How does an Incident Response Team Respond to Threats with Varonis?
With Varonis, security starts with data, which is a different approach from many of the security tools we are used to working with. Traditionally, we have protected the perimeter of our world, and our security efforts have focussed on keeping people out of that perimeter using technologies such as firewalls, VPNs, and more. With Varonis, your security starts from the inside out: by pulling in data about your own data stores, such as Office 365, SharePoint, Box, FTP servers, NAS, and Windows file servers, and correlating this with metadata from directory stores and edge services, Varonis gives you a full picture of your data and of who may be using, or perhaps even abusing, it.
You may be asking yourself why it is so important to understand who has access to your data or where it is stored, but when we pose the question “how do you respond to a data breach?”, a lot of light bulbs start to light up. The fact is that if you cannot answer some basic questions surrounding the who, what, where and why of your data, you can never get to a state of continual compliance and a sustainably secured environment.
Four key questions:
Who has access to your data?
What type of data is it?
Where is the data located, and where has it been shared?
Why does this person or group need this data?
Once you understand the answers to these questions, the response time to a data breach can be greatly reduced, because you already have a strong plan in place for how to respond and for which triggers should raise an alert for a potential threat, such as elevation of privilege, access to an unusual data location, or even something as simple as finding a strange USB stick on the floor of the office. With this level of knowledge of your data landscape you are also far less susceptible to these threats, as users have more restricted access and documents are better protected from being shared, moved, or deleted.
Varonis learns as you grow with it, as you develop your alert rules and become more granular in your permission controls. This results in faster containment of threats, both long and short term, through automated actions that actively detect, prevent and remove potential threats, or the backdoors that could lead to one. Similarly, Varonis can easily assist in eradicating existing or future threats by showing you access and permission level changes to document stores, directories, and edge devices in one centralised platform.
So the Varonis approach to responding to incidents is as follows:
- Preparation — Building a finely tuned machine for when the inevitable threat arrives will allow you to move smoothly through your steps and ensure nothing is left out.
- Identification — Identifying threats quickly is integral to faster resolution, and a more robust security practice can be formed by being able to identify even small, seemingly non-critical changes to data stores or user identities.
- Containment — Being able to quickly identify which drives are affected, where the threat has spread to and potentially which files have been touched will allow you to effectively and efficiently triage and manage the short-term spread, and to take long-term backups for forensics.
- Eradication — Removing the threat from your infrastructure in its entirety is essential for a quick recovery, and to prevent further data leaks or insider threats that can lie dormant before making their move.
- Recovery — Bringing systems back into production and verifying that they are free of any further issues, and that system and user accounts have been audited for any changes and reset.
Then follows the most integral part of creating a sustainable data security plan: the lessons learned. By reviewing documentation of the incident and adding feedback on identified deficiencies, warning signs and troubleshooting steps, you can create a sustainable data security platform with continuous compliance and advanced threat detection.