Varonis announces strategic partnership with Microsoft to accelerate the secure adoption of Copilot.

Learn more

Introducing Varonis UBA Threat Models

If you’re a regular reader of our blog, you know that we feel that the perimeter is dead, and that the battle against insider (and outsider) threats is won with...
Michael Buckbee
2 min read
Published November 5, 2015
Last updated June 30, 2022

If you’re a regular reader of our blog, you know that we feel that the perimeter is dead, and that the battle against insider (and outsider) threats is won with User Behavior Analytics (UBA), which is why we’re so excited to announce the launch of Varonis UBA Threat Models in beta release of 6.2.5.

What are Threat Models?

Without any configuration on your part, our predictive threat models will automatically analyze behavior across multiple platforms and alert you to potential threats. From CryptoLocker infections to compromised service accounts to disgruntled employees, we’ll detect and alert you on all sorts of abnormal user behavior.

Get the Free Pen Testing Active Directory Environments EBook

“This really opened my eyes to AD security in a way defensive work never did.”

Varonis has been doing UBA for the past decade, most notably to determine when users no longer need access to data based on their behavior and peer-group analysis. With our new threat models, you’re getting even more value out of the data we collect—the ability to use machine learning to detect and stop threats you might not have pre-configured an alert for.

Why does this matter?

Varonis UBA threat models uncover security issues quickly, and give context around metadata and what’s actually happening on your file and email servers, SharePoint, and Active Directory.

 

Video Thumbnail
2:08

 

Our advanced behavioral alerts catch suspicious activity across every stage of a potential data breach: from initial reconnaissance to data exfiltration.  Here’s a sample of some of our most sought-after threat models:

Abnormal behavior: access to sensitive data

Exfiltration: May indicate an unauthorized attempt to gain access to sensitive data assets.   The user’s actions are compared to his behavioral profile, and an alert is created when a deviation is discovered.

Abnormal service behavior: access to atypical mailboxes

Exfiltration:  May indicate an unauthorized attempt to exploit service privileges to gain access to data assets.   The user’s actions are compared to his behavioral profile, and an alert is created when a deviation is discovered.

Crypto intrusion activity

Intrusion: May indicate presence of Ransomware.

Suspicious access activity: non-admin access to files containing credentials

Privilege Escalation:  May indicate an unauthorized attempt to extract credentials, or deny access to systems.

Modification: Critical GPOs

Exploitation: May indicate unauthorized attempts to gain access by changing policies, or using privileged groups. May also indicate attempts to deny users access to systems, especially if performed without regard for established change control processes.

Suspicious access activity: non-admin access to files containing credentials

Privilege Escalation:  May indicate an unauthorized attempt to extract credentials, or deny access to systems.

Exploitation tools detected

Exploitation: May indicate attempt to install or use known hacking tools.

Membership changes: admin groups

Exploitation: May indicate unauthorized attempt to gain access via privileged groups or prevent administrators from responding to the attack, especially if performed outside of established change control processes.

Administrative or service account disabled or deleted

Exploitation: May indicate an unauthorized attempt to damage the infrastructure, deny users access to systems, or to obfuscate, especially if performed outside of established change control processes.

Multiple open events on files likely to contain credentials

Privilege Escalation: May indicate an unauthorized attempt to extract credentials.

Recon tools detected

Reconnaissance: May indicate the unauthorized presence of reconnaissance tools that could be used to scan the corporate network or to search for vulnerabilities.

Curious to see what our threat models reveal about your systems?  Let’s find out.

What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

varonis-ebook:-wmi-events-and-insider-surveillance
Varonis eBook: WMI Events and Insider Surveillance
If you’ve been reading our blog, you know that Windows software can be weaponized to allow hackers to live-off-the-land and stealthily steal sensitive data. Insiders are also aware of the...
introducing-the-varonis-remote-work-update
Introducing the Varonis Remote Work Update
The Varonis Data Security Platform Remote Work Update is here! This update delivers the product enhancements you need right now to keep your data safe in a work-from-home world. In...
covid-19-threat-update-#3
COVID-19 Threat Update #3
If you’re reading this, there’s a good chance you’ve become one of the millions of employees forced to work from home during the coronavirus crises. Accessing your emails and files...
what-is-c2?-command-and-control-infrastructure-explained
What is C2? Command and Control Infrastructure Explained
A successful cyberattack is about more than just getting your foot into the door of an unsuspecting organization. To be of any real benefit, the attacker needs to maintain persistence…