Cyril Simonnet, Sales Director Varonis, explains all the ins and outs about how to build a Data Governance framework. For more information about Varonis, check: https://www.wesecure.nl/producten/varonis/

1. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL
Our mission is to help enterprises realize
value from their unstructured data.
June 2015
How to build a Data Governance
framework

2. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL2
Introduction

3. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL3
About Me
Cyril Simonnet –
csimonnet@varonis.com
Hooked by IT Security for 29 years!
@csimonnet
https://fr.linkedin.com/in/csimonnet
http://blog.varonis.com

4. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL4
About Varonis
Started operations in 2005
Over 3300 Customers
(as of December, 2014)
Software Solutions for
Human Generated Data

5. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL5
90’s-10’s SECURITY MODEL

6. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL6
90’s Model

7. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL7
00’s Model

8. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL8
2010’s model

9. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL9
DATA IS KING

10. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL10
UNSTRUCTURED
HUMAN-GENERATED DATA
UNSTRUCTURED
MACHINE-GENERATED DATA
STRUCTURED
BUSINESS APPLICATIONS DATA
Emails Word Files Spreadsheets
Presentations PDF Files
Time Series Data
(No Pre-defined Schema)
Generated by All IT
Systems; Highly-Diverse
Formats
Massive Volumes
Relational Databases
Financial Records
Math Data
Multi-dimensional Data
Monthly Reporting Data
(Pre-Defined Schema)
Image, Audio,
and Video Files
Generated by every
employee in every
organization
Massive volumes
Focus of
Varonis’ solutions
We Deal With Human-Generated Data

11. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL11
Human Generated Data Challenges
Poor Productivity High Risk High Cost
PRODUCTIVITY RISK COST

12. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL12
The Problem is Getting Worse
Source: IDC Digital Universe
By 2020, Data Centers Will Manage:
14x
Data
10x
Servers
1.5x
IT Staff
With

13. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL13
2.8
40.0
2012 2020
Data Growth: Both Challenge and Opportunity
Only 0.5% is analyzed
(Zettabytes)
Rapid Growth in the Next Decade
Opportunity to extract
more value through
tagging and analysis
Enterprises are responsible for
protecting 80% of all data
Source: IDC Digital Universe

14. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL14
Who has access to files, folders, mailboxes?
Who is accessing, modifying, moving, deleting files and email?
Which files contain critical information?
Which data is exposed to too many people?
Who owns data?
What data isn’t being used?
Root of the Problem
There are
many
questions
IT and the
business
can’t
answer:

15. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL15
PULLED not PUSHED

16. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL16
Question
What is or will be the main driver to justify Human Generated
Data Management ?
Insider Threats
Regulations
Ransomware / Worm Threats
All of the above
None of them

17. The Varonis Origin Story

18. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL18
The Script
Get inside
(if not there already) Snoop around
Exfiltration
Get the data out without
sounding alarmsEnumerate current access;
attempt to elevate
Visa cards anyone?
Usually done by phishing or
social engineering
PS C:Userseddard> findstr /r "^4[0-9]{12}(?:[0-9]{3})?$"

19. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL19
By the Numbers

20. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL20
Privilege Abuse

21. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL21
71% of end users say
that they have access
to company data they
should not see.

22. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL22
Only 22% of employees
say their organization
can tell them what
happened to lost data,
files, or emails.

23. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL23
Insider Misuse + Miscellaneous Errors
“It may not be obvious at first glance, but
the common denominator…for nearly 90%
of all incidents — is people. Whether it’s
goofing up, getting infected, behaving
badly, or losing stuff, most incidents fall in
the PEBKAC and ID-10T über-patterns”
- Verizon 2015 Data Breach Investigations Report

24. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL24
By the Numbers

25. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL25
Privilege Abuse

26. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL26
A trusted insider took hundreds of thousands of files without
anyone noticing and sold them. The organization had tens of
millions of dollars invested in every security technology you can
think of – firewalls, IAM, IPS, DLP, and SIEM – but none of these
systems made a sound.
IMMEDIATE RESULTS
Caught over 20 attempts to steal data in a single year
Reduced unnecessary user access by over 50%
Started tracking all data usage
BUSINESS PROBLEM: Stolen Data
Hundreds of files were stolen from a large military
organization
No record of access or automated analysis to flag insider
abuse
No way of knowing what files were taken or by whom
BUSINESS SOLUTION
Automatically monitor every touch on every file
Complete audit trail on access activity
Make sure only the right users can access the right data
Alert on abnormal behavior
Reduce risk and keep data secure
GOVERNMENT
Varonis Customer: Large Military Organization

27. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL27
Regulations

28. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL28
Question
When do you think the new EU Data Protection Legislation will
come into effect?
This Year
Next Year
Never
Not sure

29. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL29
Regulations
Will Vary By Country and by Industry
Using ISO 27002 as a base for Control Checks
Regulations Can Be Complicated:
EU – 1995 Data Protection Directive (DPD) Provides Framework
For Separate Laws In EU Member Nations
In 2012, EU Introduced A Revision To DPD To Make Laws More
Uniform – E.G., Personal Data Identifiers Vary By Nation –
And Placed Under Single Authority.
Meldplicht Datalekken

30. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL30
Getting Ready for the EU GDPR
Minimize Data Collection
Prompt Data Breach Reporting
Retain Carefully
New Definition of Personal Identifier
Clear Language
Erase Button
Whither the Cloud?
Companies can’t avoid the EU law by outsourcing it to the cloud.
The EU law still follows the data.

31. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL31
“We were missing file server monitoring…review and
clean-up of all of our unstructured data – which included
all of our folder access. This wasn’t something we could do
manually, nor did we have existing tools to help, so we had
to look for a solution.”
– Kash Sharma
Identity Management Analyst for ING DIRECT
IMMEDIATE RESULTS
Full roll out in 3 weeks
Achieved regulatory compliance
Archived stale data in critical business units
Increased data intelligence
BUSINESS PROBLEM: Manage Sensitive Data
Insufficient file monitoring to meet regulations
Manual reporting on critical files was expensive,
inefficient and time-consuming
No way to review and manage unstructured data
Difficult to report on compliance and activity
BUSINESS SOLUTION
Automated and scheduled reporting on critical files
DatAdvantage monitors every touch of every file
Sysadmins are empowered to manage permissions
and clean up stale data with access provisioning and
bi-directional views
FINANCE

32. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL32
The Crypto Locker

33. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL33
Crypto Locker
Cryptolocker is a well know Trojan/virus that is spread all over
the internet.
Basically it entered the company within an email. The latest
variant was not detected by any anti-virus nor firewall.
If a user click on it, it starts immediately scanning your network
drives, and then it renames all the files & folders and encrypt it.
The only method to counter, identify & limit the damage, is to
use DatAdvantage & DatAlert.

34. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL34 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL34
Actions and behavior
Actions Notes Events on files
Encrypt files Uses a RSA 2048bits key to encrypt the files
Encryption cypher seems to be symmetrical (depending on the
CryptoLocker variant).
OPEN then MODIFY
Add file
extensions
(next to
existing ones)
Adds one of these new extension to the end of the files
(depending on CryptoLocker variant) :
- « .encrypted »
OR
- « .cryptolocker »
OR
- « .<RANDOM 7 characters> »
RENAME
Instruction
files written in
each directory
Writes a file containing a link to a web page to get instructions to
decrypt the files (require the user to pay some bitcoins)
The file names are :
- « DECRYPT_INSTRUCTION.txt »
OR
- « DECRYPT_INSTRUCTIONS.html »
CREATE
« file.docx » Encryption Add extension
« .encrypted »
« file.docx » + OR
« .cryptolocker »

35. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL35 VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL35
Filetypes affected
*.zip ; *.rar ; *.7z ; *.tar ; *.gzip ; *.jpg ; *.jpeg ; *.tif ; *.psd
; *.cdr ; *.dwg ; *.max ; *.bmp ; *.gif ; *.png ; *.doc ; *.docx
; *.xls ; *.xlsx ; *.ppt ; *.pptx ; *.txt ; *.pdf ; *.djvu ; *.htm ;
*.html ; *.mdb ; *.cer ; *.p12 ; *.pfx ; *.kwm ; *.pwm ; *.1cd
; *.md ; *.mdf ; *.dbf ; *.odt ; *.vob ; *.iso ; *.ifo ; *.csv ;
*.torrent ; *.mov ; *.m2v ; *.3gp ; *.mpeg ; *.mpg ; *.flv ;
*.avi ; *.mp4 ; *.wmv ; *.divx ; *.mkv ; *.mp3 ; *.wav ; *.flac
; *.ape ; *.wma ; *.ac3 ; *.epub ; *.eps ; *.ai ; *.pps ; *.pptm
; *.accdb ; *.pst ; *.dwg ; *.dxf ; *.dxg ; *.wpd ; *.dcr ; *.kdc
; *.p7b ; *.p7c ; *.raw ; *.cdr ; *.qbb ; *.indd ; *.qbw

36. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL36
“Using the Varonis DatAdvantage audit trail, I could identify
all the users that had accessed the corrupted files… I ran a
query on a specific user and realized that there were over
400,000 access events that had been generated from that
user’s account. It was at that point that we knew it was a
virus”
- http://blog.varonis.com/datadvantage-can-help-recover-
virus/
IMMEDIATE RESULTS
Identified all the users that had accessed the corrupted
files
Pinpoint and restored corrupted files almost immediately
Maximize time and resources by only having to restore the
data that was affected
Set up daily reports to automatically alert or quarantine
suspicious activity
BUSINESS PROBLEM: Cryptolocker Attack
Attacked by a variation of the Cryptolocker virus
Several users complaining that their files were
corrupted
Needed to recover corrupted files without restoring
the entire server
BUSINESS SOLUTION
Monitor sensitive files and user activity
Complete audit trail of access activity
Daily Reports on anomalous behavior
Reduce impact of Cryptolocker attack with minimal
downtime
FINANCE
Varonis Customer: Financial Institution

37. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL37
PULLED not PUSHED

38. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL38
Question
What percentage of your organisation’s data maybe exposed to
non-authorized users ?
None
Less than 20%
Between 20% to 50%
More than 50%
I have absolutely no clue …

39. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL39
Assess your environment
Express Risk Assessment will outline your problem areas,
prioritize risk, and give you concrete steps to take
to improve your data security.
 Identify overly accessible folders
containing important or regulated content
 Discover overly accessible hierarchies and
data structures
 Find folders with stale information
 Capture usage statistics
 Get a full permissions overview, including
stale permissions and identity
configurations

40. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL40
Proven Plan: Enterprise File Services
MAP
Instrument Environment
& Take Inventory
PROTECT
Simplify and Reduce Data
Risk
CONNECT
Give business and owners
their data back
OPTIMIZE
Automate and Extend
Enable Audit Trail
Inventory Permissions
Classify and Tag Sensitive,
High Profile Data
Standardize Permissions
and Structures
Remove Excess Access
Alert
Perform Entitlement
Reviews
Self-service data
management
Formalize and Enforce
Existing Policies &
Processes
Secure search,
mobile access and
file synchronization
Refine rules for
sensitive data
Archive, Migrate, Delete
REDUCE RISK
REDUCE COST
INCREASE PRODUCTIVITY

41. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL41
Reducing Risk, Complexity, and Cost
RISK
30+% of data can be archived
60+% of infrastructure is not utilized effectively
COMPLEXITY
COST
50+% of access is unwarranted
70+% of infrastructure is unmonitored
Rationalize domain structure, access control entities,
and supporting business processes
“Varonis DatAdvantage gave us the
visibility and recommendations to
limit user-to-data access by
business function and need. Now,
my team is able to audit the use of
any data set or group for our
compliance initiatives.”
─ James Nelson
IT Security Manager
Juniper Networks

42. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL42
Increasing Productivity and Functionality
PRODUCTIVITY
Extends functionality of existing investments
in infrastructure.
OPERATIONAL
EFFICIENCY
FUNCTIONALITY
Find and get access to data faster and more easily.
Access and share files from anywhere on any device.
10-40x Efficiency gains for daily data management
and protection tasks.
“A process that previously took
five or six days now takes just a
few hours...we’re able to
produce reports that weren’t
possible previously,”
─ Thibaud Desforges
Tool and Processing Manager
GDF Suez

43. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL43
How CIO / CISO Justify it
Users find and get access to data faster
Users can access data from the right devices
Better decisions based on usage analysis
Productivity
Gains
Probability of a breach is lower, response is faster and
more efficient
Efficient compliance with industry regulations
Quantifiable
Risk
Reduction
Automated manual processes, reduced storage costs,
retired technologies
Efficiency gains for many required data center tasks and
business functions
Cost
Reduction

44. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL44
Summary: Why Managing Human-Generated Data
Sustainably reduce risk
Identify where your most sensitive data
resides, see who has access to it, who is
accessing it, and safely lock it down.
Eliminate operational overhead
Run permissions reports, find lost files, assign
data owners, and conduct security
investigations more efficiently than ever.
Increase productivity
IT staff spend less time on manual data
management and protection tasks and can
focus on critical projects.
Achieve regulatory compliance
DatAdvantage covers many of the requirements
prescribed by SOX, HIPAA, PCI, GLB,
FERC/NERC, and more.
Adhere to change control policies
Automatically detect and correct changes that
don’t meet your organization’s change
management policies.
Prevent data breaches
Receive alerts on anomalous behavior, privilege
escalations, and unauthorized access to critical
files and folders.

45. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL
Thank You
CYRIL SIMONNET
Sales Director