Tuesday, October 8, 2013

Using Varonis to find misconfigured Exchange mailboxes

One of the wonderful features of Varonis DatAdvantage is the 3d-Users and Groups List report.  On the surface it is just a list of all of the users and groups in the domain, but with the creative use of filters and the Extended Properties, you can answer a lot of useful questions.

For example, during the migration of mailboxes from Exchange 2003 to Exchange 2010, certain attributes on some mailboxes may not be updated correctly, and the problem becomes obvious once the old Exchange server is shut down.  One of these is the user's homeMTA.  If you look at the field, it will be something like this:

CN=Microsoft MTA\0ADEL:097a9a78-54ae-4d27-a101-5daf2d0a30b5,CN=Deleted Objects,CN=Configuration,DC=Company,DC=com

As you can see, the MTA is listed as being deleted and needs to be corrected.  One way to identify these in Varonis is to use the 3d report.

First we have to add homeMTA to the Extended Properties.  As the Active Directory attributes are typically pulled once a night, we need to run the AD Walk and then the Pull AD jobs manually.

Then we can move on to reporting in 3d and develop a query like this:



The key component is to look for the "DEL" phrase in the homeMTA field.

Run this report and now you have a list of mailboxes to fix.
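
An added example, not from the original post: the same check done in PowerShell over user records, matching the full deleted-object marker ("\0ADEL:" plus a GUID, or the Deleted Objects container) rather than the bare "DEL" substring. The sample accounts, the organization name and the server name DELTA-EX01 are constructed; live data is assumed to come from Get-ADUser in the ActiveDirectory module.

```powershell
# Constructed sample records. On a live domain these would come from, e.g.:
#   Get-ADUser -LDAPFilter '(homeMTA=*)' -Properties homeMTA
# homeMTA is a DN-syntax attribute, so LDAP substring filters do not apply
# to it; the pattern match has to be done client-side as shown here.
$liveMta = 'CN=Microsoft MTA,CN=DELTA-EX01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ExampleOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Company,DC=com'
$deadMta = 'CN=Microsoft MTA\0ADEL:097a9a78-54ae-4d27-a101-5daf2d0a30b5,CN=Deleted Objects,CN=Configuration,DC=Company,DC=com'

$users = @(
    [pscustomobject]@{ SamAccountName = 'asmith';   homeMTA = $deadMta }  # stale reference
    [pscustomobject]@{ SamAccountName = 'bjones';   homeMTA = $liveMta }  # healthy, but contains "DEL"
    [pscustomobject]@{ SamAccountName = 'svc-scan'; homeMTA = $null }     # no mailbox
)

function Test-DeletedMtaReference {
    param([string]$HomeMta)

    if ([string]::IsNullOrEmpty($HomeMta)) { return $false }

    # A deleted AD object has "\0ADEL:<objectGUID>" appended to its RDN
    # and is moved under CN=Deleted Objects.
    $tombstone = '\\0ADEL:[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12},'
    return ($HomeMta -match $tombstone) -or ($HomeMta -match ',CN=Deleted Objects,')
}

# Bare substring match, as in the report filter: also hits DELTA-EX01.
$naive = @($users | Where-Object { $_.homeMTA -like '*DEL*' })

# Stricter match: only references to deleted objects.
$stale = @($users | Where-Object { Test-DeletedMtaReference $_.homeMTA })

"Substring 'DEL' matches : {0}" -f ($naive.SamAccountName -join ', ')
"Deleted-MTA references  : {0}" -f ($stale.SamAccountName -join ', ')

# List of mailboxes to fix
$stale | Select-Object SamAccountName, homeMTA | Format-List
```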

Once again, the 3d-report can be your best friend.

Tuesday, May 28, 2013

Creating a Folder List for Varonis DatAdvantage




For some of the reports within Varonis DatAdvantage, such as 4b, Varonis has the ability to accept a list of folders to process.  This file consists of two fields separated by the pipe “|” character.  When a folder list is generated by the 4f report from within DatAdvantage, the fields are separated by a comma.  This is true even if the default separator is set to "|" in the control panel.  In addition, when a NetApp folder is enumerated, the path is separated by the “/” character like a UNIX folder; however, the folder list only accepts the “\” character in the path.  Here is a PowerShell script that will clean up the issues with the folder list generated by the 4f report.

# Read the comma-separated folder list produced by the 4f report
$OutAll = @()
$Infile = Import-Csv "C:\VaronisPublic\Varonis Output\output.csv"
foreach ($line in $Infile)
{
    $OutLine = New-Object System.Object
    $OutLine | Add-Member -Type NoteProperty -Name FilerName -Value $line.FilerName
    # NetApp paths come out with "/"; the folder list only accepts "\"
    $a = $line.AccessPath -replace "/", "\"
    $OutLine | Add-Member -Type NoteProperty -Name AccessPath -Value $a

    $OutAll += $OutLine
}
# Write the list pipe-delimited, with the quotes ConvertTo-Csv adds stripped out
$OutAll | ConvertTo-Csv -Delimiter "|" -NoTypeInformation | % { $_ -replace '"', "" } | Out-File "c:\VaronisPublic\Varonis Output\outfile.csv" -Force -Encoding ascii

Wednesday, February 13, 2013

Varonis Data Governance Awards

With so many data breaches and negative stories coming out of the information security world, it is nice to see some positive news.  A new thing that Varonis Systems introduced this year was the "Data Governance" awards for customers that made outstanding use of the DatAdvantage platform and improved the security processes around their unstructured data.  I was proud to be a judge and see the wonderful progress that many organizations are making.  See the award winners here

Tuesday, February 12, 2013

Symantec Study Says Many Employees Steal Data

Symantec has published a study on employee theft of data, which was conducted by the Ponemon Institute.

Symantec Press Release

They offer several recommendations which include:
  • Employee education
  • Enforce non-disclosure agreements
  • Implement monitoring technology
But they fail to address steps that could be taken to reduce access to sensitive data and better audit that access. Companies should strive to implement a Least Privilege model for information access, have a regular process for Entitlement Reviews, a well-defined Permission Approval process, and implement a program to audit access to information that involves the data owners.

The Varonis DatAdvantage suite of solutions should be one of the cornerstones of an organization's strategy to protect and better manage access to data at its source.