Using Varonis: The Path Beyond Data Classification

(This is one entry in a series of posts about the Varonis Operational Plan – a clear path to data governance. You can find the whole series here.)

Data Classification is important because it helps us figure out where the most important data sits, but it shouldn’t be a goal on its own. Just understanding what data is sensitive isn’t enough to protect it. You need to understand how it’s being used, including who has access, who’s using it, and who it belongs to. You need context around the data in order to really begin to protect it. Rob Sobers put together a recent white paper on the importance of enterprise context awareness, which is worth a read and offers some great background on this topic.

Step 2: Identify Data That’s Most at Risk

The first step in our plan was to figure out what’s the most valuable by defining criteria that describe likely valuable data (e.g. content, access activity, accessibility) and then using automation to identify where the data that matches those criteria exists in the environment. This is basically what we’re doing with DLP data at rest, if you recall. But just scanning for sensitive data isn’t enough to fix any problems, a point I’d like to illustrate by relaying a conversation I had with a customer last year. They were a mid-size educational institution of about 15,000 users and had just implemented data classification through a DLP tool. The scan took a fair amount of time, and at the end they’d identified 193,000 some-odd violations, or instances of a file containing possibly sensitive information. What the CISO told me was, “Yesterday I had one problem: where’s the sensitive data. Today I have 193,000 problems.”

It was a really concise way to summarize the problem: just finding data doesn’t really get you much. You already knew there was a lot of it out there, but knowing where it is doesn’t actually fix the problem. The goal is to restrict access to just those who need it and then monitor access so none of it is lost. To do that, you need context, and that means learning more about the data.

Since Varonis can synthesize multiple types of metadata, the next step in our methodology is to identify exactly what data is most at-risk. Which of the folders that contain those 193,000 files need to be fixed immediately?

To answer that question, Varonis combines data classification–either from our own scanning engine or from a DLP or another classification product–with the other metadata we have available: permissions, access activity, and the user and group information from directory services. Which should be higher on your triage list for access control cleanup: a folder that contains 40 credit card numbers, open to 20 people, that nobody ever touches, or a folder open to the Everyone group with 300 credit card numbers that’s being constantly accessed? The latter represents a much greater risk to the organization, since looser permissions and a higher level of activity mean that data is far more likely to be deleted, stolen or misused in some way. By the way, Varonis has a built-in report for this, and it’s usually one of the first reports our customers review when they evaluate the product.

It’s not always just about sensitive data, either. Many of our customers simply want to clean up permissions, whether the data is sensitive or not. We’ve been hearing a lot about “open share” projects and the like lately, and it’s basically the same thing: find shared data that’s at risk and then remediate it. DatAdvantage also has reports that help you identify where folders are open to global access groups like Everyone, Domain Users and Authenticated Users, as well as who is accessing data via these groups. It’s a similar question to the one above: which is more important, data open to Everyone that nobody uses, or data open to Everyone that lots of people are using (and who wouldn’t have access otherwise)? Varonis can point all that out with built-in reports.
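As an added example (not Varonis code or a DatAdvantage report), here is the triage logic from the two paragraphs above as a small Python scorer. The folders, group membership, directory size and audit events are constructed; the scoring formula (classification hits x exposed accounts x (1 + distinct active users)) is an assumption that follows the text, and the script also lists the users who reach a folder only through a global group.

```python
"""Rank folders by risk from classification hits, permissions and activity.

Added example, not Varonis code. All data below is constructed and the
scoring formula is an assumption: more sensitive content, wider exposure
and more real activity all push a folder up the triage list.
"""
from dataclasses import dataclass

GLOBAL_GROUPS = {"Everyone", "Domain Users", "Authenticated Users"}
DIRECTORY_USERS = 15000  # constructed: every account in the directory

# Constructed directory data: group -> members.
GROUP_MEMBERS = {
    "Finance": {"alice", "bob", "carol"},
    "Legal": {"dave", "erin"},
}


@dataclass
class Folder:
    path: str
    sensitive_hits: int   # classification matches (e.g. credit card numbers)
    acl: set              # principals granted access (users or groups)
    access_log: list      # (user, action) audit events in the review window


def resolve_explicit_users(acl):
    """Users reachable through named users/groups, ignoring global groups."""
    users = set()
    for principal in acl - GLOBAL_GROUPS:
        users |= GROUP_MEMBERS.get(principal, {principal})
    return users


def exposure(folder):
    """How many accounts can open the folder."""
    if folder.acl & GLOBAL_GROUPS:
        return DIRECTORY_USERS
    return len(resolve_explicit_users(folder.acl))


def active_users(folder):
    return {user for user, _ in folder.access_log}


def via_global_group(folder):
    """Users who touched the folder but hold access only through a global group."""
    if not folder.acl & GLOBAL_GROUPS:
        return set()
    return active_users(folder) - resolve_explicit_users(folder.acl)


def risk_score(folder):
    # Assumed formula: content x exposure x (1 + distinct active users).
    return folder.sensitive_hits * exposure(folder) * (1 + len(active_users(folder)))


def triage(folders):
    """Highest-risk folder first."""
    return sorted(folders, key=risk_score, reverse=True)


FOLDERS = [  # constructed to mirror the two folders discussed in the text
    Folder(r"\\fs1\finance\archive", 40, {"Finance", "Legal"}, []),
    Folder(r"\\fs1\shared\cards", 300, {"Everyone", "Finance"},
           [("alice", "read"), ("zed", "read"), ("yuki", "write"), ("zed", "read")]),
    Folder(r"\\fs1\shared\old", 0, {"Everyone"}, []),
]

if __name__ == "__main__":
    for f in triage(FOLDERS):
        print(f"{risk_score(f):>12,} {f.path}  via global group: {sorted(via_global_group(f))}")
```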

Next, we’ll look at how to go about fixing these problems.

Image credit: jurvetson

Case Study: Matanuska Telephone Association

Matanuska Telephone Association (MTA) is a co-operative telecommunications service provider that offers its members local telephone services, high-speed Internet access, wireless phone service, digital television and managed business services.

Like many organizations, there were occasions when MTA’s employees would inadvertently move, rename, or accidentally delete files. Finn Rye, MTA’s Information Security Officer, and his team would try to locate or recover the information. The hours spent manually tracking down data were significant, which meant that Rye’s team was often unable to attend to other, more pressing matters.

Further, for internal compliance requirements, MTA’s Performance Integrity office mandates that Rye’s team be able to verify who has access to which data and what files those individuals actually access.

MTA recently deployed Varonis® DatAdvantage® for Windows. DatAdvantage provides a searchable and sortable complete audit trail, which includes “delete” events in files and folders. The Audit Trail provided Rye’s team the ability to find deleted or moved files and to determine how it happened.

“Without DatAdvantage®, we simply weren’t able to do the investigation or incident responses we can now,” Rye said.

Rye’s team has configured automatic alerts and reports to obtain the visibility and control they needed, fulfilling their compliance requirements. Now they can identify sensitive files and folders, and determine who should and should not have access to them.

“It was virtually impossible before Varonis®,” he said. “We just didn’t have the logging capacity or a way to search in an efficient manner.”

Varonis® DatAdvantage® for Windows provided MTA the ability to analyze and audit access, visibility into their permissions structure and actionable intelligence on how to remediate excessive permissions; this is why MTA chose Varonis. To read the complete case study, click here.

Finn Rye is MTA’s information security officer – his department oversees the company’s information security initiatives for MTA’s 400+ full-time employees.

In Data Security, You’re Only As Strong As Your Weakest Link

Reporter: “Why do you rob banks?”

Willie Sutton (bank robber): “Because that’s where the money is.”

That’s Sutton’s law. It seems obvious, but it’s so very true. The law also holds true for hackers – they will attack systems that store valuable data.

So where might that be? My first guess would be the iron-clad data centers of the world’s largest banks, pharmaceutical companies, defense contractors, governments, and Fortune 500 corporations. They are the big juicy targets, right? But attractive targets aren’t necessarily easy targets.

Today, banks and other high profile institutions have state-of-the-art data protection in the form of firewalls, two-factor authentication, sophisticated encryption, and Varonis. Hence the term “bank-level security.” As a result, hackers have to weigh the value of a successful attack against the difficulty of breaching the target.

What if there were a way to seize a corporation’s digital secrets without having to penetrate their heavily fortified walls?  A group of Chinese hackers figured out a rather cunning way to do it – infiltrate the company’s much more vulnerable law firm instead!

According to Mandiant, a Virginia-based security firm, 80 major US law firms were hacked last year.  Clearly, law firms are becoming a primary back door that hackers are using to gain access to valuable corporate data.  But it’s not just law firms we have to worry about, unfortunately.

Any time you send an email to another party—e.g., law firms, accountants, consultants—or transfer confidential documents to DropBox or Google Docs, you’re implicitly trusting that they take security as seriously as your own security admins do, and that they can determine, at all times, who can access your data and who is accessing your data.

The fact is that many organizations, including the growing number of cloud service vendors, haven’t even scratched the surface when it comes to serious data protection and security.  The message is clear: start now.  Your customers will demand it.

Who Is TRYING To Access Your Data?

In our previous post we discussed how over 80% of data breaches are considered “opportunistic.” The majority of them are regular employees who have excess permissions, who abuse their access to obtain sensitive information. When we take these two things into account we can confidently say that a primary area of risk is where regular employees have excess permissions and access to valuable information.

Organizations often have difficulty answering a critical question in order to effectively protect their data: Who or what might be TRYING to determine if they have access to data that they shouldn’t?

(Image: Varonis DatAdvantage Access Denied Events – DatAdvantage can show exactly who’s trying to access data.)

In addition to its already powerful and complete audit trail of successful activities, Varonis DatAdvantage version 5.7 now leverages its Metadata Framework to collect, process, and report on “access denied” events on Windows servers. These events occur when people try to access a folder or file and the ACL does not permit them. If we see a lot of access denied events, this may indicate that the computer is infected with a worm, or that the user is poking around looking for valuable data or trying to search/index a large amount of information that they don’t have access to.

DatAdvantage also provides the functionality to alert when it detects statistically significant spikes in activity; these alerts now include access denied activity. Organizations can use this information as a trigger for further investigation to determine why a user may be trying to access data that he doesn’t have permissions to access.
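As an added example, not DatAdvantage’s own alerting logic, here is the spike detection described above run over constructed, already-normalized audit lines. The per-user baseline (mean plus three standard deviations of that user’s prior hourly denied counts, sigma floored at one, plus a minimum count) is an assumption; the alert also reports how many distinct paths were denied in the hour, since breadth is what distinguishes “poking around” from one stuck application.

```python
"""Flag statistically unusual spikes in access-denied events per user.

Added example, not Varonis code. Audit lines are constructed in a simple
normalized form '<iso time> <user> <allowed|denied> <path>'.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def parse(lines):
    events = []
    for line in lines:
        if line.strip():
            ts, user, result, path = line.split(maxsplit=3)
            events.append({"time": datetime.fromisoformat(ts), "user": user,
                           "denied": result == "denied", "path": path})
    return events


def hour_of(t):
    return t.replace(minute=0, second=0, microsecond=0)


def hour_range(events):
    """Every hour from the first to the last event, so quiet hours count as zero."""
    start = hour_of(min(e["time"] for e in events))
    end = hour_of(max(e["time"] for e in events))
    n = int((end - start) / timedelta(hours=1)) + 1
    return [start + timedelta(hours=i) for i in range(n)]


def denied_by_user_hour(events):
    """Per user and hour: number of denied events and the set of denied paths."""
    counts = defaultdict(lambda: defaultdict(int))
    paths = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e["denied"]:
            h = hour_of(e["time"])
            counts[e["user"]][h] += 1
            paths[e["user"]][h].add(e["path"])
    return counts, paths


def spikes(events, z=3.0, min_count=10, min_history=24):
    """Return (user, hour, denied_count, distinct_paths) for hours whose denied
    count exceeds the user's prior mean by more than z sigma (sigma floored at 1)."""
    hours = hour_range(events)
    counts, paths = denied_by_user_hour(events)
    alerts = []
    for user in counts:
        series = [counts[user][h] for h in hours]
        for i in range(min_history, len(hours)):
            history = series[:i]  # only hours before the one being judged
            threshold = mean(history) + z * max(pstdev(history), 1.0)
            if series[i] >= min_count and series[i] > threshold:
                alerts.append((user, hours[i], series[i], len(paths[user][hours[i]])))
    return alerts


def constructed_log():
    """Constructed: 48 steady hours for alice and bob, then one burst hour for bob."""
    base = datetime(2011, 9, 5)
    lines = []
    for h in range(48):
        t = (base + timedelta(hours=h)).isoformat()
        lines.append(f"{t} alice denied \\\\fs1\\hr\\salaries.xlsx")
        lines += [f"{t} bob denied \\\\fs1\\finance\\q{k}.xlsx" for k in range(2)]
        lines.append(f"{t} bob allowed \\\\fs1\\eng\\notes.txt")
    t = (base + timedelta(hours=48)).isoformat()
    lines += [f"{t} bob denied \\\\fs1\\legal\\contract{k}.docx" for k in range(30)]
    return lines


if __name__ == "__main__":
    for user, hour, n, breadth in spikes(parse(constructed_log())):
        print(f"{hour:%Y-%m-%d %H:00} {user}: {n} denied across {breadth} distinct paths")
```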

By adding “access denied” events, Varonis has enhanced its audit trail, providing our customers with an efficient and effective way to know who is accessing their data, what are they doing with it, where sensitive data is overexposed, how to fix it, and now who is trying to access data they don’t have access to.

Organizations will be able to implement preventive controls and detect a possible threat at a much earlier stage, before a potential data breach takes place. They’ll have more detailed visibility and control over the primary area of risk: regular employees with excessive permissions.

To request a demo of Varonis DatAdvantage 5.7 click here

Big Data Management On Your NAS Made Easy

Got data? Got a lot of it? Most companies with NAS devices are struggling with how to manage permissions and understand usage patterns, find data owners, and identify and lock down sensitive information. If any of that sounds familiar, we’ve got the webinar for you. As part of our new partnership with HP, Varonis is co-presenting a webinar on how we can help you master big data.

We enable customers to get control of the information stored within HP IBRIX X9000 storage systems and file shares, giving you:

  • Visibility into your permissions (set in Active Directory, LDAP, SharePoint, and Exchange)
  • A detailed audit trail of every file and e-mail touch on your servers
  • Recommendations into where access can be reduced without affecting user activity
  • Identification of data owners so they can be directly involved in the management and protection of their data
  • Sensitive content analysis so you can assess risk to your most critical data, allowing you to focus on high-priority areas for remediation

Read the press release announcing our partnership here.

Sign up to attend the webinar here.

Thoughts on the 2011 Data Breach Investigations Report

While reading through the 2011 Data Breach Investigations Report, there were two things that caught my attention:

The first one is that approximately 83% of the data breach attacks are considered “opportunistic.” According to the report, “the victim was identified because they exhibited a weakness or vulnerability that the attacker could exploit.” In other words, the attack took place because the attacker noticed a weakness—if that weakness had not existed or had not been noticed, the attack would not have been conceived, or the attacker would have moved on to an easier target.

The second one is that the ones taking advantage of these weaknesses are the organization’s own employees. The report mentions that “it is regular employees and end-users – not highly trusted ones – who are behind the majority of data compromises. This is a good time to remember that users need not to be super users to make off with sensitive and/or valuable data.” Contrary to what most of us might think, in many situations we don’t have specialized criminals attacking our organizations. Regular users are responsible for many of the attacks: employees who are tempted after discovering that they have access to valuable information.

Putting these two things together, it makes sense that a primary area of risk is where employees have access to valuable data, and where access is too permissive. Many organizations are already looking for sensitive, valuable data (e.g. with data classification technologies). More recently, organizations are starting to look for better context awareness, linking content with permissions, activity, and ownership information to identify significant exposures, and accelerate data protection and remediation efforts.

In our next post, we’ll discuss how you can use metadata framework technology to identify users that might be looking for weaknesses in your environment.

File system audit data taking up too much space? Read on…

I had the privilege of speaking about eliminating data security threats at Data Connectors in Houston a couple weeks ago, and I was asked by several people about how much space “all that audit log data” would take up, and how long you could realistically keep it while still being able to report on it. One person that asked explained that he had a product to collect audit data on a single busy file server, but it could only hold a month or so of data before it consumed a full terabyte of space, and (worse) became almost unusable when generating reports.

If you’ve ever enabled native auditing (like audit object access success in Windows or BSM in Solaris) and taken a look at the logs, you’ve certainly noticed, among other things, the astounding number of events they generate. I just enabled native auditing on my workstation while writing this to get some numbers. I then opened one (existing) file, edited one line, saved it, and closed it – this generated 130 distinct events by itself (46 4656 events, 46 4658 events, and 38 4663 events). With numbers like this, it’s no wonder that collecting and storing raw audit logs can take up so much space, and be so slow to parse through.

This is one of the areas where metadata framework technology really shines in unstructured data protection. Not only can a metadata framework replace the inefficient native operating system auditing functionalities on many platforms, it can also normalize the audit information and store it within intelligent data structures. Normalization eliminates redundant information, and the data structures are much easier to process after the computationally intensive parts of the audit trail (like the path and SID) are converted into integers.

With normalization and intelligent data structures, not only can audit information be stored more efficiently, it is also quicker to search and easier to analyze.
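As an added illustration of the normalization the two paragraphs above describe (not Varonis’s own data structures), here is a Python routine that collapses the 4656 (handle requested) / 4663 (access attempted) / 4658 (handle closed) sequences into one record per access, with paths and SIDs replaced by interned integers. The raw events, the SID and path, the subset of access-mask bits and the merge window are constructed assumptions.

```python
"""Collapse raw Windows object-access audit events into normalized records.

Added example, not Varonis code. The raw events are constructed to mirror
the 46 x 4656, 46 x 4658 and 38 x 4663 events the text counts for a single
open/edit/save/close of one file.
"""

SID = "S-1-5-21-0-0-0-1104"      # constructed SID
PATH = r"\\fs1\docs\plan.docx"   # constructed path

# Subset of Windows access-mask bits reported in a 4663 event.
ACCESS_NAMES = {0x1: "read", 0x2: "write", 0x10000: "delete"}


class Interner:
    """Map a repeated string (path or SID) to a small integer and back."""
    def __init__(self):
        self.ids, self.values = {}, []

    def intern(self, value):
        if value not in self.ids:
            self.ids[value] = len(self.values)
            self.values.append(value)
        return self.ids[value]


def normalize(raw_events, merge_window=5.0):
    """Return (records, sids, paths). Each record is
    [user_id, path_id, first_time, last_time, {ops}]; consecutive handles by
    the same user on the same path within merge_window seconds become one record."""
    sids, paths = Interner(), Interner()
    open_handles, records = {}, []
    for e in sorted(raw_events, key=lambda e: e["time"]):
        if e["id"] == 4656:  # handle requested: remember who opened what
            open_handles[e["handle"]] = [sids.intern(e["sid"]), paths.intern(e["path"]),
                                         e["time"], e["time"], set()]
        elif e["id"] == 4663:  # access attempted: add the operations used
            rec = open_handles.get(e["handle"])
            if rec:
                rec[3] = e["time"]
                rec[4] |= {name for bit, name in ACCESS_NAMES.items() if e["mask"] & bit}
        elif e["id"] == 4658:  # handle closed: emit or merge the record
            rec = open_handles.pop(e["handle"], None)
            if rec:
                rec[3] = e["time"]
                last = records[-1] if records else None
                if last and last[:2] == rec[:2] and rec[2] - last[3] <= merge_window:
                    last[3], last[4] = rec[3], last[4] | rec[4]
                else:
                    records.append(rec)
    return records, sids, paths


def constructed_events():
    """130 constructed raw events: 46 handle opens, 46 closes, 38 access attempts."""
    raw, t = [], 0.0
    for k in range(46):
        raw.append({"id": 4656, "time": t, "handle": k, "sid": SID, "path": PATH})
        if k < 38:  # only some handles actually read or write data
            raw.append({"id": 4663, "time": t + 0.1, "handle": k,
                        "mask": 0x2 if k == 20 else 0x1})
        raw.append({"id": 4658, "time": t + 0.2, "handle": k})
        t += 0.5
    return raw


if __name__ == "__main__":
    raw = constructed_events()
    records, sids, paths = normalize(raw)
    print(f"{len(raw)} raw events -> {len(records)} normalized record(s)")
    for user_id, path_id, first, last, ops in records:
        print(sids.values[user_id], paths.values[path_id], first, last, sorted(ops))
```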

Using Varonis: Start With Classification

(This is one entry in a series of posts about the Varonis Operational Plan – a clear path to data governance. You can find the whole series here.)

We spend a lot of time talking here and elsewhere about the many and varied problems IT faces when it comes to access control. What I’ve found, though, is that some of our customers end up with either DatAdvantage or DataPrivilege (or both) to fix a specific need. For instance, one customer I met recently bought DatAdvantage for Windows because they discovered that a particularly sensitive file had been exposed and they wanted to make sure they both cleaned up and tracked access to it in the future. It’s not uncommon for folks to come to us with one use case in mind, and after quickly addressing the initial need, they want to know what they should do next.

What we’re all really looking to do is understand where access is broken, fix it and then maintain correct controls in the future, including auditing use and flagging abuse. Making sure that the right people have access to the right data means being continuously vigilant in identifying and fixing these problems. Usually it also means identifying data owners and shifting the burden from IT to the business–the data belongs to them, after all.

Without a roadmap or methodology, it can be hard to know where to begin, which brings us back to the customer I mentioned earlier. They wanted to know how to get from a chaotic file sharing environment–where they don’t even know what’s broken, let alone how to fix it–to controlled collaboration that’s continuously secure. The answer isn’t just in the technology you use, it’s embracing a methodology and a culture that treats data as a business asset rather than a technology asset. What I’d like to do over a series of posts is lay out the basics of our approach, as well as talk about how we’ve seen it work with some recent customers.

Step 1: Figure Out What’s Valuable

Not everything on unstructured shares has the same value. The first challenge is figuring out exactly what’s important, and what’s not. The problem is that 80% of a company’s data is unstructured, and a lot of it is accessible to too many people, so it can be difficult to prioritize where you should focus your time and energy.

The last few years have seen a huge investment in DLP products, including classification of data “at rest” (data sitting on servers, basically). Classification can involve a lot of things, but at its core what we’re doing is taking a close look at as much of the data as possible to figure out what’s important to the organization and what’s not. For example, a health care provider probably wants to locate all the patient records, so they may scan for Social Security or patient ID numbers. Another example might be a bank looking for credit card or account numbers. Content inspection alone isn’t always enough–sometimes you want to look for a pattern in those files that are created or accessed by specific people. Either way, the first step in our methodology is going to be identifying those sensitive data patterns: what do we think is important? Until we decide what’s important, it can be hard to know where to begin fixing things. It also gets to the real heart of the problem: if this stuff is valuable, we need to protect it.

In future posts I’ll continue to lay out the Varonis methodology. Stay tuned.

Image credit: mamsy

Forensic Investigation of Trade Secret Theft (Part 2)

In our recent blog post, we discussed a hypothetical situation where the General Counsel of “Alpha Chemicals” approached you and requested a whole bunch of information about “Allen Carey,” including documents he accessed and email messages he read related to the company’s blockbuster product, “Transparent Aluminum”, and a list of permissions that “Allen” had to various IT resources. Well, in parallel to his request for this information, the General Counsel also questioned the HR department and discovered that though “Allen Carey” had performed malicious activities, according to the HR department, “Allen Carey” didn’t exist!!

While not directly relevant to IT Security (but directly relevant to this scenario), in 1973, the most popular show on television was M*A*S*H. In one episode the lead character, Hawkeye Pierce, created a fictitious character, “Captain Tuttle.” During the episode, Captain Tuttle’s persona morphed from imagination to legend within the hospital, as “Captain Tuttle” was responsible for a number of very heroic actions, yet no one ever saw him. The episode ends with “Captain Tuttle” dying in a tragic accident, the only proof of his existence the dog-tags found near the accident site. That was the extent of forensics performed in this very funny comedy.

While our hypothetical situation may seem like it was created for a Hollywood comedy, what would you do if it was determined that a fictitious person named “Allen Carey” performed malicious activities that resulted in the loss of your company’s trade secrets? What type of information would you require to perform an investigation? Minimally, you would require the ability to answer the following questions:

  1. Who created Allen Carey’s user account, and when?
  2. Was Allen Carey’s user account added to or removed from any group or Access Control List, and by whom?
  3. Can you provide a record of any email accounts where Allen Carey might have had send-as or send-on-behalf of privileges, when he got those permissions, and who granted them?
  4. Which, if any, other user accounts accessed files from the workstation that Allen Carey used?

In order to provide the General Counsel with the answers to the above questions, you would need to be auditing administrative access to Active Directory and Exchange. You would also need to correlate access activities from a specific workstation to the user accounts that used that workstation. Most importantly, you would require a product that would provide historical reporting with the ability to correlate all relevant variables. AND, you would need to provide this information quickly. Of course, the General Counsel also requires the previous information he requested, as he still needs to know about the documents that Allen Carey accessed, the email messages that he read, and a list of the permissions that he had to various IT resources.

In the next blog, we will dissect the forensics process in detail.

Accelerate Data Protection with Context Awareness

I’ve been reading a lot about DLP technology lately.  Almost every article, discussion, and whitepaper I’ve stumbled upon focuses on content awareness — scan my files, find sensitive data, and ensure that it doesn’t escape.

This is a great place to start–locating critically sensitive files is a terrific first step–but a massive list with hundreds of thousands of “alerts” across petabytes of data can be extremely daunting if you don’t have any actionable intelligence accompanying it.

After a scan, there are usually far more questions than answers:

  • Who is using this data?
  • Who owns the data?
  • Which data is most at risk?
  • Once we’ve remediated exposures, how can we keep things under control?

This is why context is King.  And the key to context is metadata.

Forrester states, “To manage and protect information effectively, particularly from insiders and business partners, information risk and security professionals must integrate identity and access management with data life-cycle management. Forrester refers to this as protecting information consistently with identity context (PICWIC).”

Download our new whitepaper, Accelerate Data Protection with Context Awareness, where we talk much more about how identity context awareness can close the loop on DLP.

Photo: http://farm4.staticflickr.com/3109/2659027985_065d5c9ff0_m.jpg
