At the end of the previous post, we took up the nuts-and-bolts issues of protecting sensitive data in an organization’s file system. One popular approach, the least-privilege access model, is explicitly called for in compliance standards such as NIST 800-53 and PCI DSS. Varonis DatAdvantage and DataPrivilege provide a convenient way to implement it.
Let’s start with DatAdvantage. We saw last time that DA provides graphical support for helping to identify data ownership.
If you want to get more granular than just seeing who has been accessing a folder, you can view the actual access statistics of the top users with the Statistics tab (below).
This is a great help in understanding who is really using the folder. The ultimate goal is to find the true users and remove extraneous groups and users, who perhaps needed occasional access at some point but not as part of their job role.
The key point is to first determine the folder’s owner — the one who has the real knowledge of what the folder is all about. This may require some legwork on IT’s part in talking to the users, based on the DatAdvantage stats, and working out the real chain of command.
Once you use DatAdvantage to set the folder owners (below), these better-informed power users, as we’ll see, can independently manage who gets access and whose access should be removed. The folder owner also automatically receives DatAdvantage reports, which help guide future access decisions.
There’s another important point to make before we move on. IT has long been responsible for provisioning access without knowing the business purpose behind it. Varonis DatAdvantage helps IT find the owners and then hand the access-granting decisions to them.
Once the owner has done the housekeeping of paring back and removing unnecessary folder groups, they’ll want to put a process in place for ongoing permission management. Data standards and laws recognize the importance of having security policies and procedures as part of an ongoing program, i.e., not something an owner does once a year.
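The reconciliation the Statistics tab supports can be sketched in code. The block below is an added example, not Varonis code: it assumes you can export a folder’s ACL as (principal, permission) pairs, flattened group membership as a dictionary, and the access log as (user, folder, timestamp) tuples. The folder, accounts, groups, permission ranking and events are all constructed for the demo. It goes one step past the text by separating ACEs nobody used from ACEs that are merely redundant, such as a broad group whose active members already get equal or higher rights through a narrower entry.

```python
"""Reconcile a folder ACL with observed access statistics.

Added example, not Varonis code. It assumes you can export the folder's ACL
as (principal, permission) pairs, flattened group membership as a dict, and
per-user access events as (user, folder, timestamp) tuples. All data below
is constructed for the demo.
"""
from collections import Counter
from datetime import datetime, timedelta

FOLDER = "\\\\fs01\\Share\\finance"
NOW = datetime(2024, 6, 1)
PERM_RANK = {"Read": 1, "Modify": 2, "Full Control": 3}   # assumed ordering

# Constructed ACL: who currently has access to FOLDER.
ACL = [
    ("CORP\\Finance-Users", "Modify"),
    ("CORP\\Marketing-Users", "Read"),
    ("CORP\\Domain Users", "Read"),      # the classic over-broad group
    ("CORP\\jsmith", "Modify"),          # direct user ACE
]

# Constructed, already flattened group membership (nested groups expanded).
GROUPS = {
    "CORP\\Finance-Users": {"CORP\\alee", "CORP\\bkim"},
    "CORP\\Marketing-Users": {"CORP\\cpatel"},
    "CORP\\Domain Users": {"CORP\\alee", "CORP\\bkim", "CORP\\cpatel",
                           "CORP\\dng", "CORP\\jsmith"},
}


def build_events():
    """Constructed access log for the demo: (user, folder, when)."""
    ev = []
    for i in range(40):
        ev.append(("CORP\\alee", FOLDER, NOW - timedelta(days=i % 60)))
    for i in range(12):
        ev.append(("CORP\\bkim", FOLDER, NOW - timedelta(days=i * 7)))
    for i in range(3):
        ev.append(("CORP\\jsmith", FOLDER, NOW - timedelta(days=i * 10)))
    ev.append(("CORP\\dng", FOLDER, NOW - timedelta(days=200)))       # outside the window
    ev.append(("CORP\\cpatel", "\\\\fs01\\Share\\marketing", NOW))    # different folder
    return ev


def access_stats(events, folder, since):
    """Per-user access counts for one folder within the review window."""
    return Counter(u for u, f, when in events if f == folder and when >= since)


def members_of(principal, groups):
    """A group ACE covers its members; a user ACE covers only that user."""
    return groups.get(principal, {principal})


def review_acl(acl, groups, stats):
    """Return (unused, redundant).

    unused:    ACEs none of whose members touched the folder in the window.
    redundant: ACEs whose active members are all covered by some other ACE
               granting at least the same permission.
    """
    active = {ace: {u for u in members_of(ace[0], groups) if stats.get(u, 0) > 0}
              for ace in acl}
    unused = [ace for ace, users in active.items() if not users]
    redundant = []
    for ace, users in active.items():
        if not users:
            continue
        rank = PERM_RANK[ace[1]]
        covered = all(
            any(u in members_of(o[0], groups) and PERM_RANK[o[1]] >= rank
                for o in acl if o != ace)
            for u in users)
        if covered:
            redundant.append(ace)
    return unused, redundant


def run_review(window_days=90):
    """Review the demo folder: returns (stats, unused_aces, redundant_aces)."""
    stats = access_stats(build_events(), FOLDER, NOW - timedelta(days=window_days))
    unused, redundant = review_acl(ACL, GROUPS, stats)
    return stats, unused, redundant


if __name__ == "__main__":
    stats, unused, redundant = run_review()
    for user, n in stats.most_common():
        print(f"{user:<24} {n:>4} accesses in the last 90 days")
    print("unused ACEs (no member used the folder):", unused)
    print("redundant ACEs (members already covered):", redundant)
```

In the demo, Marketing-Users comes out as unused and Domain Users as redundant, while the direct jsmith entry survives because the only other ACE covering jsmith grants less than Modify. Both lists are candidates for the owner to confirm, not changes to apply blindly: an account that is only active once a quarter still needs its access.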
And Varonis has an important part to play here.
Maintaining Least-Privileged Access
How do ordinary users whose job role now requires them to access a managed folder request permission from the owner?
This is where Varonis DataPrivilege makes an appearance. Regular users will need to bring this interface up (below) to formally request access to a managed folder.
The owner of the folder has a parallel interface from which to receive these requests and then grant or revoke permissions.
As I mentioned above, these ideas about least-privilege access and permission management are often explicitly part of compliance standards and data security laws. Building on the list from the previous post, here’s a more complete enumeration of controls that Varonis DatAdvantage supports:
- NIST 800-53: AC-2, AC-3, AC-5, CM-5
- NIST 800-171: 3.1.4, 3.1.5, 3.4.5
- PCI DSS 3.x: 7.1,7.2
- HIPAA: 45 CFR 164.312 a(1), 164.308a(4)
- ISO 27001: A.6.1.2, A.9.1.2, A.9.2.3, A.11.2.2
- CIS Critical Security Controls: 14.4
- New York State DFS Cybersecurity Regulations: 500.07
Stale Sensitive Data
Minimization is an important theme in security standards and laws. These ideas are best represented in the principles of Privacy by Design (PbD), which gives good overall advice on the subject: minimize the sensitive data you collect, minimize who gets to see it, and minimize how long you keep it.
Let’s address the last point, which goes under the more familiar name of data retention. One low-hanging fruit for reducing risk is to delete or archive files containing sensitive data that the business no longer needs.
This makes obvious sense. Stale data can be, for example, consumer PII collected for a short-term marketing campaign but still sitting in dusty spreadsheets or forgotten management presentations.
Your organization may no longer need it, but it’s just the kind of monetizable data that hackers love to get their hands on.
As we saw in the first post, which focused on Identification, DatAdvantage can find and identify files that haven’t been used since a given threshold date.
Can the stale data report be tweaked to find stale data that is also sensitive?
Yes: add the hit count filter and set the minimum number of sensitive data matches to an appropriate value.
In my test environment, I discovered that the C:\Share\pvcs folder hadn’t been touched in over a year and contains some sensitive data.
The next step is a visit to the Data Transport Engine (DTE), available in DatAdvantage from the Tools menu. It lets you create a rule that searches for matching files and archives them, or deletes them if necessary.
In my case, the rule’s search criteria mirror the filters used to generate the report. The rule does the real heavy lifting of removing the stale, sensitive data.
Since the rule is saved, it can be rerun to enforce the retention limits. Even better, DTE can run the rule automatically on a schedule, so enforcement doesn’t depend on someone remembering to do it. A practical caveat: start with archiving rather than deletion and review the first few runs, since a hit count threshold set too low will sweep up files that merely look sensitive.
Data retention requirements appear in the following security standards and regulations:
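To make the report-plus-rule workflow concrete, here is an added example that is not Varonis code: a stand-in for the stale-data report with a hit count filter, followed by a stand-in for a Data Transport Engine rule that archives what the report flagged. The directory layout, the 365-day threshold, the minimum hit count and the detection patterns (SSN-shaped strings and Luhn-valid card numbers) are assumptions, and the sample files are constructed inside a temporary directory so the script runs offline.

```python
"""Find stale files that also contain sensitive data, then archive them.

Added example, not Varonis code: a stand-in for the stale-data report with
a hit-count filter and for a Data Transport Engine rule. Paths, thresholds
and the detection patterns are assumptions; sample files are constructed.
"""
import re
import os
import shutil
import tempfile
import time
from pathlib import Path

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")           # assumed pattern
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")       # 13-16 digits, optional separators


def luhn_ok(digits):
    """Luhn check so that random digit runs are not counted as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def count_hits(text):
    """Number of sensitive-data matches in a file's text (the 'hit count')."""
    hits = len(SSN_RE.findall(text))
    hits += sum(1 for m in CARD_RE.findall(text) if luhn_ok(re.sub(r"\D", "", m)))
    return hits


def find_stale_sensitive(root, older_than_days, min_hits, now=None):
    """Files last used more than older_than_days ago with >= min_hits matches.

    Returns sorted (path, hits, age_days) tuples.
    """
    now = time.time() if now is None else now
    cutoff = now - older_than_days * 86400
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        st = path.stat()
        # Filesystem atime is unreliable (noatime/relatime mounts, and reading
        # a file resets it); in production take "last used" from the audit trail.
        last_used = max(st.st_atime, st.st_mtime)
        if last_used > cutoff:
            continue                      # recently used: not stale, never read
        hits = count_hits(path.read_text(errors="ignore"))
        if hits >= min_hits:
            findings.append((str(path), hits, int((now - last_used) // 86400)))
    return sorted(findings)


def apply_retention_rule(findings, root, archive_root, dry_run=True):
    """Move each flagged file under archive_root, preserving its relative path.

    dry_run=True only reports the planned moves; review that output before
    letting the rule run on a schedule.
    """
    moves = []
    for src, _hits, _age in findings:
        dst = Path(archive_root) / Path(src).relative_to(root)
        moves.append((src, str(dst)))
        if not dry_run:
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(src, dst)
    return moves


def build_fixture(root, now):
    """Constructed share: (relative path) -> (contents, age in days)."""
    files = {
        "pvcs/customers_2019.csv": ("name,ssn\nA,123-45-6789\nB,987-65-4321\n"
                                    "C,4111 1111 1111 1111\n", 400),   # stale + 3 hits
        "pvcs/notes.txt": ("meeting notes, nothing sensitive\n", 400),   # stale, 0 hits
        "pvcs/bad_card.txt": ("card 4111 1111 1111 1112\n", 400),         # fails Luhn, 0 hits
        "finance/q2.csv": ("ssn 123-45-6789\n", 5),                        # sensitive but in use
    }
    for rel, (text, age_days) in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
        ts = now - age_days * 86400
        os.utime(p, (ts, ts))             # back-date atime and mtime


def demo(older_than_days=365, min_hits=1):
    """Build the fixture, run the report and the rule, return what happened."""
    tmp = tempfile.mkdtemp()
    try:
        now = time.time()
        share = Path(tmp) / "Share"
        build_fixture(share, now)
        findings = find_stale_sensitive(share, older_than_days, min_hits, now)
        moves = apply_retention_rule(findings, share, Path(tmp) / "Archive", dry_run=False)
        return {
            "flagged": [(Path(p).name, hits) for p, hits, _ in findings],
            "archived": [Path(d).exists() and not Path(s).exists() for s, d in moves],
        }
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print(demo())
```

Only customers_2019.csv is flagged and moved: the recently used finance file is skipped without ever being read, the stale notes file has no hits, and the card number that fails the Luhn check is not counted. Raising `min_hits` is the equivalent of tightening the hit count filter in the report.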
- NIST 800-53: SI-12
- PCI DSS 3.x: 3.1
- CIS Critical Security Controls: 14.7
- New York State DFS Cybersecurity Regulations: 500.13
- EU General Data Protection Regulation (GDPR): Article 25.2
Detecting and Monitoring
Following the order of the NIST higher-level security control categories from the first post, we now arrive at our final destination in this series, Detect.
No data security strategy is foolproof, so you need a secondary defense based on detection and monitoring controls: in effect, you watch the system and look for unusual activity.
By now everyone knows (or should know) that phishing and injection attacks let attackers get around network defenses by borrowing existing users’ credentials, and that so-called fully undetectable (FUD) malware lets them slip past signature-based virus scanners.
So how do you detect the new generation of stealthy attackers?
Whatever the initial foothold, an attacker who is after data eventually has to touch the file system: staging tools, copying files, and crawling the directory hierarchy looking for sensitive data to exfiltrate. If you can spot those file activity patterns, you can stop them before they remove or exfiltrate the data.
We can’t cover all of DatAlert’s capabilities in this post — probably a good topic for a separate series! — but since it has deep insight into all file system information and events, plus histories of user behavior, it’s in a powerful position to determine what’s outside the normal range for a user account.
We call this user behavior analytics, or UBA, and DatAlert comes bundled with a suite of UBA threat models (below). You’re free to add your own, of course, but the predefined models are quite powerful as they are. They include detecting crypto intrusions, ransomware activity, unusual user access to sensitive data, unusual access to files containing credentials, and more.
All triggered alerts can be tracked from the DatAlert Dashboard. IT staff can intervene and respond manually or set up scripts to run automatically, for example to disable an account. Automated responses deserve a guard of their own: a false positive that disables a backup service account or an executive’s account is a self-inflicted outage, so scope automatic disabling to high-confidence models and keep an exclusion list that escalates to a human instead.
If a specific data security law or regulation requires breach notification to an authority, DatAlert can provide some of the information typically required: which files were accessed, what types of data they contained, and so on.
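The following added example, which is not DatAlert’s code or its threat models, shows the shape of the UBA logic described above over constructed file-activity events: a per-account volume baseline, a first-ever access to a sensitive folder, a ransomware-style burst of renames, and an automated-response decision with an exclusion list. The event format (time, user, operation, path), the sensitive folder, the z-score and rename thresholds, and the account names are all assumptions.

```python
"""Toy UBA over file-activity events: baseline each account, flag outliers,
and decide which accounts an automated response may disable.

Added example, not DatAlert's models or code. Event shape (time, user,
operation, path), sensitive folders, thresholds and the exclusion list are
assumptions; all events are constructed for the demo.
"""
import statistics
from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timedelta

Alert = namedtuple("Alert", "user kind detail")
FINANCE = "\\\\fs01\\Share\\finance"
HR = "\\\\fs01\\Share\\hr"
SENSITIVE_PREFIXES = (HR,)
NEVER_AUTO_DISABLE = {"CORP\\svc-backup"}   # alert on it, but never lock it out
DAY0 = datetime(2024, 5, 1)
TODAY = (DAY0 + timedelta(days=30)).date()


def build_events():
    """Constructed log: 30 quiet days, then one day with three anomalies."""
    ev = []
    for d in range(31):
        day = DAY0 + timedelta(days=d)
        quiet = d < 30
        for i in range(18 + d % 5 if quiet else 295):        # alee: ~20/day, then 300
            ev.append((day + timedelta(minutes=i), "CORP\\alee", "read", f"{FINANCE}\\q{i % 4}.xlsx"))
        for i in range(200 if quiet else 1000):               # backup account: noisy by design
            ev.append((day + timedelta(seconds=i), "CORP\\svc-backup", "read", f"{FINANCE}\\f{i}.dat"))
        for i in range(10 if quiet else 5):                   # cpatel: light user
            ev.append((day + timedelta(minutes=i), "CORP\\cpatel", "read", f"{FINANCE}\\m{i}.docx"))
    today = DAY0 + timedelta(days=30)
    for i in range(5):                                        # first-ever HR access by two accounts
        for u in ("CORP\\alee", "CORP\\svc-backup"):
            ev.append((today + timedelta(hours=1, minutes=i), u, "read", f"{HR}\\salaries{i}.xlsx"))
    for i in range(40):                                       # 40 renames to .locked in <3 minutes
        ev.append((today + timedelta(hours=2, seconds=4 * i), "CORP\\cpatel", "rename",
                   f"{FINANCE}\\m{i}.docx.locked"))
    return ev


def daily_counts(events):
    counts = defaultdict(Counter)
    for when, user, _op, _path in events:
        counts[user][when.date()] += 1
    return counts


def detect_volume_anomalies(events, day, z=3.0, min_history=7, min_count=50):
    """Flag accounts whose event count on `day` is > mean + z*std of their own
    history. min_count stops a tiny, flat baseline (std ~ 0) from alerting on
    a handful of events; days with no activity are simply absent here."""
    alerts = []
    for user, per_day in daily_counts(events).items():
        history = [c for dt, c in per_day.items() if dt < day]
        today = per_day.get(day, 0)
        if len(history) < min_history:
            continue
        mean, std = statistics.mean(history), statistics.pstdev(history)
        if today >= min_count and today > mean + z * std:
            alerts.append(Alert(user, "volume_anomaly", f"{today} events vs baseline {mean:.1f}+-{std:.1f}"))
    return alerts


def detect_new_sensitive_access(events, day, prefixes=SENSITIVE_PREFIXES):
    """Accounts touching a sensitive folder on `day` with no prior history of it."""
    before, on_day = set(), set()
    for when, user, _op, path in events:
        for p in prefixes:
            if path.startswith(p):
                if when.date() == day:
                    on_day.add((user, p))
                elif when.date() < day:
                    before.add((user, p))
    return [Alert(u, "new_sensitive_access", f"first access to {p}") for u, p in sorted(on_day - before)]


def detect_mass_rename(events, day, window=timedelta(minutes=5), threshold=30, ext=".locked"):
    """Ransomware-style pattern: >= threshold renames to `ext` inside a sliding window."""
    by_user = defaultdict(list)
    for when, user, op, path in events:
        if when.date() == day and op == "rename" and path.lower().endswith(ext):
            by_user[user].append(when)
    alerts = []
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(Alert(user, "mass_rename", f"{end - start + 1} renames to {ext} in {window}"))
                break
    return alerts


def plan_response(alerts, never_disable=NEVER_AUTO_DISABLE):
    """Auto-disable only on a ransomware-style alert or when two independent
    models agree; excluded accounts stay alerted but go to a human."""
    kinds = defaultdict(set)
    for a in alerts:
        kinds[a.user].add(a.kind)
    return sorted(u for u, k in kinds.items()
                  if ("mass_rename" in k or len(k) >= 2) and u not in never_disable)


def run_detection(events=None, day=TODAY):
    events = build_events() if events is None else events
    alerts = (detect_volume_anomalies(events, day)
              + detect_new_sensitive_access(events, day)
              + detect_mass_rename(events, day))
    return alerts, plan_response(alerts)


if __name__ == "__main__":
    alerts, to_disable = run_detection()
    for a in alerts:
        print(f"{a.kind:<22} {a.user:<18} {a.detail}")
    print("auto-disable:", to_disable)
```

On the demo data alee trips both the volume and the sensitive-access models and is disabled, cpatel trips only the rename burst and is disabled on that alone, and svc-backup, which also spikes and touches HR during a full backup run, is alerted but left alone because it is on the exclusion list. Those are the three cases an automated-response script has to get right before it is allowed to act on its own.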
Let’s close out this post with a final list of detection and response controls in data standards and laws that DatAlert can help support:
- NIST 800-53: SI-4, AU-13, IR-4
- PCI DSS 3.x: 10.1, 10.2, 10.6
- CIS Critical Security Controls: 5.1, 6.4, 8.1
- HIPAA: 45 CFR 164.400-164.414
- ISO 27001: A.16.1.1, A.16.1.4
- New York State DFS Cybersecurity Regulations: 500.02, 500.16, 500.27
- EU General Data Protection Regulation (GDPR): Article 33, 34
- Most US states have breach notification rules