All posts by Sarah Hospelhorn

Introducing a new security dashboard, enhanced behavioral analysis, and more

Every day we hear new stories about how our customers are using DatAlert to stop cyberattacks: detecting and disabling ransomware infections, discovering misconfigurations and vulnerabilities, and setting up automatic responses to malware infections.

And so, we’ve updated DatAlert to be more intuitive, powerful, and insightful than ever: 6.3.150 includes major updates to DatAlert, additional platform support, and performance enhancements.

New Security Dashboard: DatAlert is easier than ever to use as a starting point for investigating suspicious behavior, spotting unusual activity on file servers, and finding security vulnerabilities.  We’re introducing a configurable dashboard where you can easily identify and prioritize at-risk areas like global access, stale data, and overexposed sensitive information.

Alert investigation page: A new alert page enables quick triage on individual alerts – drill down on suspicious activity that might indicate that an attack is under way and triage for further investigation.  The alert investigation page offers additional security insights about users, data, time, and affected devices.

Enhanced behaviors and analysis:

  • Behavioral Peers: DatAlert can compare file and email touches of one user – along with other activity – to that of her peers. Behavioral peer comparisons are available directly within the alerts page to streamline investigation and help identify the severity of alerted behavior.
  • Device Insight: Review device context cards, and get insight through the DatAlert UI to see alerts triggered on specific devices.  Insights into devices also help highlight abnormal device usage per user account to pinpoint a computer that’s been compromised for insider activities.
  • Normal Working Hours: Varonis determines normal working hours for each individual based on email & file activity – and compares activity against their peers, to catch suspicious activity more quickly than ever.
  • Flags & Watch list: Customers can now flag suspicious users, putting them on a watch-list for tracking – making it easier to keep an eye on suspicious users and devices. Users can be highlighted based on past alerts or based on information from legal, HR, or other departments.

Want to see DatAlert in action?  Schedule a free demo and see how it works in your environment.



Enterprise Security Gaps: a Ponemon Institute Study

We recently sponsored a study about data protection and enterprise security with the Ponemon Research institute: Closing Security Gaps to Protect Corporate Data: A Study of U.S. and European Organizations.

A primary focus was to research security gaps within organizations that lead to data breaches and ransomware attacks – what are the leading causes?  How frequently does data theft occur?  How does ransomware affect organizations?  Where are these security gaps most evident?

Some key findings include:

  • 76% of IT practitioners say their organization experienced the loss or theft of company data over the past two years.
  • 62% of end users say they have access to company data they probably shouldn’t see.
  • 35% of organizations have no searchable records of file system activity, leaving them unable to determine which files have been encrypted by ransomware.
  • Only 29% of enterprises enforce a least privilege model to ensure that insiders have access to company data on a strictly need-to-know basis.

One of the biggest takeaways from these findings is that you can’t prevent what you don’t know about: overexposed data and users with excess privilege present a huge risk to enterprise security, leaving file and email servers vulnerable to data breaches and theft.

In order to close these security gaps and protect organizations from data theft and ransomware attacks, organizations need to monitor file activity & user behavior – and get to a least privilege model so that sensitive data is locked down and secure.

Find out how Varonis closes these security gaps and protects enterprise data.

6.2.51 (including DLX) is now GA

We’re excited to announce the GA release of 6.2.51: this release includes a range of enhancements focusing on data security, new integrations, and a more intuitive user interface.

Some of the highlights that are now generally available include:

New DatAlert Threat Models: Get inside-out security with sophisticated threat models built on advanced analytics, user behavior, and machine learning.  DatAlert threat models protect your data and trigger alerts on what looks unusual, uncovering potential security issues.

New DatAlert Web UI: DatAlert’s new web UI makes it easy to spot threats to your data – who’s behaving suspiciously and which data assets are threatened – and identify ransomware activity before it’s too late.  The new DatAlert UI includes:

  • A dashboard displaying alerts at a glance, top alerted users, assets, and threat models, along with a kill chain analysis.
  • In-depth views of alert data
  • Context cards with detailed information on alerts and activity

Varonis behavior research laboratory: A dedicated team of security experts, analysts, and data scientists who stay up-to-date on the latest security issues, APTs, and insider threats, and how to defend against them. The laboratory continually introduces new threat models to DatAlert – including the latest threat model introduced in 6.2.51 that actively detects patterns and user actions that resemble ransomware.

SIEM Integration: Users can automatically send DatAlerts into these external platforms, thereby increasing the speed and accuracy with which they are able to identify threats by correlating unstructured data behavior with alerts from other systems.

DatAdvantage for Microsoft Office 365: Get actionable insight and bi-directional visibility in the cloud with permissions visibility for Microsoft Exchange Online, SharePoint Online, OneDrive, and visibility into Active Directory for Azure.

Directory Services: Manage risk reduction and business intelligence more effectively by viewing authentication statistics, tracking GPO policy settings, and with real-time alerts on permissions and policy changes. See account authentication and access requests; when GPO settings were modified, and more.

Reporting enhancements: Varonis reports give insight into trends, help track and monitor activity and use, and give greater visibility into your data.  New reports include: Most active users per folder, GPO setting changes, Open access on sensitive data, and more.  The report API provides customers with restful APIs that enable accessing and extracting data from DatAdvantage.

Commit Management Platform: a centralized console enables managing individual and bulk changes to access control lists and group memberships, viewing history and dependencies of each change before it happens.  We’ve also added notifications on completion, configurable security options, and a rollback option for previously committed changes – saving time and eliminating potential mistakes while managing access control securely.

DataPrivilege for SharePoint: Customers can now use DataPrivilege to manage SharePoint sites and folders, setting permissions and membership requests, entitlement reviews, automatic rules and ethical walls, and more. DataPrivilege puts identity management in the hands of decision makers: reducing IT burden, empowering decision makers, and sustaining a least-privilege model. Support for on-premises SharePoint entities includes:

  • Managing SharePoint site collections, protected sites and folders
  • Defining SharePoint permission levels and their inheritance structure
  • Managing SharePoint groups
  • Configuring and managing entitlement reviews for SharePoint entities
  • Ownership synchronization – Logical folder owners added through DataPrivilege are synchronized to the mapped physical folder in DatAdvantage.

DatAnswers: Search smarter with DatAnswers with more customization and control on how you manage enterprise search:

  • Users can run elevated searches, either by seeing unfiltered results or by impersonating a different user.
  • New methods are now available to retrieve a document’s metadata and the contact information of document authors, business owners and users who performed Create or Modify events on the document.
  • Limit the search scope to a specific folder or a set of folders
  • View more metadata for each item in the search results with the metadata pane

Additional Platform Support:

  • Red Hat 7, Ubuntu 12.04.4 LTS Kernel 3.2.1; Ubuntu 14.04 LTS Kernel 3.13.0
  • IBM Storwize v7000
  • AIX 7.1
  • Azure Active Directory and Office 365
  • Isilon 7.2 or higher for NFS events
  • SQL Server AlwaysOn availability groups.
  • NetApp 8.3 RC, GA; 8.3.1 RC; 8.3 P1 – Also supported for cluster mode
  • Nexenta

The Cyber Kill Chain or: how I learned to stop worrying and love data breaches

Pulling off a heist is no easy feat – and in order to prevent theft, you best understand the plan of attack. Like any good ol’ traditional heist, there are multiple stages to consider in a cyber-attack. To help prevent and detect cyber-attacks and security breaches, we look to the cyber kill chain. Lockheed Martin derived the kill chain framework from a military model – originally established to identify, prepare to attack, engage, and destroy the target.

So what is a cyber kill chain?

It maps a potential security breach: tracing stages of attack from the early reconnaissance stages to the exfiltration of data. The kill chain helps us understand and combat ransomware, security breaches, and advanced persistent threats (APTs). Since its inception, the kill chain has evolved to better anticipate and recognize insider threats, social engineering, advanced ransomware and innovative attacks.

How does a cyber kill chain work?

Varonis Cyber Kill Chain

Reconnaissance. In every heist, you’ve got to scope the joint first. Same principle applies in a cyber-heist: it’s the preliminary step of an attack, the information gathering mission. During reconnaissance, an attacker is seeking information that might reveal vulnerabilities and weak points in the system. Firewalls, intrusion prevention systems, perimeter security – these days, even social media accounts – get ID’d and investigated. Reconnaissance tools scan corporate networks to search for points of entry and vulnerabilities to be exploited.

Intrusion. Once you’ve got the intel, it’s time to break in. Intrusion is when the attack becomes active: malware – including ransomware, spyware, and adware – can be sent to the system to gain entry. This is the delivery phase: it could be delivered by phishing email, it might be a compromised website or that really great coffee shop down the street with free, hacker-prone wifi. Intrusion is the point of entry for an attack, getting the attackers inside.

Exploitation. You’re inside the door, and the perimeter is breached. The exploitation stage of the attack…well, exploits the system, for lack of a better term. Attackers can now get into the system and install additional tools, modify security certificates and create new script files for nefarious purposes.

Privilege Escalation. What’s the point of getting in the building, if you’re stuck in the lobby? Attackers use privilege escalation to get elevated access to resources. They’ll modify GPO security settings, configuration files, change permissions, and try to extract credentials.

Lateral Movement. You’ve got the run of the place, but you still need to find the vault. Attackers will move from system to system, in a lateral movement, to gain more access and find more assets. It’s also an advanced data discovery mission, where attackers seek out critical data and sensitive information, admin access and email servers – often using the same resources as IT and leveraging built-in tools like PowerShell – and position themselves to do the most damage.

Obfuscation (anti-forensics). Put the security cameras on a loop and show an empty elevator so nobody sees what’s happening behind the scenes. Cyber-attackers do the same thing: conceal their presence and mask activity to avoid detection and thwart the inevitable investigation. This might mean wiping files and metadata, overwriting data with false timestamps (timestomping) and misleading information, or modifying critical information so that it looks like the data was never touched.

Denial of Service. Jam the phone lines and shut down the power grid. Here’s where the attackers target the network and data infrastructure, so that the legitimate users can’t get what they need. The denial of service (DoS) attack disrupts and suspends access, and could crash systems and flood services.

Exfiltration. Always have an exit strategy. The attackers get the data: they’ll copy, transfer, or move sensitive data to a controlled location, where they do with the data what they will. Ransom it, sell it on eBay, send it to BuzzFeed. It can take days to get all of the data out, but once it’s out, it’s in their control.

The Takeaway

Different security techniques bring forward different approaches to the cyber kill chain – everyone from Gartner to Lockheed Martin defines the stages slightly differently. Alternative models of the cyber kill chain combine several of the above steps into a C&C stage (command and control, or C2) and others into an ‘Actions on Objective’ stage. Some combine lateral movement and privilege escalation into an exploration stage; others combine intrusion and exploitation into a ‘point of entry’ stage.

It’s a model often criticized for focusing on perimeter security and for being limited to malware prevention. When combined with advanced analytics and predictive modeling, however, the cyber kill chain becomes critical for inside-out security.

With the above breakdown, the kill chain is structured to reveal the active state of a data breach. User behavior analytics (UBA) brings advanced threat intelligence to every stage of the kill chain – and helps prevent and stop ongoing attacks before the damage is done.

Learn more about UBA

DatAnywhere 3.0 is here

DatAnywhere just got better – in addition to the secure enterprise file sync and share features you know and love, we’re thrilled to announce enhanced auditing as part of the beta release for DatAnywhere 3.0.

What does it all mean?

Well, it means that not only do you now get better reporting about who’s doing what, but DatAnywhere now includes support for third-party MDM solutions like AirWatch.  DatAnywhere events can now be translated and displayed in the DatAdvantage log – giving you reports, statistics, and visibility into your shared data.

Want to know who’s been sharing what with external parties?  Need to report on file deletions and folder movement?  DatAnywhere 3.0 has you covered.

Try DatAnywhere Now

Visualize your risk with the DatAlert dashboard

Last week, we introduced over 20 new threat models to help defend your data against insider threats, ransomware attacks and threats to your most sensitive data.

But with all this analysis – and all these threat models – how do you interpret and prioritize what to do next?

Enterprises have been using our UBA threat models to stop insider attacks and catch ransomware before their data gets compromised: and with so much attention to data security and heightened risk of data breaches, they need a better way to interpret and prioritize their investigations.

So we’ve created a new dashboard and web interface for DatAlert: an intuitive interface where you can quickly recognize whether your data is under attack, prioritize your investigation, drill down, and take action.

The new UI gives you a clean visualization of your data, designed to show a clear state of the system.


Context cards give you all the information you need on one screen with detailed analysis of alerts and activity, in order to simplify security processes and take next steps.


DatAlert’s web UI makes it easy to spot threats to your data: who’s behaving suspiciously, which data assets are threatened, and identify ransomware before it’s too late.

Curious to see how DatAlert looks with your data?   Get a free demo and find out.

Cryptolocker, lockouts and mass deletes, oh my!

DatAlert Analytics just got some new threat models. Our research laboratory is tracking new ransomware, finding vulnerabilities in common security practices, and setting up new threat models to keep your data safe from insider threats.

What’s included in the latest batch?

Executive account discovery

DatAlert Analytics now discovers executive accounts automatically. This means that you can easily find out when there’s unusual activity on C-level accounts: abnormal actions using C-level credentials, suspicious attempts to access critical files, and more.

Advanced ransomware behaviors

Is somebody creating and deleting files frequently?  Are there unusually high instances of renaming and modifying files?  This set of threat models finds and tracks actions that resemble ransomware behavior, triggering alerts on activity that raises red flags.

Abnormal lockout behaviors

An unusual number of lockouts can often mean that somebody’s trying to steal privileges using a brute force attack or perpetrating a denial-of-service.  These threat models compare lockout events to a standard behavioral profile to see if it’s a simple misconfiguration, lateral movement or DoS.

Accumulative analysis on idle and sensitive data

We’re keeping track of what’s normal and what’s not – even at a gradual level.  DatAlert Analytics doesn’t just catch sudden spikes of unusual behavior, but is set up to track subtle deviations over time – catching illicit scanning actions, or subtle attempts at exfiltration.

Mass delete behaviors

Mass deletions could indicate anything from an attempt to destroy data assets to a denial of service attack.  DLX will sound the alarms if an unusual number of file deletions occurs – keeping data assets protected.
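The ransomware, accumulative-analysis and mass-delete descriptions above all come down to comparing per-user delete/rename volume against that user's own baseline. The sketch below is an added example, not Varonis code and not how DatAlert is implemented; the event tuple format, action names, thresholds and sample data are all assumptions constructed for illustration. It flags sudden spikes with a z-score and slow drift with a one-sided CUSUM.

```python
from collections import defaultdict
from statistics import mean, pstdev

WATCHED = {"delete", "rename"}   # assumed action names in the audit feed
BASELINE_DAYS = 14               # assumed learning window per user


def daily_counts(events, n_days):
    """Turn (day, user, action) audit events into per-user daily counts."""
    counts = defaultdict(lambda: [0] * n_days)
    for day, user, action in events:
        if action in WATCHED:
            counts[user][day] += 1
    return dict(counts)


def profile(series):
    """Baseline mean and std; the std floor avoids division by zero and
    hypersensitivity for users whose baseline is almost constant."""
    base = series[:BASELINE_DAYS]
    return mean(base), max(pstdev(base), 0.5)


def spike_days(series, z_limit=3.0):
    """Days after the baseline whose count is a sudden outlier (mass delete)."""
    mu, sigma = profile(series)
    return [d for d in range(BASELINE_DAYS, len(series))
            if (series[d] - mu) / sigma > z_limit]


def drift_alarm_day(series, slack=0.5, limit=5.0):
    """One-sided CUSUM: accumulates small positive deviations so a sustained,
    modest increase alarms even when no single day is a spike."""
    mu, sigma = profile(series)
    s = 0.0
    for d in range(BASELINE_DAYS, len(series)):
        s = max(0.0, s + (series[d] - mu) / sigma - slack)
        if s > limit:
            return d
    return None


def build_sample():
    """Constructed sample data: 14 normal days, then 6 days under test."""
    normal = [4, 5, 6, 5, 4, 6, 5, 5, 4, 6, 5, 5, 6, 4]
    per_user = {
        "alice": normal + [400, 5, 5, 5, 5, 5],   # one-day mass delete
        "bob":   normal + [7, 7, 7, 7, 7, 7],     # subtle sustained increase
        "carol": normal + [5, 6, 4, 5, 6, 5],     # ordinary variation
    }
    events = []
    for user, series in per_user.items():
        for day, n in enumerate(series):
            events += [(day, user, "delete")] * n
            events += [(day, user, "read")] * 20   # unwatched noise
    return events, 20


def analyze(events, n_days):
    """Return {user: {"spikes": [days], "drift": day or None}}."""
    return {user: {"spikes": spike_days(s), "drift": drift_alarm_day(s)}
            for user, s in daily_counts(events, n_days).items()}


if __name__ == "__main__":
    for user, result in analyze(*build_sample()).items():
        print(user, result)
```

In practice the baseline would be recomputed on a rolling window and the thresholds tuned per environment; the fixed values here only make the two detection styles easy to compare.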

Want to see what DatAlert Analytics will find on your network?

Find out with a free risk assessment.

DatAlert Analytics and the Varonis Behavior Research Laboratory

Last November, we introduced Varonis UBA threat models to automatically analyze behavior and detect insider threats throughout the lifecycle of a breach.  Our UBA threat models, which are major enhancements to Varonis DatAlert and are in beta availability, have been helping our customers protect their data – from spotting signs of ransomware activity to catching unusual activity on sensitive data.

But with news of more data breaches rolling out every day and brand new variants of ransomware popping up all the time, how can you keep up?

We’ve established a professional behavior research laboratory for just that reason.

Security experts and data scientists from Varonis now continually introduce new behavior-based threat models as part of DatAlert Analytics, keeping you up-to-date with the latest in security issues, APTs, and insider threats. This dedicated team is focused exclusively on creating new threat models to better protect your data, including privileged and service account detection and integration with all up-to-date malware and crypto repositories.

As insider threats become more sophisticated, so do our security tactics.  Some of the things our experts will focus on in the coming months include:

  • Account detection and auto-profiling, so you can automatically detect executive accounts and see unauthorized attempts to gain access to C-level data.
  • Threat models designed to alert on new variants of CryptoLocker so you can spot ransomware attacks before they get out of hand.
  • Threat models that detect mass deletes and lockout activity so you can find out when somebody’s attempting to damage or destroy data before it’s gone.

DatAlert Analytics is like having your very own behavior research laboratory to stay on top of the latest in security attacks and develop more ways to fight back against insider threats. Want to see DatAlert Analytics in action?  Get in touch.

Introducing Mobile Editing: Edit your docs in DatAnywhere 2.9 from… well… anywhere!

Need to copyedit the latest version of your manifesto while on the subway?   Want to update the TOC of your PowerPoint deck on the run?  Run a new pivot table on the latest financials during a (literal) standup?

Good news: you can now edit files[1] directly in the DatAnywhere app on your smartphone or tablet, on iOS and Android.

With DatAnywhere 2.9, you can edit your documents from your DatAnywhere app, and they’ll sync back to the server directly from within DN.   Collaborate on the fly without jeopardizing your security.

We made DatAnywhere as a secure solution to collaborate, share, and sync your data – and now you can be more productive than ever by editing on the go.

We’re excited for you to try it out.

Download It Now

[1] File types include .docx, .xlsx, .pptx <40 MB; .txt <5MB

Anatomy of a breach: Sony

Our new UBA Threat Models are built on a kill chain, in order to protect your data throughout the entire life cycle of a data breach.

But what does that mean, exactly?   Let’s take a look at the anatomy of a breach.

How did the Sony breach happen?

We know a few things for certain: a group called Guardians of Peace (GoP) claims to have taken over 100 terabytes of data, they used Wiper malware on the infrastructure to erase data from the servers, and released an alarming amount of unstructured data: from over 47,000 social security numbers to an early script of Spectre to over 170,000 confidential (and at times embarrassing) emails between executives.

Let’s go through the kill chain and figure out how it might have happened, step by step.


The attackers used phishing emails to steal credentials – in this case, it’s likely that they used fake Apple ID verification emails to get personal information and passwords, which, when combined with public information from sources like LinkedIn and Facebook profiles, gave them enough information to get into the network.

They then likely downloaded additional recon/network mapping tools to map the environment.  The attackers released detailed network diagrams gathered from found documents.


Wiper malware dropped on servers (with embedded employee credentials for execution) – wiper malware destroys data on Windows computers, while spreading itself across network files to further attack Windows servers.  The latest evidence in the case suggests that the intrusion had been happening for more than a year before its discovery.

Lateral Movement

Attackers searched the file servers to locate password files so they could continue to expand, or elevate rights and permissions.  They later released massive amounts of files (most even with “password” in the name) containing usernames and passwords for everything from internal systems to corporate Twitter accounts: one document released from the HR\Benefits directory, for example, contained 402 social security numbers, internal emails, plain-text passwords, and employee names.

Privilege Escalation

Through recon and lateral movement, the attackers were able to discover treasure troves of plain-text passwords which gave them even more access to everything they needed to own the organization.  They were even able to obtain certificates and RSA token information to secure their foothold.   A new piece of malware called Destover was later spotted in the wild using stolen Sony certificates.

Data Exfiltration

Hundreds of GB of sensitive data was released, mostly comprised of unstructured data (PDFs, Word docs, Excel documents, PowerPoint presentations, text files, video files, email, etc.) containing everything from personally identifiable information (PII) for celebrities and current/former employees, confidential business documents including budgets, scripts, and upcoming projects, unreleased films, and internal correspondence.

What now?

A year later, and Sony is still dealing with the devastating aftermath of the breach.  Business is disrupted, reputations fractured, and millions of dollars allocated to settle claims from the breach over identity theft losses.

All because hackers got inside the network, and nobody was watching the unstructured data from the inside.


DatAnywhere 2.8

We’re excited to announce the beta release of DatAnywhere 2.8, with version control and mapped drive features that enhance collaboration and development, tracking, sharing, and file management.

DatAnywhere Version Control

DatAnywhere now supports file version control. This includes creating new versions of files when they are modified or uploaded by DatAnywhere users: previous file versions can be downloaded and synced, ensuring important data is never irretrievably lost.

Mapped Drive Stubs

Administrators can now configure the DatAnywhere Windows clients to sync stub files and folders as users browse through DatAnywhere folders on their PCs.  They look and behave like the mapped drives with which end users are familiar, but are actually stubs.

These folders and files appear local: VPN access is not required, they’re browsable when not connected, and files can be cached locally for offline use – but most files are stubs, or links to the actual files that remain in the data center. New files saved locally are automatically ingested and saved on the file share when network connectivity is re-established.

By enabling file shares with DatAnywhere, employees work as if terabytes or even petabytes of data are stored on their laptops, while those files are safely stored on the organization’s SMB shares.

Do you have feature requests for DatAnywhere?  Let us know.

Have you tried DatAnywhere yet?

Download It Now