More Threat Models
New threat models to detect Directory Services attacks:
- Potential pass-the-ticket attack
- Abnormal access behavior: possible distributed credential stuffing attack
- Abnormal access behavior: possible credential stuffing attack from a single source
New Edge threat models based on telemetry from proxies, including:
- Abnormal service behavior: upload of data to external websites – this threat model helps catch exfiltration activity
- Abnormal behavior: an unusual amount of data was uploaded to email websites after accessing sensitive data – this threat model flags activity that might be an insider threat
- Abnormal behavior: an unusual amount of data was uploaded to an external website after accessing GDPR data – this threat model helps protect GDPR data.
It’s faster, easier to use, and more responsive.
- New updates help reduce investigation time from minutes to seconds via the web UI, taking advantage of Solr event storage.
- Alert emails link to the investigation UI, alert ID link buttons are now easier to spot, and all RTA and UBA rules are enabled by default.
- Indicators flag any sensitive files a user accessed in the previous 24 hours, and any GDPR data accessed in the same period.
- Customers can subscribe to a saved or scheduled search in the web UI, saving time and streamlining security reviews. We’ve also added predefined searches – including user accounts with non-expiring passwords, and stale admin or service accounts.
*You might notice a UI change as well: the DatAlert logo is now simply the Varonis logo. The web UI is now included with a DA license.
Live updates are enabled in this beta version, sending updates on Data Classification Engine and UBA dictionaries, as well as log collector updates.
It’s a new user interface for DataPrivilege with a modern look and feel, enhanced usability and user experience, iconic toolbars, fewer popup dialogs, and fewer mouse clicks.
Classification categories are attached to folders in the Request Details and Entitlement Review Details screens, and you can now configure entitlement review rules using the new classification filter (making it easier than ever to see who can – or wants to – access regulated data).
Data Classification Labels
Data Classification Labels integrates with Microsoft Information Protection (MIP) to enable users to better track and secure sensitive files across enterprise data stores.
By integrating with Microsoft Information Protection, customers can automatically apply classification labels and encrypt files that Varonis has identified as sensitive. Users can manually tag documents, and Varonis will ingest this information to provide additional context around the data.
- HNAS NFS support for audit events
- Support for Cisco (IronPort) Web Proxy (Edge)
- Shared links events supported in SharePoint Online and OneDrive (DatAdvantage for Office 365) – you can run reports on data shared with anonymous guest links, OneDrive and SharePoint Online shared links, and more.
- Data Transport Engine stub files can now point to a custom landing page.
Want to see it in action? Get a 1:1 demo and ask about the latest features today.
We announced Varonis Edge back in November, and we’re excited for you to try it. After over a decade of protecting core data stores, we’re extending that same data security approach to the perimeter: analyzing devices like DNS, VPN, and Web Proxy to detect attacks like malware, APT intrusion, and exfiltration. With Edge, you’ll be able to correlate events and alerts from your perimeter with alerts and events about your data.
We’ve added new threat models for these perimeter devices so that you can stay ahead of security events like brute force attacks, DNS tunneling, credential stuffing, and more.
Backed by popular demand, we’ve added new classification categories to our Data Classification Engine (formerly Data Classification Framework). We’re shipping four predefined categories out of the box, to more easily identify and discover PII, PHI, PCI, and GDPR data.
GDPR Threat Models
With over 250 unique patterns to identify and classify EU data that will fall under the upcoming General Data Protection Regulation (GDPR), we’re making it easier than ever to see what’s happening to that data once it’s identified. You’ll not only be able to identify regulated data, but monitor and track when suspicious activity occurs on it with specific GDPR threat models: from abnormal service behavior accessing atypical folders containing GDPR data, to global access groups added to a folder with a significant amount of GDPR data, and more.
Everybody likes a map – and DatAlert now tracks cyberattacks to a specific location, alerting when unusual access to your data is coming from a new or unusual physical location or geolocation. New threat models track unreasonable geohopping, activity from a blacklisted geolocation, and activity from a new geolocation.
We’ve added maps and geolocation to the DatAlert web interface – so that you can see what’s going on and where at a glance.
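The three geolocation threat models named above, worked as an added example over constructed login events (this is illustrative code, not Varonis' implementation; the speed ceiling, the blacklist and the event format are assumptions):

```python
"""Flag unreasonable geohopping (implied travel speed between consecutive
logins), activity from a blacklisted geolocation, and activity from a
geolocation the user has never logged in from before."""
import math
from datetime import datetime

MAX_SPEED_KMH = 900             # assumed ceiling for plausible travel (airliner speed)
BLACKLISTED_COUNTRIES = {"XX"}  # constructed placeholder code, not a real blacklist

# Constructed sample events, time-ordered: (user, ISO timestamp, country, lat, lon)
EVENTS = [
    ("alice", "2018-03-01T09:00:00", "US", 40.71, -74.01),  # New York
    ("alice", "2018-03-01T09:45:00", "DE", 52.52, 13.40),   # Berlin, 45 minutes later
    ("bob",   "2018-03-01T10:00:00", "US", 40.71, -74.01),
    ("bob",   "2018-03-02T10:00:00", "US", 40.71, -74.01),
    ("bob",   "2018-03-03T10:00:00", "XX", 0.0, 0.0),       # blacklisted, never seen for bob
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def detect_geo_anomalies(events):
    """Return (user, rule, detail) alerts; the first login of a user only seeds the baseline."""
    alerts, last_seen, known = [], {}, {}
    for user, ts, country, lat, lon in events:
        t = datetime.fromisoformat(ts)
        if country in BLACKLISTED_COUNTRIES:
            alerts.append((user, "blacklisted_geolocation", country))
        seen = known.setdefault(user, set())
        if user in last_seen and country not in seen:
            alerts.append((user, "new_geolocation", country))
        seen.add(country)
        if user in last_seen:
            pt, plat, plon = last_seen[user]
            hours = (t - pt).total_seconds() / 3600
            dist = haversine_km(plat, plon, lat, lon)
            if hours > 0 and dist / hours > MAX_SPEED_KMH:
                alerts.append((user, "geohopping", f"{dist:.0f} km in {hours:.2f} h"))
        last_seen[user] = (t, lat, lon)
    return alerts
```

Alice's New York to Berlin hop in 45 minutes trips both the new-geolocation and geohopping rules, while Bob's slow move to the blacklisted location trips the blacklist and new-geolocation rules only.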
Other updates include:
- HPE 3PAR support
- Enhancements to DatAlert search functionality: predefined searches, saved searches, and more
- Improved performance and support for incremental search results
- Office 365 Azure AD auditing and collection
- Enhancements to AD authentication events
- Automation Engine: support for multiple OU selection for new groups/per filer resolution
- DataPrivilege request-related and owner-related API now supports both Windows and SharePoint
- Reporting now supports relative mode for all date filters
Introducing complete monitoring for Exchange Online, giving Varonis customers the same coverage we’ve provided for years with the Exchange on-premises system. With DatAdvantage for Exchange Online, you’ll be able to monitor email events – and with DatAlert, you’ll get alerted when there’s unusual mailbox activity.
We’ve added new threat models for Exchange Online – including abnormal service behavior: atypical actions performed on mailboxes owned by other users, and abnormal admin behavior: access to atypical mailboxes.
DatAdvantage for Exchange Online gives you a complete audit trail of exactly who is sending emails (and where they’re going), which users are accessing what email folders, and which users open phishing emails – those kinds of things. You’ll finally have transparency and know everything that happens in Exchange Online.
Additional Highlights from the beta release of 6.4.50
- DataPrivilege feature parity – and with feature parity, some new features:
  - Exporting decisions of entitlement reviews
- The DatAlert web interface is getting more intuitive and easier to use: we’re introducing user views – to easily analyze who triggered alerts. You can now save your most common and frequent searches on alerts, events, and users – so you don’t have to start from the beginning every time.
- New Architecture – 6.4.50 includes elements of our new architecture: improving event handling and real time processing. Solr is basically replacing SQL for database flattening and performance improvements.
- Support for NetApp 9.2
IAM & ITSM Integration with DataPrivilege
Our new DataPrivilege API provides more flexibility for IT and business users so they can unify and customize their user experience and workflows. With the API, you’ll be able to synchronize managed data with your IAM/ITSM solution, and return instructions to DataPrivilege to execute and report on requests and access control changes. You’ll be able to use the integration to externally control DataPrivilege entitlement reviews, self-service access workflows, ownership assignment, and more.
We’re less than a year out from the EU General Data Protection Regulation (GDPR) becoming law, and we’re hearing that our customers are facing more pressure than ever to get their data security policies ready for the regulation. To help enterprises quickly meet GDPR, we’re introducing GDPR Patterns with over 150 patterns of specific personal data that falls in the realm of GDPR, starting with patterns for 19 countries currently in the EU (including the UK).
Using the Data Classification Framework as a foundation, GDPR Patterns will enable organizations to discover regulated personal data: from national identification numbers to IBAN to blood type to credit card information. This means that you’ll be able to generate reports on GDPR applicable data: including permissions, open access, and stale data. These patterns and classifications will help enterprises meet GDPR head-on, building out security policy to monitor and alert on GDPR affected data.
The Automation Engine
The Automation Engine automatically and safely repairs inconsistent ACLs and global groups applied to file systems so that our customers are less vulnerable to attacks, more compliant, and consistently meeting a least privilege model.
- Fix hidden security vulnerabilities like inconsistent ACLs and global access.
- Revoke unnecessary access that users no longer need or use, reducing your risk profile.
- Accelerate and automate least privilege.
DatAlert Analytics Rewind
DatAlert Analytics Rewind allows customers with three or more months of data to analyze past user and data activity with DatAlert Analytics threat models, and identify alerts that they would have gotten in the past. You can not only pre-emptively tune out false positives, but also look back at your data activity history to identify breaches that may have already occurred.
New Threat Models for Exchange and DS
We’ve added more threat models to DatAlert Analytics to detect and prevent impersonation, exploitation, and account hijacking. The latest set keeps you aware of suspicious mailbox and Exchange behaviors, password resets and unusual activity from personal devices.
Email security and Exchange: New threat models flag an abnormal amount of emails sent to accounts outside the organization, unusual mailbox activity from service accounts, and automated forwarding that might indicate an attacker trying to redirect and exfiltrate data.
Directory Services: New threat models detect suspicious password resets that may indicate attempts to hijack a user account, unusual access to personal devices, suspicious attempts to access an unusual amount of resources, and unusual login activity that may indicate a credential stuffing attack.
- SharePoint 2016 support
- Windows Server 2016 support
- Active Directory 2016 support
- Support for Netapp ONTAP Cloud Data Storage
6.3.150 RC Highlights
New Security Dashboard
DatAlert is easier than ever to use as a starting point for investigating suspicious behavior, spotting unusual activity on file servers, and finding security vulnerabilities. We’re introducing a configurable dashboard where you can easily identify and prioritize at-risk areas like global access, stale data, and overexposed sensitive information.
Alert investigation page
A new alert page enables quick triage on individual alerts – drill down on suspicious activity that might indicate that an attack is under way and triage for further investigation. The alert investigation page offers additional security insights about users, data, time, and affected devices.
Enhanced behaviors and analysis
- Behavioral Peers: DatAlert can compare file and email touches of one user – along with other activity – to that of her peers. Behavioral peer comparisons are available directly within the alerts page to streamline investigation and help identify the severity of alerted behavior.
- Device Insight: Review device context cards, and get insight through the DatAlert UI to see alerts triggered on specific devices. Insights into devices also help highlight abnormal device usage per user account to pinpoint a computer that’s been compromised for insider activities.
- Normal Working Hours: Varonis determines normal working hours for each individual based on email & file activity – and compares activity against their peers, to catch suspicious activity more quickly than ever.
- Flags & Watch list: Customers can now flag suspicious users, putting them on a watch list for tracking – making it easier to keep an eye on suspicious users and devices. Users can be highlighted based on past alerts or based on information from legal, HR, or other departments.
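The Normal Working Hours and Behavioral Peers ideas above, worked as an added example on constructed file and email events (illustrative code, not Varonis' own; the 5% share threshold, the peer-group field and the event format are assumptions):

```python
"""Build a per-user 'normal working hours' baseline from activity timestamps,
build the same baseline for the user's peer group, and grade a new event by
whether it falls outside the user's hours, her peers' hours, or both."""
from collections import Counter, defaultdict
from datetime import datetime

MIN_SHARE = 0.05  # assumed: an hour is 'normal' if it holds >= 5% of the baseline events

# Constructed baseline: (user, peer_group, ISO timestamp) over ten days of history
BASELINE = []
for day in range(1, 11):
    for hour in (9, 10, 11, 14, 15, 16):
        BASELINE.append(("alice", "finance", f"2018-03-{day:02d}T{hour:02d}:15:00"))
        BASELINE.append(("bob",   "finance", f"2018-03-{day:02d}T{hour:02d}:40:00"))
    BASELINE.append(("bob", "finance", f"2018-03-{day:02d}T19:05:00"))  # bob routinely works late

def normal_hours(events, key):
    """Map key(event) -> set of hours-of-day holding at least MIN_SHARE of that key's events."""
    counts = defaultdict(Counter)
    for ev in events:
        counts[key(ev)][datetime.fromisoformat(ev[2]).hour] += 1
    return {k: {h for h, n in c.items() if n / sum(c.values()) >= MIN_SHARE}
            for k, c in counts.items()}

USER_HOURS = normal_hours(BASELINE, key=lambda e: e[0])  # per individual
PEER_HOURS = normal_hours(BASELINE, key=lambda e: e[1])  # per peer group

def classify(user, group, ts):
    """Return 'normal', 'outside_user_hours' or 'outside_user_and_peer_hours'."""
    hour = datetime.fromisoformat(ts).hour
    if hour in USER_HOURS.get(user, set()):
        return "normal"
    if hour in PEER_HOURS.get(group, set()):
        return "outside_user_hours"        # unusual for her, but peers are active then
    return "outside_user_and_peer_hours"   # unusual for the whole group: highest severity
```

A 19:30 event is normal for Bob, a lower-severity anomaly for Alice (her peers work then), and a 03:00 event is anomalous for the whole group.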
Additional features included in this release
- Support for SQL 2016
- Support for EMC Unity 300
- Support for EMC Unity 500