How to Best Apply SANS Critical Security Controls to Unstructured Human-Generated Data

The SANS Top 20 Critical Security Controls (CSC) have become a widely accepted strategy for protecting organizations against the most common security risks. They take a practical view of security that's based on protecting against real-world threats—"offense informs defense". Developed and maintained by an international group of organizations, government agencies, and security experts, the controls are prioritized to protect the organization's infrastructure and data by strengthening the organization's defense system through continuous automated protection and monitoring.

As a Metadata Era reader, you’re no doubt wondering how unstructured human-generated data relates to these security controls. Our customers frequently bring this up when we have a discussion about the type of data that’s important to the organization.

CISSP-certified Systems Engineer Terry Boedeker describes the scenario: "That's often how a conversation may start with the IT department. They may say, 'We only care about SQL. All of our sensitive data is stored in a database.'" He adds, "While data may be structured somewhere, any time an individual interacts with the data in the environment, they're often doing so in an unstructured format. The data may be in a customer management system, or in a SQL database, but they're pulling that data and putting it on a spreadsheet, documents, PowerPoints and emails. Humans are interacting with data at an unstructured level all the time."

Unstructured, human-generated files also consume considerable storage space and are generally kept for long periods of time. As such, it’s important for organizations to have the ability to identify, monitor and manage access to the organization’s unstructured data, which also conveniently maps to some of the SANS Top 20 Critical Security Controls.

Here's how to best apply the SANS critical security controls to your organization's human-generated data. Each control below is listed with its SANS definition, followed by the solution that maps to it.


Critical Security Control 12, Controlled Use of Administrative Privileges: The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.

Solution: DatAdvantage helps organizations examine and audit the use of privileged access accounts to detect and prevent abuse. With a continual audit record of all file, email, SharePoint, and Directory Services activity, DatAdvantage provides visibility into administrative users' actions. The log can be viewed interactively or via email reports. DatAdvantage can also identify when users have administrative rights they do not use or need and provides a way to safely remove excess privileges without impacting the business. Through DataPrivilege, membership in administrative groups can be tightly controlled, audited and reviewed.

DatAlert can be configured to send real-time alerts on a number of actions including the granting of administrative rights to a user or group.  This allows the organization to detect, in real-time, when privileged access has been granted erroneously and act before abuse occurs. Real-time alerts can also be triggered when administrative users access, modify, or delete business data.

DataPrivilege provides a web-based interface that allows business stakeholders (i.e., stewards) to review, approve, and deny access to their data, putting access control decisions in the hands of the person or people with the right context.

Critical Security Control 14, Maintenance, Monitoring, and Analysis of Audit Logs: Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.

Solution: DatAdvantage captures, aggregates, normalizes, and analyzes every data access event for every user on Windows, UNIX/Linux, NAS, EMC VNX (Celerra) and Isilon, Exchange and SharePoint servers, as well as Active Directory changes, without requiring native operating system auditing on most of them.

Through its intuitive graphical interface and reports, DatAdvantage clearly presents the answers to questions such as:
· Who has been accessing this folder?
· What data has this user been accessing?
· Who sent emails to whom?
· Who deleted these files?
· Where did those files go?

Data for every access event is collected without impacting performance or storage on production systems, using normal computing infrastructure.

DatAlert leverages the audit trail collected by DatAdvantage and the Metadata Framework to trigger real-time alerts when unwanted or suspicious events occur.

Critical Security Control 15, Controlled Access Based on the Need to Know: The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.

Solution: DatAdvantage's recommendation engine can help eliminate permissions creep by using its bi-directional cluster analysis to determine when a user has access to data they do not need. DatAdvantage produces a recommendation which can be acted upon by IT or a business user. DatAdvantage also provides a simulation sandbox to ensure permission changes do not adversely impact the environment.

The IDU Classification Framework scans file systems and SharePoint sites and automatically identifies sensitive content such as credit card numbers, healthcare information, or other critical assets. Once critical information is discovered, DatAdvantage provides additional context as to who has access to the content, who has been accessing the content, and who should not have access anymore. The IDU Classification Framework can prioritize risk by highlighting folders with high concentrations of sensitive content and extremely loose permissions.

DataPrivilege enables "need-to-know" access by empowering data owners to make informed decisions about who should and should not have access to their business data. A web-based interface with an automated permissions management workflow involves the data owners directly in decisions related to their business unit's data, without manual effort or assistance from IT.

Critical Security Control 17, Data Protection: The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and data integrity of sensitive information.

Solution: Many security breaches occur because employees have access to more data than they require and data use is not audited or analyzed. DatAdvantage helps organizations ensure their data at rest is secured against unauthorized theft or accidental loss by providing unprecedented visibility into who has access to data, who is accessing data, where sensitive data resides, and who owns it.

By using DatAdvantage’s recommendation engine to eliminate unnecessary permissions and reduce the access footprint of user accounts and security groups, accounts that are breached have a much smaller potential for harm, and their actions are recorded to make it possible to assess damage and recover from potential breaches more efficiently.

Additionally, since DatAdvantage profiles every user’s normal data access behavior, it can detect and alert when abnormal spikes in access occur, thus detecting and preventing data breaches and insider threats. With DatAlert, administrators can be alerted when sensitive data is discovered outside of a specified area so that they can take immediate action.  DatAlert can also be configured to detect privilege escalations, change management violations, changes to GPOs, folder permissions, etc.

Critical Security Control 5, Malware Defenses: Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.

Solution: DatAdvantage's audit trail and behavioral alerts can help detect when malware or viruses are accessing files, mailboxes, or SharePoint sites.

A Varonis customer used DatAdvantage to quickly isolate and successfully halt the spread of the Cryptolocker virus in their environment.

This was how our customer described the situation: "Within DatAdvantage I ran a query on that specific user and realized that there were over 400,000 access events that had been generated from that user's account. It was at that point that we knew it was a virus… Once we had identified the second user, we went back to DatAdvantage to identify the files they had accessed. There were over 200,000 access events generated from this user's account."

DatAdvantage enabled our customer to quickly identify corrupt files and helped the organization reduce the impact of the virus on the environment and user downtime. In addition, it allowed them to maximize their time and resources by only having to restore the data that was affected.
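As an added example, not Varonis code or any material from the original post, the Python below answers one of the Control 14 audit-log questions ("who has been accessing this folder?"), implements the Control 17 "abnormal spike" check against each account's own history, and then scopes the restore the way the CryptoLocker customer did, by listing the files the flagged account changed. The event tuples, the baseline counts, and the z-score and ratio thresholds are all constructed assumptions.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed sample audit trail: (user, action, path). Real events would also carry a
# timestamp, server and client; they are left out to keep the example small.
EVENTS = [
    ("alice", "read", r"\\fs01\finance\budget.xlsx"),
    ("alice", "modify", r"\\fs01\finance\budget.xlsx"),
    ("bob", "read", r"\\fs01\hr\salaries.xlsx"),
    ("bob", "delete", r"\\fs01\hr\old_review.docx"),
    ("svc_backup", "read", r"\\fs01\finance\budget.xlsx"),
]
# One account reading and rewriting every file in a share: the shape the post's customer
# saw (hundreds of thousands of events from a single user) during the CryptoLocker outbreak.
EVENTS += [("carol", act, rf"\\fs01\shared\doc{i:04d}.docx")
           for i in range(2000) for act in ("read", "modify")]

# Constructed per-user history of daily event counts, standing in for the behavioral
# profile a tool such as DatAdvantage would have learned over time.
BASELINE = {
    "alice": [40, 55, 38, 47, 50],
    "bob": [20, 25, 18, 22, 19],
    "carol": [30, 35, 28, 33, 31],
    "svc_backup": [900, 950, 910, 930, 920],
}

def who_accessed(events, folder):
    """Control 14: which accounts touched anything under `folder`, and how often."""
    prefix = folder.rstrip("\\") + "\\"
    return Counter(u for u, _, p in events if p.startswith(prefix))

def spike_users(events, baseline, z=4.0, min_ratio=10.0):
    """Control 17: accounts whose count today is far above their own history.
    Both a z-score above `z` and a plain ratio above `min_ratio` are required, so a
    quiet, stable account is not flagged for a modest real increase. Accounts with no
    history at all are flagged too, since nothing vouches for them."""
    flagged = {}
    for user, today in Counter(u for u, _, _ in events).items():
        hist = baseline.get(user)
        if not hist:
            flagged[user] = (today, None)
            continue
        mu, sd = mean(hist), max(pstdev(hist), 1.0)  # floor sd to avoid divide-by-zero
        if (today - mu) / sd > z and today / mu > min_ratio:
            flagged[user] = (today, mu)
    return flagged

def files_touched(events, user, actions=("modify", "delete")):
    """Once a spike is confirmed: the restore scope, i.e. the files the account changed."""
    return sorted({p for u, a, p in events if u == user and a in actions})
```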

Cindy Ng

Cindy is the host of the Inside Out Security podcast.
