by
Tim Mangan
Introduction
In my never-ending search to understand “the data problem”, how could I help but stumble on a company with a tag line of “all about the data”? I could say that the tag should probably be “all about the meta-data”, but then I’d just be nit-picking.
The company is called Varonis (www.varonis.com). Headquartered in New York City, this is a company with technical talent out of Israel playing the US market. I guess I would categorize this as a security related product.
The product, DataAdvantage, has two main features to it. These features broadly answer the questions, “who can touch what”, and “who is touching what”. I am not in the security business, but the demonstration I saw was eye-opening and effective, and I have not heard of others in this same space (and since I’m undoubtedly wrong, others will comment with names of competitive products). I am writing this blog based upon a demo. This demo was effective, and if I were more into the security space I would get a copy and play with it.
The product is built on what they call the IDU Platform. It consists of a SQL database, a whole boatload of analytical software (translation: software written by a Ph.D.) and some agents. It reads from Active Directory using a service account (no schema changes) and does not require enabling NFS security logging on your systems.
Who can touch what?
Starting with that first question, this system makes it possible, or at least easier, to look at how security permissions are being applied to folders and files on servers around your network. You turn on a meta-data crawler that pulls ACL information into the SQL database. After you let this go for a while, you can use the GUI to investigate. The GUI looks pretty snappy. You have the typical three-pane window that we see a lot of these days. On the left are your Active Directory Groups and Users. In the middle are folders and files. On the right are user rights. Once you master this interface, it seems that you can do just about any kind of query out of this thing. Want to just troll down the folders and have the AD groups show you who has access? Check. Want to pick a user or group and see what files they have access to? Check. Want to see what files have “Everyone” access? Check. Want to point to a file and determine the effective permissions all the way to the root of the drive? No. At least not today. (For example, Joe might have access to a file, but without access to a parent folder he can never get to the file anyway.)
This feature not only allows you to audit permissions in an easy-to-consume interface, but you can modify the ACLs from this interface to fix them on the live systems (remember: you are viewing a snapshot of the ACLs that are stored in the database). As people change roles within a company over time, it is easy to grant ACL access and then forget about it; institutionally these grants rarely go away as they should when the conditions change. With this product, you have a tool to monitor, audit, and correct.
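To make the queries above concrete, here is a small model of an ACL snapshot of the kind the crawler would store, with the three queries the post says the GUI answers (who can reach a folder, what a user can reach, which files grant “Everyone”) plus the one it says it cannot yet do: effective access walked up to the root, where a missing right on a parent folder blocks access to the file, exactly as the Joe example describes. This is an added example, not Varonis code or the product’s data model; the users, groups, paths and ACEs are constructed, each object’s ACL is stored as the already-inherited result, and rights are reduced to read, write and traverse. One caveat for anyone building the real check: Windows grants the “Bypass traverse checking” privilege to users by default, so on an actual server a missing traverse right on a parent does not by itself stop access by full path; the model below enforces the stricter rule the post describes.

```python
"""Toy ACL snapshot and the permission queries the post lists.

Added example, not Varonis code. Groups, paths and ACEs are constructed;
each path's ACL is recorded post-inheritance, as a crawler would store it.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Ace:
    principal: str
    rights: FrozenSet[str]  # subset of {"read", "write", "traverse"}
    allow: bool = True      # False = explicit Deny ACE


def ace(principal: str, *rights: str, allow: bool = True) -> Ace:
    return Ace(principal, frozenset(rights), allow)


# Nested membership: name -> groups it belongs to directly (constructed).
GROUPS: Dict[str, Set[str]] = {
    "joe": {"Finance"}, "ann": {"Engineering"}, "bob": {"Domain Users"},
    "Finance": {"Domain Users"}, "Engineering": {"Domain Users"},
}
USERS = ["ann", "bob", "joe"]

# ACL snapshot keyed by path (constructed). Note the "Everyone" leak on the
# budget file and bob's direct grant on private.txt inside a folder he
# cannot traverse.
ACLS: Dict[str, List[Ace]] = {
    "S:": [ace("Domain Users", "read", "traverse")],
    "S:/Finance": [ace("Finance", "read", "write", "traverse")],
    "S:/Finance/budget.xlsx": [ace("Finance", "read", "write"),
                               ace("Everyone", "read")],
    "S:/Finance/private.txt": [ace("Finance", "read"), ace("bob", "read")],
    "S:/Public": [ace("Domain Users", "read", "write", "traverse"),
                  ace("Engineering", "write", allow=False)],
    "S:/Public/readme.txt": [ace("Everyone", "read")],
}


def principals_of(name: str) -> Set[str]:
    """The user plus every group it belongs to, transitively, plus Everyone."""
    seen, stack = {name, "Everyone"}, [name]
    while stack:
        for group in GROUPS.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen


def object_rights(principals: Set[str], path: str) -> Set[str]:
    """Rights on one object: union of matching Allow ACEs minus any Deny."""
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for entry in ACLS.get(path, []):
        if entry.principal in principals:
            (allowed if entry.allow else denied).update(entry.rights)
    return allowed - denied


def ancestors(path: str) -> List[str]:
    parts = path.split("/")
    return ["/".join(parts[:i]) for i in range(1, len(parts))]


def effective_access(user: str, path: str) -> Set[str]:
    """Rights on `path`, but only if every parent folder grants traverse
    (the rule the post describes; see the lead-in about bypass traverse)."""
    principals = principals_of(user)
    for parent in ancestors(path):
        if "traverse" not in object_rights(principals, parent):
            return set()
    return object_rights(principals, path)


def who_can_access(path: str) -> List[str]:
    return sorted(u for u in USERS if effective_access(u, path))


def accessible_by(user: str) -> List[str]:
    return sorted(p for p in ACLS if effective_access(user, p))


def files_with_everyone() -> List[str]:
    return sorted(p for p, acl in ACLS.items()
                  if any(a.allow and a.principal == "Everyone" for a in acl))


if __name__ == "__main__":
    print("Everyone:", files_with_everyone())
    print("ann reaches:", accessible_by("ann"))
    print("bob on private.txt:", effective_access("bob", "S:/Finance/private.txt"))
```

The last query is the interesting one for remediation: bob has an explicit read grant on `private.txt`, so a per-object ACL report lists him, yet he cannot reach the file through the folder tree. Conversely, the “Everyone” grant on `budget.xlsx` is harmless only as long as the parent folder stays locked down, which is exactly the kind of dependency that a snapshot of per-object ACLs alone does not surface.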
Now, before you jump on the offer for a free 30 day trial, stop and think about how you are going to use this first. There are at least two bad approaches you can take, the cowboy approach and the committee approach.
In the Cowboy approach you just look around and when you see something you think is wrong you change it. If nobody complains then that was the right thing to do. The Committee approach has you troll for issues and then sends them to a committee to investigate and implement change control procedures sometime in the next 3 years. Hopefully you can come up with a process for handling what you find that is somewhere in-between these extremes.
Who is touching what?
In order to answer the second question, a DLL probe (agent) is added to the servers. This agent registers itself with the kernel event system to receive file access notification events. These events are already built into the Windows OS and are efficiently posted (and dropped if there is nothing registered to receive the event) inside the kernel of the OS. The NTFS file system already posts these events, so you don’t need to turn anything on (such as security auditing). The agent will eliminate duplicate events, and a collector will occasionally (configurable) gather them and forward them into the database for analysis.
This is where the Ph.D. comes in. …magic happens… …and now you have a GUI that allows you to find out who touched what. Here, any good programmer could show you what files a user or a group of users accessed. Or conversely, what users accessed a group of files. But with a Ph.D. you get far more interesting questions answered by looking at patterns. For example, “what files do only the finance group normally access, and who outside of finance also has access to them”? Another problem they mentioned is the employee who suddenly starts downloading everything to his laptop, typically a couple of days before he quits. I’m sure there must be a few government mandated programs that this software addresses like SOX or HIPAA or whatever.
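The two preceding paragraphs describe a pipeline: raw file-access notifications, de-duplicated at the agent, collected into a store, and then queried for patterns rather than individual accesses. The following added example (not Varonis code; the events, users and group membership are constructed, and the thresholds are arbitrary) runs that pipeline over four days of invented activity: it collapses the duplicate notifications, then answers the two pattern questions the post raises, namely which files were only ever touched by the Finance group and which outsider later touched one of them, and which user’s daily access count suddenly jumps far above their own baseline. It generalises the second question slightly by using a per-user median baseline rather than a fixed number, so a user who normally opens three files a day and one who normally opens three hundred are judged on their own history.

```python
"""Access-event pipeline: agent-side de-duplication, then two pattern queries.

Added example, not Varonis code. All events are constructed; the 5 s
de-duplication window and the spike thresholds are illustrative choices.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, NamedTuple, Set, Tuple


class Event(NamedTuple):
    ts: datetime
    user: str
    op: str
    path: str


# Group membership used by the "finance-only" query (constructed).
MEMBERS: Dict[str, Set[str]] = {"Finance": {"joe", "sue"}, "Engineering": {"ann"}}


def build_sample_events() -> List[Event]:
    """Four days of constructed activity. joe (Finance) reads three budget
    files a day and ann (Engineering) two specs; on day 4 joe pulls 40 files
    and ann opens one Finance file. Every read is logged twice, one second
    apart, to mimic the duplicate notifications the agent has to collapse."""
    t0 = datetime(2007, 3, 1, 9, 0, 0)
    events: List[Event] = []

    def log(day: int, minute: int, user: str, path: str) -> None:
        ts = t0 + timedelta(days=day, minutes=minute)
        events.append(Event(ts, user, "read", path))
        events.append(Event(ts + timedelta(seconds=1), user, "read", path))

    for day in range(3):
        for i in range(3):
            log(day, i, "joe", f"S:/Finance/budget{i}.xlsx")
        for i in range(2):
            log(day, i, "ann", f"S:/Eng/spec{i}.doc")
    for i in range(40):
        log(3, i, "joe", f"S:/Finance/archive{i}.xlsx")
    log(3, 50, "ann", "S:/Finance/budget0.xlsx")
    return sorted(events)


def dedupe(events: List[Event], window: timedelta = timedelta(seconds=5)) -> List[Event]:
    """Drop a repeat of the same (user, op, path) seen within `window`."""
    last_kept: Dict[Tuple[str, str, str], datetime] = {}
    kept: List[Event] = []
    for e in sorted(events):
        key = (e.user, e.op, e.path)
        if key in last_kept and e.ts - last_kept[key] <= window:
            continue
        last_kept[key] = e.ts
        kept.append(e)
    return kept


def group_exclusive_files(events: List[Event], group: str,
                          members: Dict[str, Set[str]]) -> List[str]:
    """Files that only members of `group` have ever touched in `events`."""
    users_by_file: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        users_by_file[e.path].add(e.user)
    return sorted(p for p, users in users_by_file.items() if users <= members[group])


def outsiders_touching_group_files(events: List[Event], group: str,
                                   members: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Non-members who, on the latest day, touched a file that was
    group-exclusive over all earlier days (the baseline)."""
    latest = max(e.ts.date() for e in events)
    baseline = [e for e in events if e.ts.date() < latest]
    exclusive = set(group_exclusive_files(baseline, group, members))
    return sorted({(e.user, e.path) for e in events
                   if e.ts.date() == latest and e.path in exclusive
                   and e.user not in members[group]})


def download_spikes(events: List[Event], factor: float = 5.0,
                    min_count: int = 10) -> Dict[str, Tuple[int, float]]:
    """Users whose latest-day access count exceeds `factor` times the median
    of their own earlier days (and at least `min_count`, to ignore noise)."""
    per_user: Dict[str, Counter] = defaultdict(Counter)
    for e in events:
        per_user[e.user][e.ts.date()] += 1
    flagged: Dict[str, Tuple[int, float]] = {}
    for user, days in per_user.items():
        if len(days) < 2:
            continue
        latest = max(days)
        baseline = median(v for d, v in days.items() if d != latest)
        if days[latest] >= min_count and days[latest] > factor * baseline:
            flagged[user] = (days[latest], baseline)
    return flagged


if __name__ == "__main__":
    clean = dedupe(build_sample_events())
    print("spikes:", download_spikes(clean))
    print("outsiders:", outsiders_touching_group_files(clean, "Finance", MEMBERS))
```

De-duplication runs before either query on purpose: counting every duplicate notification would double every user’s baseline and the spike alike, which happens to leave the ratio intact here, but any agent that retries or fans out notifications unevenly would skew it. The “outsider” query is the behavioural half of the post’s finance question; the ACL half (who has rights to those files, whether or not they have used them) needs the permission snapshot rather than the event stream.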
Finishing Up
Nowhere here do I address the performance impacts of dropping such a system in. There is no free lunch, but I heard reasonable sounds that it probably isn’t bad on your existing equipment; you probably do have to add hardware to house the platform plus the database. In a large environment, this probably means adding data collectors in a three-tier approach.
Varonis has been in business since 2005. One assumes they are here in the US market to get bought out by someone (which could be good or bad for their customers, depending on who that is). I heard (third-hand) that licensing starts at US$17,000 for a 100 user shop. After seeing the demo I had expected a higher price tag, but I suppose that you have hardware/OS for the platform and a database to provision on top of that. To really price out the cost, you also have to consider the time element. Figure a couple of days for training, and a day to install stuff. After waiting to get a baseline, even in a small shop you have to figure a man-month of looking at stuff and starting the remediation process. And how do you calculate an ROI? Simply put, this is the stuff you are ignoring today, so are all the costs overhead without savings? Well, not taking care of security does cost you plenty; it is just really hard to quantify that. Maybe the “what will it cost you to have a security or data breach” argument works.
The company does direct sales and has an active channel program. The website lists about 15 customers and I also heard that Fidelity was a customer (although not listed on the website) as well.