Archive for: July, 2012

Richard Stiennon on Packet Capture

Twisted Pair

About a decade ago I was fortunate enough to take a course at SANS on using Snort and tcpdump, taught by Stephen Northcutt, Judy Novak, and Marty Roesch. It was hands-down one of the best courses of any kind that I have ever taken and I’d recommend it for anyone remotely interested in network security. (Note to Stephen: It really works. I did actually jump up and down in my hotel room while reciting the TCP flags, and just like you said, I have never forgotten them.)

I was reminded of my experience at SANS when I read the Forbes article by Richard Stiennon about the criticality of packet capture (Is Packet Capture Critical? Heck Yes.) Richard discusses how in the aftermath of the RSA breach, with an audit trail of network activity (and the attackers’ encryption keys), “They were able to de-crypt the network traffic they had recorded, leading to sure knowledge of the severity of the breach.”

Unfortunately, not all organizations have adopted fundamental auditing controls for critical infrastructure—network, file systems, email, etc. As an example, in our recent survey on the state of data protection, less than 20% of organizations claimed to monitor all access to critical collaboration infrastructure (file shares and SharePoint). Auditing activity (network and otherwise) represents an enormous opportunity for organizations not only to improve their response to a breach, but to better prevent breaches (or stop them in progress) through automated analysis.

Being without an audit trail is like flying blind. Once I had learned to read and interpret network traffic, I never wanted to be without good auditing again. Not only is auditing an imperative for security, it is a prerequisite for better management. For example, packet capture is critical for debugging or figuring out what the heck is eating up your bandwidth. On the data side, an audit trail helps figure out what data is active or stale, who (if anyone) is using it, and who it may belong to.

In IT and security, we will always have days where we ask, “What happened?” An audit trail, and people who know how to read it, are our only hope of knowing what happened, and our only hope of learning how to prevent it from happening again.

Image credit public domain.

Varonis Research – Free Reports on Information Security, Big Data, Cloud,...

I’m pleased to announce a new Varonis Research section. We’ve been doing a lot of original research lately and we wanted a single place where you could go to view and download all of our reports.

Some topics we’ve covered thus far include data protection, big data, cloud adoption, and most recently BYOS.

You can also check the Varonis Research page—or subscribe to this blog—for any surveys or polls we’re currently running. We usually do some sort of giveaway to thank people for participating.

Let us know what you think! And if there’s a particular area of interest you’d like to see Varonis cover, please post a comment here.


Marco Arment on Dropbox: Don’t use it for anything valuable

If you haven’t heard of Marco Arment–creator of Instapaper, co-founder of Tumblr, and Internet-famous software developer–go follow him on Twitter…now.

Not only is Marco an amazingly successful entrepreneur, but his blog and weekly podcast (Build and Analyze) are consistently packed with unique and thoughtful insights on technology and, on occasion, coffee.

On episode 85 of Build and Analyze, Marco responds to a listener question about the (in)security of Dropbox. In a nutshell, the listener asked whether Marco felt comfortable storing his data in Dropbox given that they hold the encryption keys.

Marco’s response echoes my personal feelings about Dropbox and other public cloud services: treat Dropbox as though it’s nearly public. Marco’s rule of thumb is that he doesn’t put anything in Dropbox that could potentially be harmful or embarrassing if it were leaked.

Arment says:

“Anything that is really sensitive or extremely valuable or needs to be kept very secret, I wouldn’t store on anybody else’s servers. That, to me, seems ridiculous unless I held the encryption keys like with the online backup service that I use.”

Marco makes some salient points worth repeating here for users who may not be fully aware of how services like Dropbox typically work and the ramifications of storing your data off-premise.

In case you didn’t realize, Dropbox holds the keys to encrypt and decrypt your data on their servers.

This means that a Dropbox employee could theoretically view (or steal) your data. Why do they hold the keys? Dropbox isn’t just online backup, it’s a collaboration tool. In order to offer public file sharing features, they have to be able to decrypt data that is stored on their servers.

They also need to be able to decrypt data for legal reasons: if they get a DMCA takedown notice or a subpoena from the US government requesting certain files, servers, or even racks of servers [1]. And because Dropbox hosts data for 25,000,000+ users, some of whom are undoubtedly doing very bad things, the likelihood of being served with a subpoena is far greater for them than for an individual person or organization.

For similar reasons, public cloud services are more likely to be hit by hackers because they are high-value targets and, by definition, accessible over the Internet. Also worth noting: you don’t get to decide who Dropbox hires and which employees have access to encryption keys.

Marco and co-host Dan Benjamin briefly discussed Dropbox’s most recent (at the time) security snafu, which allowed anyone to log in to any account without a password. Coincidentally, a little more than a week after the show aired, Dropbox became involved in another security investigation.

Marco concludes by saying that there are ways to use public cloud services responsibly, but you can’t use them for everything.

I’m with Marco on this. Any time I store something in the cloud–be it Dropbox or Twitter or Facebook–I ask myself, “How would I feel if this data were on the front page of the New York Times tomorrow?”

Listen to episode 85 of Build and Analyze to hear Marco talk about this topic in detail (it starts around 57:36). He also has a really interesting viewpoint on how leaked source code usually has no meaningful consequences.

[1] Marco experienced this first-hand with Instapaper when his hosting provider DigitalOne was raided by the FBI and one of his servers was confiscated:

80% of Organizations are Scared of Moving to the Cloud

New research from IDG and Varonis reveals that even though 70% of organizations would like to use cloud sync services, only 20% allow cloud file sync because of security concerns.

What are they worried about?

  • 51% are worried about correct access rights and authorization
  • 39% are worried over authentication
  • 26% are worried about data loss or auditing access activity

How do they control the use of these services?

  • 59% use (or plan to use) both policy and blocking
  • 20% use policy alone
  • 21% use neither

Download the full report here:

Varonis Data Governance Awards Deadline Extended to July 24

We’ve received some excellent submissions so far, but we wanted to give companies wrapped up in the end-of-quarter blitz additional time to apply. Therefore, we’ve extended the application deadline to July 24, 2012.

Remember, the awards are free to enter, and are open to all of our customers, regardless of size, location, business type or product deployed. Winning an award will be a sign of excellence, and a distinction that shows that our customers have achieved something to be proud of.

More information, including details of the awards, how to enter, terms and conditions and FAQ, is available at

Does Data Security Require IT Tyranny in the BYOD Era?

The BYOD (Bring Your Own Device) and BYOS (Bring Your Own Software) movements within the enterprise have been somewhat of a revolution — workers want to be free from the (perceived) tyrannical reign of the IT department.


It’s easy to see why this trend is occurring — would you rather use Lotus Notes or Gmail? Macbook Air or 10 lb. “laptop” from 2005? DropBox or…you get it.

But the issue isn’t with the devices or the software, it’s the data.

Even the most progressive, independent nations have systems in place that govern and protect the people. Likewise, the most progressive organizations — the ones that say use any device or any piece of software — still need to secure their data.

IT can’t be a dictatorship, but it can’t permit anarchy either. Until recently there hasn’t been a need to strike such a delicate balance between independence and control because data was largely immobile.

Today, data has so many vehicles to escape — we have computers that fit in our pockets, 1TB flash drives embedded in Swiss army knives, and always-on services that are constantly moving data between our devices and the cloud.

In order to meet the challenge of security without tyranny we have to redefine what it means to be secure. We need to start adopting the philosophy of visibility as security. If we have far more visibility into where our data is, who can access it, who’s using it, who owns it — maybe then we can be far more open about devices and software.

Image courtesy of rachaelvoorhees.

The Difference Between Everyone and Authenticated Users


In order to maintain proper access controls, it’s crucial to understand what every entity on an access control list (ACL) represents, including the implicit identities that are built into a Windows environment.

There are a lot of built-in accounts with obscure names and vague descriptions, so it can be confusing. One question I often get is: “What is the difference between the Everyone group and the Authenticated Users group?”

The Bottom Line

Authenticated Users encompasses all users who have logged in with a username and password.

Everyone encompasses all users who have logged in with a password as well as built-in, non-password protected accounts such as Guest and LOCAL_SERVICE.

A Bit More Detail

If the above descriptions were a tad oversimplified for you, here is some more detail.

The Authenticated Users group includes all users whose identities were authenticated when they logged on. This includes local user accounts as well as all domain user accounts from trusted domains.

The Everyone group includes all members of the Authenticated Users group as well as the built-in Guest account, and several other built-in security accounts like SERVICE, LOCAL_SERVICE, NETWORK_SERVICE, and others.

The Guest account is a built-in account on a Windows system that is disabled by default. If enabled, it allows anyone to log in without a password.

Contrary to popular belief, anyone who is logged in anonymously—that is, who did not authenticate—will NOT be included in the Everyone group. This used to be the case, but it was changed as of Windows Server 2003 and Windows XP SP2.

Who Has Access To What?

When it comes to permissions, one critical question we need to be able to answer is: which humans have access to a particular resource?

Most of the time when you’re inspecting permissions on a given resource in Windows you’re not dealing with humans directly (and that is actually a best practice); rather, you’re dealing with groups, some of which are built-in implicit identities with ambiguous names. As a result, we often have to do quite a bit of digging to get what we need.
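As an added example (not from the original post, and not Varonis code), here is a PowerShell script that lists the ACEs on a folder granted to the implicit identities discussed above, matched by well-known SID rather than by display name, and checks whether the local Guest account is enabled, which is what turns an Everyone entry into effectively password-less access. The folder path is a placeholder; Get-Acl and the [ADSI] WinNT provider are standard Windows components, and the script assumes it is run in an elevated PowerShell session on the host that owns the folder.

```powershell
# Added example, not part of the original post or any Varonis product.
# Lists ACEs on a folder that grant rights to Windows' implicit identities and
# reports whether the local Guest account is enabled.
# Assumptions: elevated PowerShell on a Windows host; $Path below is a placeholder.

# Well-known SIDs documented by Microsoft (stable and not localized, unlike display names)
$ImplicitIdentities = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'
    'S-1-5-7'  = 'ANONYMOUS LOGON'   # not a member of Everyone since XP SP2 / Server 2003
    'S-1-5-6'  = 'SERVICE'
    'S-1-5-19' = 'LOCAL SERVICE'
    'S-1-5-20' = 'NETWORK SERVICE'
}

function Get-ImplicitIdentityAce {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Resolve the ACE principal to a SID; orphaned SIDs are already SecurityIdentifier objects
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            continue   # unresolvable principal; cannot be one of the identities we care about
        }
        if ($ImplicitIdentities.ContainsKey($sid)) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ImplicitIdentities[$sid]
                SID       = $sid
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType   # Allow or Deny
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Test-LocalGuestEnabled {
    # Reads UserFlags through the WinNT provider; bit 0x2 is ADS_UF_ACCOUNTDISABLE
    try {
        $guest = [ADSI]"WinNT://$env:COMPUTERNAME/Guest,user"
        $flags = [int]$guest.Properties['UserFlags'].Value
        return (($flags -band 0x2) -eq 0)
    } catch {
        Write-Warning "Could not read the local Guest account (renamed or missing?); assuming disabled."
        return $false
    }
}

# --- usage ---
$Path = 'C:\Shares\Finance'   # placeholder; point this at the folder you are reviewing
$aces = @(Get-ImplicitIdentityAce -Path $Path)
$aces | Format-Table Identity, Rights, Type, Inherited -AutoSize

$everyoneAllow = $aces | Where-Object { $_.SID -eq 'S-1-1-0' -and $_.Type -eq 'Allow' }
if ($everyoneAllow) {
    if (Test-LocalGuestEnabled) {
        Write-Warning "Everyone is granted rights on $Path and the local Guest account is enabled: password-less Guest logons receive those rights."
    } else {
        Write-Output "Everyone is granted rights on $Path; Guest is disabled, so in practice this reaches authenticated users plus the built-in service accounts."
    }
}
```

Matching on SIDs matters because the display names vary by language pack and can be mimicked by an ordinary group with a similar name; the SID is what the access check actually uses. The Guest check is the practical difference between the two groups on a given host: with Guest disabled, an Everyone ACE reaches the same humans as an Authenticated Users ACE plus the service accounts, and the Authenticated Users entry is usually the tighter choice.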

With Varonis DatAdvantage, you’re only ever one click away from seeing which humans have access to a given resource. So when your CEO says, “Who has access to ‘Trade Secrets.doc’?” you can respond with a meaningful, actionable answer instead of going on a scavenger hunt.

What’s the Difference Between…

Looking for more helpful differentiators? We’ve written several!