How Varonis Levels Up Your Incident Response

Varonis arms your incident response team with expert playbooks on how to respond to common alerts, as well as a free IR service to help you when you need it most.
Michael Buckbee
3 min read
Last updated October 14, 2022

It’s a good time to be in cybersecurity. Incident Response (IR) teams are growing like crazy, and there are more jobs in cybersecurity than qualified candidates.

The challenge for organizations is combining the right people, processes, and technology to best equip themselves to detect and respond to cybersecurity threats. IR teams need all the backup they can get, and Varonis has two very compelling solutions to get you that backup.


Varonis Incident Response Playbooks

Varonis Playbooks, which are built right into the DatAlert investigation page, are like having a 20+ year cybersecurity veteran on your team.

The alert investigation page is rich with context to answer questions about the user, device, data, and a whole lot more – and now the guidance from the Playbook speeds up your IR team investigations and resolutions.

Check out this example from a common brute force attack scenario.

[Figure: Remote desktop connection alert in the DatAlert investigation page]

Notice the right side of the alert page. For many of the threat models, you have a step-by-step how-to guide to help you decide which actions to take.

Let’s dig into this threat model’s Playbook.

The first section is Detection and Analysis. This section tells you how you can determine if this is a legitimate brute force attack or not. Check out this excerpt and imagine responding to this alert for the first, second, or third time.

The following may indicate an attack:
* Focus on the accounts. Check whether they have suspicious risk assessment insights.
* Note whether the affected accounts belong to the same department and role, or if they share a manager. View the User context card or the relevant columns in the Events, Alerts, or Users pages.
* Focus on the device(s) from which the activity was performed. Check whether they have suspicious risk assessment insights. Would these accounts ordinarily use these devices?
* If the devices are Domain Controllers, check the Domain Controller log which initiates the call.
* Was the activity performed during the accounts’ standard working hours? View the risk assessment insights regarding working hours under Time in the Alert Info page. If the activity was performed outside the accounts’ standard working hours, an attack may have occurred.
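The checklist above is what an analyst works through by hand in the alert page. As an added illustration (not Varonis code, and not part of the original post), the script below applies the same questions to a handful of constructed authentication events: which accounts are affected, whether they share a department or manager, which source devices they came from, whether those devices are ones the accounts normally use, and whether the activity fell outside recorded working hours. The directory entries, working-hours baselines, device names and events are all made up for the example; a real deployment would pull them from the alert and the user context card.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed directory data (hypothetical users and managers), standing in
# for the department/manager columns an analyst would read off the Users page.
DIRECTORY = {
    "alice": {"department": "Finance", "manager": "carol"},
    "bob": {"department": "Finance", "manager": "carol"},
    "dave": {"department": "Engineering", "manager": "erin"},
}

# Constructed baselines: ordinary working hours (24h, local) and the devices
# each account normally signs in from. A risk assessment would supply these.
WORKING_HOURS = {"alice": (8, 18), "bob": (8, 18), "dave": (9, 17)}
USUAL_DEVICES = {"alice": {"WS-FIN-01"}, "bob": {"WS-FIN-02"}, "dave": {"WS-ENG-07"}}


@dataclass(frozen=True)
class AuthEvent:
    user: str
    device: str
    ts: datetime
    success: bool


# Constructed events attached to a brute-force alert: two Finance accounts
# hammered from one workstation at 2 a.m., plus one normal daytime logon.
SAMPLE_EVENTS = [
    AuthEvent("alice", "WS-FIN-01", datetime(2022, 10, 3, 2, 14), False),
    AuthEvent("alice", "WS-FIN-01", datetime(2022, 10, 3, 2, 15), False),
    AuthEvent("bob", "WS-FIN-01", datetime(2022, 10, 3, 2, 16), False),
    AuthEvent("bob", "WS-FIN-01", datetime(2022, 10, 3, 2, 17), True),
    AuthEvent("dave", "WS-ENG-07", datetime(2022, 10, 3, 10, 5), True),
]


def affected_accounts(events):
    """Accounts targeted by the alert: here, any account with a failed logon (an assumption)."""
    return sorted({e.user for e in events if not e.success})


def shared_attribute(accounts, attribute):
    """Return the common value when every affected account shares it, else None."""
    values = {DIRECTORY[a][attribute] for a in accounts}
    return values.pop() if len(values) == 1 else None


def accounts_per_device(events):
    """Which accounts authenticated from each source device."""
    by_device = defaultdict(set)
    for e in events:
        by_device[e.device].add(e.user)
    return {d: sorted(users) for d, users in by_device.items()}


def unusual_devices(events):
    """Accounts seen on devices they do not ordinarily use."""
    flagged = defaultdict(set)
    for e in events:
        if e.device not in USUAL_DEVICES.get(e.user, set()):
            flagged[e.user].add(e.device)
    return {u: sorted(devs) for u, devs in flagged.items()}


def outside_working_hours(events):
    """Accounts with any activity outside their recorded working hours."""
    flagged = set()
    for e in events:
        start, end = WORKING_HOURS[e.user]
        if not (start <= e.ts.hour < end):
            flagged.add(e.user)
    return sorted(flagged)


def triage(events):
    """Answer the playbook's Detection and Analysis questions for one alert."""
    accounts = affected_accounts(events)
    return {
        "accounts": accounts,
        "same_department": shared_attribute(accounts, "department"),
        "same_manager": shared_attribute(accounts, "manager"),
        "accounts_per_device": accounts_per_device(events),
        "unusual_devices": unusual_devices(events),
        "off_hours_accounts": outside_working_hours(events),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

On the constructed data the script reports that both affected accounts sit in Finance under the same manager, that they were attacked from a single workstation bob does not normally use, and that all of the activity happened outside working hours; each of those is one of the playbook's indicators, and the point of the example is that they become cheap to check once the baselines exist.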

Varonis customers report that they get better at diagnosing and responding to incidents because of the guidance from the Playbooks.

Check out this excerpt from the Containment, Eradication, and Recovery section.

* Reset the passwords of the compromised accounts. Make sure to notify the relevant users.
* Check additional alerts and events generated by the acting account, to make sure no issues were missed. Note the events that should be rolled back.
* Check the devices of the compromised account. They may be infected with malware.

How easy are those instructions to follow? For an experienced analyst, these tasks are no brainers. But think of the brand new team member fresh out of school. How much faster will they ramp up with resources like this at their fingertips?

But sometimes you need more hands-on help.

Varonis Incident Response Team

We know how stressful it can be to field an alert about a potentially severe incident. We’re here to help. The Varonis IR Team is a group of in-house cybersecurity analysts that respond to incidents reported by Varonis alerts.

The kinds of questions they work on are specific to cybersecurity incidents. For example, if you see alerts about a possible NTLM brute force attack, you can contact the Varonis IR Team, and they will respond with suggested next steps or sometimes jump on a call and start investigating the incident with you.

This team discovered a new version of QBot late last year.

How much does this cost, you ask? It’s free. All Varonis users have access to a global, 16-member IR team.

Closing Thoughts

The Playbooks and IR Team are serious value-adds for your investment in Varonis that increase your IR capability. Playbooks can speed up your own IR team’s response times and ramp up their experience. Throw in the IR team to augment your own resources, and you can quickly see how any investment in Varonis is worth so much more than the list price.

Want to see just how much Varonis can help speed up time to detection (TTD) and time to resolution (TTR)? Forrester conducted an independent study on one Varonis customer to quantify the ROI of getting high-fidelity, context-rich alerts, resulting in a 90% reduction in response times.

Check out the Varonis IR team in action during a Live Cyber Attack Lab webinar. Pick a time that works for you!
