Think of any of the big data breaches: Equifax, Target, NSA, Wikileaks, Yahoo, Sony. They all have one thing in common: the data breaches were an inside job.
That’s not to say that all the hackers were employees or contractors, but once the hackers get inside the perimeter security, is there any difference? Their activities all look the same to an outside observer.
We write about this phenomenon so often. Once a hacker gets access inside the network, they often have everything they need to find (and attempt to exfiltrate) the good stuff that will make the headlines – the personal data, emails, business documents, credit card numbers, etc.
So the question becomes – can your data security team realize that they’re inside, before it’s too late?
It’s imperative that in addition to your firewall, routers and network monitoring software, you monitor what’s inside as well: the user behavior, file activity, folder access and AD changes.
The Perimeter Has Been Breached
Here’s a scenario: a hacker has gained access to a user account and is attempting to download intellectual property stored in OneDrive. The first few attempts to access the data fail, but the attacker is persistent and pokes around until they find an account that has the access needed to read the files.
Even with monitoring at the file operation level, this kind of activity is hard to distinguish from an end user clicking on that folder and trying to get access.
And that’s where we come in. Varonis analyzes all of these attempts to access this OneDrive share in context, with user behavior analytics (UBA). From there, you can leverage Varonis threat models to compare that activity against known behaviors: those of the user who’s trying to access the data, those of their peers, and those hackers use to exploit and infiltrate company networks.
In this scenario, the account is suddenly accessing classified, sensitive data that it has never touched before. That’s a red flag – and we’ve got threat models built specifically to detect that type of behavior.
This is outside of normal behavior patterns for the account that the hacker is leveraging – and because Varonis has been monitoring all the activity in OneDrive for over a year now, you have all the evidence you need to act immediately.
Without Varonis, you’d likely never even see the attempts to access this OneDrive folder. You would never notice the files being copied from this folder, and you wouldn’t see which folder they accessed next.
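The baseline-and-compare logic described above, as an added example in Python that is not Varonis code: it runs over constructed audit events (the account, department and folder names and the `SENSITIVE` tag set are assumptions) and flags a successful read of a sensitive folder by an account with no prior access in the baseline window, lowers severity when the account's peers have precedent, and raises it when denied attempts on the same folder by any account precede the read.

```python
from datetime import datetime, timedelta

# Constructed sample file audit events (not real data):
# (timestamp, account, department, folder, outcome); "denied" = failed open.
EVENTS = [
    ("2024-02-01T09:00:00", "jsmith", "sales", "/Sales/Reports", "success"),
    ("2024-02-03T10:15:00", "jsmith", "sales", "/Sales/Reports", "success"),
    ("2024-02-05T11:00:00", "alee", "rnd", "/RnD/IP", "success"),
    ("2024-03-04T22:01:00", "jsmith", "sales", "/RnD/IP", "denied"),
    ("2024-03-04T22:03:00", "jsmith", "sales", "/RnD/IP", "denied"),
    ("2024-03-04T22:40:00", "mchen", "sales", "/RnD/IP", "success"),
]
SENSITIVE = {"/RnD/IP"}               # assumed: folders tagged by a classification scan
BASELINE = timedelta(days=30)         # history window that defines "normal" access
FAILURE_WINDOW = timedelta(hours=1)   # denied attempts counted before a success

def parse(ts):
    return datetime.fromisoformat(ts)

def detect(events, since, sensitive=SENSITIVE):
    """Flag successful reads of a sensitive folder by an account that never read
    it in the baseline window. Events before `since` only feed the baseline;
    events at or after `since` are evaluated. Peer (department) precedent lowers
    severity; denied attempts on the same folder shortly before the read raise it."""
    events = sorted(events, key=lambda e: parse(e[0]))
    start = parse(since)
    alerts = []
    for i, (ts, acct, dept, folder, outcome) in enumerate(events):
        now = parse(ts)
        if now < start or outcome != "success" or folder not in sensitive:
            continue
        hist = [e for e in events[:i] if now - BASELINE <= parse(e[0]) < now]
        ok = [e for e in hist if e[3] == folder and e[4] == "success"]
        if any(e[1] == acct for e in ok):
            continue                      # account has touched this folder before
        peer_seen = any(e[2] == dept for e in ok)
        denied = sum(1 for e in hist if e[3] == folder and e[4] == "denied"
                     and now - parse(e[0]) <= FAILURE_WINDOW)
        severity = "critical" if denied else ("medium" if peer_seen else "high")
        alerts.append({"time": ts, "account": acct, "folder": folder,
                       "peer_precedent": peer_seen, "denied_before": denied,
                       "severity": severity})
    return alerts

if __name__ == "__main__":
    for a in detect(EVENTS, since="2024-03-01T00:00:00"):
        print(a)
```

The denied attempts are counted per folder rather than per account, so the "poking around" on one account that precedes a successful read from another account still raises the severity of the alert.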
Investigation & Forensics
The first step is to programmatically lock out and log out this account – which you can set up as an automatic response with Varonis. At the same time, emails and alerts can be sent to the infosec team and/or a SIEM system. Once the relevant parties are informed, the investigative work can begin.
So where do you start? Find out what happened, how it happened, what vulnerabilities were exploited, and what you can do to defend against it in the future. With the Varonis DatAdvantage UI, you can pull up the file audit history of the compromised user ID to see where else that account had been before the alert was triggered.
Use the full file audit trail to see what – if any – damage was done and lock down access to the entire system if necessary. And after the initial threat is neutralized, the work to close the security holes can begin.
The Varonis Security Platform is a key component of a layered security system. Layers create redundancy, and redundancy increases security. Hackers will find and exploit any opening they can; it is our responsibility to protect each other’s private data.
By learning and using the correct tools and principles for good data security, we can make it much harder for the bad guys to profit from their hacking, and limit the impact of data security breaches.
Want to see how Varonis will work in your environment to catch these types of insider threats? Click here to set up a demo with one of our security engineers.