Cloud Data Protection and Risk Identification

VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.
Fighting a different battle than
conventional cybersecurity companies
Cloud Data Protection
Benjamin NATHAN
Director of Sales Engineering Enablement
Varonis Systems
bnathan@varonis.com

VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.2
Operational Plan
Risk identification
Set detective controls
Fix
Sustain

Risk identification – Pre-migration to O365
Define the proper site and permission structures for SharePoint Online based on:
Identification of sensitive data
Mapping of existing permissions
Actual user activity
Removal recommendation analytics
Define acceptable sharing policies for SharePoint Online and OneDrive
Sharing data with external users?
Which users can share data and who cannot?
Identify high risk data that should remain “on-prem”
Employee PII
PCI Data
Sensitive Business Critical Data
Identification of Stale Data
Identify Stale Data that provides NO value
Identify Stale “Sensitive” Data that provides little or no value but creates unnecessary risk
Map risk state, decide which data to move and how.

Risk identification – External exposure risk indicators
Number of files/folders shared externally (and publicly)
And sensitive
And stale
Concentrations of files/folders shared externally
Organizational sharing structure
Most sharing users/departments
Most “shared with” external users
Most active external users
External users that are stale
External users that are stale on specific links
External users with domains I don’t do business with (with no email traffic to/from my organization)

Risk identification – Internal overexposure risk indicators
Amount of files/folders open to everyone
And sensitive, and stale
Amount of files/folders overexposed internally
Files with greater permissions than their parent folder
Unique folders with greater permissions than their protected parent
Concentrations of files/folders overexposed internally (Amount per site/folder)
Organizational sharing structure
Most sharing users/departments
Most “shared with” internal users (users with greater permissions to files and unique folders)
“shared with” internal users that are stale
“shared with” internal users that are stale on specific links

Risk prioritization
Prioritize sites and folders to remediate based on concentrations of the
mentioned risk indicators

Set detective controls
Audit and Identify what you need to set alerts on
Alert on public/external/internal sharing of sensitive data
Alert on public/external/internal sharing of stale data
Alert on sharing with external users from domains I don’t do business with (with no
email traffic to/from my organization)
Alert on sharing with external users based on threat intel
Alert on suspicious behaviors

Set Policies (Fix and sustain)
Remove public links
Remove global access groups
Remove stale external links
Remove stale internal links (stale
greater permissions)
Per site collection - Make sure
permission levels are correctly set
Ethical walls
Remove sharing with external users
from domains I don’t do business
with
Remove sharing with external users
based on threat intel
User attributes. E.g. AD attributes
Data Classification
Move data
Move stale and sensitive data to a
secure location
Move alerted data to an admin
quarantine

Sustain
Provide owners an easy-to-use method to control access to their
data, while still allowing sharing
Identify owners (based on activity and site collections administrators/owners)
Send mail/trigger ER to owners when sensitive data is shared externally/with
everyone/with insiders
Ease entitlement review process
Show sharing information (external + internal)
Show activity information
Analysis engine to recommend on shared links removal (external + internal) based on activity
Cleanup
Remove redundant internal sharing (that does not add permissions)

Is my data at risk? Am I compliant? Can I detect a breach?
Is my data exposed?
Who can access it?
Who does access it?
Who does it belong to?
Is anyone stealing it?
From which devices and
locations?
Can I investigate quickly?
Where is my regulated
data?
Should I delete it?
Can I prove compliance?
Many questions

DATA PROTECTION COMPLIANCE THREAT DETECTION & RESPONSE
THREE USE CASES
ONE PLATFORM

DATA PROTECTION
COMPLIANCE
THREAT DETECTION &
RESPONSE
Varonis Data Security Platform
ENTERPRISE DATA STORES AND
INFRASTRUCTURE
USE CASESANALYTICS & AUTOMATION
PermissionsUsers &
Groups
Perimeter
Telemetry
Access
Activity
AD
Telemetry
Content
Classification
Windows Exchange
SharePoint
Office 365
NASUnix/Linux
Directory
Services
Edge
Services
Box

What if security started with data?
DATA
DETECT
PREVENT
SUSTAIN
We’d know where our sensitive data lives
We’d monitor it for abuse
Only the right people would have access
We’d efficiently sustain our secure state

Varonis eliminates blind spots with unstructured data
present in IAM, DLP, threat detection, and incident
response systems.
Provides data-centric entitlements and automation for
IAM.
Adds context to DLP, e.g. where sensitive data is
concentrated and exposed, who uses, who owns.
Adds clean file system events, data context, & role/peer
mining based on data usage to SIEM and UBA solutions.
www.Varonis.com/tap
Varonis in the Security Ecosystem
DLP
SIEM
IAM
UBA

Least privilege achieved
Permissions rationalized & owners assigned
Authorization & attestations are automated
Stale data archived
Multiple data stores covered
Set alerting & have plan for investigations
How to protect Data (from insider threats and cyber attacks)

VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.16 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL.
DATA PROTECTION

Understand Potential Access
Review Actual Access
Remediate Permission
Manually or Automatically
Being able to see impact of the
changes
Permission visibility
Achieve least privilege data access model

Set KPI to identify risk
Stale data
Get rid of it to reduce cost and administration overhead –
Automatically remove stale data from main storage – creating rules to either delete or archive automatically to
different storage and at the same time secure it (limit access permissions to archived folders)
Data exposure
Identify which data is over exposed either internally or externally
Folders / Document Librairies opened to global access groups, sharepoint online/onedrives folders that are shared
widely internally and or externally – reducing exposure by automatically fixing widely exposed data in order to limit
the risk
Data sensitivity
Identify sensitive data and whether this data is accessible by the right people in the organization in order to prioritize
risk
Automated Reports sent to Business / Data Owners to constantly keep track and take actions
Data discovery – Understand Risk & Exposure (sensitive, stale data…)

Set and maintain “secured state for the data”
Automatically securing sensitive data discovered
Automatically archiving/deleting Stale Data
Automatically fix newly over exposed data – automated remediation
Identify and Involve Data Owners
Identify Data Owners (based on data usage and reports)
Identify Data Owners using statistics and specific business data
Target Tailored Reports to Data Owners
Involve data owners in entitlement reviews and ability to control who is accessing their data
Remediation & Data Owners

COMPLIANCE & CLASSIFICATION

Indexing data
Identify risk related to company critical data
Based on compliance needs (GDPR, PCI DSS, HIPAA, CCPA…)
Or on important data (company intellectual property, sensitive keywords, product names…)
Labelling
Make sure sensitive data is protected using labels and encryption to avoid data leakage
Protect from insider threats (someone willing to steal information or doing data exposure by mistake) and
cyber attacks (phishing attacks, APT…)
DSAR – Set a plan to easily being able to identify where personal data resides and take action

THREAT DETECTION & RESPONSE

Audit
Understand what users are doing with the data, which data is being accessed, by whom
from where and when, including not only insider threats, but also external potential attacks
(ransomware, phishing, APT…)
Alert on misusage, attacks and specific behaviors
Either depending on usage or type of data (sensitive, stale…)
Security, Forensics
Have a complete investigation plan with playbooks to understand what is happening and
have dedicated action to set.

Threat Detection (Insiders / Cyber) – profiling

Threat Detection (Insiders / Cyber) – Machine learning
Hackers are constantly
changing their way of working
Understand your organization habits and leverages machine learning to
build and maintain extensive behavioral profiles on all users and devices
Standard users act the same from the same
devices - They are predictable

DatAlert - Dashboard

DatAlert – Investigation

Recommendations

Data Security Highlights
✓ Implement “privacy by design” across
ALL platforms
✓ Enforce least privilege access
✓ Remove excessive access to critical
folders
✓ Monitor and record all activity
✓ Identify and monitor sensitive data
✓ Create a behavioral profile for all users
✓ Automate and track risk based on “Key
Risk Indicators”
✓ Define Data Classification Requirements
✓ Implement classification rules to support
compliance regulations such as PCI,
CCPA, etc…
✓ Define acceptable use policy for
classified data
✓ Identify and assign data owners
✓ Automate access recertification or
entitlement review process

Governance & Compliance
• Classification
• Permissions Cleanup
• Data Ownership Identification
• Attestations/Entitlement Reviews
Data Migrations & Disposition
• Stale Data Identification
Active Directory Cleanup & Monitoring
Threat Detection & Response
• Insider Threats
• Ransomware
Compliance – NYDFS, SOX, PCI…
Adjacent technologies
• Identity & Access Management
• Privilege Account Management
• Classification, tagging & DLP
• SIEM & UBA
• Endpoint protection
• Malware detection
• FIM
Deprecated point technologies
• Permissions reporting tools
• Native audit logs & auditing tools
• AD monitoring tools
• Migration tools
Project/Use Case Alignment

DATA PROTECTION
RISK ASSESSMENT
PCI, HIPAA, GDPR, CCPA, SOX, ITAR,
GLBA, EXPORT CONTROL
Insider Threats
Cyber Attacks
Data Exposure
Remediation

Thank You

Cloud Data Protection and Risk Identification

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Cloud Data Protection and Risk Identification

Similar to Cloud Data Protection and Risk Identification (20)

More from aOS Community

More from aOS Community (20)

Recently uploaded

Recently uploaded (20)

Cloud Data Protection and Risk Identification