Varonis is a data security platform that protects your file and email servers from cyber attacks and insider threats. We analyze the behavior of the people and machines that access your data, alert on misbehavior, and enforce the least privilege model.
3. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.
Ransomware detection
https://www.varonis.com/ransomware-solutions
Abnormal service account behavior
Access to atypical files & folders
Suspicious mailbox activity
Multiple messages marked as unread
Unusual amount of access to stale & idle data
Real-world detection examples
Security neighbors and integration points
Varonis eliminates blind spots with unstructured data present in IAM, DLP, threat detection, and incident response systems.
Provides data-centric entitlements and automation for IAM.
Adds context to DLP, e.g. where sensitive data is concentrated and exposed, who uses it, and who owns it.
Adds clean file system events, data context, and role/peer mining based on data usage to SIEM and UBA solutions.
www.Varonis.com/tap
Integration points shown in the diagram: DLP, SIEM, IAM, UBA.
Varonis’ alerts are more valuable to your SIEM or UBA product than raw logs.
We analyze behavior, profile key accounts, and develop a baseline for each user and device.
Fewer false positives because we have more context.
No need to pre-configure rules – our threat models are adaptive.
Varonis enhances your SIEM
Integrates via Syslog
DatAlert & DatAlert Analytics alerts are “clean” alerts
You don’t have to send raw logs into your SIEM (that can be expensive)
Send Varonis’ hi-fidelity alerts into your SIEM or UBA product
Integrating with SIEM
Once you’ve successfully mapped your environment, turned on monitoring, locked down exposed data, and cleaned up dangerous objects, the trick is to sustain those efforts without doubling your IT staff.
You may be wondering how Varonis fits into the broader security ecosystem within an organization. Many of our customers have made investments in other technologies like Identity Management, Data Loss Prevention, log aggregation with SIEM, and even user behavior analytics. Varonis complements all of these technologies in various ways and can’t be replaced by them. All of them share many of the same issues when it comes to unstructured data: they’re blind. IAM’s focus is on access to structured systems and applications. DLP might classify data at rest, but it has no notion of how that data is being used, or how people have access to it. SIEM and UBA are only as good as the information they get fed, and activity for unstructured data simply isn’t analyzed because native logging functionality either isn’t used or is too difficult to analyze. Varonis sits at the intersection of these technologies and enhances them all by providing visibility and analytics for unstructured data.
Varonis is able to enhance SIEM in a big way. We act like a smart filter for unstructured data activity. We have the ability to correlate unstructured data’s metadata with User Behavior Analytics in order to help quickly identify threats and other anomalous activity within your environment.
We can tell your SIEM when someone’s accessing the CEO’s mailbox, changing critical GPOs, encrypting large numbers of files in a short period of time, or otherwise misbehaving when it comes to your data and directory services.
SIEM + Varonis is extremely beneficial to an organization because you have the ability to correlate events of interest in a very real way. For example, if DLP picks up that a user plugged in a non-supported USB keyfob and at the same time Varonis reports that several thousands/millions of files were copied from your filer to their workstation, you can correlate the two into a potential data exfiltration attempt.
Varonis integrates with SIEM through native Syslog forwarding. It also offers pre-built templates to simplify the connection to specific platforms such as ArcSight, FireEye, and LogRhythm.
What is most important about this integration is that Varonis does not forward its entire event feed to the SIEM. As mentioned before, this feed could be in the millions of events per day. Forwarding all of it would be a significant expense to the SIEM, in both cost and performance, in addition to the sheer noise you would need to weed through. Instead, Varonis only sends hi-fidelity alerts that our sophisticated threat models deem important. This greatly improves your organization’s ability to act on insider threats detected by Varonis.
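As an added illustration of the USB-plus-mass-copy correlation described in the notes (this is not Varonis code, and the syslog layout, app names, field names, hosts and timestamps are all constructed assumptions rather than any real DatAlert or DLP export format), here is a small Python correlator that parses syslog-style lines and flags a DLP USB-attach event followed within a short window by a mass-file-copy alert for the same user:

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines. The key=value message layout, app names
# and field names are assumptions for illustration, not a real Varonis or
# DLP export format.
SAMPLE_SYSLOG = """\
<13>2024-05-01T09:02:11Z dlp01 dlp: event=usb_attached user=jsmith host=WS-117 device=unapproved_keyfob
<13>2024-05-01T09:05:40Z varonis01 DatAlert: alert="Mass file copy" user=jsmith host=WS-117 files=184233 share=finance
<13>2024-05-01T09:40:00Z varonis01 DatAlert: alert="Mass file copy" user=jsmith host=WS-117 files=2200 share=finance
<13>2024-05-01T11:30:05Z varonis01 DatAlert: alert="Mass file copy" user=backupsvc host=BKP-01 files=902111 share=archive
<13>2024-05-01T14:12:00Z dlp01 dlp: event=usb_attached user=mlee host=WS-042 device=unapproved_keyfob
"""

LINE_RE = re.compile(r"^<\d+>(?P<ts>\S+) (?P<host>\S+) (?P<app>[^:]+): (?P<msg>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_syslog(text):
    """Turn each well-formed line into a dict: parsed timestamp, app, and key=value fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of stopping the feed
        ev = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "app": m["app"]}
        ev.update({k: v.strip('"') for k, v in KV_RE.findall(m["msg"])})
        events.append(ev)
    return events


def correlate_exfil(events, window=timedelta(minutes=15)):
    """Pair each DLP USB-attach event with any later mass-copy alert for the
    same user inside `window`; each pair is a candidate exfiltration finding."""
    usb = [e for e in events if e["app"] == "dlp" and e.get("event") == "usb_attached"]
    copies = [e for e in events if e["app"] == "DatAlert" and e.get("alert") == "Mass file copy"]
    findings = []
    for u in usb:
        for c in copies:
            gap = c["ts"] - u["ts"]
            if c.get("user") == u.get("user") and timedelta(0) <= gap <= window:
                findings.append({"user": u["user"], "host": c["host"],
                                 "files": int(c["files"]), "delta_s": int(gap.total_seconds())})
    return findings


if __name__ == "__main__":
    for f in correlate_exfil(parse_syslog(SAMPLE_SYSLOG)):
        print(f)  # one finding: jsmith, 184233 files, 209 s after the USB attach
```

The second jsmith copy at 09:40 falls outside the 15-minute window and the backupsvc copy has no USB event, so only the 09:05 copy is flagged; tune the window and the user/host join to match your own SIEM's field names.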
If you’re interested, a copy of this presentation is available at this URL.