All posts by Jeff Petters

The Security Threats are Coming From Inside the House!

Think of any of the big data breaches: Equifax, Target, NSA, Wikileaks, Yahoo, Sony. They all have one thing in common: the data breaches were an inside job.

That’s not to say that all the hackers were employees or contractors, but once the hackers get inside the perimeter security, is there any difference? Their activities all look the same to an outside observer.

We write about this phenomenon so often. Once a hacker gets access inside the network, they often have everything they need to find (and attempt to exfiltrate) the good stuff that will make the headlines – the personal data, emails, business documents, credit card numbers, etc.

So the question becomes – can your data security team realize that they’re inside, before it’s too late?

It’s imperative that in addition to your firewall, routers and network monitoring software, you monitor what’s inside as well: the user behavior, file activity, folder access and AD changes.

The Perimeter Has Been Breached

Here’s a scenario: a hacker has gained access to a user account and is attempting to download intellectual property stored in OneDrive. The first few attempts to access the data fail, but the attacker is persistent and pokes around until they find an account that has the access needed to read the files.

Even with monitoring at the file operation level, this kind of activity is hard to distinguish from a legitimate end user clicking on that folder and trying to get access.

And that’s where we come in. Varonis analyzes all of these attempts to access this OneDrive share in context, with user behavior analytics (UBA). From there, you can leverage Varonis threat models to compare that activity to the known behavior of the user who is trying to access the data, of their peers, and of hackers who exploit and infiltrate company networks.

In this scenario, this account is suddenly accessing classified, sensitive data that they have never touched before. That’s a red flag – and we’ve got threat models built specifically to detect that type of behavior.

This is outside of normal behavior patterns for the account that the hacker is leveraging – and because Varonis has been monitoring all the activity in OneDrive for over a year now, you have all the evidence you need to act immediately.

Without Varonis, you’d likely never even see the attempts to access this OneDrive folder. You would never notice the files being copied from this folder, and you wouldn’t see which folder they accessed next.

Investigation & Forensics

The first step is to programmatically lock out and log out this account – which you can set up as an automatic response with Varonis. At the same time, emails and alerts can be sent to the infosec team and/or a SIEM system. Once the relevant parties are informed, the investigative work can begin.

So where to start? Find out what happened, how it happened, what vulnerabilities were exploited, and what you can do to defend against it in the future. With the Varonis DatAdvantage UI, you can pull up the file audit history of the compromised user ID to see where else that account has been before the alert was triggered.

Use the full file audit trail to see what – if any – damage was done and lock down access to the entire system if necessary. And after the initial threat is neutralized, the work to close the security holes can begin.

The Varonis Security Platform is a key component of a layered security system. Layers create redundancy, and redundancy increases security. Hackers will find and exploit any opening they can; it is our responsibility to protect each other’s private data.

By learning and using the correct tools and principles for good data security, we can make it much harder for the bad guys to profit from their hacking, and limit the impact of data security breaches.

Want to see how Varonis will work in your environment to catch these types of insider threats? Click here to set up a demo with one of our security engineers.


3 Tips to Monitor and Secure Exchange Online

Even if you don’t have your sights on the highest office in the country, keeping a tight leash on your emails is now more important than ever.

Email is commonly targeted by hackers as a method of entry into organizations. No matter whether your email is hosted by a third party or managed internally, it is imperative to monitor and secure those systems.

Microsoft Exchange Online – part of Microsoft’s Office 365 cloud offering – is just like Exchange on-prem, but you don’t have to deal with the servers. Microsoft provides some tools and reports to assist with securing and monitoring Exchange Online, like encryption and archival, but they don’t cover all the things that keep you up at night, like:

  • What happens when a hacker gains access as an owner to an account?
  • What happens if a hacker elevates permissions and makes themselves owner of the CEO’s email?
  • What happens when hackers have access to make changes to the O365 environment? Will you notice?

These questions are exactly what prompted us to develop our layered security approach – the major principles of which Andy explains well here. What happens when the bad people get in and have the ability to change and move around the system? At the end of the day, Exchange Online is another system that provides an attack vector for hackers.

Applying these same principles to Exchange Online, we can extrapolate the following to implement monitoring and security for your email in the cloud:

  1. Lock down access: Make sure only the correct people are owners of mailboxes, and limit the ability to change permissions or the O365 environment to a small group of administrators.
  2. Manage user access: Archive and delete inactive users immediately. Inactive users are an easy target for hackers as they are usually able to use those accounts without being noticed.
  3. Monitor behavior: Implement a user behavior analytics (UBA) system on top of your email monitoring. Being able to spot abnormal behavior early (e.g., an account being promoted to owner of the CEO’s mailbox, or another account forwarding thousands of emails to the same address) is the key to stopping a hacker in hours or days instead of weeks or months.

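The three red flags described on this page (the OneDrive scenario in the first post, where an account suddenly reads sensitive data it has never touched, and the two Exchange Online examples in tip 3 above) can be expressed as simple rules over an audit trail. The following is an added illustration, not Varonis code: the baseline, the sensitive paths, the protected mailbox and the event records are all constructed sample data, and the event field names are assumptions rather than any product's real schema.

```python
from collections import Counter

# Baseline: paths each account touched during a learning period (constructed).
BASELINE = {
    "alice": {"/OneDrive/HR/onboarding.docx", "/OneDrive/HR/policies.pdf"},
    "bob": {"/OneDrive/Eng/roadmap.pptx"},
}
SENSITIVE_PREFIXES = ("/OneDrive/Legal/IP/", "/OneDrive/HR/payroll/")
PROTECTED_MAILBOXES = {"ceo@example.com"}

# Constructed audit events for the day under review (not real log data).
EVENTS = [
    {"user": "bob", "op": "read", "target": "/OneDrive/Eng/roadmap.pptx"},
    {"user": "bob", "op": "read", "target": "/OneDrive/Legal/IP/patent-draft.docx"},
    {"user": "bob", "op": "read", "target": "/OneDrive/Legal/IP/source-escrow.zip"},
    {"user": "carol", "op": "add_mailbox_permission", "target": "ceo@example.com", "right": "FullAccess"},
    *[{"user": "bob", "op": "forward", "target": "drop@external.example"} for _ in range(250)],
    {"user": "alice", "op": "forward", "target": "bob@example.com"},
]

def first_time_sensitive_reads(events, baseline, prefixes):
    """Rule 1: an account reads sensitive data it never touched in its baseline."""
    hits = []
    for e in events:
        if e["op"] != "read" or not e["target"].startswith(prefixes):
            continue  # not a read of a sensitive location; ignore
        if e["target"] not in baseline.get(e["user"], set()):
            hits.append((e["user"], e["target"]))
    return hits

def protected_mailbox_grants(events, protected):
    """Rule 2: owner-level (FullAccess) rights granted on a protected mailbox."""
    return [(e["user"], e["target"]) for e in events
            if e["op"] == "add_mailbox_permission"
            and e["target"] in protected and e.get("right") == "FullAccess"]

def mass_forwarding(events, threshold=100):
    """Rule 3: one account forwarding many messages to the same address."""
    counts = Counter((e["user"], e["target"]) for e in events if e["op"] == "forward")
    return [(user, addr, n) for (user, addr), n in counts.items() if n >= threshold]

def run_rules(events=EVENTS):
    """Evaluate every rule; each hit is where the automatic response would fire."""
    return {
        "first_time_sensitive_read": first_time_sensitive_reads(events, BASELINE, SENSITIVE_PREFIXES),
        "protected_mailbox_grant": protected_mailbox_grants(events, PROTECTED_MAILBOXES),
        "mass_forward": mass_forwarding(events),
    }
```

Each hit is the point at which the response described in the first post (disable the account, alert the infosec team or SIEM, then pull the account's full audit history) would be triggered; the forwarding threshold and the baseline window are tuning choices, not fixed values.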
Wondering if there’s a good solution to help monitor your Exchange Online? Well, we’ve got you covered there too.