How Varonis Levels Up Your Incident Response

Varonis arms your incident response team with expert playbooks on how to respond to common alerts, as well as a free IR service to help you when you need it most.
Michael Buckbee
3 min read
Published March 29, 2020
Last updated October 14, 2022

It’s a good time to be in cybersecurity. Incident Response (IR) teams are growing like crazy, and there are more jobs in cybersecurity than qualified candidates.

The challenge for organizations is combining the right people, processes, and technology to best equip themselves to detect and respond to cybersecurity threats. IR teams need all the backup they can get, and Varonis has two very compelling solutions to get you that backup.

Varonis Incident Response Playbooks

Varonis Playbooks, which are built right into the DatAlert investigation page, are like having a 20+ year cybersecurity veteran on your team.

The alert investigation page is rich with context to answer questions about the user, device, data, and a whole lot more – and now the guidance from the Playbook speeds up your IR team investigations and resolutions.

Check out this example from a common brute force attack scenario.

[Screenshot: DatAlert investigation page for a remote desktop connection brute force alert, with the Playbook shown on the right side]

Notice the right side of the alert page. For many of the threat models, you have a step-by-step how-to guide to help you decide which actions to take.

Let’s dig into this threat model’s Playbook.

The first section is Detection and Analysis. This section tells you how you can determine if this is a legitimate brute force attack or not. Check out this excerpt and imagine responding to this alert for the first, second, or third time.

The following may indicate an attack:
* Focus on the accounts. Check whether they have suspicious risk assessment insights.
* Note whether the affected accounts belong to the same department and role, or if they share a manager. View the User context card or the relevant columns in the Events, Alerts, or Users pages.
* Focus on the device(s) from which the activity was performed. Check whether they have suspicious risk assessment insights. Would these accounts ordinarily use these devices?
* If the devices are Domain Controllers, check the Domain Controller log which initiates the call.
* Was the activity performed during the accounts’ standard working hours? View the risk assessment insights regarding working hours under Time in the Alert Info page. If the activity was performed outside the accounts’ standard working hours, an attack may have occurred.
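To make the Detection and Analysis checks above concrete, here is an added example (not Varonis code and not part of the original post) that applies three of them to a constructed batch of failed-logon events: one source device for all targeted accounts, activity outside standard working hours, and targeted accounts that share a department or manager. The event fields, directory lookup, and working-hours window are all assumptions for the example.

```python
from collections import Counter
from datetime import datetime

# Constructed sample events (not from the page): failed logons behind one alert.
EVENTS = [
    {"account": "jdoe", "device": "WS-104", "time": "2020-03-27T02:14:00"},
    {"account": "asmith", "device": "WS-104", "time": "2020-03-27T02:15:00"},
    {"account": "bwong", "device": "WS-104", "time": "2020-03-27T02:16:00"},
    {"account": "jdoe", "device": "WS-104", "time": "2020-03-27T10:30:00"},
]

# Constructed directory context (hypothetical): department and manager per account,
# standing in for the User context card the playbook points to.
DIRECTORY = {
    "jdoe": {"department": "Finance", "manager": "kclark"},
    "asmith": {"department": "Finance", "manager": "kclark"},
    "bwong": {"department": "Finance", "manager": "kclark"},
}

WORK_START, WORK_END = 8, 18  # assumed standard working hours, 24h clock


def off_hours(events, start=WORK_START, end=WORK_END):
    """Return the events that fall outside the assumed working-hours window."""
    return [e for e in events
            if not (start <= datetime.fromisoformat(e["time"]).hour < end)]


def shared_context(accounts, directory):
    """Report whether the affected accounts share one department or one manager."""
    depts = {directory[a]["department"] for a in accounts if a in directory}
    managers = {directory[a]["manager"] for a in accounts if a in directory}
    return {"same_department": len(depts) == 1, "same_manager": len(managers) == 1}


def triage(events, directory):
    """Apply the playbook's checks and count how many indicators are present."""
    accounts = sorted({e["account"] for e in events})
    devices = Counter(e["device"] for e in events)
    report = {
        "accounts": accounts,
        "single_source_device": len(devices) == 1,
        "off_hours_events": len(off_hours(events)),
        **shared_context(accounts, directory),
    }
    report["indicators"] = sum([
        report["single_source_device"],
        report["off_hours_events"] > 0,
        report["same_department"] or report["same_manager"],
    ])
    return report
```

The indicator count is a prompt for the analyst, not a verdict: the playbook still asks you to confirm each item against the alert's risk assessment insights.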

Varonis customers report that they get better at diagnosing and responding to incidents because of the guidance from the Playbooks.

Check out this excerpt from the Containment, Eradication, and Recovery section.

* Reset the passwords of the compromised accounts. Make sure to notify the relevant users.
* Check additional alerts and events generated by the acting account, to make sure no issues were missed. Note the events that should be rolled back.
* Check the devices of the compromised account. They may be infected with malware.

How easy are those instructions to follow? For an experienced analyst, these tasks are no brainers. But think of the brand new team member fresh out of school. How much faster will they ramp up with resources like this at their fingertips?

But sometimes you need more hands-on help.

Varonis Incident Response Team

We know how stressful it can be to field an alert about a potentially severe incident. We’re here to help. The Varonis IR Team is a group of in-house cybersecurity analysts that respond to incidents reported by Varonis alerts.

The kinds of questions they work on are specific to cybersecurity incidents. For example, if you see alerts about a possible NTLM brute force attack, you can contact the Varonis IR Team, and they will respond with suggested next steps or sometimes jump on a call and start investigating the incident with you.

This team discovered a new version of QBot late last year.

How much does this cost, you ask? It’s free. All Varonis users have access to a global, 16-member IR team.

Closing Thoughts

The Playbooks and IR Team are serious value-adds for your investment in Varonis that increase your IR capability. Playbooks can speed up your own IR team’s response times and ramp up their experience. Throw in the IR team to augment your own resources, and you can quickly see how any investment in Varonis is worth so much more than the list price.

Want to see just how much Varonis can help speed up time to detection (TTD) and time to resolution (TTR)? Forrester conducted an independent study on one Varonis customer to quantify the ROI of getting high-fidelity, context-rich alerts, resulting in a 90% reduction in response times.

Check out the Varonis IR team in action during a Live Cyber Attack Lab webinar. Pick a time that works for you!
