Pen Testing Active Directory

You may have been following our series of posts on pen testing Active Directory environments and learned about the awesome powers of PowerView. No doubt you were wowed by our cliffhanger ending — spoiler alert — where we applied graph theory to find the derivative admin!

We know from the many emails we received that you demanded a better ‘long-form’ content experience. After all, who’d want to read about finding hackable vulnerabilities using Active Directory while being forced to click six-times to access the entire series?

Thanks to the miracle of PDF technology, we’ve compressed the entire series into an easy-to-ready, comfy ebook format. Best of all, you can scroll through the entire contents without having to touch messy hyperlinks.

Get The Ebook Now
Or check it all out online, here.
Data Security
What is a Data Security Platform?

What is a Data Security Platform?

A Data Security Platform (DSP) is a category of security products that replaces traditionally disparate security tools. DSPs combine data protection capabilities such as sensitive data discovery, data access governance, user behavior analytics, advanced threat detection, activity monitoring, and compliance reporting, and integrate with adjacent security technologies. They also provide a single management interface to allow security teams to centrally orchestrate their data security controls and uniformly enforce policies across a variety of data repositories,…
Data Security

Varonis Data Security Platform Listed in Gartner 2017 Market Guide for Data...

In 2005, our founders had a vision to build a solution focused on protecting the data organizations have the most of and yet know the least about – files and emails.  Executing on this vision, Varonis has built an innovative Data Security Platform (DSP) to protect enterprise data against insider threats, data breaches and cyberattacks. To this end, we are pleased to be listed as a representative vendor in Gartner’s 2017 Market Guide for Data-Centric…
Data Security

[Podcast] Americans’ Cyber Hygiene

Recently, the Pew Research Center released a report highlighting what Americans know about cybersecurity. The intent of the survey and quiz was to understand how closely Americans are following best practices recommended by cybersecurity experts. One question on the quiz reminded us that we’re entitled to one free copy of our credit report every 12 months from each of the three nationwide credit reporting companies. The reason behind this offering is that there is so much financial fraud. And in…
Data Security, IT Pros

Practical PowerShell for IT Security, Part III: Classification on a Budget

Last time, with a few lines of PowerShell code, I launched an entire new software category, File Access Analytics (FAA). My 15-minutes of fame is almost over, but I was able to make the point that PowerShell has practical file event monitoring aspects. In this post, I’ll finish some old business with my FAA tool and then take up PowerShell-style data classification. Event-Driven Analytics To refresh memories, I used the Register-WmiEvent cmdlet in my FAA…
Data Security

Ransomware: What happens when the first layer of defense fails?

76% of respondents see ransomware as a major business threat today, according to a recent Information Security Media Group (ISMG) survey, “2017 Ransomware Defense Survey: The Empire Strikes Back,” aimed at understanding the true impact of ransomware on organizations. While this news isn’t worthy of breaking into the latest episode of Madame Secretary, what follows in the Varonis sponsored survey is an alarming disconnect between perception and reality of how these attacks happen and how…
Compliance & Regulation

Data Security Compliance and DatAdvantage, Part I:  Essential Reports for ...

Over the last few years, I’ve written about many different data security standards, data laws, and regulations. So I feel comfortable in saying there are some similarities in the EU’s General Data Protection Regulation, the US’s HIPAA rules, PCI DSS, NIST’s 800 family of controls and others as well. I’m really standing on the shoulders of giants, in particular the friendly security standards folks over at the National Institute of Standards and Technology (NIST), in…
Data Security

[Podcast] What CISOs are Making, Reading and Sharing

Besides talking to my fav security experts on the podcast, I’ve also been curious with what CISOs have been up to lately. Afterall they have the difficult job of keeping an organization’s network and data safe and secure. Plus, they tend to always be a few steps ahead in their thinking and planning. After a few clicks on Twitter, I found a CISO at a predictive analytics SaaS platform who published a security manifesto. His…
Varonis News

The Varonis Connect Customer Conferences Are Coming: Education and Network ...

This April we will kick off our annual series of Varonis Connect customer events where attendees will learn about new Varonis product innovations and share experiences and success stories. The series, in its 6th year, runs through June across 33 cities in North America and Europe.  In fact, we’ve added 11 more cities than last year, and we expect attendance to increase as well! Varonis Connect attendees, from the company’s rapidly expanding customer base, will…
Data Security
Office Documents with Malicious Metadata

Detecting Malware Payloads in Office Document Metadata

Ever consider document properties like “Company,” “Title,” and “Comments” a vehicle for a malicious payload? Checkout this nifty PowerShell payload in the company metadata: #powershell payload stored in office metadataDocument Properties -> Advanced Properties -> Summary -> Companyhttps://t.co/S8GfQt7Gei pic.twitter.com/BQqMe9uit0 — JaromirHorejsi (@JaromirHorejsi) March 27, 2017 Here’s the full VirusTotal entry. The target opens the Office document and, with macros enabled, the payload stored within the document’s own metadata executes and does its work. No extra…
Data Security

How to Protect Yourself from Leaky Apps: Varonis on CNBC’s On the Money

This past weekend, Varonis’ Brian Vecci, Technical Evangelist, appeared on CNBC’s On the Money with Jennifer Schlesinger to discuss how consumers can protect themselves from leaky apps – both legitimate and illegitimate ones. From a consumer perspective, there are a few things to keep in mind: Any app could potentially be breached or broken in some way, so be careful about what kinds of information you provide. Try not to use the same password everywhere,…
Data Security

[Podcast] No Data Left Behind

Over the past few weeks, we’ve been debating a user’s threshold for his personal data seen in the public domain. For instance, did you know that housing information has always been public information? They are gathered from county records and the internet has just made the process of gathering the information less cumbersome. However, if our personal information leaks into the public domain – due a security lapse – it’s still not as serious as, say,…
Data Security

[Podcast] How Diversity & Inclusion Drives Innovation and Market Growt...

In part two of my interview with Allison F. Avery, a Senior Diversity & Inclusion Specialist at NYU Langone Medical Center, she clarified common misconceptions about Diversity & Inclusion (D&I) and offered a framework and methodology to implement D&I. She reminded me, “You should not be doing diversity for diversity sake.” I’ve put together a few interview highlights below. By the way – they’re perfect for cutting-and-pasting into an email to your company’s HR executives and…