Varonis Version 8.5: New Features to Combat Insider Risk in Microsoft 365


    The transition to remote work over the last year has exponentially increased the usage of Microsoft 365’s collaboration tools. One look at the massive spike in daily active users for Teams tells the story:


    Microsoft reports that users around the globe spend a total of 30 billion minutes a day collaborating across 365—a metric they call Daily Collaboration Minutes (DCM).

    With the large volume of data being created and shared via Microsoft 365, security and compliance teams are struggling to keep up. Tracking where sensitive data is stored and shared can be frustrating using Microsoft’s native security tools. It can be difficult, if not impossible, to answer questions like:

    • How many Team sites contain sensitive data?
    • How many organization-wide shared links to sensitive data do we have?
    • How do we quantify and reduce our collaboration risk?

    These blind spots make it difficult for IT to visualize and reduce exposure—not only to external attackers but to insiders across their environment.

    Uncover Organization-Wide Exposure in SharePoint Online and OneDrive

    Our Remote Work Update de-mystified Teams permissions by showing what happens behind the scenes when a new Teams site is created. With 8.5, we’re expanding that visibility to help IT control organization-wide exposure.

    Some of the new updates include the ability to:

    • See where user-generated links expose sensitive data
    • Track sensitive sites created through Teams, including private channels
    • Alert on suspicious behavior in Azure AD

    In addition to providing more visibility into potential insider threats, 8.5 provides measures to protect your organization from external threats. New and updated threat models for Azure AD help thwart attackers trying to penetrate Microsoft 365 environments. Customers can also opt in to receive automatic IOC dictionary updates to help detect emerging threats like the Zerologon vulnerability and SUNBURST.

    Track User-Generated Collaboration Links in SharePoint Online and OneDrive

    Organization links can inadvertently create overexposure, leaving sensitive data open to insider threats. With 8.5, IT can now easily manage shared links across their organization and see where sensitive data is exposed using the new dashboard widget.

    This new dashboard widget can help answer critical questions like:

    • How many links are there?
    • How many links contain sensitive data?
    • What kind of exposure do they create?
    • How many sensitive links are exposed?

    The widget draws a clear distinction between links shared with “anyone on the internet” vs. “anyone in your organization” vs. “specific users” – all of which can create varying levels of data security risk.

    Full Visibility into Links Shared with Unique Permissions

    Users can unknowingly create gaps in visibility within SharePoint Online and OneDrive when they grant files unique permissions. When unique permissions are granted, the parent folder permissions can give a false appearance that ALL content in the folder tree is locked down.

    Files gain unique permissions when they are:

    • Shared using a shared link
    • Shared using explicit permissions
    • Manually set to stop inheriting permissions from the parent folder

    When a user creates and shares a sub-folder or file using any of the methods above, those objects no longer have the same permissions as the parent folder. Unique permissions are extremely hard to track and can provide a hidden pathway to an attacker.

    The new dashboard widget helps IT monitor the extent of their unique permissions risk:

    Discover Where Links Create Organization-Wide Exposure

    Even if your organization disables all external sharing, users can put sensitive data at risk within M365 through sharing data with organization-wide permissions. With just a few clicks, a user can expose sensitive data to their entire organization:

    Organization-wide exposure is created when users share files using:

    • All organization permissions
    • Anyone on the internet permissions
    • Direct access to Everyone except external users
    • Direct access to other global access groups

    This update has greatly simplified the discovery of organization-wide access within your Microsoft 365 environment. Prior to this update, whenever users searched for global access groups such as the “Anyone group” in DatAdvantage, they would receive an overwhelming number of results because Varonis would surface literally ALL the underlying groups that Microsoft creates behind the scenes. In other words, we fully revealed M365’s permissions complexity in our UI.

    Now, all files that contain the same type of organization-wide permissions are consolidated into a single group within relevant reports, making it far easier to pinpoint overexposure and begin the process of remediation.
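The link scopes, the unique-permissions gap and the organization-wide exposure paths described above can be tallied from a permissions export. This is an added example, not Varonis code: `link.scope` and `inheritedFrom` are modelled on the Microsoft Graph permission resource, while `item`, `sensitive`, `grantedTo`, the group list and all sample records are constructed assumptions.

```python
from collections import Counter

# Constructed sample: one record per permission entry on a file.
SAMPLE = [
    {"item": "/HR/salaries.xlsx", "sensitive": True, "link": {"scope": "organization"}},
    {"item": "/HR/salaries.xlsx", "sensitive": True, "grantedTo": "HR Members",
     "inheritedFrom": "/HR"},
    {"item": "/HR/offer.docx", "sensitive": True, "link": {"scope": "users"}},
    {"item": "/Mkt/brochure.pdf", "sensitive": False, "link": {"scope": "anonymous"}},
    {"item": "/Fin/forecast.xlsx", "sensitive": True,
     "grantedTo": "Everyone except external users"},
    {"item": "/Fin/budget.xlsx", "sensitive": False, "grantedTo": "Finance Members",
     "inheritedFrom": "/Fin"},
]

# Assumed names of global access groups; extend for your tenant.
GLOBAL_GROUPS = {"Everyone", "Everyone except external users"}
LINK_BUCKETS = {"anonymous": "anyone", "organization": "organization", "users": "specific"}
# Audiences the article counts as organization-wide exposure.
ORG_WIDE = {"anyone", "organization", "global-group"}

def bucket(perm):
    """Classify one permission entry by the audience it exposes the file to."""
    if "link" in perm:
        return LINK_BUCKETS.get(perm["link"].get("scope"), "unknown")
    if perm.get("grantedTo") in GLOBAL_GROUPS:
        return "global-group"
    return "specific"

def summarize(perms):
    """Answer the dashboard questions over a list of permission entries."""
    links = [p for p in perms if "link" in p]
    # An entry without inheritedFrom was set on the item itself (unique permission).
    unique = {p["item"] for p in perms if "inheritedFrom" not in p}
    exposed = {p["item"] for p in perms if p["sensitive"] and bucket(p) in ORG_WIDE}
    return {
        "links": len(links),
        "sensitive_links": sum(p["sensitive"] for p in links),
        "links_by_scope": dict(Counter(bucket(p) for p in links)),
        "items_with_unique_permissions": sorted(unique),
        "sensitive_items_exposed_org_wide": sorted(exposed),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```
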

    Track Sites by Sensitivity in SharePoint Online

    What about the 20,000-foot view of risk in M365? Even questions such as “What are my most sensitive SharePoint sites?” or “How many new Teams were created this week that contain sensitive data?” can be a struggle with the native tools in M365.

    While IT could see the sites users were making, they did not have any visibility into which sites and private channels contained sensitive information, leaving the data open and vulnerable.

    This update introduces a new dashboard widget highlighting where users share sensitive data through SharePoint Online sites and private channels, helping them better understand how sensitive data is being stored and shared across the organization.


    Additional 8.5 features


    New Azure AD threat model updates:

    • Detect abnormal geo-hopping
    • Discover connections from blacklisted locations
    • Alert on unusual user activity related to Azure AD accounts
    • NTLM target device events now linked to brute-force models for simplified investigation
    • Alert when abnormal Domain Controller password changes are detected to identify potential Zerologon attacks

    Live updates

    • IOC detections are now pushed directly to customers through live updates
    • Get alerts pushed through live update on emerging threats like Zerologon and SUNBURST

    Advanced Tuning

    • Tune privileged accounts, exclude specific users and devices

    Expanded NAS Coverage

    New platform support:

    • Panzura, EMC NAS, Nasuni 8.5, Hitachi NAS, and NetApp ONTAP SELECT 9.7
    • DA support for Hitachi NAS cluster namespaces

    Query preview in the personal information form

    • A preview of the user’s query is presented in the Personal Information Form

    Web Interface

    • Drill down from SharePoint Online, OneDrive, and Exchange Online dashboards to analytics

    New and updated filters and attributes

    • Filter according to sensitivity
    • Reflects if folders directly contain sensitive files
    • See total hit count directly on the files where the event was generated

    Want to learn more about combating insider risk in Microsoft 365? Attend our Virtual Connect! event to get enterprise-wide visibility into where sensitive data is exposed within your Microsoft 365 environment.
