Tag Archives: DatAdvantage

Role Based Access Control (RBAC): What is it and Why Implement?


Can a stolen password get you the keys to the entire kingdom? Well, it turns out that 81% of data breaches in 2017 used stolen or weak passwords to get onto the network.

We need to be better than that in 2018. We need to go back over our permissions standards and implement Role Based Access Control (RBAC) to keep users within their assigned seats on the network.

Role Based Access Control (RBAC): What is it?

Role Based Access Control (RBAC) is a network security paradigm where the network grants users permissions based on their role in the company. It’s dead simple: the Finance department doesn’t get to look at HR data and vice versa.

Each user on the network has an assigned role, and each role has a set of access permissions to resources across the organization. For example, our Finance humans have access to the CRM based on their use cases, access to email, and access to the Finance share on the network. And that could be it.

When implemented correctly, an RBAC implementation will be transparent to the users. Role assignment happens behind the scenes, and each user has access to the applications and data that they need to do their job.

Why Implement RBAC?


Implementing Role-Based Access Control helps maximize operational efficiency, protects your data from being leaked or stolen, reduces admin and IT support work, and makes it easier to meet audit requirements.

Users should have access to the data they need to do their job – granting access to data they don’t need is a security liability, increasing the risk of that data getting leaked, stolen, corrupted, or compromised. Hackers love to access a single account and move laterally around the network looking for the sellable data. If you have a good RBAC implementation, the hackers will get stonewalled as soon as they try to get outside the bubble of their hacked user’s role.

Sure it’s bad that someone’s account got hacked, but it could be so much worse if that user has access to all of the sensitive data. Even if the affected user is in HR and has access to personally identifiable information (PII), the hacker won’t be able to easily move to the Finance team’s or Executive team’s data.

RBAC also reduces IT and administrative load across the organization and increases the productivity of the users. While this seems counterintuitive, if you think about it for a second, it makes sense. IT doesn’t have to manage personalized permissions for every user, and it’s easier for the right users to get to the right data.

Managing new users or guest users can be time consuming and difficult, but if you have RBAC that defines these roles before a user joins the network, it’s a fire and forget situation. Guests and new users join the network, and their access is pre-defined.

Lastly, implementing RBAC is proven to save lots of dollars for your company. RTI published a report in 2010, “The Economic Impact of Role-Based Access Control” that indicates there is a substantial return on investment in an RBAC system. For a hypothetical financial services firm of 10,000 employees, RTI estimates that RBAC will save IT $24,000 in labor, and employee downtime will save the company $300,000 per year. Automating the user access process will save you even more than that in IT labor reduction alone. That’s big-time-get-you-a-raise money.

At the end of the implementation, your network will be vastly more secure than it was, and your data will be much safer from theft. And you get the other benefits of increased productivity for your users and IT staff. It’s a no-brainer if you ask us.

RBAC: 3 Steps to Implement


What’s the best way to implement Role-Based Access Controls? Consider the following steps to get started:

  1. Define the resources and services you provide to your users (i.e., email, CRM, file shares, CMS, etc.)
  2. Create a library of roles: Match job descriptions to resources from #1 that each function needs to complete their job
  3. Assign users to defined roles.

The good news is that you can automate this process: Varonis DatAdvantage provides data about who actively uses the file shares on a regular basis, and who doesn’t. While assigning file permissions to roles, you will also designate a data owner for the shares. This data owner is responsible for access to their data in the long term, and can easily approve or deny access requests from the Varonis DataPrivilege interface. Varonis also provides modeling capabilities as you are assigning roles, so that you can see what happens if you revoke access to a folder from this role, before committing.

Once the implementation is done, it’s imperative to keep the system clean. No user should be assigned privileges outside of their role on a permanent basis. DataPrivilege allows for temporary access to file shares on a per request basis, which doesn’t break the first rule. It will be necessary, however, to have a change process in place to adjust roles as needed.

And of course, you want to have regular auditing and monitoring on all of these critical resources. You need to know if a user is trying to access data outside of their assigned seat, or if a permission gets added to a user outside of their role.
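The three implementation steps above (define resources, build a role library, assign users) and the follow-up rule that no user holds permanent privileges outside their role can be expressed as a small model. The following is an added example, not Varonis code; the resource names, roles and users are constructed, and the time-boxed grant is a stand-in for the per-request temporary access the text describes:

```python
"""Minimal RBAC model: resources, a role library, user assignment, an access
decision, and an audit that reports permission drift outside the role.
Constructed example; not Varonis code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Step 1: resources and services offered to users (constructed names).
RESOURCES = {"email", "crm", "finance_share", "hr_share", "cms"}

# Step 2: role library. Each role gets only what that job function needs.
ROLES = {
    "finance": {"email", "crm", "finance_share"},
    "hr": {"email", "hr_share"},
    "marketing": {"email", "crm", "cms"},
}


@dataclass
class User:
    name: str
    role: str
    # Permissions actually present on the system. In a clean deployment this
    # equals ROLES[role]; audit_drift() reports anything beyond that.
    effective_perms: set = field(default_factory=set)
    # Per-request temporary access: resource -> expiry time.
    temporary: dict = field(default_factory=dict)


def build_users(assignments):
    """Step 3: assign users to roles; permissions derive from the role."""
    users = {}
    for name, role in assignments.items():
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r} for user {name}")
        users[name] = User(name, role, set(ROLES[role]))
    return users


def grant_temporary(user, resource, until):
    """Time-boxed access outside the role (the per-request exception the
    text allows); it never changes the role itself."""
    if resource not in RESOURCES:
        raise ValueError(f"unknown resource {resource!r}")
    user.temporary[resource] = until


def can_access(user, resource, now):
    """Access decision: the role decides, or an unexpired temporary grant."""
    if resource not in RESOURCES:
        return False
    if resource in ROLES[user.role]:
        return True
    expiry = user.temporary.get(resource)
    return expiry is not None and now < expiry


def audit_drift(users, now):
    """Flag permanent permissions outside the role, and temporary grants that
    have expired but were never cleaned up."""
    findings = {}
    for user in users.values():
        extra = sorted(user.effective_perms - ROLES[user.role])
        expired = sorted(r for r, t in user.temporary.items() if now >= t)
        if extra or expired:
            findings[user.name] = {"outside_role": extra,
                                   "expired_temporary": expired}
    return findings


def demo():
    t0 = datetime(2018, 1, 1)
    users = build_users({"alice": "finance", "bob": "hr"})
    grant_temporary(users["bob"], "cms", t0 + timedelta(days=1))
    # Out-of-band change: someone gave bob a permanent CRM permission.
    users["bob"].effective_perms.add("crm")
    return {
        "alice_finance_share": can_access(users["alice"], "finance_share", t0),
        "alice_hr_share": can_access(users["alice"], "hr_share", t0),
        "bob_cms_day0": can_access(users["bob"], "cms", t0),
        "bob_cms_day2": can_access(users["bob"], "cms", t0 + timedelta(days=2)),
        "drift_day2": audit_drift(users, t0 + timedelta(days=2)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit is the part worth running on a schedule: it only ever compares what a user actually holds against what the role says they should hold, so a permission added directly to a user, or a temporary grant nobody revoked, surfaces without anyone having to know what changed.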

There are several methods bad actors will use to break through your security. A good monitoring and data security analytics platform will enforce the rules set in your RBAC, provide your security team alerts and details to discourage hacking attempts and prevent data breaches before they get off the ground.

Detecting Malware Payloads in Office Document Metadata

Office Documents with Malicious Metadata

Ever consider document properties like “Company,” “Title,” and “Comments” a vehicle for a malicious payload? Check out this nifty PowerShell payload in the Company metadata:

Here’s the full VirusTotal entry. The target opens the Office document and, with macros enabled, the payload stored within the document’s own metadata executes and does its work. No extra files written to disk or network requests made.

The question about whether DatAlert can detect stuff like this came up in the Twitter thread, so I decided to write up a quick how-to.

Finding Malicious Metadata with Varonis

What you’ll need: DatAdvantage, Data Classification Framework, DatAlert

Step 1: Add Extended File Properties to be scanned by Data Classification Framework.

  • Open up the Varonis Management Console
  • Click on Configuration → Extended File properties
  • Add a new property for whichever field you’d like to scan (e.g., “Company”)

Varonis Management Console

(Note: prior to version 6.3, extended properties are created in DatAdvantage under Tools → DCF and DW → Configuration → Advanced)

Step 2: Define a malicious metadata classification rule

  • In the main menu of DatAdvantage select Tools → DCF and DW → Configuration
  • Create a new rule
  • Create a new filter
  • Select File properties → Company (or whichever property you’re scanning)
  • Select “like” to search for a substring
  • Add the malicious value you’d like to look for (e.g., .exe or .bat)

Varonis DCF New Classification Rule

Step 3: Create an alert in DatAlert to notify you whenever a file with malicious metadata is discovered

  • In the main menu of DatAdvantage select Tools → DatAlert
  • Click the green “+” button to create a new rule
  • Click on the “Where (Affected Object)” sub menu on the left
  • Add a new filter → Classification Results
  • Select your rule name (e.g., “Malicious Metadata”)
  • Select “Files with hits” and “Hit count (on selected rules)” greater than 0

DatAlert Rule for Malicious Document Metadata

You can fill out the rest of the details of your alert rule, like which systems to scan, how you want to get your alerts, etc.

As an extra precaution, you could also create a Data Transport Engine rule based on the same classification result that will automatically quarantine files that are found to have malicious metadata.
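The same three steps (pick the metadata properties to scan, define substring filters, alert or quarantine when the hit count is greater than 0) can be checked outside the Varonis console against any Office Open XML file. The scanner below is an added example, not Varonis code: it reads the `docProps/app.xml` and `docProps/core.xml` parts of a .docx/.xlsx/.pptx package, applies a case-insensitive "like" match, and returns an alert decision. The indicator list and the sample document are constructed for the example; a real rule set would be tuned to what researchers report.

```python
"""Scan OOXML document metadata for suspicious substrings. Added example,
not Varonis code; the sample package is constructed in memory."""
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Step 1 equivalent: properties to scan. OOXML stores "Company" and "Manager"
# in docProps/app.xml; Title, Subject, Comments (dc:description) and Keywords
# in docProps/core.xml.
NS = {
    "app": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
}
PROPERTY_SOURCES = {
    "docProps/app.xml": {"Company": "app:Company", "Manager": "app:Manager"},
    "docProps/core.xml": {
        "Title": "dc:title",
        "Subject": "dc:subject",
        "Comments": "dc:description",
        "Keywords": "cp:keywords",
    },
}

# Step 2 equivalent: substring ("like") indicators. Illustrative list only.
INDICATORS = [".exe", ".bat", ".ps1", "powershell", "cmd /c", "frombase64string"]


def extract_properties(doc_bytes):
    """Return {property_name: text} for the properties listed above."""
    props = {}
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        names = set(zf.namelist())
        for part, fields in PROPERTY_SOURCES.items():
            if part not in names:
                continue
            root = ET.fromstring(zf.read(part))
            for label, path in fields.items():
                node = root.find(path, NS)
                if node is not None and node.text:
                    props[label] = node.text
    return props


def classify(props, indicators=INDICATORS):
    """Return (property, indicator) pairs; case-insensitive substring match."""
    hits = []
    for name, value in props.items():
        lowered = value.lower()
        for ind in indicators:
            if ind in lowered:
                hits.append((name, ind))
    return hits


def scan_document(doc_bytes):
    """Step 3 equivalent: alert (and quarantine candidate) when hit count > 0."""
    hits = classify(extract_properties(doc_bytes))
    return {"hit_count": len(hits), "hits": hits, "alert": len(hits) > 0}


def build_sample_docx(company, title="Quarterly report"):
    """Construct a minimal OOXML package holding only the metadata parts
    (enough for the scanner; not a document Word would open)."""
    app_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Properties xmlns="{NS["app"]}"><Application>Microsoft Office Word'
        f'</Application><Company>{escape(company)}</Company></Properties>'
    )
    core_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        f'<dc:title>{escape(title)}</dc:title><dc:creator>user</dc:creator>'
        '</cp:coreProperties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/app.xml", app_xml)
        zf.writestr("docProps/core.xml", core_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: one clean, one whose Company field names a script.
    print(scan_document(build_sample_docx("Example Corp")))
    print(scan_document(build_sample_docx("Example Corp setup.bat")))
```

Substring rules like these are deliberately cheap and will produce false positives on ordinary text (a title mentioning "PowerShell" will match), which is why the alert carries the property and the indicator that fired: a reviewer can see at a glance whether the hit is a stray word or a payload, and the quarantine rule can be limited to the higher-confidence indicators.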

That’s it! You can update your “Malicious Metadata” over time as you see reports from malware researchers of new and stealthier ways to encode malicious bits within document metadata.

If you’re an existing Varonis customer, you can set up office hours with your assigned engineer to review your classification rules and alerts. Not yet a Varonis customer? What are you waiting for? Get a demo of our data security platform today.

Here’s Why Most Companies Are Easy Prey for Cyberattackers


Today we announced the results of anonymized data that our DatAdvantage and Data Classification Framework solutions collected throughout 2015 during risk assessments conducted for potential customers on a limited subset of their file systems. The results show a staggering level of exposure in corporate file systems, including an average of 9.9 million files per assessment that were accessible by every employee in the company.

Varonis DatAdvantage provides full visibility into who can and does access file systems and unstructured data. Varonis Data Classification Framework identifies sensitive and regulated content, like credit card numbers and health records, and maps them to exposures in their host file systems. Even while assessment and remediation projects are in progress, Varonis DatAlert can detect and stop insider threats, unwanted privilege escalations and abuse, and ransomware like Cryptolocker.

Of the insights gleaned from dozens of customer risk assessments conducted in mid-to-large enterprises prior to remediation, Varonis found the average company had, in a subset of its file systems:

  • 35.3 million files, stored in 4 million folders
  • 1 million folders, or an average of 28% of all folders, with “everyone” group permission enabled – open to all network users
  • 9 million files that were accessible by every employee in the company regardless of their roles
  • 8 million folders, or 70% of all folders, contained stale data – untouched for the past six months
  • 25,000 user accounts, with 7,700 of them or 31% “stale” – having not logged in for the past 60 days, suggesting former employees, or consultants and contractors whose engagements have ended

The ‘everyone’ group is a common convenience for permissions when originally set up. That mass access also makes it astonishingly easy for hackers to steal company data.

Some individual companies’ lowlights that were gleaned from the Varonis risk assessments:

  • In one company, every employee had access to 82% of the 6.1 million total folders.

  • Another company had more than 2 million files containing sensitive data (credit card, social security or account numbers) that everyone in the company could access.

  • 50% of another company’s folders had “everyone” group permission, and more than 14,000 files in those folders were found to contain sensitive data.

  • A single company had more than 146,000 stale users – accounts whose users had not logged in for the past 60 days. That’s nearly three times more users than the average FORTUNE 500 company has employees.

Although this data presents a bleak look at the average enterprise’s corporate file system environment, the organizations running these risk assessments are taking these challenges seriously. Most of them have since implemented Varonis, embracing a more holistic view of the data on their file and email systems and closing these gaping, often unseen security holes before the next major breach causes heavy damage. Our software is able to provide a granular look at where sensitive data lives, where it is over-exposed within an organization, who is accessing that data, and how to lock it down. While that remediation process is running, our ability to detect and stop many types of insider threats has been a major revelation for our customers.


Our Risk Assessments quickly show you where your most vulnerable data is stored, who is accessing it, and what needs to be done to secure it.

To request a Risk Assessment from the Varonis Professional Services Team, visit: https://info.varonis.com/assessment


Varonis DatAdvantage and DatAlert Are Now Interoperable with LogRhythm’s Security Intelligence Platform

Today we’re happy to announce the interoperability of our DatAdvantage and DatAlert solutions with the LogRhythm Security Intelligence Platform.

With the new interoperability, customers can combine critical security insight from LogRhythm with Varonis intelligence about file systems and unstructured data – the type of data they typically have the most of and know the least about. Varonis and LogRhythm can help organizations proactively spot signs of insider threats before they end up in the news because of a data breach.

How does it work?

Varonis can automatically send alerts from Varonis DatAdvantage and DatAlert into LogRhythm Security Intelligence Platform and thereby increase the speed and accuracy with which customers are able to identify, prioritize and investigate unusual user behavior surrounding unstructured data. Anomalous activity spotted by Varonis analytics includes unusual access to sensitive and stale data, mass deletions and modifications, malware and ransomware infections like CryptoLocker and Cryptowall, privilege escalations, unusual access to PII, multiple failed login attempts, and many more potential warning signs. Installation of Varonis DatAdvantage and DatAlert can take as little as an hour, and integration with LogRhythm is as simple as configuring an IP address.
