Showing posts with label Varonis.

Monday, December 21, 2015

Can Varonis Capture "Copy" Events?



I regularly get asked whether Varonis DatAdvantage can identify when a user copies a file.

It depends. 

  • If the user opens a file on a server and copies it to his desktop, Varonis DOES NOT record the copy to the desktop, only that the file on the server was opened.  
  • If the user copies a file from one folder to another on the same server, we will see a rename event.
  • If the user copies a file from one server to another server, you will see a File Open on the first server and a File Create on the second server.

Based on how most people ask the question, the answer is no.  To really know what the user did with the file you need a Data Loss Prevention solution like Digital Guardian (our choice) or Symantec DLP.

Friday, November 13, 2015

Identifying Distribution Groups within Security Groups

It is important to identify Active Directory distribution groups that are embedded in AD security groups, since it is not best practice to use distro groups for file server permissions.  Unfortunately, within Varonis DatAdvantage the 3a Group Members report does not have a filter to sort by Group Type.  Here is a workaround that I have used: identifying group types by their email properties.


There are several caveats here.  It is possible that a security group has an email address, and it is possible that a distribution list does not have an email address assigned.  To get a truly comprehensive picture we would have to create a CSV file from the 3d report of all distribution groups, create a CSV file from the 3a report looking only for groups embedded in groups, and then use Excel or PowerShell to merge the data to identify the distribution group members.
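Here is what the PowerShell side of that merge can look like.  This is an added example, not code from the original post and not a Varonis script.  The column headers (GroupName, ParentGroup, MemberName) are placeholders I chose for the example; substitute whatever headers your 3d and 3a exports actually carry.  The CSV rows are constructed sample data so the snippet runs without the exports.

```powershell
# Added example (not from the original post, not Varonis code).
# Assumed placeholder headers: the 3d export has GroupName, the 3a export
# (filtered to group-in-group memberships) has ParentGroup and MemberName.

# Constructed sample of the 3d export: every distribution group in the domain.
$distroCsv = @'
GroupName
CORP\All-Staff
CORP\Finance-News
CORP\Sales-Announce
'@

# Constructed sample of the 3a export: groups nested in groups.
$nestedCsv = @'
ParentGroup,MemberName
CORP\FS-Finance-RW,CORP\Finance-Team
CORP\FS-Finance-RW,CORP\Finance-News
CORP\FS-Public-RO,CORP\All-Staff
CORP\FS-Sales-RW,CORP\Sales-Leads
'@

function Find-NestedDistributionGroups {
    param(
        [Parameter(Mandatory)] [object[]] $DistributionGroups,  # rows from the 3d export
        [Parameter(Mandatory)] [object[]] $NestedMemberships    # rows from the 3a export
    )
    # Case-insensitive set of distribution group names, so the join is a single pass
    # over the nested-membership rows rather than a nested loop.
    $distro = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($row in $DistributionGroups) { [void]$distro.Add($row.GroupName.Trim()) }

    foreach ($row in $NestedMemberships) {
        if ($distro.Contains($row.MemberName.Trim())) {
            # A distribution group is a member of a (presumably security) group.
            [pscustomobject]@{
                SecurityGroup     = $row.ParentGroup
                DistributionGroup = $row.MemberName
            }
        }
    }
}

$findings = Find-NestedDistributionGroups -DistributionGroups ($distroCsv | ConvertFrom-Csv) `
                                          -NestedMemberships  ($nestedCsv  | ConvertFrom-Csv)
$findings | Format-Table -AutoSize

# With the real exports, replace the two ConvertFrom-Csv calls with
# Import-Csv .\3d_distribution_groups.csv and Import-Csv .\3a_nested_groups.csv
```

With the sample data the function returns two findings: CORP\Finance-News nested in CORP\FS-Finance-RW and CORP\All-Staff nested in CORP\FS-Public-RO.  Because the join keys on the group type reported by 3d rather than on an email address, it is not fooled by a mail-enabled security group or a distribution list without an address, which is exactly the caveat above.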


Wednesday, August 19, 2015

Varonis Connection lost to a server

If Varonis DatAdvantage is no longer collecting events from a server, the Varonis probe will send out error messages on a regular basis that look something like this:

Subject: [VARONISPROBE] Varonis: Connection lost between SERVER (48) and XXXXXXXXX (IDU Probe) (code 13002)

They are generally caused in one of several ways:

1) The server no longer exists. (Then you should disable it in, or remove it from, Varonis.)
2) Someone has upgraded or rebuilt the server and therefore the agent no longer exists on the box. (Then you should manually install the agent.)
3) Someone has disabled or removed the Varonis services. (After uncovering the reason for the change you can manually reinstall the agent.)
4) There are connectivity problems getting to the server. (This needs to get fixed outside of the Varonis infrastructure.)

If you have administrative credentials to the monitored server, it is helpful to run Computer Management from the probe and connect to the monitored server from the probe.  The results of using the Computer Management tool from the probe may provide additional clues to the problem.  Looking through the Varonis Event logs on the monitored server via the Event viewer on the Probe can also be helpful.

Friday, August 14, 2015

DatAlert Alert Template for Syslog

Within Varonis DatAlert, the default Alert Template for syslog messages contains line feeds and carriage returns.  Most syslog parsers have a much easier time dealing with single line messages.  If you are going to send Varonis alerts to syslog you should create a template specifically for that.  Here is a sample that I work with.


Saturday, April 4, 2015

Correct Share Settings for Adding a Server in Varonis



When adding servers to Varonis, under the Shares tab select the highest level shares that Varonis has access to.  In addition, there is an option to Automatically detect shares.  This should be set to “Detect and Notify” and the “Notify” option should be set to once.  That way, whenever a share is added to a server an email will go out indicating that fact.  At that point, if it is a new volume or new top-level share, you can go back into the Management Console and add that volume.  Do not automatically monitor shares, as this may pick up devices such as CD drives or shares that should not be monitored, such as backup shares.

Friday, February 6, 2015

Removing Disabled Users from the Varonis Permissions Report

One of the most commonly used reports in Varonis DatAdvantage is the “4b - Effective Permissions for User or Group” report.  This is used to list all of the groups and users that have access to a particular folder.  One of the challenges that we faced at a particular customer was that the business people did not want to see the disabled users who had access to the folder.  There is a filter, “Disabled Accounts,” that lets you exclude them.  However, if you just add that filter it removes all of the groups that have access to the folder.  Thanks to Kevin Cyr for asking me if there is a way around this.  Indeed, there is!  Here is a screenshot of the filter combination that handles the problem.  The root cause is that groups do not have the “Disabled Account” property in Active Directory, so the standalone “Disabled Accounts” filter excludes them.



Wednesday, February 13, 2013

Varonis Data Governance Awards

With so many data breaches and negative stories coming out of the information security world, it is nice to see some positive news.  A new thing that Varonis Systems introduced this year was the "Data Governance" awards for customers that made outstanding use of the DatAdvantage platform and improved the security processes around their unstructured data.  I was proud to be a judge and see the wonderful progress that many organizations are making.  See the award winners here.

Tuesday, February 12, 2013

Symantec Study Says Many Employees Steal Data

Symantec has published a study related to employee theft of data, which was conducted by the Ponemon Institute.

Symantec Press Release

They offer several recommendations which include:
  • Employee education
  • Enforce non-disclosure agreements
  • Implement Monitoring technology
But they fail to address steps that could be taken to reduce access to sensitive data and better audit that access. Companies should strive to implement a Least Privilege model for information access, have a regular process for Entitlement Reviews, a well-defined Permission Approval process, and implement a program to audit access to information that involves the data owners.

The Varonis DatAdvantage suite of solutions should be one of the cornerstones of an organization's strategy to protect and better manage access to data at its source.

Tuesday, April 3, 2012

Identifying Disabled Users

A great question came up today in Varonis training: how can we identify when a user account was disabled and who performed the operation?  For those of you running Varonis' DA for Directory Services module, the answer can be gathered from the Directory Services log.  The key items to select are the user account that you want to investigate and the Change Description filter with the Like operator, using the following text:

Property "User Account Control" modified: 514


This is a good candidate to set up as a monthly report to audit all of the user accounts that were disabled during the last month; something that will keep the auditors happy. If you would like the XML for the template please email me and I will send it to you.
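The 514 in that filter is the decimal value of the userAccountControl bitmask: NORMAL_ACCOUNT (512) plus ACCOUNTDISABLE (2).  As an added example, not from the original post and not Varonis code, the PowerShell below decodes a userAccountControl value into its flag names and pulls the value out of Change Description strings in the format shown above.  The 66050 and 512 sample lines are constructed; the flag values are the standard userAccountControl bit definitions.  It also illustrates a caveat of matching on 514 alone: a disabled account that also carries another flag (for example, password never expires) is logged with a different number.

```powershell
# Added example (not from the original post, not Varonis code).
# Standard userAccountControl bit definitions.
$UacFlags = [ordered]@{
    SCRIPT                         = 0x0001
    ACCOUNTDISABLE                 = 0x0002
    HOMEDIR_REQUIRED               = 0x0008
    LOCKOUT                        = 0x0010
    PASSWD_NOTREQD                 = 0x0020
    PASSWD_CANT_CHANGE             = 0x0040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x0080
    TEMP_DUPLICATE_ACCOUNT         = 0x0100
    NORMAL_ACCOUNT                 = 0x0200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x0800
    WORKSTATION_TRUST_ACCOUNT      = 0x1000
    SERVER_TRUST_ACCOUNT           = 0x2000
    DONT_EXPIRE_PASSWORD           = 0x10000
    MNS_LOGON_ACCOUNT              = 0x20000
    SMARTCARD_REQUIRED             = 0x40000
    TRUSTED_FOR_DELEGATION         = 0x80000
    NOT_DELEGATED                  = 0x100000
    USE_DES_KEY_ONLY               = 0x200000
    DONT_REQ_PREAUTH               = 0x400000
    PASSWORD_EXPIRED               = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
    PARTIAL_SECRETS_ACCOUNT        = 0x4000000
}

function ConvertFrom-UserAccountControl {
    # Decode a userAccountControl integer into its set flags.
    param([Parameter(Mandatory)] [int] $Value)
    $set = foreach ($name in $UacFlags.Keys) {
        if ($Value -band $UacFlags[$name]) { $name }
    }
    [pscustomobject]@{
        Value    = $Value
        Disabled = [bool]($Value -band $UacFlags.ACCOUNTDISABLE)
        Flags    = ($set -join ' | ')
    }
}

# Constructed sample Change Description lines; the first is the one the post shows.
$changeDescriptions = @(
    'Property "User Account Control" modified: 514',
    'Property "User Account Control" modified: 66050',
    'Property "User Account Control" modified: 512'
)

foreach ($line in $changeDescriptions) {
    # Pull the trailing integer out of the description and decode it.
    if ($line -match 'modified:\s*(\d+)\s*$') {
        ConvertFrom-UserAccountControl -Value ([int]$Matches[1])
    }
}
```

For the three sample lines the output shows 514 as ACCOUNTDISABLE | NORMAL_ACCOUNT (disabled), 66050 as ACCOUNTDISABLE | NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD (also disabled, but it would not match a Like filter on 514), and 512 as NORMAL_ACCOUNT (enabled).  If your environment uses the password-never-expires or smart card flags on regular accounts, a monthly report keyed only on 514 will undercount the disables.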

Tuesday, February 28, 2012

Varonis's new DatAdvantage for Directory Services

The job of securing information continues to get harder. The technology that we are managing is becoming more complicated, the threat vectors are increasing through new channels such as mobile devices, and the adversaries are getting more sophisticated.

One of the most difficult areas to protect is the unstructured data on file servers. I like to use the analogy of bank vaults to describe the file server world. We buy these very expensive bank vaults to store all of our confidential data and we deploy safe deposit boxes (think folders) to allow users to organize and protect that data. The Active Directory groups and passwords are the keys we hand to users to give them access to the safe deposit boxes.

However, with the current technology from the storage vendors the analogy breaks down. Here are some of the challenges:


  • We have no log of who goes in and out of the bank vault or safe deposit boxes.

  • If someone adds an additional keyhole to a safe deposit box, we rarely know who else is holding keys that will let them in.

  • We have no idea how big the boxes are and what is stored inside them.

  • Companies continue to buy new vaults because there is no easy way to manage the data in the existing vaults.

  • And every once in a while, IT people take a door off the safe deposit box to give someone access and because the vault is in the dark, we have no idea that this has taken place.


The Varonis DatAdvantage solution gives us visibility into who has access to the safe deposit boxes, audits what they do with the data stored in them, and provides the tools to increase the security of the vault.

What Varonis is bringing to the table with its new DatAdvantage for Directory Services product is the ability to monitor the people who build and assign the keys to the boxes in the bank vaults. When a new key holder (a user) is created we know that. When a user is assigned keys we have a record of who gave them to him. Varonis has provided the IT professional with a comprehensive set of tools to protect and manage their organization’s unstructured data.

Saturday, November 19, 2011

Tracking AD Groups Changes with Varonis

Varonis DatAdvantage tracks changes in Active Directory group membership by comparing the results of the nightly AD walks. If we want to see the changes that have been made to a user we can use the "1a - User Access Log report." The key filter to remember is that we want to show data from the "History of Differences." This shows the changes that have been picked up by the nightly jobs. Then we need to select the date range that we want to look at.

Then select the "Operation Type" filter. There are two operation types that we can select depending on what we are trying to track:

  • Membership Removed

  • Membership Added

Add the filter to look only at "Groups" for the Object Type.

The final piece is that the user affected by the change is identified in the "Change Description" field. Use the "Like" operator and remember to enter the domain name before the start of the user name.

Run the report and you have the answer you were looking for.



Note: Starting in Version 5.6 of Varonis DatAdvantage we also have the "3e - Historical Group Membership" which will display the groups a user belonged to on a specific date. Great report for answering those tricky audit questions.

Wednesday, December 29, 2010

Stop Monitoring a Directory in Varonis

There are several types of directories that you may not want to monitor at all in Varonis DatAdvantage. These might be temporary folders that are used by products such as disk archiving solutions that keep a cache directory on each drive that is archived. Using the "Stop Monitoring" option stops all event collection and permissions monitoring for that folder and any subfolders.
Go to each drive where you believe this is an issue and click on the folder to be excluded to select it. Then right-click on the folder and select the “Stop Monitoring” option.




When you select the directory a warning dialog box appears asking you to confirm your choice.



If you click “Yes” then the system stops monitoring the folder immediately.

Wednesday, October 13, 2010

Home Directory Data Usage

One of the neat things that you can do with Varonis DatAdvantage is monitor how much disk space your users' home directories are taking up. If you are like most organizations where all of the home directories are stored in a common directory on the file server, this is a snap.

Using the 4f report - "File System Objects List" create a report with two filters.
  • The first is: "Access Path" and should be set to the top level folder that contains the users' folders; such as "D:\home."
  • The second is: "Directory Depth" and should be set to 3 so you capture each user's folder on a separate line in the report; such as "D:\home\auser."

Then click on the "Extended Properties" tab and select the "File count" and "Total size in MB" options.  Sort the report on "Total size in MB" and away you go.

This will generate a list of all of the home directories with their associated disk usage, allowing you to identify users who are taking up an inordinate amount of disk space. Save this report to a spreadsheet and run this on a periodic basis and you will be able to track usage trends.

Sunday, July 25, 2010

Where are AD Groups Used?

Utilizing Varonis DatAdvantage, one can determine how an Active Directory group is being used on a file server. To find where a security group is applied to a folder directly, run the 4a – Effective Permissions for User or Group report. You need to select each File Server that you want Varonis to investigate and since we are only interested where the group is in the “ACL” there are two options that need to be selected and set to True:
  • "Show only direct permissions"
  • "Distinguished unique"


This allows you to see every folder where the security group is directly applied.

Saturday, June 26, 2010

SQL Server Job History

In running Varonis DatAdvantage there are times when you want to look at the history of the nightly jobs for a longer period than the defaults provided by SQL Server 2005. These defaults are based on 'Maximum job history log size (rows)' and 'Maximum job history rows per job.' If you are monitoring a large number of servers, then the system may only keep several days' worth of history for each job. Where disk space on the SQL Server is not an issue, one can change the delete option to purge data based on an overall duration, which can be specified in days, weeks or months. For example, we might want to retain 10 days' worth of history to assist in debugging issues. To do that perform the following steps.


First run SQL Server Management Studio.

Then navigate to:
  • Root
  • SQL Server Instance
  • SQL Server Agent
  • Right-click on SQL Server Agent

  • From here right-click on History.
  • Select the option to "Automatically remove agent history" and enter the duration that you want to keep the job history.
  • Click on OK and you are ready to run.

Saturday, April 3, 2010

SMTP Errors

The other day I was installing Varonis DatAdvantage for a customer and during the installation process received the following error, "The message could not be sent to the SMTP server. The transport error code was 0x800ccc15."


The first thing I wanted to check was that I had connectivity to the Exchange Server. So I used telnet to connect to port 25. That worked fine, so there was not a firewall in place blocking the connection. The Exchange server was set up to accept relays so that was not the problem.

After some investigation it turned out that McAfee VirusScan Enterprise 8.7.0 was the culprit.

Access Protection was enabled, so I reviewed the settings.

The issue was that the rule "Prevent mass mailing worms from sending mail" was blocking all traffic from the Varonis server. It was stopping all programs except those that are explicitly allowed from using SMTP to send messages.


Back to the McAfee server to add the programs in question and we are back in business.

Wednesday, March 17, 2010

Adobe Please Fix Your Software

I was configuring a new Varonis server today and needed to download Adobe Reader so that we can access the documentation. I went to the Adobe web site and clicked on the download button. When I finish the installation, what do I find out? That they are still installing 9.3.0 by default! This is the unpatched version that has been the subject of a number of exploits. If a random user who doesn't deal with security on a daily basis installed this, they could be hosed. I ran the updates, but many people wouldn't. Adobe, please release a version that includes the patches built-in.

Monday, February 8, 2010

Updating Varonis DA Immediately

Varonis DatAdvantage updates the Work Area's File Permissions and User Information on a nightly basis. Sometimes, after performing significant changes to improve your security, you want to get a view of the current state of your server. To do that you need to run the nightly jobs. You can run those jobs manually in two ways. One is through the Configuration menu in the DA GUI. The other, which I prefer, is to go directly to SQL Management Studio to run the jobs so I can monitor their progress.


Here are the steps:
1) Run the AD Walk(s)
2) Run the File Walk for each server that you have updated.
3) When those jobs are finished run the Pull Walk.
After the Pull Walk is complete, you can restart the DatAdvantage UI and the permissions will be current.

Tuesday, January 26, 2010

Stop Monitoring a Server in Varonis

When you have a Windows server that is going offline, but you want to retain all the historical information in Varonis (the events and permissions), here are the steps you need to follow.

From within the Configuration Screen select File Servers. Then move to the server that you want to decommission.
1) Uncheck all of the boxes for Collect Events.
2) Uncheck the box for Local Accounts.
3) For each drive make sure the Crawl File System is set to Disable.
4) Click OK and you are all set.


Thursday, August 20, 2009

Restoring Deleted Permissions with Varonis



This afternoon a hedge fund client called with a high profile problem. One of the system admins from their outsourcer had deleted all of the Active Directory permissions of the General Counsel. Not a great person to prevent from accessing the system. Since they are a Varonis DatAdvantage user, I was able to help them solve this problem.

We ran a query from the log area and selected "History of differences" as the data source. The keys were to set the "File Server" to "IDU" and set the "Change Description" to start with his fully defined domain account. Then we got a list of all of the groups that he belonged to, and my client was able to restore them all and get the General Counsel up and running ASAP.

DatAdvantage to the rescue.