Friday, December 28, 2012

User Account Management in Varonis

One of the core benefits of Varonis DatAdvantage is that System Administrators can make better decisions regarding access permissions and folder management because of the excellent visibility that the product supplies. Since they can see an entire tree with permissions and other file server metadata, they are more likely to appropriately permission folders. However, that requires that the System Admin have the system open and be using it regularly.


With the newest release of Varonis, 5.7.68, there is even more incentive for system administrators to use Varonis on a daily basis. The product now allows the Varonis user to perform a number of activities involving individual user accounts directly from the IDU GUI.

The following tasks can be performed through DatAdvantage by right-clicking on a user:

  • Creating a new user
  • Editing a user's AD properties
  • Copying a user
  • Resetting a user's password
  • Unlocking a user account
  • Deleting a user account
  • Enabling or disabling an account
  • Moving an account

From the User / Group panel the Varonis admin can also filter users and groups whose accounts require attention, such as identifying locked accounts.

If you have not already done so, upgrade your system to the latest release.

Friday, July 27, 2012

Net Neutrality and The Master Switch

I have been on the fence about “net neutrality”, but after reading Timothy Wu’s book on the information industries, The Master Switch: The Rise and Fall of Information Empires (Borzoi Books), I am firmly in support of net neutrality. This is a great background read on the economics behind these industries. Wu cogently explains the long-held concept of a “common carrier”, and how allowing Internet Service Providers to discriminate against certain customers, the opposite of net neutrality, can only lead to the stifling of innovation. He covers the growth of the telephone industry, radio, movies, television, and the Internet.
The book provides a history of the development of those industries and the economic and political forces that led to the establishment of large centralized firms, such as AT&T, NBC, CBS, and Paramount Pictures, in each of those markets. These consolidations ended up slowing progress in those industries, with the prime example being AT&T and how it stopped answering machines, fax machines, and other innovations that could have come decades before they were finally introduced. Wu provides very strong arguments as to how any efforts to stop net neutrality would inevitably lead to unknown, but clearly bad, results.

Sunday, July 1, 2012

Spear-Phishing

On June 28, 2012, The US-CERT (United States Computer Emergency Readiness Team) released the ICS-CERT Advisory "ICS-CERT Incident Summary Report." The report provides a summary of their incident response activities from 2009 - 2011.
The most common attack vector was spear-phishing emails with malicious links or attachments. This accounted for 7 out of 17 incidents. They surmised that "Sophisticated threat actors were present in 11 of the 17 incidents, including the actors utilizing spear-phishing tactics to compromise networks."


Brian Krebs analyzed email threat data from the University of Alabama at Birmingham. Across the sample set, the anti-virus solutions on the market were not very effective, with an average detection rate of 24.7 percent and a median detection rate of 19 percent.

One cannot survive on anti-virus solutions alone, which tend to rely on signatures and heuristic analysis of the payloads. We recommend a defense-in-depth strategy here that relies on analyzing the behavior of the PCs as well, so that once an attack has passed through the AV solution, there is another barrier to detect anomalies. Invincea provides an isolated environment to handle links and PDF attachments. An internal IDS/IPS system could identify unusual behavior. Please reach out to me if you would like more information on our recommendations.

Sunday, June 24, 2012

America The Vulnerable

America The Vulnerable, “Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare” by Joel Brenner provides a broad picture of the issues of cybersecurity in the early part of the 21st century. In many cases, the facts presented are not new, but Joel Brenner has the ability to put them in context and provides an excellent look at the big-picture implications of those facts.
Joel Brenner is a former senior counsel at the National Security Agency and has extensive experience in counterintelligence. This background allows Brenner to describe in detail the structural and procedural challenges that the US government and industry face in dealing with the threats.
The book roams across the entire cybersecurity landscape. Brenner describes the economic and political motivations of other nations and how those motivations lead them to do the things that they do. He details the Chinese, providing documented sources describing their objectives, motivations, and tactics.
Brenner presents a speculative case study on how a cyberattack from China might be used for increased strength in a diplomatic standoff around Taiwan. It is a very interesting take that differs from the many fear-mongers predicting cyber apocalypse, and it offers a practical description as to how our weaknesses could realistically be used against us.
One of the key points made is that the increasing transparency due to electronic information leads to reduced secrecy for governments and reduced privacy for individuals.
In addition to the excellent survey of the challenges related to information security, Brenner offers prescriptions that both the government and the private sector can take to deal with the threats.
These include for the U.S. government:
  • Use federal purchasing to enforce higher security standards.
  • Forbid federal agencies from doing business with ISPs that are hosts for botnets, publish list of companies.
  • Remove anti-trust considerations to allow US firms to collaborate and share information on security.
  • Require Internet service providers to notify customers whose machines have been infected by a botnet.
  • Use regulations to stop utilities from connecting industrial control systems to public networks.
  • Use tax code to change behavior.
  • Increase research into attribution techniques and identity standards.
  • Increase research into verifiable software and firmware, and the benefits of moving security directly into hardware.
  • Increase research into an alternative Internet architecture.
  • Require disclosure of risks for utilities in bond documents.
  • Toughen public audit standards for cybersecurity.
  • The US should engage like-minded democratic governments in a multilateral effort to make Internet communication open and secure.
The recommendations for the private sector include:
  • Clean up your act.
  • Control what’s on your system.
  • Control who’s on your system.
  • Protect what’s valuable.
  • Patch rigorously.
  • Train everybody.
  • Audit for operational effect.
  • Manage overseas travel behavior.
This is a very good overview for people outside the Information Security world, in addition to being an excellent reference for practitioners, as Brenner does not dive into the weeds yet provides a compelling view of the world today.

Saturday, June 9, 2012

Tackling ArcSight Express Configuration

The ArcSight SIEM platform is extremely powerful and capable of correlating an amazing amount of information. This information can overwhelm some people when they are getting started and trying to get value out of the solution. Here are some general thoughts on how to approach this challenge.
  1. Decide what use cases you would like to implement first. Try proceeding one use case (I am using the term generically, not in the ArcSight-specific way) at a time so that you are not trying to boil the ocean.
  2. Decide what event sources are necessary for that use case to be sent to Express / ESM.
  3. Configure the SmartConnector software to send all of the data from those devices to the Logger or straight to Express depending on your architecture.
  4. When the events are sent to Express, set up an Active Channel, review the event types that you are getting from those sources, and determine:
    • Which events are irrelevant, and filter them out on the connector and/or logger.
    • Which events are just as useful if you aggregate them, and set up aggregation rules on the connector (firewall connections, for example).
  5. Check that those event sources are categorized correctly and can utilize the standard content from ArcSight.
  6. Now that filtering and aggregation are in place for those event sources, work on rules and content to deal with that use case.
When you are correctly dealing with the security issues handled by that use case, then move on to the next use case and repeat the process.

Tuesday, April 3, 2012

Identifying Disabled Users

A great question came up today in Varonis training: how can we identify when a user account was disabled and who performed the operation? For those of you running Varonis' DA for Directory Services module, the answer can be gathered from the Directory Services log. The key steps are to select the user account that you want to investigate and then select the Change Description filter with the operation Like, using the text field:

Property "User Account Control" modified: 514


This is a good candidate to set up as a monthly report to audit all of the user accounts that were disabled during the last month; something that will keep the auditors happy. If you would like the XML for the template please email me and I will send it to you.
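The value in that filter is an Active Directory userAccountControl bitmask: 514 is NORMAL_ACCOUNT (512) plus ACCOUNTDISABLE (2), so a disabled account that also carries another flag logs a different number. The following is an added example, not part of the original post and not Varonis code; it tests the disable bit instead of matching 514 literally, and the record layout and sample rows are constructed for illustration.

```python
import re

# Active Directory userAccountControl bit flags (a subset).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
}
ACCOUNTDISABLE = 0x0002

# Change-description text as quoted in the post; the number is the new value.
CHANGE_RE = re.compile(r'Property "User Account Control" modified: (\d+)')


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def disabled_events(records):
    """Return (when, actor, target, value) for changes that leave the account disabled."""
    hits = []
    for when, actor, target, description in records:
        match = CHANGE_RE.search(description)
        if match and int(match.group(1)) & ACCOUNTDISABLE:
            hits.append((when, actor, target, int(match.group(1))))
    return hits


# Constructed sample rows in a hypothetical layout (not a Varonis export format):
# (timestamp, acting account, affected account, change description)
SAMPLE = [
    ("2012-03-02 09:14", "CORP\\helpdesk1", "jsmith",
     'Property "User Account Control" modified: 514'),
    ("2012-03-09 16:40", "CORP\\admin2", "svc_backup",
     'Property "User Account Control" modified: 66050'),  # disabled + password never expires
    ("2012-03-12 11:05", "CORP\\helpdesk1", "jsmith",
     'Property "User Account Control" modified: 512'),    # re-enabled
    ("2012-03-20 08:30", "CORP\\admin2", "mlee",
     'Property "Description" modified: contractor'),
]

if __name__ == "__main__":
    for when, actor, target, value in disabled_events(SAMPLE):
        print(when, actor, "disabled", target, value, decode_uac(value))
```

A value with the disable bit set can also be logged when some other flag changes on an account that was already disabled, so compare against the previous value where the log provides it.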

Saturday, March 31, 2012

Network Access Control Vendors Reviewed

One of the core principles of Information Security is that organizations should have preventive, detective, and corrective controls in place to protect their infrastructure and data. If one looks at annual spending in Information Security, it is dominated by preventive controls such as firewalls, anti-spam, and anti-virus solutions. One thing that those solutions have in common is that they all fail. In dealing with many clients we see a lack of detective and corrective tools and processes in place to respond to the inevitable breakdowns that occur because of user errors, zero-day attacks, or sophisticated adversaries.

To get a quick overview of your environment, can you answer questions such as these:
  • What devices are on your network?

  • Are they compliant with current policies?

  • Are there any unauthorized devices (such as tablets and mobile phones) on the network?

ForeScout Technologies has a great solution, CounterACT, that is marketed as a NAC (Network Access Control) but provides much more functionality that helps organizations deal with the devices on their network. It provides an internal intrusion detection system to identify devices that have gone “rogue” (are trying to spread malware or viruses) through a dynamic “honeypot” solution.

In addition, it can inventory devices to detect when they are not compliant with company policies, such as not running an AV solution or not being encrypted. It also provides corrective controls to warn users and administrators of a potential issue, automate remediation through scripting interfaces, and it can quarantine devices and/or processes that are not supposed to be running.

The Tolly Group has issued a report on behalf of ForeScout that compares the main competitors in the NAC marketplace across 34 different criteria. To access this report please click here. If you would like more information, please reach out to us.

Tuesday, February 28, 2012

Varonis's new DatAdvantage for Directory Services

The job of securing information continues to get harder. The technology that we are managing is becoming more complicated, the threat vectors are increasing through new channels such as mobile devices, and the adversaries are getting more sophisticated.

One of the most difficult areas to protect is the unstructured data on file servers. I like to use the analogy of bank vaults to describe the file server world. We buy these very expensive bank vaults to store all of our confidential data and we deploy safe deposit boxes (think folders) to allow users to organize and protect that data. The Active Directory groups and passwords are the keys we hand to users to give them access to the safe deposit boxes.

However, with the current technology from the storage vendors, the analogy breaks down. Here are some of the challenges:


  • We have no log of who goes in and out of the bank vault or safe deposit boxes.

  • If someone adds an additional keyhole to a safe deposit box, we rarely know who else is holding keys that will let them in.

  • We have no idea how big the boxes are and what is stored inside of them.

  • Companies continue to buy new vaults because there is no easy way to manage the data in the existing vaults.

  • And every once in a while, IT people take a door off the safe deposit box to give someone access and because the vault is in the dark, we have no idea that this has taken place.


The Varonis DatAdvantage solution gives us visibility into who has access to the safe deposit boxes, audits what they do with the data stored in them, and provides the tools to increase the security of the vault.

What Varonis is bringing to the table with its new DatAdvantage for Directory Services product is the ability to monitor the people who build and assign the keys to the boxes in the bank vaults. When a new key holder (a user) is created we know that. When a user is assigned keys we have a record of who gave them to him. Varonis has provided the IT professional with a comprehensive set of tools to protect and manage their organization’s unstructured data.