CIS Critical Security Controls

Discover how Varonis meets and exceeds many of the requirements of the CIS Controls, and provides a strong base to your overall cybersecurity strategy by focusing on the data: the most valuable commodity in your organization.


CIS Controls V7 Overview

CIS Controls v7 is the latest iteration of the Center for Internet Security’s standards to protect an organization from cybersecurity threats. They built the standard with these basic tenets in mind:

Offense informs defense

Use knowledge of actual attacks that have compromised systems to provide the foundation to continually learn from these events to build effective, practical defenses. Include only those controls that can be shown to stop known real-world attacks.

Prioritization

Invest first in controls that will provide the greatest risk reduction and protection against the most dangerous threat actors - and that can be feasibly implemented in your computing environment.

Measurements and metrics

Establish common metrics to provide a shared language for executives, IT specialists, auditors, and security officials to measure the effectiveness of security measures within an organization so that required adjustments can be identified and implemented quickly.

Continuous diagnostics and mitigation

Carry out continuous measurement to test and validate the effectiveness of current security measures and to help drive the priority of next steps.

Automation

Automate defenses so that organizations can achieve reliable, scalable, and continuous measurements of their adherence to the Controls and related metrics.


The CIS Controls are a strong set of guidelines to help defend your organization from cyberattacks, insider threats, and data breaches. Varonis enables organizations to establish and maintain a strong data security strategy - and helps meet those guidelines.

Control 4: Controlled Use of Administrative Privileges

The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.

4.1 Maintain Inventory of Administrative Accounts

DatAdvantage scans your network to catalog all user accounts, group memberships, and their access to data and resources. DatAdvantage autodiscovers all user accounts and monitors the activity of each account. DatAdvantage classifies each account based on behavior and level of access as a user, service account, executive, or privileged account.

DataPrivilege automates entitlement reviews, enabling organizations to review group memberships on a regular schedule and remove users from privileged groups when access is no longer needed.

4.3 Ensure the Use of Dedicated Administrative Accounts

Because Varonis actively monitors your data stores and Active Directory, it can trigger an alert when a privileged account makes changes to file system permissions, security groups, GPOs, mailboxes, and more. Varonis can also detect when a non-dedicated admin account is making - or attempting to make - administrative changes. A fully searchable audit trail of activity makes it easy to investigate abusive admin behavior or change control violations, and you can even roll back changes if needed.

Varonis can also automatically detect when an administrative account is modifying user data in suspicious ways - such as an IT admin reading an executive’s inbox and marking messages as unread.

4.6 Use Dedicated Workstations For All Administrative Tasks

Providing dedicated workstations for admin-only tasks is an excellent way to create a more secure enterprise. But would you know if someone used a privileged account on a non-dedicated workstation? Varonis Edge monitors your network perimeter and combines the data from DNS, VPNs, and proxies with the activity collected by Varonis DatAdvantage from Active Directory and your core data stores. DatAlert can detect and alert you if someone is using a privileged account from a non-standard workstation or a suspicious geolocation.

In addition to alerting, Varonis DatAdvantage auditing can show you what privileged accounts made which changes.

4.7 Limit Access to Scripting Tools

Preventing users from scripting with PowerShell or other scripting tools protects your network from intrusions or unsanctioned changes, but it won’t stop an intruder from trying to use scripting tools to infiltrate your network. Varonis DatAlert has a threat model specifically designed to trigger if a user accesses known scripting or hacking tools. The alert provides you the opportunity to verify the activity as legitimate or suspicious - and the ability to investigate further.

4.9 Log and Alert on Unsuccessful Administrative Account Login

Varonis DatAdvantage monitors for authentication attempts by all user accounts. You can configure a DatAlert to detect if a privileged account fails to authenticate.

Varonis DatAdvantage, combined with Varonis Edge, analyzes both perimeter telemetry and authentication attempts to determine whether an authentication request is coming from an unrecognized geographic location, or whether there are many failed attempts to log in in short succession. Either of those conditions would trigger a threat model to detect logins from unknown locations or possible brute-force attacks.

Control 5: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

5.1 Establish Secure Configurations

Varonis DatAdvantage and Varonis Edge monitor your data stores and your DNS, proxies, and routers for malicious activity. DatAlert is pre-configured with over 150 different threat models that detect cyberattacks and misconfigurations. If DatAlert detects known malware, it can notify you of the threat, disable the user, and power off their workstation. Keeping a secure configuration depends on preventing and detecting attempts to circumvent the established processes.

5.2 Maintain Secure Images

Varonis monitors specific folders and can trigger alerts of any activity on those folders; for example, your secure image repository. You can configure DatAlert to warn you if someone attempts to access this folder, or when someone modifies a file in that folder. DatAlert is fully customizable to provide the level of security that you need to maintain the security of your images.

5.3 Securely Store Master Images

Varonis monitors specific folders and can trigger alerts on any activity in those folders; for example, your secure image repository. You can configure DatAlert to warn you if someone attempts to access this folder, or when someone modifies a file in that folder. DatAlert is fully customizable to provide the level of security that you need to maintain the security of your images.

Control 6: Maintenance, Monitoring and Analysis of Audit Logs

Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.

6.2 Activate Audit Logging

DatAdvantage and Edge provide activity logs for:

• Windows
• Unix
• Unix SMB
• SharePoint
• NetApp
• EMC
• Hitachi NAS
• HP NAS
• SharePoint Online
• OneDrive
• Dell FluidFS
• Nasuni file servers
• Exchange
• Exchange Online
• DNS
• Proxies
• VPN
• Directory Services

This list continues to grow.

DatAdvantage audits and stores the comprehensive activity logs for all of the systems in this list, and analyzes the activity against DatAlert’s 150+ threat models to protect you from cyberattacks.

6.3 Enable Detailed Logging

Varonis logging contains detailed information about each event, including event source, date, user, timestamp, source and destination addresses, and other useful elements depending on the resource.

6.5 Central Log Management

We store all Varonis logging data in our DSP Server, provide maintenance on the databases, and enable you to view the audited data with custom reports or in the DatAdvantage and DatAlert UI.

6.6 Deploy SIEM or Log Analytic Tools

Varonis provides integrations with major SIEM systems including Splunk and QRadar. We support those systems with a custom application that syncs the DatAlert UI with the SIEM. For other SIEM tools, we feed events via syslog or API. Varonis provides actionable intelligence to the SIEM about cybersecurity threats, adding valuable context to the SIEM events.

6.7 Regularly Review Logs

Varonis provides automatic log management, monitoring, and analytics. Varonis analyzes all of the collected data against more than 150 threat models to detect and warn you of abnormal behavior, insider threats, and cyberattacks. Varonis cycles log data to keep the most current data active for immediate retrieval, and older log data is archived and available just in case.

6.8 Regularly Tune SIEM

In addition to tuning your SIEM, you will find that the alerts you get from DatAlert are comprehensive and actionable. Customers tell us that the alert integrations between Varonis and their SIEM are invaluable to their security strategies.

Control 7: Email and Web Browser Protections

The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.

Control 8: Malware Defenses

Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.

8.1 Utilize Centrally Managed Antimalware Software

Varonis is a crucial part of your overall malware defense strategy, detecting malware-like behaviors that could be either a targeted attack or an infiltrator who got past the perimeter security. Varonis DatAlert detects ransomware attacks, privilege escalations, infiltration/exfiltration, and other abnormal behavior patterns based on over 150 different threat models.

8.2 Ensure Anti-Malware Software and Signatures are Updated

Varonis regularly updates DatAlert’s threat models and internal dictionaries to include the most up-to-date malware variants and threat models for the latest cyberattacks.

8.6 Centralize Anti-Malware Logging

Varonis DatAdvantage logs and stores malware activity and alerts in the Varonis DSP. You can configure Varonis DatAlert to forward all events to a SIEM to consolidate the logs and alerts from your endpoint protection with the logs and alerts from Varonis.

8.7 Enable DNS Query Logging

Varonis Edge monitors and logs all DNS activity before storing and analyzing that data in our database. Varonis has threat models to protect your network from DNS-related cyberattacks like DNS tunneling and Remote Access Trojans that attempt to scan your DNS to expand their footprint in your network.

Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

11.6 Use Dedicated Workstations For All Network Administrative Tasks

Providing dedicated workstations for Network Administrative tasks is an excellent way to create a more secure enterprise. But would you know if someone used a privileged account on a non-dedicated workstation? Varonis Edge monitors your network perimeter and combines the data from DNS, VPNs, and proxies with the activity collected by Varonis DatAdvantage from Active Directory and your core data stores. DatAlert can detect and alert if someone is using a privileged account from a non-standard workstation or from a suspicious geolocation.

In addition to alerting in near real-time, Varonis DatAdvantage auditing can show you what privileged accounts made which changes.

Control 13: Data Protection

The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.

13.1 Maintain an Inventory of Sensitive Information

Varonis Data Classification Engine scans files in your monitored data stores using built-in rules and a library of hundreds of patterns to identify PII, PHI, GDPR-regulated data, and other sensitive and regulated information. All classification matches are stored in the Varonis database and are reviewable in the DatAdvantage UI. Data Classification Engine rescans any modified folders for new sensitive data. A daily report is available for you to review all of the new sensitive content your users created so you can secure that data.

13.2 Remove Sensitive Data or Systems Not Regularly Accessed by Organization

DatAdvantage detects and reports on your stale data - data that hasn’t been accessed in a long time that can contain sensitive information. IT staff or data owners can manually delete or quarantine the data. You can also configure Varonis Data Transport Engine to automatically delete or migrate stale data. Managing stale data is vital to protecting your environment from unexpected data breaches.

13.3 Monitor and Block Unauthorized Network Traffic

Varonis DatAlert detects unauthorized transfers of data before a bad actor can send the data across the network. Varonis monitors your data stores for abnormal access to sensitive data, stale data, and data that the user doesn’t normally access. DatAlert also monitors your Exchange environment to detect threats like an insider forwarding a large number of emails to a single email address. By detecting and alerting you to abnormal user access patterns, you can stop exfiltration of data before the data leaves your network.

13.5 Monitor and Detect Any Unauthorized Use of Encryption

Varonis monitors your data stores for abnormally high numbers of file modifications by a single user in a short amount of time, which could mean a user is trying to either encrypt or decrypt a large amount of data for exfiltration. DatAlert also has threat models that detect encryption downgrades that attempt to circumvent authorization controls, like a pass-the-hash attack.

Control 14: Controlled Access Based on the Need to Know

The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.

14.1 Segment the Network Based on Sensitivity

To segment your network based on sensitivity, you need to know where all of your sensitive data lives. Varonis DatAdvantage, along with the Data Classification Engine, maps and identifies all the files in your data stores that contain sensitive data. Once you have identified where your sensitive data lives, you can then take steps to secure the data via network segmentation.

14.5 Utilize an Active Discovery Tool to Identify Sensitive Data

The Data Classification Engine continuously scans and tags new or modified files for new sensitive data. With the Varonis Data Classification Engine, you will not have to worry about the new sensitive content your users create that happens to be in an unsecured folder. If the Data Classification Engine discovers new sensitive files in an insecure location, you can feed that information to the Data Transport Engine, which can move the new sensitive files to a secure folder pending review.

14.6 Protect Information through Access Control Lists

DatAdvantage maintains a full catalog of Access Control Lists (ACLs) in the database. The Varonis Automation Engine then automatically fixes issues with ACLs, including the use of Global Access Groups and broken inheritance. These issues can break your security configuration, and these problems are very hard to discover and troubleshoot without automation. And of course, the Everyone group on any folder is a security risk. From there, DatAdvantage can analyze user behavior patterns, and suggest changes to ACLs in order to remove access that users shouldn’t have - establishing and maintaining a least privilege model.

Maintaining a least privilege model limits the risk of damage from ransomware, and protects your data from lateral movement, infiltration, and exfiltration.
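The two ACL problems named above (the Everyone group on a folder, and broken inheritance) can be surfaced without the product, as an added example that is not Varonis code: the script below walks a share and reports both conditions. `$Root` is a placeholder path, and the script assumes read access to the share and to each folder's security descriptor.

```powershell
# Added example (not Varonis code): report folders where the Everyone group is
# granted access and folders whose ACL inheritance has been broken.
param([string]$Root = '\\fileserver\share')   # placeholder: replace with your share

$EveryoneSid = 'S-1-1-0'                       # well-known SID for Everyone
$Findings    = New-Object System.Collections.Generic.List[object]

Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
ForEach-Object {
    $folder = $_.FullName
    $acl = Get-Acl -LiteralPath $folder -ErrorAction SilentlyContinue
    if (-not $acl) { return }   # no rights to read the ACL; skip rather than fail

    # Broken inheritance: this folder no longer inherits ACEs from its parent,
    # so its effective permissions drift away from the share's intended model.
    if ($acl.AreAccessRulesProtected) {
        $Findings.Add([pscustomobject]@{
            Path = $folder; Issue = 'InheritanceBroken'; Identity = ''; Rights = ''
        })
    }

    # Resolve identities to SIDs so the comparison does not depend on locale names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.IdentityReference.Value -eq $EveryoneSid -and
            $ace.AccessControlType -eq 'Allow') {
            $Findings.Add([pscustomobject]@{
                Path = $folder; Issue = 'EveryoneAllowed'
                Identity = 'Everyone'; Rights = $ace.FileSystemRights.ToString()
            })
        }
    }
}

$Findings | Sort-Object Issue, Path | Format-Table -AutoSize
$Findings | Export-Csv -Path .\acl-findings.csv -NoTypeInformation
```

Run it as a script file so the `param` block applies; the CSV gives you a review list for the next entitlement review rather than a change to apply blindly.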

14.7 Enforce Access Control to Data through Automated Tools

DataPrivilege automates the workflow for data owners to manage access to their data. This workflow starts when an end user requests access and ends with either approval, denial or a limited approval that expires on a schedule.

DataPrivilege provides you with regularly scheduled entitlement reviews that include suggested ACL updates from DatAdvantage.

DataPrivilege allows you to create ethical walls which automatically enforce business rules to ensure that only the right people have access to data at all times. If someone tries to circumvent those rules by granting access outside of normal processes, DataPrivilege will block the access and log the activity.

14.8 Encrypt Sensitive Information at Rest

The hardest part about encrypting all of your sensitive files is knowing where the sensitive data lives. Data Classification Engine and Data Classification Labels integrate with Microsoft Information Protection (MIP) to identify sensitive data automatically and label the files as sensitive. MIP will process the sensitive file labels and encrypt the sensitive data automatically.

14.9 Enforce Detail Logging for Access or Changes to Sensitive Data

DatAdvantage provides monitoring of all data, including sensitive data. All activity is audited and stored in the Varonis database, and you can review the audited data in the DatAdvantage UI or by a customized report. DatAlert analyzes the near real-time activity on your data stores for any abnormal behavior matching one of our threat models. For example, one threat model sends alerts when there is abnormal access to sensitive data stores, while another alerts you if a user is accessing data from an unusual geolocation. Logging is great, but getting real-time alerts with actionable intelligence to stop cyberattacks is better.

Control 16: Account Monitoring and Control

Actively manage the life cycle of system and application accounts - their creation, use, dormancy, and deletion - in order to minimize opportunities for attackers to leverage them.

16.4 Encrypt or Hash all Authentication Credentials

Of course, you want to encrypt stored authentication credentials. There are still cyberthreats that can circumvent the encryption, like the Golden Ticket attack. DatAdvantage for Directory Services monitors all authentication requests, and DatAlert has a threat model to trigger a warning when there is a ‘pass the hash’ attack in progress. Varonis knows what the authentication tokens are supposed to look like – and we can identify when there is something suspicious about them. Monitoring your AD for security threats is just as important as the encryption because encryption alone is never 100% secure.

16.6 Maintain an Inventory of Accounts

Varonis maintains a full database of all accounts in any domain we are monitoring. This database updates daily to catch any new domains or users. You can examine and run reports for the users in each authentication system from the DatAdvantage UI. This UI enables a bi-directional view of a user’s system access and a folder’s ACLs. You can see at a glance who has access to a folder or what folders a user has access to.

16.7 Establish Process for Revoking Access

DataPrivilege provides API integrations that you can program into your process to establish new users and deactivate accounts. As you bring new users online, the DataPrivilege API can establish default permissions based on job function. When a user leaves the organization, you can program the API to remove the user from all security groups in addition to disabling the user account.

Additionally, data owners can authorize access requests for a limited time, and DataPrivilege will automatically revoke the access at the specified time. When you provide access to a user for a limited project, most of the time that access is never revoked. DataPrivilege automates the revocation at the specified time, so you don’t have to worry about it.

Lastly, DatAdvantage analytics will suggest changes to permission lists based on user activity. If a user doesn’t access a resource, you will see the suggestion to remove that user from your resource at the next entitlement review. You can make the decision to revoke the access at that time. Stale and enabled accounts are a major security risk to your data – therefore, establishing services and processes to remove permissions and disable users is vital to maintaining a secure environment.

16.8 Disable Any Unassociated Accounts

DatAdvantage monitors all user activity on your primary data stores, email, and Directory Services. Stale accounts are accounts that haven’t logged on in the past 365 days. DatAdvantage provides you a report that highlights stale and enabled accounts. You should review this report on a regular schedule and disable any stale user accounts.

16.9 Disable Dormant Accounts

DatAdvantage monitors all user activity on your primary data stores, email, and Directory Services. Stale accounts are accounts that haven’t logged on in the past 365 days. DatAdvantage provides you a report that shows you stale and enabled accounts. You should review this report on a regular schedule and disable any stale user accounts.

16.10 Ensure All Accounts Have An Expiration Date

DatAdvantage collects important data about all user accounts, and updates those properties on a regular schedule. You can run a report that lists any accounts that have no expiration date or no password expiration date. You can customize and configure DatAdvantage reports to run per your policy to maintain expiration date requirements for your user accounts.
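The report criteria in 16.8 through 16.10 (enabled accounts with no logon in 365 days, and enabled accounts with no expiration date or a non-expiring password) can be reproduced directly from Active Directory, as an added example that is not Varonis code. It assumes the RSAT ActiveDirectory module and read access to the domain; the output paths are placeholders.

```powershell
# Added example (not Varonis code): list stale-and-enabled AD accounts under the
# 365-day definition, and enabled accounts without an account or password expiry.
Import-Module ActiveDirectory

$StaleDays = 365
$Cutoff    = (Get-Date).AddDays(-$StaleDays)

# LastLogonDate is the replicated lastLogonTimestamp, accurate to about 14 days,
# which is adequate for a 365-day window.
$Users = Get-ADUser -Filter { Enabled -eq $true } `
    -Properties LastLogonDate, AccountExpirationDate, PasswordNeverExpires, WhenCreated

$Stale = @($Users | Where-Object {
    # An account that has never logged on counts as stale only once it is older than
    # the window, so newly created accounts are not flagged on their first day.
    ($_.LastLogonDate -and $_.LastLogonDate -lt $Cutoff) -or
    (-not $_.LastLogonDate -and $_.WhenCreated -lt $Cutoff)
})

$NoExpiry = @($Users | Where-Object {
    -not $_.AccountExpirationDate -or $_.PasswordNeverExpires
})

$Stale | Select-Object SamAccountName, LastLogonDate, WhenCreated |
    Sort-Object LastLogonDate |
    Export-Csv -Path .\stale-enabled-accounts.csv -NoTypeInformation      # placeholder path

$NoExpiry | Select-Object SamAccountName, AccountExpirationDate, PasswordNeverExpires |
    Export-Csv -Path .\accounts-without-expiry.csv -NoTypeInformation    # placeholder path

Write-Host ("{0} stale enabled accounts, {1} enabled accounts without expiry" -f `
    $Stale.Count, $NoExpiry.Count)

# After review, disable rather than delete so the change is reversible; drop -WhatIf
# only once the list has been checked against service accounts and leave-of-absence users.
# $Stale | Disable-ADAccount -WhatIf
```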

16.12 Monitor Attempts to Access Deactivated Accounts

DatAdvantage monitors all file access and account activity in your primary data stores, email, and Directory Services. If there is any attempt to access or use a disabled account, a DatAlert threat model will alert you of the attempt. Attempts to access disabled accounts are most likely a sign of infiltration by cyberattack, and DatAlert will give you the warning and actionable intelligence to protect your data and remove the threat.

16.13 Alert on Account Login Behavior Deviation

DatAdvantage monitors all user activity on your primary data stores, email, and Directory Services. DatAlert analyzes this activity data and compares the behavior patterns to over 150 threat models looking for deviations from standard user behaviors. You will get alerts with actionable intelligence to investigate the incident. You can also program immediate responses that trigger on a DatAlert. One popular response is to write a PowerShell script to disable a user account and power off the user’s workstation. This response can mitigate a threat immediately and give your team a chance to investigate and remove the threat before there is a full-on data breach incident.

Control 19: Incident Response and Management

Protect the organization’s information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker’s presence, and restoring the integrity of the network and systems.

19.4 Devise Organization-wide Standards for Reporting Incidents

The Varonis Data Security Platform will be an important part of your data security incident reporting. DatAlert will begin your incident reporting process and serve as the initial incident report. DatAlert provides vital actionable intelligence to your forensic analysis, which serves as the details of the incident report. You can program the DatAlert response to open an incident in your IT case management system for ease of tracking.

DatAdvantage shows you whether the data involved is sensitive or regulated data, should you need to report the incident to government agencies. You will have the information you need to meet the new GDPR 72-hour breach notification requirement with ease.
