Adventures in Malware-Free Hacking, Part III

After yakking in the last two posts about malware-free attack techniques, we’re ready to handle a dangerous specimen. The Hybrid Analysis site is the resource I rely on to find these malware critters. While the information that HA provides for each sample (system calls, internet traffic, etc.) should be enough to satisfy a typical IT security pro, there is some value in diving into one of these heavily obfuscated samples to see what’s actually going on.

If you’re playing along at home, I suggest doing this in a sandbox, such as AWS, or if you’re working on your own laptop, just make sure to comment out the system calls that launch PowerShell.

Into the Obfuscated VBA Muck

The malware I eventually found in Hybrid Analysis is a VBA script that was embedded in a Word doc. As I mentioned last time, to see the actual script, you’ll need Frank Boldewin’s OfficeMalScanner.

After extracting the script, which I gave you a peek at in the last post, I decided to load the thing into the MS Word macro library. And then (gasp) I stepped through it using the built-in debugger.

My goal was to better understand the obfuscations: to play forensic analyst and experience the frustrations involved in this job.

If you’re going into one of these obfuscated scripts for the first time in a debugger, you’ll likely be gulping espressos as you make your way through the mind-numbingly complex code and watch blankly as the variable L_JEK is assigned the string “77767E6C797A6F6”.

It’s that much fun.

What I learned with this obfuscated VBA script is that only a very small part of it does any of the real work. Most of the rest is there to throw you off trail.

Since we’re getting into the nitty-gritty, I took a screenshot of the teeny part of the code that performs the true evil work of setting up the PowerShell command line that is ultimately launched by the VBA macro.

Tricky: just take the hex value and subtract 7 for the real ASCII.

It’s very simple. The VBA code maintains a hex representation of the command line in a few variables and then translates it to a character string. The only “tricky” part is that hex values have been offset by 7.

So for example, the first part of the hex string comes from L_JEK (above). If you take 77 and subtract 7, you get hex 70. Do the same for 76 and you obtain hex 6F. Look these up in any ASCII table, and you’ll see they map to the first two letters of “powershell”.

This ain’t a very clever obfuscation, but it doesn’t have to be!

All it has to accomplish is getting past virus scanners searching for obvious keywords or their ASCII representations. And this particular sample does this well enough.

Finally, after the code builds the command line, it then launches it through the CreateProcess function (below).

Either comment out system calls or set a breakpoint before it.

Think about it. A Word doc was sent in a phish mail to an employee. When the doc is opened, this VBA script automatically launches a PowerShell session to start the next phase of the attack. No binaries are involved, and the heavily obfuscated scripts will evade scanners.


To further my own education, I pulled out another macro from Hybrid Analysis (below) just to see what else is out there. This second one effectively does the same thing as the code above.

Secret code embedded in VBA.

It’s a little more clever in how it builds the command line. There’s a decode function, called “d”, that filters out characters from a base string by comparing against a secondary string.

It’s a high-school level idea, but it gets the job done: it will evade scanners and fool IT folks who are quickly looking at any logs for unusual activities.
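As an added example (not code from the post or from either analysed sample), here is a small Python decoder for both string-hiding tricks described above, the +7 hex offset and the character-filtering “d” function, followed by the scan a defender would run to recover the hidden keyword from a macro’s string literals. The L_JEK value is the one quoted in the post; the full hex string, the VBA fragment and the base/filter strings are constructed, and the exact filtering rule of “d” is an assumption, since the post does not show its code.

```python
import re

# The L_JEK value quoted in the post; the screenshot cuts it off mid-byte.
L_JEK_FROM_POST = "77767E6C797A6F6"

# Constructed: "powershell" hidden with the same +7 offset, the way the
# first sample stores its command line across several variables.
SAMPLE_OFFSET_HEX = "77767E6C797A6F6C7373"

# Constructed stand-in for the second sample's "d" function. The post says
# only that d filters characters out of a base string by comparing against a
# secondary string; the assumed reading here is "drop every base character
# that also occurs in the filter string".
SAMPLE_BASE = "p$o%w^e&r*s(h)e_l+l"
SAMPLE_FILTER = "$%^&*()_+"

# Keywords a scanner looks for; the post names powershell and CreateProcess.
WATCHED_WORDS = ("powershell", "createprocess")


def decode_offset_hex(hex_text: str, offset: int = 7) -> str:
    """Undo the first trick: split into hex byte pairs, subtract the offset.

    A dangling final nibble (as in the quoted L_JEK value) is ignored, and a
    byte that does not land on printable ASCII becomes '.' so that a wrong
    offset still yields a scannable string instead of an exception.
    """
    out = []
    for i in range(0, len(hex_text) // 2 * 2, 2):
        value = int(hex_text[i:i + 2], 16) - offset
        out.append(chr(value) if 32 <= value < 127 else ".")
    return "".join(out)


def decode_filtered(base: str, junk: str) -> str:
    """Undo the assumed second trick: keep only characters not in `junk`."""
    drop = set(junk)
    return "".join(ch for ch in base if ch not in drop)


def find_hex_offset(hex_text, words=WATCHED_WORDS, max_offset=15):
    """Try every small offset; return (offset, plaintext) for the first one
    whose decoding contains a watched keyword, or None if none does."""
    for offset in range(max_offset + 1):
        text = decode_offset_hex(hex_text, offset)
        lowered = text.lower()
        if any(word in lowered for word in words):
            return offset, text
    return None


# Quoted string literals made only of hex digits, eight or more of them.
HEX_LITERAL = re.compile(r'"([0-9A-Fa-f]{8,})"')


def scan_vba_for_hidden_keywords(source: str):
    """Walk VBA source text, decode each hex-looking literal at every small
    offset and report the ones that hide a watched keyword."""
    hits = []
    for match in HEX_LITERAL.finditer(source):
        literal = match.group(1)
        found = find_hex_offset(literal)
        if found is not None:
            hits.append((literal, found[0], found[1]))
    return hits


# Constructed VBA fragment in the style of the first sample.
SAMPLE_VBA = '''
Dim L_JEK As String
L_JEK = "77767E6C797A6F6C7373"
Dim JUNK As String
JUNK = "nothing to see here"
'''


if __name__ == "__main__":
    print(decode_offset_hex(L_JEK_FROM_POST))           # powersh
    print(decode_offset_hex(SAMPLE_OFFSET_HEX))         # powershell
    print(decode_offset_hex(SAMPLE_OFFSET_HEX, 0))      # wv~lyzolss (what a scanner sees)
    print(decode_filtered(SAMPLE_BASE, SAMPLE_FILTER))  # powershell
    print(scan_vba_for_hidden_keywords(SAMPLE_VBA))
```

Running the same scan over the raw literals at offset 0 is the point: the keyword is absent until the cheap transform is applied, which is all the obfuscation needs to beat a naive keyword match.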

Next Stop

In my first series of posts on obfuscation, I showed that Windows Event logging captures enough details of PowerShell sessions (that is, if you enable the appropriate modules) to do a deep analysis after the fact.

Of course, the brilliance of malware-free attacks is that it’s hard to determine whether a PowerShell script at run-time is doing anything evil through a basic parsing of the command line by scanning event logs.


PowerShell sessions are being launched all the time, and one hacker’s PowerShell poison can be close to another IT admin’s PowerShell power tool. So if you want to alert every time a script downloads something from the Internet, you’ll be sending out too many false positives.

Of course, this leads to this blog’s favorite topic: the failure of perimeter defenses to stop phishing and FUD malware, and the power of User Behavior Analytics.

In short: it’s a losing battle trying to stop hackers from getting past perimeter defenses. The better strategy is to spot unusual file access and application behaviors, and then respond by de-activating accounts or taking another breach response measure.

That’s enough preaching for the day. In the next post, we’ll take a closer look at more advanced types of malware-free attacks.

[Podcast] Security Alert Woes

IT pros could use a little break from security alerts. They get a lot of alerts. All. The. Time.

While alerts are important, a barrage of them can potentially be a liability. It can cause miscommunication, creating over-reactivity. Conversely, alerts can turn into white noise, resulting in apathy. Hence the adage: if everything is important, nothing is. Instead, should we be proactive about our security risks rather than reactive?

Articles discussed:

  • Heatmap reveals secret military bases
  • ICE gets access to license plate numbers
  • Does it matter if you put your password on a post-it?

Panelists: Kilian Englert, Forrest Temple, Kris Keyser

Malware Protection: Defending Data with Varonis Security Analytics

Malware has become the catch-all term for any bit of code that attempts to hide and then subvert the intentions of the computer’s owner. Viruses, rootkits, lock-screens, and Trojan horses are as common today as a web browser and are used by everyone from criminals to governments to security researchers.

Malware detection on endpoints is commonplace, but as WannaCry and NotPetya taught us, malware can end up in your servers as well, creating vulnerabilities and backdoors to exfiltrate the lion’s share of your sensitive information. That’s where Varonis comes in.

We’ve developed over 100 threat models to detect and arrest malware, data leaks, and potential security risks to your data. Let’s identify some of the more common types of malware, and dive into how Varonis can help you detect and defend against those attacks.

Viruses

Viruses are one of the oldest kinds of malware out there. They exist to cause mayhem and to make your life miserable.

There are certain viruses, for instance, that target NAS devices. Those are particularly dangerous due to the sheer volume of data they attack. The most notable recently was the SambaCry vulnerability that hackers used for ransomware attacks, DDoS, or backdoors.

This kind of attack will not only spread to other computers but will start to attack any attached data stores, like the NAS with all the really important data on it (company financial statements, HR records) or the email server. In the blink of an eye, your entire data store could be encrypted or deleted.

How to Stop a Virus with Varonis

Varonis doesn’t just monitor file events, but also builds a behavioral baseline of normal activity for each user. This analysis lets us separate activity consistent with a particular user’s historical pattern of access (human activity) from a virus (machine activity) and very quickly pull the plug on this user, stopping the virus from inflicting further damage.

Below are some of the threat models that would help detect this type of malware attack:

Threat Model: Encryption of multiple files

How it works: DatAlert triggers this when there are multiple file modify events by the same user in a short amount of time, AND when those modifications include suspected malware encryption file extensions. The known extensions are configurable via dictionary.

What it means: This usually indicates a malware attack with the intent to deny access to data.

Where it works: Windows, Unix, Unix SMB, SharePoint, NetApp, EMC, Hitachi NAS, HP NAS, SharePoint Online, OneDrive, Dell FluidFS, Nasuni

Threat Model: Abnormal Behavior: Unusual number of files deleted

How it works: DatAlert triggers this when there are multiple file delete events by the same user in a short amount of time.

What it means: This means that a single user has deleted many files on a monitored storage device in a short amount of time. This could be a user doing clean-up work, but it also could be malware.

Where it works: Windows, Unix, Unix SMB, SharePoint, NetApp, EMC, Hitachi NAS, HP NAS, SharePoint Online, OneDrive, Dell FluidFS, Nasuni

Threat Model: Abnormal Behavior: Unusual number of sensitive files deleted

How it works: DatAlert triggers this when there are multiple file delete events by the same user in a short amount of time, and those files have been marked as sensitive by the Varonis Data Classification Engine.

What it means: Like the previous threat model, this means that a single user has deleted many files on a monitored storage device in a short amount of time. This could be a user doing clean-up work, but it also could be malware.

Where it works: Windows, Unix, Unix SMB, SharePoint, NetApp, EMC, Hitachi NAS, HP NAS, SharePoint Online, OneDrive, Dell FluidFS, Nasuni

Varonis will detect the virus, lock out the user, and then the SOC can take action to limit or restore the damage done and get the virus under control.

Time is a virus’ best friend. The longer it has to gallivant around uninterrupted, the more times it can copy itself and destroy data. Varonis triggers an immediate, automated response, stopping the virus before it has time to do significant damage.

Trojan Horse

Trojan Horse attacks get their name from that famous story from antiquity. These attacks are similar to viruses in that they hide with other downloads, but their payloads tend to be different.

Trojans try to install backdoors or rootkits into your computer, which provides hackers with access to that computer and whatever that computer is also able to access.

How to Stop a Trojan with Varonis

Varonis defends against some Trojans by monitoring the startup folders where these bugs want to install their payload.

Threat Model: Suspicious access activity: non-admin access to startup files and scripts

How it works: DatAlert identifies any file activity by a non-admin user on folders identified as startup folders as suspicious.

What it means: Activity by non-admin users on startup folders is suspicious: users should not be accessing these folders. The attack could be a Trojan, but it also could be an attempt to install files to this folder manually from an already hijacked computer.

Where it works: Windows, Unix, Unix SMB, HP NAS

One thing Trojans want to do is persist through shutdown, so they’ll try to embed themselves into these folders and hide amongst the other running processes to avoid detection.

Now, if for some reason the Trojan is trying to be smart and doesn’t access the Startup folder, and instead drops its payload elsewhere, a different threat model will still catch Trojan activity.

Threat Model: Exploitation software accessed

How it works: DatAlert detects file events that contain filenames known as part of the hacker toolkit, which is an ever-evolving list.

What it means: It could mean that a user downloaded a hacker tool for a valid reason, but most likely it’s an attempt to infiltrate the network and needs to be stopped.

Where it works: Windows, Unix, Unix SMB, SharePoint, NetApp, EMC, Hitachi NAS, HP NAS, SharePoint Online, OneDrive, Dell FluidFS

Rootkits and Backdoors

Rootkits and backdoors are payloads that allow hackers to access a computer and its attached network, run commands to move laterally, and steal data. Rootkits are usually prepackaged executables, while backdoors are routes hackers can take to bypass standard authentication on the network.

Once a hacker has a rootkit or backdoor installed and access to the network established, they will start to poke around and look for the profitable stuff to steal, which these days ranges from social security numbers to credit card numbers to emails.

How to Stop Rootkits and Backdoors with Varonis

Hackers often use service accounts to move around the network: a service account often has more privileged access, and therefore access to more valuable data.

Threat Model: Abnormal service behavior: access to atypical files

How it works: Service accounts typically behave in a consistent manner, performing the same actions over and over again. When a service account starts performing actions on file types that are outside of its usual behavior, something suspicious is likely going on. Because Varonis classifies all AD accounts as Admin, Executive, Service, or User, we can recognize when an account that is classified as Service starts to access files outside of its usual behavior.

What it means: Someone is using this service account to look at other files, most likely in an attempt to exploit the service account privileges to navigate through the file structure. There’s never a valid reason for a service account to access files outside of normal operation, and the account should be locked out and the credentials changed.

Where it works: Windows, Unix, Unix SMB, SharePoint, NetApp, EMC, Hitachi NAS, HP NAS, SharePoint Online, OneDrive, Dell FluidFS

Another tactic linked with these types of attacks is brute force – which Varonis can help thwart with threat models that focus on lockout events.

Threat Model: Abnormal admin behavior: accumulative increase in lockouts for individual admin accounts

How it works: DatAlert detects statistically significant increases in lock-out events over time, and can identify an unusual number of lock-out events on an admin account compared to its typical behavior.

What it means: The account is trying to log in and failing repeatedly. This could be a misconfigured password for a valid user, or it could be an attempt by an outsider to brute-force or guess the password. The account is probably the target of a gradual brute-force attack aimed at stealing admin credentials or denying access.

Where it works: Directory Services

A third tactic associated with these types of attacks is privilege escalation: hackers may try to elevate the privileges of a user that they already have access to – in order to extend their access to more sensitive data.

Threat Model: Membership changes: admin group

How it works: Varonis monitors membership changes, and can flag when members are added to or removed from an admin group.

What it means: If the change was made outside of change control then it’s likely an attempt to steal data by using a privileged account.

Where it works: Directory Services

Remote Access Trojans (RATs)

Remote Access Trojans (RATs) are a different type of malware that opens a back door to give hackers access. A relic from the 90s, they’re still in use today.

How to Stop Remote Access Trojans (RATs) with Varonis

Varonis Edge analyzes perimeter devices including VPNs, Web Proxies, and DNS (like what’s leveraged in DNSMessenger), and you can leverage threat models specifically designed for suspicious DNS activity or remote access behavior.

Threat Model: Abnormal behavior: activity from new geolocation to the organization

How it works: Any activity that originates outside of known geolocations will trigger this threat model.

What it means: Someone attempted to reach into the network through the VPN from a new geolocation.

Where it works: VPN

Another tactic associated with this type of malware is DNS Tunneling, which encodes data or protocols in DNS queries and responses.

Threat Model: Data Exfiltration via DNS Tunneling

How it works: Varonis monitors DNS and will detect commands that are sent through the DNS channel that aren’t DNS requests. DNS tunnels depend on using the DNS protocol to pass and execute commands on the target. As soon as Varonis sees a non-standard DNS request this threat model will be triggered.

What it means: Someone is trying to use DNS to execute commands that aren’t DNS requests. This is most likely a hacking attempt.

Where it works: DNS

What Did I Miss?

That’s just a handful of examples of how our threat models detect suspicious activity and help protect against three types of common malware. Have you had to investigate a malware incident? If you feel like sharing, leave a comment below; we’d love to hear it.

You can also check out DatAlert for yourself and see these threat models in action, or get a free 30-day Data Security Risk Assessment.

SIEM Tools: Varonis Is the Solution That Makes the Most of Your SIEM

SIEM applications are an important part of the data security ecosystem: they aggregate data from multiple systems, normalize that data, then analyze that data to catch abnormal behavior or data security attacks. SIEM provides a central place to collect events and alerts – so that you can initiate a security investigation.

But what then?

The biggest issue we hear from customers when they use SIEM is that it’s extremely difficult to diagnose and research security events. The volume of low-level data and the high number of alerts cause a ‘needle in a haystack’ effect: users get an alert but often lack the clarity and context to act on that alert immediately.

And that’s where Varonis comes in. Varonis provides additional context to the data that a SIEM collects: making it easier to get more value out of a SIEM by building in-depth context, insight, and threat intelligence into security investigations and defenses.

Limitations of SIEM Applications as a Full Data Security Ecosystem

SIEM applications provide limited contextual information about their native events, and SIEMs are known for their blind spot on unstructured data and emails. For example, you might see a rise in network activity from an IP address, but not the user that created that traffic or which files were accessed.

In this case, context can be everything.

What looks like a significant transfer of data could be completely benign and warranted behavior, or it could be a theft of petabytes of sensitive and critical data. A lack of context in security alerts leads to a ‘boy who cried wolf’ paradigm: eventually, your security team will be desensitized to the alarm bells going off every time an event is triggered.

SIEM applications are unable to classify data as sensitive or non-sensitive and therefore are unable to distinguish sanctioned file activity from suspicious activity that can be damaging to customer data, intellectual property, or company security.

Ultimately, SIEM applications are only as capable as the data they receive. Without additional context on that data, IT is often left chasing down false alarms or otherwise insignificant issues. Context is key in the data security world to know which battles to fight.

How Varonis Complements SIEM

The context that Varonis brings to SIEM can be the difference between a snipe hunt and preventing a major data security breach.

Varonis captures file event data from various data stores – on-premise and in the cloud – to give the who, what, when, and where of each file accessed on the network. With Varonis Edge monitoring, Varonis will also collect DNS, VPN, and web proxy activity. You’ll be able to correlate the network activity with the data store activity in order to paint a complete picture of an attack from infiltration through file access to exfiltration.

Varonis classifies unstructured files based on hundreds of possible pattern matches, including PII, government ID numbers, credit card numbers, addresses, and more. That classification can be extended to search for company-specific intellectual property, discover vulnerable, sensitive information, and help meet compliance for regulated data – and Varonis reads files in place without any impact to end users.

Varonis also performs user behavior analytics to provide meaningful alerts based upon learned behavior patterns of users, along with advanced data analysis against threat models that inspect patterns for insider threats (exfiltration, lateral movement, account elevation) and outsider threats (ransomware).

How Varonis Works with SIEM

Varonis integrates with SIEM applications to give security analytics with deep data context so that organizations can be confident in their data security strategy.

Integration highlights:

  • Out of the box analytics
  • Integrated Varonis dashboards and alerts for streamlined investigation
  • Alert specific investigation pages
  • Critical information highlighted at a glance, with actionable insights and context
  • Integration into your SIEM workflow

Investigating an Attack with Varonis and SIEM

This contextual data that Varonis brings gives security teams meaningful analysis and alerts about the infrastructure, without the additional overhead or signal noise to the SIEM. SOC teams can investigate more quickly by leveraging SIEM with Varonis, and get insight into the most critical assets they need to protect: unstructured data and email.

Investigating a ransomware incident using Varonis DatAlert, for instance, is much faster than looking through the SIEM logs to piece together what happened.

With the added visibility provided by DatAlert, you get an at-a-glance overview on what’s happening on your core data stores – both on-premise and in the cloud. You can easily investigate users, threats, and devices – and even automate responses.

Here, it looks like Hijacked Helen has 21 alerts – something suspicious is going on. You can easily click through to Helen’s alerts to find out what it might be: including a potential malware attack.

You can dive into those individual alerts to understand and investigate the situation. In the alert details, it looks like the alerted events have originated from outside our company.

Scrolling down the Alert page, you can see that there is one computer involved, and 24 sensitive files have been accessed. Additionally, 10% of all events for this computer occurred outside of Helen’s normal work hours. It sure does look like Helen’s PC is being used by some outsider to access files in the network.

On that same alert page, you can see that the files accessed from Helen’s PC are owned by Payroll Pete – it looks like a hacker is trying to access payroll data.

That’s just the beginning of investigating suspicious behavior and activity with Varonis and your SIEM. DatAlert can kick off a script to disable the user account and shut down the attack as soon as it is first detected – in which case, that hacker might not have been able to get to the payroll files at all!

With the context you have at your disposal, you can quickly and easily respond to – and manage – the alerts that you receive in your SIEM. Security analysts spend countless hours to get meaningful alerts from SIEM: fine-tuning use cases, building rules, and adding in data sources – Varonis gives a head start with 120 out-of-the-box analytics models, intuitive dashboards, and intelligent alerting.

OK, I’m Ready to Get Started!

If you’re already using a SIEM, it’s simple to add Varonis and get more out of your SIEM investment. If you’re looking to start your data security plan, start with Varonis and then add your SIEM.

Once you have Varonis in place, you can then add your SIEM for data aggregation and additional monitoring and alerting. Varonis gives you more initial data security coverage, and adding a SIEM will make Varonis and your SIEM better able to correlate and store data for analysis and auditing.

Want to see more? Click here for a personalized demo to see how Varonis and SIEM work together.

The Difference Between IAM’s User Provisioning and Data Access Management

Identity and access management (IAM)’s user provisioning and data security’s data access management both manage access. But provisioning is not a substitute, nor is it a replacement for data access management. The nuances between the two are enough to put the two in distinct categories. Both are important and knowing the difference between the two will help you figure out the right tool for the job.

What is User Provisioning?

User provisioning is the creation and management of access to the organization’s resources. Access can range from IT accounts (CRM, Salesforce, email, etc.) to non-IT equipment and resources such as an access badge, phone, car, etc.

IT administrators who are responsible for provisioning access know that doing it manually is tedious and complicated, and that even with a checklist the risk of making mistakes is quite high.

Of course, there’s always the option to leverage directory services to automate the provisioning workflow. And the process of maintaining those access rights continues as people’s responsibilities evolve and when they leave the organization.

IAM systems further automate this process. To streamline provisioning, organizations create templates, called “roles”, that package together and assign specific values to accounts. For example, any full-time employee on the Finance team will receive the same types of access: an email account, authorization to the parking area, and access to the billing and payment systems. Later in her career, the Finance user might change jobs and join the legal team. IAM will facilitate that role change: since the user is still an employee, she will retain her email and parking access, but the system will revoke her rights to the billing and payment systems, and then grant access to the eDiscovery and records management tool.

So far, there’s no reason to believe that you can’t provision access to data in the same way: make access available to users who need it and manage as needed.

So What’s the Problem?

Organizations with IAM solutions often assume that existing security groups and roles align with the underlying data structures that contain an organization’s data. Unfortunately, even though users might be in the correct groups, they inevitably end up with far more access to data than is necessary or relevant to their jobs.

Sure, IAM solutions have complete lists of users and groups from directory services. However, one of the biggest challenges is mapping these users and groups to access control lists (ACLs) which control access to the data itself.

What’s more, IAM doesn’t identify which users are accessing which files and more importantly, it doesn’t identify which folders and files contain sensitive data.

How Data Access Really Works

ACLs control access to data.

What this means is that if a file object has an ACL that contains (Allen: read, write; Jared: read), this would give Allen permission to read and write data in the file and Jared would only be able to read it.

The best practice is to manage access through groups. A typical ACL will consist of groups with various rights; for example, the ACL will have one group which has read permission, and another group that has read & write permission. Then, in order to grant access, simply add users to the groups that correspond to the desired access.

In theory, it seems simple enough to control and maintain access to data by keeping the correct users in the right group, and right groups on the ACLs.

Here’s what happens in reality: links between users, groups and the data get broken over time. Often, users are added to groups and are never removed. ACLs are modified to include groups that aren’t related to the data the ACL was originally intended to protect, or even worse, groups are added to other groups, further complicating the situation and causing a wider ripple effect.

In order to manage data access properly, it’s vital to ensure that security groups are actually granting access to the right sets of data. Having that link is key to avoiding unintended consequences, like adding a user to an innocuous-seeming group that, through group nesting, actually grants access to critical or sensitive business data.
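As an added example (not code from the post or from Varonis), here is a small Python audit that follows ACLs through nested groups to work out who can really reach a sensitive file and by which chain of groups. The directory data, file paths and the “sensitive” classification are constructed for illustration; the Parking-Access group nested inside Finance-RW is the innocuous-seeming-group case the section above describes.

```python
from collections import deque

# Constructed sample directory: group -> (direct user members, nested groups).
# Parking-Access was nested into Finance-RW at some point "to save time" and
# never removed: the kind of broken link described above.
GROUPS = {
    "Finance-RW":     ({"allen"}, {"Parking-Access"}),
    "Finance-RO":     ({"jared"}, set()),
    "Parking-Access": ({"dana"},  set()),
}

# Constructed ACLs: path -> {principal (user or group): rights}. The first
# entry mirrors the (Allen: read, write; Jared: read) example from the text.
ACLS = {
    r"\\fs01\Legal\contract.docx":        {"allen": {"read", "write"}, "jared": {"read"}},
    r"\\fs01\Finance\Q3-statements.xlsx": {"Finance-RW": {"read", "write"}, "Finance-RO": {"read"}},
    r"\\fs01\Facilities\parking-map.pdf": {"Parking-Access": {"read"}},
}

# Constructed: what a classification pass would have flagged as sensitive.
SENSITIVE = {r"\\fs01\Finance\Q3-statements.xlsx"}


def direct_groups(user):
    """Groups that list `user` as a direct member."""
    return {g for g, (users, _) in GROUPS.items() if user in users}


def parent_groups():
    """Invert the nesting: group -> groups that contain it as a member."""
    parents = {g: set() for g in GROUPS}
    for group, (_, nested) in GROUPS.items():
        for child in nested:
            parents.setdefault(child, set()).add(group)
    return parents


def membership_chain(user, target):
    """Shortest chain of groups through which `user` is a member of `target`,
    e.g. ['Parking-Access', 'Finance-RW'], or None if there is no such chain.
    Walks upward through nesting; `seen` guards against nesting loops."""
    parents = parent_groups()
    queue = deque([group] for group in sorted(direct_groups(user)))
    seen = set()
    while queue:
        path = queue.popleft()
        group = path[-1]
        if group == target:
            return path
        if group in seen:
            continue
        seen.add(group)
        for parent in sorted(parents.get(group, ())):
            queue.append(path + [parent])
    return None


def effective_access(user, path):
    """Rights `user` actually holds on `path`, directly or via nested groups."""
    rights = set()
    for principal, granted in ACLS.get(path, {}).items():
        if principal == user or (principal in GROUPS and membership_chain(user, principal)):
            rights |= granted
    return rights


def all_users():
    """Every user named anywhere in the groups or directly on an ACL."""
    users = set()
    for members, _ in GROUPS.values():
        users |= members
    for acl in ACLS.values():
        users |= {p for p in acl if p not in GROUPS}
    return users


def sensitive_access_report():
    """For each sensitive file: every user who can reach it, their rights, and
    the group chains that grant them. This is the user-to-group-to-data link
    the text says must be verified rather than assumed."""
    report = {}
    for path in sorted(SENSITIVE):
        report[path] = {}
        for user in sorted(all_users()):
            rights = effective_access(user, path)
            if not rights:
                continue
            chains = [membership_chain(user, g) for g in ACLS[path] if g in GROUPS]
            report[path][user] = (sorted(rights), [c for c in chains if c])
    return report


if __name__ == "__main__":
    for path, users in sensitive_access_report().items():
        print(path)
        for user, (rights, chains) in users.items():
            print(f"  {user}: {rights} via {chains}")
```

In the report, dana shows up with read and write on the Finance spreadsheet although she was only ever added to Parking-Access; the chain column is what tells the reviewer which nesting to undo.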

It’s All in the Details

In short, we’ve detailed how intricate the practical details are in managing data access. Yes, user provisioning access to IT resources is a form of access management and very important to security, but it’s not a proper form of data access nor is it data security.

[Podcast] Manifesting Chaos or a Security Risk?

Regular listeners of the Inside Out Security podcast know that our panelists can’t agree on much. And bold allegations that IT is the most problematic department in an organization can be, ahem, controversial.

But whether you love or hate IT, we can’t deny that technology has made significant contributions to our lives. For instance, grocery stores are now using a system, order-to-shelf, to reduce food waste. There are apps to help drivers find alternate routes if they’re faced with a crowded freeway. Both examples are wonderful use cases, but also have had unforeseen side effects.

Even though profits are up, empty aisles at grocery stores are frustrating shoppers as well as employees. Quiet neighborhoods that became alternate routes are experiencing traffic due to a new influx of drivers as well as noise pollution.

When there are unforeseen consequences from a technological improvement, are we manifesting chaos or a security risk?

Other articles discussed:

Tool of the week: Pown Proxy

Panelists: Kilian Englert, Mike Buckbee, Matt Radolec

[Podcast] The Security of Legacy Systems

It’s our first show of 2018 and we kicked off the show with predictions that could potentially drive headline news. By doing so, we’re figuring out different ways to prepare and prevent future cybersecurity attacks.

What’s notable is that IBM set up a cybersecurity lab, where organizations can experience what it’s like to go through a cyberattack without any risk to their existing production systems. This is extremely helpful for companies with legacy systems that might find it difficult to upgrade for one reason or another. But we can all agree that what’s truly difficult are the technologies that you can’t just fix with a patch, such as the Spectre and Meltdown attacks.

Other articles discussed: Hotmail changed Microsoft and email

Panelists: Kris Keyser, Kilian Englert

The Difference Between Data Governance and IT Governance

Lately, we’ve been so focused on data governance, extracting the most value from our data and preventing the next big breach, that many of us have overlooked the IT governance fundamentals which help us achieve great data governance.

The source of some of the confusion is that data and IT governance have very similar and interdependent goals. Broadly speaking, both processes aim to optimize the organization’s assets to generate greater business value for the organization.

Since IT and data governance are so inextricably connected and vital to an organization’s operations, let’s compare and contrast the two.

What is IT Governance?

IT governance ensures that the organization’s IT investments support the business objectives, manage the risks, and meet compliance regulations.

Examples of an organization’s IT investments: physical and technical security, encryption, servers, software, computer and network devices, database schemas, and backups.

It’s often argued that these investments are a cost center rather than a money generator. Here’s some tough talk: organizations wouldn’t be able to operate, optimize or even generate revenue without IT.

In short: no IT, no data, and no business.

But good IT operations require dedicated leadership to ensure that tech investments are maximized.

Stakeholders involved in the success of IT governance include the board of directors, executives in finance, operations, marketing, sales, HR, vendors and, of course, the chief information officer (CIO) as well as other IT management.

The key individual who’s responsible for aligning IT governance to the organization’s business goals is the CIO.

To accomplish their goals, CIOs will often use existing IT governance frameworks created by industry experts. These frameworks also provide implementation guides, case studies and assessments. Here are some frameworks you may have heard of:

COBIT 5: A staple in the industry, this framework helps enterprises with IT governance, business optimization, and growth by leveraging proven practices. It is based on five key principles for the governance and management of enterprise IT:

  1. Meeting Stakeholder Needs
  2. Covering the Enterprise End-to-End
  3. Applying a Single, Integrated Framework
  4. Enabling a Holistic Approach
  5. Separating Governance From Management

ITIL: The IT Infrastructure Library helps align IT services with the needs of the business. It is best known for its five core publications, each of which collects the best practices for one phase of the IT service lifecycle.

FAIR: This is a new framework, and according to their website, “they’re a non-profit professional organization dedicated to advancing the discipline of measuring and managing information risk. They provide information risk, cybersecurity and business executives with the standards and best practices to help organizations measure, manage and report on information risk from the business perspective.”

When it comes to frameworks, you’ll have to decide which one works with your company culture, and oftentimes organizations will find that a hybrid approach works best.

And with proper IT governance, the chance of data governance success increases. Why? How a company executes and manages its systems, applications and IT support, and how those in turn manage the company’s data, directly affects data governance.

So What Then is Data Governance?

Data governance refers to the management of data in order to improve business outcomes and fuel business growth.

So far, with the exception of asset type, data governance is very similar to IT governance.

The stakeholders involved for data governance include all the individuals required for IT governance plus a few more executives: the board, executives in finance, operations, marketing, sales, HR, vendors, CIO, IT management.

However, the individual responsible for aligning data with the organization’s business metrics is the chief data officer (CDO). The CDO will also enlist data scientists, programmers, and any department that generates data, which is every department within an organization.

CDOs are a recent addition to the C-suite, and they help lead companies in generating business value from data. According to Gartner, 90 percent of large organizations will have a chief data officer by 2019.

Yes, a CDO is very much a technical role, but this position also requires business and change management skill sets. After all, they have to aggregate the data, analyze the data and, most challenging of all, get the business to act on the data.

Since data governance is a relatively new field, there aren’t established frameworks comparable to COBIT 5.

But based on my research and speaking with pros at conferences, a company’s executive suite should be asking some of the following questions:

  1. What is your business strategy?
    • A data strategy isn’t going to generate a single incremental dollar for your business; it’s simply an enabler.
  2. Have you defined and communicated key objectives throughout your organization?
    • You’re going to waste a lot of time, money and resources solving a problem if you don’t know what the business problem is.
  3. Do you have the right data, and is it of sufficient quality?
    • Without data quality, your data projects and analytics will inevitably fall short.

In talking with Jeffery McMillian, CDO of Morgan Stanley, I learned that he spends 90% of his time focused on the first two questions. Based on his experience, if you don’t get these right, everything else is pretty much null.

Keep data assets safe and secure: get a free risk assessment today.

Introducing Varonis Data Security Platform 6.4.100: Varonis Edge, GDPR Threat Models, Geolocation and More

It’s the beginning of a new year, and we have a huge new beta release to share with you. The beta release of the Varonis Data Security Platform 6.4.100 dropped earlier this month, and I wanted to share a few highlights:

Varonis Edge

We announced Varonis Edge back in November, and we’re excited for you to try it. After over a decade of protecting core data stores, we’re extending that same data security approach to the perimeter: analyzing devices like DNS, VPN, and Web Proxy to detect attacks like malware, APT intrusion, and exfiltration. With Edge, you’ll be able to correlate events and alerts from your perimeter with alerts and events about your data.

We’ve added new threat models for these perimeter devices, so that you can stay ahead of security events like brute force attacks, DNS tunneling, credential stuffing, and more.


By popular demand, we’ve added new classification categories to our Data Classification Engine (formerly Data Classification Framework). We’re shipping four predefined categories out of the box, to more easily identify and discover PII, PHI, PCI, and GDPR data.

GDPR Threat Models

With over 250 unique patterns to identify and classify EU data that will fall under the upcoming General Data Protection Regulation (GDPR), we’re making it easier than ever to see what’s happening to that data once it’s identified. You’ll not only be able to identify regulated data, but monitor and track when suspicious activity occurs on it with specific GDPR threat models: from abnormal service behavior accessing atypical folders containing GDPR data, to global access groups added to a folder with a significant amount of GDPR data, and more.


Everybody likes a map, and DatAlert now tracks cyberattacks to a specific location, alerting when unusual access to your data is coming from a new or unusual physical location, or geolocation. New threat models track unreasonable geohopping, activity from a blacklisted geolocation, and activity from a new geolocation.

We’ve added maps and geolocation to the DatAlert web interface – so that you can see what’s going on and where at a glance.

Other updates include:

  • HPE 3PAR support
  • Enhancements to DatAlert search functionality: predefined searches, saved searches, and more
  • Improved performance and support for incremental search results
  • Office 365 Azure AD auditing and collection
  • Enhancements to AD authentication events
  • Automation Engine: support for multiple OU selection for new groups/per filer resolution
  • DataPrivilege request-related and owner-related API now supports both Windows and SharePoint
  • Reporting now supports relative mode for all date filters

Want to see it in action? Get a personalized demo and ask about the latest features today.


Add Varonis to IAM for Better Access Governance

Managing permissions is a colossal job fraught with peril, and over-permissive folders are the bane of InfoSec and a hacker’s delight. Many organizations employ IAM (Identity and Access Management) to help manage and govern access to applications and other corporate resources.

One of the challenges that remains after implementing an IAM solution, however, is how to apply its principles to unstructured data. IAM may be able to help you manage group memberships in Active Directory, but can’t tell you which data each group gives access to. It’s like managing the keys on a keyring without knowing which doors they unlock.

That’s where Varonis comes in. DatAdvantage has a bi-directional permissions view: just double-click on a folder, site, or mailbox to see who has access to it or click on a user or group to see everything they can access – across all your data stores.

Our customers often find that IAM is overprovisioning access based on roles, and Varonis will bring attention to those issues and help you fix them.

Varonis integrates with IAM to enhance and extend its capabilities, bringing together a holistic data security solution.

How Varonis Integrates with IAM

Varonis DataPrivilege enhances the IAM process by taking the IT staff out of the approval chain for data access and putting that decision back with the data owners. Once that’s taken care of, you can implement a workflow to maintain least privilege permissions.

Varonis supports these integrations through both SOAP and REST APIs. With the API, you can synchronize managed data with your IAM/ITSM solution, and return instructions to DataPrivilege to execute and report on requests and access control changes. You’ll be able to use the integration to externally control DataPrivilege entitlement reviews, self-service access workflows, ownership assignment, and more.

The integrations allow for several standard use cases:

  • Data-Side Entitlement Review: From the IAM system, a user can request a report of the permissions on a folder for auditing, with options for removal
  • Line Manager User Side Entitlement Review: A manager selects one of their direct reports to pull a list of all groups and permissions that user is a member of, and can request changes directly from the list
  • Self Service Access Request Workflow: Users request folder or group access, and DataPrivilege manages the approval process
  • Provisioning/Deprovisioning Workflow: Creating a new user in the IAM triggers a process to provide that user with standard permissions based on their job function, and conversely deprovisioned users get removed from all groups, so there are no orphaned accounts left in groups

Advantages of Adding Varonis to Your IAM Strategy

On top of the IAM integration capabilities, Varonis helps build out a strong data security strategy: adding monitoring, classification, threat detection, and more to your arsenal.

If you have an IAM or are planning on implementing one as part of your 2018 data security initiatives, we’ll show you how to get even more out of it by integrating with the Varonis Data Security Platform. Request a personalized demo to get started.

I’m Sean Campbell, Systems Engineer at Varonis, and This is How I Work

In April of 2013, after a short stint as a professional baseball player, Sean Campbell started working at Varonis as a Corporate Systems Engineer.

Currently a Systems Engineer for New York and New Jersey, he is responsible for uncovering and understanding the business requirements of both prospective and existing customers across a wide range of verticals. This involves many introductory presentations, proof of concept installations, integration expansion discussions, and even the technical development of Varonis channel partners. Sean also leads a team of subject matter experts (SMEs) for our innovative DatAlert platform.

According to his manager Ben Lui:

“Sean Campbell is one of the most talented engineers on my team. He is the regional DatAlert SME and bridged valuable feedback from both customers and the field back to product management. Sean is also an excellent team player and excels at identifying critical data exposure during customer engagements. Overall, Sean is a key contributor to the Varonis organization.”

The fast-paced environment, the challenge of data security, and the fact that the sales cycle is far from “cookie cutter” are what Sean enjoys most about his role here. He also values the relationships he has been able to build up over the years on both the Varonis and customer side.

Read on to learn more about Sean, this time in his own words.

What would people never guess you do in your role?

I’ve done a lot of interesting behind the scenes work – from creating new hire training materials to assisting with customer data breach investigations.

How has Varonis helped you in your career development?

I didn’t begin my career in sales, so my perspective on security was pretty narrow. Varonis has broadened that tremendously. I’ve developed the skills needed to tailor a conversation to different audiences whether it be a CISO, Cloud Admin, or a room full of other Sales Professionals. My technical skills have evolved as well, from basic Windows knowledge to more complex troubleshooting skills of the different platforms we support here. Pays a little better than minor league baseball!

What advice do you have for prospective candidates?

Humanize people, no matter the job title or status. Empathetic conversations begin and sustain smoothly that way. Be clear, be concise, be quick to listen and slow to speak! Something I’m always practicing.

What do you like most about the company? 

There is a maniacal yet focused approach with everyone here. We have crazy high standards for ourselves, but a culture of togetherness. You get things done and grow! I’m always excited to see what we are innovating next!

What’s the biggest data security problem your customers/prospects are faced with?

The elusive “starting point,” or where to begin, is a huge up-front challenge. Everyone has data to protect, everyone typically has gaps, but similar to the NFL, it’s all the same league, just different playbooks. A successful playbook might resemble this one.

What certificates do you have?

Does birth count? Kidding, I have a security certification exam coming up next year. Wish me luck!

What’s your all-time favorite movie or tv show?

Movie is The Sandlot, and there are too many TV shows I like to just pick one.

If you could choose any place in the world to live, where would it be and why?

Just give me warm weather year round with easy access for family and friends to visit.

My wife and I are good with that. I also wouldn’t mind a golf course within walking distance.

What is the first thing you would buy if you won the lottery?

If it’s the big one, get me Richard Branson’s island broker.

Interested in becoming Sean’s colleague? Check out our open positions!