While the previous layers focus on preventing bad actors from getting inside your network, data security assumes they’re already inside.
One aspect of data security is prevention: ensuring authenticated users can’t get their hands on things they shouldn’t. The other is detection: ensuring that users who abuse their access (maliciously or otherwise) are flagged before a breach occurs.
This is Varonis’ sweet spot. Our security suite covers all aspects of data security that we’ll touch on below.
The goal of identity management is to ensure only the right people have access to the right resources at all times. It answers the question: “who has the keys to which doors?”
Identity and Access Management (IAM) software purports to help you control access more accurately and efficiently. IAM aims to:
- Provide a centralized repository for identity
- Automate account provisioning, setup, and deprovisioning
- Quickly view and change privileges for a role or identity across multiple services
The dream is that you hire a new sales manager, Sam. You provision a new sales manager account for him via your IAM product and, voilà, Sam has instant access to all the right resources (and only the right resources) both on premises and in the cloud. All is right in the world!
You can imagine how this might work really well for apps that have a handful of roles: user, power user, admin, etc. It doesn’t work so well for data — at least not by itself.
Does IAM help with permissions management?
IAM products are missing the link between identities/roles and the ever-changing ACLs that reference them. Go ask your IAM which of the 27 million folders on the NAS have ACLs containing the Sales Managers group or any of its parent groups. I’ll wait here. 🙂
IAM also doesn’t record which users are accessing which data, nor does it have any concept of data sensitivity.
If you put Sam in the sales manager role, IAM has no way of knowing:
- Which files and folders will Sam get access to?
- Which files does Sam actually access? Anything suspicious?
- Does Sam have access to any sensitive files or mailboxes?
- Which files does Sam no longer need access to?
- Does Sam’s behavior hint that he may have actually changed roles?
So, while IAM can help you manage identities and role-based access, especially for applications, it should be complemented by products that ensure that the groups people are in actually grant access to only the right data.
Single Sign-On (SSO) vs. Federated Identity (FID)
Since we’re talking about identity, we’d be remiss not to mention SSO and FID.
SSO allows users to access multiple services with a single set of credentials. A user only has to log in once per session to unlock access to multiple services. After you authenticate, your auth token is trusted amongst multiple apps and services.
FID, on the other hand, is all about where those credentials are stored and how authentication happens. When a user logs into a system, instead of providing credentials directly to that system, the authentication process is delegated to an identity provider, which then hands a signed assertion of "who this is" back to the service. A classic example of FID in action is signing into a third-party site with your Google or Microsoft account via SAML or OpenID Connect (the latter built on OAuth, which on its own delegates authorization rather than authentication).
Many SSO implementations use the principle of FID under the covers. These technologies make for a great user experience and help you avoid having to replicate and sync your user directory.
A potential drawback is that an attacker who steals one user's password can quickly gain access to everything at once. That can be mitigated by multi-factor auth, and the identity provider is the natural place to enforce it, since every federated app then inherits the second factor.
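As an added example of the delegation just described (this is not code from the original post): the identity provider is the only party that ever sees the password, and the service provider accepts a signed assertion only after checking its signature, issuer, audience, nonce and expiry. The audience check is what stops one stolen assertion from being replayed at every federated app. It uses an HMAC shared secret in place of the IdP's signing key; the usernames, URLs and key are made up.

```python
"""Federated login in miniature (added example, not from the original post).

Assumptions: IdP and SP share an HMAC-SHA256 secret standing in for the
IdP's signing key; assertions use the JWT layout
base64url(header).base64url(claims).base64url(signature).
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

IDP_KEY = b"constructed-shared-secret"  # assumption: stands in for the IdP signing key
IDP_ISSUER = "https://idp.example"      # made-up issuer


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# --- identity provider side -------------------------------------------------
USERS = {"sam": hashlib.sha256(b"correct horse").hexdigest()}  # constructed user store


def idp_authenticate(username, password, audience, nonce, now=None):
    """Check the password (only the IdP ever sees it) and mint an assertion
    bound to exactly one audience and one nonce, valid for five minutes."""
    if USERS.get(username) != hashlib.sha256(password.encode()).hexdigest():
        return None
    now = now or int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "sub": username, "aud": audience,
              "iat": now, "exp": now + 300, "nonce": nonce}
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}"
    sig = hmac.new(IDP_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


# --- service provider side --------------------------------------------------
def sp_verify(token, expected_audience, expected_nonce, now=None):
    """Return (subject, "ok") if every check passes, else (None, reason).
    The SP always verifies with HS256 and never trusts the header's alg field,
    which closes the classic alg-confusion / alg=none hole."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None, "malformed"
    expected = hmac.new(IDP_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None, "bad signature"
    claims = json.loads(b64url_decode(p))
    now = now or int(time.time())
    if claims.get("iss") != IDP_ISSUER:
        return None, "unknown issuer"
    if claims.get("aud") != expected_audience:
        return None, "wrong audience"      # assertion minted for a different app
    if claims.get("nonce") != expected_nonce:
        return None, "nonce mismatch"      # not the login this SP started
    if now >= claims.get("exp", 0):
        return None, "expired"
    return claims["sub"], "ok"


def sso_login(username, password, app, now=None):
    """One full exchange: SP issues a nonce, IdP authenticates, SP verifies."""
    nonce = secrets.token_urlsafe(16)
    token = idp_authenticate(username, password, app, nonce, now)
    if token is None:
        return None, "idp rejected credentials"
    return sp_verify(token, app, nonce, now)


if __name__ == "__main__":
    print(sso_login("sam", "correct horse", "https://crm.example"))
    crm_token = idp_authenticate("sam", "correct horse", "https://crm.example", "n1")
    print(sp_verify(crm_token, "https://hr.example", "n1"))  # replay at another app
```

The service never handles the password at all, which is the point of FID; the price is that every check in `sp_verify` is now load-bearing, because skipping any one of them (audience especially) turns "one login for everything" into "one stolen token for everything".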
Use it for anything that’s important. That is all.
But seriously, multi-factor auth is not a panacea, but boy it presents a gargantuan hurdle for attackers. The latest version of PCI DSS (3.2) now requires it for all non-console administrative access into the cardholder data environment, not just for remote access from outside the network.
Let me take you on a tour of permissions fantasyland:
- Folders, mailboxes, databases, etc. are protected by access control lists (ACLs) containing security groups
- Users are neatly gathered into these well-labeled groups according to department or role
- Users are put into only the right groups, and these groups are placed only into the correct access control lists
- The world is frozen in stasis for eternity, thus preserving your perfectly pruned access controls
Here in the real world, it’s a monumental pain keeping the right users in the right groups and mapping the right groups to the right folders. As users’ roles change they accrue more and more access to data. Nobody revokes that access, ever.
Within weeks of your Big Cleanup Project™, your ACLs no longer reflect your ideal state: people have access to more information than they need, increasing the likelihood of data loss, misuse, and theft.
But wait, doesn’t the OS give me permissions management?
Sort of. The OS gives you the primitives (ACLs, security groups) and tools to set them one object at a time, but nothing that inventories effective access across millions of folders or tells you in advance what a group change will actually do. Enter permissions management software (like Varonis DatAdvantage) which:
- Maps users and groups to the data they can access, so you can answer questions like “if I put Dwight in GROUP_XYZ what exactly am I giving him access to?”
- Highlights users that have access to information they don’t need
- Lets you model permissions changes in a sandbox to see who would be affected if you were to pull the trigger
- Cleans up risky artifacts like unused users and groups, looped nested groups, overly delegated groups, groups without users, etc.
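The questions in the IAM section (what does putting Sam in a group actually grant, which of that access does he use) and the capabilities listed just above (modeling a change, finding looped and empty groups) are all the same operation: a walk over the nested group tree joined against the ACLs. Here is an added example, not Varonis code, that performs that join over a small constructed inventory; every group, user, folder and log entry is made up:

```python
"""The missing link between groups and ACLs (added example, not Varonis code).

Constructed inventory: nested AD-style groups, folder ACLs and an access log.
Answers "what does Sam get if I add him to group X", flags looped and empty
groups, and reports access a user has but never exercised.
"""
from collections import deque

# Constructed: group -> direct members (users or other groups)
GROUPS = {
    "Sales Managers": {"sam", "Sales Leads"},
    "Sales Leads": {"dwight", "Sales Managers"},   # loop: each contains the other
    "All Sales": {"Sales Managers", "jim"},
    "Finance": {"angela"},
    "Legacy Reporting": set(),                      # empty, but still on an ACL
}

# Constructed: folder -> principals granted read access
ACLS = {
    r"\\nas\sales\pipeline": {"All Sales"},
    r"\\nas\sales\comp-plans": {"Sales Managers", "Finance"},
    r"\\nas\finance\payroll": {"Finance", "Legacy Reporting"},
    r"\\nas\public\templates": {"Everyone"},
}

# Constructed access log: (user, folder)
ACCESS_LOG = [
    ("sam", r"\\nas\sales\pipeline"),
    ("sam", r"\\nas\public\templates"),
    ("angela", r"\\nas\finance\payroll"),
]


def parent_groups(principal, groups):
    """Every group containing `principal` directly or through nesting.
    Breadth-first with a visited set, so looped groups cannot hang the walk."""
    seen = set()
    queue = deque(g for g, members in groups.items() if principal in members)
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        queue.extend(p for p, members in groups.items() if g in members)
    return seen


def effective_folders(user, groups, acls):
    """Folders the user can read via any group they are transitively in."""
    principals = {user, "Everyone"} | parent_groups(user, groups)
    return {folder for folder, acl in acls.items() if acl & principals}


def access_delta(user, new_group, groups, acls):
    """Model a change: what would `user` gain if added to `new_group`?"""
    before = effective_folders(user, groups, acls)
    trial = {g: set(m) for g, m in groups.items()}
    trial.setdefault(new_group, set()).add(user)
    return effective_folders(user, trial, acls) - before


def looped_groups(groups):
    """Groups that are, transitively, members of themselves."""
    return {g for g in groups if g in parent_groups(g, groups)}


def empty_groups_on_acls(groups, acls):
    """Empty groups still referenced by an ACL: dead weight that someone
    could repopulate to quietly grant access."""
    on_acl = set().union(*acls.values())
    return {g for g, members in groups.items() if not members and g in on_acl}


def stale_access(user, groups, acls, access_log):
    """Folders the user can reach but never touched in the log."""
    touched = {folder for who, folder in access_log if who == user}
    return effective_folders(user, groups, acls) - touched


if __name__ == "__main__":
    print("sam can read:", sorted(effective_folders("sam", GROUPS, ACLS)))
    print("adding jim to Finance grants:", sorted(access_delta("jim", "Finance", GROUPS, ACLS)))
    print("looped groups:", looped_groups(GROUPS))
    print("empty groups on ACLs:", empty_groups_on_acls(GROUPS, ACLS))
    print("sam never used:", sorted(stale_access("sam", GROUPS, ACCESS_LOG and ACLS, ACCESS_LOG)))
```

Note that adding Jim to Finance grants him the comp-plans folder as well as payroll, because Finance sits on an ACL under the sales tree; that cross-tree effect is exactly what an IAM role assignment cannot show you.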
Permissions management products can automate painful manual processes that nobody wants to do yet are vital to data security. They also help you measure progress, allowing you to track and maintain the status of your remediation efforts, maintain stability, and identify anomalies and trends before they become issues.
How do you protect your most sensitive data if you don’t know where it is? Data loss prevention (DLP) and other content classification tools attempt to help you wade through terabytes of data to find the most important bits. DLP digs into the content itself, either at rest or in motion.
Upon implementing a data-at-rest scanning engine it is not uncommon to have tens of thousands of “alerts” about sensitive files. Where do you begin? How do you prioritize? Which incident in the colossal stack represents a $50 million risk that warrants your immediate, undivided attention? Data classification is super important, but without context about data usage, permissions, and ownership, it’s difficult for IT to take action.
So what’s the upshot? Use data classification in concert with permissions management and user behavior analytics for maximum effectiveness. You’ll see not only where your most sensitive information lives but where it’s overexposed and who’s potentially trying to steal or destroy it.
(PSA: Varonis has its own data classification engine or can absorb classification info from other products like DLP.)
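The following is an added example, not Varonis' classification engine, of what "classification in concert with permissions" looks like in practice: a scanner that finds SSNs and card numbers in constructed file contents (card candidates are Luhn-checked so template placeholders do not fire), then ranks each hit by how exposed the file is. A payroll file readable only by Finance lands below an old HR export that is open to Everyone. File contents, paths, ACLs, weights and the 1,000-user org size are all assumptions.

```python
"""Classification plus exposure ranking (added example, not Varonis code)."""
import re

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # 13-16 digits with optional separators

WEIGHTS = {"ssn": 10, "card": 8}  # assumption: per-hit severity
ORG_SIZE = 1000                   # assumption: headcount, used when "Everyone" is on the ACL

# Constructed files: path -> content
FILES = {
    r"\\nas\finance\payroll.xlsx":
        "Angela Martin SSN 123-45-6789 corp card 4111 1111 1111 1111 salary 62000",
    r"\\nas\public\invoice-template.docx":
        "Card: 1234 5678 9012 3456 Exp MM/YY",
    r"\\nas\public\old-hr-export.csv":
        "emp,ssn\nkevin,987-65-4321\noscar,111-22-3333\n",
    r"\\nas\sales\pipeline.txt":
        "Q3 pipeline 2,500,000 weighted",
}

# Constructed ACLs: path -> principals with read access
FILE_ACLS = {
    r"\\nas\finance\payroll.xlsx": {"Finance", "Payroll Admins"},
    r"\\nas\public\invoice-template.docx": {"Everyone"},
    r"\\nas\public\old-hr-export.csv": {"Everyone"},
    r"\\nas\sales\pipeline.txt": {"All Sales"},
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> dict:
    """Count sensitive-data hits by type; only non-zero types are returned."""
    hits = {"ssn": len(SSN_RE.findall(text)), "card": 0}
    for candidate in CARD_RE.findall(text):
        digits = re.sub(r"\D", "", candidate)
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits["card"] += 1
    return {k: v for k, v in hits.items() if v}


def exposure(principals) -> int:
    """Simplification: Everyone means the whole org, otherwise one per principal.
    A real tool would expand groups to effective users first."""
    return ORG_SIZE if "Everyone" in principals else len(principals)


def risk_score(hits: dict, principals) -> int:
    return sum(WEIGHTS[k] * n for k, n in hits.items()) * exposure(principals)


def prioritize(files, acls):
    """Return [(path, score, hits)] with the most overexposed sensitive file first."""
    ranked = []
    for path, text in files.items():
        hits = classify(text)
        if hits:
            ranked.append((path, risk_score(hits, acls.get(path, set())), hits))
    return sorted(ranked, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for path, score, hits in prioritize(FILES, FILE_ACLS):
        print(f"{score:>6}  {path}  {hits}")
```

Two files contain real-looking sensitive data, but only one is the emergency. Without the ACL join, a scanner reports both as equal "SSN found" alerts, which is how you end up with the tens of thousands of unprioritized findings described above.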
User behavior analytics (UBA)
UBA software watches and baselines what users are doing to detect things that don’t look normal.
Unlike firewalls and antivirus software, UBA focuses on what users and systems are doing: apps launched, network activity, and files accessed (when the file or email was touched, who touched it, what was done with it and how frequently). It searches for patterns of usage that indicate unusual or anomalous behavior — regardless of whether the activities are coming from a hacker, insider, or even malware or other processes.
While UBA won’t necessarily prevent hackers or insiders from getting into your system, it can quickly spot their work and minimize damage.
Why do you need UBA?
Great question! To understand why UBA exists, you have to consider where current data security approaches have fallen short. For anyone who’s been following the headline-making breaches over the last two years, it’s almost as if the hackers had been given the keys to the front door.
In the Snowden and WikiLeaks cases, the people responsible literally had the keys to the front door: they were insiders. In the Target breach the attackers got in with stolen remote-access credentials belonging to a third-party vendor. In the recent Office of Personnel Management incident, the attackers tricked an employee into downloading malware through a phishing attack.
Defending the inside from legitimate users is just not part of the equation for perimeter-based security, and hackers are easily able to go around the perimeter and get inside. They entered through legitimate public ports (email, web, login) and then gained access as users.
Once in, attackers have become clever at using malware that isn’t spotted by antivirus software. Sometimes they skip malware altogether and use legitimate sysadmin tools (PowerShell, remote desktop, PsExec) to do their work.
In fact, to an IT admin who is just monitoring their system activity — by examining apps used, login names, etc. — the attackers appear as just another user.
And that’s why you should consider UBA.
UBA vs. SIEM
If you have SIEM, you might wonder why you need UBA. At first glance UBA and SIEM appear to be very similar, however, upon closer inspection, they do different things.
By focusing less on system events, and more on specific user activities, UBA builds a profile of an employee based on their usage patterns, and sends out an alert if it sees abnormal user behavior. Typically UBA alerts can be sent via e-mail, SMS, or even be piped into your SIEM for correlation with all that other good stuff.
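As an added example of the profile-and-alert loop described here and in the UBA section above (this is not DatAlert or any other Varonis code): build a per-user baseline from a history of file-access events (files per day, working hours, shares used), then score one new day against it. The history, the suspicious day and the z-score threshold are all constructed assumptions.

```python
"""UBA in miniature (added example, not Varonis code).

Baseline per user: mean and standard deviation of files touched per day,
the set of hours they normally work, and the shares they normally use.
A day is flagged for abnormal volume, unusual hours or first-time shares.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: (user, day, hour, share, action). Sam reads 8-10
# files a day from the sales share between 09:00 and 16:00 for ten days.
HISTORY = [
    ("sam", day, 9 + (i % 8), r"\\nas\sales", "read")
    for day in range(1, 11)
    for i in range(8 + day % 3)
]

# Constructed day 11, two versions: business as usual, and 60 reads of a
# never-before-used finance share at 02:00 (think ransomware staging or a
# departing employee hoovering up files).
NORMAL_DAY = [("sam", 11, 10 + i % 5, r"\\nas\sales", "read") for i in range(9)]
SUSPICIOUS_DAY = [("sam", 11, 2, r"\\nas\finance", "read") for _ in range(60)]


def build_baseline(events):
    """Profile each user from their historical events."""
    per_day = defaultdict(lambda: defaultdict(int))
    hours = defaultdict(set)
    shares = defaultdict(set)
    for user, day, hour, share, _action in events:
        per_day[user][day] += 1
        hours[user].add(hour)
        shares[user].add(share)
    return {
        user: {
            "mean": mean(days.values()),
            "sd": pstdev(days.values()),
            "hours": hours[user],
            "shares": shares[user],
        }
        for user, days in per_day.items()
    }


def score_day(user, events, baseline, z_threshold=3.0):
    """Compare one user's events for one day against their profile.
    Returns a list of alert strings (empty means nothing abnormal)."""
    profile = baseline.get(user)
    if profile is None:
        # A brand-new account with no history is itself worth a look.
        return ["no baseline for user"]
    alerts = []
    n = len(events)
    sd = profile["sd"] or 1.0  # flat baseline: avoid dividing by zero
    z = (n - profile["mean"]) / sd
    if z > z_threshold:
        alerts.append(f"volume {n} files vs baseline {profile['mean']:.1f}/day (z={z:.1f})")
    odd_hours = sorted({hour for _u, _d, hour, _s, _a in events} - profile["hours"])
    if odd_hours:
        alerts.append(f"activity at unusual hours {odd_hours}")
    new_shares = sorted({share for _u, _d, _h, share, _a in events} - profile["shares"])
    if new_shares:
        alerts.append(f"first access to shares {new_shares}")
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    print("normal day:", score_day("sam", NORMAL_DAY, baseline))
    for alert in score_day("sam", SUSPICIOUS_DAY, baseline):
        print("ALERT:", alert)
```

None of the suspicious-day events is an access violation (Sam may well be in a group that grants the finance share), and a SIEM seeing 60 successful reads has no reason to care; the alert comes entirely from the gap between what Sam does and what Sam has always done.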
Cindy Ng wrote a really in-depth and easy-to-understand comparison of SIEM and UBA here.
Bonus tip: don’t write passwords on paper
Like Glenn Greenwald and Edward Snowden in a Moscow hotel room, the Vooza team silently passes notes in order to avoid audio bugs. But that doesn’t mean there aren’t prying eyes around.