Your SlideShare is downloading. ×
  • Like
Varonis DatAdvantage For Windows
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Now you can save presentations on your phone or tablet

Available for both IPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Varonis DatAdvantage For Windows

  • 6,331 views
Published

Varonis® DatAdvantage® delivers the visibility and auditing you need to determine who can access your unstructured data, who is accessing it and who should have access. Continuously updated …

Varonis® DatAdvantage® delivers the visibility and auditing you need to determine who can access your unstructured data, who is accessing it and who should have access. Continuously updated information drawn directly from your environment shows you the individual users and the groups they are part of, every folder on your file systems, and each data access - open, delete, rename, etc. - for every user.

Click on a folder to see exactly who has access to it, what type of access they have - read, write, execute, etc., and where their permissions came from. Varonis DatAdvantage shows you detailed data access behavior and makes recommendations about whose access can be safely revoked.

Published in Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
6,331
On SlideShare
0
From Embeds
0
Number of Embeds
3

Actions

Shares
Downloads
181
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide
  • User and Group Information from Active Directory, LDAP, NIS, SharePoint, etc. Permissions information knowing who can access what data in which containers Access Activity knowing which users do access what data, when and what they’ve done Sensitive Content Indicators knowing which files contain items of sensitivity and importance, and where they reside
  • Sophisticated Data Structures Critical Pre-processing Core Varonis Intellectual Property
  • Here are some of the operational challenges in dealing with unstructured data. For each box, note the point on the left, and discuss the detailed supporting items on the right
  • Varonis DatAdvantage helps solve these problems by providing: 1. A bi-directional view into access permissions, meaning you can easily determine who has access to a given folder, or which folders a given user or group has access to. 2. A sortable, searchable audit trail for every access of unstructured data that does not impair system performance or require an unmanageable amount of storage. 3. By analyzing file system permissions and access history, Varonis identifies excessive permissions, and provides a method to test permissions changes outside of the production environment. 4. DatAdvantage also provides a method to systematically identify data owners through summarizing access the access activity.
  • This is one section of the Varonis DatAdvantage Graphical User interface, known as the work area. On the left are users and groups gathered automatically from Active Directory, LDAP, NIS, and/or local files. On the right is the directory structure of a file server (or servers). By double-clicking on a folder, we see a list of users and groups that have access to that folder and their associated NTFS permissions. Conversely, we can double click on any user or group-- all the folders that turn green are folders that the user or group has access to; all the folders that remain yellow are those that the user or group does not have access to. In addition, you can see the level of permissions the user or group has on any given folder, as well as an explanation of how they are getting access-- whether it is through a global group, such as everyone or domain users, or through the finance group, as displayed here. (optional) Consider the native functionality for viewing permissions in windows– in order to view permissions on a folder, you must right-click on it in windows explorer and navigate to properties>security. This displays the groups and any explicitly named users that have access to the folder. In to see the users in each group, you must refer to active directory for each group listed. In order to determine all folders a user or group has access to, you must right click on every folder, record every group, and determine if the user or group is contained with each group.
  • This is one section of the Varonis DatAdvantage Graphical User interface, known as the work area. On the left are users and groups gathered automatically from Active Directory, LDAP, NIS, and/or local files. On the right is the directory structure of a file server (or servers). By double-clicking on a folder, we see a list of users and groups that have access to that folder and their associated NTFS permissions. Conversely, we can double click on any user or group-- all the folders that turn green are folders that the user or group has access to; all the folders that remain yellow are those that the user or group does not have access to. In addition, you can see the level of permissions the user or group has on any given folder, as well as an explanation of how they are getting access-- whether it is through a global group, such as everyone or domain users, or through the finance group, as displayed here. (optional) Consider the native functionality for viewing permissions in windows– in order to view permissions on a folder, you must right-click on it in windows explorer and navigate to properties>security. This displays the groups and any explicitly named users that have access to the folder. In to see the users in each group, you must refer to active directory for each group listed. In order to determine all folders a user or group has access to, you must right click on every folder, record every group, and determine if the user or group is contained with each group.
  • This is one section of the Varonis DatAdvantage Graphical User interface, known as the work area. On the left are users and groups gathered automatically from Active Directory, LDAP, NIS, and/or local files. On the right is the directory structure of a file server (or servers). By double-clicking on a folder, we see a list of users and groups that have access to that folder and their associated NTFS permissions. Conversely, we can double click on any user or group-- all the folders that turn green are folders that the user or group has access to; all the folders that remain yellow are those that the user or group does not have access to. In addition, you can see the level of permissions the user or group has on any given folder, as well as an explanation of how they are getting access-- whether it is through a global group, such as everyone or domain users, or through the finance group, as displayed here. (optional) Consider the native functionality for viewing permissions in windows– in order to view permissions on a folder, you must right-click on it in windows explorer and navigate to properties>security. This displays the groups and any explicitly named users that have access to the folder. In to see the users in each group, you must refer to active directory for each group listed. In order to determine all folders a user or group has access to, you must right click on every folder, record every group, and determine if the user or group is contained with each group.
  • This is one section of the Varonis DatAdvantage Graphical User interface, known as the work area. On the left are users and groups gathered automatically from Active Directory, LDAP, NIS, and/or local files. On the right is the directory structure of a file server (or servers). By double-clicking on a folder, we see a list of users and groups that have access to that folder and their associated NTFS permissions. Conversely, we can double click on any user or group-- all the folders that turn green are folders that the user or group has access to; all the folders that remain yellow are those that the user or group does not have access to. In addition, you can see the level of permissions the user or group has on any given folder, as well as an explanation of how they are getting access-- whether it is through a global group, such as everyone or domain users, or through the finance group, as displayed here. (optional) Consider the native functionality for viewing permissions in windows– in order to view permissions on a folder, you must right-click on it in windows explorer and navigate to properties>security. This displays the groups and any explicitly named users that have access to the folder. In to see the users in each group, you must refer to active directory for each group listed. In order to determine all folders a user or group has access to, you must right click on every folder, record every group, and determine if the user or group is contained with each group.
  • This is one section of the Varonis DatAdvantage Graphical User interface, known as the work area. On the left are users and groups gathered automatically from Active Directory, LDAP, NIS, and/or local files. On the right is the directory structure of a file server (or servers). By double-clicking on a folder, we see a list of users and groups that have access to that folder and their associated NTFS permissions. Conversely, we can double click on any user or group-- all the folders that turn green are folders that the user or group has access to; all the folders that remain yellow are those that the user or group does not have access to. In addition, you can see the level of permissions the user or group has on any given folder, as well as an explanation of how they are getting access-- whether it is through a global group, such as everyone or domain users, or through the finance group, as displayed here. (optional) Consider the native functionality for viewing permissions in windows– in order to view permissions on a folder, you must right-click on it in windows explorer and navigate to properties>security. This displays the groups and any explicitly named users that have access to the folder. In to see the users in each group, you must refer to active directory for each group listed. In order to determine all folders a user or group has access to, you must right click on every folder, record every group, and determine if the user or group is contained with each group.
  • This is one section of the Varonis DatAdvantage Graphical User interface, known as the work area. On the left are users and groups gathered automatically from Active Directory, LDAP, NIS, and/or local files. On the right is the directory structure of a file server (or servers). By double-clicking on a folder, we see a list of users and groups that have access to that folder and their associated NTFS permissions. Conversely, we can double click on any user or group-- all the folders that turn green are folders that the user or group has access to; all the folders that remain yellow are those that the user or group does not have access to. In addition, you can see the level of permissions the user or group has on any given folder, as well as an explanation of how they are getting access-- whether it is through a global group, such as everyone or domain users, or through the finance group, as displayed here. (optional) Consider the native functionality for viewing permissions in windows– in order to view permissions on a folder, you must right-click on it in windows explorer and navigate to properties>security. This displays the groups and any explicitly named users that have access to the folder. In to see the users in each group, you must refer to active directory for each group listed. In order to determine all folders a user or group has access to, you must right click on every folder, record every group, and determine if the user or group is contained with each group.
  • This is one section of the Varonis DatAdvantage Graphical User interface, known as the work area. On the left are users and groups gathered automatically from Active Directory, LDAP, NIS, and/or local files. On the right is the directory structure of a file server (or servers). By double-clicking on a folder, we see a list of users and groups that have access to that folder and their associated NTFS permissions. Conversely, we can double click on any user or group-- all the folders that turn green are folders that the user or group has access to; all the folders that remain yellow are those that the user or group does not have access to. In addition, you can see the level of permissions the user or group has on any given folder, as well as an explanation of how they are getting access-- whether it is through a global group, such as everyone or domain users, or through the finance group, as displayed here. (optional) Consider the native functionality for viewing permissions in windows– in order to view permissions on a folder, you must right-click on it in windows explorer and navigate to properties>security. This displays the groups and any explicitly named users that have access to the folder. In to see the users in each group, you must refer to active directory for each group listed. In order to determine all folders a user or group has access to, you must right click on every folder, record every group, and determine if the user or group is contained with each group.
  • This is one section of the Varonis DatAdvantage Graphical User interface, known as the work area. On the left are users and groups gathered automatically from Active Directory, LDAP, NIS, and/or local files. On the right is the directory structure of a file server (or servers). By double-clicking on a folder, we see a list of users and groups that have access to that folder and their associated NTFS permissions. Conversely, we can double click on any user or group-- all the folders that turn green are folders that the user or group has access to; all the folders that remain yellow are those that the user or group does not have access to. In addition, you can see the level of permissions the user or group has on any given folder, as well as an explanation of how they are getting access-- whether it is through a global group, such as everyone or domain users, or through the finance group, as displayed here. (optional) Consider the native functionality for viewing permissions in windows– in order to view permissions on a folder, you must right-click on it in windows explorer and navigate to properties>security. This displays the groups and any explicitly named users that have access to the folder. In to see the users in each group, you must refer to active directory for each group listed. In order to determine all folders a user or group has access to, you must right click on every folder, record every group, and determine if the user or group is contained with each group.
  • Varonis DatAdvantage provides high-level views of user access behavior, including most/least active users, and most/least active directories. Varonis also has a built-in report to list inactive directories to facilitate disk cleanup projects. Varonis DatAdvantage also alerts on anomalous user behavior by looking for statistically significant deviations on each user’s normal day-to-day activity. Access deviations may signify a worm or automated process running under that user’s credentials, or the employee’s potential departure from the organization.
  • Varonis DatAdvantage provides high-level views of user access behavior, including most/least active users, and most/least active directories. Varonis also has a built-in report to list inactive directories to facilitate disk cleanup projects. Varonis DatAdvantage also alerts on anomalous user behavior by looking for statistically significant deviations on each user’s normal day-to-day activity. Access deviations may signify a worm or automated process running under that user’s credentials, or the employee’s potential departure from the organization.
  • Varonis DatAdvantage provides a straight-forward method to determine potential data-owners. When a folder is double-clicked in the statistics area, DatAdvantage displays a list of users that have accessed data within it. The data owner is often one of these users– if not, the data owner is likely to be one of the active user’s supervisors. At worst, the Active Users represent one degree of separation between the IT administrator and the data owner.
  • Varonis DatAdvantage provides a straight-forward method to determine potential data-owners. When a folder is double-clicked in the statistics area, DatAdvantage displays a list of users that have accessed data within it. The data owner is often one of these users– if not, the data owner is likely to be one of the active user’s supervisors. At worst, the Active Users represent one degree of separation between the IT administrator and the data owner.
  • Varonis DatAdvantage provides a straight-forward method to determine potential data-owners. When a folder is double-clicked in the statistics area, DatAdvantage displays a list of users that have accessed data within it. The data owner is often one of these users– if not, the data owner is likely to be one of the active user’s supervisors. At worst, the Active Users represent one degree of separation between the IT administrator and the data owner.
  • Varonis DatAdvantage provides a straight-forward method to determine potential data-owners. When a folder is double-clicked in the statistics area, DatAdvantage displays a list of users that have accessed data within it. The data owner is often one of these users– if not, the data owner is likely to be one of the active user’s supervisors. At worst, the Active Users represent one degree of separation between the IT administrator and the data owner.

Transcript

  • 1. Introduction to DatAdvantage for Windows © 2010 Varonis Systems.
  • 2. Unstructured Data Quantities – Present and Future © 2008 Varonis Systems. Proprietary and confidential. Unstructured and semi-structured data is exploding... Source: Gartner Jan 2010 650% growth over the next 5 years 80% of all data is unstructured or semi-structured
  • 3. Data Explosion – Are We Ready?
      • 91% lack processes for determining data ownership
      • 76% unable to determine who can access unstructured data
    © 2010 Varonis Systems. Proprietary and confidential. Page Data Collaboration Cross-Functional Teams + Security Requirements More Containers More ACLs More Management Source: Ponemon Institute
      • Can IT answer:
      • Who has access to this folder?
      • Which folders does this user or group have access to?
      • Who has been accessing this folder?
      • Which data is sensitive?
      • Who is the data owner?
      • Where is my sensitive data overexposed?
      • How do I fix it?
      • Where do I begin?
    ---------More---------
  • 4. Varonis IDU Framework – Foundation for Data Governance
    • Four types of metadata are collected, synthesized, processed, and presented:
      • Permissions information
      • User and Group Information
      • Access Activity
      • Sensitive Content Indicators
    • Actionable data governance information is presented:
      • Who has access to a data set?
      • Who has been accessing it?
      • Which data is sensitive?
      • Who is the data owner?
      • Where is my sensitive data overexposed, and how do I fix it?
    • Allows data owners to participate in data governance:
      • Automated Entitlement reviews
      • Authorization workflows
    © 2010 Varonis Systems. Proprietary and confidential. Page
  • 5. Varonis Data Governance Framework Components © 2010 Varonis Systems. Proprietary and confidential. The Varonis IDU Framework creates and manages a meta-data layer that enables IT and the business to work together to protect unstructured data IDU Retention/Storage Analysis & Modeling Aggregation & Normalization File System Meta Data Collection User Data Collection Commit Changes to File Systems and Directory Services DatAdvantage DataPrivilege Windows File Systems UNIX/ Linux SharePoint MS Active Directory LDAP NIS Local Accounts Data Content Classification Presentation NAS Access Activity Future FUTURE
  • 6. IDU Multi-tiered Architecture © 2010 Varonis Systems. Proprietary and confidential. Page
  • 7. Unstructured Data – Operational Challenges
    • As employee needs change, authorizations grow & grow
    • Permissions are seldom revoked
    • Tools are mostly manual: time consuming and error prone
    • Ensuring authorizations are based on business need
    • Metadata and folder location don’t reveal ownership
    • Time consuming and manual process to find owners
    • Significant amounts “orphan” data–unknown business context or relevance, wasted storage
    © 2010 Varonis Systems. Proprietary and confidential. Identifying data business owners
    • Native auditing impairs server performance, generates large volumes of difficult to decipher data
    • Audit trail often enabled only after incident has occurred
    • Most lack any audit information
    Understanding who accessed data & how
    • Searching through so much data takes a lot of time
    • Data constantly changes – hard to keep current
    • Results provide only the first step in the data’s protection
    Finding/classifying sensitive content
  • 8. Risks, Controls & Regulations
    • High Risk Levels
      • File System data is at great risk for loss, theft, and misuse
      • Access configuration changes are untested
    • File System Controls Gaps
      • Many access controls are “loose,” even broken
      • No audit trail exists
      • >50% of data has no known business owner
    • Regulatory Requirements
      • HIPAA
      • CMS
      • Sarbanes Oxley
    © 2010 Varonis Systems. Proprietary and confidential. Page
  • 9. Varonis Solution
    • Technological Breakthrough
      • Automatically Identify and Remediate Access Control Gaps
      • Provide a Usable Audit Trail of Data Usage
      • Identify Data Owners, Inactive Data, Sensitive Content
      • Automate and Enforce Access Control Processes
    • Efficient, Effective Risk Reduction
    • IT Data Protection Jumpstart
    • Proven Operational Execution
      • >600 customers
      • All Verticals
  • 10. DatAdvantage Functionality © 2010 Varonis Systems. Proprietary and confidential.
  • 11. Permissions - Bi-Directional Visibility © 2010 Varonis Systems. Proprietary and confidential.
  • 12. Permissions - Bi-Directional Visibility © 2010 Varonis Systems. Proprietary and confidential. Double-click any folder…
  • 13. Permissions - Bi-Directional Visibility © 2010 Varonis Systems. Proprietary and confidential. … to see all of the users and groups which have access
  • 14. Permissions - Bi-Directional Visibility © 2010 Varonis Systems. Proprietary and confidential. Including users within nested groups
  • 15. Permissions - Bi-Directional Visibility © 2010 Varonis Systems. Proprietary and confidential. Double-click any user or group…
  • 16. Permissions - Bi-Directional Visibility © 2010 Varonis Systems. Proprietary and confidential. … and see every folder where that user or group has access
  • 17. Permissions - Bi-Directional Visibility © 2010 Varonis Systems. Proprietary and confidential. Folder in green indicated some type of access, those in yellow do not
  • 18. Permissions - Bi-Directional Visibility © 2010 Varonis Systems. Proprietary and confidential. Also see explicit Windows permission levels and where they were inherited from
  • 19. Audit Trail © 2010 Varonis Systems. Proprietary and confidential. Page
  • 20. Audit Trail © 2010 Varonis Systems. Proprietary and confidential. Page Complete audit trail of file events
  • 21. Audit Trail © 2010 Varonis Systems. Proprietary and confidential. Page Every open, create, move, modify and delete on the file system is recorded
  • 22. Audit Trail © 2010 Varonis Systems. Proprietary and confidential. Page Who accessed the file
  • 23. Audit Trail © 2010 Varonis Systems. Proprietary and confidential. Page When they did…
  • 24. Audit Trail © 2010 Varonis Systems. Proprietary and confidential. Page When…
  • 25. Audit Trail © 2010 Varonis Systems. Proprietary and confidential. Page Where…
  • 26. Audit Trail © 2010 Varonis Systems. Proprietary and confidential. Page Search…
  • 27. Audit Trail © 2010 Varonis Systems. Proprietary and confidential. Page Sort…
  • 28. Audit Trail © 2010 Varonis Systems. Proprietary and confidential. Page And group
  • 29. Audit Trail © 2010 Varonis Systems. Proprietary and confidential. Page … to find exactly what you’re looking for
  • 30. Recommendations © 2010 Varonis Systems. Proprietary and confidential. Page
  • 31. Recommendations © 2010 Varonis Systems. Proprietary and confidential. Page By combining permissions and audit data with sophisticated analysis, Varonis makes recommendations on where excess access can be removed
  • 32. Recommendations © 2010 Varonis Systems. Proprietary and confidential. Page List of users with red X’s next to their names can be removed from this group
  • 33. Recommendations © 2010 Varonis Systems. Proprietary and confidential. Page What if?
  • 34. Recommendations © 2010 Varonis Systems. Proprietary and confidential. Page Double-click the red X…
  • 35. Recommendations © 2010 Varonis Systems. Proprietary and confidential. Page … and see the effects of making that change
  • 36. Recommendations © 2010 Varonis Systems. Proprietary and confidential. Page Varonis also makes recommendations by user
  • 37. Simulate Changes © 2010 Varonis Systems. Proprietary and confidential. Page
  • 38. Simulate Changes © 2010 Varonis Systems. Proprietary and confidential. Page With Varonis you can simulate permissions changes to your environment without affecting production
  • 39. Simulate Changes © 2010 Varonis Systems. Proprietary and confidential. Page By removing the Everyone group from a folder, you can see what the results would have been
  • 40. Simulate Changes © 2010 Varonis Systems. Proprietary and confidential. Page These users would have been affected by the change
  • 41. Simulate Changes © 2010 Varonis Systems. Proprietary and confidential. Page They can be added back to the ACL to avoid any interruption of service while reducing unneeded access
  • 42. Finding Data Owners © 2010 Varonis Systems. Proprietary and confidential.
  • 43. Finding Data Owners © 2010 Varonis Systems. Proprietary and confidential. By analyzing audit activity, Varonis can help identify business data owners
  • 44. Finding Data Owners © 2010 Varonis Systems. Proprietary and confidential. Double-click a folder…
  • 45. Finding Data Owners © 2010 Varonis Systems. Proprietary and confidential. View most active users…
  • 46. Finding Data Owners © 2010 Varonis Systems. Proprietary and confidential. The data owner is likely in this list
  • 47. Finding Data Owners © 2010 Varonis Systems. Proprietary and confidential. … or you’re one phone call away
  • 48. Common Use Cases for Varonis
    • Access Control Cleanup – Identify & Remediate:
      • “ Global” Groups -(everyone, authenticated users, etc)
      • Redundant, Excessive Group Memberships
      • Orphaned SID’s, Individual User SIDS on ACL’s
    • Find Lost & Deleted Files
    • Identify Anomalous Behavior
    • Track Permissions & Group Changes
    • Ongoing Entitlement Reviews
    • Automate Access Authorization & Revocation
    • Identify Inappropriate File Activity (mp3’s, etc.)
    • Enhance Other Data Protection Projects
    © 2008 Varonis Systems. Proprietary and confidential.
  • 49. Common Use Cases for Varonis (cont’d)
    • Efficient audit compliance - provide evidence of:
      • Effective permissions (preventive controls)
      • Usable audit trail (detective controls)
      • Authorization processes
      • Compliance with authorization processes
    • SharePoint Migration
      • Stale Data Identification
      • Data Owner Identification
    © 2008 Varonis Systems. Proprietary and confidential.