Any security practitioner that has had to perform forensic analysis on a cybersecurity incident likely describes the process as “searching for a needle in a stack of needles.” Even Tony Stark’s magnet isn’t going to help. Anyone who has used a SIEM or any other monitoring system to figure out how gigabytes of data was stolen knows how difficult that task can be.

Varonis leverages Solr to optimize and streamline the process of analyzing data related to a cybersecurity incident. Solr makes the stack of needles smaller – enabling security teams to analyze incidents faster.

How is Varonis using Solr?

The Solr server is a repository for the most current Varonis log and alert data, making searches in the Varonis WebUI lightning fast. The Varonis WebUI presents the searches in a clean and customizable view that you can filter and narrow down to find the correct needle in that stack of needles.

New events and alerts are available in the Varonis WebUI immediately, and Solr indexes the data as it is received. The Varonis WebUI correlates and contextualizes the data into understandable and actionable alerts, which can combine seemingly unrelated events into a clear picture of a coordinated cyberattack.

The new Solr search engine starts providing data while the search is running. The search field has autocomplete, so you can see possible search parameters as you type, just like in Google. You can save searches, set your favorite filters or queries, and easily access them again in the future.

What are the Advantages of Solr?

Solr is an open-source search optimized database that is used throughout the software industry. With the new WebUI powered by Solr, customers are seeing faster alerts, easier forensic analysis, and quicker query return.

Some of the features of Solr that Varonis uses are:

• Advanced Full-Text Search Capabilities: Solr uses the Lucene search engine to implement powerful and optimized searching and indexing
• Optimized for High Volume Traffic: Solr has proven its capability to operate at extremely large scales all over the world
• Easy Monitoring: Solr includes self-monitoring tools via Java Management Extensions (JMX) for system performance and uptime monitoring
• Highly Scalable and Fault-Tolerant: Solr scales up and down easily depending on your loads and use cases. Rebalancing and fault tolerance are built into Solr out of the box
• Near Real-Time Indexing: Solr can index and search at the same time

The Varonis WebUI is an awesome tool for advanced alerting and investigating cybersecurity incidents. The WebUI is fast and easy to navigate, but the real power is how Varonis analyzes the data and uses advanced threat models to paint an easy to understand picture of cybersecurity attacks.

See the new Varonis WebUI in a free 1:1 Demo – and experience how fast and easy responding to cybersecurity threats with Varonis can be.

In order to protect your sensitive data, you have to know what it is and where it lives.

Data Classification Defined

Data classification is the process of analyzing structured or unstructured data and organizing it into categories based on the file type and contents.

Data classification is a process of searching files for specific strings of data, like if you wanted to find all references to “Szechuan Sauce” on your network. Or if you needed to know where all HIPAA protected data lives on your network. Or if you want to prepare for data privacy regulations and need to identify any personally identifiable information (PII) on your data stores.

Data classification is usually based on a file parser combined with a string analysis system. A file parser allows the data classification engine to read the contents of several different types of files. A string analysis system then matches data in the files to defined search parameters.

RegEx –short for regular expression – is one of the more common string analysis systems that defines specifics about search patterns. For example, if I wanted to find all VISA credit card numbers in my data, the RegEx would look like:

\b(?<![:$._’-])(4\d{3}[ -]\d{4}[ -]\d{4}[ -]\d{4}\b|4\d{12}(?:\d{3})?)\b

That sequence tells the RegEx system that we are looking for a pattern with a 4 digit number starting with the number 4 followed by a dash and a second 4 digit number and… you get the idea. Only a string of characters that matches the RegEx directly generates a positive result.

Although there are some parallels between the two, data classification is not the same as data indexing. Classification looks for identifiers based on patterns and returns a list of files and how many matches it found for each pattern. It doesn’t necessarily index those files. Indexing enables search, and you’ll need to search those matches to fulfill data subject access requests and right-to-be-forgotten requests.

Reasons for Data Classification

The Center for Internet Security (CIS)- which devotes an entire section to data classification protections – says data classification is important because “in several high-profile breaches over the past two years, attackers were able to gain access to sensitive data stored on the same servers with the same level of access as far less important data.”

Beyond data security concerns, there are several other reasons to implement a data classification process:

• Identify sensitive files, intellectual property, and trade secrets
• Secure (and lock down) critical data
• Track regulated data to comply with regulations like HIPAA, PCI, or GDPR
• Optimize search capabilities with data indexing
• Discover statistically significant patterns or trends inside data
• Optimize storage by identifying duplicate or stale data

Data Classification Process: 4 Steps

Data classification processes differ slightly depending on the objectives for the project. Any data classification project requires automation to process the astonishing amount of data that companies create every day. In general, there are some ubiquitous criteria required to create any data classification process:

1. Define the objectives of the data classification process. What are you looking for? Why?
2. Create workflows based on the selected classification tools. How does the classification process work? Is there a process in place to scan new data? Is there a process to create new classification criteria?
3. Define the categories and classification criteria. What kinds of data should you search for? What process will you follow to validate the classification results?
4. Define outcomes and usage of classified data. How are the results organized – and how do you plan to make business decisions based on those results?

Data Classification Tips

• Use automated tools to process large volumes of data quickly
• Leverage RegExes and Luhn: create custom classification patterns or implement software that does the heavy lifting for you
• Validate your classification results: nobody likes a false positive.
• Figure out how to best use your results and apply classification to everything from data security to business intelligence.

Data Classification FAQ

How does Varonis do Data Classification differently?

Varonis has over 400 pre-configured RegExes to discover all manners of PII, PHI, and GDPR data with a fully customizable classification engine you can configure for any business purposes. Varonis monitors over 60 file types out of the box (including documents, spreadsheets, and more), and identifies new data that needs to be re-scanned (without starting the whole thing over) to catch new and recently added sensitive files, including:

• Personal information: credit card numbers, passport numbers, driver’s license numbers, social security numbers, IBAN, and more
• Financial records
• Security file types (.cer, crt, p7b, etc.)
• Regulated data (GDPR, HIPAA, PII, PHI, PCI, Sarbanes Oxley, GLBA, etc.)

The Varonis Data Classification Engine can process ~100 GB of data in an hour (caveats about your own hardware and network capacity) and includes rigorous false positive checks that reduce the workload to analyze the classification results. Not every 16 character numeric string is a credit card number, for instance, and Varonis knows the difference.

What Comes After Data Classification?

Varonis brings context to that classification. Varonis not only identifies the data that you’re looking for, but shows you who can access to that data – and who is accessing that data. Once you identify and classify sensitive data, you can take action on it: apply labels, lock down permissions, monitor access, alert on suspicious activity, and meet compliance requirements like right-to-be-forgotten. The Varonis Data Classification Engine allows you to protect your most sensitive and important data from unwanted access, accidental data leaks, and security attacks.

See the Data Classification Engine in action with a 1:1 demo.

A zero-day vulnerability is a software bug or exploit that hasn’t been patched. It’s like a hole in the bottom of your shoe that you haven’t noticed yet, but a curly-mustachioed villain has found it and is considering putting rusty nails on your gas pedal. Hackers can use these bugs and exploits to steal your data before you’re able to find and patch the weakness.

What are Vulnerabilities?

Vulnerabilities allow attackers to slip past your defenses and into your network, like the unpatched software that allowed the Equifax hack.

As security professionals, we regularly deal with all kinds of vulnerabilities like software bugs, hacks, and human vulnerabilities.

Software bugs – like the one that led to the Equifax data breach – are faults in the code that hackers can use to get through to your data. Software hacks use existing functionality as part of an attack: the Golden Ticket attack, for instance, is a privilege escalation hack that takes advantage of the way Microsoft Kerberos functions normally. Human vulnerabilities are exploited most frequently by social engineering attacks, which often abuse trust (or naiveté) to steal passwords or send money to African princes.

What Makes a Zero-Day Vulnerability?

In short, urgency and immediacy make a zero-day vulnerability.

These are software bugs that developers have zero days to fix because by the time they’re identified, they are already massive security risks that could cause significant damage. Most of the time, zero-day bugs are not public knowledge and are patched before attackers can build an exploit kit to take advantage of the flaw.

As long as the zero-day vulnerability is not public, developers have time on their side. However, once the exploit becomes public knowledge, it becomes a race for developers to get a patch out before damage is done.

Many organizations offer bounties for discovering zero-day vulnerabilities in their software. Microsoft and Google offer cash rewards for reporting vulnerabilities to them directly, with some rewards north of $100k.

Zero-Day Exploit

A zero-day exploit is different from a zero-day vulnerability. Zero-day exploits do not have to be existing vulnerabilities: they could be a brand new malware of ransomware program. A zero-day exploit is a brand new kind of attack in progress that requires immediate remediation.

When a zero-day vulnerability isn’t discovered and patched before the attackers find the flaw, however, it becomes a zero-day exploit as well.

Zero-day exploits are difficult to detect and defend against: they are unknown until it’s too late, and their nature is under-researched. Signature-based security solutions can’t detect a zero-day exploit, and there are no software vulnerability patches immediately available. You need to react to zero-day exploits quickly to prevent widespread damage to the network or data theft.

How to Defend Against Zero-Day Attacks

You can create a secure network that is resilient against zero-day attacks. By monitoring data and comparing current activity to an established baseline, you can detect abnormalities caused by zero-day attacks. Every cyberattack – zero-day or otherwise – leaves digital footprints in both the data and on the network.

For example, a zero-day exploit that grants an attacker access to a user account will likely cause that user account act abnormally. The attacker might try to search the network for credit card numbers or password lists, or try to elevate the account to a Domain Admin. With Varonis, either of those activities will trigger one of several behavior-based threat models and flag it as suspicious activity. So what can you do to protect yourself against zero-day vulnerabilities?

• Monitor your core data – including files, folders, emails, Active Directory, VPN, DNS, and Web Proxies – for behaviors that could indicate a zero-day cyberattack
• Enforce a least-privilege model to prevent lateral movement and data exfiltration from a zero-day attack
• Update software and security (including IPS and Endpoint) packages as soon as they are available to defend against known zero-day vulnerabilities
• Back up critical systems and establish recovery and incident response plans
• Enforce strict software and internet use policies and train users to identify phishing attacks and other security risks

That last point is key. Empower the team to report behaviors on their systems that are out of place – employees are often the last line of defense against a zero-day attack.

Zero-Day Attack Examples

Each year there are at least a dozen or so different zero-day vulnerabilities identified and patched by software vendors. One of the most infamous is the Strutshock vulnerability used in the Equifax data breach. Developers patched that vulnerability in March of 2017, but Equifax didn’t apply the update – making it a zero-day attack.

Other notable zero-day attacks:

• Heartbleed
• Aurora
• RSA Hack
• Stuxnet

Tips to Prevent Zero-Day Vulnerabilities

Protecting your network from zero-day attacks requires behavior-based data monitoring that helps protect against both known and unknown threats. Varonis establishes behavioral baselines to detect unusual behavior in unusual activity in your network, and alerts on suspicious activity so you can respond and stop the threat before it becomes a data breach. Signature-based systems won’t detect a zero-day exploit, but a data-centric solution can detect the digital footprints of a zero-day exploit attack in progress.

See how Varonis detects attacks with a free 1:1 demo – and discover the best practices to defend against zero-day attacks.

Intrusion Detection Systems (IDS) analyze network traffic for signatures that match known cyberattacks. Intrusion Prevention Systems (IPS) also analyzes packets, but can also stop the packet from being delivered based on what kind of attacks it detects — helping stop the attack.

How Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) Work

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are both parts of the network infrastructure. IDS/IPS compare network packets to a cyberthreat database containing known signatures of cyberattacks — and flag any matching packets.

The main difference between them is that IDS is a monitoring system, while IPS is a control system.

IDS doesn’t alter the network packets in any way, whereas IPS prevents the packet from delivery based on the contents of the packet, much like how a firewall prevents traffic by IP address.

• Intrusion Detection Systems (IDS): analyze and monitor network traffic for signs that indicate attackers are using a known cyberthreat to infiltrate or steal data from your network. IDS systems compare the current network activity to a known threat database to detect several kinds of behaviors like security policy violations, malware, and port scanners.
• Intrusion Prevention Systems (IPS): live in the same area of the network as a firewall, between the outside world and the internal network. IPS proactively deny network traffic based on a security profile if that packet represents a known security threat.

Many IDS/IPS vendors have integrated newer IPS systems with firewalls to create a Unified Threat Management (UTM) technology that combines the functionality of those two similar systems into a single unit. Some systems provide both IDS and IPS functionality in one unit.

The Differences Between IDS and IPS

Both IDS/IPS read network packets and compare the contents to a database of known threats. The primary difference between them is what happens next. IDS are detection and monitoring tools that don’t take action on their own. IPS is a control system that accepts or rejects a packet based on the ruleset.

IDS requires a human or another system to look at the results and determine what actions to take next, which could be a full time job depending on the amount of network traffic generated each day. IDS makes a better post-mortem forensics tool for the CSIRT to use as part of their security incident investigations.

The purpose of the IPS, on the other hand, is to catch dangerous packets and drop them before they reach their target. It’s more passive than an IDS, simply requiring that the database gets regularly updated with new threat data.

*Point of emphasis: IDS/IPS are only as effective as their cyberattack databases. Keep them updated and be prepared to make manual adjustments when a new attack breaks out in the wild and/or the attack signature isn’t in the database.

Why IDS and IPS are Critical for Cybersecurity

Security teams face an ever-growing threat of data breaches and compliance fines while continuing to struggle with budget limitations and corporate politics. IDS/IPS technology covers specific and important jobs of a cybersecurity strategy:

• Automation: IDS/IPS systems are largely hands-off, which makes them ideal candidates for use in the current security stack. IPS provides the peace of mind that the network is protected from known threats with limited resource requirements.
• Compliance: Part of compliance often requires proving that you have invested in technologies and systems to protect data. Implementing an IDS/IPS solution checks off a box on the compliance sheet and addresses a number of the CIS Security controls. More importantly, the auditing data is a valuable part of compliance investigations.
• Policy enforcement: IDS/IPS are configurable to help enforce internal security policies at the network level. For example, if you only support one VPN, you can use the IPS to block other VPN traffic.

Varonis DatAlert complements IDS/IPS: while network security is critical for protection from data breaches — and IDS/IPS solutions fill that role perfectly — Varonis monitors real-time activity on data, which is a critical layer to any cybersecurity strategy.

When a new ransomware attack breaks out the IDS/IPS might not have the signatures ready to prevent the attack at the network level. Varonis, however, not only includes signature-based ransomware detection, but also recognizes the characteristics and behavior of a ransomware attack — multiple files modified in a short time for example — and automatically triggers an alert to stop the attack before it spreads.

Want to see how it works? Get a 1:1 demo to see how Varonis complements your IDS/IPS for a strong cybersecurity strategy.

A brute force attack (also known as brute force cracking) is the cyberattack equivalent of trying every key on your key ring, and eventually finding the right one. 5% of confirmed data breach incidents in 2017 stemmed from brute force attacks.

Brute force attacks are simple and reliable. Attackers let a computer do the work – trying different combinations of usernames and passwords, for example – until they find one that works. Catching and neutralizing a brute force attack in progress is the best counter: once attackers have access to the network, they’re much harder to catch.

Types of Brute Force Attacks

The most basic brute force attack is a dictionary attack, where the attacker works through a dictionary of possible passwords and tries them all. Dictionary attacks start with some assumptions about common passwords to try to guess from the list in the dictionary. These attacks tend to be somewhat outdated, given newer and more effective techniques.

Recent computers manufactured within the last 10ish years can brute force crack an 8 character alphanumeric password – capitals and lowercase letters, numbers, and special characters – in about two hours. Computers are so fast that they can brute force decrypt a weak encryption hash in mere months. These kinds of brute force attacks are known as an exhaustive key search, where the computer tries every possible combination of every possible character to find the right combination.

Credential recycling is another type of brute force attack that reuses usernames and passwords from other data breaches to try to break into other systems.

The reverse brute-force attack uses a common password like “password,” and subsequently tries to brute force a username to go with that password. Since password is one of the most common password in 2017, this technique is more successful than you might think.

Motives Behind Brute Force Attacks

Brute force attacks occur in the early stages of the cyber kill chain, typically during the reconnaissance and infiltration stages. Attackers need access or points of entry into their targets, and brute force techniques are a “set it and forget it” method of gaining that access. Once they have entry into the network, attackers can use brute force techniques to escalate their privileges or to run encryption downgrade attacks.

Attackers also use brute force attacks to look for hidden web pages. Hidden web pages are websites that live on the internet, but are not linked to other pages. A brute force attack tests different addresses to see if they return a valid webpage, and will seek out a page they can exploit. Things like a software vulnerability in the code they could use for infiltration – like the vulnerability used to infiltrate Equifax, or a webpage that contains a list of username and passwords exposed to the world.

There is little finesse involved in a brute force attack, so attackers can automate several attacks to run in parallel to expand their options of finding a positive – for them – result.

How to Defend Against Brute Force Attacks

Brute force attacks need time to run. Some attacks can take weeks or even months to provide anything usable. Most of the defenses against brute force attacks involve increasing the time required for success beyond what is technically possible, but that is not the only defense.

• Increase password length: More characters equal more time to brute force crack
• Increase password complexity: More options for each character also increase the time to brute force crack
• Limit login attempts: Brute force attacks increment a counter of failed login attempts on most directory services – a good defense against brute force attacks is to lock out users after a few failed attempts, thus nullifying a brute force attack in progress
• Implement Captcha: Captcha is a common system to verify a human is a human on websites and can stop brute force attacks in progress
• Use multi-factor authentication: Multi-factor authentication adds a second layer of security to each login attempt that requires human intervention which can stop a brute force attack from success

The proactive way to stop brute force attacks starts with monitoring. Varonis monitors Active Directory activity and VPN traffic to detect brute force attacks in progress. We’ve got threat models that monitor lockout behaviors (often a sign that there’s a brute force attack under way), threat models that detect potential credential stuffing, and more – all designed to detect and prevent brute force attacks before the attack escalates.

It’s better to detect an attack in progress and actively stop the attack than it is to hope your passwords are un-crackable. Once you detect and stop the attack, you can even blacklist IP addresses and prevent further attacks from the same computer.

Ready to get ahead of brute force attacks? Get a 1:1 demo to learn how Varonis detects attacks so you can stop attackers proactively.

The International Traffic in Arms Regulations (ITAR) is the United States regulation that controls the manufacture, sale, and distribution of defense and space-related articles and services as defined in the United States Munitions List (USML).

Besides rocket launchers, torpedoes, and other military hardware, the list also restricts the plans, diagrams, photos, and other documentation used to build ITAR-controlled military gear. This is referred to by ITAR as “technical data”.

ITAR mandates that access to physical materials or technical data related to defense and military technologies is restricted to US citizens only. How can a company ensure that only US citizens have and then access that data on a network and are ITAR compliant? Limiting access to the physical materials is straightforward; limiting access to digital data is more complicated.

Who Needs To Follow ITAR Compliance?

Any company that handles, manufactures, designs, sells, or distributes items on the USML must be ITAR compliant. The State Department’s Directorate of Defense Trade Controls (DDTC) manages the list of companies who can deal in USML goods and services, and it is up to each company to establish policies to comply with ITAR regulations.

• Wholesalers
• Distributors
• Computer Software/ Hardware vendors
• Third-party suppliers
• Contractors

Every company in the supply chain needs to be ITAR compliant. If company A sells a part to company B and then company B sells the same part to a foreign power, company A is also in violation of ITAR.

ITAR Regulations

ITAR regulations are simple: only U.S. citizens can access items on the USML list.

ITAR’s rules can present a challenge for many US companies. A US-based company with overseas operations is prohibited from sharing ITAR technical data with employees locally hired, unless they gain State Dept. authorization. The same principle applies when US companies work with non-US subcontractors.

The State Department can issue exemptions to that one rule, and there are existing exemptions established for specific purposes. There are certain countries that currently have standing agreements with the U.S. that apply to ITAR – Australia, Canada, and the U.K., for example.

The US government requires having in place and implementing a documented ITAR compliance program, which should include tracking, monitoring and auditing of technical data. With technical data, it’s also a good idea to tag each page with an ITAR notice or marker so employees don’t accidentally share controlled information with unauthorized users.

ITAR exists to track military and defense sensitive material and to keep that material out of the hands of U.S. enemies. Noncompliance can result in heavy fines along with significant brand and reputation damage — not to mention the potential loss of business to a compliant competitor.

Penalties for ITAR Compliance Violations

The penalties for ITAR infractions are stiff:

• Civil fines up to $500,000 per violation
• Criminal fines of up to $1 million and/or 10 years imprisonment per violation

In April of 2018, the State Department fined FLIR Systems, Inc $30 million in civil penalties for transferring USML data to dual national employees. Part of the penalty requires that FLIR implement better compliance measures and hire an outside official to oversee their agreement with the State Department.

In 2007 ITT took at $100 million fine to the face for exporting night-vision technology illegally. ITT thought they could workaround the restrictions, the Government didn’t agree with their interpretation of the rules.

Types of Defense Articles

There are 21 categories of Defense Articles in the USML. A defense article is anything on this long and oddly specific list.

1. 1. Firearms, Close Assault Weapons and Combat Shotguns
   2. Guns and Armament
   3. Ammunition/Ordnance
   4. Launch Vehicles, Guided Missiles, Ballistic Missiles, Rockets, Torpedoes, Bombs and Mines
   5. Explosives and Energetic Materials, Propellants, Incendiary Agents and Their Constituents
   6. Surface Vessels of War and Special Naval Equipment
   7. Ground Vehicles
   8. Aircraft and Related Articles
   9. Military Training Equipment and Training
   10. Personal Protective Equipment
   11. Military Electronics
   12. Fire Control, Laser, Imaging and Guidance Equipment
   13. Materials and Miscellaneous Articles
   14. Toxicological Agents, Including Chemical Agents, Biological Agents and Associated Equipment
   15. Spacecraft and Related Articles
   16. Nuclear Weapons Related Articles
   17. Classified Articles, Technical Data and Defense Services Not Otherwise Enumerated
   18. Directed Energy Weapons
   19. Gas Turbine Engines and Associated Equipment
   20. Submersible Vessels and Related Articles
   21. Articles, Technical Data and Defense Services Not Otherwise Enumerated

How to Secure Your ITAR Data

Given the penalties associated with ITAR, it makes sense to protect the digital data with as many layers of security as possible. Because ITAR is a U.S. Federal regulation, their own guidance for data security is a great place to start. NIST SP 800-53 defines the standards and guidelines federal agencies must follow, and any company that manages ITAR regulated materials should use NIST SP 800-53 as a baseline for their own security standards.. Follow these basic principles to secure your ITAR data:

• Discover and Classify Sensitive Data
  Locate and secure all sensitive data
  Classify data based on business policy
• Map Data and Permissions
  Identify users, groups, folder and file permissions
  Determine who has access to what data
• Manage Access Control
  Identify and deactivate stale users
  Manage user and group memberships
  Remove Global Access Groups
  Implement a least privilege model
• Monitor Data, File Activity, and User Behavior
  Audit and report on file and event activity
  Monitor for insider threats, malware, misconfigurations and security breaches
  Detect security vulnerabilities and remediate

ITAR Compliance FAQs

1. How can Varonis help me find all of my ITAR data?
   The Data Classification Engine identifies and classifies ITAR regulated data on your core data stores – both on-premise and in the cloud. With a pre-built library of more than 400 patterns for common laws and standards, you can identify ITAR data and even apply custom tags, flags, and notes to regulated data.
2. Who can access this ITAR data?
   Varonis DatAdvantage crawls your file systems to analyze permissions to all of your data, including the ITAR data. Understanding who can access this data is step one to protecting the data from illegal access. With DatAdvantage, you can see this information graphically in a clean, user-friendly UI, or as an exportable report.
3. How will I know if my ITAR data is accessed?
   Varonis DatAlert monitors and trigger alerts when data is accessed, including a folder of your ITAR data. You can detect, flag, and investigate any suspicious behavior or unusual activity on your ITAR data, and maintain a complete audit trail to help meet ITAR regulations.
4. How can I manage access to ITAR data?
   The Automation Engine automatically repairs and maintains file system permissions – keeping ITAR data locked down, and helping achieve a least privilege model. Varonis DataPrivilege helps streamline access governance, automatically enforce security policies, and demonstrate compliance to government auditors.

Want to learn more about how to manage your ITAR data to meet compliance? Get a 1:1 demo with a security engineer to see how Varonis can help.