Now You Know – Varonis Reporting

February 28, 2022

NOW YOU KNOW: PART 3 of a Series.

Wouldn’t it be satisfying and immensely helpful if you had the ability to quickly pull a report on who performed what activity with your data? Not only who performed the activity, but from where and when?

What about understanding your stale data footprint, or access control lists (ACLs) containing individual users or empty security groups and looped nested groups? What about understanding where all your sensitive data is, who has access to it and what type of access they have?

Do you need to clean up Active Directory (AD) or Azure AD to understand where all your stale users, or groups containing disabled users, are?

In this post, we’ll explore and discuss these scenarios and more by introducing you to the out-of-the-box reporting capabilities within the Varonis Data Security Platform (DSP). This aspect of the product allows data owners and lines of business to wield an immense understanding about their data and users. You’ll come to understand just how comprehensive, customizable, data-driven and versatile Varonis reporting really is. Not only that, but I find this aspect of the Varonis product platform is often under-utilized, and it is my hope this post goes a long way toward changing that.

For you fellow gamers out there, you might recall the early internet meme from a badly translated phrase from the 1991 English-adapted game, Zero Wing: “All your base are belong to us?” If so, you might understand my meaning when I say, “All your reports are belong to Varonis.”

UI Overview

Before jumping into specific reports and scenarios, I want to take a few moments to acclimate you with the user interface (UI). The UI is located appropriately in the “Reports” tab at the top of the Varonis DatAdvantage application. See Picture 1 below.

Image

Picture 1

The UI contains a left pane, which is a categorically sorted list of all reports, and a right pane, which is divided into an upper and lower section. Within the left pane, you can search and filter for specific reports. The right pane’s upper section is where the reporting criteria is defined, and the lower section is where a report’s results will be displayed. See Picture 2 below. This provides a good overview of the Reports UI.

Image

Picture 2

One of the most important and versatile aspects of each report is the granularity it affords, which is essential to getting the most out of reporting. The “Filters” tab (Picture 2) is key to garnering the expected query results from any report. These filters are highly versatile and also show up in other areas of the Varonis product stack. Examples of these will be covered throughout this post.

Report Categories

Now that you’ve had a brief description and visual on the Reports UI, let’s move on to discussing some key reports that every organization strongly needs, yet without Varonis, lacks the ability to obtain.

If you refer to Picture 2, you can see a list of each high-level report category on the left pane. You may be surprised that these are all standard out-of-the-box reports that Varonis provides as a staple to any purchasing customer. What’s more, each of these reports can be customized, saved, and subscriptions can be created for each. A subscription is simply defined as a report that can be configured to run at regularly scheduled intervals, saved in various formats and then delivered to recipients either via email or by placing them on a network file share. You can even use a data-driven subscription to send personalized reports to multiple recipients (data owners) from one location.

Perhaps you’d like to know on a regular basis about certain activity on some of your sensitive data, or maybe when a specific AD group’s membership is changed. Maybe you’d like to know where stale data is, or to understand where inconsistent permissions exists. These are a few examples that barely scratch the surface of what Varonis reporting capabilities can provide for your organization. Now that we have a basic understanding of the UI and reporting categories, let’s dive in. There are over twenty categories of reports available. Obviously, we won’t get to near that many in this post, but a good overview with examples should set us on the right path of understanding. It’s worth noting that each of these categories have numerous reports within. Finally, I’ll mention that each of these reports is fully exportable in multiple common formats such as CSV, XLS, PDF, HTML, etc.

Activity Reporting

I would be remiss not to talk about the very first report available at the top of the report list: The User Activity Report. This report allows one to generate results of all activity on a monitored data resource. Some examples include detailed views of file access activity, permissions changes, group membership changes, and more. Varonis tracks all activity across every data resource it monitors.

One strong use case I’ve seen for this across customers involves locating missing data. Often users will misplace or delete data. Sometimes this is purposeful, other times accidental. The reasons don’t matter. Varonis can tell you who did what with the data when and from where. In Picture 3 below I show an example of building a filter for a specific time frame (the last 2 days), for a specific user (Duane), on a specific data resource (file server CORPFS02).

Image

Picture 3

In this example, we can see that Duane accessed a file in a specific path, then several minutes later, he deleted that file. If Duane was suspected of deleting or moving additional files unwarrantedly, then you could simply adjust the filter to hone in on specific event types, paths, file types or IP addresses.

In this next example, I’ve filtered the report to look for any file or folder move, rename or delete activity. See Picture 4 below:

Image

Picture 4

You will now notice I have grouped by “Event Type” in the lower pane. One excellent feature that makes Varonis Reporting so versatile is the ability to group by any column and even multiple columns in a hierarchy. This allows one to carve up the data in a way that makes sense, and is easier to read.

You can expand each of the groups to see the specific results. For example, if I expand the “Folder Deleted” section, I will only see event activity that matches that event type. This can be extremely useful for IT and security administrators as they try to understand specific activity that may have taken place on their data resources. In Picture 5 below, you can see where I’ve now expanded the grouped results.

Image

Picture 5

The important thing to remember with Varonis Reporting is that with just about any criteria-based scenario you can dream up, the filters allow you to granularly define that scenario, thereby achieving accurate and desired results. And remember, you can always save your filter sets and build subscriptions to any report so that you can automatically receive it at desired intervals.

No matter what activity is occurring on your data resources, with Varonis, you can accurately and quickly get all the answers you need by running this report! Perhaps you have a need to see where someone is logging in from, or who is changing a GPO configuration from AD. Maybe you want to see all activity happening from a given workstation on a particular resource’s GDPR data. In short, if there’s a scenario that could happen, rest assured that the Varonis product provides myriad query filters that can track the activity and provide a nice report of it. Keep in mind, too, that there are a dozen total reports in this same category that allow you to focus on changes in users, groups, folders, authentication events, or even permission changes. The power to understand what’s happening in your environment is mission critical.

Office 365 Reporting

With more and more being pushed to cloud resources such as Office 365, companies need to ensure they have a handle on the data that exists in these spaces. Imagine being able to see all Microsoft Teams data that exists with external members, or SharePoint Online (SPO) sites open to everyone. What about answering the question of SPO links to sensitive data? All these types of reports are possible with Varonis as it relates to your company’s Office 365 cloud data resources.

Do you utilize Azure AD (AAD)? Varonis has you covered. Maybe you need to see admin role changes within AAD, or understand where the activity is on external guest shared links. Or maybe you just need to get a total list of all external users. These reporting scenarios are all part and parcel to the Varonis reporting capabilities.

For example, look at Picture 6 below to see how I utilized the User Access Log report discussed in the last section to show every instance where externally shared links were actually used.

Image

Picture 6

The query in Picture 6 simply reduces the results down to any external user that has used file or folder shared links in the last 90 days. This will allow you to understand how your shared links are being utilized, by whom, and from where. You can even set a filter to cross reference files that were identified as sensitive.

Now, let’s look at how we could find any AAD group with external users. We can simply run a customized group membership report. See Picture 7 below:

Image

Picture 7

As you can see, I’ve defined the filter as an Azure external user (excluding system groups). At the bottom you can see some of the results I captured in Picture 7. We can clearly see the group names and the external members within each. Reports such as these can help you understand how access is granted (via which group).

What about the data, though? Let’s discuss.

File System Permissions

Varonis has a rather lengthy list of reports that you can run to understand the permissions governing your data. One I would like to focus on, since we have been discussing external sharing, is the “Data Shared Externally” report. Look at Picture 8 below. Notice the filters for the query. These are already defined out of the box and immediately yield helpful and potentially actionable results. We can see that several files (108) existing on two SharePoint sites are shared externally. We can see what current permissions exist and who the users/groups are that the data is shared with.

Image

Picture 8

One of the cool things about Varonis reporting is the ability to utilize results from one report to feed the filter or inputs of another report gleaning even more information. For instance, I can run a user activity report on a specific folder or file and see who is actually using externally shared data, as we saw in Picture 6 in the last section.

Alright, let’s review one more example of a file permissions report and then we’ll move on.

Varonis has a report entitled, “Classification and Priorities.” This report displays a list of sensitive data. You can see in Picture 9 below where I’ve narrowed the scope of the report to a single file server in the last 30 days. The report has returned every location on that file server with sensitive data and context about it: the path, the file name, what type of sensitive data, etc. I can then take some or all the results from this report and run a File System Permissions or User Access Log report against the location of the identified sensitive information and find out who has access to this data, what kind of access they have, and who has actually been accessing it, respectively. I have done the latter in Picture 10 below, where I have fed the C:\Share path from the report in Picture 9 into the File System Permissions report in Picture 10. Now I can see the access permissions throughout that tree structure.

Image

Picture 9

Image

Picture 10

Notice in Picture 10 above, I’ve grouped by the “Current Permissions” column, and I’ve expanded the Full Control group. We can clearly see where the folders have allowed for Full Control access on the Share folder and its subfolders. Once security admins and data owners begin to understand the clear security gaps (such as these examples), they can further utilize the Varonis product platform to begin remediating issues in a manner that doesn’t disrupt the business. I’ve talked about and demonstrated how these initiatives can be accomplished in previous blog posts. More on that later.

Trends and Executive Reports

There are a plethora of other report categories I could cover, things such as inactive resources, stale data, size of data, etc., but in the interest of time, I wanted to make this last category a broad covering of two types of reports: trends, and executive reports that are particularly useful to organizational leadership.

We’ll start with trends reporting. There are around nine subcategories of reports in the trends category, including General File System Statistics, Sensitive Files Statistics, Open Access on Sensitive Data Statistics, among others. I’m going to focus on the General File System Statistics report.

This report has a whole host of valuable columns you can add to glean additional data. In Picture 11 below, you can see some of the columns I’ve selected, like “Number of Sensitive Folders with Open Access,” “Number of Folders with User ACEs” and “Number of Folders with Stale Data,” just to name a few. In this example we can see the results for the data resource I ran this report against (CORPFS02).

Image

Picture 11

This data resource has about 1.34GB of data, with 40% of the sensitive data existing in folders with open access. I’ll stop right there and just state the obvious. While this report has a ton of other valuable information in it, any security administrator would be greatly concerned learning that 2,789 folders contain sensitive data with open access. This trend report was ran for the last day. Running this report over time, you’d want numbers like the above statistic to drop in value.

These types of trend reports can help you gauge cleanup progress. Let’s also not forget that Varonis doesn’t just help you to discover this information, but to quickly and efficiently remove open access on the data. If you haven’t already read my previous blog post entitled, “Rev Your Automation Engine,” I would encourage you to do so. Remember, data is typically the thing organizations have the most of, and know the least about.

Something else we can understand from the above example is how much stale data exists on data resources. In this example, nearly 100% of the data on this resource is stale. Once again, in this case, Varonis can not only offer reports to uncover such metrics, but the product itself can go further to help an organization take charge of any clean-up or archiving initiatives.

Varonis reporting even allows you to generate and export executive style reports. For example, see Picture 12 below to understand stale data at a high level. These reports could supplement presentation decks or be helpful with reporting to upper management and executive level personnel regarding the state of an organization’s data. This is just one example as it pertains to stale data. Of course, we can generate more granular reports with Varonis that will actually help us identify the specific data, data owners and progress made over time as we discussed briefly above.

Image

Picture 12

A Few More Things

One of my favorite features about Varonis’ reporting capabilities is the ability to save your filter/query sets and reuse or share with others. This is a huge collaborative bonus that felt noteworthy and I wanted to point out. These get exported and imported as simple XML files.

Lastly, I wanted to highlight that Varonis offers additional reporting through the product’s web-based dashboard. The dashboard commonly contains things such as key risk indicators (KRIs), alerting metrics and analysis, but you can glean additional information by drilling into these items to generate and export reports directly. See Picture 13 below.

These KRI-style reports, coupled with the standard out-of-the-box reporting discussed in this blog post, demonstrate that “all your reports are belong to Varonis.” In other words, Varonis delivers comprehensive, first-in-class reporting that won’t be found elsewhere.

Image

Picture 13

Conclusion

The intent of this blog post is to expose you, the reader, to the vast array of reports that Varonis provides out of the box. This blog post would be much lengthier if I had covered the entire breadth and scope of the reporting that Varonis makes possible. Hopefully, it shows you some common use cases and just how easy it is to get useful reporting on your data.

There are so many powerful aspects of Varonis reporting. If you would like to learn more, please reach out to your Optiv Client Manager to schedule a Varonis demo. As I’ve mentioned in previous posts, there is a free Varonis Data Risk Assessment that utilizes the capabilities of the Varonis Data Security Platform to illuminate where open access exists, where sensitive data is located, and where your data may be at risk among many other insights. Let us help you learn the most about your data. Optiv utilizes Varonis reporting to do just that.

This concludes my “Now You Know” series of blog posts. If you haven’t read the previous two posts in this series, you can find them at optiv.com/blog.

If you didn’t know, now you know!