VARONIS SYSTEMS
We protect your most sensitive information
from insider threats.
5 Things IT Should Be Doing
… But Isn’t!
Mike Egli, Engineer
20 years in:
Professional Services
Management
Helpdesk Management
IT Leadership
About Me
Started operations in 2005
Over 4350 Customers
We secure your sensitive data from the
inside out
About Varonis
The Varonis Origin Story
Why should IT care about
Unstructured Data?
The Impact of Online Attacks
Source: informationisbeautiful.net
3.8 insider attackers per organization per year (on average)
45% of organizations can’t tell if they’ve suffered an insider breach
34% estimate the cost of an insider breach to be > $1 million
Reputational damage is immeasurable
CEOs and CISOs are losing their jobs due to breaches
The Impact of Insider Threats
… and, according to the NSA, the national average in 2014/2015 for
realizing a breach occurred within an organization was 270 days!
Employees make mistakes
By the Numbers
Phishing Works Really Well
23% of recipients open phishing messages.
11% of recipients click on attachments.
– 2015 Verizon Data Breach Investigations Report
Ransomware-as-a-Service
Risk and Irrational Biases
How do I mitigate the
risk of exposure?
Inside-Out Approach: 4 Phases, 5 Tips
Phases: INSTRUMENT & ALERT; LOCK DOWN & PREVENT; SIMPLIFY; OPTIMIZE
Enable Audit Trail & Alerting
Inventory Permissions
Classify and Tag Sensitive, High Profile Data
Remove Excess Access
Remove Stale Data
Standardize Permissions and Structures
Data Ownership / Self-service data management
Automate Retention & Disposition
Automate Entitlement
Secure Search
Mobile Access and File Synchronization
Tip #1: Turn the lights on
• Classify sensitive content
• Inventory permissions
• Enable auditing
Tip #2: Fix your biggest problems
• Global access
• Excessive access
• Broken ACLs
Tip #3: Analyze & Alert on User Behavior
• Baseline normal activity
• Alert on anomalies
• React to alerts
Tip #4: Move the responsibility
• Assign owners
• Establish a process
• Automate that process
Tip #5: Get control of Active Directory
• Fix common mistakes
• Monitor changes
• Track KPIs
Free Threat Assessment
http://bit.ly/threatcheck
Thank You

5 things it should be doing (but isn't!)

Editor's Notes

  1. Hello everyone! Thanks for coming out today! Today we’re going to talk about 5 things that IT should be doing, particularly when it comes to all that human generated data you have sitting out there, but you probably are not doing.
  2. I'm Mike Egli, an engineer with Varonis. I’ve been in the industry for about 20 years. I spent the first 10 years managing professional services teams and consulting, and the second half in IT leadership and now with Varonis.
  3. Not to spend too much time on who we are because I think that how we solve some of IT’s current challenges speaks volumes about who we are, but I think it’s worth noting that we’re an 11-year-old company that’s publicly traded and growing rapidly. We have over 4000 customers who are using solutions that we have in 3 categories … enterprise search and ediscovery, enterprise secure collaboration, and secure data governance. I think what we do and why we’re growing will make a lot more sense once I tell a little story about how we got started.
  4. A little over a decade ago, there was a large scale project off the coast of Africa where a company was taking high resolution digital photos of the ocean floor. Obviously, a pretty expensive project with some very difficult to replace data. One day, the staff comes in and realizes that the data is no longer on their NetApp storage. They start asking questions like “Where did it go?” “What happened?” “Who could have done this?” and no one had any answers. Even when escalating it to two senior engineers at NetApp, they acknowledged that a way to answer those questions didn’t exist … but it would make an excellent product. NetApp’s leadership agreed, but it wasn’t a focus for them and so they helped those two engineers get funding to start Varonis and now over a decade later we’re helping other companies answer those important questions about their data.
  5. While there are many reasons that your unstructured or human-generated data, and a governance strategy for that data, matters, one of the newest and greatest risks your business faces is insider threat. Now let me ask you this … do any of these names here sound familiar? <CLICK> The industry we work in has changed dramatically in just the past 5 years due to the impacts of security breaches and data protection. Focusing on insider threat was never viewed as important prior to now because people focused so heavily on the edge that they ignored what was inside and what someone could grab (exfiltrate). Look at the diversity of industries … there’s no common thread. Anyone is a target. And look how rapidly it grew in just 10 years; I can barely fit more bubbles. What do you think it will look like in another 10 years?
  6. Now, let’s take a look at some interesting information on breaches from 2015. The folks at SANS and Crowd Research have shared some pretty overwhelming numbers. An average of 3.8 attacks occur per organization every year. Almost half of all organizations have no clue if they’ve been breached. And, to top it off … if you do realize you have a breach, on average it takes 270 days to know it! Sources: https://www.sans.org/reading-room/whitepapers/analyst/insider-threats-fast-directed-response-35892 http://www.securonix.com/insider-attacks-were-the-most-costly-breaches-of-2015/ http://info.varonis.com/hs-fs/hub/142972/file-2194864500-pdf/ponemon-data-breach-study.pdf http://www.darkreading.com/vulnerabilities---threats/survey-shows-insider-threats-on-the-rise-organizations-experience-an-average-of-38-attacks-per-year/d/d-id/1321069
  7. There are 3 types of insider threats that we have to worry about. Turncloak: an insider maliciously leaking data, someone who is supposed to be on the network and has legitimate credentials, but is abusing their access for fun or profit. We've seen all sorts of motives that drive this type of behavior: things as sinister as selling secrets to foreign governments or as simple as taking a few documents over to a competitor upon resignation. Pawn: this is just a normal employee who makes a mistake that is exploited by a bad guy. Whether it's a lost laptop or emailing a sensitive document to the wrong person, mistakes are a part of life, but they hurt nonetheless. In a minute we'll take a look at the statistical breakdown of mistakes vs. malice. Imposter: an outsider with insider credentials, who locates information on behalf of the inside user and exfiltrates it. We should assume that we have attackers on the inside already. Our goal is to a.) minimize the damage any single account can do by reducing their access to need-to-know, and b.) put into place sophisticated detective controls to alert when sensitive data may be in jeopardy.
  8. Now, while the turncloak is the malicious insider who’s knowingly exfiltrating your data, the majority of breaches occur purely by accident. The biggest cause of your breaches really is the employee who makes a mistake. It could be leaving a USB key somewhere, clicking a link in an email, or sending an email to the wrong person. But, this is where you need to spend more time … protecting the organization from either the malicious intent or even the accidental drag and drop.
  9. Statistically speaking, the biggest threats businesses have faced over the past few years really do fall into the category of “oops!” done by your average employee. Misdelivery and publishing errors constitute almost 70% of threats, and roughly 50% of those assets involved are human-generated data like your average Word or Excel document. And, how are people getting to those documents? They are leveraging the permissions of either their own account, which can get to places it probably shouldn’t … or … they are using the credentials of someone else.
  10. Now, I mentioned some examples of how employees make mistakes. Here’s one of the most common and effective ones. Phishing. Verizon performed a data breach investigation last year and found that at least 1 in every 5 people will open an email and at least one in every 10 will open an attachment or click a link! That means if you have 100 employees, it is very likely you already have people clicking links and potentially have their credentials sitting out there in the hands of an imposter.
  11. What’s particularly scary about the 11% stat is that, if the attacker gets your employees to click, there are immediate and grave consequences. In most cases, it means that malware or ransomware has been staged and an attacker has control of at least one machine on your network.
  12. But phishing isn’t the only effective way to wreak havoc in an insider threat model. Ransomware is one of the newest ways to effectively cripple an organization, and it functions as an innovative business model, which just increases its adoption by nefarious people. If you’re not familiar with it … the basics are that an attacker infects a user, and the user's computer uses their credentials to go to any file on the network it can reach and encrypts it with a key only the attacker has. It also drops a document there with instructions on where you can pay the owner of the encryption key to get your documents back. It's brutal because it can encrypt anything it can get to, it’ll spread around like a virus, and most organizations cannot recover either fast enough or fully enough to ignore the threat. *click* But it's just gotten worse. Ransomware just became a service. Ransom32 is a service that lets you build your own ransomware, type in your bitcoin address, and target people. AND, it’s super small, and java based so it's cross platform, can be embedded in websites, etc. This is literally a business that helps someone build ransomware by taking a cut of the profit. This is the world we live in as people in the IT industry.
  13. Ok, now let me ask this … who’s afraid of the shower? Ok, what about mountain lions? Makes sense, right? Big scary cat with claws … thing that drops water. But you’re 100x more likely to slip and fall in the shower than run across a mountain lion. So who here replaces their bath mat every 6 months? It’s all about irrational biases … one “looks” scary and so we focus there versus the other one. I hear it all the time … “we’re too small to be a target” or “we’re a family company, we don’t have insider threat problems”. EVERYONE is at risk … from the 5 employee corner convenience market whose employee snags some money out of the register and adjusts the day’s sales in the system to compensate, to the 1000 employee manufacturing company where an employee snags R&D documents on his last day before he goes to a competitor. What’s important is identifying what is a true risk by looking at the cold hard facts, the numbers, the frequency of events. Then develop a plan of attack.
  14. People often talk about the inside-out approach to security … i.e., don’t just secure the edge … like candy, you don’t want a hard exterior and a soft chewy core, right? So, start from your security permissions, your data, and how people are using it, and then work your way out. That means having a data governance strategy, and this chart shows what that could look like. What we’ll do now is walk through some examples of this in terms of 5 overall tips for improving the situation with your unstructured data.
  15. Bi-Directional View: Go through a short form of the standard DA introduction and go straight to: Who has access to the Finance Folder? Data Classification: Show the classification results and discuss data classification: What kind of data is in the Finance Folder? Logs: Right-click and go to the Log to show: Who’s been touching data within the Finance Folder?
  16. How can you protect your data if you don’t know anything about it? We start by taking inventory of your entire unstructured data environment. This means classifying sensitive content, crawling ACLs and Active Directory, and enabling comprehensive, non-intrusive auditing of how users interact with data. The result? You can finally see. You’ll know who has access to data and who is accessing it, where sensitive information lives, and where it’s overexposed and at-risk.
  18. Bi-Directional View: Go back to the Work Area and this time show them a now familiar concept, but: What can “Everyone” (Group) get to? Recommendations: Open and discuss the Recommendations panel on the: Finance Folder. Report: Global Group Access Analysis. Discuss and show: How do I get a complete list of all folders that everyone has access to?
  19. Applying global access to the company’s holiday party photos is probably okay, but in the vast majority of cases, we should avoid global access like the plague. I’ve seen global access applied to folders with millions of credit card numbers, socials, and more. This problem can be very hard to remediate—you can’t just pull everyone’s access without inciting a riot. When everyone under the sun has access, it’s very difficult to know who really needs that access. The solution is to look at historical access activity in your audit trail to determine who has been accessing data exclusively via global access groups. Our DatAdvantage product shows you which information is globally accessible and who has actually been accessing it. From there you can apply tighter permissions and run a simulation that will tell you exactly which people will be impacted if you were to remove global access. This capability is indispensable when doing global access remediation, lest you get a bunch of angry phone calls. ☺
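The remediation logic in note 19, sketched as an added example (not Varonis code and not part of the original deck): list globally accessible folders, then simulate removing the global groups and report which active users would lose access. The folder paths, group names, users and audit events are all constructed assumptions.

```python
# Added illustration; every name and record below is constructed sample data.
GLOBAL_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}

FOLDER_ACL = {  # folder -> groups granted access
    r"\\fs01\Finance": {"Everyone", "Finance-RW", "Auditors-RO"},
    r"\\fs01\Photos": {"Everyone"},
    r"\\fs01\HR": {"HR-RW"},
}
GROUP_MEMBERS = {
    "Finance-RW": {"alice", "bob"},
    "Auditors-RO": {"carol"},
    "HR-RW": {"frank"},
}
AUDIT_EVENTS = [  # (user, folder, operation) taken from the audit trail
    ("alice", r"\\fs01\Finance", "modify"),
    ("dave", r"\\fs01\Finance", "read"),
    ("carol", r"\\fs01\Finance", "read"),
    ("erin", r"\\fs01\Finance", "read"),
    ("dave", r"\\fs01\Photos", "read"),
]

def globally_accessible(acl):
    """Folders whose ACL contains at least one global access group."""
    return sorted(f for f, groups in acl.items() if groups & GLOBAL_GROUPS)

def simulate_global_access_removal(folder, acl, members, events):
    """Dry run: who is affected if global groups are stripped from `folder`?"""
    remaining_groups = acl[folder] - GLOBAL_GROUPS
    still_entitled = set()
    for group in remaining_groups:
        still_entitled |= members.get(group, set())
    # Users the audit trail shows actually touching the folder.
    active = {user for user, f, _ in events if f == folder}
    return {
        # Reached the data only through a global group: they lose access.
        "impacted": sorted(active - still_entitled),
        # Active users who keep access through a specific group.
        "unaffected": sorted(active & still_entitled),
        # Entitled by a specific group but no recorded activity.
        "entitled_but_idle": sorted(still_entitled - active),
    }

if __name__ == "__main__":
    print(globally_accessible(FOLDER_ACL))
    print(simulate_global_access_removal(
        r"\\fs01\Finance", FOLDER_ACL, GROUP_MEMBERS, AUDIT_EVENTS))
```

The "impacted" list is the set of people to review with the data owner before the change, since each one either needs a specific group or should not have had access at all.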
  20. Permissions creep plagues us all. It's hard to prevent and can be even harder to remediate. How often does the help desk receive a call from a user complaining that they have too much access? Never. People change jobs, departments, responsibilities. Temporary projects often require temporary access, but temporary access has a way of becoming permanent. Consulting contracts start and end. How do you know when someone no longer needs access to data? You can analyze a person’s activity. If they stop accessing EVERYTHING, then you can probably just disable their account. But to determine if they no longer need SPECIFIC permissions, you need to correlate their access activity with their security groups. And even if a person no longer accesses data granted to them by a specific group, it’s not always a foolproof indicator that they no longer need access. A better answer is hidden in this little red X. I included a picture of Elon Musk because it feels like something he should’ve invented. :-) The X is Varonis telling us that Andrew Weiricc no longer needs access to the company’s finance data. It determines this through bi-directional cluster analysis. Not only has Andrew stopped using the data, but his fundamental data access behaviors no longer match a typical member of that security group. You can then manually accept the recommendation or have Varonis automatically execute revocations on your behalf.
  21. Alerts (Margaret Coakley) UBA
  22. Our customers have had a lot of success preventing insider breaches using some of the alerts you see here. We create a baseline of all user activity, allowing you to detect suspicious behavior, whether it’s an insider accessing sensitive content, an administrator abusing their privileges, or ransomware like CryptoLocker.
  23. By combining behavioral analysis with knowledge of what’s inside the files the insider is touching, alerts become much more accurate than traditional methods. You can send these high-fidelity alerts into your SIEM for further analysis rather than flooding it with every event.
  24. One of my favorite use cases for file analysis is building profiles for strains of malware. This is a profile we’ve used to very successfully combat CryptoLocker. It works like this: All file access activity is monitored and threshold alerts are in place to detect rapid file modification from a single user. When that happens, an alert is triggered which notifies IT. The process then checks the user’s machine for the presence of CryptoLocker registry values, and then automatically disables the user. And because you have the audit trail, you can see precisely which files were encrypted and use something like decryptcryptolocker.com to restore them.
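The threshold alert in note 24, sketched as an added example (not Varonis code and not part of the original deck): a sliding-window count of file modifications per user that fires once and then keeps recording affected files for recovery. The 60-second window, the 100-modification threshold, the event format and all users and paths are assumptions; the registry check and account disable steps are not shown.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # assumed window; tune against your own baseline
THRESHOLD = 100       # assumed number of modifications within the window

def build_sample_events():
    """Constructed audit trail: (epoch_seconds, user, operation, path)."""
    events = []
    # Normal editing: 5 modifications spread over close to an hour.
    for i in range(5):
        events.append((1000 + i * 600, "alice", "modify", f"/finance/q{i}.xlsx"))
    # Ransomware-like burst: 150 modifications at 5 files per second.
    for i in range(150):
        events.append((2000 + i // 5, "bob", "modify", f"/shared/doc_{i}.docx"))
    # Heavy reading must not trigger a modification alert.
    for i in range(300):
        events.append((2000 + i // 10, "carol", "read", f"/shared/doc_{i % 150}.docx"))
    return sorted(events)

def detect_rapid_modification(events, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {user: {"triggered_at": ts, "files": [...]}} for each offender."""
    recent = defaultdict(deque)  # user -> (ts, path) pairs inside the window
    alerts = {}
    for ts, user, op, path in events:
        if op != "modify":
            continue
        q = recent[user]
        q.append((ts, path))
        # Drop modifications that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if user in alerts:
            # Already alerted: keep listing files so they can be restored.
            alerts[user]["files"].append(path)
        elif len(q) >= threshold:
            alerts[user] = {"triggered_at": ts, "files": [p for _, p in q]}
    return alerts

if __name__ == "__main__":
    for user, info in detect_rapid_modification(build_sample_events()).items():
        print(user, info["triggered_at"], len(info["files"]), "files touched")
```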
  25. Statistics – Data Owner Entitlement Review
  26. The first task is to use the access activity to determine who the likely data owners are. Business users have more context than IT when it comes to making decisions about access, so let's give them that responsibility. Assigning ownership in a way that relies on hard evidence of usage vs. a qualitative survey asking “Do you own this file share?” increases your odds of success.
  27. Discuss the importance of cleaning up accounts: Users with expired passwords + Expires Passwords & Audit GPO reports
  28. In order to monitor risk on your domain, you need the tools and rules that can detect AD changes and alert you when abnormal behaviors are happening.
  29. That’s it! Be sure to sign up for a free threat assessment. We’ll perform all 3 steps of the Inside-Out Security playbook in your environment. There’s no commitment and you get a nice risk report at the end that’ll help you take action.