All posts by Jeff Petters

How to Protect GDPR Data with Varonis

In the overall data security paradigm, GDPR data isn’t necessarily more important than other sensitive data, but demands specific monitoring, policy, and processing – with significant fines to encourage compliance. Once you discover and identify GDPR data, you need to be able to secure and protect that data.

GDPR Article 25, “Data Protection by Design and Default,” sets the rules for securing GDPR data. Varonis helps automate and implement a process to get to and maintain a least privilege model to help meet this part of the GDPR. Once you limit access to data, you can proactively protect GDPR data by analyzing file activity and user behavior, automating how to process that data, and actively monitoring your GDPR data.

Apply Security Analytics to GDPR Data

Varonis applies data security analytics to file activity and user behavior, and DatAlert can apply specific threat models to monitor and alert on suspicious activity on GDPR data. Below is a sample of some of our GDPR threat models:

Threat Model: Access to an unusual number of idle GDPR files

How it works: DatAlert triggers this alert when a user accesses a statistically significant number of GDPR files that they have not accessed previously (i.e., did not create or modify).
What it means: This user account is looking for something containing GDPR data that they don’t normally access. This attack could be an infiltration attempt, a compromised account, or evidence of breached security.
Where it works: Dell Fluid, EMC, Hitachi NAS, HP NAS, NetApp, OneDrive, Sharepoint, SharePoint Online, Unix, Unix SMB, Windows, Nasuni, HPE 3PAR File Persona

Threat Model: Unusual number of GDPR files deleted or modified

How it works: DatAlert identifies when a user account is deleting or modifying an unusually large number of files that contain GDPR data, compared to that user’s typical behavior.
What it means: When users are deleting or changing many files, it could be an attempt to cover their tracks, steal data, or modify information. It often indicates that an attacker is attempting to damage or destroy critical data as part of a denial-of-service attack. It’s possible that this user is simply doing clean-up, but more likely it is an attempt to steal (or destroy) data.
Where it works: Dell Fluid, EMC, Hitachi NAS, HP NAS, NetApp, OneDrive, Sharepoint, SharePoint Online, Unix, Unix SMB, Windows, Nasuni, HPE 3PAR File Persona

Threat Model: Unusual number of GDPR files with denied access

How it works: DatAlert detects an increase in the number of GDPR files a user has failed to access.
What it means: When a user accumulates an unusual number of access denials in a set amount of time, they are looking for – or trying to access – something that they likely shouldn’t be touching. Most likely they are not supposed to be looking for this kind of data, and someone is trying to use this account to access GDPR data in order to exfiltrate it.
Where it works: EMC, Windows, Hitachi NAS
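The three threat models above all compare a user's activity on classified files against that user's own history. The following is an added example, not DatAlert or any other Varonis code, that implements simplified versions of all three over a constructed event log: a thirty-day per-user baseline, a z-score test with a minimum event floor for the delete/modify and access-denied models, and a "never touched before" set for the idle-files model. The event schema, the thresholds (z of 3, a floor of 5 events, 10 previously untouched files) and the user names are all assumptions made for the illustration.

```python
"""Simplified versions of the three GDPR threat models described above.

Added example, not Varonis or DatAlert code. The event records, the 30-day
baseline, the thresholds (z-score of 3, a floor of 5 events, 10 previously
untouched files) and the user names are all constructed.
"""
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    day: int      # day index; days before `today` form the user's baseline
    user: str
    op: str       # "read" | "modify" | "delete" | "denied"
    path: str
    gdpr: bool    # classification result, assumed already attached to the event


BASELINE_DAYS = 30


def build_events():
    """Constructed sample log: 30 quiet days, then one scenario per user on day 30."""
    ev = []
    for d in range(BASELINE_DAYS):
        ev.append(FileEvent(d, "alice", "read", f"/hr/alice/case{d % 5}.docx", True))
        ev.append(FileEvent(d, "bob", "modify", f"/fin/bob/report{d % 3}.xlsx", True))
        ev.append(FileEvent(d, "carol", "read", "/eng/spec.txt", False))
        if d % 10 == 0:  # an occasional access-denied is normal for carol
            ev.append(FileEvent(d, "carol", "denied", "/hr/payroll.xlsx", True))
    today = BASELINE_DAYS
    # alice reads 12 GDPR files she has never touched -> "idle GDPR files" model
    ev += [FileEvent(today, "alice", "read", f"/hr/archive/emp{i}.pdf", True) for i in range(12)]
    # bob deletes 40 GDPR files against a baseline of one modify per day
    ev += [FileEvent(today, "bob", "delete", f"/fin/customers/c{i}.csv", True) for i in range(40)]
    # carol collects 15 access-denied events on GDPR files in one day
    ev += [FileEvent(today, "carol", "denied", f"/hr/payroll{i}.xlsx", True) for i in range(15)]
    return ev


def daily_counts(events, user, ops):
    """Per-day count of a user's GDPR events whose op is in `ops`."""
    counts = defaultdict(int)
    for e in events:
        if e.user == user and e.gdpr and e.op in ops:
            counts[e.day] += 1
    return counts


def is_unusual(events, user, ops, today, z=3.0, floor=5):
    """True when today's count is z standard deviations above the user's own baseline.

    The floor stops alerts on tiny absolute numbers, and the standard deviation is
    clamped to at least 1 so a perfectly flat baseline does not alert on +1 event.
    """
    counts = daily_counts(events, user, ops)
    history = [counts.get(d, 0) for d in range(today)]
    mean = sum(history) / len(history)
    std = math.sqrt(sum((x - mean) ** 2 for x in history) / len(history))
    todays = counts.get(today, 0)
    return todays >= floor and todays > mean + z * max(std, 1.0)


def idle_gdpr_files_touched(events, user, today):
    """GDPR files the user read or modified today but never touched in their history."""
    seen_before = {e.path for e in events if e.user == user and e.day < today}
    return sorted({e.path for e in events
                   if e.user == user and e.day == today and e.gdpr
                   and e.op in ("read", "modify") and e.path not in seen_before})


def run_threat_models(events, today=BASELINE_DAYS):
    """Evaluate the three models for every user; returns {user: [fired model names]}."""
    alerts = defaultdict(list)
    for user in sorted({e.user for e in events}):
        if len(idle_gdpr_files_touched(events, user, today)) >= 10:
            alerts[user].append("idle_gdpr_files")
        if is_unusual(events, user, ("modify", "delete"), today):
            alerts[user].append("gdpr_delete_modify")
        if is_unusual(events, user, ("denied",), today):
            alerts[user].append("gdpr_denied_access")
    return dict(alerts)


if __name__ == "__main__":
    for user, fired in run_threat_models(build_events()).items():
        print(user, "->", ", ".join(fired))
```

The point of the per-user baseline is that the same absolute number is normal for one account and alarming for another; the floor and the clamped deviation keep a quiet account from alerting on its first extra event, which is where naive z-score detectors generate most of their noise.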

DatAlert highlights suspicious activity and unusual behavior on GDPR data, and helps streamline investigation and pursue forensics on potential threats. DatAlert will also give you the all-important heads up you need to be able to report a data breach discovery within the GDPR mandated 72 hours.

It’s best practice to develop an alert response plan that makes sense with your organization’s security practices and policies so that you have an actionable plan to investigate unusual behavior and suspicious activity.

Automatically Quarantine GDPR Data

In order to stay compliant on a day-to-day basis, you need to be constantly detecting new unsecured GDPR data and protecting that data as quickly as possible.

As users create new files there is a possibility that GDPR data will be left unsecured. Because the Data Classification Engine continuously discovers new GDPR data in your shares, it can pass that information to the Data Transport Engine. The Data Transport Engine can move those newly discovered files containing GDPR data to a quarantine folder during its next scheduled run. Once the GDPR data is quarantined and secured, you can investigate the file and determine who should have access, where it should be stored, and any additional conditions to help comply with GDPR.
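The quarantine step described above takes the output of classification and moves the matching files out of the share until an owner is identified. The following is an added example, not Data Transport Engine or any other Varonis code, that shows the defensive details such a move needs: it refuses paths outside the share (so a bad classification result cannot move arbitrary files), tolerates files that vanished between classification and the run, preserves the original relative path under an owner-only quarantine root, and keeps an append-only manifest with a hash so the file can be restored deliberately. The share layout, file names and flagged list are constructed in a temporary directory.

```python
"""Quarantine of newly classified GDPR files, as an added example (not Varonis
Data Transport Engine code).

Assumes a classification pass has already produced the list of flagged paths;
here the share, the files and the flagged list are constructed in a temp dir.
Each file is moved under a quarantine root that preserves its relative path,
and an append-only manifest records origin and hash so the owner can be found
and the file restored deliberately rather than by guesswork.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(share_root, quarantine_root, flagged_paths):
    """Move each flagged file out of the share and return the manifest entries.

    Paths outside the share are refused (a bad classifier result must not move
    arbitrary files), and files that vanished since classification are reported
    rather than aborting the whole run.
    """
    os.makedirs(quarantine_root, mode=0o700, exist_ok=True)  # owner-only access
    manifest = []
    for src in flagged_paths:
        rel = os.path.relpath(src, share_root)
        if rel.startswith(".."):
            manifest.append({"source": src, "status": "skipped-outside-share"})
            continue
        if not os.path.isfile(src):
            manifest.append({"source": src, "status": "missing"})
            continue
        dst = os.path.join(quarantine_root, rel)
        os.makedirs(os.path.dirname(dst), mode=0o700, exist_ok=True)
        digest = sha256_of(src)           # hash before the move, for the audit trail
        shutil.move(src, dst)
        manifest.append({"source": src, "quarantined_as": dst, "sha256": digest,
                         "moved_at": datetime.now(timezone.utc).isoformat(),
                         "status": "quarantined"})
    with open(os.path.join(quarantine_root, "manifest.jsonl"), "a") as f:
        for entry in manifest:
            f.write(json.dumps(entry) + "\n")
    return manifest


def demo():
    """Constructed share: two flagged files, one already deleted, one outside the share."""
    root = tempfile.mkdtemp()
    share = os.path.join(root, "share")
    qdir = os.path.join(root, "quarantine")
    os.makedirs(os.path.join(share, "hr"))
    flagged = []
    for name in ("hr/new_hire.docx", "hr/bank_details.txt"):
        path = os.path.join(share, name)
        with open(path, "wb") as f:
            f.write(b"constructed sample content with a GDPR classification hit\n")
        flagged.append(path)
    flagged.append(os.path.join(share, "hr", "already_deleted.txt"))
    flagged.append(os.path.join(root, "outside_the_share.txt"))
    manifest = quarantine(share, qdir, flagged)
    return {
        "statuses": [m["status"] for m in manifest],
        "source_gone": not os.path.exists(flagged[0]),
        "in_quarantine": os.path.isfile(os.path.join(qdir, "hr", "new_hire.docx")),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is what turns a quarantine into something an investigator can work with: it answers "where did this come from, when, and has it changed since" without relying on memory or file timestamps that the move itself may have altered.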

Monitor your GDPR Data

It’s vital to maintain a holistic perspective of your GDPR security status. Varonis provides several reports that allow you to keep track of your GDPR data, which can be delivered to your inbox or a shared folder.

Report 12.I.02, Open Access on Sensitive Data, will show you all the GDPR classification matches you have on the network that were discovered within your specified time slice. If you use Data Transport Engine to quarantine new matches, you’ll be able to use this report as a starting point for which files you want to investigate. If you aren’t using Data Transport Engine, you will have to ensure these files are locked down as quickly as possible.

GDPR regulations represent a shift in the way governments are broadly approaching data privacy and data security requirements – and it’s rooted in data security best practices.

Are you ready to see how your current GDPR situation looks? Get a free 30-day GDPR Readiness Assessment and see how Varonis can help protect your GDPR data.

Role Based Access Control (RBAC): What is it and Why Implement?

Can a stolen password get you the keys to the entire kingdom? Well, it turns out that 81% of data breaches in 2017 used stolen or weak passwords to get onto the network.

We need to be better than that in 2018. We need to go back over our permissions standards and implement Role Based Access Control (RBAC) to keep users within their assigned seats on the network.

Role Based Access Control (RBAC): What is it?

Role Based Access Control (RBAC) is a network security paradigm where the network grants users permissions based on their role in the company. It’s dead simple: the Finance department doesn’t get to look at HR data and vice versa.

Each user on the network has an assigned role, and each role has a set of access permissions to resources across the organization. For example, our Finance humans have access to the CRM based on their use cases, access to email, and access to the Finance share on the network. And that could be it.

When implemented correctly, an RBAC implementation will be transparent to the users. Role assignment happens behind the scenes, and each user has access to the applications and data that they need to do their job.

Why Implement RBAC?

Implementing Role-Based Access Control helps maximize operational efficiency, protects your data from being leaked or stolen, reduces admin and IT support work, and makes it easier to meet audit requirements.

Users should have access to the data they need to do their job – granting access to data they don’t need is a security liability, increasing the risk of that data getting leaked, stolen, corrupted, or compromised. Hackers love to access a single account and move laterally around the network looking for the sellable data. If you have a good RBAC implemented, the hackers will get stonewalled as soon as they try to get outside the bubble of their hacked user’s role.

Sure it’s bad that someone’s account got hacked, but it could be so much worse if that user has access to all of the sensitive data. Even if the affected user is in HR and has access to personally identifiable information (PII), the hacker won’t be able to easily move to the Finance team’s or Executive team’s data.

RBAC also reduces IT and administrative load across the organization and increases the productivity of the users. While this seems counterintuitive, if you think about it for a second, it makes sense. IT doesn’t have to manage personalized permissions for every user, and it’s easier for the right users to get to the right data.

Managing new users or guest users can be time consuming and difficult, but if you have RBAC that defines these roles before a user joins the network, it’s a fire and forget situation. Guests and new users join the network, and their access is pre-defined.

Lastly, implementing RBAC is proven to save lots of dollars for your company. RTI published a report in 2010, “The Economic Impact of Role-Based Access Control,” that indicates there is a substantial return on investment in an RBAC system. For a hypothetical financial services firm of 10,000 employees, RTI estimates that RBAC will save IT $24,000 in labor, and reduced employee downtime will save the company $300,000 per year. Automating the user access process will save you even more than that in IT labor reduction alone. That’s big-time-get-you-a-raise money.

At the end of the implementation, your network will be vastly more secure than it was, and your data will be much safer from theft. And you get the other benefits of increased productivity for your users and IT staff. It’s a no-brainer if you ask us.

RBAC: 3 Steps to Implement

What’s the best way to implement Role-Based Access Controls? Consider the following steps to get started:

  1. Define the resources and services you provide to your users (i.e., email, CRM, file shares, CMS, etc.)
  2. Create a library of roles: Match job descriptions to resources from #1 that each function needs to complete their job
  3. Assign users to defined roles.

The good news is that you can automate this process: Varonis DatAdvantage provides data about who actively uses the file shares on a regular basis, and who doesn’t. While assigning file permissions to roles, you will also designate a data owner for the shares. This data owner is responsible for access to their data in the long term, and can easily approve or deny access requests from the Varonis DataPrivilege interface. Varonis also provides modeling capabilities as you are assigning roles, so that you can see what happens if you revoke access to a folder from this role, before committing.

Once the implementation is done, it’s imperative to keep the system clean. No user should be assigned privileges outside of their role on a permanent basis. DataPrivilege allows for temporary access to file shares on a per request basis, which doesn’t break the first rule. It will be necessary, however, to have a change process in place to adjust roles as needed.

And of course, you want to have regular auditing and monitoring on all of these critical resources. You need to know if a user is trying to access data outside of their assigned seat, or if a permission gets added to a user outside of their role.

There are several methods bad actors will use to break through your security. A good monitoring and data security analytics platform will enforce the rules set in your RBAC, provide your security team alerts and details to discourage hacking attempts and prevent data breaches before they get off the ground.

Rootkit: What is a Rootkit and How to Detect it?

“Geez, my computer is really running slow all of a sudden.”

“Hmm, I don’t recall seeing this odd application in my task manager before.”

If you have ever asked these questions, there is a chance you caught a rootkit virus. One of the most infamous rootkits, Stuxnet, targeted the Iranian nuclear industry, infecting 200,000 computers and physically degrading 1,000 machines inside Iran’s uranium enrichment facilities.

What is a Rootkit?

Rootkits are the toolboxes of the malware world. They install themselves as part of some other download, backdoor, or worm. They then take steps to prevent the owner from detecting their presence on the system. Once installed, rootkits provide a bad actor with everything they need to take control of your PC and use it for DDoS or as a zombie computer.

Rootkits operate near or within the kernel of the OS, which means they have low-level access to instructions to initiate commands to the computer. Hackers have recently updated rootkits to attack new targets, namely the new Internet of Things (IoT), to use as their zombie computers. Anything that uses an OS is a potential target for a rootkit – your new fridge or thermostat included.

Rootkits do provide functionality for both security and utility to end-users, employers, and law enforcement. Veriato is a rootkit that gives employers monitoring capabilities for their employees’ computers. Law enforcement agencies use rootkits for investigations on PCs and other devices. Rootkits are the bleeding edge of OS development, and research for rootkits helps developers counter possible future threats.

What is a Rootkit Scan?

Rootkit scans are the best attempt to detect a rootkit infection, most likely initiated by your AV solution. The challenge you face when a rootkit infects your PC is that your OS can’t necessarily be trusted to identify the rootkit. They are pretty sneaky and good at camouflage. If you suspect a rootkit virus, one of the better strategies to detect the infection is to power down the computer and execute the scan from a known clean system.

Rootkit scans also look for signatures, similar to how they detect viruses. Hackers and security developers play this cat and mouse game to see who can figure out the new signatures faster. A surefire way to find a rootkit is with a memory dump analysis. You can always see the instructions a rootkit is executing in memory, and that is one place it can’t hide.

Behavioral analysis is one of the other more reliable methods of detecting rootkits. Instead of looking for the rootkit, you look for rootkit-like behaviors. Or in Varonis terms you apply Data Security Analytics to look for deviant patterns of behavior on your network. Targeted scans work well if you know the system is behaving oddly. Behavioral analysis will alert you of a rootkit before a human realizes one of the servers is under attack.

Rootkit Protection Best Practices

The good news is that rootkits as a method of cyberattack are in decline. OS developers and security researchers continue to improve operating systems and endpoint defenses to protect users from all types of malware, and their efforts have been especially effective against rootkits. Rootkits require high privilege access to install their hooks into the OS. Most systems prevent these kinds of attacks with built-in kernel protection modes. Many companies apply the principle of least privilege, which also prevents users from being able to install software to the kernel, thereby preventing rootkits from taking hold.

Behavior analysis is considered a best practice for defending your data against rootkit-based attacks. Behavioral analysis will find evidence of a rootkit while a hacker is using the tools: they could trip a threat monitor by trying to access a folder the user account doesn’t normally access, or when they try to promote their account to higher privilege levels. With a well-developed permissions policy based on principles of least privilege and data security analytics, a hacker will have a difficult time stealing data with a rootkit.

Rootkits Over the Years

Below are a few different rootkits for further research. The rootkits highlighted below are significant in either their development or their impact.

Even though rootkits are largely no longer being developed to target personal computers, the new Internet of Things (IoT) is providing hackers a whole new set of systems to take over and use as zombie computers. I expect the IoT to see the same kind of security concerns as early computers experienced in the early 2000s, which makes a monitoring solution that protects you from threats, like DatAlert, even more important. You will also want to check out Varonis Edge, which adds further context to our threat prediction models: Varonis Edge gathers data from proxies, DNS, and routers to better analyze the attack vectors that hackers use to get into your network.

Check out a demo of the Varonis Data Security Platform to see how DatAlert and Edge can defend you from rootkit and other threats!

How to Discover GDPR Data With Varonis

GDPR goes into effect in less than 85 days – but there’s still time to prepare. The first step in getting ready for the upcoming deadline is to discover and classify your GDPR data.

More often than not, we’re seeing that customers have much more GDPR eligible data than they thought they had – or even knew existed. A recent GDPR Readiness Assessment for a mid-sized insurance company revealed some eye-opening results. In the below example, we focused on a single data store with 12 TB of data in 20+ million files across 1.36 million folders.

Excerpt of GDPR data from a Varonis GDPR Readiness Assessment

On that single data store we found over 15,000 files with GDPR sensitive data. 90% of the files that held German data – ranging from DE passport numbers to Personalausweisnummer (German identity card number) – were open to the entire company…and the German data was in the best shape. France, Spain, and Sweden classification hits were 100% exposed!

How Can I Identify My GDPR Data?

It can be difficult to discover and classify what data falls under the GDPR – so difficult, in fact, that we built GDPR-specific patterns on top of our classification engine to do just that.

The Varonis Data Security Platform maps your data stores, so that you can monitor and analyze data that falls under the GDPR. This map contains the folders and permissions for all storage volumes where GDPR sensitive data can exist, from a NetApp server to EMC Isilon to Windows to Office 365 (and beyond).

Once you have that map of data, you can begin the process of scanning those files for GDPR data. We see GDPR data in word documents, spreadsheets, notepad files, even XML files. Our Data Classification Engine is file type agnostic, so we will find the data even if it’s zipped.

Varonis GDPR Patterns has over 250 patterns and regexes for GDPR data, covering all 28 EU countries. It identifies and flags data that looks like an IBAN number, social security number, passport number, personal ID card, VAT number, mobile phone number, license plate number, tax registry number, and much more. You’ll be able to review the results in the DatAdvantage console with a GDPR category tag.

Sample of data classification matches for GDPR data – Germany
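A regex on its own produces many false positives for identifiers like IBANs, which is why classification engines pair a candidate pattern with algorithmic verification. The following is an added example, not the Varonis GDPR Patterns or Data Classification Engine code, that shows the two stages for IBANs: a candidate regex, then the ISO 7064 mod-97 check together with the per-country length from ISO 13616, so that only a checksum-verified hit is treated as a confirmed match. The length table is a small subset (a complete engine carries every country), the candidate regex is simplified, and the sample document is constructed; the two valid numbers in it are the widely published example IBANs for DE and NL, and the third is the DE example with one digit changed.

```python
"""Pattern match plus algorithmic verification for IBANs, as an added example
(not Varonis GDPR Patterns code)."""
import re

# ISO 13616 IBAN lengths for a handful of countries; a complete engine covers
# all EU members. Only countries listed here can be verified; others stay
# "unverified" candidates.
IBAN_LENGTHS = {"DE": 22, "FR": 27, "ES": 24, "SE": 24, "NL": 18}

# Candidate pattern: country code, two check digits, then groups of four with
# optional single spaces and a short tail. A match is only a candidate.
IBAN_CANDIDATE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b")


def iban_checksum_ok(candidate):
    """ISO 7064 mod-97 check: move the first four chars to the end, map letters
    A..Z to 10..35, and the resulting integer mod 97 must equal 1."""
    iban = candidate.replace(" ", "").upper()
    country = iban[:2]
    if len(iban) != IBAN_LENGTHS.get(country):
        return False
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(numeric) % 97 == 1


def classify(text):
    """Split IBAN-like strings into checksum-verified hits and pattern-only hits."""
    verified, unverified = [], []
    for match in IBAN_CANDIDATE.finditer(text):
        bucket = verified if iban_checksum_ok(match.group()) else unverified
        bucket.append(match.group())
    return verified, unverified


# Constructed sample document. The two valid IBANs are the widely published
# example numbers for DE and NL; the third is the DE example with a typo.
SAMPLE = ("Zahlungsdaten (constructed sample): IBAN DE89 3704 0044 0532 0130 00, "
          "Rueckerstattung an NL91 ABNA 0417 1643 00. "
          "Tippfehler: DE89 3704 0044 0532 0130 01.")


if __name__ == "__main__":
    verified, unverified = classify(SAMPLE)
    print("verified:  ", verified)
    print("unverified:", unverified)
```

Splitting hits into verified and unverified rather than discarding the unverified ones matters for GDPR work: a mistyped IBAN in a document is still personal data, so the pattern-only bucket is worth a lower-confidence tag and a review rather than silence.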

It can take a few weeks to scan all of your unstructured data stores if you run the system 24×7. This is one task where throwing processor power at the problem does make it go faster. You can also distribute the work across several Varonis Collector Servers to multiply the number of CPUs doing the work. The more, the merrier! And don’t worry – the Collector caps the amount of CPU the Data Classification Engine can use, so there’s minimal performance impact, and plenty of space left for the rest of the OS to do work.

On an 8 CPU system, Data Classification Engine can scan around 100GB per hour per Varonis Collector Server. In a day, that comes to 2.4 TB of data per Collector.

Disclaimer: These numbers are based on internal testing, your mileage may vary.

How Can I Find New GDPR Data?

Data Classification Engine continues to scan your data after the initial scan is complete, since users will update and add data faster than you can lock them down. Varonis updates the previously mentioned folder and permissions map daily (or whatever you configure) and then adds modified folders back into the queue to get scanned again. Data Classification Engine does not stop, it doesn’t feel pity or remorse, it will find all the GDPR data, and then it still won’t stop.

Once you discover your GDPR data, you need to figure out what to do with it – how to manage, process, and report on it – which I’ll cover in the next few parts of this series.

If you already know you need to prepare for GDPR, see how you’re doing with a free GDPR Readiness Assessment. We’ll do an assessment of your current state and present a report highlighting GDPR data, potential vulnerabilities, and strategies to protect that data.

12 Ways Varonis Helps You Manage Mergers and Acquisitions

How Varonis Helps with Mergers and Acquisitions

A well-constructed Merger & Acquisition (M&A) playbook reduces the overall time, cost and risk of the upcoming merger and/or acquisition. Gartner advises that organizations who intend to grow through acquisitions involve the CIO and IT teams early in the process by “sharing models with their business executives that raise the right questions and issues to consider.” Further, according to Gartner analysts Cathleen E. Blanton and Lee Weldon, CIOs should “create a reusable IT M&A playbook that can be quickly deployed when an idea or opportunity arises” and to share this data with senior management.

One of the key challenges with any Merger & Acquisition is how to protect, classify, manage, and migrate unstructured data throughout the entire process. Varonis not only helps protect M&A data prior to, during, and after the announcement – but can help organizations with each stage along the way: Due Diligence, Integration, and Realization.

With Varonis, organizations can:

  • Assess risk and catalog resources during due diligence
  • Gain insight into security practices and procedures of the target organization
  • Discover domains and user accounts to prepare for integration into the new organization
  • Classify sensitive data in acquired data storage
  • Help create an audit strategy for inherited unstructured data
  • Migrate data to consolidated storage during integration
  • Eliminate the potential of service interruption to critical data

“CIOs in organizations that plan to grow through mergers and acquisitions must help executives appreciate how technology, data, and analytic capabilities support operational and strategic objectives. A few simple models can make the difference between M&A success and failure.”

-Cathleen E. Blanton and Lee Weldon, Gartner Inc.

Due Diligence

Due diligence is the phase of M&A where decision makers weigh the pros and cons of moving forward with the acquisition, and according to Gartner, is the phase that underutilizes IT resources the most.

Asking important questions like “is there a danger of a security breach disrupting our M&A?” or “is the acquisition target providing all of the information or hiding some important detail?” as well as having data to answer those questions is vital in the decision-making process.

50-70% of any organization’s data lives in unstructured repositories. This data can either be a goldmine or a landmine for a successful M&A. Varonis helps determine which of those two options you are getting.

“CIOs and their teams can quickly grasp and highlight the severity of lax security and the consequent risk to operations.”

-Cathleen E. Blanton and Lee Weldon, Gartner Inc.

Sensitive Content Discovery

Varonis Data Classification Engine classifies sensitive data in unstructured repositories, including email, cloud storage, and NAS devices. You will be able to assess if the acquisition target adequately manages their sensitive data, identify current security vulnerabilities, discover critical data that needs to be locked down, and if they are vulnerable to – or in some cases have already experienced – a major data breach.

Domain and User Discovery

Varonis DatAdvantage analyzes and gathers data about each domain and every user account in the acquisition target. Varonis automatically identifies executive, service, and privileged accounts – and helps prepare existing account management for the upcoming merger or acquisition. With this data, you can determine if the company has policies in place to manage and monitor user accounts and identify stale accounts that a hacker could use to steal data.

File System Discovery

Varonis DatAdvantage crawls the folder structure of data repositories, including all permissions on each folder. Is the company using least privilege permissions or global access groups? Does everyone have full read/write access on all folders?

With Varonis, you can instantly visualize or report on potential access for any user or group in Active Directory, Azure AD, or a local system; pinpoint over-exposed sensitive data; and identify excessive permissions.

Assess Risk

Varonis DatAlert has built-in risk dashboards that give teams the insight into what data is at risk, identify potentially suspicious user behavior, and track remediation efforts. You will be able to assess if there is a risk of an undisclosed data breach in the acquisition target.

It can be a career-ending mistake to move forward with an acquisition only to later discover a massive data breach in the acquired company’s data. Not to mention a potential loss of expected revenue that drove the acquisition in the first place.

Additionally, you’ll get a good idea of the amount of work required to integrate the acquired domains and file systems while analyzing the data from the Varonis discovery process. You will be able to provide a more accurate estimate of the amount of time before you reach value realization, which also influences decisions made during due diligence.


Varonis has several out-of-the-box reports that can be distributed to the M&A team and analyzed during the due diligence process. These reports will provide a clear picture of the unstructured data and security practices of the acquisition target. CIOs and IT teams can use data from Varonis to empower the M&A team to make the best decision during the due diligence phase for their organization.


Merging two companies’ IT infrastructures is not trivial. Throughout the process, you must be aware of possible security threats – both internal and external. There’s no rewinding the clock at this point: the deal is done, and the IT systems need to be consolidated and protected in order for the new organization to thrive.

A successful integration phase will be free of service disruptions and move quickly into the value realization phase of M&A.

Varonis provides key functionality you will use throughout the Integration process that will both speed up the integration and provide visibility to all stakeholders.

Domain Consolidation

The first and most immediate challenge in integration is “how do we get all of the users using the same systems with the correct permissions?”

Merging one or more domains into a single primary entity is very difficult with the basic toolset. Varonis DatAdvantage provides a single pane of glass into all domains and users and groups, streamlining that process while taking steps to preserve the integrity of permissions and data access.

DatAdvantage gives a clear picture of the current domain setup, so that the team can mirror the existing users and groups in the primary domain. Varonis provides a complete audit trail of the changes made, including the IT staff person who made the change. Reports on users and groups can help the M&A team verify that each user has the correct permissions in the new organization.

These reports also highlight potential problems in the domain configuration that could lead to data breaches, interrupted service, or data leaks – like orphaned or nested groups. That domain data will be refreshed and available for audit in DatAdvantage so that any issues created one day are resolved the next.
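The file-system discovery and domain-consolidation passages above both come down to one question: what can a given user actually reach once group nesting is resolved, and which groups are a problem in themselves? The following is an added example, not DatAdvantage code, that resolves effective access through nested groups with a cycle-safe walk, lists folders whose ACL carries a global access group, and lists memberless groups. The directory, the ACLs, the set of names treated as "global access groups" and the definition of an orphaned group as one with no members are constructed assumptions for the illustration.

```python
"""Effective access through nested groups, plus the configuration problems the
text mentions (global access groups, orphaned groups), as an added example.

Not Varonis DatAdvantage code. Group membership, ACLs, what counts as a
"global access group" and the memberless definition of "orphaned" are
constructed assumptions for this illustration.
"""
from collections import defaultdict, deque

GLOBAL_ACCESS_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}

# Constructed directory: group -> direct members (users or other groups)
GROUP_MEMBERS = {
    "Domain Users":  {"alice", "bob", "carol", "dave"},
    "Finance":       {"alice", "Finance-Leads"},
    "Finance-Leads": {"bob"},
    "HR":            {"carol"},
    "Legacy-Sales":  set(),                   # nobody left in it: orphaned
    "Loop-A":        {"Loop-B"},
    "Loop-B":        {"Loop-A", "dave"},      # nesting cycle; must not hang the crawl
}

# Constructed folder ACLs: folder -> principal -> granted actions
ACLS = {
    "/shares/finance": {"Finance": {"read", "write"}},
    "/shares/hr":      {"HR": {"read", "write"}, "Domain Users": {"read"}},
    "/shares/public":  {"Everyone": {"read"}},
}


def groups_of(principal, group_members=GROUP_MEMBERS):
    """All groups a principal belongs to, directly or through nesting (cycle-safe)."""
    parents = defaultdict(set)
    for group, members in group_members.items():
        for member in members:
            parents[member].add(group)
    seen, todo = set(), deque([principal])
    while todo:
        current = todo.popleft()
        for group in parents.get(current, ()):
            if group not in seen:
                seen.add(group)
                todo.append(group)
    return seen


def effective_access(user, folder, acls=ACLS, group_members=GROUP_MEMBERS):
    """Union of actions granted to the user or any group they transitively belong to.
    Well-known global groups are assumed to contain every user."""
    principals = {user} | groups_of(user, group_members) | GLOBAL_ACCESS_GROUPS
    actions = set()
    for principal, granted in acls.get(folder, {}).items():
        if principal in principals:
            actions |= granted
    return actions


def globally_exposed(acls=ACLS):
    """Folders where a global access group appears on the ACL: open to the whole company."""
    return sorted(f for f, entries in acls.items() if set(entries) & GLOBAL_ACCESS_GROUPS)


def orphaned_groups(group_members=GROUP_MEMBERS):
    """Groups with no direct members (the assumed definition of 'orphaned' here)."""
    return sorted(g for g, members in group_members.items() if not members)


def demo():
    return {
        "bob_finance": effective_access("bob", "/shares/finance"),
        "bob_hr": effective_access("bob", "/shares/hr"),
        "carol_finance": effective_access("carol", "/shares/finance"),
        "dave_groups": groups_of("dave"),
        "exposed": globally_exposed(),
        "orphaned": orphaned_groups(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Bob never appears on the finance ACL directly; his write access arrives two levels of nesting away, which is exactly why a flat listing of ACL entries understates exposure and a transitive resolution is needed before deciding what to mirror into the primary domain.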

Folder Permissions

Nothing limits productivity like not having access to the resources you need to do your job. Varonis optimizes the process of changing and updating share and folder permissions. With the single-pane-of-glass view discussed above to consolidate the domains, you can view and modify folder permissions with a complete audit trail. You can easily add acquired users to the ACLs of existing resources, which keeps them productive throughout the integration.

Varonis DataPrivilege enables data owners to manage access directly, and makes the process for users to request access to data even easier. With DataPrivilege, new users request folder access from a simple interface, and the data owners review to approve or deny the request, removing IT from the burden of user access management.

The Varonis Automation Engine addresses any of the broken permissions issues that can occur when this much change is introduced into your company data. The Automation Engine makes it easy to revoke unnecessary access that users no longer need or use, keeping your data safe. Automatically fix inconsistent ACLs on folders, a hierarchy, or even an entire server – and eliminate inconsistent file permissions.

Data Migration and Storage Consolidation

Most merger and acquisition processes require a significant amount of data migration and storage consolidation, while also readdressing the newly acquired and expensive storage devices that you may or may not need.

The Varonis Data Transport Engine automates and simplifies large data migrations. Using the Data Transport Engine, you can move data from one storage server to another to save money and reduce overhead while maintaining or updating file access permissions.

The Data Transport Engine mirrors the existing permissions on the new storage using the information it already discovered from crawling the file structure, and can update permissions to achieve least privilege. The ability to consolidate storage systems can result in tens of thousands of dollars in savings to the new company moving forward. Data Transport Engine streamlines the process while maintaining least privilege permissions and protecting your data.

Lock Down Sensitive Data

The Varonis Data Classification Engine continues to scan acquired data for sensitive files throughout the due diligence and integration phases. As you discover new sensitive data you can use Varonis to help manage the files, folders, and subsequent permissions to keep the data safe, making sure that only the right people have access to the right data. You can also use the Data Transport Engine to move the files to quarantine.

Value Realization

Once due diligence and integration are complete, organizations need to practice and maintain data-centric security in order to maintain the security and integrity of the data post-merger, and for potential future M&As.

Data Discovery and Classification

The Varonis Data Classification Engine has a wide array of built-in compliance packs for regulations such as GDPR, HIPAA, SOX, PCI-DSS, etc., while providing the ability to create custom rules, perform algorithmic verification, add manual flags, and even automatically quarantine or delete sensitive content that is out-of-policy.

Permissions Management

Varonis helps manage permissions and data access as a company grows, simplifying the permission structure on all platforms and revoking unnecessary permissions without affecting end users by simulating permission changes before applying new permissions.

Security Analytics

Varonis continuously monitors and analyzes user activity and behavior across hybrid environments and builds behavioral baselines for every account. Security teams can analyze data access events in context with data sensitivity, permissions, and Active Directory metadata, resulting in accurate alerts and fewer false positives.

With over 100 threat models, Varonis alerts on everything from unusual mailbox activity to insider threats to known malware behavior. Security teams have the flexibility to use the DatAlert dashboard or send alerts to an integrated SIEM.

Curious to see how Varonis can help with your M&A playbook? Get a customized demo and we’ll show you.

Malware Protection: Defending Data with Varonis Security Analytics

Malware has become the catch-all term for any bit of code that attempts to hide and then subvert the intentions of the computer’s owner. Viruses, rootkits, lock-screens, and Trojan horses are as common today as a web browser and are used by everyone from criminals to governments to security researchers.

Malware detection on endpoints is commonplace, but as WannaCry and NotPetya taught us, malware can land on your servers as well, where it can encrypt or destroy data, or open backdoors that exfiltrate the lion's share of your sensitive information. That's where Varonis comes in.

We've developed over 100 threat models to detect and arrest malware, data leaks, and potential security risks to your data. Let's identify some of the more common types of malware and dive into how Varonis can help you detect and defend against those attacks.


Viruses

Viruses are one of the oldest kinds of malware out there. They exist to cause mayhem and to make your life miserable.

There are certain viruses, for instance, that target NAS devices. Those are particularly dangerous because of the sheer volume of data they can reach. The most notable recent example was SambaCry (CVE-2017-7494), a remote code execution vulnerability in Samba that attackers used to deliver ransomware, DDoS bots, and backdoors to NAS devices exposing SMB.

This kind of attack not only spreads to other computers but also attacks any attached data stores, like the NAS holding the really important data (company financial statements, HR records) or the email server. In the blink of an eye, your entire data store could be encrypted or deleted.

How to Stop a Virus with Varonis

Varonis doesn't just monitor file events; it also builds a behavioral baseline of normal activity for each user. That baseline lets us separate activity consistent with a particular user's historical pattern of access (human activity) from the rapid, repetitive pattern of a virus (machine activity), and quickly pull the plug on the account, stopping the virus from inflicting further damage.

Below are some of the threat models that would help detect this type of malware attack:

Threat Model: Encryption of multiple files

How it works: DatAlert triggers this when there are multiple file modify events by the same user in a short amount of time, AND when those modifications involve file extensions associated with malware encryption. The list of known extensions is configurable via a dictionary.

What it means: This usually indicates a malware attack with the intent to deny access to data.

Where it works: Windows, Unix, Unix SMB, SharePoint, NetApp, EMC, Hitachi NAS, HP NAS, SharePoint Online, OneDrive, Dell FluidFS, Nasuni

Threat Model: Abnormal Behavior: Unusual number of files deleted

How it works: DatAlert triggers this when there are multiple file delete events by the same user in a short amount of time.

What it means: This means that a single user has deleted many files on a monitored storage device in a short amount of time. This could be a user doing clean-up work, but it also could be malware.

Where it works: Windows, Unix, Unix SMB, SharePoint, NetApp, EMC, Hitachi NAS, HP NAS, SharePoint Online, OneDrive, Dell FluidFS, Nasuni

Threat Model: Abnormal Behavior: Unusual number of sensitive files deleted

How it works: DatAlert triggers this when there are multiple file delete events by the same user in a short amount of time, and those files have been marked as sensitive by the Varonis Data Classification Engine.

What it means: Like the previous threat model, this means that a single user has deleted many files on a monitored storage device in a short amount of time. This could be a user doing clean-up work, but it also could be malware.

Where it works: Windows, Unix, Unix SMB, SharePoint, NetApp, EMC, Hitachi NAS, HP NAS, SharePoint Online, OneDrive, Dell FluidFS, Nasuni
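To make the three models above concrete, here is an added example (written for this post, not Varonis code) of the per-user sliding-window logic they describe, run over a constructed list of file events. The event fields, the five-minute window, the fixed thresholds and the extension list are assumptions for the example; DatAlert's real thresholds come from per-user baselines and its extension dictionary is configurable.

```python
"""Sliding-window mass-modify / mass-delete detection over file access events.

Added example, not Varonis code: it mimics the three DatAlert threat models
above on a constructed event list. The field layout, thresholds and the
five-minute window are assumptions for this example, not a DatAlert schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)

# Extensions that ransomware families append to files they encrypt. A real
# deployment keeps this in a configurable dictionary, as the text says.
SUSPECT_EXTENSIONS = (".locky", ".crypt", ".wncry", ".encrypted", ".zepto")

# Rule name -> (predicate over one event, matching events needed in one window).
# Fixed thresholds keep the example short; production thresholds are per-user baselines.
RULES = {
    "Encryption of multiple files": (
        lambda op, path, sensitive: op == "modify" and path.lower().endswith(SUSPECT_EXTENSIONS), 5),
    "Unusual number of files deleted": (
        lambda op, path, sensitive: op == "delete", 10),
    "Unusual number of sensitive files deleted": (
        lambda op, path, sensitive: op == "delete" and sensitive, 3),
}


def detect(events, window=WINDOW, rules=RULES):
    """Return {(rule, user): first timestamp at which the rule fired}.

    events: iterable of (timestamp, user, op, path, is_sensitive) tuples, any order.
    A per-(rule, user) deque holds timestamps of matching events inside the
    window; the rule fires once the deque reaches its threshold.
    """
    alerts = {}
    recent = defaultdict(deque)
    for ts, user, op, path, sensitive in sorted(events, key=lambda e: e[0]):
        for name, (predicate, threshold) in rules.items():
            if not predicate(op, path, sensitive):
                continue
            q = recent[(name, user)]
            q.append(ts)
            while ts - q[0] > window:      # drop events that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                alerts.setdefault((name, user), ts)   # keep the first trigger time
    return alerts


# Constructed sample data: users, paths and times are invented for this example.
T0 = datetime(2018, 3, 1, 9, 0, 0)


def _burst(user, op, paths, start, gap_seconds, sensitive=False):
    return [(start + timedelta(seconds=i * gap_seconds), user, op, p, sensitive)
            for i, p in enumerate(paths)]


SAMPLE_EVENTS = (
    # bob: six spreadsheets rewritten with a ransomware extension within 25 seconds
    _burst("bob", "modify", [f"\\\\fs01\\finance\\q{i}.xlsx.locky" for i in range(6)], T0, 5)
    # alice: three deletes spread over an hour, i.e. routine clean-up
    + _burst("alice", "delete", [f"\\\\fs01\\hr\\old{i}.docx" for i in range(3)], T0, 1200)
    # carol: twelve deletes in two minutes, four of them classified sensitive
    + _burst("carol", "delete", [f"\\\\fs01\\legal\\case{i}.pdf" for i in range(8)],
             T0 + timedelta(hours=1), 10)
    + _burst("carol", "delete", [f"\\\\fs01\\legal\\ssn{i}.pdf" for i in range(4)],
             T0 + timedelta(hours=1, seconds=80), 10, sensitive=True)
)


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for (rule, user), first in sorted(run_sample().items()):
        print(f"{first:%H:%M:%S}  {rule}: {user}")
```

Bob trips the encryption rule on his fifth rename, carol trips both delete rules within two minutes, and alice's slow clean-up never fills a window, which is the distinction between machine and human speed that the text relies on.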

Varonis will detect the virus, lock out the user, and then the SOC can take action to limit or restore the damage done and get the virus under control.

Time is a virus’ best friend. The longer it has to gallivant around uninterrupted, the more times it can copy itself and destroy data. Varonis triggers an immediate, automated response, stopping the virus before it has time to do significant damage.

Trojan Horse

Trojan Horse attacks get their name from the famous story from antiquity. They resemble viruses in that they arrive hidden inside something the user wanted to download, but unlike viruses they don't replicate on their own, and their payloads tend to be different.

Trojans try to install backdoors or rootkits on your computer, which give attackers access to that computer and to whatever that computer can reach.

How to Stop a Trojan with Varonis

Varonis defends against some Trojans by monitoring the startup folders where these bugs want to install their payload.

Threat Model: Suspicious access activity: non-admin access to startup files and scripts

How it works: DatAlert identifies any file activity by a non-admin user on folders identified as startup folders as suspicious.

What it means: Activity by non-admin users on startup folders is suspicious: ordinary users have no reason to touch them. The cause could be a Trojan, but it could also be an attacker manually dropping files into the folder from an already compromised computer.

Where it works: Windows, Unix, Unix SMB, HP NAS

One thing Trojans want to do is persist across reboots, so they try to embed themselves in these folders and hide among the other running processes to avoid detection.

If a Trojan is smart enough to avoid the Startup folder and drops its payload elsewhere, a different threat model can still catch it.

Threat Model: Exploitation software accessed

How it works: DatAlert detects file events whose filenames match a list of known attacker tools (the "hacker toolkit"), a list that is continually updated.

What it means: It could mean that a user downloaded a hacker tool for a valid reason, but most likely it’s an attempt to infiltrate the network and needs to be stopped.

Where it works: Windows, Unix, Unix SMB, SharePoint, NetApp, EMC, Hitachi NAS, HP NAS, SharePoint Online, OneDrive, Dell FluidFS

Rootkits and Backdoors

Rootkits and backdoors are payloads that let attackers access a computer and its attached network, run commands to move laterally, and steal data. Rootkits are usually prepackaged executables that hide their own presence on the host; backdoors are routes attackers can take to bypass standard authentication on the network.

Once an attacker has a rootkit or backdoor installed and a foothold on the network, they start poking around for the profitable stuff to steal, which these days ranges from social security numbers to credit card numbers to email.

How to Stop Rootkits and Backdoors with Varonis

Hackers often use service accounts to move around the network: a service account often has more privileged access, and therefore access to more valuable data.

Threat Model: Abnormal service behavior: access to atypical files

How it works: Service accounts typically behave in a consistent manner, performing the same actions over and over again. When a service account starts performing actions on file types that are outside its usual behavior, something suspicious is likely going on. Because Varonis classifies every AD account as Admin, Executive, Service, or User, it can recognize when an account classified as Service starts to access files outside its usual pattern.

What it means: Someone is using this service account to look at other files, most likely to exploit the service account's privileges to navigate the file structure. Outside a planned application change (a new version or a reconfiguration that legitimately touches new file types), there is no valid reason for a service account to access files beyond its normal operation: check change control, and if nothing explains the activity, lock the account out and rotate its credentials.

Where it works: Windows, Unix, Unix SMB, SharePoint, NetApp, EMC, Hitachi NAS, HP NAS, SharePoint Online, OneDrive, Dell FluidFS

Another tactic linked with these types of attacks is brute force – which Varonis can help thwart with threat models that focus on lockout events.

Threat Model: Abnormal admin behavior: cumulative increase in lockouts for individual admin accounts

How it works: DatAlert detects statistically significant increases in lockout events over time, and can identify an unusual number of lockouts on an admin account compared to its typical behavior.

What it means: Someone is repeatedly trying to log in to the account and failing. This could be a valid user with a stale password cached in a script, scheduled task, or saved session, or it could be an outsider trying to brute force or guess the password. A slow, steady climb in lockouts is the signature of a gradual brute-force attack aimed at stealing admin credentials or denying access to the account.

Where it works: Directory Services
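As an added illustration of the service-account and lockout models above (example code written for this post, not Varonis's implementation), the following learns each account's normal file types from a learning period and checks the latest week of lockouts against the preceding weeks. Account names, classifications, paths, the 14-day learning window and the z-score threshold are all assumptions.

```python
"""Baseline-versus-now checks for service accounts and admin lockouts.

Added example, not Varonis code: it illustrates the "access to atypical
files" and "cumulative increase in lockouts" threat models on constructed
data. Account names, classifications, paths and thresholds are assumptions.
"""
import ntpath
from collections import defaultdict
from statistics import mean, pstdev

# Account classification, which the text says Varonis derives for every AD account.
ACCOUNT_TYPES = {"svc_backup": "Service", "svc_sql": "Service",
                 "jdoe": "User", "adm_kim": "Admin"}


def extension(path):
    ext = ntpath.splitext(path)[1].lower()
    return ext or "(none)"


def file_type_baseline(events):
    """{account: set of extensions} learned from (day, account, path) events."""
    baseline = defaultdict(set)
    for _day, account, path in events:
        baseline[account].add(extension(path))
    return baseline


def atypical_file_types(events, baseline, account_types=ACCOUNT_TYPES):
    """Events where a Service account touches an extension absent from its baseline."""
    hits = []
    for day, account, path in events:
        if account_types.get(account) != "Service":
            continue   # humans change file types all day; only services are predictable
        ext = extension(path)
        if ext not in baseline.get(account, set()):
            hits.append((day, account, path, ext))
    return hits


def lockout_spike(daily_counts, window=7, z_threshold=3.0):
    """Compare the latest `window` days of lockouts with the earlier windows.

    Returns (flagged, z). The standard deviation is floored at one lockout so
    a perfectly quiet history does not turn a single lockout into an alert.
    """
    latest = sum(daily_counts[-window:])
    history = daily_counts[:-window]
    weeks = [sum(history[i:i + window])
             for i in range(0, len(history) - window + 1, window)]
    if len(weeks) < 2:
        return False, 0.0          # not enough history to call anything unusual
    z = (latest - mean(weeks)) / max(pstdev(weeks), 1.0)
    return z >= z_threshold, z


# Constructed sample data, invented for this example.
LEARNING_EVENTS = (
    [(d, "svc_backup", f"\\\\fs01\\backups\\fs01-{d}.bak") for d in range(1, 15)]
    + [(d, "svc_sql", p) for d in range(1, 15) for p in ("D:\\data\\erp.mdf", "D:\\data\\erp.ldf")]
    + [(d, "jdoe", f"\\\\fs01\\sales\\notes{d}.docx") for d in range(1, 15)]
)

TODAY_EVENTS = [
    (15, "svc_backup", "\\\\fs01\\backups\\fs01-15.bak"),
    (15, "svc_sql", "\\\\fs01\\finance\\payroll.xlsx"),   # atypical for a SQL service account
    (15, "jdoe", "\\\\fs01\\sales\\forecast.xlsx"),        # new type, but a User: ignored
]

# Daily lockouts for adm_kim: five quiet weeks, then a week of steady failures.
ADMIN_LOCKOUTS = [0, 1, 0, 0, 1, 0, 0,
                  0, 0, 1, 0, 1, 0, 1,
                  1, 0, 0, 0, 1, 0, 0,
                  0, 1, 0, 0, 1, 0, 1,
                  0, 0, 1, 0, 0, 1, 0,
                  1, 1, 2, 1, 2, 2, 1]


def run_sample():
    baseline = file_type_baseline(LEARNING_EVENTS)
    return atypical_file_types(TODAY_EVENTS, baseline), lockout_spike(ADMIN_LOCKOUTS)


if __name__ == "__main__":
    hits, (flagged, z) = run_sample()
    print("atypical service-account access:", hits)
    print(f"admin lockout spike: {flagged} (z = {z:.1f})")
```

Note what the lockout check does not do: a single noisy day never fires, because only the weekly total is compared, which is the "cumulative" part of the model; and the User account's new spreadsheet is ignored on purpose, since people, unlike services, have no stable file-type profile.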

A third tactic associated with these types of attacks is privilege escalation: hackers may try to elevate the privileges of a user that they already have access to – in order to extend their access to more sensitive data.

Threat Model: Membership changes: admin group

How it works: Varonis monitors membership changes, and can flag when members are added to or removed from an admin group.

What it means: If the change was made outside of change control, it is likely an attempt to gain a privileged account and use it to steal data.

Where it works: Directory Services

Remote Access Trojans (RATs)

Remote Access Trojans (RATs) are a type of malware that opens a back door to give attackers remote control of the host. Although they date back to the 1990s, they are still very much in use today.

How to Stop Remote Access Trojans (RATs) with Varonis

Varonis Edge analyzes perimeter telemetry, including VPN, web proxy, and DNS (the channel abused by DNSMessenger, for example), and you can use threat models designed specifically for suspicious DNS activity or remote access behavior.

Threat Model: Abnormal behavior: activity from new geolocation to the organization

How it works: Any activity that originates outside of known geolocations will trigger this threat model.

What it means: Someone connected to the network through the VPN from a geolocation the organization has never seen before. Confirm with the user before treating it as hostile: travel, a new office, or a new cloud egress point will trigger the same alert.

Where it works: VPN

Another tactic associated with this type of malware is DNS Tunneling, which encodes data or protocols in DNS queries and responses.

Threat Model: Data Exfiltration via DNS Tunneling

How it works: Varonis monitors DNS traffic and flags queries that carry something other than an ordinary name lookup. A DNS tunnel encodes data and commands into query names and responses (TXT records, for instance) so that an attacker can pass commands to a compromised host and pull data back out through a channel that is rarely blocked at the perimeter. As soon as Varonis sees DNS requests that don't look like standard lookups, this threat model triggers.

What it means: Someone is using DNS to carry commands or data rather than to resolve names. This is most likely an attacker's command-and-control or exfiltration channel.

Where it works: DNS
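Here is an added example, not Varonis code, of the kind of heuristics a DNS tunneling detector applies: label length, character entropy, bulky TXT/NULL queries, and the number of unique subdomains a host asks for under one domain. The log format, thresholds, IP addresses and domains are constructed for the example, and the registrable-domain split is deliberately naive (a real detector uses the Public Suffix List).

```python
"""Heuristic DNS tunnel detection over a constructed query log.

Added example, not Varonis code: it shows the kind of "non-standard DNS
request" checks the threat model above describes. Log format, thresholds,
addresses and domains are assumptions made for this example.
"""
import math
from collections import Counter, defaultdict


def shannon_entropy(s):
    """Bits per character: hex/base32 payloads score near 4, hostnames well below 3.5."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname):
    """Naive split into (subdomain labels, registrable domain).

    Assumes the registrable domain is the last two labels; a production
    detector must consult the Public Suffix List (co.uk and friends).
    """
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])


def query_reasons(qname, qtype):
    """Per-query indicators that the name carries encoded data rather than a hostname."""
    sub, _base = split_name(qname)
    reasons = []
    longest = max(sub, key=len, default="")
    if len(longest) >= 30:
        reasons.append("long label")
    if len(longest) >= 20 and shannon_entropy(longest) >= 3.5:
        reasons.append("high entropy")
    if qtype in ("TXT", "NULL") and len(qname) >= 50:
        reasons.append("bulky TXT/NULL query")
    return reasons


def detect_tunneling(log_lines, min_unique_subdomains=5):
    """Group queries by (source, registrable domain) and report suspicious pairs.

    Each line is "<timestamp> <src_ip> <qtype> <qname>" (constructed format).
    """
    by_pair = defaultdict(lambda: {"queries": 0, "subdomains": set(), "reasons": set()})
    for line in log_lines:
        _ts, src, qtype, qname = line.split()
        sub, base = split_name(qname)
        entry = by_pair[(src, base)]
        entry["queries"] += 1
        entry["subdomains"].add(".".join(sub))
        entry["reasons"].update(query_reasons(qname, qtype))
    alerts = []
    for (src, base), entry in sorted(by_pair.items()):
        if len(entry["subdomains"]) >= min_unique_subdomains:
            entry["reasons"].add("many unique subdomains")   # data chunks need fresh names
        if entry["reasons"]:
            alerts.append({"src": src, "domain": base, "queries": entry["queries"],
                           "reasons": sorted(entry["reasons"])})
    return alerts


# Constructed sample log. The 32-hex-character payload is rotated so each
# query carries a different "chunk" while keeping the same character mix.
TUNNEL_PAYLOAD = "0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d"
SAMPLE_LOG = [
    "2018-03-01T09:00:01 10.0.0.5 A www.example.com",
    "2018-03-01T09:00:02 10.0.0.5 A mail.example.com",
    "2018-03-01T09:00:03 10.0.0.5 AAAA www.example.com",
    "2018-03-01T09:00:04 10.0.0.5 A cdn-static-assets.example.org",
] + [
    f"2018-03-01T09:00:{10 + i:02d} 10.0.0.7 TXT "
    f"{TUNNEL_PAYLOAD[i:] + TUNNEL_PAYLOAD[:i]}.{i:02d}.tun.example.net"
    for i in range(6)
]


def run_sample():
    return detect_tunneling(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Only the 10.0.0.7 traffic to example.net is reported; the workstation resolving www and mail under example.com never trips a check, and the long-but-readable cdn-static-assets label stays below both the length and entropy thresholds, which is why those two tests are applied together rather than on their own.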

What Did I Miss?

That's just a handful of examples of how our threat models detect suspicious activity and help protect against several common types of malware. Have you had to investigate a malware incident? If you feel like sharing, leave a comment below: we'd love to hear it.

You can also check out DatAlert for yourself and see these threat models in action, or get a free 30-day Data Security Risk Assessment.

SIEM Tools: Varonis Is the Solution That Makes the Most of Your SIEM

SIEM applications are an important part of the data security ecosystem: they aggregate data from multiple systems, normalize that data, then analyze that data to catch abnormal behavior or data security attacks. SIEM provides a central place to collect events and alerts – so that you can initiate a security investigation.

But what then?

The biggest issue we hear from customers when they use SIEM is that it’s extremely difficult to diagnose and research security events. The volume of low-level data and the high number of alerts cause a ‘needle in a haystack’ effect: users get an alert but often lack the clarity and context to act on that alert immediately.

And that’s where Varonis comes in. Varonis provides additional context to the data that a SIEM collects: making it easier to get more value out of a SIEM by building in-depth context, insight, and threat intelligence into security investigations and defenses.

Limitations of SIEM Applications as a Full Data Security Ecosystem

SIEM applications provide limited contextual information about their native events, and SIEMs are known for their blind spot on unstructured data and emails. For example, you might see a rise in network activity from an IP address, but not the user that created that traffic or which files were accessed.

In this case, context can be everything.

What looks like a significant transfer of data could be completely benign and warranted, or it could be the theft of petabytes of sensitive and critical data. A lack of context in security alerts leads to a "boy who cried wolf" effect: eventually your security team becomes desensitized to the alarm bells that go off every time an event is triggered.

SIEM applications cannot classify data as sensitive or non-sensitive, and therefore cannot distinguish sanctioned file activity from suspicious activity that can damage customer data, intellectual property, or company security.

Ultimately, SIEM applications are only as capable as the data they receive. Without additional context on that data, IT is often left chasing down false alarms or otherwise insignificant issues. Context is key in the data security world to know which battles to fight.

How Varonis Complements SIEM

The context that Varonis brings to SIEM can be the difference between a snipe hunt and preventing a major data security breach.

Varonis captures file event data from various data stores, on-premises and in the cloud, to give the who, what, when, and where of each file accessed on the network. With Varonis Edge monitoring, Varonis also collects DNS, VPN, and web proxy activity, so you can correlate network activity with data store activity and paint a complete picture of an attack, from infiltration through file access to exfiltration.

Varonis classifies unstructured files based on hundreds of possible pattern matches, including PII, government ID numbers, credit card numbers, addresses, and more. That classification can be extended to search for company-specific intellectual property, discover vulnerable, sensitive information, and help meet compliance for regulated data – and Varonis reads files in place without any impact to end users.

Varonis also performs user behavior analytics to provide meaningful alerts based upon learned behavior patterns of users, along with advanced data analysis against threat models that inspect patterns for insider threats (exfiltration, lateral movement, account elevation) and outsider threats (ransomware).

How Varonis Works with SIEM

Varonis integrates with SIEM applications to give security analytics with deep data context so that organizations can be confident in their data security strategy.

Integration highlights:

  • Out of the box analytics
  • Integrated Varonis dashboards and alerts for streamlined investigation
  • Alert specific investigation pages
  • Critical information highlighted at a glance, with actionable insights and context
  • Integration into your SIEM workflow

Investigating an Attack with Varonis and SIEM

This contextual data that Varonis brings gives security teams meaningful analysis and alerts about the infrastructure, without the additional overhead or signal noise to the SIEM. SOC teams can investigate more quickly by leveraging SIEM with Varonis, and get insight into the most critical assets they need to protect: unstructured data and email.

Investigating a ransomware incident using Varonis DatAlert, for instance, is much faster than looking through the SIEM logs to piece together what happened.

With the added visibility provided by DatAlert, you get an at-a-glance overview of what's happening on your core data stores, both on-premises and in the cloud. You can easily investigate users, threats, and devices, and even automate responses.

Here, it looks like Hijacked Helen has 21 alerts – something suspicious is going on. You can easily click through to Helen’s alerts to find out what it might be: including a potential malware attack.

You can dive into those individual alerts to understand and investigate the situation. In the alert details, it looks like the alerted events have originated from outside our company.

Scrolling down the Alert page, you can see that there is one computer involved, and 24 sensitive files have been accessed. Additionally, 10% of all events for this computer occurred outside of Helen’s normal work hours. It sure does look like Helen’s PC is being used by some outsider to access files in the network.

On that same alert page, you can see that the files accessed from Helen’s PC are owned by Payroll Pete – it looks like a hacker is trying to access payroll data.

That’s just the beginning of investigating suspicious behavior and activity with Varonis and your SIEM. DatAlert can kick off a script to disable the user account and shut down the attack as soon as it is first detected – in which case, that hacker might not have been able to get to the payroll files at all!

With the context you have at your disposal, you can quickly and easily respond to – and manage – the alerts that you receive in your SIEM. Security analysts spend countless hours to get meaningful alerts from SIEM: fine-tuning use cases, building rules, and adding in data sources – Varonis gives a head start with 120 out-of-the-box analytics models, intuitive dashboards, and intelligent alerting.

OK, I’m Ready to Get Started!

If you’re already using a SIEM, it’s simple to add Varonis and get more out of your SIEM investment. If you’re looking to start your data security plan, start with Varonis and then add your SIEM.

Once you have Varonis in place, you can then add your SIEM for data aggregation and additional monitoring and alerting. Varonis gives you more initial data security coverage, and adding a SIEM will make Varonis and your SIEM better able to correlate and store data for analysis and auditing.

Want to see more? Click here for a personalized demo to see how Varonis and SIEM work together.

Add Varonis to IAM for Better Access Governance

Managing permissions is a colossal job fraught with peril, and over-permissive folders are the bane of InfoSec and a hacker's delight. Many organizations employ IAM (Identity and Access Management) to help manage and govern access to applications and other corporate resources.

One of the challenges that remains after implementing an IAM solution, however, is how to apply its principles to unstructured data. IAM may be able to help you manage group memberships in Active Directory, but can’t tell you which data each group gives access to. It’s like managing the keys on a keyring without knowing which doors they unlock.

That’s where Varonis comes in. DatAdvantage has a bi-directional permissions view: just double-click on a folder, site, or mailbox to see who has access to it or click on a user or group to see everything they can access – across all your data stores.

Our customers often find that IAM is overprovisioning access based on roles, and Varonis will bring attention to those issues and help you fix them.

Varonis integrates with IAM to extend its capabilities, bringing together a holistic data security solution.

How Varonis Integrates with IAM

Varonis DataPrivilege enhances the IAM process by taking the IT staff out of the approval chain for data access and putting that decision back with the data owners. Once that’s taken care of, you can implement a workflow to maintain least privilege permissions.

Varonis facilitates the integrations with both SOAP and REST API. With the API, you can synchronize managed data with your IAM/ITSM solution, and return instructions to DataPrivilege to execute and report on requests and access control changes. You’ll be able to use the integration to externally control DataPrivilege entitlement reviews, self-service access workflows, ownership assignment, and more.

The integrations allow for several standard use cases:

  • Data-Side Entitlement Review: From the IAM system, a user can request a report of the permissions on a folder for auditing, with options for removal
  • Line Manager User Side Entitlement Review: A manager selects one of their direct reports to pull a list of all groups and permissions that user holds, and can request changes directly from the list
  • Self Service Access Request Workflow: Users request folder or group access, and DataPrivilege manages the approval process
  • Provisioning/Deprovisioning Workflow: Creating a new user in the IAM triggers a process to provide that user with standard permissions based on their job function, and conversely deprovisioned users get removed from all groups, so there are no orphaned accounts left in groups

Advantages of Adding Varonis to Your IAM Strategy

On top of the IAM integration capabilities, Varonis helps build out a strong data security strategy: adding monitoring, classification, threat detection, and more to your arsenal.

If you have an IAM or you are planning on implementing an IAM as part of your 2018 data security initiatives, we’ll show you how to get even more out of your IAM by integrating with the Varonis Data Security Platform – click here for a personalized demo to get started.

Automating Permissions Cleanup: An In-Depth ROI Analysis

Implementing a least privilege model can be time-consuming and expensive, but it is an important part of any data security strategy. The Varonis Automation Engine helps you automate the process and drastically reduces the time required to get there.

Previously, we discussed automating data access requests to achieve incredible ROI by cutting down on help desk tickets. We also briefly mentioned the enormous amount of work involved in finding and fixing global access–a task which can drastically reduce the risk of data leaks and security breaches.

But what goes on behind the curtain? And how much work and expertise is required to remediate overly permissive folders to get to a least privilege model? Let’s take a look.

The Global Access Epidemic

Overexposed data is a common security vulnerability that we see. In fact, our 2017 Data Risk Report revealed that 47% of companies have at least 1,000 sensitive files open to everyone in the company. This issue often stems from the default Global Access groups like Everyone or Authenticated Users.

Here is a common example of the issue: the Everyone group has Read and Write access to the Legal folder.

Every hacker in the universe knows how to hunt for globally exposed files from the command line. Once a hacker has control of any account in this company, they automatically have free rein over all the data in the Legal folder, and who knows what else.

Here's what remediating this issue might look like in practice:

  • Create a role-based Legal group for the legal team (if it doesn’t already exist)
  • Work with the business stakeholders to validate the group members
  • Add the Legal group to the ACL
  • Remove the Everyone group from the top-level ACL
  • Wait for the users that aren’t in the Legal group to call with complaints that they can’t access their data

On average, it takes about 6 hours to locate and manually remove the global access groups, create and apply new groups, and subsequently populate them with the right users that need access to the data.

The Cost of Manually Fixing Permissions

How many teams do you have? How many folders do you have on your main storage?

Whatever that number is, multiply it by 6 and you’ll have a rough estimate of how long it’s going to take to rid your environment of global access.

For 1,000 folders, that's 6,000 hours of work. Spread across a three-person team, that's 2,000 hours each, or 250 eight-hour days: 50 work weeks. It's a lot of work, and that's why permissions management is still a huge job. So let's do a quick cost analysis of this situation.

To get started, it’s likely going to require several people of varying levels of seniority to manage and implement the move to a least privilege model. Typically, this requires a 3 person team: a senior leader who makes $100/ hour unloaded, a sysadmin that makes $50/hour, and a junior team member that makes $25/hour.

Math: (2,000 hours × $100) + (2,000 hours × $50) + (2,000 hours × $25) = $350,000

So for our 3-person team, the total spend to get 1,000 folders to least privilege is a $350,000 investment over 250 total work days. And that only covers 1,000 folders.

How many folders do you have on your main storage?

The amount of enterprise data generated by an average sized organization in the 21st century is staggering on a slow day: and far exceeds that 1,000 folder baseline.

Not only is permissions cleanup time-consuming, but there’s risk involved with making such a broad change. What if you accidentally crash a mission-critical application that needs write access to a folder you’ve just remediated?

So how can we remediate global access quickly and safely?

A 3,600% Efficiency Gain with DatAdvantage

When everyone can access data, it’s very difficult to know who among the large set of potential users actually needs that access. But if we know exactly who’s touching the data, we can be surgical about reducing access without causing any headaches.

DatAdvantage continually monitors and analyzes data access and correlates that activity to access control lists to highlight which users would be impacted if you removed global access. You can run a simulation in a sandbox and commit the changes when you’re happy with the projected outcome.

That means you can safely remediate access to all of the high-risk data without risking productivity. You can actually fix the problem without getting in anyone’s way.

DatAdvantage reduces the time it takes to remediate those global access group permissions, down to less than 10 minutes per folder.

That's 36 times faster, a 3,600% efficiency gain!

On top of that, you can reduce the resources required to maintain and manage these permissions, bringing that 3 person team down to 1.

Our new calculation then goes like this:

((10 minutes × 1,000 folders) / 60 minutes) × $25 per hour + software cost = about $4,166 of labor in roughly 167 hours!

The job went from a major capital investment to a quick month-long project with a small up front software cost.

Staggering ROI with Automation Engine

Countless Varonis customers have had success remediating global access and other hard-to-fix permissions issues with DatAdvantage alone, but many of them started asking, “Can you fix these issues automatically?”

Enter the Varonis Automation Engine. If you can tackle hundreds of folders per day with a small team leveraging DatAdvantage, you can remediate thousands of folders per day with the Automation Engine.

Once configured, the Automation Engine will safely remove global access groups by replacing them with single purpose groups, putting the right users in every time. With flexible configuration options, you can fix tactical issues on a folder-by-folder basis or perform complete global remediation.

Automation is the Future

Global access groups with permissions to your sensitive data are like leaving the vault door open with a giant neon "FREE!" sign hanging outside your building. Getting to a least privilege model saves time and resources, closes that vault door, and locks it down.

And once you're there, you still need to keep an eye on inconsistent ACLs: folders that are supposed to inherit permissions from their parent but whose ACL differs from it. Even a single folder with an inconsistent ACL that contains sensitive data can be a major security issue. Compounding the problem, remediating inconsistent ACLs is another time-consuming and tedious process without automation.

The Automation Engine not only takes the guesswork out of it for you, but frees up your team to focus on bigger and better things. You’ll be able to automatically fix inconsistent ACLs on folders, a hierarchy, or even an entire server – and eliminate inconsistent file permissions.
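The two checks described in this post, who would be affected by removing a global access group from the Legal folder (judged from who actually touched it, as in the DatAdvantage simulation above) and which folders claim to inherit permissions but differ from their parent, can both be modeled on the same ACL data. This is an added example written for this post, not Varonis code; the folder tree, ACEs, group memberships and access events are invented.

```python
"""Simulating global-group removal and finding inconsistent ACLs.

Added example, not Varonis code. It models two checks from the text on
constructed data: who would lose access if Everyone were removed from a
folder (judged from who actually accessed it), and which child folders claim
to inherit permissions yet differ from their parent. Paths, principals,
rights, memberships and events are invented for this example.
"""
GLOBAL_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}

# Group membership as it would come from Active Directory (constructed).
GROUPS = {
    "Domain Admins": {"adm_kim"},
    "Legal": {"lwong", "pdiaz"},
}

# folder -> {"inherits": bool, "aces": {(principal, rights), ...}}
FOLDERS = {
    "\\\\fs01\\Legal": {"inherits": False,
                        "aces": {("Everyone", "Modify"), ("Domain Admins", "Full")}},
    "\\\\fs01\\Legal\\Contracts": {"inherits": True,
                                   "aces": {("Everyone", "Modify"), ("Domain Admins", "Full")}},
    # claims inheritance but carries an extra explicit ACE: inconsistent
    "\\\\fs01\\Legal\\Litigation": {"inherits": True,
                                    "aces": {("Everyone", "Modify"), ("Domain Admins", "Full"),
                                             ("jsmith", "Modify")}},
}

# (user, folder) access events from the last 90 days (constructed).
ACCESS_EVENTS = [
    ("lwong", "\\\\fs01\\Legal\\Contracts"),
    ("pdiaz", "\\\\fs01\\Legal"),
    ("jsmith", "\\\\fs01\\Legal\\Litigation"),
    ("svc_docmgmt", "\\\\fs01\\Legal\\Contracts"),   # an application account, easy to forget
    ("adm_kim", "\\\\fs01\\Legal"),
    ("rpatel", "\\\\fs01\\Sales"),
]


def has_access(user, aces, groups=GROUPS):
    """True if any ACE grants the user access: global group, direct entry, or membership."""
    for principal, _rights in aces:
        if principal in GLOBAL_GROUPS or principal == user or user in groups.get(principal, ()):
            return True
    return False


def simulate_global_removal(folder, folders=FOLDERS, events=ACCESS_EVENTS, groups=GROUPS):
    """Return (active_users, would_lose_access) if global groups left the folder's ACL.

    Activity on the folder or anything beneath it counts, because removing the
    group at the top also removes the traversal right the children depend on.
    """
    active = {user for user, path in events
              if path == folder or path.startswith(folder + "\\")}
    remaining = {ace for ace in folders[folder]["aces"] if ace[0] not in GLOBAL_GROUPS}
    impacted = {user for user in active if not has_access(user, remaining, groups)}
    return active, impacted


def proposed_group(folder, **kwargs):
    """Members for the single-purpose group that replaces Everyone on the folder."""
    _active, impacted = simulate_global_removal(folder, **kwargs)
    return sorted(impacted)


def inconsistent_acls(folders=FOLDERS):
    """Folders flagged as inheriting whose ACEs differ from their parent's."""
    bad = []
    for path, info in sorted(folders.items()):
        parent = path.rsplit("\\", 1)[0]
        if info["inherits"] and parent in folders and info["aces"] != folders[parent]["aces"]:
            bad.append(path)
    return bad


if __name__ == "__main__":
    active, impacted = simulate_global_removal("\\\\fs01\\Legal")
    print("touched Legal:", sorted(active))
    print("would lose access:", sorted(impacted))
    print("proposed Legal-access group:", proposed_group("\\\\fs01\\Legal"))
    print("inconsistent ACLs:", inconsistent_acls())
```

The simulation is what turns the "wait for the complaints" step of the manual procedure into a list you can review in advance: it catches the application account svc_docmgmt as well as the two lawyers, and leaves adm_kim alone because Domain Admins stays on the ACL.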

Ready to take stock of your current situation? Get a free Risk Assessment and we’ll show you where those global access groups are and how much data is vulnerable.

Want to skip the line and see the Automation Engine in action? Click here for a demo.

8 Tips to Surviving the Data Security Apocalypse

These days, working in data security can feel like surviving a zombie apocalypse: mindless hordes of bots and keyloggers endlessly trying to find something to consume. But just like in "The Walking Dead," the zombies are the secondary threat; the real danger is other humans. The bots and keyloggers are comparatively easy to defeat; it's the human hackers that are the real threat.

How prepared are you to deal with the real threats out there?

Get Global Access Groups Under Control

Are you still using global access groups? That's the dystopian equivalent of leaving your walls unmanned! Giving the default "Everyone" group access to anything is a hacker's dream scenario. They get a free pass to move from share to share, looking for anything and everything, and you'll never know they were there.

Removing all permissions from the default global access groups is an easy way to improve data security. Varonis DatAdvantage highlights folders with Global Access Groups so that you can see who’s got access to what at-a-glance – and then you can use the Automation Engine to quickly remove those global permissions from your shares.  All you need to do is set the Automation Engine to remove Global Access Groups and it will move users out of those generic groups and into a new group that you can then modify.  The important thing is to stop using Global Access Groups, and keep your walls manned at all times!

Identify (and Lock Down) Your Sensitive Data

Effective survivors hide their resources and food stores from the prying eyes of outsiders. The most organized groups stash backup caches and keep records of their stores. Do you do the same with your PII and intellectual property data?  Can you, right now, tell me where every social security number or credit card string is stored on your file shares? If you can’t, then who knows what kind of treasures potential thieves will find as they poke around?

Knowing where your sensitive data is stored is vital to surviving the data security apocalypse – our Data Classification Framework quickly and easily identifies PII and intellectual property data in your unstructured files, so you know where your sensitive data is – and where you can lock it down.

Track Your Dangerous Data

Imagine that the guard on the North wall got eaten – and now the map with the weapons caches for the entire region is MIA.  Can another group of survivors find that map and steal your stuff? You might be leaving the same breadcrumbs on your network by leaving behind old files that have valuable information a hacker could use for profit.  

Identifying and deleting or archiving this data is just as important as moving that cache of weapons to the safety of your base camp. DatAdvantage can report on stale data and give you visibility into what might be leaving you vulnerable to hackers. Managing stale data is an excellent strategy to limit exposure, and keeps you one step ahead.

Practice Good Password and Account Policy

Say you use a certain whistle to communicate with your group – and you’ve used that same whistle for the past 8 months. What are the chances that a rival group will ambush you by using that whistle?

It's the same if you have passwords that never change, or accounts that are no longer active and should have been removed or deactivated. Hackers can use those accounts to try to access resources over and over again without setting off any alarms.

It's always best to change the "whistle," or password, on a consistent basis, and to have a policy in place to revoke access privileges when people leave the group. Perhaps something less drastic than chopping their head off before they go full zombie. (One caveat: current NIST guidance in SP 800-63B favors changing passwords on evidence of compromise rather than on a fixed schedule, but stale and orphaned accounts should always go.) With DatAdvantage, you can report on these kinds of accounts in your Active Directory so that you can take action and remove this threat without using an axe.

Fix Inconsistent Permissions

Once you have redundancies and processes to keep everything running smoothly, what happens when that one guy in your survivor group just can’t follow simple instructions?  What if they’re an important part of the plan, but can never quite complete their part?  You might say that part of the plan is broken, like when you have a share that is set to inherit permissions from the parent – but for some reason isn’t. In data security terms, you have inconsistent permissions, which can cause confusion as to exactly how the permissions on these folders are set.  

Fixing all of these broken links in the fence will help keep the outsiders from getting into your data stores. You can automate the process of repairing inconsistent permissions with the Automation Engine – so that you’re maintaining a least privilege model and only the right people can access that data. Or get through that fence.
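The broken-inheritance situation described above can be checked for on any share. The following is an added example, not Varonis code: it walks the folders under a share and reports each one where inheritance is blocked, or where the entries the folder actually inherited no longer match what its parent says should be inherited. The share path is an assumed placeholder.

```powershell
# Added example, not Varonis code: report folders on a share whose NTFS
# permissions are inconsistent with their parent, either because inheritance
# is blocked or because the inherited entries no longer mirror the parent's
# inheritable entries. $SharePath is an assumed placeholder.
$SharePath = '\\fileserver\departments'

function Get-AceKeys {
    # Canonical (identity|rights|type) strings for a set of access rules, so two
    # ACLs can be compared with Compare-Object regardless of ordering.
    param($Rules)
    @($Rules | ForEach-Object { '{0}|{1}|{2}' -f $_.IdentityReference, $_.FileSystemRights, $_.AccessControlType } |
        Sort-Object -Unique)
}

$ContainerInherit  = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$ObjectInherit     = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$NoPropagate       = [System.Security.AccessControl.PropagationFlags]::NoPropagateInherit

$findings = foreach ($dir in Get-ChildItem -Path $SharePath -Directory -Recurse -ErrorAction SilentlyContinue) {
    $acl       = Get-Acl -Path $dir.FullName -ErrorAction SilentlyContinue
    $parentAcl = Get-Acl -Path $dir.Parent.FullName -ErrorAction SilentlyContinue
    if (-not $acl -or -not $parentAcl) {
        [pscustomobject]@{ Path = $dir.FullName; Issue = 'ACL not readable with current credentials' }
        continue
    }

    if ($acl.AreAccessRulesProtected) {
        [pscustomobject]@{ Path = $dir.FullName; Issue = 'Inheritance disabled; explicit ACL' }
        continue
    }

    # What the child actually inherited vs. what the parent says a direct child
    # folder should inherit: ContainerInherit ACEs, plus ObjectInherit ACEs that
    # are passed down (as inherit-only) unless NoPropagateInherit is set.
    $childInherited    = Get-AceKeys ($acl.Access | Where-Object { $_.IsInherited })
    $parentInheritable = Get-AceKeys ($parentAcl.Access | Where-Object {
        $_.InheritanceFlags.HasFlag($ContainerInherit) -or
        ($_.InheritanceFlags.HasFlag($ObjectInherit) -and -not $_.PropagationFlags.HasFlag($NoPropagate))
    })

    if (Compare-Object -ReferenceObject $parentInheritable -DifferenceObject $childInherited) {
        [pscustomobject]@{ Path = $dir.FullName; Issue = 'Inherited ACEs do not match parent' }
    }
}

$findings | Format-Table -AutoSize
$findings | Export-Csv -Path '.\inconsistent-permissions.csv' -NoTypeInformation
```

Get-Acl is slow on large trees, so run this per share rather than across a whole server. Treat the output as a review list: folders with a deliberately explicit ACL are legitimate, and the repair (re-enabling inheritance or re-applying the parent's entries) should be confirmed with the data owner before it is applied.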

Identify Data Owners

If your survival group is going to be a self-sustaining society, you’ll need leaders to support your growth.  You wouldn’t want the horticulturist in charge of weapons, and you probably wouldn’t want the weapons master in charge of your vegetables.  The same holds true for your data and the data owners.

You need to be able to identify the owners of your data so that you know who’s responsible for managing permissions and access to those shares. When there’s one person in the Legal department who can grant access to the legal shares, you’re in a much better situation than if the IT department handles that for every department.  

The first step is to identify data owners – and DatAdvantage provides reports and statistics to help you do just that. You can automate the process with DataPrivilege, and enable those data owners to approve and revoke permissions from their shares and audit permissions on their shares on a regular basis. Now that the data owners are in charge of who gets access to their data, things are starting to make a lot more sense – not to mention run much more smoothly.

Monitor File Activity and User Behavior

As your society of survivors grows into a full-fledged community, you want to make sure that everyone is contributing and using the community's resources correctly. So you put in some monitoring systems, assign chains of command and reporting structures, and even make some rules.

You need to do the same thing by monitoring your file and email servers. DatAdvantage gives you visibility into the file and email servers – even user behavior – which is paramount to data security: outsiders can sometimes get in, and once they get in they might look like they belong. But when they start stealing extra bread or copying gigs of data to an external drive, we need to know.

Set Up Alerts and Defend Your Data

Alerts can warn you about a herd tripping a bell on the perimeter or that Jeff from marketing has started encrypting the file server with ransomware.  The faster and more that you know about potential threats, the better you can respond.  Conversely, the longer the outsiders have to do bad things, the worse it will be for us every time.

You can set those tripwires to automatically respond to specific types of threats with DatAlert, so that your security team can lessen the impact and get straight to the investigation phase. DatAlert establishes behavioral baselines for every user – so that you know when somebody’s acting out of the ordinary, or if their account has been hijacked. With DatAlert, you can monitor your sensitive data for unusual activity and flag suspicious user behavior so that you know when you’re under attack. 

Want to check your own preparedness level for the data security apocalypse? Get a risk assessment to see how you measure up. We’ll check your environment for all of these potential threats and provide a plan of action to get you up to true survivor status.

Maximize your ROI: Maintaining a Least Privilege Model


TL;DR: Managing permissions can be expensive. For a 1,000 employee company, the overhead of permissions request tickets can cost up to $180K/year. Automating access control with DataPrivilege can save $105K/year or more and reduce risk. Read on to see the math.

One of the most important requirements of implementing a data security plan in today’s breach-a-day era is to implement and maintain a least privilege model across your enterprise.

The principle of least privilege says that users should only have access to the resources they need to do their work. What does this mean? The marketing team, for example, probably shouldn’t be able to access corporate finance and HR data. You’d be shocked how often they can.

A least privilege model can drastically limit the damage insiders can do but, perhaps more importantly, it prevents hackers from moving laterally across the organization with a single compromised account.

Without least privilege, hackers can likely move from one share to another, grabbing as much private data as they can. On the other hand, if (and when) that least privilege model is implemented, the hacker will be limited to the same resources that the compromised account is able to access.

The downside? Achieving least privilege permissions is no minor feat. You need to analyze access control lists, correlate them to users and groups in Active Directory, and remediate issues like global access, which should be a major red flag. Hackers actively seek out common issues like overly permissive service accounts, broken permissions inheritance, and weak admin passwords.

Once you grab the low-hanging fruit by closing common loopholes, you’ll need to involve business owners to figure out whether current entitlements are legitimately needed and, if not, revoke them.

We’ve helped thousands of companies get to least privilege and, on average, it takes 6 human hours or more per folder to implement a least privilege model manually.

How Much Does it Cost to Manually Maintain a Least Privilege Model?

Implementing a least privilege model is a major investment in money, resources, upkeep, and human capital. Once you’re there, the IT Service Desk traditionally takes on the burden of maintaining that least privilege model.

Based on 2016 industry data, the average service desk call costs the company $15.56. Seems like a reasonable price for a quick service call. Say the end user calls requesting access to a share. IT has to contact the end-user’s manager – or someone else in the approval chain – and then either approve or deny the request. Based on surveys of our customer base, this process, on average, takes about 20 minutes over the course of a day for the help desk to complete.

Now, how many times do you think they get this call in a month? 50? 100? 1,000? Some of our customers process up to 7,000 permission changes a month – all in the name of data security, and to maintain a least privilege model.

Here’s a quick chart of that scenario: (service desk calls per month) × (cost per call), for a month and for the entire year.

| Number of cases per month | Cost per case | Cost per month | Cost per year |
|---:|---:|---:|---:|
| 100 | $15 | $1,500 | $18,000 |
| 500 | $15 | $7,500 | $90,000 |
| 1,000 | $15 | $15,000 | $180,000 |
| 2,500 | $15 | $37,500 | $450,000 |
| 5,000 | $15 | $75,000 | $900,000 |
| 7,000 | $15 | $105,000 | $1,260,000 |

You read that right. Without a way to streamline that access request process, it would cost our customer over one million dollars a year just to keep their permissions in a good place.

Fun desk exercise: if you know your service desk cost-per-case and how many AD changes you process each month, you can do this same calculation for yourself. Now ask yourself, what’s it worth to you?

Besides the monetary cost, there’s the human element to consider.

Based on the above chart, if you’re in the 1,000 AD changes per month range, you’re at a baseline cost of $180,000 per year in service desk calls which, at 20 minutes per call, ends up taking 333 human hours each month just to manage those requests. That’s 2 full-time hires working more than 40 hours each month, dedicated to fielding permissions requests. Even if you had a team working non-stop around the clock and on weekends, that would be nearly two weeks of dedicated man hours on permissions requests.

And that’s just the mid range.

In a larger enterprise, those 7,000 AD updates come out to roughly 2,310 work hours a month. That’s 14 people dedicated full time, every month, to maintaining least privilege permissions!

A Better Way to Manage Permissions

DataPrivilege takes the burden off of the Service Desk and gives the data owners – the ones that actually *know* who should be accessing that information – the ability to grant and remove access from their own shares.

This makes removing and granting access as simple as responding to an email, and each data owner will only be doing this for their own shares – not the entire domain.

We can all probably agree that putting the IT Service Desk in charge of access to the Corporate Finance folder is a bad idea. However, putting the Controller or the Lead Corporate Accountant in charge of access to that folder is a great idea – and you should pat yourself on the back for coming up with it!

DataPrivilege will also automate your entitlement reviews and create reports for auditing and compliance. We provide APIs to integrate with your IAM or ITSM systems. And of course DataPrivilege will integrate with any other Varonis software you own.

But Wait, How Much is That Going to Cost Me?

Let’s consider an average-sized shop in the 1,000 user and 1,000 AD changes range. As we saw earlier, those 1,000 AD changes per month could cost $180,000 per year, and 333 man hours dedicated to permissions management. By using DataPrivilege to help manage permissions, you’ll not only free up resources, but that same shop will save $105,000 a year.

And of course your Service Desk resources are more effective and flexible without the load of permissions changes. Your data owners are in charge of their data – and your auditors have nothing to worry about in regards to access to sensitive data. In one year DataPrivilege pays for itself – and you’ve reduced the ongoing load of permissions management into the future, making your company more secure in the process.

Let’s again look at our 10,000 user enterprise that processes 7,000 AD updates per month. That would cost the organization $1.26 million per year in Service Desk cost and 2,310 human hours per month. By using DataPrivilege in that first year, you’re saving $960,000 – and significantly cutting down the dedicated human hours required to manage those permissions! That’s just year one.

In year two and beyond, you save over $1,000,000.

What could your Service Desk accomplish without 7,000 AD changes per month on their plate? Could they increase productivity for the rest of the company by responding faster to more urgent cases? Could you reallocate headcount and move resources to other departments?

Are You Pulling My Leg?

Those numbers are legit. But keep in mind, they’re specific to maintaining a least privilege model. To get there, you have to (and really should) implement least permissive permissions.

And of course you have to balance all of this outlay against the cost of doing nothing and the risks associated with doing nothing. How much do you think the breach at Equifax is going to end up costing them?

The Wall Street Journal says “billions”.

Not to mention you don’t want to have to testify in front of Congress and explain how you messed up. The Cybersecurity and Infrastructure Protection Subcommittee doesn’t have time for that.

OK, What Next?

There are a few ways to get started with DataPrivilege and Varonis. One of the easiest is to get a free Risk Assessment.

Our engineers will analyze your current data security situation – including global group access and overexposed data – and you’ll get a detailed report with recommendations on where your biggest vulnerabilities are and how to manage them. Or, skip all that and go straight for a demo of DataPrivilege. Your call.

Getting to and maintaining a least privilege model is one of the most important steps in protecting your sensitive data – it significantly reduces the risk of your sensitive data being overexposed, leaked, or stolen – and DataPrivilege will help you get there.