SIEM applications are an important part of the data security ecosystem: they aggregate data from multiple systems, normalize it, and then analyze it to catch abnormal behavior or attacks on data. A SIEM provides a central place to collect events and alerts – so that you can initiate a security investigation.
But what then?
The biggest issue we hear from customers when they use SIEM is that it’s extremely difficult to diagnose and research security events. The volume of low-level data and the high number of alerts cause a ‘needle in a haystack’ effect: users get an alert but often lack the clarity and context to act on that alert immediately.
And that’s where Varonis comes in. Varonis provides additional context to the data that a SIEM collects: making it easier to get more value out of a SIEM by building in-depth context, insight, and threat intelligence into security investigations and defenses.
Limitations of SIEM Applications as a Full Data Security Ecosystem
SIEM applications provide limited contextual information about their native events, and SIEMs are known for their blind spot on unstructured data and email. For example, you might see a rise in network activity from an IP address, but not the user that generated that traffic or which files were accessed.
In this case, context can be everything.
What looks like a significant transfer of data could be completely benign and warranted behavior, or it could be the theft of petabytes of sensitive and critical data. A lack of context in security alerts leads to a ‘boy who cried wolf’ paradigm: eventually, your security team will be desensitized to the alarm bells going off every time an event is triggered.
SIEM applications are unable to classify data as sensitive or non-sensitive, and therefore cannot distinguish sanctioned file activity from suspicious activity that can damage customer data, intellectual property, or company security.
Ultimately, SIEM applications are only as capable as the data they receive. Without additional context on that data, IT is often left chasing down false alarms or otherwise insignificant issues. Context is key in the data security world to know which battles to fight.
How Varonis Complements SIEM
The context that Varonis brings to a SIEM can be the difference between a snipe hunt and the prevention of a major data security breach.
Varonis captures file event data from various data stores – on-premises and in the cloud – to give the who, what, when, and where of each file accessed on the network. With Varonis Edge monitoring, Varonis also collects DNS, VPN, and web proxy activity. You can correlate the network activity with the data store activity to paint a complete picture of an attack, from infiltration through file access to exfiltration.
Varonis classifies unstructured files based on hundreds of possible pattern matches, including PII, government ID numbers, credit card numbers, addresses, and more. That classification can be extended to search for company-specific intellectual property, discover exposed sensitive information, and help meet compliance requirements for regulated data – and Varonis reads files in place without any impact on end users.
Varonis also performs user behavior analytics to provide meaningful alerts based upon learned behavior patterns of users, along with advanced data analysis against threat models that inspect patterns for insider threats (exfiltration, lateral movement, account elevation) and outsider threats (ransomware).
How Varonis Works with SIEM
Varonis integrates with SIEM applications to give security analytics with deep data context so that organizations can be confident in their data security strategy.
- Out of the box analytics
- Integrated Varonis dashboards and alerts for streamlined investigation
- Alert-specific investigation pages
- Critical information highlighted at a glance, with actionable insights and context
- Integration into your SIEM workflow
Investigating an Attack with Varonis and SIEM
The contextual data that Varonis brings gives security teams meaningful analysis and alerts about the infrastructure, without adding overhead or signal noise to the SIEM. SOC teams can investigate more quickly by using the SIEM together with Varonis, and get insight into the most critical assets they need to protect: unstructured data and email.
Investigating a ransomware incident using Varonis DatAlert, for instance, is much faster than looking through the SIEM logs to piece together what happened.
With the added visibility provided by DatAlert, you get an at-a-glance overview of what’s happening on your core data stores – both on-premises and in the cloud. You can easily investigate users, threats, and devices – and even automate responses.
Here, it looks like Hijacked Helen has 21 alerts – something suspicious is going on. You can easily click through to Helen’s alerts to find out what it might be: including a potential malware attack.
You can dive into those individual alerts to understand and investigate the situation. In the alert details, it looks like the alerted events have originated from outside our company.
Scrolling down the Alert page, you can see that there is one computer involved, and 24 sensitive files have been accessed. Additionally, 10% of all events for this computer occurred outside of Helen’s normal work hours. It sure does look like Helen’s PC is being used by some outsider to access files in the network.
On that same alert page, you can see that the files accessed from Helen’s PC are owned by Payroll Pete – it looks like a hacker is trying to access payroll data.
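The enrichment described above (file events correlated with network activity, sensitivity classification, off-hours ratio, and data owner) reduced to a small script, as an added example that is not Varonis code; the events, owner map, patterns and the `enrich_alert` function are all constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample data: file-access events (who, what, when, where) as a
# file-activity monitor would record them, a file-owner map, and the host
# mapping a SIEM already holds from network events. None of it is real data.
FILE_EVENTS = [
    {"user": "helen", "host": "HELEN-PC", "path": "fs01/payroll/q3.xlsx",
     "ts": "2023-11-02T03:14:00", "content": "employee SSN 123-45-6789"},
    {"user": "helen", "host": "HELEN-PC", "path": "fs01/payroll/bonus.csv",
     "ts": "2023-11-02T09:02:00", "content": "card 4111-1111-1111-1111"},
    {"user": "helen", "host": "HELEN-PC", "path": "fs01/shared/menu.txt",
     "ts": "2023-11-02T10:30:00", "content": "lunch menu"},
    {"user": "helen", "host": "HELEN-PC", "path": "fs01/shared/memo.docx",
     "ts": "2023-11-02T11:00:00", "content": "team memo"},
    {"user": "pete", "host": "PETE-PC", "path": "fs01/payroll/q3.xlsx",
     "ts": "2023-11-02T14:00:00", "content": "employee SSN 123-45-6789"},
]
FILE_OWNERS = {"fs01/payroll/q3.xlsx": "pete", "fs01/payroll/bonus.csv": "pete"}
NETWORK_EVENTS = [
    {"src_ip": "10.0.0.5", "host": "HELEN-PC", "dst": "vpn-gw.example.test"},
    {"src_ip": "10.0.0.9", "host": "PETE-PC", "dst": "proxy.example.test"},
]
# Two stand-ins for the "hundreds of pattern matches" mentioned above.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b"),
}

def classify(text):
    """Return the set of sensitive-data labels whose pattern matches the text."""
    return {label for label, rx in SENSITIVE_PATTERNS.items() if rx.search(text)}

def enrich_alert(alert_ip, work_hours=(8, 18)):
    """Turn an IP-only SIEM alert into user, file, sensitivity and owner context."""
    hosts = {n["host"] for n in NETWORK_EVENTS if n["src_ip"] == alert_ip}
    related = [e for e in FILE_EVENTS if e["host"] in hosts]
    sensitive = [e for e in related if classify(e["content"])]
    off_hours = [e for e in related
                 if not work_hours[0] <= datetime.fromisoformat(e["ts"]).hour < work_hours[1]]
    return {
        "hosts": sorted(hosts),
        "users": sorted({e["user"] for e in related}),
        "events": len(related),
        "sensitive_files": len({e["path"] for e in sensitive}),
        "off_hours_pct": round(100 * len(off_hours) / len(related), 1) if related else 0.0,
        "data_owners": sorted({FILE_OWNERS.get(e["path"], "unknown") for e in sensitive}),
    }
```

Running `enrich_alert("10.0.0.5")` resolves the IP to HELEN-PC and reports the user, the count of sensitive files touched, the share of events outside working hours, and the owner of the sensitive files, which is the same context the alert page above presents.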
That’s just the beginning of investigating suspicious behavior and activity with Varonis and your SIEM. DatAlert can kick off a script to disable the user account and shut down the attack as soon as it is first detected – in which case, that hacker might not have been able to get to the payroll files at all!
With the context you have at your disposal, you can quickly and easily respond to – and manage – the alerts that you receive in your SIEM. Security analysts spend countless hours getting meaningful alerts out of a SIEM: fine-tuning use cases, building rules, and adding data sources. Varonis gives you a head start with 120 out-of-the-box analytics models, intuitive dashboards, and intelligent alerting.
OK, I’m Ready to Get Started!
If you’re already using a SIEM, it’s simple to add Varonis and get more out of your SIEM investment. If you’re looking to start your data security plan, start with Varonis and then add your SIEM.
Once you have Varonis in place, you can then add your SIEM for data aggregation and additional monitoring and alerting. Varonis gives you more initial data security coverage, and adding a SIEM will make Varonis and your SIEM better able to correlate and store data for analysis and auditing.
Want to see more? Click here for a personalized demo to see how Varonis and SIEM work together.