, which can include walking a file system and then exporting data that is considered interesting. Often the foreign government is also searching for the file of password hashes—password dumping—so that it can do a reverse lookup and then hack into these accounts remotely.

Of course, this is not an unusual scenario for a more sophisticated type of non-government hacker. The key point here is that traditional preventive methods and Plan B-type mitigation would still apply.

For example, the current DBIR yet again reminds readers—they’ve been saying this for years—that two-factor authentication would block 80% of attacks involving passwords. What works for ordinary cyber thieves does just as well for cyber spies logging in from mainland China. And auditing and monitoring of file activity would spot Jane military worker accessing documents and system files she doesn’t normally touch.

I’ve little doubt that the US military contractors who were compromised were victims of the scenario I sketched out. A more detailed account of an actual attack by the Chinese military can be found here. It roughly follows my scenario based on the DBIR data but has some interesting variations.

My advice to companies dealing with these types of attacks? Stay calm, carry on, and focus on the breach prevention and mitigation techniques—check out the 2013 DBIR for more ideas—you had always intended for using against standard cyber thieves.

Varonis Comes Up Big at 2013 Network Products Guide Awards


We are very proud to announce that Varonis was awarded 3 Network Products Guide Awards this year!

As the demand for secure digital collaboration increases across all markets, data accessibility, protection and management continue to be three key issues for organizations. We’re very pleased that our technology solutions, as well as our thought leadership in this area, have been recognized with Network Products Guide Awards.

Thanks to Network Products Guide!

Want to read the winning whitepaper?

Children of the Digital Revolution discusses how, in a single generation, digital collaboration has completely changed the way we communicate and work.  Read it here.

Path’s Debacle Sheds Light on Children’s Privacy Online

Over the last few years, the FTC has issued a string of complaints against social media companies for not living up to their advertised privacy terms. If you don’t honor online privacy while publicly saying you do, you’re guilty of violating some very long-standing laws on deceptive business practices. The latest social media company to get in the FTC’s cross-hairs is Path: in February they agreed to pay a civil penalty of $800,000 as well as implement a court-ordered privacy and security program.

The Path settlement is just another lesson for those who think that the compliance laws on the books are just for show. Not only did the government nail Path for their deceptive advertising, but also for ignoring one of the few US online consumer data privacy laws: the Children’s Online Privacy Protection Act or COPPA.

Passed in 1998 (and recently updated), COPPA requires web site operators—in practice, child-oriented web services—to gain “verifiable parental consent” from their under-13-year-old users. This law also gives parents the right, at any time, to opt out of disclosures of their child’s personal information—PIIs and other sensitive data—to third parties. The operators are then free, of course, to terminate the service.

For those parents who give approval, the web site is required by COPPA “to protect the confidentiality, security, and integrity” of the online data. With most US data privacy laws focused on financial or medical information, this is a rare obligation to protect general consumer data.

Promoting itself as a “private messaging and sharing service”, Path failed to gain parental consent from their young subscribers. It was a blatant violation of COPPA.

For web site operators, COPPA is not necessarily an issue. Many services—most significantly Facebook—get around COPPA by not accepting minors. Of course, kids being kids will lie about their age when they register, but then the operators are not held responsible—though this leads to other privacy issues involving data mining of children’s online identities.

Where is privacy on social web sites heading?

One of the advantages of working in the NYC area with its active startup scene is the opportunity to attend hi-tech gatherings and mingle with the startup elite. Earlier this week I caught up with Mark Weinstein, a privacy expert and entrepreneur, at TechCrunch Disrupt, a showcase for new tech offerings. Weinstein has been on a mission to put some real teeth into privacy agreements. With his own private message and document sharing service, he’s testing the theory that consumers will pay more for true online privacy.

The key idea is that subscribers should own the data through easy-to-use functions to explicitly control access, make corrections, and delete data—“right to be forgotten”—as needed. In chatting with Weinstein and his CTO, it seemed that his service comes very close to meeting the ultimate privacy standard—the EU’s stricter Data Protection Directive. He’s also a believer in a consumer privacy bill of rights—though he feels this will come from a free market solution rather than government rules.

In any case, while I may differ with him on that last point, we both agreed that true ownership of data is important and worth paying some extra money for.

Image Credit: GeographBot

Personally Identifiable Information Hides in Dark Data

To my mind, HIPAA has the most sophisticated view of PII of all the US laws on the books. Its working definition encompasses vanilla identifiers: social security and credit card numbers, and all the other usual suspects. With the additional words “reasonable basis to believe that the information can be used to identify the individual”, HIPAA’s definition takes in digital handles such as emails, IP addresses and even facial imagery. But there’s a little more to HIPAA’s PII definition, and it applies specifically to free-form text (commonly found in word processing documents, spreadsheets, presentations, etc.).

The complete list of HIPAA’s PIIs is enumerated in the law’s Safe Harbor guidelines. In plain-speak, these guidelines tell health IT administrators what information is considered private, requiring special authorization to view or process. It includes the aforementioned identifiers, as well as medical record numbers, health insurance IDs, and some others. By the way, we’ve conveniently put this PII list in our omnibus data protection compliance whitepaper.

An unstated assumption made by many is that PII only lives in structured formats—in other words, fields in a database. Readers of this blog of course know that PIIs are often likely to be harvested from the massive amounts of human generated dark data found on corporate files servers.

The HIPAA regulators have understood this as well. In clarifying the rules for removing PII—“de-identifying”—data for publication and general usage, they explicitly cover the possibility that PII can also reside in free-form text. I’ve excerpted the key paragraph from their de-identification best practices below:

PHI [protected health information] may exist in different types of data in a multitude of forms and formats in a covered entity.  This data may reside in highly structured database tables, such as billing records. Yet, it may also be stored in a wide range of documents with less structure and written in natural language, such as discharge summaries, progress notes, and laboratory test interpretations … The de-identification standard makes no distinction between data entered into standardized fields and information entered as free text (i.e., structured and unstructured text)— an identifier listed in the Safe Harbor standard must be removed regardless of its location.

Got that? PHI, which is essentially PII along with other sensitive medical information, embedded in spreadsheets, docs, and presentations is just as worthy of HIPAA privacy protections as fields in databases.

So if we follow these ideas—PIIs can be anything that reasonably links to an individual, and this data can exist in text—to their logical conclusion, then we need to consider a new possibility. Suppose this sentence from a doctor’s notes were uploaded to a file server:

The patient, a technical content specialist at Varonis, a software company, has been complaining about tennis elbow.

The natural question to ask is whether “technical content specialist at Varonis” is a PII.

It’s not a PII in the sense of a uniquely coded key such as social security number or health insurance ID that links back to a person. But in another sense, it acts very much like PII. Don’t believe me? Try typing that phrase into Google and see what comes up.

We’re really talking more about the meaning of the text—or as experts would say, the semantic value—rather than actual letters, numbers, and other syntax. But HIPAA’s Safe Harbor rule even takes this into account: it specifically notes that the “knowledge” in free text can also be used to point back to a person.

As a practical matter, the HIPAA rules mean that any reference to a patient’s job title and company is a violation of the law’s privacy protections.
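To make the Safe Harbor point concrete, here is an added example (not code from the original post or from Varonis) that scans a constructed clinical note for a small subset of Safe Harbor identifiers and for the quasi-identifier pattern discussed above, a job title followed by an organization. The patterns, the title keyword list and the sample note are constructed for illustration, not a complete Safe Harbor implementation.

```python
import re

# Constructed subset of HIPAA Safe Harbor identifier patterns. A real scanner needs all
# 18 categories and far broader formats; these are illustrative only.
SAFE_HARBOR_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:\s#]*\d{6,}\b", re.IGNORECASE),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}

# Hypothetical quasi-identifier heuristic for the "job title at organization" case:
# up to three lowercase words ending in a role keyword, then "at", then a capitalized name.
ROLE_AT_ORG = re.compile(
    r"\b(?:a|an|the)?\s*"
    r"((?:\w+\s){0,3}(?:specialist|engineer|manager|director|analyst|nurse|officer))"
    r"\s+at\s+([A-Z][\w&-]*(?:\s[A-Z][\w&-]*)*)"
)

# Constructed doctor's note, mirroring the sentence quoted in the post.
SAMPLE_NOTE = (
    "Progress note 03/14/2013. The patient, a technical content specialist at Varonis, "
    "a software company, has been complaining about tennis elbow. MRN 00123456. "
    "Follow-up via jdoe@example.com; portal login from 203.0.113.7."
)


def find_identifiers(text):
    """Return non-overlapping hits as (category, matched_text, start, end), by position."""
    hits = []
    for name, pattern in SAFE_HARBOR_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((name, m.group(0), m.start(), m.end()))
    for m in ROLE_AT_ORG.finditer(text):
        start, end = m.start(1), m.end(2)   # drop the leading article from the span
        hits.append(("role_at_org", text[start:end], start, end))
    # Prefer the earliest, then longest, hit when spans overlap.
    hits.sort(key=lambda h: (h[2], -h[3]))
    kept, last_end = [], -1
    for h in hits:
        if h[2] >= last_end:
            kept.append(h)
            last_end = h[3]
    return kept


def deidentify(text):
    """Replace each hit with a bracketed category token, right to left so offsets stay valid."""
    out = text
    for name, _, start, end in reversed(find_identifiers(text)):
        out = out[:start] + f"[{name.upper()}]" + out[end:]
    return out


if __name__ == "__main__":
    for hit in find_identifiers(SAMPLE_NOTE):
        print(f"{hit[0]:12} {hit[1]}")
    print(deidentify(SAMPLE_NOTE))
```

A field-level scanner over a billing database would catch the MRN and the date but never see the note, which is the gap the Safe Harbor guidance closes.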

This leads to a broader discussion on what’s called the “semantic web”. In brief, Google and a few others are already doing leading edge work on extracting meaning and knowledge from web content. You can see for yourself how well Google does this by entering the keywords “height of the empire state building” in a search. You’ll get back an actual answer, 1454’, in addition to all the docs with that exact phrase.

The larger point is that along with stealing PIIs, hackers and cyber thieves are also getting better at mining and interpreting human generated text for personal details, and then building more convincing fake identities to be used in social attacks, such as phishing and pretexting.

Bottom line: these bits and pieces of personal information that are scattered across file servers in clear-text documents can be used to identify an individual with very high likelihood.

That’s important to keep in mind when someone in your company asks, “do we know what’s in our files and the risks involved if our servers are breached?”

The State of the Breach

By coincidence, Verizon’s Data Breach Investigations Report (DBIR) for 2012 was released this week along with the results of our Privacy Survey. So it’s a good time for a quick tour of the state of the breach. In reviewing this latest DBIR, much has stayed the same. However, Verizon’s report emphasizes two key points that caught my attention: 80% of breaches could be easily prevented with two-factor authentication; and it still takes months for most breaches to be discovered.

As in past DBIRs, hacking and malware again make it into the top threat categories, and the difficulty level of the hack-craft employed is still very primitive. This is a polite way of saying that vanilla password cracking—guessing or re-using credentials—is by far the most popular way to pass through the security gate. According to Verizon, this particular type of attack accounted for four out of five breaches involving hacked data.

The solution is, in Verizon’s words, “to overthrow single-factor passwords” with a new king, two-factor authentication. Varonis is also hoping that TFA will gain the throne.

There are some encouraging signs, however. In our just-published Privacy Survey, over 47% told us they use multi-factor authentication for their personal email accounts. If this trend can carry over to corporate email and intranet access, then we may finally see a dip in these low-skill, but still very effective, password-based hacks. It’s a stat we’ll check again next year.

Another critical point made by Verizon is that companies must think beyond prevention, and come up with a second line of defense involving rapid discovery and response. Prevention is still important, but no security barrier is hack-proof.

They note that for most breaches the lag between the initial hack and the first action is far too long: 67% of incidents take several months to be discovered. And perhaps even more dispiriting is that companies more often than not—about 70% of the time—find out about breaches through their customers and third parties (law enforcement, government agencies) instead of their own IT departments.

The obvious (and depressing) brick-and-mortar analogy? A jewelry store owner puts a toy lock on the door, fails to install an alarm system, and then waits for a customer to say that the diamond ring she was interested in is not in its case anymore.

I’ll end this post with a link to the SANS Institute’s security controls, which were mentioned in the DBIR and which we also recommend. The Account Monitoring Control is a good starting point in any breach mitigation program.

The principle in account tracking and auditing is simple to state, but practically impossible to implement efficiently with standard techniques: monitor who is accessing file data and alert administrators as soon as unusual patterns of behavior are detected, likely indicating a breach-in-progress.
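As an added example of the account-monitoring principle just stated (and of the Jane scenario in the government hackers post above), not code from the original post or from any product it refers to, the following Python builds a per-user baseline of folders from constructed file-access audit lines, then alerts when a user touches a folder outside that baseline or reads files in a burst. The log format, thresholds and baseline window are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit lines: "<iso timestamp> <user> <action> <path>".
# Events before BASELINE_END form each user's baseline; later events are scored.
LOG_LINES = """
2013-05-06T09:12:00 jane read /fs01/Engineering/specs/radar.docx
2013-05-06T11:40:00 jane write /fs01/Engineering/specs/radar.docx
2013-05-07T10:05:00 jane read /fs01/Engineering/reports/q1.xlsx
2013-05-08T14:22:00 jane read /fs01/Engineering/specs/antenna.pptx
2013-05-08T15:01:00 bob read /fs01/Finance/budget.xlsx
2013-05-13T02:03:00 jane read /fs01/Finance/payroll.xlsx
2013-05-13T02:03:20 jane read /fs01/HR/personnel/roster.docx
2013-05-13T02:03:40 jane read /fs01/HR/personnel/contracts.pdf
2013-05-13T02:04:05 jane read /fs01/Engineering/specs/radar.docx
2013-05-13T02:04:30 jane read /fs01/Engineering/specs/antenna.pptx
2013-05-13T02:04:50 jane read /fs01/Engineering/reports/q1.xlsx
2013-05-13T09:30:00 bob read /fs01/Finance/budget.xlsx
""".strip().splitlines()

BASELINE_END = datetime(2013, 5, 10)   # assumed cut-off between baseline and scored events
BURST_COUNT = 5                        # assumed: this many reads inside BURST_WINDOW alerts
BURST_WINDOW = timedelta(minutes=2)


def parse(line):
    ts, user, action, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, action, path


def folder_of(path):
    """Key on share plus top-level folder: /fs01/Finance/payroll.xlsx -> ("fs01", "Finance")."""
    return tuple(path.strip("/").split("/")[:2])


def build_baseline(events):
    """Map each user to the set of folders they touched during the baseline window."""
    baseline = defaultdict(set)
    for ts, user, _, path in events:
        if ts < BASELINE_END:
            baseline[user].add(folder_of(path))
    return baseline


def detect(events, baseline):
    """Return alerts as (timestamp, user, reason, detail) for events after the baseline."""
    alerts, seen = [], set()
    recent = defaultdict(deque)        # user -> timestamps of recent reads, for the burst check
    for ts, user, action, path in sorted(events):
        if ts < BASELINE_END:
            continue
        folder = folder_of(path)
        if folder not in baseline.get(user, set()) and (user, folder) not in seen:
            seen.add((user, folder))   # one alert per user and unfamiliar folder
            alerts.append((ts, user, "new_folder", "/".join(folder)))
        if action == "read":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > BURST_WINDOW:
                q.popleft()
            if len(q) == BURST_COUNT:  # fire once, when the threshold is first crossed
                alerts.append((ts, user, "read_burst", f"{len(q)} reads in {BURST_WINDOW}"))
    return alerts


def run():
    events = [parse(line) for line in LOG_LINES]
    return detect(events, build_baseline(events))


if __name__ == "__main__":
    for ts, user, reason, detail in run():
        print(f"{ts.isoformat()} {user:6} {reason:11} {detail}")
```

Jane's 2 a.m. walk through Finance and HR, followed by a rapid sweep of her own Engineering files, is exactly the "documents she doesn't normally touch" pattern the post describes, and it surfaces as three alerts while Bob's routine Finance access produces none.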

And by the way, I just happen to know of software that efficiently handles this problem.

Image credit: Paligari

Varonis Privacy and Trust Report

Even in an age of social media and voracious over-sharing, there are still times we need privacy online. When we engage in old-fashioned point-to-point communication, we expect the person or business at the other end to ensure that our interactions remain private. But it’s complicated.

In a new study conducted by Varonis, 91% of respondents say they trust businesses to keep their data safe despite a rise in breaches that now affects nine out of ten companies. In addition to expecting absolute security from service providers, the survey shows that 53% of consumers would be willing to pay a premium for organizations that reliably protect their data.

At the same time, consumer online habits have room for improvement. Though almost three out of four password protect their mobile phones, an alarmingly high 67% say they send unencrypted personal information in their emails.

Download the full report to learn how consumers deal with security and privacy challenges in their digital lives.


EU to Google: We Really Mean it About Data Retention Limits

“Are these data and privacy protection regulations serious or are they just for show?”  I’ve been hearing that question lately from the tech reporters and journalists who’ve been contacting me. Even after pointing out extensive case files and other documented incidents on government and legal sites, I’m still left with the feeling that it’s just not proof enough.

Fate has finally intervened.

With the EU Commission’s complaint against Google’s privacy policies reaching a conclusion, I now have a teachable moment to convince the naysayers that this stuff is serious business.

When Google changed its privacy terms in early 2012, the fine print was also being looked at by EU regulators. Google may have thought it was making it easier for consumers with a single policy covering all its web services, but others felt a bit differently. The Article 29 Working Party is in charge of advising the EU Commission on their data security and privacy rules, which are contained in the Data Protection Directive or DPD. In late 2012, they filed a complaint against Google, and addressed a letter to Mr. Page.

In so many words, the Article 29 folks said the search engine company had not done enough to follow DPD rules on consumer privacy.

Security experts, compliance gurus, CIOs, and other interested players would normally have to get the real story about this intersection of legal and tech in niche publications or in the back pages of certain business sections, or perhaps in a blog of a major data governance player. Since this is Google, and it appears that the EU is willing to go to the mat on this one—in other words, there will be fines—the story is now moving up in importance and appearing more prominently in business sections of main-stream publications.

You can read from the regulator’s report to learn about the long list of Google’s privacy shortcomings, which are conveniently bold-faced. I offer a few of their choice phrases: “no valid consent”, “incomplete or approximate information”, and “retention periods must be appropriate in regards to the purpose.”

Whoa! The EU—technically the individual national data protection authorities led by France’s CNIL—will fine a major American online service provider over their … data retention policy?

Of course, having data retention policies and procedures —what to keep, what to archive—in place is just IT common sense. But you’re probably thinking that just because an organization doesn’t have explicit data retention or migration plans doesn’t mean it has broken the law.

Actually, it’s not only the EU that takes this IT procedure seriously. Data retention limits also show up in the US’s HIPAA rules for personal health data and in some financial data security regulations. But usually the limits—measured in years—are the amount of time an electronic document must be kept.

The EU, though, views data collection and retention with a goal of “data minimization” in mind: companies should store the minimum amount of personal data and limit the duration to what “must be appropriate in regards to the purpose”. That’s essentially the language of the DPD law. In other words, you just can’t keep personal consumer data unless there’s a legitimate business reason, you have to say what that reason is, and you have to say how long you’re going to keep it.

According to France’s CNIL, Google has to this date refused to provide any information about its data retention policies after being requested to do so.

And the EU Commission has been very clear that there will be consequences for not following its rules. How bad could the fines be for violating, either willfully or negligently, the DPD? The head of the Commission is suggesting they could run as high as 2% of global sales.

Last year Google earned revenues of over $45 billion. You do the math on what it means for not taking data compliance regulations seriously.

Image credit: Dschwen

