What’s In Your Cloud?

July 28, 2022

By now, you may have read one of my previous blog posts in the larger series “Now You Know.” But in case you haven’t and you’re starting here, that’s okay. This is a really good place to start.


In this post I’m going to cover Varonis’ latest platform offering, DatAdvantage Cloud (DAC). If you’re familiar with Varonis’ enterprise on-premise product “DatAdvantage,” then you may be excited to learn that similarly, DAC covers a vast array of SaaS offerings.


So what exactly is DatAdvantage Cloud? In short, the solution identifies risky, abnormal, and malicious behavior across your cloud platforms and visualizes and prioritizes it in a single pane of glass. This allows organizations to monitor and manage from a central location with ease.


What platform coverage does DAC have? SaaS applications and cloud-based data stores such as Salesforce.com, Google Drive and AWS are common coverage platforms, but DAC also integrates with platforms such as Box, GitHub, Zoom, Slack, Jira and Okta.


Like the platforms it covers, DAC is itself a SaaS-based offering. This greatly improves deployment, integration time and efficiency. I will discuss some of these details throughout this post.


It’s no secret companies have dramatically increased their reliance on the key cloud services mentioned above. Each of these services has its own types of data, permission sets and activity logs. One aspect that allows DAC to really shine is its identity correlation. It correlates identities with permissions, events and activities across all the aforementioned cloud platforms.


Imagine being able to see and then prioritize your organization's largest cloud risks by conducting more efficient and quicker multi-cloud investigations and thereby reducing your blast radius.



Deployment & UI

I recently requested that Varonis spin up a DAC instance for testing. Varonis was promptly able to have this instance available and ready for me to log in. Within our instance I was able to quickly integrate some development instances of supported SaaS offerings, namely AWS and Salesforce.com.


The integration of DAC with Salesforce.com and AWS took about 15 and 30 minutes, respectively. Another notable aspect of DAC is that it is agentless. Integration prerequisites and step-by-step instructions on how and what to set up within each cloud app are available in the configuration section of the DAC interface, in addition to offline documentation. Utilizing these in-app instructions, I found the entire process easy to follow and functional. See Picture 1 for a sample of AWS onboarding and Picture 2 for a sample of Salesforce onboarding. As you can see, it walks through the entire process with embedded documentation and screenshots.



Picture 1



Picture 2


The overall User Interface (UI) for DAC is intuitive with a polished layout. There are several top-level tabs on the left of the webpage that each allow for various functions and configurations. They are Dashboard, Policies, Alerts, Investigation, Compliance, Insights, and Reports. See Picture 3 below.



Picture 3


As you would expect, the Dashboard tab is exactly that, a dashboard. It contains a high-level view of any open alerts and identity activity across your monitored SaaS platforms. See Picture 4 below.


Varonis now allows customization of various dashboard components that pull data from underlying saved reports. The Dashboard is fairly self-explanatory, so for the remainder of this blog post we’ll focus on some of the other key sections within DAC.



Picture 4


Policies and Alerting

The Policies tab is made up of configurable organizational security policies. In true Varonis fashion, they provide a plethora of common policies out-of-the-box. Additionally, there is an option to build your own custom policies.


Policies in DAC are sets of defined activities whose occurrence triggers an action, such as generating an alert. For example, in AWS one might want an alert to trigger if there is an S3 bucket deletion attempt, or if logging is stopped or deleted. These are just a couple of examples of policies at work within your AWS environment.
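To make the idea of "defined activities that trigger an alert" concrete, here is an added example (not DAC's engine and not Varonis code) that evaluates the two AWS policies mentioned above against CloudTrail-style records. The `POLICIES` layout, the tag names and the sample events are constructed for illustration; the record field names follow the standard CloudTrail schema.

```python
# Added illustration: a minimal policy evaluator over CloudTrail-style records.
# Not DAC's implementation; POLICIES, tag names and SAMPLE_EVENTS are constructed.
POLICIES = [
    {"name": "S3 bucket deletion attempt", "severity": "High",
     "source": "s3.amazonaws.com", "events": {"DeleteBucket"}},
    {"name": "CloudTrail logging stopped or deleted", "severity": "High",
     "source": "cloudtrail.amazonaws.com", "events": {"StopLogging", "DeleteTrail"}},
]

# Constructed sample records (placeholder user names, standard CloudTrail fields).
SAMPLE_EVENTS = [
    {"eventTime": "2022-07-01T10:02:11Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "example-user-a"}},
    {"eventTime": "2022-07-01T10:05:40Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "example-user-a",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2022-07-01T10:06:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "example-user-b"}},
]

def actor(record):
    """Best-effort identity label: IAM user name, else ARN, else identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")

def tags(record):
    """Context tags: denied calls, and calls not made in an MFA-authenticated session."""
    out = []
    if record.get("errorCode"):
        out.append("denied")  # a denied call is still an attempt worth alerting on
    attrs = record.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    if attrs.get("mfaAuthenticated") != "true":  # absent field is treated as no MFA
        out.append("no-mfa")
    return out

def evaluate(records, policies=POLICIES):
    """Return one alert per record that matches a policy's source and event name."""
    alerts = []
    for rec in records:
        for pol in policies:
            if rec.get("eventSource") == pol["source"] and rec.get("eventName") in pol["events"]:
                alerts.append({"policy": pol["name"], "severity": pol["severity"],
                               "identity": actor(rec), "time": rec["eventTime"],
                               "action": rec["eventName"], "tags": tags(rec),
                               "outcome": rec.get("errorCode", "Success")})
    return alerts
```

Calling `evaluate(SAMPLE_EVENTS)` yields two alerts; the denied `DeleteBucket` call is kept because the policy is about attempts, not only successful deletions.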


Perhaps in Salesforce you want to monitor and alert on abnormal behavior. For example, what if a Log4Shell vulnerability payload is identified? Or users are promoted to super-admin? DAC captures the activity and alerts on it. And, as you may have guessed, it allows one to drill into the activities that generated said alerts. I’ve included a sample alert of Medium severity in Picture 5 below.



Picture 5


Here we can see that the identity “tduncan” is performing admin functions without Multi-Factor Authentication (MFA) being active. We can also see what the specific action is, along with several tags identifying characteristics of this alert and the underlying actions, for example “internal,” “super admin” and “privileged entity.” As you will see later in this post, tags can be useful for filtering.


If you look at the upper right corner of Picture 5 you will notice that, with the click of a button, you can immediately see similar alerts, share this alert or view the policy that caught this alert.


Alerts are filterable on a whole host of criteria. For example, you could filter alerts based upon date, services, status, severity, or even the specific policy that triggered the alert. Filtering allows for a quicker path to narrowing down key alerts, which results in quicker time to action.


The platform can even identify improper or undesirable configurations.


For example, let’s say an account with permissions within your organization’s Salesforce instance configures a specific yet undesirable network subnet or IP for trusted access. This setting is typically buried within Salesforce’s myriad of configuration screens and options, yet DAC can quickly identify and alert on this type of behavior, right out of the box.


Now that we have discussed policies and alerts, I’d like to cover the topic of “Identities.” In the above example we noticed the identity tduncan. In the next section we will explore the concept of Identities within DAC.



Investigation: Identities and Activity

So what are identities within DatAdvantage Cloud? Within the Investigation tab there are sub-tabs: Activity, Identities, Entitlements and Resources. Let’s focus on the Identities tab.


The Identities tab allows one to see, at a glance, various contextual information about account identities. For example, you can quickly see identities’ locations, types, status, and staleness. See Picture 6 below. Identities within DAC could refer to any user, or perhaps role, within any one of the platforms you are monitoring. Various platforms utilize different verbiage or object names, so DAC coalesces each of these under the umbrella of “Identities.”



Picture 6


Beyond this, you can now begin to perform an investigation into Identities and their corresponding activities. Once you find an identity you would like to understand more about, you simply click on the identity and are then taken to a view focused on that identity.


For example, in Picture 7 below you can see I’ve clicked on the identity “PRS-Connect,” which happens to be an AWS user account within a test AWS instance.



Picture 7


From here you can see the additional sub-tabs. These give you the ability to filter the activity, look at recent resources utilized, perform an access review, and even see related identities. (Also shown above in Picture 7.)


Below, I’m showing a single example of an entitlement afforded to user Josh Hammond’s Salesforce.com identity to show how DAC nicely pulls access levels into a single view and uses the CRUD permission mapping. If you’re unfamiliar with CRUD, it is simply a grouping of standard permission types: (C)reate, (R)ead, (U)pdate, (D)elete. See Picture 8 below.



Picture 8


You can get an overview of what access an Identity has and how/where it is derived by further looking at the Assignments link and the provided reasons for the access, as shown in Picture 9 below.



Picture 9


One other useful aspect is the Related Identities sub-tab. The information within is often used when an organization is offboarding personnel. Here, DAC shows you personal accounts all mapped to a single identity for tracking purposes. Or, what if you have suspicious alerts from odd accounts? You could come to this tab and see all accounts related to the identity and then begin to formulate a plan to stop this type of activity. See Picture 10 below.



Picture 10 – related identities


As you can see, no longer does one have to sift through endless screens within your cloud platform, such as AWS, or do manual discovery on the access granted to your identities within supported platforms. You can now glean context and quickly and easily utilize your findings to ensure you are achieving least-privilege and reducing your blast radius.


These are just a few things that can be achieved within the Investigation section of DAC. Other things also include seeing group and role entitlements from your various cloud apps, and understanding who is a member of these groups or assigned various roles. You can understand what resources exist in each cloud application and even understand which are public or over-privileged. One can even build a non-user specific filter to look across all activity within any monitored cloud environment and get easy-to-read results on what activity is taking place, where, by whom, and when.



New Features & Improvements

The DAC offering is SaaS-based, so new features and improvements that get rolled out occur seamlessly.


One of the most popular platforms DAC handles is Salesforce. As of the end of April 2022 Varonis announced new features for securing your organization’s Salesforce environment, including data classification for attachments in Salesforce.


As a leading CRM, Salesforce contains some of your organization’s most valuable data, such as customer and prospect information, contracts, etc. What many security teams do not understand is the sheer scope of Salesforce and how much data it houses.


For example, if a financial institution were to build an app with Salesforce, what would happen when you upload your financial documents with your loan application? That information gets contained in Salesforce as files and attachments. There isn’t a way to locate, classify, or secure these files natively in Salesforce.


This is where DAC enters the picture. Varonis has introduced capabilities to help organizations locate and control difficult-to-find sensitive data across Salesforce instances. I will cover these new capabilities at a high level and in a future blog post expand on these and other capabilities.


First, this latest release allows one to classify sensitive files and attachments. For example, DAC now peers inside files attached to objects in Salesforce and subsequently auto-tags sensitive items.


What about understanding exposure in Salesforce? This latest release calculates the net-effective permissions with a simple bi-directional view to show you who has access to sensitive data. DAC now reduces exposure and fixes compliance gaps, such as ex-employees or guest users who still have unnecessary access.


Additionally, it now has the ability to monitor user behavior and alert on data exfiltration attempts by bad actors or malicious insiders and detect org-wide misconfigurations and vulnerabilities within the Salesforce platform.




DAC is a very robust platform targeting key SaaS applications which ensures organizations have proper visibility into their cloud footprint. The capabilities offered drastically reduce your blast radius while offering a single-pane of glass into your critical cloud-based applications, user identities and permissions, audit activity, and compliance for your sensitive data.


Best of all, Optiv works directly with Varonis and provides free assessments that take only minutes to get off the ground. The output of these assessments is often eye-opening and leads to larger conversations around data, identity security, and compliance in the cloud. Contact your Optiv client manager today to learn more!

Jeremy Bieber
Partner Architect for Varonis | Optiv
Jeremy is Optiv's Partner Architect for Varonis, specializing in understanding unstructured data, data governance/compliance and data protection.

With over 22 years of experience, Jeremy began professionally working with technology during the late 1990s at Electronic Data Systems and later at Hewlett-Packard. In 2016 he joined Varonis, consulting with clients and implementing the Varonis Data Security Platform to ensure client achievement of least-privileged access models and proactive threat detection, locating and ensuring sensitive-data compliance on-premise and in the cloud.

Over the course of his career, Jeremy has achieved a range of industry certifications including over a dozen Microsoft certifications, certifications from VMware, Hewlett-Packard, Smarsh and Varonis. He can pull from his lengthy experience including system administration, architecture, engineering and consulting to provide a seasoned focus on data security.

At Optiv, he uses this real-world experience to relate how the Varonis Data Security Platform will enhance the overall security goals for our clients, reduce risk, detect abnormal behavior and ensure compliance.
