Archive for: December, 2011

The Holiday Season is Prime Time for Credit Card Fraud

Be careful while using your credit cards this season. According to PNC Bank, credit card fraud increases about 19% during the holiday season. Most of us tend to use our credit cards more than usual and since we are in such a rush, sometimes we aren’t as careful with whom and where we use them. At one company I used to work for, the highest number of credit card fraud reports was filed during the month of January, when many customers would call to let us know their credit card information had been compromised. Often, it would cost them thousands of dollars and a lot of time and aggravation to remediate the problem.

Most of the time, the victims didn’t know who was responsible for the fraudulent activity, or how they obtained the card information in the first place. It was usually almost impossible to determine how it happened—some of them might have visited an unsecure website; others weren’t careful who they handed their cards to. Critical questions about who had access to the card information, how they got access, and where they used the information were unanswerable, making it very difficult to understand how the fraud occurred, and how to prevent future incidents.

In order to protect any sensitive data, we need to be able to control who has access to it, and to monitor who has been accessing it and what they’ve been doing. We need to know which sensitive data is accessible to the wrong people or just too many, and we need to monitor and analyze actual usage to detect when access is being abused. Detecting fraud when it comes to unstructured data is a lot like detecting credit card fraud—make sure only the right people have access, and then pay attention (with automated systems) to what they’re doing.

By using automation to collect and analyze various kinds of data about our data, or metadata, we’re able to identify where users have too much access and where sensitive data is overexposed, and then correct these problems by looking at access activity.

The right metadata can also help you protect your personal information. Where are your credit cards? Who has access to them? Where are they being used, and by whom? How often do you review your transactions? Does your credit card company use automated fraud detection? What is your liability in the event of a fraudulent charge? In addition, here are some ideas to be aware of while you do your holiday shopping this season:

  • If you shop online, shop at reputable stores and look for references from sources you trust
  • Make sure you use websites that encrypt your data—never submit credit card information unless the connection is secured using SSL
  • In the store, always keep your credit card in sight; if you hand it over to the cashier still keep an eye on it. It is even better if you swipe the card on your own
  • Always check the card when someone returns it to you; make sure it is yours
  • Make sure that printed credit card receipts obscure your information before throwing them away
  • Be aware of where and when you use your credit card and check your statements regularly for anything that’s out of order
  • Be aware of which credit cards you are using and which you aren’t
  • At the ATM make sure you block the view when you enter your PIN

Enjoy this Holiday season and shop safely!

All I Want for the Fiscal Year End Holiday is an Optimized Security Group

In one of our recent posts, Rob Sobers talked a bit about the Varonis recommendations engine and how it compares with’s similar technology. I’m currently in the throes of last minute holiday shopping, and one of the things I find myself grateful for is Amazon’s recommendations engine. By analyzing the behavior of its busy shoppers, Amazon can point me towards items that might be of interest based on what I’ve been looking at. If I’m checking out some kitchen gadgets, Amazon will start to populate its pages with other things I might be interested in, like relevant cookbooks. The site is analyzing the activity of millions of users and then making actionable recommendations for me based on all of that behavior.  It’s not just browsing behavior, either. Amazon is able to use information from purchases over time, user wishlists and other relevant metadata to come up with these recommendations.

In an age of virtually unlimited choice, we can easily find ourselves trying to weigh the pros and cons from long lists of items that begin to blur together, making what would normally be a pleasant experience seem overwhelming.  Amazon makes my shopping easier, helping narrow down the choices I have and helping me figure out where I should best spend my energy.

Whether the behavioral analysis is being done on shopping sites, search engines or within your data center, leveraging metadata through automation is a crucial technique for getting better, more actionable information. Varonis helps IT administrators and data owners by providing recommendations on where users have access they likely no longer need. Varonis looks at permissions, user and group relations and access activity on multiple platforms over time in order to produce this analysis.

Big data analytics like this is changing how we make these kinds of decisions by giving us information that was impossible before automation. If you’re considering trying to clean up Active Directory membership next year, think how easy it would be if you had an accurate recommendations engine to get you started.

Substantially Reducing Risk by Cleaning Up Access Permissions

The article “The Art of Profiling Cyber Criminals,” published in Dark Reading on December 8th, 2011, provides a brief outline of the characteristics of a typical cyber criminal. The article is of interest because of its detailed description of the malicious insider. Of particular interest is the following quote:

“Around 65 percent of malicious insiders have already lined up new job with a competitor or started their own firm at the time of the data theft. More than half begin stealing information within a month of leaving their employer.” The article goes on to say, “Three-fourths take information that they have legitimate access to in their jobs, and more than half of these cases involve the theft of trade secrets.” Therefore, based on this study, 25% of the insiders who steal sensitive company information should NOT have had access to the information to begin with.

In this age where most IT purchasing decisions are reduced to an ROI calculation, there can be no denial that providing the ability to reduce data theft by 25% (simply by better control of access permissions) provides a very obvious ROI to those companies who are challenged with protecting intellectual property.

Your Mailbox is Almost Full

This again. It happens a few times a year—an automated email telling me I’m going to have to make some decisions about my data. It’s not like it’s a small mailbox, either—as of this morning, I have filled up 9.3 GB out of my allotted 10 GB. Today I’ve been notified that I’m also out of space on my team’s file share, which will mean more data management decisions. It’s inevitable—no matter how big our mailboxes or file servers are, we’re going to fill them up before too long.

It reminds me of how, even though so much has changed about the way we work, so much of our workflow hasn’t. We have multiple laptops and workstations, smart phones and tablets, cloud enabled file shares, and still—every day we create files, send them to each other to review, edit them, and send them back to each other, iterate, publish them, and repeat—word processing documents, spreadsheets, presentations, images, audio and video files. Every part of our work involves collaboration with these digital assets—I should probably be proud that we’ve done so much work that we’ve filled up our file shares and mailboxes, but instead of a gold star, we get what amounts to a machine initiated nasty-gram to clean up the mess.

Now the decisions need to be made: What data can I delete or put somewhere else? What needs to be archived? To make these decisions, I need to answer, what aren’t we using? What aren’t we using that’s big? If I move it somewhere else, who needs access to it when it gets there? Is there anything in there that I need to make sure stays private?

I sure could use some metadata to help me answer these questions. Fortunately, I work for Varonis—and our metadata framework is purpose-built to answer these questions in minutes. That’s a relief, because I have a lot of work to get done today that doesn’t involve shuffling files around to save space.

How to Assess Your Current Risk Profile and Effectively Reduce Risk

In our December 2011 newsletter, we highlight recent research from Gartner, “Security and Risk Management Lessons, Courtesy of WikiLeaks,” (Gartner subscription required) that begins, “The wholesale release of sensitive diplomatic cables by WikiLeaks serves as a reminder to organizations of the need to evaluate the benefits and risks of broader data access; the need for data access governance, controls and monitoring; and the need for data and infrastructure protection.”

Organizations now house all kinds of sensitive information – not only that of the organization itself, but data that belongs or affects its partners, clients, and employees. Governing access and monitoring use of data is critical for productivity and security, and is now necessary to be a viable business partner.

Metadata is critical in preventing unauthorized or inappropriate access to sensitive data. Read how to assess your current risk profile and effectively reduce risk with metadata framework technology in Preventing Data Leaks with Automated Data Governance.

The Challenges of Metadata Collection

In my recent post, Improving Authorization with Metadata, we talked about what kinds of information we need in order to start cleaning up access control. This time I want to talk a little bit about how we’ll actually get that metadata and what it will take to use it to do anything useful.

If you recall, the metadata streams we’re going to be primarily concerned with are user and group information, permissions from the ACLs and user access activity. In addition, data classification can help us prioritize the work by finding where important data is located and, when combined with the other metadata streams, where it might have excessive or broken permissions. So where does all this metadata come from?

The simple answer is that there’s no simple answer. Each platform is going to have its own interfaces and challenges when it comes to gathering this data. In the Windows world, for instance, in order to see who has access to a folder, or what folders a user has access to, you’ll need to traverse each file system to get the permissions—every folder might have a unique ACL. In order to interpret the ACLs, you’ll need to grab the users and groups from Active Directory, as well as the local groups on the servers, some of which will contain groups in AD. And that’s just NTFS Permissions—you also need to consider Windows Share Permissions, and the effective permissions a user might have based on both.
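The interaction between nested groups, share permissions and NTFS permissions described above can be sketched in a few lines. This is an added example, not code from the original post or from Varonis; the group names, ACLs and rights bitmask are constructed, and the model is simplified (deny always wins, with no distinction between explicit and inherited ACEs).

```python
# Added example with constructed data; names and ACLs are hypothetical.
READ, WRITE = 1, 2  # simplified rights bitmask (assumption)

# Group -> direct members. A local server group can contain an AD group,
# which can itself contain other AD groups.
GROUPS = {
    r"SRV01\FinanceLocal": {r"CORP\Finance"},
    r"CORP\Finance": {r"CORP\alice", r"CORP\Accounting"},
    r"CORP\Accounting": {r"CORP\bob"},
    r"CORP\Contractors": {r"CORP\bob"},
    "Everyone": {r"CORP\alice", r"CORP\bob", r"CORP\carol"},
}

# ACE = (principal, "allow" | "deny", rights mask)
SHARE_ACL = [("Everyone", "allow", READ | WRITE)]
NTFS_ACL = [
    (r"SRV01\FinanceLocal", "allow", READ | WRITE),
    (r"CORP\Contractors", "deny", WRITE),
]

def principals_for(user):
    """Return the user plus every group reached directly or through nesting."""
    found = {user}
    changed = True
    while changed:  # repeat until no new group is discovered
        changed = False
        for group, members in GROUPS.items():
            if group not in found and members & found:
                found.add(group)
                changed = True
    return found

def granted(acl, principals):
    """Rights an ACL gives to a set of principals; deny bits override allow bits."""
    allow = deny = 0
    for principal, kind, mask in acl:
        if principal in principals:
            if kind == "deny":
                deny |= mask
            else:
                allow |= mask
    return allow & ~deny

def effective(user, share_acl=SHARE_ACL, ntfs_acl=NTFS_ACL):
    """Access over the network is the more restrictive of share and NTFS rights."""
    who = principals_for(user)
    return granted(share_acl, who) & granted(ntfs_acl, who)

if __name__ == "__main__":
    for name in (r"CORP\alice", r"CORP\bob", r"CORP\carol"):
        print(name, effective(name))
```

Bob reaches the folder only through three levels of nesting and loses write access through a separate deny, which is the kind of result that is hard to see by reading a single ACL.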

SharePoint permissions are complex, too.  SharePoint objects have access control lists that refer to Active Directory users and groups and SharePoint groups, and each group is assigned one or more permission levels on the object, and each permission level is comprised of some combination of 33 individual permissions.

That’s interesting to compare with permissions on an Exchange mailbox, where access can be set at the server (mailbox permissions) and by the client through Outlook (sharing permissions). On top of that, think of all the actions you can perform within Exchange once you factor in message flagging and attachments.

UNIX file systems have NFS style permissions as well as POSIX ACLs, all of which can refer to local groups and users, and those in LDAP, NIS, or even Active Directory groups if you’re using an AD integration product like Centrify. NAS devices often have CIFS/NTFS style permissions, NFS permissions, and hybrid permissions modes to serve both CIFS and NFS clients on the same share.

As you can see, each of these platforms has its own idiosyncrasies, and we haven’t yet mentioned symbolic links, junction points, or DFS. And… this is just to see who has access. Who is actually accessing data is even trickier—we’ll talk about that in a future post.

On top of all that, think about the sheer amount of metadata you may be collecting—thousands of users in thousands of groups across hundreds of thousands of ACLs, that must be gathered carefully enough so it won’t significantly impact the environment, otherwise what’s the point? If monitoring the box is going to break the box, no one will do it. What this all means is that gathering up all of the relevant information across all the platforms you want to properly govern is no simple task, and analyzing and making sense of all the metadata is even harder—it requires a lot of platform expertise, and technology that is flexible and robust enough to handle the deep waters of today’s diverse file systems.

Hunch has the “Taste Graph”, Varonis has the “Access Graph”

It was recently announced that eBay has acquired New York-based startup Hunch for a reported $80 million (a tad over the reserve price). Hunch is a recommendation engine created by Caterina Fake of Flickr fame, and Chris Dixon, a prominent entrepreneur and angel investor.

It’s pretty obvious how eBay intends to use Hunch: to provide a better experience for buyers and sellers by making personalized recommendations.

The acquisition got me thinking about Varonis’ recommendation engine and how it parallels Hunch’s in some respects.

How Does Hunch Work?

The technology behind Hunch is quite fascinating. They’ve built a massive data structure called the “taste graph”, which connects users on the web to the things they like. Hunch leverages its more than 30 billion connections (or what they call “edges”) to make accurate predictions about a user’s tastes and provide them with personalized recommendations.

But how does Hunch arrive at its recommendations?  It tracks your actions on the web–Facebook likes, Amazon ratings, Foursquare check-ins, and so on–and compares you to other users who have similar behavior. Hunch also gleans a lot about users from their social connections on networks like Twitter and Facebook.

If you follow Barack Obama, for example, you’re more likely to be a liberal who, as it turns out, tends to prefer crunchy tacos to soft tacos.  And the taste graph tells us that if you went to Yale, chances are you’re much more extroverted than your fellow Ivy-leaguers.

Varonis’ “Access Graph”

If Hunch has the web’s “taste graph” then Varonis has your organization’s “access graph.”
Varonis logs every user’s file system activity across your entire IT infrastructure and uses the audit log to predict which permissions you really need.  And, like Hunch, Varonis doesn’t restrict its prediction algorithms to a single user’s behavior; it also looks at other users who belong to intersecting access groups, which turns out to be extremely important.


Take for instance a case where Alice hasn’t been using the permissions she’s been granted via her membership in Active Directory group “Finance”. Our first instinct might be to remove her from the group. But Varonis takes the analysis a step further–even though Alice’s finance activity has tapered off, we can see that her other behaviors closely mirror her fellow “Finance” group members’, so we’d actually be better off leaving her membership intact. This technique is one of the primary reasons Varonis’ recommendations are 99% accurate.
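The reasoning in the Alice case can be illustrated with a simple peer-similarity check. This is an added example and not Varonis’ algorithm, which the post does not describe; the audit events, folder names, Jaccard similarity measure and 0.5 threshold are all assumptions chosen for illustration.

```python
# Added example with constructed data; not the product's actual method.
from collections import defaultdict

GROUP_MEMBERS = {"Finance": {"alice", "bob", "carol", "dave"}}
GROUP_FOLDERS = {"Finance": {"/finance/ledger", "/finance/payroll"}}

# Constructed audit log for the review window: (user, folder accessed).
EVENTS = [
    ("bob", "/finance/ledger"), ("bob", "/shared/budget-templates"),
    ("bob", "/shared/vendor-contracts"), ("bob", "/hr/benefits"),
    ("carol", "/finance/payroll"), ("carol", "/shared/budget-templates"),
    ("carol", "/shared/vendor-contracts"),
    ("alice", "/shared/budget-templates"), ("alice", "/shared/vendor-contracts"),
    ("alice", "/hr/benefits"),
    ("dave", "/engineering/builds"), ("dave", "/engineering/specs"),
]

def folders_by_user(events):
    """Collapse the audit log into user -> set of folders touched."""
    seen = defaultdict(set)
    for user, folder in events:
        seen[user].add(folder)
    return seen

def jaccard(a, b):
    """Overlap of two folder sets, from 0.0 (disjoint) to 1.0 (identical)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def review_group(group, events=EVENTS, threshold=0.5):
    """For members not using the group's access, compare their other activity
    with that of members who do use it, and recommend removal only when the
    average similarity is below the threshold."""
    seen = folders_by_user(events)
    granted = GROUP_FOLDERS[group]
    members = GROUP_MEMBERS[group]
    active = {u for u in members if seen[u] & granted}
    result = {}
    for user in sorted(members - active):
        other = seen[user] - granted
        scores = [jaccard(other, seen[peer] - granted) for peer in active]
        score = sum(scores) / len(scores) if scores else 0.0
        verdict = "keep" if score >= threshold else "recommend removal"
        result[user] = (verdict, round(score, 2))
    return result

if __name__ == "__main__":
    print(review_group("Finance"))
```

Neither Alice nor Dave touched a Finance folder, but only Dave is flagged, because his remaining activity has nothing in common with the members who still use the group’s access.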
