Recommended
More Related Content
What's hot
What's hot (20)
Similar to Insiders Are The New Malware!
Similar to Insiders Are The New Malware! (20)
Recently uploaded
Recently uploaded (20)
Insiders Are The New Malware!
- 2. VARONIS SYSTEMS Varonis Customer: Large Military Organization
- 3. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.3 Ransomware detection https://www.varonis.com/ransomware-solutions Abnormal service account behavior Access to atypical files & folders Suspicious mailbox activity Multiple messages marked as unread Unusual amount of access to stale & idle data Real-world detection examples
- 4. VARONIS SYSTEMS Security neighbors and integration points Varonis eliminates blind spots with unstructured data present in IAM, DLP, threat detection, and incident response systems. Provides data-centric entitlements and automation for IAM. Adds context to DLP, e.g. where sensitive data is concentrated and exposed, who uses, who owns. Adds clean file system events, data context, & role/peer mining based on data usage to SIEM and UBA solutions. www.Varonis.com/tap DLP SIEM IAM UBA
- 5. VARONIS SYSTEMS Varonis’ alerts are more valuable to your SIEM or UBA product than raw logs We analyze behavior, profile key accounts, and develop a baseline for each user and device Fewer false positives because we have more context No need to pre-configure rules – our threat models are adaptive Varonis enhances your SIEM
- 6. VARONIS SYSTEMS Integrates via Syslog DatAlert & DatAlert Analytics alerts are “clean” alerts You don’t have to send raw logs into your SIEM (that can be expensive) Send Varonis’ hi-fidelity alerts into your SIEM or UBA product Integrating with SIEM
- 7. VARONIS SYSTEMS Free Data Risk Assessment
- 8. VARONIS SYSTEMS Data Risk Assessment - example
- 9. VARONIS SYSTEMS Where to get the slides http://bit.ly/InsiderThreatsVaronis
- 10. VARONIS SYSTEMS Thank You Dietrich Benjes @dietrichbenjes blog.varonis.com
Editor's Notes
- Once you’ve successfully mapped your environment, turned on monitoring, locked down exposed data, and cleaned up dangerous objects the trick is to sustain those efforts without doubling your IT staff.
- You may be wondering how Varonis fits into the broader security ecosystem within an organization. Many of our customers have made investments in other technologies like Identity Management, Data Loss Prevention, log aggregation with SIEM, and even user behavior analytics. Varonis complements all of these technologies in various ways and can’t be replaced by them. All of them share many of the same issues when it comes to unstructured data: they’re blind. IAM’s focus is on access to structured systems and applications. DLP might classify data at rest, but it has no notion of hour that data is being used, or how people have access to it. SIEM and UBA are only as good as the information they get fed, and activity for unstructured data simply isn’t analyzed because native logging functionality either isn’t used or is too difficult to analyze. Varonis sits at the intersection of these technologies and enhances them all by providing visibility and analytics for unstructured data.
- Varonis is able to enhance SIEM in a big way. We act like a smart filter for unstructured data activity. We have the ability to correlate unstructured data’s MetaData with User Behavior Analytics in order to help quickly identify threats and other anomalous activity within your environment. We can tell your SIEM when someone’s accessing the CEO’s mailbox, changing critical GPOs, encrypting large numbers of files in a short period of time, or otherwise misbehavior when it comes to your data and directory services. SIEM + Varonis is extremely beneficial to an organization because, you have the ability to correlate events of interest in a very real way. For example, if DLP picks up that a user plugged in a non-supported USB Keyfob and at the same time Varonis reports that several thousands/millions of files were copied from your filer to their workstation. You may correlate a potential data exfiltration attempt.
- Varonis integrates with SIEM through native Syslog forwarding. It also offers pre-built templates to simplify the connection to specific platforms such as; ArcSight, FireEye, and LogRhythm. What is most important about this integration is that Varonis does not forward its entire event feed to the SIEM. As mentioned before, this feed could be in the millions / day. This would be a significant expense to the SIEM, both cost and performance. In addition to the sheer noise you would need to weed through. On the contrary, Varonis only sends hi-fidelity alerts that our sophisticated threat models deem important. This greatly improves your organizations ability to act on insider threats detected by Varonis.
- If you’re interested, a copy of this presentation is available at this URL.