Tuesday, October 8, 2013

Using Varonis to find misconfigured Exchange mailboxes

One of the wonderful features of Varonis DatAdvantage is the 3d-Users and Groups List report.  On the surface it is just a list of all of the users and groups in the domain, but with the creative use of filters and the Extended Properties, you can answer a lot of useful questions.

For example, during the migration of mailboxes from Exchange 2003 to Exchange 2010, there are mailboxes where certain attributes may not be updated correctly, and the problem will become obvious once the old Exchange server is shut down.  One of these is the user's homeMTA.  If you look at the field, it will be something like this:

CN=Microsoft MTA\0ADEL:097a9a78-54ae-4d27-a101-5daf2d0a30b5,CN=Deleted Objects,CN=Configuration,DC=Company,DC=com

As you can see, the MTA is listed as being deleted and needs to be corrected.  One way to identify these in Varonis is to use the 3d report.

First we have to add homeMTA to the Extended Properties.  As the Active Directory attributes are typically pulled once a night, we need to run the AD Walk and then the Pull AD jobs manually.

Then we can move on to reporting in 3d and develop a query like this:



The key component is to look for the "DEL" phrase in the homeMTA field.

Run this report and now you have a list of mailboxes to fix.
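The same "DEL" test can be cross-checked directly against Active Directory. The script below is an added example, not part of the original post or of Varonis; the function names are hypothetical, the sample records are constructed, and the live query assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example: flag homeMTA values that point at a deleted MTA object.
function Test-DeletedHomeMta {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$HomeMta)
    # A deleted AD object is renamed "<old RDN>\0ADEL:<objectGUID>" and moved
    # under CN=Deleted Objects; either marker means the referenced MTA is gone.
    ($HomeMta -match '\\0ADEL:[0-9a-fA-F-]{36}') -or
        ($HomeMta -match '(^|,)CN=Deleted Objects,')
}

function Get-StaleHomeMta {
    param([Parameter(Mandatory)][AllowEmptyCollection()][object[]]$User)
    # Skip accounts with no homeMTA at all (not mailbox-enabled).
    $User |
        Where-Object { $_.homeMTA -and (Test-DeletedHomeMta -HomeMta $_.homeMTA) } |
        Select-Object SamAccountName, homeMTA
}

function Get-StaleHomeMtaFromAD {
    # homeMTA is a DN-syntax attribute, and AD LDAP filters do not support
    # substring wildcards on DN-syntax attributes, so the filter only tests
    # for presence and the "DEL" match is done client-side.
    $users = @(Get-ADUser -LDAPFilter '(homeMTA=*)' -Properties homeMTA)
    Get-StaleHomeMta -User $users
}

# Constructed sample records (account names and the healthy DN are made up;
# the deleted DN is the one shown in the post).
$sample = @(
    [pscustomobject]@{
        SamAccountName = 'jdoe'
        homeMTA = 'CN=Microsoft MTA\0ADEL:097a9a78-54ae-4d27-a101-5daf2d0a30b5,CN=Deleted Objects,CN=Configuration,DC=Company,DC=com'
    },
    [pscustomobject]@{
        SamAccountName = 'asmith'
        homeMTA = 'CN=Microsoft MTA,CN=EX2010,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Company,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Company,DC=com'
    },
    [pscustomobject]@{ SamAccountName = 'svc-nomail'; homeMTA = $null }
)

# Only 'jdoe' is reported from the sample set.
Get-StaleHomeMta -User $sample | Format-List
```

On a domain-joined workstation, call `Get-StaleHomeMtaFromAD` and compare its output with the 3d report.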

Once again, the 3d-report can be your best friend.

Tuesday, May 28, 2013

Creating a Folder List for Varonis DatAdvantage




For some of the reports within Varonis DatAdvantage, such as 4b, Varonis has the ability to accept a list of folders to process.  This file consists of two fields separated by the pipe “|” character.  When a folder list is generated by the 4f report from within DatAdvantage, the fields are separated by a comma.  This is true even if the default separator is set to "|" in the control panel.  In addition, when a NetApp folder is enumerated the path is separated by the “/” character like a UNIX folder; however, the folder list only accepts the “\” character in the path.  Here is a PowerShell script that will clean up the issues with the folder list generated by the 4f report.

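# Read the comma-separated folder list produced by the 4f report
$OutAll = @()
$Infile = Import-Csv "C:\VaronisPublic\Varonis Output\output.csv"
foreach ($line in $Infile)
{
    $OutLine = New-Object System.Object
    $OutLine | Add-Member -Type NoteProperty -Name FilerName -Value $line.FilerName
    # NetApp paths come out with "/" separators; the folder list only accepts "\"
    $a = $line.AccessPath -replace "/", "\"
    $OutLine | Add-Member -Type NoteProperty -Name AccessPath -Value $a

    $OutAll += $OutLine
}
# Write the list pipe-delimited, with the quotes that ConvertTo-Csv adds stripped out
$OutAll | ConvertTo-Csv -Delimiter "|" -NoTypeInformation | ForEach-Object { $_ -replace '"', "" } | Out-File "C:\VaronisPublic\Varonis Output\outfile.csv" -Force -Encoding ascii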

Wednesday, February 13, 2013

Varonis Data Governance Awards

With so many data breaches and negative stories coming out of the information security world, it is nice to see some positive news.  A new thing that Varonis Systems introduced this year was the "Data Governance" awards for customers that made outstanding use of the DatAdvantage platform and improved the security processes around their unstructured data.  I was proud to be a judge and see the wonderful progress that many organizations are making.  See the award winners here

Tuesday, February 12, 2013

Symantec Study Says Many Employees Steal Data

Symantec has published a study related to employee theft of data, which was conducted by the Ponemon Institute.

Symantec Press Release

They offer several recommendations which include:
  • Employee education
  • Enforce non-disclosure agreements
  • Implement Monitoring technology
But they fail to address steps that could be taken to reduce access to sensitive data and better audit that access. Companies should strive to implement a Least Privilege model for information access, have a regular process for Entitlement Reviews, a well-defined Permission Approval process, and implement a program to audit access to information that involves the data owners.

The Varonis DatAdvantage suite of solutions should be one of the cornerstones of an organization's strategy to protect and better manage access to data at its source.

Friday, December 28, 2012

User Account Management in Varonis

One of the core benefits of Varonis DatAdvantage is that System Administrators can make better decisions regarding access permissions and folder management because of the excellent visibility that the product supplies. Since they can see an entire tree with permissions and other file server metadata, they are more likely to appropriately permission folders. However, that requires that the System Admin has the system open and is regularly using it.


With the newest release of Varonis, 5.7.68, there is even more incentive for system administrators to use Varonis on a daily basis. The product now allows the Varonis user to perform a number of activities involving individual user accounts directly from the IDU GUI.

The following tasks can be performed through DatAdvantage by right-clicking on a user:

  • Creating a new user
  • Editing a user's AD properties
  • Copy a user
  • Resetting a user's password
  • Unlock a user account
  • Delete a user account
  • Enable or disable an account
  • Move an account

From the User / Group panel the Varonis admin can also filter users and groups whose accounts require attention, such as identifying locked accounts.

If you have not already done so, upgrade your system to the latest release.

Friday, July 27, 2012

Net Neutrality and The Master Switch

I have been on the fence about “net neutrality”, but after reading Timothy Wu’s book on the information industries, The Master Switch: The Rise and Fall of Information Empires (Borzoi Books), I am firmly in support of net neutrality. This is a great background read on the economics behind these industries. Wu cogently explains the long-held concept of a “common carrier”, and how allowing Internet Service Providers to discriminate against certain customers, the opposite of net neutrality, can only lead to the stifling of innovation. He covers the growth of the telephone industry, radio, movies, television, and the Internet.
The book provides a history of the development of those industries and the economic and political forces that led to the establishment of large centralized firms, such as AT&T, NBC, CBS, and Paramount Pictures, in each of those markets. These consolidations ended up slowing progress in those industries, with the prime example being AT&T and how it stopped answering machines, fax machines, and other innovations that could have come decades before they were finally introduced. Wu provides very strong arguments as to how any efforts to stop net neutrality would inevitably lead to unknown, but clearly bad, results.

Sunday, July 1, 2012

Spear-Phishing

On June 28, 2012, The US-CERT (United States Computer Emergency Readiness Team) released the ICS-CERT Advisory "ICS-CERT Incident Summary Report." The report provides a summary of their incident response activities from 2009 - 2011.
The most common attack vector was spear-phishing emails with malicious links or attachments. This accounted for 7 out of 17 incidents. They surmised that "Sophisticated threat actors were present in 11 of the 17 incidents, including the actors utilizing spear-phishing tactics to compromise networks."


Brian Krebs analyzed email threat data from the University of Alabama at Birmingham, and across the sample set the anti-virus solutions on the market were not very effective, with an average detection rate of 24.7 percent and a median detection rate of 19 percent.

One cannot survive on anti-virus solutions alone, which tend to rely on signatures and heuristic analysis of the payloads. We recommend a defense in depth strategy here that relies on analyzing the behavior of the PCs as well, so that once an attack has passed through the AV solution, there is another barrier to detect anomalies. Invincea provides an isolated environment to handle links and PDF attachments. An internal IDS/IPS system could identify unusual behavior.  Please reach out to me if you would like more information on our recommendations.