How Varonis enhances DLP, IAM, and SIEM

Presentation transcript:

How Varonis enhances DLP, IAM, and SIEM

Agenda
- DLP, IAM, SIEM Overview
- Gaps in Protection
- How Varonis Enhances DLP, IAM, SIEM
- Live Demo
- Q&A

About Varonis
- Started operations in 2005
- Over 4,800 customers (as of June 2016)
- IPO in Feb 2014
- We protect your data from insider threats and cyberattacks
A little bit about Varonis before we get started. We were founded in 2005 and now have more than 4,800 customers globally. Varonis sells on-premise software products—not appliances or cloud-based services—and our products help our customers protect their most critical data from insider threats and cyberattacks.

The Varonis Origin Story
Before we dive in, I want to share the story about how Varonis was started. Our co-founders, Yaki Faitelson and Ohad Korkus, were working for NetApp on a project in Angola, on the western coast of Africa. One of the missions was to deploy deep-sea divers and submarines to take hi-res photos of the ocean floor. They were storing these photos, which were worth MILLIONS of dollars, on their file servers. And then one day, they were gone. Everyone turned to Yaki and Ohad and said, “You guys are the storage experts, tell us what happened. Were they stolen? Accidentally deleted? Who had access?” Unfortunately, there was no audit trail and no easy way to determine what had happened. Luckily they were able to recover the files, but this near disaster prompted Yaki and Ohad to found Varonis to help organizations manage and protect their valuable information.

Data Loss Prevention (DLP)

What does DLP do?
- Endpoint protection: locking down and monitoring user devices
- Network (data in motion): monitoring for sensitive data on the network
- Data classification: identifying or classifying sensitive data at rest
To prevent a user’s sensitive data from making its way outside the corporate network, DLP solutions execute responses based on pre-defined policies and rules, ranging from simple notification to active blocking. DLP typically covers three high-level use cases: endpoint protection, network monitoring of data in motion, and classification of data at rest. Endpoint protection use cases include hard drive encryption, optical drive and USB port locking to prevent exfiltration, and malware protection. Data-in-motion technologies inspect email and web traffic to identify sensitive data that may be in the process of being exfiltrated, so that the data remains in the organization, and may also help ensure that content is only accessed over encrypted channels. Data-at-rest classification inspects the content of files to identify where sensitive data may exist on server and cloud platforms so that additional action can be taken to ensure proper access controls.

Gaps in DLP
DLP isn’t context-aware:
- Who has access to the sensitive data your DLP found?
- Who is actually accessing that data?
- Who no longer needs access (because they don’t use it)?
- Which business user owns the data?
- How do you know when a user starts accessing critical data abnormally?
Identifying sensitive data on your servers and/or blocking it is DLP’s strong suit. Yes, it knows where all your sensitive files reside, but it has a weak point: if a hacker or insider compromises an account that is authorized to access sensitive documents, DLP can’t stop it. To really protect your organization’s sensitive data, you should also know who has access to it, who is accessing it, who likely no longer needs access, who outside of IT the data belongs to, and when a user or users start accessing that data in strange ways.

How Varonis Enhances DLP
Varonis makes DLP classification results actionable:
- Prioritize and lock down data that is most at risk (e.g., open to everyone)
- Revoke excessive permissions
- Detect and stop abuse, insider threats, and ransomware
- Varonis is not just for reporting: you can model, commit, and roll back changes to your environment
Varonis makes DLP better by providing all of that additional context. After absorbing the classification scans from DLP, Varonis provides activity monitoring, alerting, and behavior analysis along with intelligent permissions management. DLP tells you where your sensitive data is, and Varonis helps make sure that only the right people have access to it and that you know when access is abused. Not only can you see where you’re at risk, you can also model and commit changes to your environment from within the Varonis interface. For example, what would happen if I revoked the Everyone group from this highly sensitive folder? Who would complain?

Integrating with DLP
- Varonis can absorb the classification from your existing DLP product, via a direct integration or via a structured data feed
- Varonis can classify data at rest using our Data Classification Framework if you don’t have a DLP solution
- Side note: Varonis does incremental classification, which tends to be more efficient than most DLP data-at-rest scans

Identity & Access Management

What does IAM do?
IAM enables the right individuals to access the right resources at the right times for the right reasons.
While DLP is great for protecting sensitive data, it generally has no information about how data is being used or how access controls are granted. To obtain this access information, many organizations turn to Identity and Access Management. Identity Management serves as a gatekeeper for user access rights. When a user starts a new role, he is authorized and granted access rights to systems and applications, and when he leaves the organization, those rights are terminated.

What does IAM do?
It ties disparate applications together into a single repository for managing access and entitlements:
- Auto-provisioning for apps
- Entitlement reviews for apps
- Single Sign-On and password management for apps
What makes Access Management so critical is that access rights typically accumulate over time. The longer a user stays with a company, the more access the user usually has. Users with privileges beyond what is required to perform their current role can put the company at risk. Moreover, if a hacker gains access to the account of a user with excessive access, it might further increase the company’s risk. Both scenarios can result in a data breach. IAM ties disparate applications together into a single repository for managing access and entitlements. Example: you add a new employee in your HR system and your IAM auto-provisions accounts with the correct access across cloud, on-prem, and mobile applications. If that employee leaves the company, you can “off-board” them and instantly revoke access to all applications. IAM helps you perform entitlement reviews to ensure that access to applications remains correct over time. It also provides Single Sign-On (SSO) and password management to allow one-click access to business applications.

Gaps in IAM
…but what about the data?
- Big blind spot in unstructured data (files, emails, etc.)
- More than 80% of all data in an organization
- Very sensitive (think Sony, Panama Papers, Snowden)
- Access to file shares, SharePoint, Exchange tends to be chaotic
- There’s no single “application” for IAM to connect to
- IAM is missing the connection between AD users/groups and the folder and mailbox ACLs
Even though IAM connects various applications and systems into a single solution for entitlements, that functionality tends to stop when it comes to unstructured data. Because access to unstructured data is controlled by directory users and groups and file system ACLs together, there’s no single “application” for IAM to connect to. This means that IAM has a blind spot when managing access to unstructured data. Moreover, access to unstructured data tends to be chaotic and unmanaged—permissions are complex and not standard, multiple groups often have access to data, folders and SharePoint sites are open globally, etc.—so managing unstructured data entitlements through IAM is often impossible.

How Varonis Enhances IAM
- Maps relationships between users/groups and the data necessary for their role
- Helps restructure permissions to data so they are managed through single-purpose groups
- Analyzes user behavior and recommends where data access is no longer needed
- Analyzes data sensitivity to help ensure critical folders are secured
- DataPrivilege provides IAM functionality on data—provisioning workflows, entitlement reviews, self-service
Here’s how we enhance your IAM. DatAdvantage allows IAM to extend to unstructured data through many use cases: map out the functional relationships between the users/groups and the data necessary for a role; restructure permissions so that they can be efficiently managed through single-purpose groups; analyze user behavior over time and provide recommendations to owners on who likely no longer needs access; and leverage data classification to help ensure sensitive data is owned and managed appropriately. DataPrivilege can complement IAM by empowering data owners and users: enabling ad-hoc requests so users can get access to data, only for as long as necessary, without having to redefine a role; giving data owners insight into activity on their data sets; and allowing for regular reviews of access to ensure only the right people have access to the right data.

Integrating IAM with Varonis
(Diagram: File Servers, IAM, Applications)
Many of our customers use traditional IAM for their business applications and use Varonis as IAM for their data. As a result, you will be able to map identities and roles to both application AND data access. And, with Varonis, the audit trail of data access events enables many more use cases for security operations and storage teams, such as forensic investigations and eliminating stale data.

Security Information & Event Management

What’s SIEM?
- Log data aggregation: network, system, databases, applications
- Data correlation and analysis
- Alerting
- Investigation
SIEM systems store, analyze, and correlate a multitude of security information: authentication events, anti-virus events, intrusion events, etc. An anomalous event matched by a rule alerts a security officer/analyst to take swift action. SIEM systems aggregate logs, most commonly by reading event viewer data, receiving standard feeds from SNMP traps or Syslog, or sometimes collecting log data with the help of agents. These feeds come from user devices, network switches and other devices, servers, firewalls, anti-virus software, intrusion detection/prevention systems, and many more. Once all of the data is centralized, the SIEM runs reports, “listens” for anomalous events, and sends alerts. For the SIEM tool to identify anomalous events and send alerts, it’s important that an administrator create a profile of the system under normal conditions. SIEM alerts can be pre-configured with canned rules, or you can create your own custom rules that reflect your security policies. After events are sent to the system, they pass through a series of rules, which generate alerts if certain conditions are met. Keep in mind, with potentially thousands of devices and different sources to monitor, each generating potentially thousands of records or more a day, there will be plenty of data to sift through. The goal is to use SIEM rules to reduce the number of events down to a small number of actionable alerts that signal real-world vulnerabilities, threats, or risk.

Gaps in SIEM
- No view into file and email access activity
- These logs often don’t exist
- Native auditing is performance intensive
- Raw logs are voluminous and hard to parse
- If someone deleted 5,000 critical files on your NAS, would your SIEM know about it?
SIEM will read event viewer logs from network devices, systems, and AD, but has no view into actual data activity, since those logs often don’t exist natively and can be difficult to parse. With our file activity monitoring system, Varonis closes this gap by collecting and analyzing all access activity on platforms SIEM can’t usually see. We can tell your SIEM when someone’s accessing the CEO’s mailbox, changing critical GPOs, encrypting large numbers of files in a short period of time, or otherwise misbehaving when it comes to your data and directory services. Moreover, Varonis baselines user activity and provides alerts that can be passed directly to SIEM for further correlation, analysis, or action. Varonis alerts can be sent via Syslog to any SIEM, and there are pre-built templates for connection with some specific platforms.

How Varonis Enhances SIEM
- Varonis’ alerts are more valuable to your SIEM or UBA product than raw logs
- We analyze behavior, profile key accounts, and develop a baseline for each user and device
- Fewer false positives because we have more context
- No need to pre-configure rules: our threat models are adaptive
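The behavioural baselining these two SIEM slides describe, as an added example that is not Varonis code: a small Python detector that learns each user's normal hourly file-delete rate from constructed history, flags a burst of deletes inside a short window, and renders the alert as a syslog line of the kind a SIEM could ingest. The event format, the thresholds and the host/app names are assumptions, not a product format.

```python
"""Toy behavioural file-activity detector (added example, not Varonis code).
Baselines each user's normal hourly rate of file deletes, then emits one
syslog alert when a short window exceeds that baseline, rather than forwarding
every raw event. Event format, thresholds and host names are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed history: a normal working week, two deletes per hour for alice.
HISTORY = [
    f"2016-06-0{d}T{h:02d}:{m:02d}:00 alice delete \\\\nas01\\finance\\old{d}{h}{m}.xlsx"
    for d in range(1, 6) for h in range(9, 17) for m in (5, 35)
] + [f"2016-06-0{d}T{h:02d}:10:00 bob modify \\\\nas01\\hr\\roster{d}{h}.docx"
     for d in range(1, 6) for h in range(9, 17)]
# Constructed recent activity: alice's account deletes 30 files in one minute.
RECENT = [f"2016-06-08T10:00:{2 * i:02d} alice delete \\\\nas01\\finance\\q{i}.xlsx"
          for i in range(30)] + ["2016-06-08T10:01:00 bob modify \\\\nas01\\hr\\r8.docx"]

def parse(lines):
    """Parse 'timestamp user operation path' lines into time-sorted event dicts."""
    events = []
    for line in lines:
        ts, user, op, path = line.split(" ", 3)
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "op": op, "path": path})
    return sorted(events, key=lambda e: e["ts"])

def hourly_baseline(events, op="delete"):
    """Per user: (mean, population std-dev) of hourly counts of `op` in the history."""
    buckets = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["op"] == op:
            buckets[e["user"]][e["ts"].replace(minute=0, second=0)] += 1
    return {u: (mean(c.values()), pstdev(c.values())) for u, c in buckets.items()}

def detect_bursts(history, recent, op="delete", window=timedelta(minutes=5), k=3.0, floor=10):
    """One alert per user whose `op` count inside a sliding `window` first exceeds
    max(floor, mean + k * stddev) of that user's hourly baseline."""
    base = hourly_baseline(history, op)
    per_user = defaultdict(list)
    for e in recent:
        if e["op"] == op:
            per_user[e["user"]].append(e["ts"])
    alerts = []
    for user, times in per_user.items():
        mu, sigma = base.get(user, (0.0, 0.0))   # user with no history: floor alone applies
        threshold, start = max(floor, mu + k * sigma), 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:    # slide the window's left edge forward
                start += 1
            if end - start + 1 > threshold:
                alerts.append({"user": user, "op": op, "count": end - start + 1,
                               "threshold": threshold, "first": times[start], "last": ts})
                break                            # fire once per user per burst
    return alerts

def to_syslog(alert, host="varonis-dsp", app="datalert"):
    """Render an alert as an RFC 5424 line; PRI 129 = facility local0 (16) * 8 + severity alert (1)."""
    msg = (f"user={alert['user']} op={alert['op']} count={alert['count']} "
           f"threshold={alert['threshold']:.1f} first={alert['first'].isoformat()}")
    return f"<129>1 {alert['last'].isoformat()} {host} {app} - - - {msg}"
```

`detect_bursts(parse(HISTORY), parse(RECENT))` returns a single alert for alice at the moment her count crosses the threshold, and `to_syslog` renders it; the `floor` keeps an account with no history from slipping under a near-zero baseline.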

Integrating with SIEM
- Integrates via Syslog
- DatAlert & DatAlert Analytics alerts are “clean” alerts
- You don’t have to send raw logs into your SIEM (that can be expensive)
- Send Varonis’ hi-fidelity alerts into your SIEM or UBA product
Varonis can integrate with most SIEM products via syslog. Critically, we don’t send our entire feed of events into your SIEM, which can be expensive and noisy. We only send hi-fidelity alerts that our sophisticated threat models deem important. We have out-of-the-box integrations with ArcSight, FireEye, and LogRhythm. Customers have also integrated Varonis with Splunk, QRadar, and others.

Platforms
Windows, UNIX/Linux, NAS, SharePoint, Exchange, Office 365, MS Active Directory, local accounts, LDAP, NIS
When we talk about data, we’re referring to the data that most organizations have the most of and know the least about: the documents, spreadsheets, presentations, image, audio, and video files—among others—sitting on file servers, NAS devices, SharePoint, Exchange, and on cloud platforms like Office 365, along with the directory services platforms that support this data—Active Directory, LDAP, NIS, and local accounts that may also control access.

Product Demo

“Of all the expensive security products we’ve purchased, DatAlert is the only solution that has done, and is doing, all of the alerting and notification of anomalous behavior, especially ransomware.” – A major bank in Western Canada
https://medium.com/@networksecurity/locky-ransomware-virus-spreading-via-word-documents-51fcb75618d2#.urcbr7h94
This is a quote by Kevin Beaumont, who’s done a lot of great work on analysing malware, the Locky ransomware variant in particular. Kevin is a security researcher who did a lot of early work analysing the Locky ransomware in early 2016. Just do the maths on that for a moment – you only need a very small portion of these to pay only a very small amount for the attacker to be raking in the dollars.

Free Data Risk Assessment