Inside Out Security Blog   /  

How Varonis Levels Up Your Incident Response

How Varonis Levels Up Your Incident Response


    It’s a good time to be in cybersecurity. Incident Response(IR) teams are growing like crazy, and there are more jobs in cybersecurity than qualified candidates.

    The challenge for organizations is combining the right people, processes, and technology to best equip themselves to detect and respond to cybersecurity threats. IR teams need all the backup they can get, and Varonis has two very compelling solutions to get you that backup.

    Get the Free Pentesting Active
    Directory Environments e-book

    Varonis Incident Response Playbooks

    Varonis Playbooks, which are built right into the DatAlert investigation page, are like having a 20+ year cybersecurity veteran on your team.

    The alert investigation page is rich with context to answer questions about the user, device, data, and a whole lot more – and now the guidance from the Playbook speeds up your IR team investigations and resolutions.

    Check out this example from a common brute force attack scenario.

    Remote desktop connection

    Notice the right side of the alert page. For many of the threat models, you have a step-by-step how-to guide to help you decide which actions to take.

    Let’s dig into this threat model’s Playbook.

    The first section is Detection and Analysis. This section tells you how you can determine if this is a legitimate brute force attack or not. Check out this excerpt and imagine responding to this alert for the first, second, or third time.

    The following may indicate an attack:
    * Focus on the accounts. Check whether they have suspicious risk assessment insights.
    * Note whether the affected accounts belong to the same department and role, or if they share a
    manager. View the User context card or the relevant columns in the Events, Alerts, or Users pages.
    * Focus on the device(s) from which the activity was performed. Check whether they have
    suspicious risk assessment insights. Would these accounts ordinarily use these devices?
    * If the devices are Domain Controllers, check the Domain Controller log which initiates the call.
    * Was the activity performed during the accounts standard working hours? * View the risk assessment insights regarding working hours under Time in the Alert Info page. If the activity was
    performed outside the accounts’ standard working hours, an attack may have occurred.

    Varonis customers report that they get better at diagnosing and responding to incidents because of the guidance from the Playbooks.

    Check out this excerpt from the Containment, Eradication, and Recovery section.

    * Reset the passwords of the compromised accounts. Make sure to notify the relevant users.
    * Check additional alerts and events generated by the acting account, to make sure no issues
    were missed. Note the events that should be rolled back.
    * Check the devices of the compromised account. They may be infected with malware.

    How easy are those instructions to follow? For an experienced analyst, these tasks are no brainers. But think of the brand new team member fresh out of school. How much faster will they ramp up with resources like this at their fingertips?

    But sometimes you need more hands-on help.

    Varonis Incident Response Team

    We know how stressful it can be to field an alert about a potentially severe incident. We’re here to help. The Varonis IR Team is a group of in-house cybersecurity analysts that respond to incidents reported by Varonis alerts.

    The kinds of questions they work on are specific to cybersecurity incidents. For example, if you see alerts about a possible NTLM brute force attack, you can contact the Varonis IR Team, and they will respond with suggested next steps or sometimes jump on a call and start investigating the incident with you.

    This team discovered a new version of QBot late last year.

    How much does this cost, you asked? It’s free. All Varonis users have access to a global, 16 member IR team.

    Closing Thoughts

    The Playbooks and IR Team are serious value-adds for your investment in Varonis that increase your IR capability. Playbooks can speed up your own IR team’s response times and ramp up their experience. Throw in the IR team to augment your own resources, and you can quickly see how any investment in Varonis is worth so much more than the list price.

    Want to see just how much Varonis can help speed up time to detection (TTD) and time to resolution (TTR)? Forrester conducted an independent study on one Varonis customer to quantify the ROI of getting high-fidelity, context-rich alerts, resulting in a 90% reduction in response times.

    Check out the Varonis IR team in action during a Live Cyber Attack Lab webinar. Pick a time that works for you!

    What you should do now

    Below are three ways we can help you begin your journey to reducing data risk at your company:

    1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
    2. Download our free report and learn the risks associated with SaaS data exposure.
    3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Twitter, Reddit, or Facebook.

    We're Varonis.

    We've been keeping the world's most valuable data out of enemy hands since 2005 with our market-leading data security platform.

    How it works