All posts by Jeff Petters

Automating Permissions Cleanup: An In-Depth ROI Analysis

Implementing a least privilege model can be time-consuming and expensive, but it is an important part of any data security strategy. The Varonis Automation Engine helps you automate the process and drastically reduces the time required to get there.

Previously, we discussed automating data access requests to achieve incredible ROI by cutting down on help desk tickets. We also briefly mentioned the enormous amount of work involved in finding and fixing global access–a task which can drastically reduce the risk of data leaks and security breaches.

But what goes on behind the curtain? And how much work and expertise is required to remediate overly permissive folders to get to a least privilege model? Let’s take a look.

The Global Access Epidemic

Overexposed data is a common security vulnerability that we see. In fact, our 2017 Data Risk Report revealed that 47% of companies have at least 1,000 sensitive files open to everyone in the company. This issue often stems from the default Global Access groups like Everyone or Authenticated Users.

Here is an example of a common issue we see: Everyone has Read and Write access to the Legal folder.

Every hacker in the universe knows how to hunt for globally exposed files on the command line. Once a hacker has control of any account in this company, they automatically have free rein over all the data in the Legal folder, and who knows what else.

Here’s what remediating this issue might look like in practice:

  • Create a role-based Legal group for the legal team (if it doesn’t already exist)
  • Work with the business stakeholders to validate the group members
  • Add the Legal group to the ACL
  • Remove the Everyone group from the top-level ACL
  • Wait for the users that aren’t in the Legal group to call with complaints that they can’t access their data

On average, it takes about 6 hours to locate and manually remove the global access groups, create and apply new groups, and subsequently populate them with the right users that need access to the data.
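The same four steps as an added PowerShell example against an on-prem share (this is not Varonis code and is not from the original post). It assumes an existing role-based AD group (the placeholder name CONTOSO\Legal) and an account allowed to read and change the ACLs; `-WhatIf` gives you the dry run before anything is committed, and the audit function also reports folders whose ACL no longer inherits from the parent, the inconsistent ACL case discussed later in the post.

```powershell
# Added example: audit a share for global access groups and broken inheritance,
# then replace a global ACE with a role-based group. Not Varonis code.
# Assumes the role group already exists and you have rights to modify the ACLs.

# The default identities the post calls "global access groups".
$GlobalPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')

function Find-GlobalAccess {
    param([Parameter(Mandatory)] [string] $Root)

    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($folder in $folders) {
        $acl = Get-Acl -LiteralPath $folder.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -in $GlobalPrincipals) {
                [pscustomobject]@{
                    Path      = $folder.FullName
                    Finding   = 'GlobalAccess'
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # inherited ACEs must be fixed at the parent
                }
            }
        }
        # A "protected" ACL no longer inherits from its parent: the inconsistent
        # ACL case. Report it so it can be reviewed alongside the global access hits.
        if ($acl.AreAccessRulesProtected) {
            [pscustomobject]@{
                Path      = $folder.FullName
                Finding   = 'InheritanceBroken'
                Identity  = ''
                Rights    = ''
                Inherited = $false
            }
        }
    }
}

function Repair-GlobalAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $RoleGroup,      # e.g. 'CONTOSO\Legal' (placeholder)
        [string] $GlobalIdentity = 'Everyone'
    )
    $acl       = Get-Acl -LiteralPath $Path
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None

    # Step 1: add the role-based group with Modify (read + write, but no right to change permissions).
    $grant = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                        -ArgumentList $RoleGroup, 'Modify', $inherit, $propagate, 'Allow'
    $acl.AddAccessRule($grant)

    # Step 2: remove every explicit ACE for the global group on this folder.
    # Collect first, because removing rules while enumerating $acl.Access is unsafe.
    $toRemove = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $GlobalIdentity
    })
    foreach ($ace in $toRemove) { [void]$acl.RemoveAccessRule($ace) }

    # With -WhatIf this is a dry run: nothing is written until you are happy with the result.
    if ($PSCmdlet.ShouldProcess($Path, "Replace '$GlobalIdentity' with '$RoleGroup'")) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}

# Example run (share path and group name are placeholders for this example):
# Find-GlobalAccess -Root '\\fileserver\share\Legal' | Format-Table -AutoSize
# Repair-GlobalAccess -Path '\\fileserver\share\Legal' -RoleGroup 'CONTOSO\Legal' -WhatIf
```

Run the audit first and validate the group membership with the business owners before dropping `-WhatIf`; the complaint calls in the last step above are what you are trying to avoid.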

The Cost of Manually Fixing Permissions

How many teams do you have? How many folders do you have on your main storage?

Whatever that number is, multiply it by 6 and you’ll have a rough estimate of how long it’s going to take to rid your environment of global access.

For 1,000 folders, that’s 6,000 human hours of work. That’s 250 days–50 work weeks. It’s a lot of work. And that’s why permissions management is still a huge job. So let’s do a quick little cost analysis of this situation.

To get started, it’s likely going to require several people of varying levels of seniority to manage and implement the move to a least privilege model. Typically, this requires a 3-person team: a senior leader who makes $100/hour (unloaded), a sysadmin who makes $50/hour, and a junior team member who makes $25/hour.

Math (the 6,000 hours split evenly, 2,000 per person): (2000 * 100) + (2000 * 50) + (2000 * 25) = $350,000

So for our 3-person team, the total spend to get 1,000 folders to least privilege is a $350,000 investment over 250 total work days. And that only covers 1,000 folders.

How many folders do you have on your main storage?

The amount of data an average-sized organization generates today is staggering even on a slow day, and it far exceeds that 1,000-folder baseline.

Not only is permissions cleanup time-consuming, but there’s risk involved with making such a broad change. What if you accidentally crash a mission-critical application that needs write access to a folder you’ve just remediated?

So how can we remediate global access quickly and safely?

A 3,600% Efficiency Gain with DatAdvantage

When everyone can access data, it’s very difficult to know who among the large set of potential users actually needs that access. But if we know exactly who’s touching the data, we can be surgical about reducing access without causing any headaches.

DatAdvantage continually monitors and analyzes data access and correlates that activity to access control lists to highlight which users would be impacted if you removed global access. You can run a simulation in a sandbox and commit the changes when you’re happy with the projected outcome.

That means you can safely remediate access to all of the high-risk data without risking productivity. You can actually fix the problem without getting in anyone’s way.

DatAdvantage reduces the time it takes to remediate those global access group permissions to less than 10 minutes per folder.

That’s a 3,600% efficiency gain!

On top of that, you can reduce the resources required to maintain and manage these permissions, bringing that 3-person team down to 1.

Our new calculation then goes like this:

((10 minutes * 1000 folders) / 60 min) * $25 + Software cost = $4,166 in 166 hours!

The job went from a major capital investment to a quick month-long project with a small up-front software cost.

Staggering ROI with Automation Engine

Countless Varonis customers have had success remediating global access and other hard-to-fix permissions issues with DatAdvantage alone, but many of them started asking, “Can you fix these issues automatically?”

Enter the Varonis Automation Engine. If you can tackle hundreds of folders per day with a small team leveraging DatAdvantage, you can remediate thousands of folders per day with the Automation Engine.

Once configured, the Automation Engine will safely remove global access groups by replacing them with single purpose groups, putting the right users in every time. With flexible configuration options, you can fix tactical issues on a folder-by-folder basis or perform complete global remediation.

Automation is the Future

Global access groups with permissions to your sensitive data are like leaving the vault door open with a giant neon sign that says “FREE!” hanging on the outside of your building. Getting to a least privilege model ultimately saves time and resources, closes that vault door, and locks it down.

And once you’re there, you still need to keep an eye on inconsistent ACLs: folders whose permissions are supposed to inherit from the parent but differ from it. Even a single folder with an inconsistent ACL that contains sensitive data can be a major security issue. Compounding this problem is that remediating inconsistent ACLs is another time-consuming and tedious process without automation.

The Automation Engine not only takes the guesswork out of it for you, but frees up your team to focus on bigger and better things. You’ll be able to automatically fix inconsistent ACLs on folders, a hierarchy, or even an entire server – and eliminate inconsistent file permissions.

Ready to take stock of your current situation? Get a free Risk Assessment and we’ll show you where those global access groups are and how much data is vulnerable.

Want to skip the line and see the Automation Engine in action? Click here for a demo.

8 Tips to Surviving the Data Security Apocalypse

These days, working in data security can feel like surviving a zombie apocalypse – mindless hordes of bots and keyloggers are endlessly attempting to find something to consume. Just like in “The Walking Dead,” these zombies are an ancillary threat to other humans. The bots and keyloggers are pretty easy to defeat: it’s the human hackers that are the real threat.

How prepared are you to deal with the real threats out there?

Get Global Access Groups Under Control

Are you still using global access groups? That’s the dystopian equivalent of leaving your walls unmanned! Giving the default “everyone” group access to anything is a hacker’s dream scenario. They get a free pass to move from share to share, looking for anything and everything, and you’ll never know they were there.

Removing all permissions from the default global access groups is an easy way to improve data security. Varonis DatAdvantage highlights folders with Global Access Groups so that you can see who’s got access to what at a glance – and then you can use the Automation Engine to quickly remove those global permissions from your shares. All you need to do is set the Automation Engine to remove Global Access Groups and it will move users out of those generic groups and into a new group that you can then modify. The important thing is to stop using Global Access Groups, and keep your walls manned at all times!

Identify (and Lock Down) Your Sensitive Data

Effective survivors hide their resources and food stores from the prying eyes of outsiders. The most organized groups stash backup caches and keep records of their stores. Do you do the same with your PII and intellectual property data? Can you, right now, tell me where every social security number or credit card string is stored on your file shares? If you can’t, then who knows what kind of treasures potential thieves will find as they poke around?

Knowing where your sensitive data is stored is vital to surviving the data security apocalypse – our Data Classification Framework quickly and easily identifies PII and intellectual property data in your unstructured files, so you know where your sensitive data is – and where you can lock it down.

Track Your Dangerous Data

Imagine that the guard on the North wall got eaten – and now the map with the weapons caches for the entire region is MIA. Can another group of survivors find that map and steal your stuff? You might be leaving the same breadcrumbs on your network by leaving behind old files that have valuable information a hacker could use for profit.

Identifying and deleting or archiving this data is just as important as moving that cache of weapons to the safety of your base camp. DatAdvantage can report on stale data and give you visibility into what might be leaving you vulnerable to hackers. Managing stale data is an excellent strategy to limit exposure, and keeps you one step ahead.

Practice Good Password and Account Policy

Say you use a certain whistle to communicate with your group – and you’ve used that same whistle for the past 8 months. What are the chances that a rival group will ambush you by using that whistle?

It’s the same if you have passwords that never change, or accounts that are no longer active, which should have been removed or deactivated. Hackers can use those accounts to try to access resources over and over again without setting off any alarms.

It’s always best to change the “whistle,” or password, on a consistent basis – and have a policy in place to revoke access privileges when people leave the group. Perhaps something less drastic than chopping their head off before they go full zombie. With DatAdvantage, you can report on these kinds of accounts in your Active Directory so that you can take action and remove this threat without using an axe.

Fix Inconsistent Permissions

Once you have redundancies and processes to keep everything running smoothly, what happens when that one guy in your survivor group just can’t follow simple instructions? What if they’re an important part of the plan, but can never quite complete their part? You might say that part of the plan is broken, like when you have a share that is set to inherit permissions from the parent – but for some reason isn’t. In data security terms, you have inconsistent permissions, which can cause confusion as to exactly how the permissions on these folders are set.

Fixing all of these broken links in the fence will help keep the outsiders from getting into your data stores. You can automate the process of repairing inconsistent permissions with the Automation Engine – so that you’re maintaining a least privilege model and only the right people can access that data. Or get through that fence.

Identify Data Owners

If your survival group is going to be a self-sustaining society, you’ll need leaders to support your growth. You wouldn’t want the horticulturist in charge of weapons, and you probably wouldn’t want the weapons master in charge of your vegetables. The same holds true for your data and the data owners.

You need to be able to identify the owners of your data so that you know who’s responsible for managing permissions and access to those shares. When there’s one person in the Legal department who can grant access to the legal shares, you’re in a much better situation than if the IT department handles that for every department.

The first step is to identify data owners – and DatAdvantage provides reports and statistics to help you do just that. You can automate the process with DataPrivilege, and enable those data owners to approve and revoke permissions from their shares and audit permissions on their shares on a regular basis. Now that the data owners are in charge of who gets access to their data, things are starting to make a lot more sense – not to mention run much more smoothly.

Monitor File Activity and User Behavior

As your society of survivors grows into a full-fledged community, you want to make sure that everyone is contributing and utilizing the resources of the community correctly. So you put in some monitoring systems, assign chains of command and reporting structures, and even make some rules.

And so, you need to do the same thing by monitoring your file and email servers. DatAdvantage gives you visibility on the file and email servers – even user behavior – which is paramount to data security: outsiders can sometimes get in, and once they get in they might look like they belong.  But when they start stealing extra bread or copying gigs of data to an external drive, we need to know.

Set Up Alerts and Defend Your Data

Alerts can warn you about a herd tripping a bell on the perimeter or that Jeff from marketing has started encrypting the file server with ransomware. The faster and more that you know about potential threats, the better you can respond. Conversely, the longer the outsiders have to do bad things, the worse it will be for us every time.

You can set those tripwires to automatically respond to specific types of threats with DatAlert, so that your security team can lessen the impact and get straight to the investigation phase. DatAlert establishes behavioral baselines for every user – so that you know when somebody’s acting out of the ordinary, or if their account has been hijacked. With DatAlert, you can monitor your sensitive data for unusual activity and flag suspicious user behavior so that you know when you’re under attack.

Want to check your own preparedness level for the data security apocalypse? Get a risk assessment to see how you measure up. We’ll check your environment for all of these potential threats and provide a plan of action to get you up to true survivor status.

Maximize your ROI: Maintaining a Least Privilege Model

TL;DR: Managing permissions can be expensive. For a 1,000 employee company, the overhead of permissions request tickets can cost up to $180K/year. Automating access control with DataPrivilege can save $105K/year or more and reduce risk. Read on to see the math.

One of the most important requirements of implementing a data security plan in today’s breach-a-day era is to implement and maintain a least privilege model across your enterprise.

The principle of least privilege says that users should only have access to the resources they need to do their work. What does this mean? The marketing team, for example, probably shouldn’t be able to access corporate finance and HR data. You’d be shocked how often they can.

A least privilege model can drastically limit the damage insiders can do but, perhaps more importantly, it prevents hackers from moving laterally across the organization with a single compromised account.

Without least privilege, hackers can likely move from one share to another, grabbing as much private data as they can. On the other hand, if (and when) that least privilege model is implemented, the hacker will be limited to the same resources that the compromised account is able to access.

The downside? Achieving least privilege permissions is no minor feat. You need to analyze access control lists, correlate them to users and groups in Active Directory, and remediate issues like global access, which should be a major red flag. Hackers actively seek out common issues like overly permissive service accounts, broken permissions inheritance, and weak admin passwords.

Once you grab the low-hanging fruit by closing common loopholes, you’ll need to involve business owners to figure out whether current entitlements are legitimately needed and, if not, revoke them.

We’ve helped thousands of companies get to least privilege and, on average, it takes 6 human hours or more per folder to implement a least privilege model manually.

How Much Does it Cost to Manually Maintain a Least Privilege Model?

Implementing a least privilege model is a major investment in money, resources, upkeep, and human capital. Once you’re there, the IT Service Desk traditionally takes on the burden of maintaining that least privilege model.

Based on 2016 industry data, the average service desk call costs the company $15.56. Seems like a reasonable price for a quick service call. Say the end user calls requesting access to a share. IT has to contact the end user’s manager – or someone else in the approval chain – and then either approve or deny the request. Based on surveys of our customer base, this process, on average, takes about 20 minutes over the course of a day for the help desk to complete.

Now, how many times do you think they get this call in a month? 50? 100? 1,000? Some of our customers process up to 7,000 permission changes a month – all in the name of data security, and to maintain a least privilege model.

Here’s a quick chart of that scenario: the number of (service desk calls/month) * (cost per call), for the entire year.

Cases per month   Cost per case   Cost per month   Cost per year
100               $15             $1,500           $18,000
500               $15             $7,500           $90,000
1,000             $15             $15,000          $180,000
2,500             $15             $37,500          $450,000
5,000             $15             $75,000          $900,000
7,000             $15             $105,000         $1,260,000

You read that right. Without a way to streamline that access request process, it would cost our customer over one million dollars a year just to keep their permissions in a good place.

Fun desk exercise: if you know your service desk cost-per-case and how many AD changes you process each month, you can do this same calculation for yourself. Now ask yourself, what’s it worth to you?

Besides the monetary cost, there’s the human element to consider.

Based on the above chart, if you’re in the 1,000 AD changes per month range, you’re at a baseline cost of $180,000 per year in service desk calls which, at 20 minutes per call, ends up taking 333 human hours each month just to manage those requests. That’s 2 full-time hires working more than 40 hours each month, dedicated to fielding permissions requests. Even if you had a team working non-stop around the clock and on weekends, that would be nearly two weeks of dedicated man hours on permissions requests.

And that’s just the mid range.

In a larger enterprise, those 7,000 AD updates roughly come out to 2,310 work hours a month. That’s 14 people dedicated full time to maintaining least privilege permissions every month!

A Better Way to Manage Permissions

DataPrivilege takes the burden off of the Service Desk and gives the data owners – the ones that actually *know* who should be accessing that information – the ability to grant and remove access from their own shares.

This makes removing and granting access as simple as responding to an email, and each data owner will only be doing this for their own shares – not the entire domain.

We can all probably agree that putting the IT Service Desk in charge of access to the Corporate Finance folder is a bad idea. However, putting the Controller or the Lead Corporate Accountant in charge of access to that folder is a great idea – and you should pat yourself on the back for coming up with it!

DataPrivilege will also automate your entitlement reviews and create reports for auditing and compliance. We provide APIs to integrate with your IAM or ITSM systems. And of course DataPrivilege will integrate with any other Varonis software you own.

But Wait, How Much is That Going to Cost Me?

Let’s consider an average-sized shop in the 1,000 user and 1,000 AD changes range. As we saw earlier, those 1,000 AD changes per month could cost $180,000 per year, and 333 man hours dedicated to permissions management. By using DataPrivilege to help manage permissions, you’ll not only free up resources, but that same shop will save $105,000 a year.

And of course your Service Desk resources are more effective and flexible without the load of permissions changes. Your data owners are in charge of their data – and your auditors have nothing to worry about in regards to access to sensitive data. In one year DataPrivilege pays for itself – and you’ve reduced the ongoing load of permissions management into the future, making your company more secure in the process.

Let’s again look at our 10,000 user enterprise that processes 7,000 AD updates per month. That would cost the organization $1.26 million per year in Service Desk cost and 2,310 human hours per month. By using DataPrivilege in that first year, you’re saving $960,000 – and significantly cut down the dedicated human hours required to manage those permissions! That’s just year one.

In year two and beyond, you save over $1,000,000.

What could your Service Desk accomplish without 7,000 AD changes per month on their plate? Could they increase productivity for the rest of the company by responding faster to more urgent cases? Could you reallocate headcount and move resources to other departments?

Are You Pulling My Leg?

Those numbers are legit. But keep in mind, they’re specific to maintaining a least privilege model. To get there, you have to (and really should) implement least permissive permissions.

And of course you have to balance all of this outlay against the cost of doing nothing and the risks associated with doing nothing. How much do you think the breach at Equifax is going to end up costing them?

The Wall Street Journal says “billions”.

Not to mention you don’t want to have to testify in front of Congress and explain how you messed up. The Cybersecurity and Infrastructure Protection Subcommittee doesn’t have time for that.

OK, What Next?

There are a few ways to get started with DataPrivilege and Varonis. One of the easiest is to get a free Risk Assessment.

Our engineers will analyze your current data security situation – including global group access and overexposed data – and you’ll get a detailed report with recommendations on where your biggest vulnerabilities are and how to manage them. Or, skip all that and go straight for a demo of DataPrivilege. Your call.

Getting to and maintaining a least privilege model is one of the most important steps in protecting your sensitive data – it significantly reduces the risk of your sensitive data being overexposed, leaked, or stolen – and DataPrivilege will help you get there.

The Security Threats are Coming From Inside the House!

Think of any of the big data breaches: Equifax, Target, NSA, Wikileaks, Yahoo, Sony. They all have one thing in common: the data breaches were an inside job.

That’s not to say that all the hackers were employees or contractors, but once the hackers get inside the perimeter security, is there any difference? Their activities all look the same to an outside observer.

We write about this phenomenon so often. Once a hacker gets access inside the network, they often have everything they need to find (and attempt to exfiltrate) the good stuff that will make the headlines – the personal data, emails, business documents, credit card numbers, etc.

So the question becomes – can your data security team realize that they’re inside, before it’s too late?

It’s imperative that in addition to your firewall, routers and network monitoring software, you monitor what’s inside as well: the user behavior, file activity, folder access and AD changes.

The Perimeter Has Been Breached

Here’s a scenario: a hacker has gained access to a user account and is attempting to download intellectual property data that is stored in OneDrive. The first few attempts to access the data fail, but they’re persistent, so they poke around until they find an account that has the access they need to read the files.

Even with monitoring at the file operation level, this kind of activity is hard to discern from the end user clicking on that folder and trying to get access.

And that’s where we come in. Varonis analyzes all of these attempts to access this OneDrive share in context, with user behavior analytics (UBA). From there, you can leverage Varonis threat models to compare that activity to the known behavior of the user who’s trying to access that data, of their peers, and of hackers exploiting and infiltrating company networks.

In this scenario, this account is suddenly accessing classified, sensitive data that they have never touched before. That’s a red flag – and we’ve got threat models built specifically to detect that type of behavior.

This is outside of normal behavior patterns for the account that the hacker is leveraging – and because Varonis has been monitoring all the activity in OneDrive for over a year now, you have all the evidence you need to act immediately.

Without Varonis, you’d likely never even see the attempts to access this OneDrive folder. You would never notice the files being copied from this folder, and you wouldn’t see which folder they accessed next.
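To make the detection idea in this scenario concrete, here is an added PowerShell example (not Varonis code, and the audit events are constructed for illustration, not real logs). It keeps one rule from the scenario: an account successfully reading a classified folder it never touched during its baseline window, scored higher when the read follows a burst of denied attempts.

```powershell
# Added example: a minimal "first-time access to sensitive data" detector over
# constructed file-audit events. Not Varonis code; real products use far richer
# baselines (peers, time of day, volume) than this single rule.

# Constructed sample events. Time is ISO 8601, Result is Success or Denied.
$AuditCsv = @'
Time,User,Operation,Path,Bytes,Result
2017-10-01T09:00:00,jdoe,Read,/OneDrive/Marketing/plan.docx,2048,Success
2017-10-02T10:15:00,jdoe,Read,/OneDrive/Marketing/budget.xlsx,4096,Success
2017-10-03T11:00:00,asmith,Read,/OneDrive/RnD/design.pdf,8192,Success
2017-11-14T02:05:00,jdoe,Read,/OneDrive/RnD/design.pdf,0,Denied
2017-11-14T02:05:30,jdoe,Read,/OneDrive/RnD/patent.docx,0,Denied
2017-11-14T02:06:00,jdoe,Read,/OneDrive/RnD/roadmap.pptx,0,Denied
2017-11-14T02:20:00,jdoe,Read,/OneDrive/RnD/design.pdf,900000000,Success
'@

# Folders that classification tagged as sensitive (constructed list).
$SensitiveFolders = @('/OneDrive/RnD', '/OneDrive/Legal')

function Get-TopFolder([string] $Path) {
    # '/OneDrive/RnD/design.pdf' -> '/OneDrive/RnD'
    $parts = $Path.TrimStart('/') -split '/'
    '/' + ($parts[0..([Math]::Min(1, $parts.Count - 1))] -join '/')
}

function Find-FirstTimeSensitiveAccess {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [datetime] $BaselineEnd = [datetime]'2017-11-01',
        [int] $DeniedThreshold = 3
    )
    # Baseline: which top-level folders each account successfully read before $BaselineEnd.
    $baseline = @{}
    foreach ($e in $Events | Where-Object { [datetime]$_.Time -lt $BaselineEnd -and $_.Result -eq 'Success' }) {
        if (-not $baseline.ContainsKey($e.User)) { $baseline[$e.User] = @{} }
        $baseline[$e.User][(Get-TopFolder $e.Path)] = $true
    }
    # Detection window: successful reads of sensitive folders the account never used before.
    foreach ($e in $Events | Where-Object { [datetime]$_.Time -ge $BaselineEnd -and $_.Result -eq 'Success' }) {
        $folder = Get-TopFolder $e.Path
        if ($folder -notin $SensitiveFolders) { continue }
        if ($baseline.ContainsKey($e.User) -and $baseline[$e.User].ContainsKey($folder)) { continue }

        # Denied attempts by the same account in the hour before the read:
        # the "poking around" the scenario describes.
        $t = [datetime]$e.Time
        $denied = @($Events | Where-Object {
            $_.User -eq $e.User -and $_.Result -eq 'Denied' -and
            [datetime]$_.Time -ge $t.AddHours(-1) -and [datetime]$_.Time -lt $t
        }).Count
        $severity = 'Medium'
        if ($denied -ge $DeniedThreshold) { $severity = 'High' }

        [pscustomobject]@{
            Time        = $e.Time
            User        = $e.User
            Folder      = $folder
            Bytes       = [int64]$e.Bytes
            PriorDenied = $denied
            Severity    = $severity
        }
    }
}

$events = $AuditCsv | ConvertFrom-Csv
Find-FirstTimeSensitiveAccess -Events $events | Format-Table -AutoSize
```

With the constructed events, only jdoe’s read of /OneDrive/RnD is reported, because asmith had that folder in their baseline; the bytes column is what you would feed a second, volume-based rule.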

Investigation & Forensics

The first step is to programmatically lock out and log out this account – which you can set up as an automatic response with Varonis. At the same time, emails and alerts can be sent to the infosec team and/or a SIEM system. Once the relevant parties are informed the investigative work can begin.

So where to start? Find out what happened, how it happened, what vulnerabilities were exploited, and what you can do to defend against it in the future. With the Varonis DatAdvantage UI, you can pull up the file audit history of the compromised user ID to see where else that account has been before the alert was triggered.

Use the full file audit trail to see what – if any – damage was done and lock down access to the entire system if necessary. And after the initial threat is neutralized, the work to close the security holes can begin.

The Varonis Security Platform is a key component of a layered security system. Layers create redundancy, and redundancy increases security. Hackers will find and exploit any opening they can; it is our responsibility to protect each other’s private data.

By learning and using the correct tools and principles for good data security, we can make it much harder for the bad guys to profit from their hacking, and limit the impact of data security breaches.

Want to see how Varonis will work in your environment to catch these types of insider threats? Click here to set a demo with one of our security engineers.


3 Tips to Monitor and Secure Exchange Online

Even if you don’t have your sights on the highest office in the country, keeping a tight leash on your emails is now more important than ever.

Email is commonly targeted by hackers as a method of entry into organizations. Whether your email is hosted by a third party or managed internally, it is imperative to monitor and secure those systems.

Microsoft Exchange Online – part of Microsoft’s Office 365 cloud offering – is just like Exchange on-prem, but you don’t have to deal with the servers. Microsoft provides some tools and reports to assist with securing and monitoring Exchange Online, such as encryption and archiving, but they don’t cover all the things that keep you up at night, like:

  • What happens when a hacker gains access as an owner to an account?
  • What happens if a hacker elevates permissions and makes themselves owner of the CEO’s email?
  • What happens when hackers have access to make changes to the O365 environment? Will you notice?

These questions are exactly what prompted us to develop our layered security approach – which Andy does a great job explaining the major principles of here. What happens when the bad people get in – and they have the ability to change and move around the system? At the end of the day, Exchange Online is another system that provides an attack vector for hackers.

Applying these same principles to Exchange Online, we can extrapolate the following to implement monitoring and security for your email in the cloud:

  1. Lock down access: Make sure only the correct people are owners of mailboxes, and limit the ability to make changes to permissions or O365 to a small group of administrators.
  2. Manage user access: Archive and delete inactive users immediately. Inactive users are an easy target for hackers as they are usually able to use those accounts without being noticed.
  3. Monitor behavior: Implement a User Behavior Analytics (UBA) system on top of your email monitoring. Being able to spot abnormal behavior early (e.g. an account being promoted to owner of the CEO’s email folder, or another forwarding thousands of emails to the same address) is the key to stopping a hacker in hours or days instead of weeks or months.
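A starting point for the three tips above, as an added PowerShell example using the ExchangeOnlineManagement module (not Varonis code and not from the original post). It assumes you have already run Connect-ExchangeOnline with an account permitted to read mailbox permissions, statistics and inbox rules, and reports non-owner Full Access grants, inactive mailboxes, mailbox-level forwarding and forwarding or redirect inbox rules.

```powershell
# Added example: one pass over every mailbox for the three points above.
# Not Varonis code. Assumes an existing Connect-ExchangeOnline session.

function Get-MailboxAccessFindings {
    param([int] $InactiveDays = 90)   # threshold for "inactive" is an assumption

    $mailboxes = Get-Mailbox -ResultSize Unlimited
    foreach ($mbx in $mailboxes) {
        $upn = $mbx.UserPrincipalName

        # 1. Lock down access: anyone other than the owner and system accounts with Full Access.
        Get-MailboxPermission -Identity $mbx.Identity |
            Where-Object {
                $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited -and
                $_.User -notlike 'NT AUTHORITY\*' -and "$($_.User)" -ne $upn
            } |
            ForEach-Object {
                [pscustomobject]@{ Mailbox = $upn; Finding = 'FullAccessDelegate'; Detail = "$($_.User)" }
            }

        # 2. Manage user access: mailboxes nobody has logged into for $InactiveDays days.
        $stats = Get-MailboxStatistics -Identity $mbx.Identity
        if ($stats.LastLogonTime -and $stats.LastLogonTime -lt (Get-Date).AddDays(-$InactiveDays)) {
            [pscustomobject]@{ Mailbox = $upn; Finding = 'InactiveMailbox'; Detail = $stats.LastLogonTime }
        }

        # 3. Monitor behavior: mailbox-level forwarding and inbox rules that forward or
        # redirect mail, the "forwarding thousands of emails" pattern described above.
        if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
            [pscustomobject]@{
                Mailbox = $upn; Finding = 'MailboxForwarding'
                Detail  = "$($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)".Trim()
            }
        }
        Get-InboxRule -Mailbox $mbx.Identity |
            Where-Object { $_.Enabled -and ($_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo) } |
            ForEach-Object {
                [pscustomobject]@{ Mailbox = $upn; Finding = 'ForwardingRule'; Detail = $_.Name }
            }
    }

    # Who can change permissions and tenant settings at all: keep this list short.
    Get-RoleGroupMember -Identity 'Organization Management' | ForEach-Object {
        [pscustomobject]@{ Mailbox = ''; Finding = 'OrgManagementMember'; Detail = $_.Name }
    }
}

Get-MailboxAccessFindings | Format-Table -AutoSize
```

Run it on a schedule and diff the output against the previous run; a new FullAccessDelegate or ForwardingRule row that nobody requested is the kind of change the UBA tip wants you to see early.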

Wondering if there’s a good solution to help monitor your Exchange Online? Well, we’ve got you covered there too.