All posts by Jennifer LuPiba

How to Protect Yourself from Leaky Apps: Varonis on CNBC’s On the Money

This past weekend, Varonis’ Brian Vecci, Technical Evangelist, appeared on CNBC’s On the Money with Jennifer Schlesinger to discuss how consumers can protect themselves from leaky apps – both legitimate and illegitimate ones.

From a consumer perspective, there are a few things to keep in mind:

  • Any app, however reputable, can be breached or have a bug that exposes what you gave it, so be deliberate about what kinds of information you provide.
  • Don’t reuse the same password everywhere: if a poorly secured app or website leaks your credentials, attackers will try them on other, better-secured sites like Amazon or Facebook, and reuse means those accounts fall too.
  • Set up an alert for your email address on a breach-notification service such as Troy Hunt’s Have I Been Pwned, which will notify you if your address shows up in a published data breach.
  • Both iOS and Android let you control what an app can access on your device. Be careful about granting an app access to data it doesn’t need to do its job, like your photos or GPS location, or the phone’s camera or microphone, and review those grants periodically.

In order to help consumers protect themselves online, Varonis teamed up with renowned security expert Troy Hunt to produce a series of short video tutorials.

The online course, “Internet Security Basics, 5 Lessons for Protecting Yourself Online,” was created exclusively for Varonis and is designed to teach the everyday connected individual about the top five online security risks they face and how to protect themselves, including:

  • Practicing better password hygiene
  • Identifying website trustworthiness and phishing
  • Understanding the importance of software maintenance
  • Establishing mobile device and app security
  • Minimizing the risks of household and corporate IoT devices

The on-demand course, intended to be consumable by anyone with basic familiarity with computers, web browsers and mobile devices, is divided into seven bite-sized modules that take just a few minutes to watch. The course can also provide an effective supplement to organizations’ ongoing efforts to keep their employees trained and vigilant about online risks.

Troy Hunt is a world-renowned security expert and trainer, author, and creator of the free data breach service, “Have I been pwned?” As a leader in online training for technology professionals, Hunt expertly distills complex technology and cybersecurity subjects into relatable explanations.

Start protecting yourself online: take the video course today.

Varonis Cited by Forrester for Data Classification Capabilities

When I signed up for home insurance, I remember filling out a worksheet that forced me to catalog all the important, expensive and irreplaceable items within the property so we could make an accurate prediction of the costs to replace them if something were to happen, like theft or arson.

Organizations should be doing the same kind of analysis with their data, asking: What information am I storing? Where is it? Is it subject to regulatory requirements?

This kind of data classification is an important activity every organization must undertake to meet regulatory compliance and protect its data. A February 2017 Forrester report, Market Overview: Data Classification For Security And Privacy, states, “Data classification is a core component of defining and understanding data that security and risk (S&R) pros must protect, as well as identifying the way employees should handle it and the types of security controls that are necessary.”

In other words, organizations cannot protect what they don’t know they have.

Within this report, Forrester cites Varonis as among vendors that “have data classification capabilities in addition to data discovery and remediation capabilities.”

The Varonis Data Security Platform (DSP) analyzes and profiles user roles, file systems and email activity, permissions, file content and directory service information. The automated classification capabilities within the platform combine these metadata streams and results from other classification solutions for increased visibility into the content of data. Classification information enables actionable intelligence for data security and compliance, including a prioritized list of folders with the most exposed permissions and containing the most sensitive data, access points to that data, users and owners, and effectively setting access limitations without disrupting business processes.
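To make the classification-plus-exposure idea concrete, here is an added example (my own illustration, not Varonis code or the DSP’s logic) that classifies a small constructed set of files for sensitive content and ranks their folders by how sensitive the content is and how widely the folder is readable. The file contents, the ACLs, the regexes, the Luhn check on candidate card numbers, the weights and the exposure multiplier are all assumptions chosen for the example.

```python
"""Classify constructed file contents for sensitive data and rank folders by
sensitivity x exposure. Added example, not Varonis code; the sample corpus,
ACLs, patterns, weights and multiplier are illustrative assumptions."""
import posixpath
import re
from collections import defaultdict

# Constructed sample corpus: path -> contents. Not real data.
SAMPLE_FILES = {
    "/share/hr/payroll_2016.csv": "name,ssn,amount\nJ. Doe,078-05-1120,5200\n",
    "/share/hr/onboarding.txt": "Welcome to the team! Badge office is on floor 2.\n",
    "/share/sales/cards.txt": "card 4111 1111 1111 1111 exp 09/19\ncard 5555 5555 5555 4444\n",
    "/share/sales/notes.txt": "Ticket 1234 5678 9012 3456 filed Tuesday.\n",
    "/share/eng/design_v7.md": "CONFIDENTIAL - lidar housing tolerances\n",
    "/share/public/lunch_menu.txt": "Tacos on Friday.\n",
}

# Constructed ACLs: folder -> set of principals with read access.
SAMPLE_ACLS = {
    "/share/hr": {"hr-team", "Everyone"},
    "/share/sales": {"sales-team"},
    "/share/eng": {"eng-team", "Domain Users"},
    "/share/public": {"Everyone"},
}

# Groups whose presence on an ACL means "effectively everyone can read it".
OPEN_GROUPS = {"Everyone", "Domain Users", "Authenticated Users"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-19 digits with optional single space/hyphen separators: a *candidate*
# card number; the Luhn check below weeds out random digit runs.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
LABEL_RE = re.compile(r"\b(CONFIDENTIAL|PROPRIETARY|TRADE SECRET)\b", re.I)

WEIGHTS = {"ssn": 5, "pan": 5, "label": 3}   # assumed sensitivity weights
EXPOSURE_MULTIPLIER = 3                       # assumed penalty for open ACLs


def luhn_ok(digits):
    """Luhn checksum: True for well-formed card numbers, False for noise."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_file(text):
    """Return counts of each sensitive-data category found in one file."""
    candidates = [m.group() for m in PAN_RE.finditer(text)]
    valid_pans = [c for c in candidates if luhn_ok(re.sub(r"[ -]", "", c))]
    return {
        "ssn": len(SSN_RE.findall(text)),
        "pan": len(valid_pans),
        "label": len(LABEL_RE.findall(text)),
    }


def rank_folders(files, acls):
    """Score each folder by its sensitive content, multiply by exposure when an
    open group can read it, and return rows ordered most-risky first."""
    sensitivity = defaultdict(int)
    for path, text in files.items():
        hits = classify_file(text)
        sensitivity[posixpath.dirname(path)] += sum(
            WEIGHTS[cat] * n for cat, n in hits.items())
    rows = []
    for folder, acl in acls.items():
        open_to = sorted(acl & OPEN_GROUPS)
        risk = sensitivity[folder] * (EXPOSURE_MULTIPLIER if open_to else 1)
        rows.append({"folder": folder, "sensitivity": sensitivity[folder],
                     "open_to": open_to, "risk": risk})
    rows.sort(key=lambda r: (-r["risk"], -r["sensitivity"], r["folder"]))
    return rows


if __name__ == "__main__":
    for row in rank_folders(SAMPLE_FILES, SAMPLE_ACLS):
        print(row)
```

The ordering is the point: the HR folder holds less sensitive content than the sales folder, but because Everyone can read it, it lands at the top of the remediation list, which is the “most exposed permissions and most sensitive data” prioritization the paragraph above describes. The Luhn check keeps the ticket number in notes.txt from counting as a card number.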

Data classification is a critical step for security and risk professionals in defining and understanding how to protect sensitive data. The report gives guidance on why data classification should maintain a priority spot in an organization’s security budget, “Although targeted attacks may be the new norm, a reactive approach to security is inefficient and ineffective. You still need an actual security strategy — and knowing what it is that you’re trying to protect — as the foundation for your efforts.”

However, many organizations are still too focused on responding to threats and don’t properly understand or control sensitive data. In fact, the January 2017 Forrester Consulting study commissioned by Varonis, “The Data Security Money Pit: Expense In Depth Hinders Maturity,” found that 62% of respondents have no idea where their most sensitive unstructured data resides. Understanding what is considered sensitive, or toxic, data lends insight and context for developing controls and policies for data awareness and proper data handling.

The Market Overview found that 54% of global client security decision-makers have implemented a data classification solution, and an additional 22% plan to do so in the next year. As more organizations recognize the need to boost data awareness, solutions like the Varonis DSP can give security professionals confidence in their systems and build a foundation for data security and privacy.

Find out where your sensitive data lives: take a free risk assessment to experience the automated classification within the Varonis DSP.

It’s Not Just Waymo: IP Most at Risk According to Our RSA Survey

This year, the RSA Conference boasted over 43,000 attendees and 557 exhibitors spread across two enormous and cacophonous halls. Even in the quiet of the hotel room, my ears rang with echoes of the discordant noise about new potential threats. Let’s just say I’ll be eyeing every public outlet from which I charge my phone with suspicion.

Tom Foremski, ex-Financial Times journalist and editor/publisher of Silicon Valley Watcher, summed up the experience nicely via ZDNet:

[G]oing to RSA show will likely cause your mind to race in panic at all the vectors of malice that the security vendors will happily tell you about.

Foremski and those he interviewed discussed the implications of a widening security pit: how we could buy every tool on the market and still not be 100% secure. Forrester Consulting has coined this “expense in depth” in a recently released study, writing:

The reality is that companies have spent a lot of money on individual technology — instead of a unified data security strategy — and are judging their maturity based on money spent.

In other words, companies are focused on threats (as the RSA newsfeeds testified) rather than on the data itself – customer, employee, intellectual property and financial data – any of which would be toxic if stolen or made public (e.g., the Waymo IP theft discussed below).

The RSA Data Security Results

We surveyed security professionals who stopped by our booths at RSA about how their companies identify, classify, protect and monitor data.  The results are in and echo the Forrester study:

  • 72% use 3 or more data security tools (and over 50% use 5 or more).
  • Respondents are not confident in the ability to identify, classify, protect and monitor their enterprise data, with few stats crossing the 50% line:
    • Employee data fares the best with 67% completely confident in knowing exactly where this data resides on the network, 59% enforce a least privilege model against it and only 45% audit access to it and alert on abuse.
    • Less than 50% of respondents can identify the location and monitor for anomalous behavior on customer and financial data.
    • Coming in last for all categories is intellectual property — one of the most toxic and costly data sets. Well under 45% are confident in their ability to identify, classify and restrict access on a need-to-know-basis to this data set: even more concerning, only 30% monitor IP for access and abuse.

While the similarities to the Forrester study are validating, real world examples showing how these data sets quickly turn toxic drive the point home even more. Let’s take a look at one of those examples.

Waymo and the Alleged Toxic IP Leak

Last week, Waymo, a pioneer in self-driving car technology, announced legal action against competitors Otto and Uber, alleging that several former employees stole more than 14,000 highly confidential and proprietary design files.

Mention this theft to any R&D head, CEO or CISO and they’ll cringe at the thousands of man hours, millions of R&D dollars and expected revenue that drove off the parking lot.  To put more context around this, Waymo spent seven years in R&D on self-driving technologies including their own in-house hardware, accumulated 1.5 million miles of experience on public roads and billions of miles in simulation tests.  Self-driving technology is how they make their money; now key components of that technology appear to have fallen into the hands of a competitor.

The loss and future damage of stolen IP is enough to cripple any company, maybe even put them out of business. Yet we see time and again in our risk assessments that sensitive data like IP is not identified, classified or monitored for abuse. Both the Forrester Study and our RSA survey results found that 60% of organizations do not enforce a need-to-know access model for this type of highly confidential information and even fewer monitor access for abusive behavior – like a sudden flurry of access activity on files an employee may not normally access (cue Paul Harvey: “And now for the rest of the story”… employee gives his resignation a few days later).

The allegation of IP theft by multiple former employees who are now at a competitor is a story we’ve seen (and blogged about) before: an ambitious insider not only steals IP but recruits colleagues to do the same, and then takes both to a competitor. The Waymo complaint outlines how the alleged ringleader, the founder of Otto, stole 9.7 GB of highly confidential data and tried to cover his tracks, and it alludes to collusion with several employees who followed suit:

A number of Waymo employees subsequently also left to join Anthony Levandowski’s new business, downloading additional Waymo trade secrets in the days and hours prior to their departure [emphasis mine].

Regardless of the court’s decision in the Waymo case, this serves as a wake-up call for any company that holds data which would be toxic to its revenues and reputation if stolen or made public.
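The abusive pattern described above (a sudden flurry of access to files an employee does not normally touch, often in the days and hours before a resignation) is simple enough to sketch as detection logic. The following is an added example, my own illustration and not Varonis code or the DSP’s analytics: it learns each user’s normal daily file count and folder set from a constructed audit log, then flags anyone whose recent activity is both far above their baseline and mostly in folders they have never used. The log format, the 24-hour window, the burst factor and the new-folder ratio are assumptions for the example.

```python
"""Flag a burst of file access outside a user's normal working set.

Added example, not Varonis code: a toy baseline-and-burst detector over a
constructed file-access audit log. Field layout, thresholds and the sample
events are illustrative assumptions."""
import posixpath
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "ISO-timestamp user action path". Not real data.
SAMPLE_LOG = """\
2017-02-01T09:12:00 alice read /eng/lidar/calibration.xlsx
2017-02-01T10:03:00 alice write /eng/lidar/calibration.xlsx
2017-02-02T09:30:00 alice read /eng/lidar/firmware_notes.docx
2017-02-03T11:00:00 alice read /eng/lidar/bom.csv
2017-02-06T09:15:00 alice read /eng/lidar/calibration.xlsx
2017-02-07T14:00:00 alice read /eng/lidar/test_plan.docx
2017-02-01T09:00:00 bob read /finance/q1/forecast.xlsx
2017-02-02T09:00:00 bob read /finance/q1/forecast.xlsx
2017-02-03T09:00:00 bob write /finance/q1/forecast.xlsx
2017-02-06T09:00:00 bob read /finance/q1/budget.xlsx
2017-02-07T09:00:00 bob read /finance/q1/budget.xlsx
2017-02-09T22:01:00 alice read /eng/perception/model_v3.bin
2017-02-09T22:01:30 alice read /eng/perception/training_set_index.csv
2017-02-09T22:02:00 alice read /eng/planning/route_cost.py
2017-02-09T22:02:30 alice read /eng/planning/scenario_db.sqlite
2017-02-09T22:03:00 alice read /eng/hardware/board_schematic.pdf
2017-02-09T22:03:30 alice read /eng/hardware/pcb_layout.brd
2017-02-09T22:04:00 alice read /eng/lidar/calibration.xlsx
2017-02-09T22:04:30 alice read /eng/lidar/design_v7.step
2017-02-10T09:05:00 bob read /finance/q1/forecast.xlsx
"""

# Assumed evaluation time for the sample; in practice this is "now".
SAMPLE_NOW = datetime(2017, 2, 10, 12, 0)


def parse_log(text):
    """Parse 'timestamp user action path' lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = line.split(maxsplit=3)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "path": path})
    return events


def build_baseline(events, window_start):
    """Per user: average distinct files touched per active day, and the set
    of folders touched, using only events before the detection window."""
    per_day = defaultdict(lambda: defaultdict(set))   # user -> date -> files
    folders = defaultdict(set)
    for e in events:
        if e["ts"] >= window_start:
            continue
        per_day[e["user"]][e["ts"].date()].add(e["path"])
        folders[e["user"]].add(posixpath.dirname(e["path"]))
    return {user: {"daily_files": sum(len(f) for f in days.values()) / len(days),
                   "folders": folders[user]}
            for user, days in per_day.items()}


def detect_bursts(events, now, window=timedelta(hours=24),
                  burst_factor=5.0, new_folder_ratio=0.5):
    """Alert on users whose distinct-file count in the window is at least
    burst_factor times their daily baseline AND whose accesses fall mostly
    in folders absent from their history."""
    window_start = now - window
    baseline = build_baseline(events, window_start)
    recent = defaultdict(set)
    for e in events:
        if e["ts"] >= window_start:
            recent[e["user"]].add(e["path"])
    alerts = []
    for user, files in recent.items():
        hist = baseline.get(user, {"daily_files": 0.0, "folders": set()})
        # Floor at one file/day so a user with little or no history cannot
        # cause a divide-by-zero; such users are judged on the burst alone.
        expected = max(hist["daily_files"], 1.0)
        ratio = len(files) / expected
        novel = [f for f in files if posixpath.dirname(f) not in hist["folders"]]
        new_frac = len(novel) / len(files)
        if ratio >= burst_factor and new_frac >= new_folder_ratio:
            alerts.append({"user": user, "files": len(files),
                           "burst_ratio": ratio, "new_folder_fraction": new_frac,
                           "novel_folders": sorted({posixpath.dirname(f) for f in novel})})
    return alerts


def run_sample(now=SAMPLE_NOW):
    """Run the detector over the constructed log at the assumed time."""
    return detect_bursts(parse_log(SAMPLE_LOG), now)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Two signals are required on purpose: a busy day inside one’s own folders is normal, and a single stray read outside them is noise, but eight files across three never-before-used engineering folders at 10 p.m. is the flurry the text describes. Bob’s routine forecast read in the same window produces no alert.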

And Now for the Rest of the Story

Data has real value.  Self-driving technology alone has the power to change the world and save lives. And there are many other types of innovations being worked on and invested in.  Organizations need to start seeing this data and data security as a driver of business growth. Ensuring that the right people and only the right people have access will accelerate bringing this innovation to market and drive competitive advantage – the flip side to this coin is very real, and we see it playing out in the Waymo/Uber case, where too much unmonitored access can give a competitive advantage to the other guy.

The final piece to our RSA survey asked respondents about the benefits they would receive with a unified data security platform – in other words, a solution that would have stopped or greatly reduced the damage of the Waymo IP theft. The top rated benefits include:

  • quicker response to breaches (60%)
  • improved ability to identify data (60%)
  • improved ability to spot anomalous behavior (56%)
  • increased visibility on access and usage of sensitive data (55%)

Want to see what type of data might be overexposed in your company?  Our Data Risk Assessment gives a snapshot of your data security to quickly ascertain the level of risk associated with your data: exposing high risk areas and where you can safely and swiftly pull back access, reducing your risk profile.

Get more details on our Data Risk Assessment.