Cyril Simonnet, Sales Director Varonis, explains all the ins and outs about how to build a Data Governance framework. For more information about Varonis, check: https://www.wesecure.nl/producten/varonis/
WeSecure Data Security Congres: How to build a data governance framework
1. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL
Our mission is to help enterprises realize
value from their unstructured data.
June 2015
How to build a Data Governance framework
3. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL
About Me
Cyril Simonnet –
csimonnet@varonis.com
Hooked by IT Security for 29 years!
@csimonnet
https://fr.linkedin.com/in/csimonnet
http://blog.varonis.com
4. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL
About Varonis
Started operations in 2005
Over 3300 Customers (as of December, 2014)
Software Solutions for Human Generated Data
10. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL
We Deal With Human-Generated Data
UNSTRUCTURED HUMAN-GENERATED DATA
- Emails, Word Files, Spreadsheets, Presentations, PDF Files
- Image, Audio, and Video Files
- Generated by every employee in every organization
- Massive volumes
- Focus of Varonis’ solutions
UNSTRUCTURED MACHINE-GENERATED DATA
- Time Series Data
- (No Pre-defined Schema)
- Generated by All IT Systems; Highly-Diverse Formats
- Massive Volumes
STRUCTURED BUSINESS APPLICATIONS DATA
- Relational Databases
- Financial Records
- Math Data
- Multi-dimensional Data
- Monthly Reporting Data
- (Pre-Defined Schema)
11. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL
Human Generated Data Challenges
PRODUCTIVITY: Poor Productivity
RISK: High Risk
COST: High Cost
12. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL
The Problem is Getting Worse
By 2020, Data Centers Will Manage:
- 14x Data
- 10x Servers
With 1.5x IT Staff
Source: IDC Digital Universe
13. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL
Data Growth: Both Challenge and Opportunity
Rapid Growth in the Next Decade
[Chart: data volume in zettabytes, 2.8 in 2012 and 40.0 in 2020]
Only 0.5% is analyzed
Opportunity to extract more value through tagging and analysis
Enterprises are responsible for protecting 80% of all data
Source: IDC Digital Universe
14. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL
Root of the Problem
There are many questions IT and the business can’t answer:
- Who has access to files, folders, mailboxes?
- Who is accessing, modifying, moving, deleting files and email?
- Which files contain critical information?
- Which data is exposed to too many people?
- Who owns data?
- What data isn’t being used?
16. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL
Question
What is or will be the main driver to justify Human Generated Data Management?
Insider Threats
Regulations
Ransomware / Worm Threats
All of the above
None of them
18. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL
The Script
- Get inside (if not there already): Usually done by phishing or social engineering
- Snoop around: Enumerate current access; attempt to elevate
- Exfiltration: Get the data out without sounding alarms
Visa cards anyone?
PS C:\Users\eddard> findstr /r "^4[0-9]{12}(?:[0-9]{3})?$"
21. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL
71% of end users say that they have access to company data they should not see.
22. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL
Only 22% of employees say their organization can tell them what happened to lost data, files, or emails.
23. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL
Insider Misuse + Miscellaneous Errors
“It may not be obvious at first glance, but the common denominator…for nearly 90% of all incidents — is people. Whether it’s goofing up, getting infected, behaving badly, or losing stuff, most incidents fall in the PEBKAC and ID-10T über-patterns”
- Verizon 2015 Data Breach Investigations Report
26. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL
GOVERNMENT
Varonis Customer: Large Military Organization
A trusted insider took hundreds of thousands of files without anyone noticing and sold them. The organization had tens of millions of dollars invested in every security technology you can think of – firewalls, IAM, IPS, DLP, and SIEM – but none of these systems made a sound.
BUSINESS PROBLEM: Stolen Data
- Hundreds of files were stolen from a large military organization
- No record of access or automated analysis to flag insider abuse
- No way of knowing what files were taken or by whom
BUSINESS SOLUTION
- Automatically monitor every touch on every file
- Complete audit trail on access activity
- Make sure only the right users can access the right data
- Alert on abnormal behavior
- Reduce risk and keep data secure
IMMEDIATE RESULTS
- Caught over 20 attempts to steal data in a single year
- Reduced unnecessary user access by over 50%
- Started tracking all data usage
28. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL
Question
When do you think the new EU Data Protection Legislation will come into effect?
This Year
Next Year
Never
Not sure
29. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL
Regulations
Will Vary By Country and by Industry
Using ISO 27002 as a base for Control Checks
Regulations Can Be Complicated:
- EU – 1995 Data Protection Directive (DPD) Provides Framework For Separate Laws In EU Member Nations
- In 2012, EU Introduced A Revision To DPD To Make Laws More Uniform – E.G., Personal Data Identifiers Vary By Nation – And Placed Under Single Authority.
Meldplicht Datalekken
30. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL
Getting Ready for the EU GDPR
Minimize Data Collection
Prompt Data Breach Reporting
Retain Carefully
New Definition of Personal Identifier
Clear Language
Erase Button
Whither the Cloud?
Companies can’t avoid the EU law by outsourcing it to the cloud.
The EU law still follows the data.
31. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL
FINANCE
“We were missing file server monitoring…review and clean-up of all of our unstructured data – which included all of our folder access. This wasn’t something we could do manually, nor did we have existing tools to help, so we had to look for a solution.”
– Kash Sharma, Identity Management Analyst for ING DIRECT
BUSINESS PROBLEM: Manage Sensitive Data
- Insufficient file monitoring to meet regulations
- Manual reporting on critical files was expensive, inefficient and time-consuming
- No way to review and manage unstructured data
- Difficult to report on compliance and activity
BUSINESS SOLUTION
- Automated and scheduled reporting on critical files
- DatAdvantage monitors every touch of every file
- Sysadmins are empowered to manage permissions and clean up stale data with access provisioning and bi-directional views
IMMEDIATE RESULTS
- Full roll out in 3 weeks
- Achieved regulatory compliance
- Archived stale data in critical business units
- Increased data intelligence
33. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL
Crypto Locker
Cryptolocker is a well-known Trojan/virus that is spread all over the internet.
Basically, it entered the company in an email. The latest variant was not detected by any anti-virus or firewall.
If a user clicks on it, it immediately starts scanning your network drives, then renames all the files and folders and encrypts them.
The only method to counter, identify & limit the damage, is to use DatAdvantage & DatAlert.
34. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL
Actions and behavior
Table columns: Actions / Notes / Events on files
Action: Encrypt files
Notes: Uses an RSA 2048-bit key to encrypt the files. Encryption cypher seems to be symmetrical (depending on the CryptoLocker variant).
Events on files: OPEN then MODIFY
Action: Add file extensions (next to existing ones)
Notes: Adds one of these new extensions to the end of the files (depending on CryptoLocker variant): « .encrypted » OR « .cryptolocker » OR « .<RANDOM 7 characters> »
Events on files: RENAME
Action: Instruction files written in each directory
Notes: Writes a file containing a link to a web page to get instructions to decrypt the files (requires the user to pay some bitcoins). The file names are: « DECRYPT_INSTRUCTION.txt » OR « DECRYPT_INSTRUCTIONS.html »
Events on files: CREATE
Diagram: « file.docx » → Encryption → Add extension → « file.docx » + « .encrypted » OR « .cryptolocker »
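Added example, not part of the slides and not Varonis code: the file-event indicators from the table above applied to a file-audit trail, flagging accounts that create the ransom-note files or append the listed extensions in volume. The event layout, the `flag_users` and `is_appended_extension` names, the threshold of 3 and the sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators from the slide's table; "RANDOM 7 characters" is assumed alphanumeric.
APPENDED_EXT = re.compile(r"\.(encrypted|cryptolocker|[A-Za-z0-9]{7})", re.IGNORECASE)
RANSOM_NOTES = {"decrypt_instruction.txt", "decrypt_instructions.html"}

def is_appended_extension(old_path, new_path):
    """True when a RENAME kept the old name and only appended a listed extension."""
    old, new = PureWindowsPath(old_path), PureWindowsPath(new_path)
    if old.parent != new.parent or not new.name.startswith(old.name):
        return False
    return APPENDED_EXT.fullmatch(new.name[len(old.name):]) is not None

def flag_users(events, rename_threshold=3):
    """Return {user: {"renames": n, "note_dirs": [...]}} for accounts matching the pattern."""
    stats = defaultdict(lambda: {"renames": 0, "note_dirs": []})
    for ev in events:
        if ev["op"] == "RENAME" and is_appended_extension(ev["path"], ev["new_path"]):
            stats[ev["user"]]["renames"] += 1
        elif ev["op"] == "CREATE":
            created = PureWindowsPath(ev["path"])
            if created.name.lower() in RANSOM_NOTES:
                stats[ev["user"]]["note_dirs"].append(str(created.parent))
    # A ransom note is decisive on its own; renames need volume to cut false positives.
    return {u: s for u, s in stats.items()
            if s["note_dirs"] or s["renames"] >= rename_threshold}

def event(user, op, path, new_path=None):
    return {"user": user, "op": op, "path": path, "new_path": new_path}

# Constructed audit events (not real logs); op names follow the "Events on files" column.
SAMPLE_EVENTS = [
    event("alice", "OPEN", r"S:\finance\q2.xlsx"),
    event("alice", "MODIFY", r"S:\finance\q2.xlsx"),
    event("alice", "RENAME", r"S:\finance\q2.xlsx", r"S:\finance\q2.xlsx.encrypted"),
    event("alice", "RENAME", r"S:\finance\plan.docx", r"S:\finance\plan.docx.cryptolocker"),
    event("alice", "RENAME", r"S:\finance\tax.pdf", r"S:\finance\tax.pdf.k3x9qza"),
    event("alice", "CREATE", r"S:\finance\DECRYPT_INSTRUCTION.txt"),
    event("bob", "RENAME", r"S:\hr\draft.docx", r"S:\hr\final.docx"),
    event("bob", "RENAME", r"S:\hr\old.docx", r"S:\hr\old.docx.archive"),
    event("bob", "CREATE", r"S:\hr\notes.txt"),
]

if __name__ == "__main__":
    for user, hit in flag_users(SAMPLE_EVENTS).items():
        print(user, hit)
```

The constructed `bob` rename to `old.docx.archive` matches the 7-character pattern by coincidence, which is why rename hits are only reported once they reach the threshold.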
36. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL
FINANCE
Varonis Customer: Financial Institution
“Using the Varonis DatAdvantage audit trail, I could identify all the users that had accessed the corrupted files… I ran a query on a specific user and realized that there were over 400,000 access events that had been generated from that user’s account. It was at that point that we knew it was a virus”
- http://blog.varonis.com/datadvantage-can-help-recover-virus/
BUSINESS PROBLEM: Cryptolocker Attack
- Attacked by a variation of the Cryptolocker virus
- Several users complaining that their files were corrupted
- Needed to recover corrupted files without restoring the entire server
BUSINESS SOLUTION
- Monitor sensitive files and user activity
- Complete audit trail of access activity
- Daily Reports on anomalous behavior
- Reduce impact of Cryptolocker attack with minimal downtime
IMMEDIATE RESULTS
- Identified all the users that had accessed the corrupted files
- Pinpointed and restored corrupted files almost immediately
- Maximized time and resources by only having to restore the data that was affected
- Set up daily reports to automatically alert or quarantine suspicious activity
38. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL
Question
What percentage of your organisation’s data may be exposed to non-authorized users?
None
Less than 20%
Between 20% to 50%
More than 50%
I have absolutely no clue …
39. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL
Assess your environment
Express Risk Assessment will outline your problem areas, prioritize risk, and give you concrete steps to take to improve your data security.
- Identify overly accessible folders containing important or regulated content
- Discover overly accessible hierarchies and data structures
- Find folders with stale information
- Capture usage statistics
- Get a full permissions overview, including stale permissions and identity configurations
40. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL
Proven Plan: Enterprise File Services
MAP: Instrument Environment & Take Inventory
- Enable Audit Trail
- Inventory Permissions
- Classify and Tag Sensitive, High Profile Data
PROTECT: Simplify and Reduce Data Risk
- Standardize Permissions and Structures
- Remove Excess Access
- Alert
CONNECT: Give business and owners their data back
- Perform Entitlement Reviews
- Self-service data management
- Formalize and Enforce Existing Policies & Processes
OPTIMIZE: Automate and Extend
- Secure search, mobile access and file synchronization
- Refine rules for sensitive data
- Archive, Migrate, Delete
REDUCE RISK
REDUCE COST
INCREASE PRODUCTIVITY
41. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL
Reducing Risk, Complexity, and Cost
RISK
30+% of data can be archived
60+% of infrastructure is not utilized effectively
COMPLEXITY
COST
50+% of access is unwarranted
70+% of infrastructure is unmonitored
Rationalize domain structure, access control entities, and supporting business processes
“Varonis DatAdvantage gave us the visibility and recommendations to limit user-to-data access by business function and need. Now, my team is able to audit the use of any data set or group for our compliance initiatives.”
– James Nelson, IT Security Manager, Juniper Networks
42. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL
Increasing Productivity and Functionality
PRODUCTIVITY
Extends functionality of existing investments in infrastructure.
OPERATIONAL EFFICIENCY
FUNCTIONALITY
Find and get access to data faster and more easily.
Access and share files from anywhere on any device.
10-40x Efficiency gains for daily data management and protection tasks.
“A process that previously took five or six days now takes just a few hours...we’re able to produce reports that weren’t possible previously,”
– Thibaud Desforges, Tool and Processing Manager, GDF Suez
43. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL
How CIO / CISO Justify it
Productivity Gains
- Users find and get access to data faster
- Users can access data from the right devices
- Better decisions based on usage analysis
Quantifiable Risk Reduction
- Probability of a breach is lower, response is faster and more efficient
- Efficient compliance with industry regulations
Cost Reduction
- Automated manual processes, reduced storage costs, retired technologies
- Efficiency gains for many required data center tasks and business functions
44. VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL
Summary: Why Managing Human-Generated Data
Sustainably reduce risk
Identify where your most sensitive data resides, see who has access to it, who is accessing it, and safely lock it down.
Eliminate operational overhead
Run permissions reports, find lost files, assign data owners, and conduct security investigations more efficiently than ever.
Increase productivity
IT staff spend less time on manual data management and protection tasks and can focus on critical projects.
Achieve regulatory compliance
DatAdvantage covers many of the requirements prescribed by SOX, HIPAA, PCI, GLB, FERC/NERC, and more.
Adhere to change control policies
Automatically detect and correct changes that don’t meet your organization’s change management policies.
Prevent data breaches
Receive alerts on anomalous behavior, privilege escalations, and unauthorized access to critical files and folders.
Most malicious threats are a result of privilege abuse — that is, taking advantage of access privileges granted by an employer and using them to commit nefarious acts.
According to a survey we did with the Ponemon Institute of over 2,000 employees, 71% said that they have access to data they should not see. As a result, the surface area for privilege abuse is WAY bigger than it has any right to be.
So how do you stop someone when they’re simply using the access you’ve given them?
Protecting against insiders is so hard because:
- As humans, we naturally want to trust people, and we feel guilty (in a way) if we don’t implicitly trust our colleagues.
- We don’t always know where our most sensitive assets are: it’s a needle-in-a-haystack problem that can’t be solved manually.
- Tracking insider behavior across multiple platforms can be complicated (e.g., email, files, SharePoint).
We can find, access, and share data easily from the right devices.
We can save money by automating manual processes, reducing storage costs, and retiring unneeded technologies.
We can reduce risk in very quantifiable ways: data is stored in the right places and archived when it’s not needed. Only the right users have access to it and the business is in charge. All use is monitored and abuse is flagged.
In summary, when the connections between users and data are made automatically, organizations become more productive, less at risk and spend less money.