Prior to Varonis, Elena Khasanova worked in back-end IT for large organizations. She did a bit of coding, database administration, and project management, but was ready for more responsibility and new challenges.
So seven years ago, she moved from Madison, Wisconsin to New York City and joined the professional services department at Varonis.
Despite her limited experience speaking with external customers, and after only basic training, Varonis entrusted her to deploy products and present to customers. Elena recalls, “Not every company will give you a chance to talk to external customers without prior experience… But it was Varonis that gave me that chance.”
According to her manager, Ken Spinner:
Over the last 6 years, I’ve had the pleasure of working with Elena, first as a coworker in different departments, and most recently as the leader of our Remediation Team in our Professional Services department. Elena was uniquely qualified to lead the team as she had significant experience performing project management prior to planning and completing our first remediation projects. Elena’s knowledge was instrumental in defining the essence of the Varonis Data Risk Assessment, the process used by PS to perform remediation, as well as providing practical insight to Engineering during the development of the Automation Engine.
Read on to learn more about Elena – this time, in her own words.
What would people never guess you do in your role?
Not only am I involved in professional services, I also spend a lot of time on sales calls.
What did you learn about yourself after working at Varonis?
I am pretty good at selling concepts and ideas.
How has Varonis helped you in your career development?
Prior to Varonis, I only worked in internal IT. Varonis gave me a chance to work with external customers and exposed me to sales and product management.
What advice do you have for prospective candidates?
Pour your heart and soul into Varonis products. If you are smart and hard-working, it will be noticed right away.
What do you like most about the company?
Despite being a publicly traded company, it kept its startup spirit and passion.
What’s the biggest data security problem your customers/prospects are faced with?
Company files are often accessible by every employee regardless of their roles. How can we fix that without someone losing access to work they really need access to?
What certificates do you have?
CISSP and PMP
What is your favorite book?
Big Magic by Elizabeth Gilbert
What is your favorite time hack?
I assign values to the items in my to-do list by urgency, importance (not always urgent, but important in the long run), speed, and reluctance.
Things I’m most reluctant to do, I try to do in the beginning of the day when my willpower is still high.
What’s your favorite quote?
“It would not be much of a universe if it wasn’t home to the people you love.”
– by the greatest scientist, Stephen Hawking
Elena Khasanova: My name is Elena Khasanova, and I’m currently a Professional Services Manager at Varonis. And this is how I work.
Cindy Ng: How long have you been working at Varonis?
Elena Khasanova: It will be seven years in June. So, pretty long time.
Cindy Ng: And what was your background prior to working at Varonis?
Elena Khasanova: Prior to Varonis, I worked for fairly large-sized organizations. I would say, on the customer side. So I worked in back-end IT. And my customers were the internal teams, internal departments, and my coworkers. I worked in very technical disciplines: I did some coding, I did some database administration, and then I switched towards project management and geared more and more towards the IT security area of overall IT. And then, I ended up taking a bunch of the Microsoft certificates and CISSP certifications. So I became a bit of an expert on projects within the IT security industry.
Cindy Ng: And you’ve gotten certificates, you’ve held many different roles. How did you end up deciding that Varonis was a good fit for you?
Elena Khasanova: So, at that point, prior to Varonis, I actually lived in Wisconsin for eight years. And Madison, Wisconsin, to be precise. And that town or city was getting pretty small for me, and I wanted to work for a smaller company and also the one that sells IT as a service. So I wanted to be on the front-end of the revenue. Not quite in sales, but yet working with external customers.
You know, not every company will give you a chance to go and talk to external customers without prior experience. There is more on the line when working with external customers.
While working with internal customers, of course, you need to deliver to the highest level of satisfaction, but nevertheless, it’s your coworkers. If you serve the HR team as an IT team, the HR team does not have the ability to go to another vendor, right, to another IT team. You don’t compete with another IT team. So you kind of have this internal monopoly in delivering the services.
If you work with external customers, it’s real revenue on the line, so it’s not just an internal transfer of, you know, company budgets between departments. It’s real money on the line that does support the company and the shareholders. Customers, of course, always have a choice to go with somebody else.
So, I think there’s so much more at stake when dealing with external customers. Then, you know, the risks, and therefore, the rewards are so much more elevated.
So, one day, a recruiter from New York City called me and said, “Oh, this is a little bit of a more technical position, but this is exactly what you wanted, so give it a try.” And I had an interview over the phone, and they flew me in. And I was amazed that Varonis, immediately after a brief training, trusted me enough to go and deploy our product and train our customers and interact with very large companies on behalf of Varonis.
Varonis gave me a chance, and I really, actually, enjoyed it. And I think I even surprised myself a bit with how much fun I had. Right now I can put on my resume very expansive experience working with external customers, but it was Varonis that gave me that chance and exposed me to this area. I mean, I loved it from day one. Like I said, it’s been almost seven years now and I’m still here and still loving it.
Cindy Ng: That’s great. So, you’re involved in professional services at Varonis. What does professional services entail, and what was the catalyst to create the professional services department at Varonis?
Elena Khasanova: Right now, professional services performs such a wide variety of tasks. It was not always the case. It started as a supplement to the support department. The Varonis support department existed from the very beginning of the company’s existence, and if customers had issues, they would call or email the support team and deal with them. However, at some point, it was clear that it was not sufficient to just give the customer instructions on how to install the products and then have them deal with support as needed.
So, the first person was hired to create, you know, one team, a professional services department that rapidly grew, based on the customers’ needs, into a team specializing in the initial installation and training for the customers. Later, other technical tasks were added, such as upgrades or migrations as the customers needed to move from one service to another.
At some point, the customers asked us to do more reporting on the issues within the environment. The issues with data permissions. So that was added to the list of tasks that professional services performed.
And then later, the customers started asking us to not only report on the issues, but actually fix them. And that’s when the remediation services branch was born.
So, it was very organic growth. It was very much driven by customer demands. And as well, it was driven by our customers becoming larger and bigger enterprise companies. And as we’ve had more and more international companies around the world, there was a need to provide more than just installation services, but, you know, do project management, as well, and do business analysis and other things, as well.
So, at this point, we do anything from simple installation to very large wide-scale rollouts around the world, as well as perform even multi-year engagements, very wide variety of projects and engagements. And some of them could be very large.
Cindy Ng: So professional services is wide in scope. So, are you engaged with other teams within Varonis to coordinate?
Elena Khasanova: As we collect more and more feedback from the field, and as professional services department itself is reaching, I believe, seven years of age, we interact more and more with other teams to make sure that the feedback from the field goes back into, for example, product management. Product management is one of our biggest collaborators here in Varonis. So, we provide feedback from the customers as well as feedback from professional services on how to make the product more stable, more customer-friendly, more user-friendly, and to shape the future of the product.
Other teams are sales, of course. I personally spend up to 30% of my time on sales calls, because some of the remediation engagements are fairly large and complex and it helps to have somebody on the call to talk to the customer about the best practices, the pitfalls to avoid, and so on and so forth. It’s just, for sales, it’s hard to have that level of experience and interactions from previous projects, so it helps to have a professional services representative on a call or we even go on-site to help sales close the deal.
Cindy Ng: How would you break down your day?
Elena Khasanova: So, it’s about 25% with sales, about 15% with product management and marketing, I think, and that leaves 60% of pure project management with professional services.
Cindy Ng: The term “remediation” is thrown around a lot. What exactly is it…?
Elena Khasanova: From Varonis’ perspective, it’s remediation of data access. The reason why companies need it is that almost every external breach, at some point, becomes an internal breach. So, companies surround themselves with heavy layers of firewalls, and they secure their perimeter as best as they can. However, with so many companies outsourcing and subcontracting so many IT activities to other vendors, and those vendors, in turn, subcontracting to more and more vendors, it’s almost impossible to fully protect internal data via a firewall.
Once somebody, whether it’s a malicious employee or malware, can get inside the company and they start accessing data they shouldn’t be accessing, that breach spreads internally like water through the Titanic’s compartments. And this is why companies need to secure the internal data in addition to securing the perimeter.
And this is our term “remediation” that we use, it’s to secure data within those compartments inside the company. So if there is a breach, that breach will be limited to that compartment and will not, say, impact the operational areas of the company and…
Cindy Ng: And, how would customers know if their internal permissions are overexposed? So, for instance, if all finance folders are open to everyone in the organization, there’s a huge disconnect. So I think C-levels, and correct me if I’m wrong, probably already think that these problems have already been corrected and it’s not really an issue, because if we’ve been able to create so much amazing technology, that problem is no longer an issue. Meanwhile, IT is like, you know, if you do it manually, if you try to fix global group access, that is a very hard problem to fix.
Elena Khasanova: So, you’re very correct on this one, that not only is it hard to fix, but many customers are not even aware that there is a problem in the environment to begin with. We actually call it “turning on the light in the basement to discover dead bodies there” because most native operating systems do not actually provide any interface or any information on the exposure of data internally. And it’s actually really tough without a specialized product such as Varonis to even see that unless you’re thinking there is a problem and you actually create some kind of scripts to, you know, scan your internal permissions. But if you don’t know there is a problem, you don’t know what you don’t know, so you don’t even think about that, so you’re looking at other areas.
I love the shocked look on customers’ faces when we perform our risk assessment. So we can really quickly scan the environment, and within 48 hours produce an amazing wealth of information to the customers. And I love going to customers’ meetings and showing them that, “Look, 40% of your data is exposed to everyone in the company. Oh, and you have 20,000 accounts in your company, and any one of these accounts can access 40% of your data. Did you know that?”
We even ask the customers to write the numbers on a paper and just kind of as a bet. Not a bet, maybe, but just to, again, to show the gap between the perception and the reality that, “Hey, how many photos do you think are exposed to everyone?” And the customers, I mean, virtually every time would say, I don’t know, 4, 5, maybe 10, and 50. And then we run the scan and turns out it’s 50,000.
Cindy Ng: What about prospects that think that they can write a script?
Elena Khasanova: Well, so a script, technically, maybe could be written, but because our product is optimized for this and we’ve been doing it for now more than 10 years, we will scan even a very large environment within a matter of 48 hours. While with a manual script, it could take months to go through each and every folder and collect those permissions, and then report them in a meaningful manner.
We have a beautiful interface, we can immediately, you know, show you the pie charts, and all the graphics, and trends. And it’s really beautiful and you can click around and play around with it. You can drill down, come back out, and so on and so forth. Even if you write a script, and it takes that script months to scan the permissions, it will be just a huge text log file that will be really hard to differentiate between different departments, different company branches. Again, drill down, come back out of it, and so on and so forth.
So we’re just giving you such a good interface and everything at a glance, and our product re-scans it constantly, so if there are any changes, permissions get changed, we will immediately produce a snapshot of that.
Cindy Ng: Let’s go back to the finance folder that’s open to everyone. So, if I remove that ability, where the finance folders’ global group access is removed, which steps, if any, do I need to take?
Elena Khasanova: So, removing access from everyone is an excellent first step. And how we do it is we look at the activity in the back-end. And if an account, whether it’s an individual account or a service account, had any activity, we will keep that account’s access while disconnecting the Everyone group. In many cases, that is enough. However, if it’s truly sensitive data and, you know, I would argue that all the data is sensitive, right, if it comes to that. However, the software itself cannot differentiate between legitimate and illegitimate access and only human eyes can.
We’ve had situations where we had somebody running a so-called crawler from their workstation and that software would just go and hit every server open and try to scan what’s inside. As a result of it, it produced a lot of activity. So when we performed automatic removal of the group Everyone, it kept that account because the account had activity.
So, with the next step of the access certification that is performed by a human data owner, we would have never been able to actually expose that account and say that, “Look, why is this account in this group? Why did it have any activity to begin with? It should have never been able to perform that.”
So the second step of a human access re-certification, which we call entitlement review, really takes down the access to the state of least privilege. So you need both steps. One is automatic software removal and then human entitlement review.
Cindy Ng: If you’re a company, you have data and you feel like the data keeps growing and there’s not enough IT staff, what are your recommendations for that company?
Elena Khasanova: We recommend handing off a lot of that responsibility and accountability on who should be accessing data to so-called data owners. Those are the people from the business side who know what type of data is inside and who should be having access to it. For it’s not feasible for the IT department, especially in mid and large-sized companies, to know exactly who should be having access to each folder. “Should Mary be having access to the finance, stocks or bonds folder or not? Or, maybe, Mary, you know, moved positions or maybe now her current job description changed slightly and she no longer needs to have that access.” Only business owners know that.
And so, our recommendation is… And it seems like more and more customers not only buy into that, but actually come to us asking to implement this. So, our recommendation is to define data owners for all of your data, even outside of IT, and then implement some kind of process, very user-friendly process that allows data owners, within minutes, to make decisions on who should and should not be having access to the data.
Cindy Ng: And when it comes to stale data, what are your recommendations?
Elena Khasanova: With stale data, we try to follow company policies. First of all, as long as you’re actually doing something with stale data, you’re already doing well. The potential actions that could be applied to stale data are data quarantine. So we strip out all the permissions and maybe, potentially, only storage team or only internal audit has access to it. You can move it into cheaper storage. So, maybe it will be a bit slower for your customers and applications, but nobody’s accessing it anyway, so you’re just keeping it there. And it costs less for the company. Or you just delete it.
Cindy Ng: So, but if you’re in an organization that doesn’t care about the cost of storage, why would it be worth figuring out what to do with stale data?
Elena Khasanova: Cost of storage is only one of the aspects that comes into decisions of what to do with stale data. And, by the way, when you think about that, the cost of storage is not just active data that sits on a disk, but also the countless backups, and often, data duplication that also costs the company money.
However, let’s say that’s not a factor. Stale data could be an area of risk to the company because it creates liability. If you remember a case with Sony when emails from more than 10 years ago resurfaced with Angelina Jolie being, you know, called some names, and that cost the company a loss of reputation, and the actress will now never do business with Sony, those are the liability issues that should drive a company to deleting the stale data the moment it has passed the regulatory period of retaining it.
You just simply don’t know what’s stored in there. And if there’s a lawsuit and you’re subpoenaed, you will have to present all the data stored on your company’s servers. Now, if it was deleted, then you cannot, and you don’t have to, actually present it. Of course, you have to retain it, I’m sure your legal department knows, for X number of months or years, but past that period, too many companies just continue keeping that data, and again, it just represents a liability issue from that perspective.
Cindy Ng: GDPR is coming up and I’m wondering if you’re getting any questions about that.
Elena Khasanova: GDPR is an interesting regulation because in the U.S., many companies still don’t think they fall under its jurisdiction. GDPR covers any company that has at least one customer or one employee with EU citizenship.
So, I’ve been to the meetings with customers, in U.S., where we would bring up GDPR and we would hear back that, “Oh, no, we are not impacted. We don’t have any customers or employees that have that citizenship.” And then a person, literally in the meeting, like, just raised his hand and said, “I have a dual passport. I am an EU citizen.”
So, it was just kind of very funny to see that, but at the same time, I think we need to do more awareness training to demonstrate to U.S. companies that they simply may not know, but it’s actually very likely. If you are a large U.S. company, even if you don’t do business specifically in the European Union, if you are big enough, it’s very likely that one of your employees or customers does have that citizenship, and then you will fall under the umbrella coverage of GDPR.
Also, it’s very important to know how strict GDPR is and how severe the penalties are. And, I think, again, while in Europe, many companies scramble to make sure that they are ready for the rollout in May, for U.S. companies, it’s still something on a back burner or something that they’re not actively thinking about. So, it’d be interesting to see this transition.
Cindy Ng: You’ve been working in the InfoSec space for a long time. A lot of people say that InfoSec is really just about compliance and dismiss the potential value of security.
Elena Khasanova: What we see is more and more companies that do not consider themselves IT companies do actually become IT companies in a way that so much of their business is built on technology, working well, being stable, you know without having downtimes and so on and so forth. And then, with that comes security. I mean, you hear a lot now about Facebook and how well or not well they actually kept customers’ data. So, that makes more and more companies on business-level, on CEO levels think about, “Okay, how is my IT working? And how, do we have backups? Do we have some redundant network that if outage happens that the airline will continue to function? And how secure is that with so many companies being hit with data security breaches recently?”
And finally, we see CEOs actually losing jobs because of that.
I think the role of InfoSec being so elevated, and now, InfoSec representatives participate in very high-level business discussions, because, otherwise, if you ignore that, you will have impact to your core business.
Cindy Ng: So it sounds like you’ve been keeping really busy with lots of data breaches and fixing global group access. Outside of work, what do you enjoy doing?
Elena Khasanova: I, jokingly, actually say on my LinkedIn profile, as somebody just reminded me, that I bore people to death at parties with data security conversations. And maybe, yes, that does happen. So I also love to travel around the world. And I used to travel a lot more before I had the kids, but we are trying to involve our kids. Well, I have one, a toddler, 16 year old, 16 months old, sorry, and one on the way. Very little, but she already has her Global Entry and she’s been on, I think, 12 flights now. So, yes, we actually had to take her to airports for a clearance interview with immigration officials and she did very well. So she can now bypass the immigration lines on entry to the country. And so yeah, we hope to kind of maintain, somewhat, our travel lifestyle.
I used to travel so much, I actually ran out of all the space in the passport within two years of getting it and I had to send it back to the officials to add more pages.
Cindy Ng: What were the last three places you went to?
Elena Khasanova: So, the last three places. We just went to Bermuda with the whole family. And before that, we went to Guadeloupe, which is French West Indies that were not on my radar until “Wall Street Journal” ran an article about it. And Norwegian Airlines actually opened a direct flight there. I highly recommend it. It’s one of those areas that doesn’t have any five-star resort hotels, but it’s a great place to go and in four hours, from New York City anyways, you’ll be there. And prior to that, it was probably… Oh, it was Scotland. Also, actually, a new country for me, but I went there for work. Every time I go for work, I do try to sneak out and find some few hours to at least go, maybe, for a walk or hike or explore a castle like I did in Scotland. So that was a lot of fun.
Cindy Ng: Oh, beautiful. Yeah, I hear the landscapes there are gorgeous. Sounds like you’ve had a very rewarding career thus far, and I wish you much success.
Elena Khasanova: Thank you very much.
Support for the Inside Out Security Show and the following message come from Varonis. A Varonis Data Risk Assessment doesn’t take long. A 90-minute software install lets you map access to your directory services, classify files to discover what’s sensitive, and start monitoring and analyzing user behavior. If you want to turn on the lights, Varonis can help. Visit info.varonis.com/podcast and get a free data risk assessment.