Now You Know – Varonis DatAlert Suite

August 26, 2021

Part 1 of a series.

The Varonis Data Security Platform is true to its name: it’s a complete, enterprise-level data security platform that meets and exceeds your unstructured data security requirements. One of the ways it shows its versatility and comprehensiveness is the ability to expand and integrate additional Varonis products. One product that stacks with the Data Security Platform is the Varonis DatAlert Suite, which comprises two products: DatAlert and DatAlert Analytics.

This powerful suite provides out-of-the-box rules to detect and alert on suspicious file system activity, whether on-premises or in the cloud, as well as within your email and network environments. In addition to this vast array of rules, it also lets you create custom rules tailored to your specific environment.

So, you may be wondering: “How does it all work?” or “What’s the difference between DatAlert and DatAlert Analytics?”

Let’s discuss.

DatAlert

Let’s start with DatAlert, which supports standard and threshold rules. Think of a standard rule as a specific set of conditions, and a threshold rule as a threshold that matching conditions must reach. When the conditions are met, the rule triggers an alert. The rules monitor your data resources and critical assets for suspicious and unusual activity and work across platforms, monitoring events throughout Windows and UNIX/Linux as well as storage devices such as Isilons and NetApps, Active Directory, SharePoint, Exchange, M365 and more.

You might be curious: “What conditions might a rule be configured to look for?” Well, DatAlert lets you get granular. For instance, you might want a rule that looks for changes to your Active Directory “Domain Admins” group, file system permission changes or GPO changes, or one that detects files being created, opened or renamed in a pattern that suggests a ransomware attack. Perhaps you need certain DatAlert rules to apply only to specific personnel or groups, or only at specific times. All of this customization is possible.

[Image: datalert_img1]

Picture 1: An example of some of the common activities DatAlert detects and protects against.

When threats or suspicious activities are detected, alerts are triggered, helping you spot potential security breaches and unwanted changes in your environment. These alerts can notify IT or security admins and be forwarded to your syslog devices or SIEMs. An alert can even trigger a responsive action such as disabling a user’s account, turning off a network share, logging a user off or shutting down a resource. A responsive action is implemented as a command-line binary, a batch file or a PowerShell script that carries out the desired response.

Detecting critical events and compromised assets is essential to a healthy and secure environment. Varonis DatAlert drastically reduces the time it takes to find and assess genuine issues and keeps your data protected.

DatAlert Analytics

So, that’s a little about Varonis DatAlert, but what about DatAlert Analytics? Varonis has a dedicated team of security experts and data scientists who continually refine behavior-based threat models. DatAlert Analytics capitalizes on this expertise by introducing behavior-based analysis. Essentially, the true power of DatAlert Analytics lies in automating threat detection with predictive threat models built on analytics, user behavior and machine learning.

DatAlert Analytics profiles user types and behavior. It understands which accounts are administrative, executive or service accounts and builds a baseline of how these accounts are typically used within the organization. Do these accounts access file servers, cloud resources or email systems, or interact with Active Directory? Varonis DatAlert Analytics knows. It understands your users’ behavior across your data resources, alerts on potential threats and atypical behavior, and offers the same ability as DatAlert to trigger responsive actions. It will become your greatest ally in defending against insider threats, ransomware and potential data breaches. DatAlert Analytics gives you meaningful insights into user and data patterns, security risks and even social connections.
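
The two rule styles described above, a DatAlert-style threshold rule and a DatAlert Analytics-style behavioral baseline, illustrated as an added example that is not Varonis code: the event fields, account names, share paths and limits are all assumptions, and the sample events are constructed.

```python
"""Toy models of the two rule styles the post describes: a DatAlert-style
threshold rule and a DatAlert Analytics-style behavioral baseline.
Added example, not Varonis code; fields, names and limits are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: int       # seconds since epoch (constructed values)
    user: str     # account performing the action
    action: str   # "open", "create", "rename", ...
    share: str    # data resource that holds the file


def threshold_rule(events, action="rename", limit=5, window=60):
    """Alert when one user performs `limit` or more `action` events within a
    sliding `window` of seconds: a crude stand-in for a ransomware rename rule."""
    recent = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action != action:
            continue
        q = recent[ev.user]
        q.append(ev.ts)
        while ev.ts - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= limit:
            alerts.append((ev.user, ev.ts))
            q.clear()                   # one alert per burst, not per event
    return alerts


def baseline_rule(history, events):
    """Learn which shares each account normally touches from `history`, then
    alert on any event in `events` that hits a share outside that baseline."""
    baseline = defaultdict(set)
    for ev in history:
        baseline[ev.user].add(ev.share)
    return [(ev.user, ev.share) for ev in events
            if ev.share not in baseline.get(ev.user, set())]


# Constructed sample data: a week of routine history, then one day of new events.
HISTORY = (
    [FileEvent(t, "BackupService", "open", r"\\fs01\backups") for t in range(0, 7 * 86400, 3600)]
    + [FileEvent(t, "jdoe", "open", r"\\fs01\finance") for t in range(0, 7 * 86400, 7200)]
)
TODAY = (
    [FileEvent(1000 + i, "jdoe", "rename", r"\\fs01\finance") for i in range(6)]
    + [FileEvent(2000, "BackupService", "open", r"\\fs01\hr_payroll")]
)
```

Run against `TODAY`, the threshold rule fires once for jdoe’s rename burst, while the baseline rule flags only BackupService touching a share it never used during the history window, mirroring the scenario in Picture 4.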

[Image: datalert_img2]

Picture 2: An example of DatAlert Analytics rules that search for abnormal behavior based on the user behavior profiles Varonis builds.

Dashboard

Lastly, let’s put all of this together. The Varonis DatAlert Suite helps you visualize, interpret and analyze risk and alerts via a built-in, user-friendly, web-based dashboard that helps you score, triage, analyze and prioritize alerts, leading to action and incident resolution. Alerts are tracked from a user, device and threat-model perspective. The dashboard can be customized based on alert criteria to deliver meaningful output to your security analysts.

For each alert, the DatAlert Suite’s dashboard provides a playbook that reviews which events caused the alert to trigger, whom you should notify, and how you can contain and recover from it. It also suggests ways to tune your alerts for better accuracy in the future.

[Image: datalert_img3]

Picture 3: A high-level example of the dashboard showing top alerted assets.

[Image: datalert_img4]

Picture 4: A detailed example of the events that caused an alert for a user account (BackupService) accessing atypical files on a data resource.

If you would like to learn more, please reach out to your Optiv account team to schedule a demo. If you don’t already have a dedicated advisor, please fill out the “Contact Us” form and someone will be in touch. Additionally, ask about the Varonis Data Risk & Ransomware Preparedness assessments, which can illuminate where your sensitive data is located, where your data may be at risk, and how the Varonis DatAlert Suite can detect and alert on threats so that you can respond promptly and confidently.

If you didn’t know, now you know!

Jeremy Bieber
Partner Architect, Varonis | Optiv
Jeremy is a Partner Architect at Optiv focused on data security and Data Security Posture Management (DSPM), with a primary emphasis on the Varonis Data Security Platform. He helps organizations protect their most critical data by working with security, compliance, and executive stakeholders to clarify requirements, evaluate solution options, and align technology decisions with risk, priorities, and long-term strategy. He also contributes to Optiv’s corporate blog, sharing practical perspectives on data security and emerging technology and risk trends.

With more than 27 years of experience, Jeremy began his career in the late '90s at Electronic Data Systems (EDS) and Hewlett-Packard (HP), supporting mission-critical enterprise infrastructure. He later moved into security and data governance roles at Varonis, SailPoint, and Smarsh, working with organizations across highly regulated and complex industries. His work spans protecting and monitoring sensitive data, strengthening DSPM posture, and helping customers meet regulatory and privacy requirements for regulated data.

Jeremy holds more than a dozen Microsoft certifications, along with certifications from VMware, HP, Smarsh, and Varonis. His background across system administration, architecture, engineering, consulting, and advisory roles gives him an end-to-end view of how data is created, accessed, monitored, and secured. Today, he uses that experience to guide customers through evaluations, ensure solutions are grounded in real operational needs, and translate complex requirements into clear, actionable decisions.