Archive for: January, 2012

Varonis Webinar: Eliminating Data Security Threats

On last week’s North American webinar, Eliminating Data Security Threats, Brian Vecci talked about how unstructured data presents some unique challenges to IT organizations when it comes to identifying who has access, who is accessing, and who should have access to Windows, NAS and UNIX folders, SharePoint sites, and Exchange mailboxes and public folders. He also covered how new metadata framework technologies can help organizations eliminate data security threats.

Some of the main topics were:

  • Latest advancements for managing unstructured and semi-structured data
  • How to leverage metadata framework technology to instantly remediate risk
  • The fastest process for finding data owners
  • How to identify sensitive data 90% faster than traditional data classification methods
  • Why file systems, SharePoint, NAS, and Exchange audits no longer impact system performance

If you missed our webinar last week, click here to play the recording.

Varonis hosts monthly webinars on data governance related topics. Our next North American webinar will be on February 22nd. Stay tuned to get details and registration information on our News & Events page.

The Light Is Better Over Here

An analyst reminded me of a joke the other day where a man is looking for his lost keys under a street-light. A passerby asks the man if he is sure about where he dropped them, and the man replies, “I’m actually pretty sure I dropped them in the grass over there.”

“Then why aren’t you looking where you think you dropped them?”

“Because the light is better here.”

As Brian Vecci noted, unstructured data has been in the dark, or “out of sight, out of mind,” until recently – even though it’s clear that it’s where the most data is most at risk. Business plans, financial statements, blueprints, intellectual property, credit card numbers, medical and other personal information all reside on file servers, email servers, and SharePoint sites where too many people have access, and their access activity isn’t audited.

This data has value (or else why are we keeping it?), and those assets that are at risk for loss, theft, or misuse are an IT security professional’s “lost keys,” where annualized loss expectancy is highest. So why haven’t we been looking in unstructured data stores for our lost keys?

Quite simply, the search area is enormous (terabytes, or even petabytes of data) and before recent advances in metadata framework technology, we pretty much had to crawl around on our hands and knees searching the ground by candlelight.

Those that chose to try quickly discovered lost keys all over every small area of the field they started looking in—open shares that contained all sorts of important information, with no clear indication of who should have access, who was using them, or even who they belonged to. When people don’t know how to fix something, they don’t usually advertise that it’s broken.

It’s exciting to see this changing as more and more regulations are mandating that unstructured data stores be protected, and organizations are converging on metadata framework technology to “illuminate” and protect them – identifying areas of risk and automating their remediation.

Data Connectors Chicago

I just got back from a fantastic Data Connectors event in Chicago where I had the opportunity to speak to a group of IT security professionals about how we think about unstructured data governance. The theme of the presentation was on Authentication, Authorization and Accountability, and how we need the right metadata and automation to ensure secure collaboration and protect unstructured data.

The feedback after the presentation was (and usually is) really the best part—it’s clear that so many of us in IT are starting to really think hard about how to correctly manage access to data. In the past, we haven’t had the information we need or the automation in place to manage access in any meaningful way, which is why we’re suddenly scrambling to protect against insider threats. A number of the folks I was fortunate enough to meet told me that five years ago unstructured data was pretty much “out of sight, out of mind” from a security standpoint. Things are changing, though, and quickly. Every time there’s another public data breach due to an insider, more CIOs and CISOs start mandating governance of all organizational data, including unstructured and semi-structured stores. IT professionals are searching for the right solution, and at Varonis we feel very fortunate to be in a position to help.

You can find similar upcoming events on the Varonis events page.

We Can’t Audit Our Lives But We Can Audit Our Data

Two weeks ago my fiancée came home from Christmas shopping. While she was unpacking, she realized she didn’t have her phone with her. She panicked! The idea of losing all her information: phone numbers, addresses, pictures, calendar, etc., was really scary and frustrating. Especially if we consider all the activities we use our phones for today, the data contained in the phone becomes a huge asset and a great risk for us if lost. We called the phone and there was no answer, then we started retracing all her steps during the day. What did she do? Where did she go? Who did she talk to? We had to try to figure out what happened with her phone but we couldn’t remember every place she had visited. We didn’t know if she left it somewhere or someone took it. Because the GPS service kills the battery very quickly, she had turned it off. Imagine the feeling: she had lost valuable and sensitive information, and she didn’t know what happened, how it happened or when it happened. There was no way for us to find it.

If you’ve ever staffed a help desk then you have probably experienced a similar situation when users called you because they couldn’t find their data. They know it was there yesterday but today it is not there anymore and they need you to find it. They don’t know who moved it, or deleted it, or when; they don’t have any idea what happened. If you had native Windows auditing turned on, you might be able to find it, but because of the impact native auditing has on the performance of file servers, most organizations do not use it. As Brian Vecci said, “It’s simply too resource-intensive and doesn’t offer enough functionality.” On the other hand, manual processes are time consuming and ineffective; it takes a long time to try to determine what happened and most of the time we can’t. We can’t identify what exactly happened to the file. Was it deleted? Was it moved to a different folder? Who moved it? At the end you really have no way of finding it, other than restoring a backup, which most likely won’t be up-to-date if it’s there at all. To find lost files, as well as to perform many other data governance activities like identifying stale data, removing excessive permissions and identifying access abuse, it is necessary to have an audit trail.

Unfortunately we couldn’t locate my fiancée’s phone; she lost pictures, phone numbers, emails, calendar events, and other valuable information. We will get a new one and load some information from the backup, but the backup is not up to date. It will be impossible to recover all the data stored in that phone, and now it is at risk in the hands of the person who found it or took it, whom we have no way to find. We still don’t know what happened, but we’ll just have to hope for the best. While we may not yet have a good solution for auditing our daily lives, we do have one when it comes to unstructured data.

Forensic Investigation of Trade Secret Theft

Imagine this:

You’re working in Security Operations for a major chemical company and the General Counsel shows up at your desk and asks you to provide the following information about the company’s next generation space-age polymer, commonly known as “transparent aluminum:”

  • All documents accessed by a specific employee, “Allen Carey”
  • Any documents that contain the name of a chemical compound known only by its code name, “transparent aluminum”
  • A list of email messages that:
    • were sent by “Allen Carey”
    • include in the email subject field the words “transparent” or “aluminum”
    • include any attachments that were sent by “Allen”
    • include the names of the recipients that Allen communicated with
    • include how these email messages were sent, i.e. via Outlook Web Access, the Outlook client, etc.
  • A list of the permissions that Allen has had on all relevant systems since the development of the “transparent aluminum” began in 2010, including
    • Windows File Servers
    • Unix Development Servers
    • Exchange Email Servers
    • SharePoint Servers
  • A list of all locations where documents or email messages which contain the words “transparent aluminum” were transmitted or taken
  • A list of the permissions of the recipients of the messages Allen has sent and what they have done with the information they received from him

The General Counsel goes on to say that the company’s financial future depends on it.  He doesn’t give you any other information, but apparently Allen Carey is suspected of selling the formula for this polymer to a group of individuals with ties to organized computer crime. He seemed like such a nice guy…

Before we get into the forensic requirements of these scenarios, it’s important to understand why protecting trade secrets is different than protecting normal business data. As most Security Administrators know, the protection of electronic data is a challenge for most companies. Protection of trade secrets presents even more of a challenge. While Security Administrators are usually very good at protecting ordinary business data, they usually don’t have the forensic tools either to proactively address discovery requests for information about trade secrets or to determine that a trade secret has been compromised. In addition, trade secrets are typically the result of years of research, marketing efforts and development and usually incur a high cost. Examples of commercial trade secrets could be the formula for your favorite beer or the design schematics for the next generation iPhone. Federal trade secrets might include the plans for a new military intelligence device or a chemical compound used in the creation of a new aircraft.

From a legal perspective, in the United States trade secrets are protected by Federal laws and regulations. For example, the Economic Espionage Act of 1996 governs industrial espionage and trade secret theft. These laws were developed to promote economic security and protect innovation so that companies can develop products with the assurance that the government will intervene if important intellectual property is compromised. According to the Economic Espionage Act, a trade secret has three parts to it: 1. information, 2. reasonable measures taken to protect the information, and 3. something which derives independent economic value from not being known. While the courts are busy trying to interpret what the second component, “reasonable measures,” actually means, Security Administrators must develop electronic forensics, entitlement management, and control plans, and architect their security instrumentation accordingly.

Basically, the General Counsel wants a digital play-by-play for Allen Carey, reviewing every step that Allen took during his journey into computer crime. Although this scenario has been painted as hypothetical, it has actually occurred in a number of trade secret theft cases, including those identified below. Although the information included with each example is brief, the message is clear: trade secrets are a challenge to protect and instrumentation must be available to monitor when trade secret theft is occurring. Some examples:

  • United States v. Jin – In this case, while on Company A’s internal network, defendant Jin downloaded over 200 technical documents belonging to Company A.
  • United States v. Pani – Pani, the defendant in this case, was employed by both Intel and AMD. Pani allegedly used his Intel issued laptop computer to download 13 Intel documents which were classified as “Top Secret.” Pani then copied the downloaded files to his external hard drive.
  • United States v. Roberts and Howley – In this case, the defendant allegedly used his mobile phone to take 7 photographs of “Goodyear’s roll over ply-down device.”  He then allegedly downloaded the 7 pictures to his personal email account and emailed the pictures to his work email account.  The defendants then transmitted the photographs to other Wyco employees to be used to assist Wyco in constructing their own roll over ply-down device so that they (Wyco) could complete a contract with a Chinese tire manufacturing company.
  • United States v. Zeng – The defendant, Zeng, was a chemist for International Paint. He had access to an epoxy-based intumescent fireproofing material. He allegedly downloaded the formula for this material and printed it out. He also emailed people in China with the goal of forming a chemical company to develop and sell chemicals, including the identified fireproofing material.

Based on these actual cases, it’s clear that Security Administrators cannot rely solely on native tools or on products which provide a false sense of security about preventing data theft. Theft occurs via email, printing, mobile phones, cameras, and external media – no product alone will provide absolute prevention.

So, with these cards clearly stacked against the IT department, what should companies do to protect the most valued of valuable data, specifically their trade secrets? How should Coke protect the formula for Coke? How should McDonald’s protect their special sauce? How should Apple protect their designs for their new iPod or iPad? How should your company protect what it considers the most important data that it owns? This type of data theft affects the brand and ultimately results in economic loss to the company.

In my next blog I’ll address the General Counsel’s requirements and demonstrate how forensics investigations are easily achieved using Varonis DatAdvantage and DataPrivilege.


Why You Need An Audit Trail

Imagine if a representative from your bank called you, and said, “Sir/Ma’am, for the next three days our system to audit account activity will be down, and we will be unable to track activity on your bank account. There will be no information on withdrawals or deposits available. Tracking will resume in three days. Would you like us to put a lock on your account so no one can withdraw funds until our auditing system is back up?” You’d probably say, “Yes, lock my account!” And you’d make plans to stop using that bank.

One of our predictions for 2012 was that organizations would start to consider access auditing mandatory—if you can’t audit who is using the asset and how they are using it, the asset is at risk. In honor of our prediction and the increasing importance of auditing access, we’ve created a new video about why auditing file system and email activity is important.

Why Do SharePoint Permissions Cause So Much Trouble?

SharePoint permissions can be the stuff of nightmares.  At Varonis, we get a chance to meet with a lot of SharePoint administrators and it’s rare that they’re not exhausted trying to manage user permissions. SharePoint’s a useful collaboration platform—and Microsoft’s fastest selling product ever—but helping to ensure proper permissions and access control is probably not its strongest suit.

The first challenge with SharePoint permissions is that, like file servers, SharePoint has “local” or SharePoint-specific groups that can contain AD groups and users. Unlike file shares, however, where server local groups are rarely used on the shared folders, SharePoint local groups are much more common.  This adds a layer of complexity, especially in large organizations where the SharePoint administrative team may be completely separate from the group managing Active Directory.

Next, the actual permissions themselves are more complicated. NTFS file system permissions are usually Full, Modify, Read & Execute, List, Read and Write. With SharePoint, you get 12 permission types for lists, 3 for “personal” actions like views and 18 different types for sites themselves. These permission types can be grouped into “permission levels.” For example, the default “Contributor” site permission level contains 8 of the 12 permission types. In addition to the handful of built-in permission levels, Administrators can create custom permission levels. To top it off, a given user, group, or SharePoint group can be granted multiple permission levels on a given list or site, so it can quickly become very difficult to understand what a given user or group can actually do with the data they’ve been granted access to.

Even though SharePoint permissions can be confusing even for technology teams, Microsoft designed SharePoint to allow non-technical folks to manage permissions directly. Prior to SharePoint 2010, there was even a built-in button to easily grant access to all Authenticated Users, or everyone in the organization that’s logged into the domain. What ended up happening is that business users would use this as a short-cut to get people access when needed, rather than managing permissions in a more secure way. With more and more sensitive data being shared on SharePoint servers, this represents a significant area of risk.
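The layering described above (nested AD and SharePoint groups, multiple permission levels per principal, and grants to Authenticated Users) can be resolved mechanically. The following is an added example, not SharePoint's API or Varonis code: the groups, users, site paths and the contents of each permission level are constructed, and list-level inheritance is not modelled.

```python
from collections import defaultdict

AUTH_USERS = "NT AUTHORITY\\Authenticated Users"

# Constructed permission levels. The permission type names are SharePoint
# list permissions; the contents of each level are illustrative only.
LEVELS = {
    "Viewer": {"ViewListItems", "OpenItems"},
    "Editor": {"ViewListItems", "OpenItems", "AddListItems", "EditListItems"},
    "Approver": {"ViewListItems", "ApproveItems"},
    "ListAdmin": {"ManageLists", "DeleteListItems"},
}

# Constructed membership: group -> direct members. The SP prefix marks a
# SharePoint group, AD an Active Directory group; bare names are users.
MEMBERS = {
    "AD\\Finance": {"alice", "bob"},
    "AD\\Finance-Managers": {"alice"},
    "SP\\Budget Members": {"AD\\Finance"},
    "SP\\Budget Owners": {"AD\\Finance-Managers", "carol"},
    "SP\\Budget Visitors": {AUTH_USERS},
}

# Constructed grants: (scope, principal, permission level).
GRANTS = [
    ("/sites/budget", "SP\\Budget Members", "Editor"),
    ("/sites/budget", "SP\\Budget Owners", "ListAdmin"),
    ("/sites/budget", "SP\\Budget Owners", "Approver"),
    ("/sites/budget", "SP\\Budget Visitors", "Viewer"),
    ("/sites/budget/Lists/Salaries", "bob", "Approver"),
]

def expand(seeds):
    """Return the seeds plus every group that contains them, transitively."""
    found = set(seeds)
    changed = True
    while changed:
        changed = False
        for group, members in MEMBERS.items():
            if group not in found and members & found:
                found.add(group)
                changed = True
    return found

def effective_permissions(user, scope):
    """Map each permission type the user holds on scope to the grants behind it."""
    # Any logged-in domain user also matches the Authenticated Users principal.
    who = expand({user, AUTH_USERS})
    perms = defaultdict(set)
    for grant_scope, principal, level in GRANTS:
        if grant_scope == scope and principal in who:
            for perm in LEVELS[level]:
                perms[perm].add(f"{principal}: {level}")
    return dict(perms)

def broad_grants():
    """List grants that reach everyone through Authenticated Users."""
    everyone = expand({AUTH_USERS})
    return sorted(g for g in GRANTS if g[1] in everyone)

if __name__ == "__main__":
    print(effective_permissions("alice", "/sites/budget"))
    print("open to all:", broad_grants())
```

Keeping the grant path next to each permission type is what makes remediation possible: it shows which group or level to change without cutting off access that arrives by another route.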

The good news is that Varonis DatAdvantage for SharePoint helps organizations make sense of SharePoint permissions by providing intelligence and unobtrusive metadata collection for SharePoint, as it has for years for file systems and (more recently) for Exchange. The SharePoint permissions nightmare ends as critical data governance questions can finally be answered: Who has access to a SharePoint site and what level of access do they have? What have they been accessing? Which SharePoint sites are exposed and contain sensitive data? Most importantly, how do we fix them without disrupting business? SharePoint can be a powerful collaboration tool, but it’s important to understand the data that’s there, who’s using it and what permissions are in place and how those controls are changing.

Identifying Active Directory Privilege Escalation

One common headache for IT managers is tracking privileged access, for instance: who granted someone privileged access? When did it happen? What did they do? These questions have ramifications for change control, audit and security—many organizations have sought technologies to help answer them quickly and easily.

Varonis has helped organizations see what administrators access and change in file shares, SharePoint, and Exchange for quite a while; recently Varonis augmented its audit trail so that organizations can also see exactly who granted privileged access, and when. DatAdvantage for Directory Services now includes granular audit information from Active Directory that helps put all the pieces together in a single interface:

  • Who added Joe to Domain Administrators, and when?
  • What did Joe do once he had administrative access?
  • What files did he open, create, delete, change, or distribute via email?
  • What other changes did he make to ACLs or security groups?
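The first two questions in the list above can be answered by correlating group-membership changes with later object access. The following is an added example, not DatAdvantage's implementation: it assumes Windows Security auditing is enabled and the events have been exported to simple records, and the field names, accounts and paths are constructed.

```python
from datetime import datetime

# Windows Security event IDs: a member was added to / removed from a
# security-enabled global, local or universal group; 4663 is an object access.
ADD_IDS = {4728, 4732, 4756}
REMOVE_IDS = {4729, 4733, 4757}
OBJECT_ACCESS = 4663
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample records with simplified field names (not raw event XML).
EVENTS = [
    {"time": "2012-01-10T08:50:00", "id": 4663, "actor": "joe",
     "object": r"\\fs01\public\menu.docx", "access": "ReadData"},
    {"time": "2012-01-10T09:02:11", "id": 4728, "actor": "svc_helpdesk",
     "member": "joe", "group": "Domain Admins"},
    {"time": "2012-01-10T09:03:00", "id": 4728, "actor": "hr_admin",
     "member": "ann", "group": "Sales"},
    {"time": "2012-01-10T09:05:40", "id": 4663, "actor": "joe",
     "object": r"\\fs01\finance\payroll.xlsx", "access": "ReadData"},
    {"time": "2012-01-10T09:07:02", "id": 4663, "actor": "joe",
     "object": r"\\fs01\finance\payroll.xlsx", "access": "WRITE_DAC"},
    {"time": "2012-01-10T09:30:00", "id": 4729, "actor": "svc_helpdesk",
     "member": "joe", "group": "Domain Admins"},
    {"time": "2012-01-10T10:00:00", "id": 4663, "actor": "joe",
     "object": r"\\fs01\public\menu.docx", "access": "ReadData"},
]


def ts(event):
    """Parse the record's ISO 8601 timestamp."""
    return datetime.fromisoformat(event["time"])


def membership_windows(events):
    """Return one record per period a member spent in a privileged group."""
    open_windows, windows = {}, []
    for e in sorted(events, key=ts):
        if e.get("group") not in PRIVILEGED:
            continue  # not a membership event, or not a privileged group
        key = (e["member"], e["group"])
        if e["id"] in ADD_IDS and key not in open_windows:
            w = {"member": e["member"], "group": e["group"],
                 "granted_by": e["actor"], "start": ts(e), "end": None}
            open_windows[key] = w
            windows.append(w)
        elif e["id"] in REMOVE_IDS and key in open_windows:
            open_windows.pop(key)["end"] = ts(e)
    return windows


def activity_during(events, window):
    """Object-access events by the member while the membership was in effect."""
    return [e for e in events
            if e["id"] == OBJECT_ACCESS and e["actor"] == window["member"]
            and ts(e) >= window["start"]
            and (window["end"] is None or ts(e) <= window["end"])]


if __name__ == "__main__":
    for w in membership_windows(EVENTS):
        print(w["granted_by"], "added", w["member"], "to", w["group"], "at", w["start"])
        for e in activity_during(EVENTS, w):
            print("  ", e["time"], e["access"], e["object"])
```

A window whose `end` is still `None` is a membership that was never revoked, which is worth reviewing on its own.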

With a single-interface view of permissions, users & groups, access activity, and classification data across multiple platforms, several of our customers have mentioned how the DatAdvantage interface is being used by more and more IT administrators and managers to analyze activity, access controls & group memberships, and then simulate and make changes. The Varonis Metadata Framework is uniquely suited to aggregate and analyze many types of metadata—granular activity from Active Directory was a natural metadata stream to absorb.  DatAdvantage for Directory Services is currently available for a free trial in your environment.

Case Study: Mercy Health and Aged Care

Data governance and protection is extremely important for healthcare organizations and Mercy Health and Aged Care (MHAC) is no exception.  MHAC must comply with numerous industry security regulations in the face of rapid data growth and expanding infrastructure.

Read about the business benefits MHAC has been able to realize with Varonis DatAdvantage and DataPrivilege, including:

Compliance with information security standards

With a complete audit trail, MHAC can prove policies are in place and being adhered to in order to satisfy compliance with various national and international information security standards.

Transparency into who is accessing its data, and what they are doing with it

MHAC can not only classify its data, but also identify who is accessing the information and what they are doing with it.

An easier, holistic approach to control access

The process of provisioning users becomes far more efficient as people are now dealing directly with managers who can take immediate action on the request.

Read the complete case study here.