All posts by Sarah Hospelhorn

Varonis DatAlert and IBM QRadar

Varonis DatAlert and IBM QRadar

Varonis now integrates with the IBM QRadar Security Intelligence Platform, with the Varonis App for QRadar.

The Varonis App for QRadar adds context and security analytics to simplify investigations, streamline threat detection, and build more context around security alerts and incidents.

How It Works

You can view Varonis alerts directly in IBM QRadar – and can drill down and investigate alerts in the Varonis Web UI for additional insight, accelerating security investigations.

We correlate Varonis alerts with events collected by IBM QRadar, so that you can visualize potential security breaches, misconfigurations, and at-risk data with additional context and security analytics from Varonis.

In QRadar, simply click on the DatAlert link in QRadar to investigate a security threat.

From here, you’ll get visibility and a high-level overview not only of alerts over time, but of top alerted users, top alerted devices, top alerted assets, and top alerted threat models – the alerts on suspicious activity or user behavior that have been triggered the most on your core data stores.

Drill down into the DatAlert web UI to investigate suspicious activity and get additional insight and context into what’s going on.

Together, Varonis and IBM QRadar enable customers to enhance their data security, streamline threat detection, and simplify investigations.

Varonis DataPrivilege and RSA® Identity Governance and Lifecycle

Varonis DataPrivilege and RSA® Identity Governance and Lifecycle

We’re thrilled to announce interoperability between Varonis DataPrivilege and RSA® Identity Governance and Lifecycle, with a new Implementation Blueprint.  This Implementation Blueprint will help the business to quickly detect security and compliance access risks and amend access entitlement issues associated with unstructured data.

How it Works

The Varonis Data Security Platform helps prepare enterprise data for RSA Identity Governance and Lifecycle by finding data owners, correcting inconsistent permissions, removing global security groups, and simplifying and maintaining permissions structures.

Companies that implement Varonis DataPrivilege interoperability with RSA Identity Governance and Lifecycle benefit from:

  • Enhanced visibility and control of unstructured file systems directly within RSA Identity Governance and Lifecycle;
  • Meeting access control policies by helping to ensure that users have appropriate access permissions;
  • Reducing attack surfaces and assisting with compliance by limiting access privileges and deactivating stale/orphaned accounts; and
  • Automating attestations, provisioning and de-provisioning of access permissions.

Learn more

 

Data Classification Labels: Integrating with Microsoft Information Protecti...

Data Classification Labels: Integrating with Microsoft Information Protection (MIP)

We’re thrilled to announce the beta release of Data Classification Labels: integrating with Microsoft Information Protection (MIP) to enable users to better track and secure sensitive files across enterprise data stores.

By integrating with Microsoft Information Protection, customers will be able to automatically apply classification labels and encrypt files that Varonis has identified as sensitive. Users can manually tag documents, and Varonis will ingest this information to provide additional context around the data.

Data Classification Labels utilizes our sophisticated rule capabilities to target specific data, and leverages our extensive pattern repository to build even more labeling rules.

In addition, Varonis can find mislabeled files that contain sensitive data based on our advanced classification engine and re-apply the correct labels. Varonis customers can analyze existing classification results for labeling, intercept existing labels and apply new ones automatically.

Data Classification Labels uses both Azure and AD RMS encryption to protect incoming and outgoing data.

Want to see it in action? Get in touch with your SE and ask for a tour of Data Classification Labels – and test it out on with your own policies.

Benefits Overview:

  • Classify a file based on its MIP label
  • Decrypt and scan the content of MIP encrypted files
  • Automatically apply an MIP label according to the configuration, while skipping any file which was manually labeled
  • Automatically correct (and report on) mislabeled files
  • Automatically perform bulk re-label when a policy is changed
  • Enrich Varonis classification report with classification labels data

Women in Tech: The Anatomy of a Female Cybersecurity Leader

women CISO CIO

Cybersecurity has a gender gap.

According to the 2017 Women in Cybersecurity study, a joint venture between the Center for Cyber Safety and Education and the Executive Women’s Forum on Information Security, women only make up 11 percent of the total cybersecurity workforce.

In addition to occupying a substantially small space in a massive global industry, the few women who are in cybersecurity hold fewer positions of authority and earn a lower annual salary than their male counterparts, on average.

Many think pieces have mused about the causes of the gender gap in cybersecurity, with theories ranging from industry discrimination to socialization differences. It’s a pipeline problem and a retention problem: while there are now more programs designed to encourage girls to get into tech, it remains a difficult field for young women to enter — and stay in.

With the worldwide deficit of qualified cybersecurity professionals projected to reach 3.5 million by 2021, one thing is clear: Cybersecurity needs more women.

So, what does it take to be a leader in an industry notorious for its lack of gender diversity? In an effort to answer this question, we analyzed the current Fortune 500 list to see which companies have female leaders in their top cybersecurity position, including the chief information security officer (CISO), chief information officer (CIO) or VP of information security. Out of the 500 companies we examined, only 13 percent — or 65 companies — had a women working as the corporation’s cybersecurity leader in one of these positions.

Who are these 65 women? Check out the full infographic below to learn more about the women leading the way in cybersecurity.

women leading cybersecurity positions

While the gender gap in cybersecurity remains a real issue, these women — and their contributions to the world of cybersecurity — are paving the way for more gender inclusion in the future.

Introducing Varonis Data Security Platform 6.4.100: Varonis Edge, GDPR Thre...

Introducing Varonis Data Security Platform 6.4.100: Varonis Edge, GDPR Threat Models, Geolocation and More

It’s the beginning of a new year, and we have a huge new beta release to share with you.  The beta release of the Varonis Data Security Platform 6.4.100 dropped earlier this month, and I wanted to share a few highlights:

Varonis Edge

We announced Varonis Edge back in November, and we’re excited for you to try it.  After over a decade of protecting core data stores, we’re extending that same data security approach to the perimeter: analyzing devices like DNS, VPN, and Web Proxy to detect attacks like malware, APT intrusion, and exfiltration.  With Edge, you’ll be able to correlate events and alerts from your perimeter with alerts and events about your data.

We’ve added new threat models for these perimeter devices: so that you can stay ahead of security events like brute force attacks, DNS tunneling, credential stuffing, and more.

Classification

Backed by popular demand, we’ve added new classification categories to our Data Classification Engine (formerly Data Classification Framework).  We’re shipping four predefined categories out of the box, to more easily identify and discover PII, PHI, PCI, and GDPR data.

GDPR Threat Models

With over 250 unique patterns to identify and classify EU data that will fall under the upcoming General Data Protection Regulation (GDPR), we’re making it easier than ever to see what’s happening to that data once it’s identified.  You’ll not only be able to identify regulated data, but monitor and track when suspicious activity occurs on it with specific GDPR threat models: from abnormal service behavior accessing atypical folders containing GDPR data, to global access groups added to a folder with a significant amount of GDPR data, and more.

Geolocation

Everybody likes a map – and DatAlert now tracks cyberattacks to a specific location, alerting when unusual access to your data is coming from a new or unusual physical locations, or geolocation.  New threat models track unreasonable geohopping, activity from a blacklisted geolocation, and activity from  new geolocation.

We’ve added maps and geolocation to the DatAlert web interface – so that you can see what’s going on and where at a glance.

Other updates include:

  • HPE 3PAR support
  • Enhancements to DatAlert search functionality: predefined searches, saved searches, and more
  • Improved performance and support for incremental search results
  • Office 365 Azure AD auditing and collection
  • Enhancements to AD authentication events
  • Automation Engine: support for multiple OU selection for new groups/per filer resolution
  • DataPrivilege request-related and owner-related API now supports both Windows and SharePoint
  • Reporting now supports relative mode for all date filters

Want to see it in action? Get a personalized demo and ask about the latest features today.

 

Announcing Varonis Edge – to the Perimeter and Beyond

Announcing Varonis Edge – to the Perimeter and Beyond

Email, web, and brute force attacks are the primary ways that malware gets through your defenses.  The Yahoo hacker’s favorite technique? VPN. The Sony hack? Phishing emails.  Remote Access Trojans? DNS.

We’ve spent over a decade working on protecting core data stores – we’re now extending that data security to the perimeter by using telemetry from VPN concentrators and DNS servers to spot signs of attack like DNS tunneling, account hijacking, and stolen VPN credentials. With Varonis Edge – coming soon in beta – you can monitor perimeter attacks and put them in context with activity and alerts in your core data stores for the full picture.

Extend your data security to the edge with enhanced security intelligence and additional threat markers, so that you can alert on external attacks, catch malware in its tracks, and defend your data better from insider threats. Find out more about Varonis Edge here.

Interested? Get a demo and be the first in line to try it.

Introducing Our New DataPrivilege API and a Preview of Our Upcoming GDPR Pa...

Introducing Our New DataPrivilege API and a Preview of Our Upcoming GDPR Patterns

GDPR Patterns Preview

We’re less than a year out from EU General Data Protection Regulation (GDPR) becoming law, and hearing that our customers are facing more pressure than ever to get their data security policies ready for the regulation.  To help enterprises quickly meet GDPR, we’re introducing GDPR Patterns with over 150 patterns of specific personal data that falls in the realm of GDPR, starting with patterns for 19 countries currently in the EU (including the UK).

Using the Data Classification Framework as a foundation, GDPR Patterns will enable organizations to discover regulated personal data: from national identification numbers to IBAN to blood type to credit card information. This means that you’ll be able to generate reports on GDPR applicable data: including permissions, open access, and stale data.  These patterns and classifications will help enterprises meet GDPR head on, building out security policy to monitor and alert on GDPR affected data.

Try it today and discover how GDPR Patterns will help prepare you for 2018 and keep your data secure.

IAM & ITSM Integration with DataPrivilege

We’ve been talking a lot lately about unified strategies for data security and management, and the challenge of juggling multiple solutions to meet enterprise security needs.

DataPrivilege puts owners in charge of file shares, SharePoint sites, AD security and distribution groups by automating authorization requests, entitlement reviews and more. DataPrivilege now includes a new API so customers can take advantage of its capabilities by integrating with other technologies in the security ecosystem, like IAM (Identity and Access Management) and ITSM (IT Service Management) Solutions.

Our new DataPrivilege API provides more flexibility for IT and business users so they can unify and customize their user experience and workflows. With the API, you’ll be able to synchronize managed data with your IAM/ITSM solution and return instructions to DataPrivilege to execute and report on requests and access control changes.  You’ll be able to use the integration to externally control DataPrivilege entitlement reviews, self-service access workflows, ownership assignment, and more.

Ask for a demo and see how it works with your current set up.

 

🚨 Massive Ransomware Outbreak: What You Need To Know

🚨 Massive Ransomware Outbreak: What You Need To Know

Remember those NSA exploits that got leaked a few months back? A new variant of ransomware using those exploits is spreading quickly across the world – affecting everyone from the NHS to telecom companies to FedEx.

Here’s What We Know So Far

Ransomware appears to be getting in via social engineering and phishing attacks, though vulnerable systems may also be at risk if TCP port 445 is accessible. Unlike most ransomware that encrypts any accessible file from a single infected node, this ransomware also moves laterally via exploit (i.e., EternalBlue) to vulnerable unpatched workstations and servers, and then continues the attack. Unpatched windows hosts (Vista, 7, 8,10, server 2008, 2008 R2, 2012, 2012 R2, and 2016) running SMB v1 are all vulnerable.

Infected hosts are running strains of ransomware, such as Wanna Decrypt0r (more below) that encrypts files and changes their extensions to:

  •  .WRNY
  • .WCRY (+ .WCRYT for temp files>
  • .WNCRY (+ .WNCRYT for temp files)

The Ransomware also leaves a note with files named @Please_Read_Me@.txt, or !Please_Read_Me!.txt, and will display an onscreen warning.

Here’s What You Can Do

MS17-010, released in March, closes a number of holes in Windows SMB Server. These exploits were all exposed in the recent NSA hacking tools leak. Exploit tools such as EternalBlue, EternalChampion, EternalSynergy and EternalRomance (all part of the Fuzzbunch exploit platform) all drop DoublePulsar onto compromised hosts. DoublePulsar was created by the NSA and is basically a malware downloader, which is used as an intermediary for downloading more potent malware executables onto infected hosts.

If you’re an existing DatAlert customer, you can set up office hours with your assigned engineer to review your threat models and alerts. Don’t have DatAlert yet?  Get a demo of our data security platform and see how to detect zero-day attacks.

DatAlert Customers

If you’re a DatAlert Analytics customer, the threat model “Immediate Pattern Detected: user actions resemble ransomware” was designed to detect this and other zero-day variants of ransomware; however, we also strongly recommend that you update the dictionaries used by DatAlert signature-based rules. Instructions for updating your dictionaries are here: https://connect.varonis.com/docs/DOC-2749

If for some reason you can’t access the connect community, here is how to update your dictionaries to include the new extensions for this variant:

Open the DatAdvantage UI > Tools > Dictionaries > Crypto files (Predefined)

Open the DatAdvantage UI > Tools > Dictionaries > Encrypted files (Predefined)

Details

Vulnerabilities

The Malware exploits multiple Windows SMBv1 Remote Code vulnerabilities:

Windows Vista, 7, 8,10, server 2008, 2008 R2, 2012, 2012 R2, 2016 are all vulnerable if not patched and SMBv1 Windows Features is enabled.

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Ransomware strains

WCry / WannaCry / WannaCrypt0r / WannaCrypt / Wana Decrypt0r

This outbreak is version 2.0 of WCry ransomware which first appeared in March. Until this outbreak, this ransomware family was barely heard of. Though likely spread via phishing and social engineering attacks, if tcp port 445 is exposed on vulnerable windows machines, that could be exploited using the Fuzzbunch exploit platform.

Other helpful links

 

Introducing the Automation Engine, DatAlert Analytics Rewind, and more

Introducing the Automation Engine, DatAlert Analytics Rewind, and more

Put Least Privilege on Autopilot

Getting to least privilege can be a nightmare. The first steps – tracking down inconsistent ACLs and remediating global access groups can turn even the most basic file share clean-up project into a huge to-do.

And so we’re thrilled to announce the upcoming availability of the Automation Engine, which will take the headache out of least privilege by discovering undetected security threats and fixing hidden vulnerabilities without all the manual legwork.

The Varonis Automation Engine automatically repairs and maintains file systems so that you’re less vulnerable to attacks, more compliant, and consistently enforcing a least privilege model.

  • Fix hidden security vulnerabilities like inconsistent ACLs and global access.
  • Revoke unnecessary access that users no longer need or use, reducing your risk profile.
  • Accelerate and automate least privilege.

Interested?  Get a demo now and be the first in line to try it.

What’s past is prologue

One of our earliest patents was our simulation capability in DatAdvantage – which our customers now use consistently to test access control changes against past access activity, highlighting users that would be disrupted or applications that might break if they had made those changes in the past.

We’re extending our simulation capabilities with Analytics Rewind.

DatAlert Analytics Rewind allows customers with three or more months of data to analyze past user and data activity with DatAlert threat models, and identify alerts that they would have gotten in the past. You can not only pre-emptively tune out false positives, but also look back at your data activity history to identify breaches that may have already occurred.

New Threat Models for Exchange and DS

You asked, we listened.  We’re adding more threat models to DatAlert Analytics to detect and prevent impersonation, exploitation, and account hijacking.  The latest set keeps you aware of suspicious mailbox and Exchange behaviors, password resets and unusual activity from personal devices.

Email security and Exchange:  New threat models flag abnormal amount of emails sent to accounts outside the organization, unusual mailbox activity from service accounts, and automated forwarding that might indicate an attacker trying to redirect and exfiltrate data.

Directory Services:  New threat models detect suspicious password resets that may indicate attempts to hijack a user account, unusual access to personal devices, suspicious attempts to access an unusual amount of resources, and unusual login activity that may indicate a credential stuffing attack.

Want to see them in action? Get a demo our data security platform and see how you can stop data breaches.

Varonis + Splunk: Epic Threat Detection and Investigations

Varonis + Splunk: Epic Threat Detection and Investigations

We’re bringing our powerful DatAlert functionality to Splunk® Enterprise to give you comprehensive visibility into data security with our new Varonis App for Splunk – now available for download on splunkbase!

DatAlert can now send alerts to the Varonis App for Splunk, providing Splunk additional context into anomalous file system, email, and Active Directory behavior. Users of the App can view Varonis alerts directly from Splunk Enterprise, and drill into DatAlert for additional insight into what’s going on and accelerate security investigations, reducing mean time to resolution.

At-a-glance Dashboards

Our at-a-glance dashboards set SysAdmins and Security Analysts up for success – correlating Varonis alerts with Splunk events, and providing additional insight and context into potential security threats.

Want to learn more?

You can take a closer look at selected entities in the drill-down dashboard – access a complete list of all alerts on a specific entity (user, asset, threat model, device) within the selected timeframe.

Streamline your investigation with the DatAlert Web UI – and determine whether suspicious activity is malicious or a misconfiguration.

Want to try out the Varonis for Splunk app? Download it directly from splunkbase to get started.

Not yet a Varonis customer? What are you waiting for! Check out a demo of our data security platform today and get a personalized walkthrough of the Varonis App for Splunk while you’re at it.

Introducing a new security dashboard, enhanced behavioral analysis, and mor...

Introducing a new security dashboard, enhanced behavioral analysis, and more

Every day we hear new stories about how our customers are using DatAlert to stop cyberattacks: detecting and disabling ransomware infections, discovering misconfigurations and vulnerabilities, and setting up automatic responses to malware infections.

And so, we’ve updated DatAlert to be more intuitive, powerful, and insightful than ever: 6.3.150 includes major updates to DatAlert, additional platform support, and performance enhancements.

New Security Dashboard: DatAlert is easier than ever to use as a starting point for investigating suspicious behavior, spotting unusual activity on file servers, and finding security vulnerabilities.  We’re introducing a configurable dashboard where you can easily identify and prioritize at-risk areas like global access, stale data, and overexposed sensitive information.

Alert investigation page: A new alert page enables quick triage on individual alerts – drill down on suspicious activity that might indicate that an attack is under way and triage for further investigation.  The alert investigation page offers additional security insights about users, data, time, and affected devices.

Enhanced behaviors and analysis:

  • Behavioral Peers: DatAlert can compare file and email touches of one user – along with other activity – to that of her peers. Behavioral peer comparisons are available directly within the alerts page to streamline investigation and help identify the severity of alerted behavior.
  • Device Insight: Review device context cards, and get insight through the DatAlert UI to see alerts triggered on specific devices.  Insights into devices also help highlight abnormal device usage per user account to pinpoint a computer that’s been compromised for insider activities.
  • Normal Working Hours: Varonis determines normal working hours for each individual based on email & file activity – and compares activity against their peers, to catch suspicious activity more quickly than ever.
  • Flags & Watch list: Customers can now flag suspicious users, putting them on a watch-list for tracking – making it easier to keep an eye on suspicious users and devices. Users can be highlighted based on past alerts or based on information from legal, HR, or other departments.

Want to see DatAlert in action?  Schedule a free demo and see how it works in your environment.