All posts by Rob Sobers

Is Your Company Prepared for a Cyber Attack?

Is Your Company Prepared for a Cyber Attack?

In December of 2016, a researcher approached credit card reporting agency Equifax with a simple message: Your website is vulnerable to a cyber attack. The company did nothing to patch the flaw. They were breached six months later, in May of 2017, with hackers stealing the sensitive data of 145.5 million Americans.

It’s an extreme example of an all-too-common business failing: that of cybersecurity preparedness.

As hacks continue to proliferate the news cycle, targeting both large corporations and small businesses, companies that previously didn’t see a need to invest in cybersecurity training and prevention are increasingly focusing in on one question: Are we prepared in the event of an attack? And, resoundingly, the answer is “no.”

Cybersecurity readiness involves developing a complex, proactive strategy that goes far beyond a basic response plan — although research suggests that many businesses don’t have one of those in place, either.

We’ve compiled the major steps you need to take to prepare your business for a cyber attack. Take a look at them below, and decide for yourself how your company would fare.

would your company survive a cyber attack

Creating an effective cybersecurity preparedness plan is a mix of implementing company-wide, procedural policies; utilizing data protection and taking technical precautions to protect your data; and putting a reactive plan in place in case the worst case does happen.

So, is your company prepared?

Sources
Verizon Data Breach Investigations Report | PWC Global State of Information Security Survey

Is Your Biggest Security Threat Already Inside Your Organization?

Are insiders compromising your security

The person in the cubicle next to you could be your company’s biggest security threat.

The large-scale attacks we’re accustomed to seeing in the news — Yahoo, Equifax, WannaCry ransomware — are massive data breaches caused by cyber criminals, state-sponsored entities or hacktivists. They dominate the news cycle with splashy headlines that tell an all-too recognizable story: one of name-brand corporations vs. anonymous cyber villains.

We focus in outsider threats because they’re both terrifying and thrilling, and because they’re familiar. They often have a clear-cut storyline, one that we’ve seen before. But the hyper-focus on cyberattacks caused by outside parties can lead organizations to ignore a major cybersecurity threat: insiders already in the organization.

We’ve seen these threats before too: attacks of dramatic espionage from Snowden, Reality Winner and Gregory Chung — but insider threats aren’t always so obvious, and they pose a risk for organizations that don’t operate in the national security space. In fact, research suggests that insider threats account for anywhere from 60 to 75 percent of data breaches.

They’re dangerous for a number of reasons, including because of how much they vary: from rogue employees bent on personal gain or professional revenge to careless staffers without proper cybersecurity training, insider threats can come from almost anyone, making them a prime concern for businesses. Check out our full infographic to learn more about the motives and methods behind these types of threats.

Insider threats cybersecurity

Are you doing everything you can to prevent insider threats?

If you’re granting unnecessary internal permissions, lack an auditing system for high-risk people or sensitive data, or aren’t paying close attention to possible behavioral indicators of malicious activity, your organization is at risk. You’re more vulnerable than you think — assess your risk today to see what you can do to ward off threats that come from the inside.

Infographic sources:
U.S. Department of Homeland Security | 2018 Insider Threat Report | Digital Guardian | MetaCompliance | ITProPortal | IT Governance | Wired

Social Media Security: How Safe is Your Information?

Comparing social media privacy

In 2012 a massive cyber attack by a hacker named “Peace” exploited over 117 million LinkedIn users’ passwords. After the dust settled from the initial attack, new protocols were put in place and the breach was all but forgotten in the public eye, the same hacker reared their head again. Nearly five years later, “Peace” began releasing the stolen password information of the same LinkedIn users from the earlier hack.

With millions of users’ data (or billions, in the case of Facebook) floating around the web, the need for tight security from social media platforms is obvious. Facebook alone has reported receiving more than 600,000 security hack attempts each day. (Although that is nothing compared to the NSA’s 300 million attempted hacks each day!)

The wide age range and technology experience level of social media users makes security management even more complex. A social platform needs to not only combat hackers, but also has to protect users whose personal security practices might be elementary. Only 18 percent of Americans report changing their social media password regularly.

So with the constant threats of hacks coming in — from both foreign and domestic hackers — what exactly are these platforms doing to keep our information safe?

Each of the major social platforms has their own security blog that keeps users and industry infosec bloggers in the loop about new security advancements, tactics for combating fraud and the occasional public statement about hacks.

We’ve broken down the security initiatives and features to compare what LinkedIn, Twitter and Facebook security teams are doing to protect the social platforms that people use each day.

comparing social media settings

While each platform has its unique set of challenges, one of the main initiatives from each is the bug bounty program. You can read more about each platform’s policy below:

Each policy been very successful for its respective site. However, even though these safety precautions exist, there are always hackers trying to get one step ahead of the curve.

For instance, Twitter is attempting protect the safety and integrity of of their platform by reducing the number of automated bots. They publicly announced their battle in a blog post, stating “While bots can be a positive and vital tool, from customer support to public safety, we strictly prohibit the use of bots and other networks of manipulation to undermine the core functionality of our service.” However, bots are clearly still an issue, with their hands in everything from the Oscars to local elections.

It is clear the fight to protect the safety and privacy of social media is far from over, but as data security teams in companies continue to grow, learn and share knowledge, there is hope that they will remain ahead of the game.

Infographic sources:

LinkedIn 1, 2, 3 | Threatpost | Vice | Twitter | Harvard Business Review | Wired | Facebook | The Telegraph

Do Americans Ever Change Their Passwords?

computer with data

Just how cautious are Americans when it comes to cybersecurity?

In today’s hyper-connected, highly-digitized society, data breaches are becoming increasingly commonplace. And they affect both corporations and individuals. In 2017 alone, the Equifax breach — considered by some to be the worst security breach in recent history — put 145.5 million Americans at risk of exposed information and identity theft.

Additionally, a Gmail phishing attack last year put 1 million users at risk of exposed information, and an Instagram hack revealed the contact information of 6 million users. Yahoo also revealed that a 2013 data breach affected the private information associated with all of their users — 3 billion in total.

According to the Pew Research Center, 64 percent of Americans have experienced some type of data breach in their lifetime. Despite this, the center found that the majority of Americans fail to follow cybersecurity best practices in their own digital lives.

In an effort to uncover more on password security habits (and associated feelings of cybersecurity), we put these numbers to the test. Read on to discover what we found after surveying 1,000 Americans.

Americans and Password Security

While cyberattacks are top-of-mind for many Americans, first-hand experiences and worry about imminent attacks doesn’t seem to get people to change their digital habits.

Despite the Pew Research Center’s report that the majority of Americans have personally experienced a major data breach and even anticipate an attack within the next five years, the majority of adults surveyed still seem largely unconcerned with personal password safety.

The most common reason users change their passwords is because they’ve simply forgotten their current one. Half of people surveyed cited this as the most common reason to change a password. In contrast, despite the increasing amount of hacks in the news cycle, only 1 in 5 Americans said they change their password as a result of a hack in the news.

americans changing their passwords data

Which Password Is Changed Most Often?

Our research revealed that the most common password Americans change is the password to their online banking or loans account, at 29 percent.

which passwords do americans change data

This is perhaps unsurprising, considering that financial security is one of the major concerns for Americans when it comes to cybersecurity. According to Pew, 66 percent of Americans anticipate the banking and financial systems to experience major cyberattacks in the near future, 41 percent say that they’ve experienced credit card fraud, and 14 percent have had loans taken out in their name.

However, recent hacks in the news have shown that individual users are increasingly affected across a number of entities, including email, social media, online shopping, and software and applications.

How Are Passwords Saved?

Our research also found that the majority of Americans use memorization or pen and paper to keep track of their passwords.

This is in contrast to the password best practices outlined by cybersecurity professionals, which recommend using third-party password management services, changing passwords on a regular basis and most importantly, never leaving passwords accessible or in plain text.

how do americans remember passwords

Although there are some memory tricks you can use to remember complex passwords, memorization can be difficult, given that ideal passwords are meant to be a combination of letters, numbers and symbols. Additionally, using the same password for different sites isn’t recommended.

Despite the fact that password management services are the easiest and most highly recommended form of keeping passwords safe, only 7 percent of respondents said that they use this kind of software to keep track of their passwords.

We found that the biggest demographic difference in how people manage and remember their passwords is between men and women. Both men and women agree that memorization is the best way to remember a password. However, men are considerably more likely to use password managing software.

men vs. women password management data

In all, there seems the be a major discrepancy between Americans’ real-life experiences with cyber breaches and their personal online practices. Learn more about how Americans approach cybersecurity and password security by downloading our full infographic, below.

download varonis infographic

Varonis Brings Data Security to Nasuni

Nasuni Cloud NAS

We’re excited to announce that, in an upcoming release, the Varonis Data Security Platform will bring data-centric audit and protection to Nasuni Enterprise File Services. Nasuni is a key Varonis partner in the growing market for hybrid cloud Network Attached Storage (NAS).

If Nasuni is a critical part of your IT infrastructure, adding Varonis will enable you to:

  • Discover and classify sensitive, regulated files
  • Detect and alert on suspicious activity like ransomware and insider threats
  • Lock down file systems and permissions to only the right people
  • Capture and analyze a fully searchable audit trail of file system activity
  • Automatically find and flag stale data

Varonis will use the Nasuni API to analyze access events, lock down file systems and permissions, capture a detailed audit trail for compliance and forensics, and automate reporting. You’ll have unprecedented visibility and protection on your Nasuni edge appliances, helping you stay safe from insider threats and cyberattacks.

If you’re in the Boston area this week and are looking to leverage the cloud for more scalable file sharing, NAS consolidation, or multi-site file collaboration, head on over to Nasuni Summit on October 5 where you can hear more about our partnership. We’re also participating in panel discussions on security, compliance, and cloud.

Stay tuned to learn more about the official release of our Nasuni integration. If you’d like to be one of the first to try it out, simply reach out.

🚨 Petya-Inspired Ransomware Outbreak: What You Need To Know

NotPetya Ransomware

On the heels of last month’s massive WannaCry outbreak, a major ransomware incident is currently underway by a new variant (now) dubbed “NotPetya.” For most of the morning, researchers believed the ransomware to be a variant of Petya, but Kaspersky Labs and others are reporting that, though it has similarities, it’s actually #NotPetya. Regardless of its name, here’s what you should know.

This malware doesn’t just encrypt data for a ransom, but instead hijacks computers and renders them completely inaccessible by encrypting their Master Boot Record (MBR).

Petya is another fast-spreading attack which, like WannaCry, uses the NSA exploit EternalBlue. Unlike WannaCry, Petya can also spread via remote WMI and PsExec (more on that in minute). A few scary things about this new malware:

  • It doesn’t have a remote kill switch like WannaCry
  • It is far more sophisticated — it has a variety of automated ways to spread
  • It renders machines completely unusable

A number of prominent organizations and companies have already been badly hit, including the Ukranian government, which has quite the sense of humor:


Infections have been reported across the globe: affecting metro systems, national utilities, banks and international enterprises: the scope is not yet known, but reports continue to come in of infected computers and stalled IT systems across industries and throughout the world.

How is Petya spreading?

Petya was initially thought to have gotten a toehold in corporate networks via emails with infected Word document attachments which exploit CVE-2017-0199. (If you’ve patched Microsoft Office, you should be protected from this attack vector.)

While phishing is a viable attack vector, one of the primary vectors is MeDoc, a financial software firm based in the Ukraine. MeDoc’s software update feature was hacked and attackers used it to distribute the Petya ransomware (source). This explains why the Ukraine has been hit hardest.

Once a single machine is infected, Petya spreads peer-to-peer to other Windows-based endpoints and servers that are vulnerable to MS17-010 — the SMB vulnerability that everyone was instructed to patch during WannaCry.  It can also spread via PsExec to admin$ shares, even on patched machines. We’ve written a detailed guide about PsExec and how to disable PowerShell recently. That’ll come in handy here.

A silver lining, at least at this juncture, is that the peer-to-peer infection doesn’t seem to leap beyond the local network. Petya can buzz through an entire LAN rather efficiently, but is unlikely to hop to other networks. As @MalwareTechBlog, the pizza-loving surfer dude who famously hit the WannaCry kill switch points out:

The Current Petya attack is different in the sense that the exploits it uses are only used to spread across a local network rather than the internet (i.e. you are extremely unlikely to be infected if you’re not on the same network as someone who was already infected). Due to the fact networks are of limited size and fairly quick to scan, the malware would cease spreading once it has finished scanning the local network and therefore is not anywhere near as infectious as WannaCry, which still continues to spread (though is prevented from activating via the “kill switch”).

 

How to Detect PsExec with DatAlert

If you’re a DatAlert customer on the version 6.3.150 or later you can do the following to detect PsExec.exe dropped on Windows file servers:

1. Select Tools –> DatAlert –> DatAlert

2. Search for “system admin”

3. For each of the selected rules (expand the groups to see them), press “Edit Rule” and tick “Enabled”

If PsExec is detected, DatAlert will generate sysadmin tools alerts in the “Reconnaissance” alert category such as “System administration tool created or modified” or “An operation on a tool commonly used by system administrators failed.”

This should help you detect if Petya is using PsExec to spread across your file servers. Keep reading because there is more you can do to prevent initial infection and stop Petya from spreading on your endpoints.

What does Petya do?

Once on a machine, NotPetya waits for a hour and a half before performing any attack, likely to give time for more machines to be affected, and to obfuscate the point of entry.

After waiting:

  1. It encrypts the Master File Table (MFT) of locally attached NTFS drives
  2. Copies itself into the Master Boot Record (MBR) for the infected workstation/server
  3. Forces a reboot of the machine so that users are locked out
  4. Displays the ransom demand lock screen on boot (shown below)

By encrypting the MFT, the individual workstation or server is taken offline until the ransom is paid. This has the potential to disrupt an organization to a much greater degree than if some files on a server are encrypted. In many cases, IT may need to individually address each machine; the standard ransomware response of “We’ll just restore those files from backup” is rendered ineffective.

If remote boot / imaging processes aren’t in place to restore infected machines, it may be necessary to put hands on the workstations to fix them. While possible in most cases, for companies with many remote installations it can be extremely challenging and time consuming. If you’re a shipping company with 600+ cargo ships on the move at any moment nearly impossible.

As Microsoft notes, “Only if the malware is running with highest privilege (i.e., with SeDebugPrivilege enabled), it tries to overwrite the MBR code” — if the infected user does not have admin privileges on the machine, it will try to encrypt user data matching the following extensions:

It does not add a unique extension to the encrypted files (such as .locky) — it encrypts the contents and preserves the original filename and extension.

What To Do?

Preventing Petya closely mirrors the steps that you may have previously taken for WannaCry:

  • Disable SMBv1 while you patch
  • Block TCP port 445 from outside (or between segments if possible)
  • Apply the patch!

Local Kill Switch

There is also somewhat of a local kill switch. On any given machine, if the file %WINDIR%\perfc exists (no extension) the ransomware will not execute. You can get creative with ways to deploy that file to all workstations in your environment.

Additionally, you can see which endpoint AV products are able to detect Petya by looking at the VirusTotal results.

A sample of Petya acquired by researchers was compiled on June 18:

Should You Pay?

A Posteo (an email service provider) account was included in the Ransomware message. The abuse and security team at Posteo have posted an update at:

https://posteo.de/blog/info-zur-ransomware-petrwrappetya-betroffenes-postfach-bereits-seit-mittag-gesperrt

They have:

  1. Blocked the account
  2. Confirmed that no decrypt keys were sent from the account
  3. Contacted the authorities to offer what assistance they can

All of which adds up to the fact that you shouldn’t pay the ransom as you won’t receive the necessary decryption keys.

This is a developing story and we’ll keep this post updated as we learn more.

Other Helpful Links

Reality Leah Winner and the Age of Insider Threats

Reality Leah Winner and the Age of Insider Threats

Prosecutors allege that 25-year-old federal contractor Reality Leah Winner printed a top-secret NSA document detailing the ongoing investigation into Russian election hacking last November and mailed it to The Intercept. This raises a series of questions when it comes to protecting sensitive information from insider threats.

First, should Winner have been granted access to documents related to the Russian hacking investigation in the first place? Were there any processes in place at Pluribus to periodically review access controls and revoke access to documents and emails that employees don’t need?

According to the released affidavit, Winner had only been employee of Pluribus International Corporation since February 2017, but reportedly gained top-secret security clearance in 2013. While her access was legitimate, there is no indication that the leaked document was relevant to her job. In fact, in the affidavit, Winner admits to not having a “need to know.”

The Epidemic of Open Access

This leads to a much broader question about access control: should every employee or contractor with top-secret clearance have access to everything? Likewise, should the CEO of a company have access to every sensitive file and email in her company? Most security pros would argue no. It’s certainly a violation of the rule of least privilege.

Excessive access can be linked to increased risks from insider threats, and the problem is only getting worse. In a recent Ponemon Institute study 62% of end users said they have access to company data they probably shouldn’t see and 76% of IT pros said they’d experienced data loss or theft in the past two years.

The open access epidemic can result in even more damage when accounts are compromised. Even if Winner hadn’t intentionally leaked the document to the media, had her account been compromised by an outside attacker, that information would be vulnerable.

One has to wonder whether Pluribus has a clear picture of it’s most sensitive information. Many organizations have lost the handle on where their most sensitive information lives, who has access to it, and who might be abusing their access — in the 2017 Varonis Data Risk Report, we found that 47% of organizations have at least 1,000 sensitive files open to every employee.

Detecting Insider Threats by Combining Metadata

What’s more, there seems to have been a failure in insider threat detection. It was only when the news outlet contacted an unnamed intelligence agency that federal investigators began their audit to determine who had accessed the leaked document. Was it consistent with Winner’s normal data access behaviors to access files relating to the Russian election hacking investigation? Even though she had legitimate access, there may have been abnormalities in her data access patterns that could have sounded an insider abuse alarm.

Lastly, and perhaps one of the most interesting facets of the story, is how The Intercept accidentally outed Winner by posting a copy of the leaked document which contained tracking metadata. Winner accessed the data and then printed it. Investigators knew it was printed because of invisible micro dots on the page, so they could trace it to a specific printer and date. That narrowed it down to six users, one of which had email contact with The Intercept.

Image credit: http://blog.erratasec.com/2017/06/how-intercept-outed-reality-winner.html

It was a combination of different types of forensic metadata that identified Winner as the leaker. Just knowing the printer and date wouldn’t have been enough on its own without it being correlated with email behavior, but together Winner could be conclusively identified.

Want to learn more about insider threats and techniques to mitigation them? Troy Hunt produced an hour-long video course called The Enemy Within. It’s 100% free. Click here to enroll.

If you want to get a handle on insider threats within your organization, Varonis can help.

What is a Data Security Platform?

What is a Data Security Platform?

A Data Security Platform (DSP) is a category of security products that replaces traditionally disparate security tools.

DSPs combine data protection capabilities such as sensitive data discovery, data access governance, user behavior analytics, advanced threat detection, activity monitoring, and compliance reporting, and integrate with adjacent security technologies.

They also provide a single management interface to allow security teams to centrally orchestrate their data security controls and uniformly enforce policies across a variety of data repositories, on-premises and in the cloud.

Data Security Platform (DSP)

Adapted from a figure used in the July 2016 Forrester report, The Future Of Data Security And Privacy: Growth And Competitive Differentiation.

The Rise of the Data Security Platform

A rapidly evolving threat landscape, rampant data breaches, and increasingly rigorous compliance requirements have made managing and protecting data more difficult than ever. Exponential data growth across multiple silos has created a compound effect that has made the disparate tool approach untenable. Siloed tools often result in inconsistently applied data security policies.

Many organizations are finding that simply increasing IT security spend doesn’t necessarily correlate to better overall data security. How much you spend isn’t as important as what you spend it on and how you use what you buy.

“Expense in depth” hasn’t been working. As a result, CISOs are aiming to consolidate and focus their IT spend on platforms over products to improve their enterprise-wide security posture, simplify manageability, streamline processes, and control costs.

According to Gartner, “By 2020, data-centric audit and protection products will replace disparate siloed data security tools in 40% of large enterprises, up from less than 5% today.”

(Source: Gartner Market Guide for Data-Centric Audit and Protection, March 21, 2017).

What are the benefits of a Data Security Platform?

There are clear benefits to consolidation which are generally true in all facets of technology, not just information security:

  • Easier to manage and maintain
  • Easier to coordinate strategy
  • Easier to train new employees
  • Fewer components to patch and upgrade
  • Fewer vendors to deal with
  • Fewer incompatibilities
  • Lower costs from retiring multiple point solutions

In information security, context is king. And context is enhanced drastically when products are integrated as part of a unified platform.

As a result, the benefits of a Data Security Platform are pronounced:

  • By combining previously disparate functions, DSPs have more context about data sensitivity, access controls, and user behavior, and can therefore paint a more complete picture of a security incident and the risk of potential breaches.
  • The total cost of ownership (TCO) is lower for a DSP than for multiple, hard-to-integrate point solutions.
  • In general, platform technologies have the flexibility and scalable architecture to accommodate new data stores and add new functionality when required, making the investment more durable
  • Maintaining compatibility between multiple data security products can be a massive challenge for security teams.
    • DSPs often result in an OpEx reduction because the security teams are dealing with fewer vendors and maintaining, tuning, and upgrading fewer products.
    • Capex reduction by retiring point solutions
  • CISOs want to be able to apply their data security strategy consistently across data silos and easily measure results.

Why context is essential to threat detection

What happens when your tools lack context?

Let’s take a standalone data loss prevention (DLP) product as an example.

Upon implementing DLP it is not uncommon to have tens of thousands of “alerts” about sensitive files. Where do you begin? How do you prioritize? Which incident in the colossal stack represents a significant risk that warrants your immediate, undivided attention?

The challenge doesn’t stop here. Pick an incident/alert at random – the sensitive files involved may have been auto-encrypted and auto-quarantined, but what comes next? Who has the knowledge and authority to decide the appropriate access controls? Who are we now preventing from doing their jobs? How and why were the files placed here in the first place?

DLP solutions by themselves provide very little context about data usage, permissions, and ownership, making it difficult for IT to proceed with sustainable remediation. IT is not qualified to make decisions about accessibility and acceptable use on its own; even if it were, it is not realistic to make these kinds of decisions for each and every file.

You can see a pattern forming here – with disparate products we often end up with excellent questions, but we urgently need answers that only a DSP can provide.

Which previously standalone technologies does a Data Security Platform include?

  • Data Classification & Discovery
    • Where is my sensitive data?
    • What kind of sensitive, regulated data do we have? (e.g., PCI, PII, GDPR)
    • How should I prioritize my remediation and breach detection efforts? Which data is out of scope?
  • Permissions Management
    • Where is my sensitive data overexposed?
    • Who has access to sensitive information they don’t need?
    • How are permissions applied? Are they standardized? Consistent?
  • User Behavior Analytics
    • Who is accessing data in abnormal ways?
    • What is normal behavior for a given role or account?
    • Which accounts typically run automated processes? Which access critical data? Executive files and emails?
  • Advanced Threat Detection & Response
    • Which data is under attack or potentially being compromised by an insider threat?
    • Which user accounts have been compromised?
    • Which data was actually taken, if any?
    • Who is trying to exfiltrate data?
  • Auditing & Reporting
    • Which data was accessed? By whom? When?
    • Which files and emails were accessed or deleted by a particular user?
    • Which files were compromised in a breach, by which accounts, and exactly when were they accessed?
    • Which user made this change to a file system, access controls or group policy, and when?
  • Data Access Governance
    • How do we implement and maintain a least privilege model?
    • Who owns the data? Who should be making the access control decisions for each critical dataset?
    • How do I manage joiners, movers, and leavers so only the right people maintain access?
  • Data Retention & Archiving
    • How do we get rid of toxic data that we no longer need?
    • How do we ensure personal data rights (right to erasure & to be forgotten)?

Analyst Research

A number of analysts firms have taken note of the Data Security Platform market and have released research reports and market guides to help CISOs and other security decision-makers.

Forrester’s “Expense in Depth” Research

In January 2017, Forrester Consulting released a study, commissioned by Varonis, entitled The Data Security Money Pit: Expense in Depth Hinders Maturity that shows a candy-store approach to data security may actually hinder data protection and explores how a unified data security platform could give security professionals the protection capabilities they desire, including security analytics, classification and access control while reducing costs and technical challenges.

The study finds that a fragmented approach to data security exacerbates many vulnerabilities and challenges, and 96% of these respondents believe a unified approach would benefit them, including preventing and more quickly responding to attempted attacks, limiting exposure and reducing complexity and cost.. The study goes on to highlight specific areas where enterprise data security falls short:

  • 62% of respondents don’t know where their most sensitive unstructured data resides
  • 66% don’t classify this data properly
  • 59% don’t enforce a least privilege model for access to this data
  • 63% don’t audit use of this data and alert on abuses
  • 93% suffer persistent technical challenges with their current data security approach

Point products may mitigate specific threats, but when used tactically, they undermine more comprehensive data security efforts.

According to the study, “It’s time to put a stop to expense in depth and wrestling with cobbling together core capabilities via disparate solutions.”

Almost 90% of respondents desire a unified data security platform. Key criteria to include in such a platform as selected by the survey respondents include:

  • Data classification, analytics and reporting (68% of respondents)
  • Meeting regulatory compliance (76% of respondents)
  • Aggregating key management capabilities (70% of respondents)
  • Improving response to anomalous activity (68% of respondents)

Forrester concludes:

Forrester on Data Security Platforms

Gartner’s DCAP Market Guide

Gartner released the 2017 edition of their Market Guide for Data-Centric Audit and Protection. The guide’s summary concisely describes the need for a platform approach to data security:

Garter on Data-Centric Audit and Protection

Gartner recommends that organizations “implement a DCAP strategy, and ‘shortlist’ products that orchestrate data security controls consistently across all silos that store the sensitive data.” Further, the report advises, “A vendor’s ability to integrate these capabilities across multiple silos will vary between products and also in comparison with vendors in each market subsegment. Below is a summary of some key features to investigate:”

  • Data classification and discovery
  • Data security policy management
  • Monitoring user privileges and data access activity
  • Auditing and reporting
  • Behavior analysis, alerting and blocking
  • Data protection

Demo the Varonis Data Security Platform

The Varonis Data Security Platform (DSP) protects enterprise data against insider threats, data breaches and cyberattacks by analyzing content, accessibility of data and the behavior of the people and machines that access data to alert on misbehavior, enforce a least privilege model and automate data management functions. Learn more about the Varonis Data Security Platform →

What customers are saying about the Varonis Data Security Platform

City of San Diego on the Varonis Data Security Platform

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Detecting Malware Payloads in Office Document Metadata

Office Documents with Malicious Metadata

Ever consider document properties like “Company,” “Title,” and “Comments” a vehicle for a malicious payload? Checkout this nifty PowerShell payload in the company metadata:

Here’s the full VirusTotal entry. The target opens the Office document and, with macros enabled, the payload stored within the document’s own metadata executes and does its work. No extra files written to disk or network requests made.

The question  about whether DatAlert can detect stuff like this came up in the Twitter thread, so I decided to write up a quick how-to.

Finding Malicious Metadata with Varonis

What you’ll need: DatAdvantage, Data Classification Framework, DatAlert

Step 1: Add Extended File Properties to be scanned by Data Classification Framework.

  • Open up the Varonis Management Console
  • Click on Configuration → Extended File properties
  • Add a new property for whichever field you’d like to scan (e.g., “Company”)

Varonis Management Console

(Note: prior to version 6.3, extended properties are created in DatAdvantage under Tools → DCF and DW → Configuration → Advanced)

Step 2: Define a malicious metadata classification rule

  • In the main menu of DatAdvantage select Tools → DCF and DW → Configuration
  • Create a new rule
  • Create a new filter
  • Select File properties → Company (or whichever property you’re scanning)
  • Select “like” to search for a substring
  • Add the malicious value you’d like to look for (e.g., .exe or .bat)

Varonis DCF New Classification Rule

Step 3: Create an alert in DatAlert to notify you whenever a file with malicious metadata is discovered

  • In the main menu of DatAdvantage select Tools → DatAlert
  • Click the green “+” button to create a new rule
  • Click on the “Where (Affected Object)” sub menu on the left
  • Add a new filter → Classification Results
  • Select your rule name (e.g., “Malicious Metadata”)
  • Select “Files with hits” and “Hit count (on selected rules)” greater than 0

DatAlert Rule for Malicious Document Metadata

You can fill out the rest of the details of your alert rule–like which systems to scan, how you want to get your alerts, etc.

As an extra precaution, you could also create a Data Transport Engine rule based on the same classification result that will automatically quarantine files that are found to have malicious metadata.

That’s it! You can update your “Malicious Metadata” over time as you see reports from malware researchers of new and stealthier ways to encode malicious bits within document metadata.

If you’re an existing Varonis customer, you can setup office hours with your assigned engineer to review your classification rules and alerts. Not yet a Varonis customer? What are you waiting for? Get a demo of our data security platform today.

Are Wikileaks and ransomware the precursors to mass extortion?

Are Wikileaks and ransomware the precursors to mass extortion?

Despite Julian Assange’s promise not to let Wikileaks’ “radical transparency” hurt innocent people, an investigation found that the whistleblowing site has published hundreds of sensitive records belonging to ordinary citizens, including medical files of rape victims and sick children.

The idea of having all your secrets exposed, as an individual or a business, can be terrifying. Whether you agree with Wikileaks or not, the world will be a very different place when nothing is safe. Imagine your all your emails, health records, texts, finances open for the world to see. Unfortunately, we may be closer to this than we think.  

If ransomware has taught us one thing it’s that an overwhelming amount of important business and personal data isn’t sufficiently protected. Researcher Kevin Beaumont says he’s seeing around 4,000 new ransomware infections per hour. If it’s so easy for an intruder to encrypt data, what’s stopping cybercriminals from publishing it on the open web?

There are still a few hurdles for extortionware, but none of them are insurmountable:

1. Attackers would have to exfiltrate the data in order to expose it

Ransomware encrypts data in place without actually stealing it. Extortionware has to bypass traditional network monitoring tools that are built to detect unusual amounts of data leaving their network quickly. Of course, files could be siphoned off slowly disguised as benign web or DNS traffic.

2. There is no central “wall of shame” repository like Wikileaks

If attackers teamed up to build a searchable public repository for extorted data, it’d make the threat of exposure feel more real and create a greater sense of urgency. Wikileaks is very persistent about reminding the public that the DNC and Sony emails are out in the open, and they make it simple for journalists and others to search the breached data and make noise about it.

3. Maybe ransomware pays better

Some suggest that the economics of ransomware are better than extortionware, which is why we haven’t seen it take off. On the other hand, how do you recover when copies of your files and emails are made public? Can the DNC truly recover? Payment might be the only option, and one big score could be worth hundreds of ransomware payments.  

So what’s preventing ransomware authors from trying to doing both? Unfortunately, not much. They could first encrypt the data then try to exfiltrate it. If you get caught during exfiltration, it’s not a big deal. Just pop up your ransom notification and claim your BTC.

Ransomware has proven that organizations are definitely behind the curve when it comes to catching abnormal behavior inside their perimeters, particularly on file systems. I think the biggest lesson to take away from Wikileaks, ransomware, and extortionware is that we’re on the cusp of a world where unprotected files and emails will regularly hurt businesses, destroy privacy, and even jeopardize lives (I’m talking about hospitals that have suffered from cyberattacks like ransomware).

If it’s trivially easy for noisy cybercriminals that advertise their presence with ransom notes to penetrate and encrypt thousands of files at will, the only reasonable conclusion is that more subtle threats are secretly succeeding in a huge way.  We just haven’t realized it yet…except for the U.S. Office of Personnel Management. And Sony Pictures. And Mossack Fonseca. And the DNC. And…

The Enemy Within: A Free Security Training Course by Troy Hunt

The Enemy Within: A Free Security Training Course by Troy Hunt

It takes a very long time to discover a threat on your network according to the Verizon DBIR:

breach-discovery

Which is mind-boggling given the most devastating breaches often start with an insider—either an employee or an attacker that gets inside using an insider’s credentials. Target, OPM, Panama Papers, Wikileaks. The list goes on and on.

The truth is that many organizations are behind the curve when it comes to understanding and defending against insider threats.

So when we were tossing around topic ideas with Troy, it quickly became clear what our next video course should focus on.

I’m happy to announce the third course in our free, CPE-eligible security training series—The Enemy Within: Understanding Insider Threats.



Get all the videos now



What’s inside?

The course is broken into 8 video modules totaling over an hour worth of entertaining material covering where insider threats originate from, how they exfiltrate data, and how to stop them.

More free content

While you’re at it, grab the previous two courses in the series:

About Troy

Troy is a Microsoft Regional Director, most Valuable Professional and top-rated international speaker on online security, regularly delivering the number one rated talk at events across the globe. He’s also the author of 26 online Pluralsight courses which frequently feature at the top of the charts. Troy’s site, HaveIBeenPwned.com, is one of the world’s most popular data breach verification sites.