During my conversations with our customers, it is always great to hear how they are leveraging Varonis to support their data governance initiatives. It is even better when we hear about scenarios that reach outside their original use-cases, like recovering from a virus. Today we are sharing a story from a customer who was recently the victim of a variant of CryptoLocker (ransomware that encrypts every file the infected user's account can write to), and was able to use Varonis DatAdvantage to minimize the recovery time.
One of the key features of Varonis DatAdvantage is a complete audit trail of access activity. DatAdvantage collects every access event (e.g. open, read, write, modify, delete) on monitored file and email servers without requiring native auditing, and presents them in a searchable and sortable interface. This matters for ransomware because the malware runs under the credentials of the logged-in user: every file it encrypts appears in the trail as a modify event from that account, so the account and the list of damaged files can be recovered from the audit data. In this particular case, the audit trail was the feature that helped our customer reduce the virus recovery time.
Here’s how our customer described the situation:
“My Windows server admin notified me that there were several users complaining that their files were corrupted, and asked me if I could look into it. Using the Varonis DatAdvantage audit trail, I could identify all the users that had accessed the corrupted files. While investigating several files, I was able to identify a common user between them. Within DatAdvantage I ran a query on that specific user and realized that there were over 400,000 access events that had been generated from that user’s account. It was at that point that we knew it was a virus.”
They then looked at the websites this user had visited and, using another tool, identified a second user account that had accessed the same website. The second user’s machine was infected with the same virus.
“Once we had identified the second user, we went back to DatAdvantage to identify the files they had accessed. There were over 200,000 access events generated from this user’s account.”
Once the virus was identified and removed from both machines, they had to recover the corrupted data from backups. Since DatAdvantage showed exactly which files these two accounts had modified (and therefore corrupted), they could pinpoint and restore just those files from a backup taken before the first malicious event, rather than having to restore the entire server from a snapshot.
The fact that they were able to quickly identify which files had been corrupted helped them reduce the impact of the virus on the environment and the downtime for the users. In addition, it allowed them to maximize their time and resources by only having to restore the data that was affected.
Next Day Checkup
DatAdvantage also provides daily reports on anomalous behavior. The next morning, our customer reviewed this report and confirmed that no other user accounts were generating excessive numbers of access events, i.e. no third infected machine was still encrypting files.
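The triage described above (find the account common to the corrupted files, flag accounts with an outsized event volume, then list the files those accounts destructively touched so only they need restoring) and the next-day check for further outliers can be reproduced over any per-event access log. The following is an added example written for this post, not Varonis code or DatAdvantage output; the log format (timestamp, user, operation, path), the sample records and the outlier threshold are all assumptions. It is generic, so it handles any number of suspect accounts and any set of reported files, not just the two-account case in the story.

```python
"""Ransomware triage over a file-access audit trail (constructed example).

1. Accounts common to every file users reported as corrupted.
2. Per-account event counts, with outliers flagged against the median.
3. Files destructively touched by suspect accounts, plus the earliest such
   event, so they can be restored from a backup taken before that time.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample records (not real DatAdvantage data):
# timestamp,user,operation,path
SAMPLE_LOG = r"""
2013-11-04T08:02:11,CORP\alice,open,\\fs01\finance\q3.xlsx
2013-11-04T08:02:12,CORP\alice,read,\\fs01\finance\q3.xlsx
2013-11-04T08:10:00,CORP\bob,open,\\fs01\finance\q3.xlsx
2013-11-04T08:10:01,CORP\bob,modify,\\fs01\finance\q3.xlsx
2013-11-04T08:10:02,CORP\bob,modify,\\fs01\finance\budget.docx
2013-11-04T08:10:03,CORP\bob,modify,\\fs01\hr\salaries.xlsx
2013-11-04T08:10:04,CORP\bob,modify,\\fs01\hr\handbook.pdf
2013-11-04T08:10:05,CORP\bob,modify,\\fs01\eng\spec.docx
2013-11-04T08:10:06,CORP\bob,modify,\\fs01\eng\notes.txt
2013-11-04T08:10:07,CORP\bob,delete,\\fs01\eng\old.txt
2013-11-04T08:15:00,CORP\carol,open,\\fs01\hr\handbook.pdf
2013-11-04T08:15:01,CORP\carol,read,\\fs01\hr\handbook.pdf
2013-11-04T09:00:00,CORP\dave,modify,\\fs01\eng\spec.docx
"""

# Operations that change file content; reads do not need a restore.
DESTRUCTIVE_OPS = {"write", "modify", "delete"}


def parse_events(text):
    """Parse 'timestamp,user,operation,path' lines into event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, op, path = line.split(",", 3)
        events.append({"time": datetime.fromisoformat(ts),
                       "user": user, "op": op, "path": path})
    return events


def common_users(events, corrupted_paths):
    """Accounts that touched every one of the reported corrupted files."""
    users_by_path = defaultdict(set)
    for e in events:
        users_by_path[e["path"]].add(e["user"])
    sets = [users_by_path.get(p, set()) for p in corrupted_paths]
    return set.intersection(*sets) if sets else set()


def events_per_user(events):
    """Total access events per account (the '400,000 events' query)."""
    return Counter(e["user"] for e in events)


def flag_anomalous_users(counts, ratio=3.0, floor=5):
    """Accounts whose event volume is far above the population median.

    The malware uses the victim's own credentials, so each event looks
    legitimate on its own; volume is what gives it away. 'ratio' and
    'floor' are assumed thresholds, tune them to the environment.
    """
    if not counts:
        return set()
    med = median(counts.values())
    return {u for u, n in counts.items() if n >= floor and n > ratio * med}


def files_to_restore(events, suspect_users):
    """Files destructively touched by suspects and the earliest such event.

    Restore these from a backup older than the returned timestamp.
    """
    paths, first = set(), None
    for e in events:
        if e["user"] in suspect_users and e["op"] in DESTRUCTIVE_OPS:
            paths.add(e["path"])
            if first is None or e["time"] < first:
                first = e["time"]
    return paths, first


def triage(text, corrupted_paths):
    """Run the full procedure; returns suspects, counts and the restore list."""
    events = parse_events(text)
    counts = events_per_user(events)
    suspects = common_users(events, corrupted_paths) | flag_anomalous_users(counts)
    paths, first = files_to_restore(events, suspects)
    return {"suspects": suspects, "counts": counts,
            "restore": paths, "restore_from_before": first}


if __name__ == "__main__":
    reported = [r"\\fs01\finance\q3.xlsx", r"\\fs01\hr\handbook.pdf"]
    result = triage(SAMPLE_LOG, reported)
    print("suspects:", sorted(result["suspects"]))
    print("restore", len(result["restore"]), "files from a backup before",
          result["restore_from_before"])
```

Running `flag_anomalous_users` alone on the next day's counts is the equivalent of the anomaly report check: an empty result means no further account is encrypting at scale. Note that the restore list deliberately includes files a suspect account modified before the outbreak was noticed but after its first destructive event; anything older than that timestamp was untouched and is left alone.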
To see how Varonis is helping other organizations visit our Customer Success Stories page.
Also, our brand new product, DatAlert, can help you identify potentially malicious activity in real-time. Visit our DatAlert product page to see more info.
Image credit (cc): http://www.flickr.com/photos/hj_barraza/415134620