
Varonis Version 8.5: New Features to Combat Insider Risk in Microsoft 365


The transition to remote work over the last year has exponentially increased the usage of Microsoft 365’s collaboration tools. One look at the massive spike in daily active users for Teams tells the story:


Microsoft reports that users around the globe spend a total of 30 billion minutes a day collaborating across 365—a metric they call Daily Collaboration Minutes (DCM).

With the large volume of data being created and shared via Microsoft 365, security and compliance teams are struggling to keep up. Tracking where sensitive data is stored and shared can be frustrating using Microsoft’s native security tools. It can be difficult, if not impossible, to answer questions like:

  • How many Team sites contain sensitive data?
  • How many organization-wide shared links to sensitive data do we have?
  • How do we quantify and reduce our collaboration risk?

These blind spots make it difficult for IT to visualize and reduce exposure—not only to external attackers but to insiders across their environment.

Uncover Organization-Wide Exposure in SharePoint Online and OneDrive

Our Remote Work Update de-mystified Teams permissions by showing what happens behind the scenes when a new Teams site is created. With 8.5, we’re expanding that visibility to help IT control organization-wide exposure.

Some of the new updates include the ability to:

  • See where user-generated links expose sensitive data
  • Track sensitive sites created through Teams, including private channels
  • Alert on suspicious behavior in Azure AD

In addition to providing more visibility into potential insider threats, 8.5 provides measures to protect your organization from external threats. New and updated threat models for Azure AD help thwart attackers trying to penetrate Microsoft 365 environments. Customers can also opt-in to receive automatic IOC dictionary updates to help detect emerging threats like the Zerologon vulnerability and SUNBURST.

Track User-Generated Collaboration Links in SharePoint Online and OneDrive

Organization links can inadvertently create overexposure, leaving sensitive data open to insider threats. With 8.5, IT can now easily manage shared links across their organization and see where sensitive data is exposed using the new dashboard widget.

This new dashboard widget can help answer critical questions like:

  • How many links are there?
  • How many links contain sensitive data?
  • What kind of exposure do they create?
  • How many sensitive links are exposed?

The widget draws a clear distinction between links shared with “anyone on the internet” vs. “anyone in your organization” vs. “specific users” – all of which can create varying levels of data security risk.

Full Visibility into Links Shared with Unique Permissions

Users can unknowingly create gaps in visibility within SharePoint Online and OneDrive when they grant files unique permissions. When unique permissions are granted, the parent folder permissions can give a false appearance that ALL content in the folder tree is locked down.

Files gain unique permissions when they are:

  • Shared using a shared link
  • Shared using explicit permissions
  • Manually set to stop inheriting permissions from the parent folder

When a user creates and shares a sub-folder or file using any of the methods above, those objects no longer have the same permissions as the parent folder. Unique permissions are extremely hard to track and can provide a hidden pathway to an attacker.

The new dashboard widget helps IT monitor the extent of their unique permissions risk:

Discover Where Links Create Organization-Wide Exposure

Even if your organization disables all external sharing, users can put sensitive data at risk within M365 through sharing data with organization-wide permissions. With just a few clicks, a user can expose sensitive data to their entire organization:

Organization-wide exposure is created when users share files using:

  • All organization permissions
  • Anyone on the internet permissions
  • Direct access to Everyone except external users
  • Direct access to other global access groups
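
The link audiences and unique-permission cases described above, as an added Python example (not Varonis code or output): it classifies permission entries modeled on the Microsoft Graph `permission` resource by audience and by whether they break inheritance. The sample paths, the `GLOBAL_GROUPS` list and the function names are assumptions made for illustration.

```python
# Added example. SAMPLE is constructed; entries mimic the shape of the
# Microsoft Graph "permission" resource (link.scope, grantedToV2, inheritedFrom).
GLOBAL_GROUPS = {"Everyone", "Everyone except external users"}  # assumed names
RANK = {"specific": 0, "organization": 1, "anyone": 2}

SAMPLE = {
    "/Finance/payroll.csv": [  # inherits from parent: no unique permissions
        {"grantedToV2": {"siteGroup": {"displayName": "Finance Members"}},
         "inheritedFrom": {"path": "/Finance"}}],
    "/Finance/budget.xlsx": [  # inherited grant plus an organization-wide link
        {"grantedToV2": {"siteGroup": {"displayName": "Finance Members"}},
         "inheritedFrom": {"path": "/Finance"}},
        {"link": {"scope": "organization", "type": "view"}}],
    "/Finance/forecast.docx": [  # direct grant to a global access group
        {"grantedToV2": {"siteUser":
            {"displayName": "Everyone except external users"}}}],
    "/Finance/flyer.pdf": [{"link": {"scope": "anonymous", "type": "view"}}],
    "/Finance/contract.docx": [{"link": {"scope": "users", "type": "edit"}}],
}

def exposure(perm):
    """Map one permission entry to the audience it opens the item to."""
    scope = perm.get("link", {}).get("scope")
    if scope == "anonymous":
        return "anyone"
    if scope == "organization":
        return "organization"
    grantees = perm.get("grantedToV2", {}).values()
    if any(g.get("displayName") in GLOBAL_GROUPS for g in grantees):
        return "organization"
    return "specific"

def audit(items):
    """Return {path: (widest exposure, has unique permissions)}."""
    report = {}
    for path, perms in items.items():
        widest = max((exposure(p) for p in perms), key=RANK.get)
        # An entry without inheritedFrom was set on the item itself.
        unique = any("inheritedFrom" not in p for p in perms)
        report[path] = (widest, unique)
    return report

def org_wide(items):
    """Paths exposed to the whole organization or wider."""
    return sorted(p for p, (level, _) in audit(items).items()
                  if level != "specific")

if __name__ == "__main__":
    for path, (level, unique) in audit(SAMPLE).items():
        print(f"{path:26} {level:13} unique={unique}")
```
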

This update has greatly simplified the discovery of organization-wide access within your Microsoft 365 environment. Prior to this update, whenever users searched for global access groups such as the “Anyone group” in DatAdvantage, they would receive an overwhelming number of results because Varonis would surface literally ALL the underlying groups that Microsoft creates behind the scenes. In other words, we fully revealed M365’s permissions complexity in our UI.

Now, all files that contain the same type of organization-wide permissions are consolidated into a single group within relevant reports, making it far easier to pinpoint overexposure and begin the process of remediation.

Track Sites by Sensitivity in SharePoint Online

What about the 20,000-foot view of risk in M365? Even questions such as “What are my most sensitive SharePoint sites?” or “How many new Teams were created this week that contain sensitive data?” can be a struggle with the native tools in M365.

While IT could see the sites users were making, they did not have any visibility into which sites and private channels contained sensitive information, leaving the data open and vulnerable.

This update introduces a new dashboard widget highlighting where users share sensitive data through SharePoint Online sites and private channels, helping them better understand how sensitive data is being stored and shared across the organization.


Additional 8.5 features

  • DatAlert
    • New Azure AD threat model updates
      • Detect abnormal geo-hopping
      • Discover connections from blacklisted locations
      • Alerts on unusual user activity related to Azure AD accounts
      • NTLM target device events now linked to brute-force models for simplified investigation
    • Detect potential Zerologon attacks
      • Alert when abnormal Domain Controller password changes are detected
    • Live updates
      • IOC detections are now pushed directly to customers through live-updates.
        • Get alerts pushed through live-update on emerging threats like Zerologon and SUNBURST
      • Advanced Tuning
        • Tune privileged accounts, exclude specific users and devices
  • Expanded NAS Coverage
    • New platform support:
      • Panzura, EMC NAS, Nasuni 8.5, Hitachi NAS, and NetApp ONTAP SELECT 9.7
    • DA support for Hitachi NAS cluster namespaces
  • DatAnswers
    • Query preview in the personal information form
      • A preview of the user’s query is presented in the Personal Information Form
    • Web Interface
      • Drill down from SharePoint Online, OneDrive, and Exchange Online dashboards to analytics
      • New and updated filters and attributes
        • Filter according to sensitivity
        • Reflects if folders directly contain sensitive files
        • See total hit count directly on the files where the event was generated

Want to learn more about combating insider risk in Microsoft 365? Attend our Virtual Connect! event to get enterprise-wide visibility into where sensitive data is exposed within your Microsoft 365 environment.

Nathan Coppinger


Nathan has always loved learning about cutting edge technology but didn’t have the patience for coding. So, he found his niche as a microphone for the talented individuals behind the code.

 
