In my never ending search to understand “the data problem”, how could I help but to stumble on a company with a tag line of “all about the data”? I could say that the tag should probably be “all about the meta-data”, but then I’d just be nit-picking.
The company is called Varonis (www.varonis.com). Headquartered in New York City, this is a company with technical talent out of Israel playing the US market. I guess I would categorize this as a security related product.
The product, DataAdvantage, has two main features to it. These features broadly answer the questions, “who can touch what”, and “who is touching what”. I am not in the security business, but the demonstration I saw was eye-opening and effective, and I have not heard of others in this same space (and since I’m undoubtedly wrong others will comment with names of competitive products). I am writing this blog based upon a demo. This demo was effective and if I was more into the security space I would get a copy and play with it.
The product is built on what they call the IDU Platform. It consists of a SQL database, a whole boatload of analytical software (translation: software written by a Ph. D.) and some agents. It reads from Active Directory using a service account (no schema changes) and does not require enabling NFS security logging on your systems.
Who can touch what?
Starting with that first question, this system makes it possible / easier to look at how security permissions are being applied to folders and files on servers around your network. You turn on a meta-data crawler that pulls ACL information into the SQL database. After you let this go for a while, you can now use the GUI to investigate. The GUI looks pretty snappy. You have the typical three pane window that we see a lot of these days. On the left is your Active Directory Groups and Users. In the Middle are folders and files. On the right are User rights. Once you master this interface, it seems that you can do just about any kind of query out of this thing. Want to just troll down the folders and have the AD groups show you who has access? Check. Want to pick a user or group and see what files they have access to? Check. Want to see what files have “Everyone” access? Check. Want to point to a file and determine the effective permissions all the way to the root of the drive? No. At least not today. (For example, Joe might have access to a file, but without access to a parent folder he can never get to the file anyway).
This feature not only allows you to audit permissions in an easy to consume interface, but you can modify the ACLs from this interface to fix them on the live systems (remember: you are viewing a snapshot of the ACLs that are stored in the database). Traditionally, when people change roles within a company over time it is easy to add and forget ACL access to people, but institutionally these accesses rarely go away as they should when the conditions change. With this product, you have a tool to monitor, audit, and correct.
Now, before you jump on the offer for a free 30 day trial, stop and think about how you are going to use this first. There are at least two bad approaches you can take, the cowboy approach and the committee approach.
In the Cowboy approach you just look around and when you see something you think is wrong you change it. If nobody complains then that was the right thing to do. The Committee approach has you troll for issues and then sends them to a committee to investigate and implement change control procedures sometime in the next 3 years. Hopefully you can come up with a process for handling what you find that is somewhere in-between these extremes.
Who is touching what?
In order to answer the second question, a dll probe (agent) is added to the servers. This agent registers itself with the kernel event system to receive file access notification events. These events are already built into the Windows OS and are efficiently posted (and dropped if there is nothing registered to receive the event) inside the kernel of the OS. The NTFS file system already posts these events, so you don’t need to turn anything on (such as security auditing). The agent will eliminate duplicate events and a collector will occasionally (configurable) gather them and forward them into the database for analysis.
This is where the Ph. D. comes in. …magic happens… …and now you have a GUI that allows you to find out who touched what. Here, any good programmer could show you what files a user or a group of users accessed. Or conversely, what users accessed a group of files. But with a Ph. D. you get extremely more interesting questions answered by looking at patterns. For example, “what files do only the finance group normally access, and who outside of finance also has access to them”? Another problem they mentioned is the employee who suddenly starts downloading everything to his laptop, typically a couple of days before he quits. I’m sure there must be a few government mandated programs that this software addresses like SOX or HIPPA or whatever.
No-where here do I address the performance impacts of dropping such a system in. There is no free lunch, but I heard reasonable sounds that it probably isn’t bad on your existing equipment, but you probably have to add hardware to house the platform plus the database. In a large environment, this probably means adding data collectors in a three tier approach.
Varonis has been in business since 2005. One assumes they are here in the US market to get bought out by someone (which could be good or bad for their customers, depending on who that is). I heard (third hand) that licensing starts at $17,000US for a 100 user shop. After seeing the demo I had expected a higher price tag, but I suppose that you have hardware/OS for the platform and a database to provision on top of that. To really price out the cost, you also have to consider the time element. Figure a couple of days for training, and a day to install stuff. After waiting to get a baseline, now even in a small shop you have to figure a man-month of looking at stuff and starting the remediation process. And how do you calculate an ROI? Simply put, this is the stuff you are ignoring so all the costs are overhead without savings? Well not taking care of security does cost you plenty; it is just really hard to quantify that. Maybe the “what will it cost you to have a security or data breech” argument works.
The company does direct sales and has an active channel program. The website lists about 15 customers and I also heard that Fidelity was a customer (although not listed on the website) as well.