All posts by Brian Vecci


[Podcast] I’m Brian Vecci, Technical Evangelist at Varonis, and This is How I Work



If you’ve ever seen Technical Evangelist Brian Vecci present, his passion for Varonis is palpable. He makes presenting look effortless and easy, but as we all know, excellence requires a complete devotion to the craft. I recently spoke to him to gain insight into his work and to shed light on his process as a presenter.

“When I first started presenting for Varonis, I’d have the presentation open on one half of the screen and Evernote open on the other half and actually write out every word I was going to say for each slide,” said Brian.

From there, he improvises from the script.

“I’d often change things up while presenting based on people’s reactions or questions, but the process of actually writing everything out first made responding and reacting and changing the presentation a lot easier. I still do that, especially for new presentations.”

According to Varonis CMO David Gibson:

Brian’s high energy, curiosity, and multi-faceted skills (technical aptitude, communication skills, sales acumen, and organizational capabilities) make him an exceptional evangelist.

Read on to learn more about Brian – this time, in his own words.

What would people never guess you do in your role?

I’m really lucky that my role at Varonis lets me engage with people all over the company, including Marketing, Sales, Support, Engineering, and Product Management, so I’m not sure that there’s anything anyone would never guess about what I do.

When it comes to the more public aspects of what I do, like press, Connect events, and customer meetings, I spend more time drilling and practicing what I’m going to say so that when I’m on stage or in front of a camera, I can improvise off a script rather than trying to remember what I’m supposed to be talking about.

What did you learn about yourself after working at Varonis?

That I need to spend more time listening and less time talking. One of the first trips I made at Varonis was to a few customer meetings in California, and before I left David Gibson reminded me to “make the meeting about them,” meaning the people I was meeting with. It’s still something I’m working to get better at and have to consistently remind myself of.

How has Varonis helped you in your career development?

It would be hard to come up with ways that Varonis hasn’t helped me in my career.

I’ve become way more confident in front of audiences. I’ve gotten better at confidently talking about things I know well and I’ve gotten more comfortable with saying, “I don’t know.”

I was always in technical roles before coming to Varonis and sometimes it’s hard to admit that you don’t know something when it’s your job to.

What advice do you have for prospective candidates?

Varonis more than anywhere else I’ve ever worked rewards energy, enthusiasm, and hard work.

We’re much bigger than we were when I joined back in 2010, but there’s still so many things that we’re learning how to do well as a company.

The people who succeed here are the ones that do, fail, and get better.

What do you like most about the company? 

I admire how much of our leadership has been here for so long, and I think that’s reflective of everyone having the same goal.

It’s been rare in my career before coming to Varonis to feel like a part of an organization on a mission. That’s never been an issue here.

I know what it’s like to work somewhere where the leaders have no vision, let alone the ability to execute on it.

What’s the biggest data security problem your prospects are faced with?

When I first got here we were spending a lot of time just teaching our prospects that security on file systems was possible!

Making sure the right people had access to what they were supposed to was an impossible problem to solve for so many people for so long that we had to spend a lot of time just educating people that we understood the root of their problems and could actually fix them.

These days everyone seems to know it’s a problem and the biggest challenge our prospects face is knowing how to get there.

“I get what you (Varonis) do, but tell me how we can actually get there” is something I hear a lot. That’s probably because I spend a lot of time talking about our Operational Journey these days.

What certificates do you have?

I’ve got a CISSP, which is the only certification I ever put a lot of work into.

Fave book?

I love to read and have a bunch. I read The Count of Monte Cristo every few years, so that’s up there. Dune is another one that I try and read every now and then. Gateway by Frederik Pohl as well. The book that helped me most with my job is Working with Emotional Intelligence by Daniel Goleman.

What is your fave time hack?

Adding my flights and hotels to my wife’s Gmail calendar because what do you mean you didn’t know I was going to be in London this week?

What’s your favorite quote?

Decisions are made by those who show up. I’m not sure who to attribute it to, but the first person I remember saying it to me was my father.


Brian Vecci

Hi, my name is Brian Vecci and I’m currently a technical evangelist at Varonis, and this is how I work.

Cindy Ng

Thanks, Brian, for joining us today. How long have you been with Varonis?

Brian Vecci

That’s an interesting question. I’ve been with Varonis since March of 2010. But as some or many people may know, I actually left for about 10 months before coming back. I’m in my second term at Varonis, and I’ve been here now for…in my second stint for about two and a half years. But when I introduce myself I say I’ve been here since 2010.

Cindy Ng

What was your background prior to joining Varonis?

Brian Vecci

I went to college and studied computer science and music. And I came out of college and immediately went to work as a web developer. So I was an engineer, and I spent time doing web and applications development. And I discovered that I’m generally better at talking about the kinds of things that I was doing and helping other people understand the technology that I was building than actually building the technology, which probably won’t surprise anybody who knows me.

So I was an engineer, an applications developer then I moved into project management. I was a project manager for a while, a systems architect. And right before I came to Varonis, I was in desktop architecture for an investment bank. And before that I had done project management at a law firm and I’d been in a publishing company. So I’d kind of been in IT and IT applications and a few different roles and hopped around a few different industries before coming to Varonis.

Cindy Ng

And how did you know that Varonis was a good fit for you?

Brian Vecci

I knew immediately that Varonis was a good fit for me because I needed a job and they offered me a job. So the fact that I got a job offer was the first big clue, but really I connected with an old manager of mine at a law firm, Chadbourne & Parke, who was one of the best managers that I’d ever had up until that point, and he introduced me. He knew I was looking for a job and introduced me to a friend of his at another law firm who had a friend who worked for this tiny startup company called Varonis, who was looking for someone to do what they were calling technical marketing, which is something that I’d never done before.

And so I interviewed with this guy, his name is David Gibson, and he was a former SE and was looking for someone technical, and I met him and we got along great. And then a couple of days later I met a guy named Mark Wilcox and we got along really well, and a couple of days later I sat in a windowless conference room in New York City with a couple of guys named Ken Spinner and Jim O’Boyle and a few others. About 30 minutes into that meeting I met a guy named Yaki Faitelson, and every single person that I met along the way was passionate and enthusiastic and super intelligent and seemed to work really hard and really believed really strongly in what they were doing, and I had no idea what we were doing at that point. I didn’t really know what Varonis did. I had some kind of inkling.

So it was less the company itself and more the people that I was about to start working with that made me pretty confident that this was gonna be a good fit and it turned out to be right.

Cindy Ng

And what did you learn about yourself after working at Varonis?

Brian Vecci

That I need to spend way less time talking and way more time listening. It’s one of the first lessons that David tried to impart on me. I remember before in one of my first trips out to do some customer meetings, he said to me, “You know, Brian, you’ve got to always remember make the meeting about them not about you.” And anybody who knows me well will hear me say that out loud and laugh at me because they realize that’s still something that I struggle with sometimes.

But learning how to shut up and listen, have a little bit of empathy and think about the people that you’re talking to and what they care about was one of the hardest lessons for me to learn because it’s something that I’m not naturally good at but it’s something that stuck with me for eight years and something that I continue to work on. I think about it as something that I’m hopefully a little bit better at than I used to be and that I continue to improve on. And every time I’m mindful and focused on listening to others I find that I get better at what I do and feel better about what I do.

Cindy Ng

And when you go to a meeting, when you talk to them, what is the biggest data security problem your prospects are faced with?

Brian Vecci

Well, I spend a lot of time in meetings talking these days about our operational journey. And that means the biggest data security problem the prospects I’m talking to face is, they know they have a big problem. They know they have a ton of data.

They may know that some of it is sensitive, they may not, they may have some ideas of where it is, they may have some sense of the scale of the problem that they’re facing trying to help the right people have access to the right data but the biggest problem they face is, “All right. We know we have these huge problems, we get it. How do we get there? How do we go from the state where everything is chaos to this vision that you’re talking about where only the right people have access to just what they’re supposed to and everything’s monitored. When something goes wrong we know about it?”

So the biggest problem these days is just how to get there. It’s less about a specific technical problem and more about, “I don’t know what I need to do first, second, third or fourth,” which is really different like even when you and I started here. Like seven, eight years ago the biggest problem that we faced was that our prospects had no idea that they had these problems. We spent so much time just educating people first of all, unstructured data or data on file systems is important and it was exposed and they had no idea how big of a problem they had, let alone what they needed to do to fix it. That’s changed. These days most people know that they have a big problem, they just don’t know how to get there.

So what I’m finding is when I am talking to a prospect it’s because they wanna learn about, you know, what our operational journey looks like. Those are words that we use, but what it really means is, “I know I have big problems. I have a sense that you can help me. How can we actually get to the state that you’re talking about?” If that makes some sense.

Cindy Ng

Yeah. Take us through an operational journey from start to finish that you think might be helpful for our listeners to understand the important work you do. Let’s start with verticals. Do verticals matter? Does this journey apply to every company?

Brian Vecci

I think the journey applies to every company because every company has data but that doesn’t mean that verticals don’t matter. Verticals do matter because the ways a bank thinks about their data because they’re so highly regulated, because they know they’ve got, for instance, customer information, that if it was exposed or leaked improperly could result in big fines, the kinds of things highly regulated industries think about when it comes to their data are a little bit different than, for instance, a media company or somebody who’s not as regulated.

Everybody’s got the same problems but the vertical can really dictate sometimes how a prospect thinks about or even talks about their data. That said, the operational journey, it’s pretty much the same. We don’t have to change what our journey looks like depending on the vertical. Everybody gets a lot of data, and if they’ve never worked with Varonis before I’m pretty sure they don’t really have a handle on what kind of data they have, meaning what sensitive and what’s not. They really don’t have a handle on where it all is.

They’re probably not monitoring how it’s used. There’s a sound bite that I use often: you can’t catch what you can’t see, and you can’t manage what you don’t monitor, which sounds trite but is absolutely true. It’s really difficult to make decisions about something when you know nothing about it, and so many companies know nothing about their data.

So the journey starts with, and this is gonna sound kind of sales-y because we spend a lot of time building content for Salesforce to learn, but turning on the light, just helping somebody understand, “Listen, here’s where your data is. Here’s who got access to it. Here’s what’s sensitive, here’s where it’s exposed, and look, here’s how it’s being used.” And when you do that, when you just start with that you’re often so much further ahead than you were before.

The journey then kind of moves on to not only understanding what you’ve got but fixing the biggest problems. When you turn on the lights you can start to prioritize and understand where you’re exposed and where you’re at risk.

One of the things that I talk a lot about, many of the presentations that I give is that risk is a pretty simple equation. It’s how valuable is something and how likely is it that something’s gonna go wrong with that asset or that data? So how valuable is our data? What’s the likelihood that it’s gonna get lost or stolen or misused? And our operational…a big part of our operational journey is helping our prospects to quantify that.

How many folders do you have that have sensitive data that are exposed to many people, that are exposed to global access groups? That’s easy for us to put numbers behind, very hard for someone to do without Varonis. But once you understand where you’re exposed, we call it prevent. We detect and then prevent, but preventing disaster means reducing exposure, making sure only the right people have access to what they’re supposed to, locking down sensitive data, getting rid of global access, and starting to figure out who this data belongs to so that you can get them involved in making decisions.

Finally, the last step of the journey is to automate things like entitlement reviews. Why should somebody at the helpdesk or somebody in security or somebody in IT be making regular decisions about who should and shouldn’t have access? It’s the data owners, it’s the people who understand and have real context that should be.

So automating entitlement reviews, automating authorization workflows, automating quarantining and retention and disposition, these are all kind of technical ways of saying, “Once you understand your data and you lock it down, you can start to treat it like you would anything else that’s valuable,” and Varonis can help you do that in an automated way so that you’re not going through endless projects for annual clean-ups and things like that, which is what we see our prospects either are doing or have done in the past in trying to solve some of these problems.

Cindy Ng

So how can you turn on the lights for our customers? How do they acknowledge their problem? Do they know that they have problems? How do they respond?

Brian Vecci

Customers, or prospects, I should say, who we do risk assessments for are completely shocked by what we found. I hear stories a lot of sales teams being kicked out of the room when somebody says, “You know what? We had no idea that this much sensitive data was this exposed, that you can’t see this, like we could all get in a lot of trouble, you have to leave the room.” So sometimes it’s really surprising.

Other times, and this is becoming more common these days, a prospect will know that they have a big problem but they didn’t realize maybe the extent of it or they’ve never seen it presented in such a comprehensive way. Our risk assessments are so valuable, and it’s one of the reasons we talk about our evaluations or our proofs of concept as a risk assessment these days, because that’s really what they are.

We can go in and give somebody a pretty clear picture of what their environment looks like without a whole lot of work. We can tell them concretely, “Here’s how much data you have, here’s how much of it is sensitive and here’s how much of it is open. Here’s literally how much risk you’re facing right now and here’s how you can kind of fix all these problems.”

So, to answer it, I think your question is, “Do they know it’s a problem?” Sometimes they do, sometimes they don’t. Oftentimes they have no idea of the real scale of the problem or even if they do know they have a big problem it’s still eye-opening for us to do a risk assessment and show them really specifically exactly where the problems are and how they can actually fix them.

Cindy Ng

So after they kick you out and hopefully they bring you back in and that you try to convince them that our methodology is the right one to follow, how do you convince them that there’s so many solutions to a problem? Why is the Varonis way the right way?

Brian Vecci

I’m going to disagree with you that there’s so many solutions to a problem, because for this particular problem, especially when we’re talking about data stores like file systems that are pretty chaotic, there aren’t a lot of solutions to that problem.

We’re very fortunate in that Varonis has technology that’s unique. Nobody else does what we do the way that we do it. And I can speak from personal experience. Having spent some time at one of our competitors, nobody else does what we do the way that we do it. So when we can come in and present not just, “Hey, look, we showed you, you have a big problem,” but “we showed you you have a big problem and we have the technology to help you solve it, and we have the track record and experience to show you that we’re good at actually doing this.” Our methodology, it’s not pie in the sky, it’s not in theory. We’ve got more than 6,250 customers as of our last earnings call.

That’s a lot of customers who have used Varonis to actually solve some of these problems. So our methodology is based on experience and that carries a lot of weight. There’s lots of ways to solve this problem, it’s really, in our experience, there’s very, very few ways to solve this problem, and we’re fortunate enough that if you wanna solve it you need not only a methodology to do it, you need an approach, you need technology to enable that approach to actually work.

And I speak honestly from my experience, Varonis is the only way to do it, and it’s a lot of fun to work for a place where you can not only identify a big problem but help people solve it and you’re the only ones that can do it. We’re in a really unique situation.

Cindy Ng

What do they initially buy when they decide that Varonis is the only way?

Brian Vecci

Everybody has Windows data or CIFS data, whether it’s NAS or on Windows file servers. So, most commonly it’s DatAdvantage for Windows because that’s what gives you the ability to not only monitor everything but map all of the identities and all of the permissions. That’s pretty critical to turning on the lights. Another big part of turning on the lights is understanding where sensitive data is. So data classification. And our data classification engine is kind of a no-brainer. So that’s a big…that’s a pretty common piece of that initial package.

And then the great thing about DatAlert and DatAlert suite is that it becomes more powerful the more ingredients, the more we call them behavior streams or metadata streams that you give it. The more information the DatAlert has to analyze and alert you the more valuable it is. So with DatAdvantage for Windows you’re mapping permissions, you’re monitoring Windows data and access activity for the users on that data. Data classification gives you some context in what’s sensitive and what’s not which is really important.

And Directory Services allows you to monitor Active Directory too, everybody has Active Directory. So those I think are the most common but I wanna be careful about saying what are, you know, our most common package is.

Cindy Ng

And then how do you quantify the improvement so that customers know that you’ve helped them and they wanna continue the journey with you?

Brian Vecci

It’s a really excellent question. And it’s a big part of our risk assessment, to quantify what their risk is, what their risk profile is. And we quantify that by how much data do you have? How much of that is sensitive and how much of that is open? And if you just track those things, “All right. How many folders do I have? How many of those folders are open to everybody or, you know, open to lots of people? How many of those folders that are open also contain sensitive information?”

If you take that number and you start tracking it over time and you see the number of, you know, folders that are sensitive and open and you see that number going down, you see the number of folders that are stale and you see that number going down because you’re deleting or archiving it, you see the number of things like users who are enabled but not active, or users that have passwords set not to expire, or the number of file system artifacts like orphaned SIDs or individuals on access control lists, or the number of issues that we find in Active Directory, there’s lots of really specific metrics that only we can measure, and I say only we because we’re the only ones that have the ability to scan every single folder and subfolder and every single SharePoint site and sub-site, and we monitor every single data touch. We’re the only ones that can really do that, especially at scale.

We can start to put really specific metrics behind, “All right. Here’s what you’ve got. Here’s where you’re at risk, and here’s how you can measure the improvement over time.” And that’s what we show our prospect in a risk assessment, and hopefully, that’s what we’re tracking as they go through our operational journey.

Cindy Ng

And describe what utopia would look like in a company’s file system?

Brian Vecci

I would say, here’s what utopia looks like, and this is part of a lot of the presentations that I give these days. Like what is the Varonis’ vision for how you can think about your data? And it’s pretty straightforward. You know where all your sensitive data is, you can make sure that only the right people have access to it, and really, people, users only have access to what they’re supposed to, that everything is monitored. Every time someone touches data it’s monitored and recorded.

So just like how a bank has a pretty good idea when your credit card is being misused because they know a lot about you, right? They know who you are, they know where you live, they know what you shop for, they know in the amounts that you shop for and where you shop, and really, really critically, they watch every dollar that goes in and out of your account because that’s their business.

Well, you can start to treat data that way if you know everything about your users and what they have access to and where sensitive data is and, really critically, you watch every time someone opens, creates, moves, modifies and deletes data. You can start to treat your data like a bank treats your credit card, and that means you know when something goes wrong.

So not only do you know where your sensitive data is and you can make sure the right people have access to it, but you also watch everything that every user and every service account does. So you know what’s normal and then you know what’s abnormal, and if something goes wrong you can respond to it intelligently and really, really quickly. And then you can automate things like retention and disposition.

And what that means is, when you don’t need data anymore you can delete it, archive it, move it somewhere else. If somebody put something sensitive where it’s not supposed to be, you’ve got automation in place to quarantine it. Somebody drops a sensitive file in an open share, it automatically gets moved somewhere else, that’s locked down and properly protected.

You know who data belongs to and you’ve got those owners involved. So when someone needs access to data it’s your data owners that are saying yes or no, and that whole process is recorded. The data owners are reviewing access on a regular basis. They’re doing access recertification, we call them entitlement reviews.

So once a quarter your owners are looking at who has access to the data and they’re making decisions about who should and shouldn’t have access to data. And then from a compliance standpoint, not only do you know what’s happening to your data and you know what’s sensitive, and you can make sure that it’s locked down, but when someone needs access to it you’ve got a record of who asked for it, who approved it, when they approved it, why they approved it, because you’ve got DatAdvantage monitoring every single thing that they did while they had that data.

The vision is just to start treating data like a smart company treats anything else that’s valuable. And the biggest journey that we’ve been on as a company over the last…since I’ve been here since the last…in the last eight years, it’s helping the rest of the world understand just how valuable this data is and that it’s possible to put the kind of controls and protections and processes around file systems as they do anything else that’s really valuable in the company.

Cindy Ng

What other byproducts have you been able to help our customers find since they were looking to achieve this privilege model? Were they able to find other solutions that they didn’t initially realize that Varonis helped them with?

Brian Vecci

As for the kinds of things that companies tend to discover and the kinds of use cases that get opened up: once you start treating data this way you can start connecting things like your SIEM to your file systems, which is a…it’s really, really difficult to do unless you’ve got Varonis, by sending alerts from DatAlert off to the SIEM, for instance, or connecting identity management to your file systems.

Cindy Ng

Outside of work when you’re not presenting or traveling to another meeting, what do you like to do?

Brian Vecci

I like to read a lot and I spend a lot of time on planes so I spend a lot of time reading. I play the guitar and I’m pretty confident that’s one of the reasons that David Gibson hired me, was that I was a guitar player. I have a little home studio in my basement. I recently moved from Brooklyn out to New Jersey. And I’ve been joking with a lot of people that I bought a farm. I didn’t actually buy a farm although I looked at it, but I’m just spending a lot of time learning what it’s like to own and run a house.

Having a house and having a kind of a big piece of property is something that’s new to me. So over the last year, really, the last six, eight months since I’ve done that, I’ve been learning a lot about what it means to kind of be a homeowner, which is exciting and fun and may sound kind of pedestrian and not as exciting as some of the other stuff that I get to do, but for me, it’s been really, really interesting.

Cindy Ng

Well, thank you so much, Brian. And we wish you the best.

Brian Vecci

Thank you. It’s been great talking to you. And, Cindy, it’s been great working with you for the past eight years. And when did you join Varonis? You were the first person that was hired in our team after I joined.

Cindy Ng

It was 2010.

Brian Vecci

Yeah, 2010. So we’ve been here for a while. It’s been great working with you and I look forward to lots more in the future.

Getting the Most Out of Data Transport Engine


If you don’t need it, get rid of it. If it’s sensitive, make sure it’s in the right place and only accessible to those who need it. Old files are expensive and risky, which is why we have retention and disposition policies for what should happen to data that we don’t need anymore.

The Data Transport Engine (DTE) is a component of the Varonis Data Security Platform that lets you automate these kinds of policies at the file or folder level, so you can automatically move data to where it’s supposed to be.

How does it work?

DatAdvantage collects directory information (users and security groups from Active Directory and local accounts), file system permissions (access control lists, or ACLs), classification information on which files contain PII or other sensitive data, and a record of access activity by all users and service accounts. With all of this information, Varonis knows where your data is, who’s got access to it, which files might be sensitive, and exactly what’s being used (or not) and by whom.

With DTE, you can create file and folder transportation rules based on this metadata, so DTE will move files from one location to another that match the rule. For example, you can automatically move files that haven’t been accessed (by a human being!) in more than seven years to meet your retention policy. You can also create rules based on content, so if someone puts something sensitive where it’s not supposed to be, like an open SharePoint site, a DTE rule could automatically put it some place safe.

What are some popular use cases?

Stale Data Cleanup

Setting up DTE to clean up old data is straightforward, and leaving stub files behind means that users can still reach archived data if needed.

One customer had an interesting variation on this use case. They needed to archive a lot of data, but with one important exception: any financial records that met certain criteria couldn’t be moved or modified in any way because of a compliance issue. They used DTE to identify and move the special financial records to separate folders with a unique naming scheme. Then they created their automated retention policy with a clause to exclude those folders from the retention rule’s scope.

You can run stale data cleanup jobs manually with DTE or configure automated retention rules that constantly scan for data that is old enough to archive.

Data Classification Rules

Sensitive Data Migration

Your security policy might dictate where sensitive or regulated data should live (or where it shouldn’t) and who should have access to it (or who shouldn’t). Customer data with PII can’t live in folders open to everyone in the company, for example, or in personal drives. Since DTE rules can use the sensitive data scans from our Data Classification Framework (DCF), you can move sensitive files where they’re supposed to be.

One customer took this a step further and enhanced the DTE rule to modify the permissions of the files in transit. DTE rules can be set to modify permissions so the destination data is more secure than the source. In this case, the DTE rule was set so that once files reached the destination folder, their file system permissions were overridden to inherit from the parent folder. This simplifies their security and helps make sure the right people have access once the data is moved.

What if someone drops a sensitive file somewhere by accident? Just as with stale data, you can set DTE rules that match sensitive data and automatically quarantine it somewhere safe.
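As an added example that is not Varonis code, here is a small rule evaluator in the shape of the DTE rules described above: it derives the last human access per file from audit events (ignoring service accounts), skips the compliance-hold folders by their naming prefix, archives stale files with a stub, and quarantines exposed sensitive files with the inherit-from-parent permission reset. All paths, accounts and rule names are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, FrozenSet, List, Tuple

# Constructed sample data: accounts that touch every file and must not count as
# "human" access, plus (path, account, timestamp) audit events.
SERVICE_ACCOUNTS = {"svc-backup", "svc-antivirus"}
AUDIT_EVENTS = [
    (r"\\nas\share\projects\2005\plan.docx", "jsmith", datetime(2007, 3, 1)),
    (r"\\nas\share\projects\2005\plan.docx", "svc-backup", datetime(2016, 5, 30)),
    (r"\\nas\share\finance\FIN-HOLD-2006\ledger.xlsx", "cfo", datetime(2006, 1, 9)),
    (r"\\nas\share\public\customers.csv", "mlee", datetime(2016, 5, 20)),
    (r"\\nas\share\hr\review.docx", "hr1", datetime(2016, 1, 4)),
]
# Constructed per-file metadata: (classification tags, open to a global group?).
FILE_METADATA = {
    r"\\nas\share\projects\2005\plan.docx": (frozenset(), False),
    r"\\nas\share\finance\FIN-HOLD-2006\ledger.xlsx": (frozenset({"Financial"}), False),
    r"\\nas\share\public\customers.csv": (frozenset({"PII"}), True),
    r"\\nas\share\hr\review.docx": (frozenset({"PII"}), False),
}


@dataclass
class FileRecord:
    path: str
    last_human_access: datetime
    tags: FrozenSet[str]
    open_to_everyone: bool


@dataclass
class TransportRule:
    name: str
    matches: Callable[[FileRecord, datetime], bool]
    destination: str
    exclude_prefixes: Tuple[str, ...] = ()
    leave_stub: bool = False          # keep a pointer so users can still reach archived data
    inherit_parent_acl: bool = False  # drop the source ACL; inherit from the destination folder

    def applies(self, rec: FileRecord, now: datetime) -> bool:
        # Excluded folders (e.g. records under a compliance hold) are never touched.
        if any(rec.path.lower().startswith(p.lower()) for p in self.exclude_prefixes):
            return False
        return self.matches(rec, now)


def last_human_access(events, service_accounts) -> Dict[str, datetime]:
    """Latest access per path made by a person. Backup and scanning agents touch
    everything constantly, so counting them would make nothing ever look stale."""
    latest: Dict[str, datetime] = {}
    for path, account, ts in events:
        if account in service_accounts:
            continue
        if path not in latest or ts > latest[path]:
            latest[path] = ts
    return latest


def build_records(events, metadata, service_accounts) -> List[FileRecord]:
    latest = last_human_access(events, service_accounts)
    # A file nobody has ever opened is treated as stale from the beginning of time.
    return [FileRecord(p, latest.get(p, datetime.min), tags, exposed)
            for p, (tags, exposed) in metadata.items()]


def plan_moves(files, rules, now) -> List[dict]:
    """The move each file would receive under the first rule that matches it."""
    plan = []
    for rec in files:
        for rule in rules:
            if rule.applies(rec, now):
                plan.append({"path": rec.path, "rule": rule.name,
                             "destination": rule.destination,
                             "leave_stub": rule.leave_stub,
                             "inherit_parent_acl": rule.inherit_parent_acl})
                break
    return plan


RETENTION = timedelta(days=7 * 365)
RULES = [
    # Quarantine is checked first: an exposed sensitive file must not merely be archived.
    TransportRule("quarantine-exposed-pii",
                  lambda r, now: "PII" in r.tags and r.open_to_everyone,
                  destination=r"\\nas\quarantine", inherit_parent_acl=True),
    TransportRule("archive-stale",
                  lambda r, now: now - r.last_human_access > RETENTION,
                  destination=r"\\archive\nas",
                  exclude_prefixes=(r"\\nas\share\finance\FIN-HOLD-",),
                  leave_stub=True),
]


def build_sample_plan(now=datetime(2016, 6, 1)) -> List[dict]:
    return plan_moves(build_records(AUDIT_EVENTS, FILE_METADATA, SERVICE_ACCOUNTS), RULES, now)


if __name__ == "__main__":
    for move in build_sample_plan():
        print(move)
```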

Classification Rules

Migrating Everything, Even Between Domains

Migrations and consolidations can be massive projects, as in the case of one large telecom customer who went from hundreds of individually-managed, remote Windows file servers down to just a few very large NAS devices. Instead of having to manually migrate each server to a NAS and then re-create all of the file system permissions in the destination domain, DTE managed the whole process automatically.

In this case, the movement rules were set up to re-permission the data at the destination NAS devices, too. This is important if your migration is between Active Directory domains, since if you don’t re-permission the data, no one will be able to access anything if the old domain goes away. DTE will re-create the groups in the new domain so you can automate that part of the process as well.

Want to set DTE rules up for yourself? Check out this how-to guide or video. If you’re not running DTE, contact us about lighting up a trial license so you can see how it works.

The Differences Between DLP, IAM, SIEM, and Varonis Solutions

You can’t always do it all alone and sometimes you need help from your friends. It’s good life advice, and as it turns out, good advice for a security solution. A multi-pronged security program that uses a mix of technologies and approaches is the best way to reduce risk and to protect your organization’s most important data resources.

For example, Data Loss Prevention (DLP) solutions are often used to help protect sensitive data as it moves around the network and makes its way to endpoint devices. Identity and Access Management (IAM) solutions complement DLP by connecting disparate authentication services together, so that when users need to access systems or applications, they make a request through a single service. And Security Information and Event Management (SIEM) tools aggregate, correlate, and help analyze the logs from a variety of different sources in a single repository.

Yes, organizations often employ some or all of DLP, IAM, and SIEM in a best-of-breed approach. But what are the differences between these technologies, and how do they relate to Varonis, which is neither DLP, IAM, nor SIEM?

Let’s go through the distinctions.

Data Loss Prevention

To prevent a user’s sensitive data from making its way outside the corporate network, DLP solutions execute responses based on pre-defined policies and rules, ranging from simple notification to active blocking.

DLP typically covers three high-level use cases: endpoint protection, network monitoring of data in motion, and classification of data at rest.

Endpoint protection use cases include hard drive encryption, optical drive and USB port locking to prevent exfiltration, and malware protection.

Data in motion technologies inspect email and web traffic to attempt to identify sensitive data potentially being exfiltrated so that data remains in the organization, and may also help ensure that content is only accessed over encrypted channels.

Data at rest classification inspects the content of files to identify where sensitive data may exist on server and cloud platforms so that additional action can be taken to ensure proper access controls.

IAM

While DLP is great for protecting sensitive data, it generally has no information about how data is being used or how access controls are granted. To obtain this access information, many organizations turn to Identity and Access Management.

Identity Management serves as a gatekeeper for user access rights. When a user starts a new role, he is authorized and granted access rights to systems and applications. And when he leaves the organization, those rights are terminated.

What makes Access Management so critical is that access rights, especially for unstructured data, typically accumulate over time. The longer a user stays with a company, the more access the user usually has. Users with privileges beyond what their current role requires put the company at risk. Moreover, if a hacker gains control of the account of a user with excessive access, the company’s exposure grows further. Both scenarios can result in a data breach.

Together, Identity and Access Management ties disparate applications together into a single repository for management of access and entitlements. IAM solutions will often provide access management workflows, user entitlement reporting, application owner entitlement reviews, and even single-sign-on (SSO) functionality between applications with the goal of providing a single entitlement store and workflow solution for managing access.

SIEM

SIEM systems store, analyze, and correlate a multitude of security information: authentication events, anti-virus events, intrusion events, and so on. When a rule matches an anomalous event, it alerts a security officer or analyst to take swift action.

SIEM systems aggregate logs, most commonly by reading event viewer data, receiving standard feeds from SNMP traps or Syslog, or, in some cases, collecting log data through agents. These feeds come from user devices, network switches and other network devices, servers, firewalls, anti-virus software, intrusion detection/prevention systems, and many more. Once all of the data is centralized, the SIEM runs reports, “listens” for anomalous events, and sends alerts.

For the SIEM tool to identify anomalous events, and send alerts, it’s important that an administrator create a profile of the system under normal event conditions. SIEM alerts can be pre-configured with canned rules, or you can custom create your own rules that reflect your security policies.

After events are sent to the system, they pass through a series of rules, which generate alerts if certain conditions are met. Keep in mind, with potentially thousands of devices, and different sources to monitor, each generating potentially thousands of records or more a day, there will be plenty of data to sift through.  The goal is to use SIEM rules to reduce the number of events down to a small number of actionable alerts that signal real-world vulnerabilities, threats, or risk.

Varonis

Varonis does not provide DLP, IAM, or SIEM functionality, and is not designed to replace any of those solutions. In fact, Varonis tends to enhance each one by providing visibility into and context around the unstructured data – which can prevent insider and outsider threats, malware activity, lateral movement, data exfiltration, and potential data breaches.

What sets Varonis solutions apart from traditional file-level DLP solutions?

Identifying sensitive data on your server and/or blocking it is DLP’s strong suit. Yes, it knows where all your sensitive files reside, but it has a weak point: if a hacker or insider compromises an account that is authorized to access sensitive docs, DLP can’t stop it.

To really protect your organization’s sensitive data, you should also know:

  • who is accessing it
  • who has access to it
  • who likely no longer needs access
  • who outside of IT the data belongs to, and
  • also when a user or users start accessing that data in strange ways.

Varonis makes DLP better by providing all of that additional context. After absorbing the classification scans from DLP, Varonis provides activity monitoring, alerting, and behavior analysis along with intelligent permissions management. DLP tells you where your sensitive data is, and Varonis helps make sure that only the right people have access to it and that you know when access is abused.

What sets Varonis solutions apart from IAM solutions?

Even though IAM connects various applications and systems into a single solution for entitlements, that functionality tends to stop when it comes to unstructured data. Because access to unstructured data is controlled both by directory users and groups and file system ACLs together, there’s no single “application” for IAM to connect to. This means that IAM has a blind side when managing access to unstructured data.

Moreover, access to unstructured data tends to be chaotic and unmanaged—permissions are complex and non-standard, multiple groups often have access to the same data, folders and SharePoint sites are open globally, and so on—so managing unstructured data entitlements through IAM is often impossible.

This is where Varonis can help.

DatAdvantage allows IAM to extend to unstructured data through many use cases:

  • Map out the functional relationships between the users/groups, and the data necessary for a role.
  • Restructure permissions so that they can be efficiently managed through single purpose groups.
  • Analyze user behavior over time and provide recommendations to owners on who likely no longer needs access
  • Leverage data classification to help ensure sensitive data is owned and managed appropriately

DataPrivilege can complement IAM by empowering data owners, and users by:

  • Enabling ad-hoc requests so users can get access to data, only for as long as necessary, without having to redefine a role
  • Giving data owners insight into activity on their data sets
  • Allowing for regular reviews of access to ensure only the right people have access to the right data

What sets Varonis solutions apart from SIEM?

SIEM will read event viewer logs from network devices, systems, and AD, but has no view into actual data activity since those logs often don’t exist natively and can be difficult to parse.

With our file activity monitoring system, Varonis closes this gap by collecting and analyzing all access activity on platforms SIEM can’t usually see.

We can tell your SIEM when someone’s accessing the CEO’s mailbox, changing critical GPOs, encrypting large numbers of files in a short period of time, or otherwise misbehaving when it comes to your data and directory services.

Moreover, Varonis baselines user activity and provides alerts that can be passed directly to SIEM for further correlation, analysis or action. Varonis alerts can be sent via Syslog to any SIEM, and there are pre-built templates for connection with some specific platforms.

Summing Up

DLP, IAM, and SIEM are all useful, important technologies for enterprise security. No single product or category is all an organization needs to protect its data and systems, and defense in depth is becoming increasingly important. When it comes to unstructured data, all of these technologies have significant gaps in the kinds of detective and preventive controls they can provide, and all of them are made more useful by integrating with the Varonis Metadata Framework.

Using Varonis: Involving Data Owners (Part I)

(This is one entry in a series of posts about the Varonis Operational Plan – a clear path to data governance. You can find the whole series here.)

Almost every organization is now data driven. With all the talk about data growth and big data analytics over the past couple of years, people have started to ask: “How do we maximize the value of our data? How can we make sure we’re deriving real business benefit?”

The keys to maximizing the value of your data are to gather the right intelligence about it, and then give the right people the ability to take action using the intelligence you’ve gathered.

Now that we know who our Data Owners are, it’s time to start getting them involved. Remember that it’s the owners—not IT—that have adequate context to make decisions about who should and shouldn’t have access to their assets.

The next step in operationalizing Varonis is to provide owners with intelligence about their data assets. DatAdvantage can deliver data-driven reports that shed light on what is happening with their data: who can access it, what they’re doing with it, which data is stale, etc. These reports greatly simplify and optimize reporting by delivering to every owner a report that contains information about only the data they own.

An Example

Say you’ve spent a few weeks identifying and confirming business owners for all of the top-level folders on a large NAS (or two, or three…). Depending on the size of the company, this might be a few dozen or a few thousand people. One of the most common next steps is to provide permissions reports on all of these data sets to the relevant owners. So the HR owner gets a report on all of the users who have access to the HR folder, for instance. It’s the same with Finance, Marketing, R&D, etc. In the past, you would have to create and deliver a separate report for each owner, which depending on the complexity of your reporting process might be an onerous undertaking all by itself. DatAdvantage gives you a far better alternative.

In DatAdvantage, to accomplish the same thing, you’d only need to create a single report, and all owners would get permissions reports once a quarter (or however often you like). Create the report, include the proper filters and formatting, and then set up a data-driven subscription to be delivered on the first day of the first month of the quarter. That’s it, you’re done.

Every quarter, every data owner is going to get that report in their inbox, and the report will contain information about only the data that they own—they won’t see anything that doesn’t belong to them. As you add and change owners over time, the subscription will continue to work without intervention. If my job role changes and suddenly I’m the owner of additional folders, my permissions report will show those as well. If I’m no longer an owner, my report won’t contain information about what I no longer own.

Permissions reporting is a great use case for data-driven reports, and it’s not the only one. Reports that show actual access can be useful, too. What if every data owner could see exactly who on their team was accessing data most? What about those people who weren’t accessing any? Or people from outside their team bumbling around? Who creates content? Showing owners what data is stale or which folders are growing the fastest can help give them an understanding of how they’re using resources. Providing owners intelligence about where their sensitive data is, where it’s exposed, and who has been accessing it leads to informed decisions about how they can reduce risk.

Once you’ve started putting intelligence into the hands of your owners, the next step is to give them the power to take action without bugging IT. We’ll cover that next.

Using Varonis: Who Owns What?

(This is one entry in a series of posts about the Varonis Operational Plan – a clear path to data governance. You can find the whole series here.)

All organizational data needs an owner. It’s that simple, right? I think most of us would be hard pressed to argue against that as a principle—the data itself is an organizational asset, so of course it’s not the Help Desk or AD Admin folks who own it, it’s the users or business units that should own it. Of course, that’s great in theory, but with 1, 5, 10, or even 20 years’ worth of shared, unstructured data, figuring out who owns data is far from simple, let alone involving those owners in any meaningful way.

Before we get into using Varonis to locate owners, I want to talk about why finding a single data owner can be such a problem. IT probably knows who owns the Finance folder. It’s the CFO or a delegated steward. Same with HR, Marketing or Legal—these tend to be clearly-delineated departmental shares and it’s not hard to figure out whom to go to if we need an informed decision. (Regularly involving those owners in data governance is a different problem, and one I will cover in future posts.) The identification for these folders is relatively straightforward.

But what happens if you need to find the owner of a folder that has a less obvious name? What if the folder’s name is a project ID, or an acronym of some kind? In my experience, a majority of unstructured data resides in folders that aren’t obviously owned by anyone.

What IT tends to do then is a few different things:

  • Check the ACL and see which groups have access. If it’s a single group with an obvious owner, that’s a likely candidate. If the ACL contains many different groups or a global access group like Domain Users, though, this tactic tends to fail.
  • Check the Windows owner under Special Permissions. This metadata can be helpful, but can also be a red herring since it’s often just set to the local Administrator of the server. Even if there’s actually a human user there (who likely created the folder), that value may be outdated or inaccurate.
Special Permissions Dialog

  • Check the owner of files within the folder. Same problems as above.
File Properties Dialog
  • Enable operating system auditing to identify the most active user. Anyone out there excited about turning on file level auditing in Windows? I have yet to talk to anyone who answers yes to this question because of the performance hit on the server as well as the storage required and expertise to parse the logs effectively.
  • Turn off access and see who complains. Not an optimal strategy when it comes to critical data.
  • Email the world and hope for a response. In general, people don’t want to take ownership of something without good reason, since it may mean more work. How confident are you that the proper owners (who may be at a management or director level) are going to know exactly which data sets their teams are using regularly? If they’re not sure, are they going to jump to take responsibility?

So finding owners is hard, let alone finding owners at scale. If you’ve got thousands of unique ACLs and you want owners for all of them (or at least the ones that make sense) you’re going to have to go through some version of this process for each one. It’s no wonder we haven’t done a good job of this over time. Thankfully, there’s a better way.

Step 4: Identify Data Owners

The key difference between attempting to solve this problem manually and attacking it intelligently with Varonis is the DatAdvantage audit trail. A normalized, continuous, non-intrusive audit record of all data access is a key piece of DatAdvantage, and it allows us to actually identify data owners at scale without having to hunt and peck. Once you start gathering usage data and rolling it up into high level stats you can start to see the likely owners of any data set, not just the obvious ones.

DatAdvantage gives you two straightforward ways to get this information: First, we can quickly take a look at a high-level view of a single folder within the Statistics pane of the DatAdvantage GUI. This will show us the most active users of a particular folder. We like to say that at most, you’re one phone call away, since if the most active user isn’t the data owner, they almost certainly know who is.

You can operationalize this process even further by creating a statistics report, which can be run on an entire tree or even a server. A single report can show the top users of every unique ACL, and it’s possible to set up advanced filters to make this even more useful—showing only users outside of IT or in a specific OU, for example. You can even add additional properties from AD to the report, showing each user’s department or line manager, if available. None of this is possible without constantly gathering access activity and providing an interface to combine it with other available metadata.

Identifying owners is useful, but actually involving them is where IT can really start to make headway when it comes to ongoing governance. We’ll tackle that next.

Using Varonis: Fixing the Biggest Problems

(This is one entry in a series of posts about the Varonis Operational Plan – a clear path to data governance. You can find the whole series here.)

Now that we have a pretty good idea where the highest-risk data is, the question naturally turns to reducing that risk. Fixing permissions problems on Windows, SharePoint or Exchange has always been a significant operational challenge. I’ve been in plenty of situations as an admin where I know something is broken—a SharePoint site open to Authenticated Users for instance—but I’ve felt powerless to actually address the problem since any permissions change carries the risk of denying access to a user (or process) who needs it. Mistakes can have significant business impact depending on whose access you broke and on what data. Since we’re defining “at-risk” as being valuable data that’s over-exposed, that means that any accessibility problems we create will impact valuable data, and that can create more problems than we started with.

Step 3: Remediate High-Risk Data

The goal is to reduce risk by reducing permissions for those users or processes that don’t require access to the data in question.

The next step in the Varonis Operational Plan is fixing those high-risk access control issues that we’ve identified: data open to global access groups as well as concentrations of sensitive information open to either global groups or groups with many users. Since simply reducing access without any context can cause problems, we need to leverage metadata and automation through DatAdvantage.

Let’s tackle global access first. When everyone can access data, it’s very difficult to know who among the large set of potential users actually needs that access. If we know exactly who’s touching the data, we can be surgical about reducing access without causing any headaches.

DatAdvantage analyzes the data’s audit record over time in conjunction with access controls, showing folders, SharePoint sites, and other repositories that are accessible by global access groups, and the users who have been accessing that data who wouldn’t have had access without a global access group. In effect, it’s doing an environment-wide simulation to answer the question, “What if I removed every global access group from every ACL tomorrow? Who would be affected?” This report gives you some key information:

  • Which data is open to global access groups
  • Which part of that data is being accessed by users who wouldn’t otherwise be able to access it

And it’s not just global groups that DatAdvantage lets you do this with. Because every data touch by every user on every monitored server is logged, Varonis lets you do this kind of analysis for any user, in any group, on any file or folder. That means you can safely remediate access to all of the high-risk data without risking productivity. You can actually fix the problem without getting in anyone’s way.
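The statistics view described in “Who Owns What?” and the global-access simulation above both reduce to the same audit-trail analysis. The following is an added example, not DatAdvantage code, working on constructed group memberships, ACLs and access events: it ranks the most active non-IT users of a folder as owner candidates, and lists, for every folder open to a global access group, the users seen accessing it who would lose access if that group were removed.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Groups whose membership is effectively "everyone"; an ACE for one of these
# is what the post calls global access.
GLOBAL_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}

# Constructed sample environment: user -> department/OU, nested AD groups,
# folder ACLs (principals granted access) and (folder, user) access events.
USERS = {"jsmith": "Finance", "cfo": "Finance", "mlee": "Sales",
         "admin1": "IT", "svc-backup": "IT"}
GROUPS = {
    "Finance": {"FinanceStaff", "FinanceLeads"},   # nested groups
    "FinanceStaff": {"jsmith"},
    "FinanceLeads": {"cfo"},
    "Domain Admins": {"admin1"},
}
FINANCE = r"\\nas\share\finance"
PROJECT = r"\\nas\share\PRJ-4471"   # the "who owns this?" folder
ACLS = {
    FINANCE: {"Finance", "Domain Admins"},
    PROJECT: {"Domain Users", "Domain Admins"},
}
AUDIT = ([(FINANCE, "jsmith")] * 5 + [(FINANCE, "cfo")] * 2 + [(FINANCE, "admin1")] * 3
         + [(PROJECT, "mlee")] * 6 + [(PROJECT, "jsmith")] + [(PROJECT, "admin1")] * 2)


def expand(principal, groups, users, _seen=None) -> Set[str]:
    """Resolve a user or (possibly nested) group to the user accounts inside it."""
    if principal in GLOBAL_GROUPS:
        return set(users)
    if principal not in groups:          # a plain user account
        return {principal}
    seen = _seen if _seen is not None else set()
    if principal in seen:                # guard against circular nesting
        return set()
    seen.add(principal)
    found: Set[str] = set()
    for member in groups[principal]:
        found |= expand(member, groups, users, seen)
    return found


def can_access(user, folder, acls, groups, users, ignore_global=False) -> bool:
    """Does any ACE on the folder reach the user, optionally pretending the
    global access groups were not on the ACL?"""
    for principal in acls.get(folder, ()):
        if ignore_global and principal in GLOBAL_GROUPS:
            continue
        if user in expand(principal, groups, users):
            return True
    return False


def global_access_impact(acls, groups, users, audit) -> Dict[str, List[str]]:
    """For every folder with a global group on its ACL, the users actually seen
    accessing it who would lose access if that group were removed. A folder
    with an empty list can be closed down without breaking anyone."""
    touched = defaultdict(set)
    for folder, user in audit:
        touched[folder].add(user)
    report = {}
    for folder, aces in acls.items():
        if not aces & GLOBAL_GROUPS:
            continue
        report[folder] = sorted(u for u in touched[folder]
                                if not can_access(u, folder, acls, groups, users,
                                                  ignore_global=True))
    return report


def owner_candidates(folder, audit, users, exclude_ous=("IT",), n=3) -> List[Tuple[str, int]]:
    """Most active users of a folder, ignoring IT staff: the people to phone
    first when hunting for the business owner."""
    counts = Counter(u for f, u in audit
                     if f == folder and users.get(u) not in exclude_ous)
    return counts.most_common(n)


if __name__ == "__main__":
    print("owner candidates:", owner_candidates(PROJECT, AUDIT, USERS))
    print("impact of removing global groups:",
          global_access_impact(ACLS, GROUPS, USERS, AUDIT))
```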

The next step is to start shifting decision making from your IT staff to the people who actually should be making choices about who gets access to data: data owners.

Image credit: harwichs

SharePoint Permissions Cheat Sheet

Complexity is dangerous in the security world. The harder something is to understand, the harder it is to protect. SharePoint falls squarely into this category. Configuring permissions in SharePoint can be daunting, especially if you don’t understand the core concepts and terminology. Unfortunately, managing access controls in SharePoint is often left to end users, not IT administrators, and that can spell disaster.

Learn more about permissions management with our free guide. 

This mini cheat sheet is designed to point out the various gotchas with SharePoint permissions so you don’t make the typical mistakes (now you’ll only make atypical mistakes).

  • SharePoint has “local” groups that can contain Active Directory Groups
    • For example, you can have a SharePoint permissions group called “Sales” which can contain Active Directory groups “Sales” and “Sales Engineering” and “Chess Team”
    • Unlike file shares, where local groups are generally avoided, SharePoint-specific groups are very common – this makes it much harder to answer the question “Which human beings can access my data?”
  • There are more default permissions types than you can keep in your head at one time (33 in all):
    • 12 permissions types for Lists
    • 3 permissions types for Personal actions (e.g., views)
    • 18 permissions types for Sites
    • Each permissions type can be grouped into Permissions Levels.
      • For example, the default “Contribute” site permission level contains 8 of the 12 site permission types.
  • In addition to the built-in permissions types, admins can create custom levels
    • For a given site or list, a custom level might be applied, making it really hard to determine who can do what
    • A malicious admin could create a custom level called “Extremely Limited” (sounds innocent, no?) but grant that level permission to do everything
  • If you’re running a version of SharePoint prior to 2010, watch out for the “Authenticated Users” button
    • Before 2010, there was a button that let admins grant access to everyone who authenticated to the domain
    • The button was a common cure-all for frustrated admins trying to grant access to frustrated users

OK, now that I’ve primed you for the worst, I’m going to give you a link that should be your best friend.  Bookmark it, study it, and hope for the best:

http://technet.microsoft.com/en-us/library/cc721640.aspx

Did you really think I’d leave you hanging here?

Varonis DatAdvantage for SharePoint abstracts away the complexity of SharePoint permissions.  You’re only ever a double click away from figuring out who has access to SharePoint document libraries, lists, sites, sub-sites, etc.

Don’t just take my word for it – try DatAdvantage free for 30 days. At the very least, you can point Varonis at your existing sites and immediately lock down data that is wide open.

Image credit: keenanpepper

Improve Data Protection, Win $500 Gift Card

Regulation in IT is nothing new, especially for those of us who’ve ever worked in the financial, government or health care sectors. What’s changing is the breadth of regulations–how much we actually need to do–and the types of information and systems these regulations apply to. No longer is it just the mainframes and other transactional systems, for instance. People now have to ask themselves “How safe is our unstructured data?” and  “Are we in compliance with new regulations?” One comment I heard recently was along the lines of, “The terrifying thing is that we have no idea whether anything on the NAS is subject to regulation because we’ve never done anything to audit it.” Of course, data security has always been a concern but with the growing threat from internal and external breaches, and a new major Wikileaks story in the news seemingly every month, companies are up against a wall and need some help to analyze the scope of the problem and figure out solutions. I think many of us would just like some help knowing where to begin.

At Varonis we have a lot of experience helping our customers with these problems, and we want to help you see where you stack up compared to other organizations. Take our free 2 minute assessment on your data protection preparedness and we’ll enter you to win a $500 gift card! Click here to access the assessment or copy the following link into your browser:

http://www.surveymonkey.com/s/DataProtectionAssessment

Everyone who fills out the survey will get our comprehensive report on the state of data protection preparedness once the results have been analyzed.

Big Data Management On Your NAS Made Easy

Got data? Got a lot of it? Most companies with NAS devices are struggling with how to manage permissions and understand usage patterns, find data owners, and identify and lock down sensitive information. If any of that sounds familiar, we’ve got the webinar for you. As part of our new partnership with HP, Varonis is co-presenting a webinar on how we can help you master big data.

We enable customers to get control of the information stored within HP IBRIX X9000 storage systems and file shares to help you realize:

  • Visibility into your permissions (set in Active Directory, LDAP, SharePoint, and Exchange)
  • A detailed audit trail of every file and e-mail touch on your servers
  • Recommendations into where access can be reduced without affecting user activity
  • Identification of data owners so they can be directly involved in the management and protection of their data
  • Sensitive content analysis so you can assess risk to your most critical data, allowing you to focus on high-priority areas for remediation

Read the press release announcing our partnership here.

Sign up to attend the webinar here.

Data Connectors Chicago

I just got back from a fantastic Data Connectors event in Chicago where I had the opportunity to speak to a group of IT security professionals about how we think about unstructured data governance. The theme of the presentation was on Authentication, Authorization and Accountability, and how we need the right metadata and automation to ensure secure collaboration and protect unstructured data.

The feedback after the presentation was (and usually is) really the best part—it’s clear that so many of us in IT are starting to really think hard about how to correctly manage access to data. In the past, we haven’t had the information we need or the automation in place to manage access in any meaningful way, which is why we’re suddenly scrambling to protect against insider threats. A number of the folks I was fortunate enough to meet told me that five years ago unstructured data was pretty much “out of sight, out of mind” from a security standpoint. Things are changing, though, and quickly. Every time there’s another public data breach due to an insider, more CIOs and CISOs start mandating governance of all organizational data, including unstructured and semi-structured stores. IT professionals are searching for the right solution, and at Varonis we feel very fortunate to be in a position to help.

You can find similar upcoming events on the Varonis events page

Why Do SharePoint Permissions Cause So Much Trouble?

SharePoint permissions can be the stuff of nightmares.  At Varonis, we get a chance to meet with a lot of SharePoint administrators and it’s rare that they’re not exhausted trying to manage user permissions. SharePoint’s a useful collaboration platform—and Microsoft’s fastest selling product ever—but helping to ensure proper permissions and access control is probably not its strongest suit.

The first challenge with SharePoint permissions is that, like file servers, SharePoint has “local” or SharePoint-specific groups that can contain AD groups and users. Unlike file shares, however, where server local groups are rarely used on the shared folders, SharePoint local groups are much more common.  This adds a layer of complexity, especially in large organizations where the SharePoint administrative team may be completely separate from the group managing Active Directory.

Next, the actual permissions themselves are more complicated. NTFS file system permissions are usually just Full, Modify, Read & Execute, List, Read and Write. With SharePoint, you get 12 permission types for lists, 3 for “personal” actions like views and 18 different types for sites themselves. These permission types can be grouped into “permission levels.” For example, the default “Contributor” site permission level contains 8 of the 12 permission types. In addition to the handful of built-in permission levels, administrators can create custom permission levels. To top it off, a given user, group, or SharePoint group can be granted multiple permission levels on a given list or site, so it can quickly become very difficult to understand what a given user or group can actually do with the data they’ve been granted access to.

Even though SharePoint permissions can be confusing even for technology teams, SharePoint is designed to allow non-technical folks to manage permissions directly. Prior to SharePoint 2010, there was even a built-in button to easily grant access to all Authenticated Users, that is, everyone in the organization who is logged into the domain. What ended up happening is that business users would use this as a shortcut to get people access when needed, rather than managing permissions in a more secure way. With more and more sensitive data being shared on SharePoint servers, this represents a significant area of risk.

The good news is that Varonis DatAdvantage for SharePoint helps organizations make sense of SharePoint permissions by providing intelligence and unobtrusive metadata collection for SharePoint, as it has for years for file systems and (more recently) for Exchange. The SharePoint permissions nightmare ends as critical data governance questions can finally be answered: Who has access to a SharePoint site and what level of access do they have? What have they been accessing? Which SharePoint sites are exposed and contain sensitive data? Most importantly, how do we fix them without disrupting business? SharePoint can be a powerful collaboration tool, but it’s important to understand the data that’s there, who’s using it and what permissions are in place and how those controls are changing.
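To make the two SharePoint posts above concrete (the cheat sheet and this one), here is an added example, not the product’s code, that resolves SharePoint groups containing AD groups down to people, unions the permission types across every level a user holds on a library, and describes custom levels by what they grant rather than by their names. The permission types and level contents are a constructed subset, not SharePoint’s actual definitions.

```python
from typing import Dict, FrozenSet, Set, Tuple

# A principal is ("user" | "ad" | "sp", name). SharePoint groups and AD groups
# live in different namespaces, so both can be called "Sales".
Principal = Tuple[str, str]

# Constructed subset of permission types (the real product defines 33) and
# constructed approximations of three built-in levels, not SharePoint's exact lists.
PERM = {"ViewListItems", "AddListItems", "EditListItems", "DeleteListItems",
        "ManageLists", "ManagePermissions", "ManageWeb", "CreateAlerts"}
BUILTIN_LEVELS: Dict[str, FrozenSet[str]] = {
    "Read": frozenset({"ViewListItems", "CreateAlerts"}),
    "Contribute": frozenset({"ViewListItems", "AddListItems", "EditListItems",
                             "DeleteListItems", "CreateAlerts"}),
    "Full Control": frozenset(PERM),
}
# The custom level from the cheat sheet: an innocent name, every permission type.
LEVELS = {**BUILTIN_LEVELS, "Extremely Limited": frozenset(PERM)}

AD_GROUPS: Dict[str, Set[Principal]] = {
    "Sales": {("user", "alice"), ("user", "bob")},
    "Sales Engineering": {("user", "carol")},
    "Chess Team": {("user", "dave"), ("ad", "Sales Engineering")},   # nested AD group
}
SP_GROUPS: Dict[str, Set[Principal]] = {
    "Sales": {("ad", "Sales"), ("ad", "Sales Engineering"), ("ad", "Chess Team")},
    "Site Owners": {("user", "eve")},
}
DOC_LIB = "/sites/sales/Shared Documents"
# Role assignments: object -> principal -> the permission levels granted to it.
ASSIGNMENTS = {
    DOC_LIB: {("sp", "Sales"): {"Read"},
              ("user", "bob"): {"Extremely Limited"},
              ("sp", "Site Owners"): {"Full Control"}},
}


def members(principal, ad_groups, sp_groups, _seen=None) -> Set[str]:
    """Expand a principal to human user names through SharePoint and AD nesting."""
    kind, name = principal
    if kind == "user":
        return {name}
    seen = _seen if _seen is not None else set()
    if principal in seen:                      # circular nesting guard
        return set()
    seen.add(principal)
    table = sp_groups if kind == "sp" else ad_groups
    found: Set[str] = set()
    for member in table.get(name, ()):
        found |= members(member, ad_groups, sp_groups, seen)
    return found


def effective_rights(user, obj, assignments, levels, ad_groups, sp_groups) -> Set[str]:
    """Union of every permission type from every level on every principal that
    contains the user. Multiple levels stack; none of them narrows another."""
    rights: Set[str] = set()
    for principal, level_names in assignments.get(obj, {}).items():
        if user in members(principal, ad_groups, sp_groups):
            for level in level_names:
                rights |= levels[level]
    return rights


def who_can(obj, perm, assignments, levels, ad_groups, sp_groups) -> list:
    """The human beings holding a given permission type on an object."""
    people: Set[str] = set()
    for principal in assignments.get(obj, {}):
        people |= members(principal, ad_groups, sp_groups)
    return sorted(u for u in people
                  if perm in effective_rights(u, obj, assignments, levels,
                                              ad_groups, sp_groups))


def describe_custom_levels(levels, builtin) -> Dict[str, list]:
    """Describe each custom level by the built-in levels it fully contains, so a
    reviewer judges it by its contents and not by its label."""
    return {name: sorted(b for b, rights in builtin.items() if rights <= granted)
            for name, granted in levels.items() if name not in builtin}


if __name__ == "__main__":
    print(who_can(DOC_LIB, "ManagePermissions", ASSIGNMENTS, LEVELS, AD_GROUPS, SP_GROUPS))
    print(describe_custom_levels(LEVELS, BUILTIN_LEVELS))
```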