Now You Know – Varonis DatAlert Suite Home Insights Blog Now You Know – Varonis DatAlert Suite August 26, 2021 Part 1 of a series. The Varonis Data Security Platform is true to its name: it’s a complete, enterprise-level data security platform that meets and exceeds your unstructured data requirements. One of the ways it shows versatility and comprehensiveness lies in ability to expand and integrate additional Varonis products. One of the products that stacks with the Data Security Platform is the Varonis DatAlert Suite, which comprises two products: DatAlert and DatAlert Analytics. This powerful suite provides out-of-the-box rules to detect and alert on suspicious file system activity, whether on-prem or in the cloud, as well as within your email and network environments. In addition to this vast array of rules, it also lets you create custom rules tailored to specific environments. So, you may be wondering – “how does it all work?” Or “what’s the difference between DatAlert and DatAlert Analytics?” Let’s discuss. DatAlert Let’s start with DatAlert, which allows for standard and threshold rules. Think of these as having a specific set of conditions or a threshold of conditions. When the conditions are met, rules trigger an alert. The rules monitor your data resources and critical assets for suspicious and unusual activities and work across platforms monitoring events throughout Windows and UNIX/Linux, as well as storage devices such as Isilons and NetApps, Active Directory, SharePoint, Exchange, M365 and more. You might be curious – “what are the conditions a rule might be configured to look for?” Well, DatAlert allows you to get granular. For instance, you might want a rule to look for changes to your Active Directory “Domain Admins” group, file system permission changes, GPO changes or to detect when a file is created, opened or renamed due to a potential ransomware attack. Perhaps you need certain DatAlert rules to apply only to specific personnel or groups or only at specific times. All this customization is possible. Image Picture 1: Above is an example of some of the common items DatAlert is detecting and protecting against. When threats or suspicious activities are detected, alerts are triggered helping you detect potential security breaches and unwanted changes in your environment. These alerts can notify IT or Security Admins and be forwarded to your syslog devices or SIEMs. The alerts can even trigger responsive actions such as disabling a user’s account, turning off a network share, logging a user off or even shutting down a resource. These responsive actions can be anything from executing a command line binary or batch file to executing a PowerShell script triggering the desired responsive action. The detection of critical events and compromised assets is critical to a healthy and secure environment. Varonis DatAlert drastically reduces the amount of time it takes to find and assess genuine issues and keeps your data protected. DatAlert Analytics So, that’s a little bit about Varonis DatAlert but what about DatAlert Analytics? Varonis has a dedicated team of security experts and data scientists that are continually looking at behavior-based threat models. DatAlert Analytics capitalizes on this expertise and has introduced behavior-based analysis. Essentially, the true power of DatAlert Analytics lies within automating threat detection with predictive threat models built on analytics, user behavior, and machine learning. DatAlert Analytics profiles user type and behavior. It understands which accounts are administrative, executive, or service accounts and builds a baseline analysis on how these accounts are typically used within the organization. Do these accounts access file servers, cloud resources, email systems, or interact with Active Directory? Varonis DatAlert Analytics knows. It understands your users’ behavior throughout your data resources. It alerts on potential threats and atypical behavior and offers the same ability as DatAlert to trigger responsive actions. It will become your greatest ally in defending against insider threats, ransomware, and potential data breaches. DatAlert Analytics give you meaningful insights into user and data patterns, security risks, and even social connections. Image Picture 2: Above is an example of DatAlert Analytics rules that are searching for abnormal behavior based on the user behavioral profiles that Varonis builds. Dashboard Lastly, let’s put all of this together. The Varonis DatAlert Suite can help you visualize, interpret, and analyze risk and alerts via a built-in dashboard. The DatAlert Suite utilizes a user-friendly web-based dashboard which helps you score, triage, analyze, and prioritize alerts which lead to action and incident resolution. These alerts are tracked from a user, device, and threat model perspective. The dashboard can be customized based on alert criteria which will deliver meaningful output to your security analysts. For each alert, the DatAlert Suite’s dashboard will provide a playbook that reviews what events caused alerts to be triggered, who you should notify, how you can contain and recover from the alert. It will also offer things that can be done to tune your alerts for added accuracy in the future. Image Picture 3: Above is a high-level example of the dashboard showing top alerted assets. Image Picture 4: Above is a detailed example of events that caused an alert for a user account (BackupService) accessing atypical files on a data resource. If you would like to learn more, please reach out to your Optiv account team to schedule a demo. If you don’t already have a dedicated advisor, please fill out the “Contact Us” form and someone will be in touch. Additionally, ask about the Varonis Data Risk & Ransomware Preparedness assessments that can illuminate things such as where your sensitive data is located, where your data may be at risk, and how the Varonis DatAlert Suite can detect and alert on threats which allow you to respond promptly and confidently. If you didn’t know, now you know! By: Jeremy Bieber Partner Architect for Varonis | Optiv Jeremy is Optiv's Partner Architect for Varonis, specializing in understanding unstructured data, data governance/compliance and data protection. With over 22 years of experience, Jeremy began professionally working with technology during the late 1990s at Electronic Data Systems and later at Hewlett-Packard. In 2016 he joined Varonis, consulting with clients and implementing the Varonis Data Security Platform to ensure client achievement of least-privileged access models and proactive threat detection, locating and ensuring sensitive-data compliance on-premise and in the cloud. Over the course of his career, Jeremy has achieved a range of industry certifications including over a dozen Microsoft certifications, certifications from VMware, Hewlett-Packard, Smarsh and Varonis. He can pull from his lengthy experience including system administration, architecture, engineering and consulting to provide a seasoned focus on data security. At Optiv, he uses this real-world experience to relate how the Varonis Data Security Platform will enhance the overall security goals for our clients, reduce risk, detect abnormal behavior and ensure compliance. Share: Threat Partner Series Ransomware Analytics Risk UEBA/UBA Related Insights Image Cyber Threats, Unintegrated Tools and Alert Fatigue November 06, 2019 Nearly a third of cybersecurity professionals say they ignore alerts because so many are false positives. See Details Blog Image Security Automation and Orchestration Briefing: Technology and Partner Review May 15, 2018 This paper takes an in-depth look at Phantom’s solution and constructing playbooks to triage endpoint and network alerts. See Details Download Image Zero Trust Journey: Zero Trust with Varonis July 20, 2021 Zero Trust security is a new way to architect your cybersecurity strategy. Read to learn about how to set up Zero Trust Security for your network. See Details Download How Can We Help? Let us know what you need, and we will have an Optiv professional contact you shortly.