You can’t always do it all alone and sometimes you need help from your friends. It’s good life advice, and as it turns out, good advice for a security solution. A multi-pronged security program that uses a mix of technologies and approaches is the best way to reduce risk and to protect your organization’s most important data resources.
For example, Data Loss Prevention (DLP) solutions are often used to help protect sensitive data as it moves around the network and makes its way to endpoint devices. Identity and Access Management (IAM) solutions complement DLP by connecting disparate authentication services together, so that when users need to access systems or applications, they make a request through a single service. And Security Information Event Management (SIEM) tools aggregate, correlate, and help analyze the logs from a variety of different sources in a single repository.
Yes, organizations often employ some or all of DLP, IAM, and SIEM in a best-of-the best approach. But what are the differences in each of these technologies, and how do they relate to Varonis, which is neither DLP, IAM, or SIEM?
Let’s go through the distinctions.
Data Loss Prevention
To prevent a user’s sensitive data from making its way outside the corporate network, DLP solutions execute responses based on pre-defined policies and rules, ranging from simple notification to active blocking.
DLP typically covers three high level use cases: endpoint protection, network monitoring of data in motion, and classification of data at rest.
Endpoint protection use cases include hard drive encryption, optical drive and USB port locking to prevent exfiltration, and malware protection.
Data in motion technologies inspect email and web traffic to attempt to identify sensitive data potentially being exfiltrated so that data remains in the organization, and may also help ensure that content is only accessed over encrypted channels.
Data at rest classification inspects the content of file to identify where sensitive data may exist on server and cloud platforms so that additional action can be taken to ensure proper access controls.
While DLP is great for protecting sensitive data, it generally has no information about how data is being used or how access controls are granted. To obtain this access information, many organizations turn to Identity and Access Management.
What makes Access Management so critical is that access rights, especially for unstructured data, typically accumulate over a time. The longer a user stays with a company, the more access the user usually has. Users with privileges beyond what is required to perform in their current role can put the company at risk. Moreover, if a hacker gains access to the account of a user with excessive access, it might further increase the company’s risk. Both scenarios can result in data breach.
Together, Identity and Access Management ties disparate applications together into a single repository for management of access and entitlements. IAM solutions will often provide access management workflows, user entitlement reporting, application owner entitlement reviews, and even single-sign-on (SSO) functionality between applications with the goal of providing a single entitlement store and workflow solution for managing access.
SIEM systems store, analyze, and correlate a multitude of security information, authentication events, anti-virus events, intrusion events, etc. Anomalous events observed in a rule alerts a security officer/analyst to take swift action.
SIEM systems aggregate logs, most commonly through reading event viewer data, receiving standard feeds from SNMP traps or Syslog, or sometimes get log data with the help of agents. These feeds come from user devices, network switches and other devices, servers, firewalls, anti-virus software, intrusion detection/prevention systems, and many more. Once all of the data is centralized, it runs reports, “listens” for anomalous events, and sends alerts.
For the SIEM tool to identify anomalous events, and send alerts, it’s important that an administrator create a profile of the system under normal event conditions. SIEM alerts can be pre-configured with canned rules, or you can custom create your own rules that reflect your security policies.
After events are sent to the system, they pass through a series of rules, which generate alerts if certain conditions are met. Keep in mind, with potentially thousands of devices, and different sources to monitor, each generating potentially thousands of records or more a day, there will be plenty of data to sift through. The goal is to use SIEM rules to reduce the number of events down to a small number of actionable alerts that signal real-world vulnerabilities, threats, or risk.
Varonis does not provide DLP, IAM, or SIEM functionality, and is not designed to replace any of those solutions. In fact, Varonis tends to enhance each one by providing visibility into and context around the unstructured data – which can prevent insider and outsider threats, malware activity, lateral movement, data exfiltration, and potential data breaches.
What sets Varonis solutions apart from traditional file-level DLP solutions?
Identifying sensitive data on your server and/or blocking it is DLP’s strong suit. Yes, it knows where all your sensitive files reside, but it has a weak point: if a hacker or insider compromises an account who is authorized to access sensitive docs, DLP can’t stop it.
To really protect your organization’s sensitive data, you should also know:
- who is accessing it
- who has access to it
- who likely no longer needs access
- who outside of IT the data belongs to, and
- also when a user or users start accessing that data in strange ways.
Varonis makes DLP better by providing all of that additional context. After absorbing the classification scans from DLP, Varonis provides activity monitoring, alerting, and behavior analysis along with intelligent permissions management. DLP tells you where your sensitive data is, and Varonis helps make sure that only the right people have access to it and that you know when access is abused.
What sets Varonis solutions apart from IAM solutions?
Even though IAM connects various applications and systems into a single solution for entitlements, that functionality tends to stop when it comes to unstructured data. Because access to unstructured data is controlled both by directory users and groups and file system ACLs together, there’s no single “application” for IAM to connect to. This means that IAM has a blind side when managing access to unstructured data.
Moreover, access to unstructured data tends to be chaotic and unmanaged—permissions are complex and not standard, multiple groups often have access to data, folders and SharePoint sites are open globally, etc—managing unstructured data entitlements through IAM is often impossible.
This is where Varonis can help.
DatAdvantage allows IAM to extend to unstructured data through many use cases:
- Map out the functional relationships between the users/groups, and the data necessary for a role.
- Restructure permissions so that they can be efficiently managed through single purpose groups.
- Analyze user behavior over time and provide recommendations to owners on who likely no longer needs access
- Leverage data classification to help ensure sensitive data is owned and managed appropriately
DataPrivilege can complement IAM by empowering data owners, and users by:
- Enabling ad-hoc requests so users can get access to data, only for as long as necessary, without having to redefine a role
- Giving data owners insight into activity on their data sets
- Allowing for regular reviews of access to ensure only the right people have access to the right data
What sets Varonis solutions apart from SIEM?
SIEM will read event viewer logs from network devices, systems, and AD, but has no view into actual data activity since those logs often don’t exist natively and can be difficult to parse.
With our file activity monitoring system, Varonis closes this gap by collecting and analyzing all access activity on platforms SIEM can’t usually see.
We can tell your SIEM when someone’s accessing the CEO’s mailbox, changing critical GPOs, encrypting large numbers of files in a short period of time, or otherwise misbehavior when it comes to your data and directory services.
Moreover, Varonis baselines user activity and provides alerts that can be passed directly to SIEM for further correlation, analysis or action. Varonis alerts can be sent via Syslog to any SIEM, and there are pre-built templates for connection with some specific platforms.
DLP, IAM, and SIEM are all useful, important technologies for enterprise security. There is no single product or category that an organization needs to protect their data and systems, and defense in depth is becoming increasingly important. When it comes to unstructured data, all of these technologies have significant gaps in the kinds of detective and preventive controls they can provide, and all of them are made more useful by integrating with the Varonis Metadata Framework.