Protecting Your Data From The Inside Out UBA, Insider Threats and Least Privilege in only 10 minutes!

Transcription

1 We protect your most sensitive information from insider threats. Protecting Your Data From The Inside Out UBA, Insider Threats and Least Privilege in only 10 minutes! VARONIS SYSTEMS

2 About Me Dietrich Benjes VP UK, Ireland & Middle East

3 About Varonis Started operations in 2005 IPO in Feb 2014 Over 4,000 Customers (as of Sept 2015) We secure your sensitive data from the inside out 3

4 The Varonis Origin Story 4

5 Agenda all in 10 minutes! The anatomy of insider breaches Real world breaches What, why and how of UBA (User Behaviour Analytics) Case studies Data & Risk Assessments 5

6 The Varonis Origin Story 6

7 The script - Anatomy of a Breach, or Kill Chain Reconnaissance Intrusion Exploitation Misconduct Exfiltration Privilege Escalation Lateral Movement Obfuscation (anti-forensics) Denial Of Service 7

8 Target as a Target 40,000,000 records lost Lots of fancy tools watching the perimeter (candy bar syndrome) [ ] spokeswoman, Molly Snyder, says the intruders had gained access to the system by using stolen credentials from a thirdparty vendor 8

9 The New Normal (Goodbye, Secure Perimeter) Someone gets inside, or is already there Rogue insider, credential hijack, phishing, malware They have access to lots of sensitive, unstructured data Files and s are over-exposed gold mines They can search for and download sensitive data without being noticed Users behavior on unstructured data is rarely monitored or analyzed Organizations breaches detected long after they happen (if ever) Even then, they rarely have accurate knowledge of the extent of the breach 9

10 Example: Sony Breach At a Glance What data was exposed? 47,000 social security numbers Financial records and payroll information Personal data and addresses, visa and passport numbers, tax records Over 30,000 confidential business documents Embarrassing and incriminating C-level correspondence Private keys to Sony s servers How much did it cost? $15,000,000 in cleanup $35,000,000 for the fiscal year 10

11 Example: the Sony Breach Kill Chain Reconnaissance Attackers gained access with stolen credentials obtained with phishing s, then downloaded tools to map the environment. Intrusion Wiper malware dropped on servers (with embedded employee credentials for execution) Lateral movement Attackers located passwords so they could continue to expand or elevate rights. They later released usernames and passwords for everything from internal systems to corporate Twitter accounts. Privilege escalation The attackers discovered treasure troves of plain-text passwords which gave them even more access to everything they needed to own the organization, including certificates and RSA token information. Data exfiltration Hundreds of GB of sensitive data was released, containing everything from PII information to confidential business documents including budgets and upcoming projects, to embarrassing s between executives. 11

12 Example: How Sony would have looked

13 How Varonis Works INPUTS: METADATA FILE SYSTEM & PERMISSIONS DIRECTORY SERVICE OBJECTS BUSINESS & IT INSIGHTS ACTIVITY CONTENT VISUALIZE DATA AND ACCESS RESIGNATION, HACKER, VIRUS ACTIVITY TRENDS & DATA GROWTH IDENTIFY STALE DATA UNNEEDED ACCESS DATA OWNER IDENTIFICATION EXPOSED, SENSITIVE DATA CONSUMERS BUSINESS EXECUTIVES BUSINESS DATA OWNERS IT SECURITY COMPLIANCE IT STORAGE IT OPERATIONS 13

14 What is UBA? Science of user activity and data flow analysis UBA systems: Monitor user activity feeds Profile user behavior and relationships with data and other users Create a baseline of what constitutes normal activity Alert on abnormal activity based on AI, machine learning, thresholds, etc. UBA provides meaningful insights into user and data patterns, security risks, social connections and a wealth of other information 14

15 Why UBA? Why your customers need UBA Historic security investment and focus has been at the perimeter 87% of security investment is done at the FW / perimeter (*HP) 86% of data breaches are internal (*NSA) Rogue employees, accidental exposures and compromised accounts Cost of a breach $3.8m, time to realise 270 days!!! Industry experts agree that most of the high profile data breaches could ve been prevented with UBA 15

16 How do we do it? In a nutshell Collect, create, and analyze metadata Automatically discover critical assets, noteworthy people, and normal behavior, establishing a baseline of behavior Identify unusual behavior with machine learning algorithms and behavioral rule sets Alert on behavioral anomalies and suspicious activity 16

17 Value Quickly monitor critical assets for very scary things: Insider threats Privilege escalation and abuse Someone reading your executives s Build context around the content of data and activity with collected metadata Reduce the amount of time it takes to find and assess a real issue, with forensics on compromised assets Recover from potential security breaches more quickly Integrate with SIEM and other UBA systems 17

18 Varonis Customer: Large Military Organization GOVERNMENT BUSINESS PROBLEM: Stolen Data Hundreds of files were stolen from a large military organization No record of access or automated analysis to flag insider abuse No way of knowing what files were taken or by whom BUSINESS SOLUTION Automatically monitor every touch on every file Complete audit trail on access activity Make sure only the right users can access the right data Alert on abnormal behavior Reduce risk and keep data secure IMMEDIATE RESULTS Caught over 30 attempts to steal data in 6 months!!! Reduced unnecessary user access by over 50% Started tracking all data usage A trusted insider took hundreds of thousands of files without anyone noticing and sold them. The organization had tens of millions of dollars invested in every security technology you can think of firewalls, IAM, IPS, DLP, and SIEM but none of these systems made a sound. 18

19 Example: Insider Attack 19

20 Customer Testimonial I wanted to let you know that we had an outbreak on our windows file server of the crypto virus. Using Varonis I was able to: Identify the infected user that was encrypting the shares and lock down access in 5 minutes. Then I was able to pull the logs so I could view the folders that were affected. This allowed me to bring the rest of the file server online and only have to restore the files that were affected by the user. Previously an outbreak of this nature would require us to take the share down for 24 hours until the infected user could be identified and restore all the shares from backup. Varonis saved the day. 20

21 Example: Crypto Attack 21

22 Varonis Data & Risk Assessments - Report Examples Overly accessible folders containing important or regulated content Overly accessible hierarchies and data structures Folders with stale information Usage statistics Permissions overview Stale permissions and identity configurations 22

23 Varonis Security Assessment: Initial Results 469,322 globally accessible folders 69% of all folders are open to EVERYONE in the company 356 folders contained sensitive data 98.5% folders containing sensitive data were globally accessible 96% of sensitive files were stale 20% of AD users had expired passwords 12.4% of AD users had no password expiration 23

24 Free Threat Assessment 24

25 Thank you! Dietrich Benjes / Dietrich@varonis.com