
From data management to incident management: how to embed Varonis correctly in the Incident Management process

Today it is hard to imagine a company that gives no thought to information security. How far information security (IS) has developed in a company usually tracks how far the business and its IT have developed. Protecting information always starts with the basics: installing firewalls, antivirus and so on, that is, solving problems at the infrastructure level. At this stage nobody pays attention to aligning and regulating the related processes. Over time the tasks get harder and more complex tools are needed: DLP systems, systems for managing unstructured and semi-structured data, security scanners, Security Information and Event Management (SIEM) systems. Eventually the set of chaotic, unregulated processes and the large number of security tools, each of them vital, reaches a state where it is no longer clear whether we actually understand how it all works, how to manage it, and what is happening in the company from an information security point of view.

Practice shows that adding more security tools does not necessarily mean adding staff. Very often managers believe that, since a decent amount has been invested in information security, everything should function almost without human involvement. It does not. As a rule, that attitude leads to overloaded personnel and low efficiency of IS operations.



A common way to solve this problem and reduce operating costs is to build a security management center around a particular SIEM solution, or simply to connect all the IS systems to a single SIEM.



It is important to understand that there is no single product that protects against "everything at once". Each piece of software or hardware protects against a particular class of threat, and, as a rule, different people are responsible for each of them. This is why the task of integrating Varonis products with SIEM-class systems comes up so often: the goal is to see all information security events in one console.

Varonis products integrate easily with SIEM solutions. There are several ways to do it:



1. Alerts. Varonis has fairly rich alerting capabilities: alerts can be sent by e-mail, as SNMP traps, or written to the Event Log. The method we are interested in here is sending alerts via syslog. It is important to configure Varonis itself correctly, because the alerts you choose determine how well the incident management process is structured. If you care about mass copying or deletion of data, the activity of specific users in a specific folder, or attempts by employees without the corresponding rights to reach confidential data, then those are the alerts you need to configure. Do not forget that the correlation rules in the SIEM must also be adjusted so that messages from Varonis become incidents under the conditions you consider correct. This is a two-way process: as soon as you set up an alert in Varonis and see it arrive in the SIEM, write the correlation rule for it immediately. Normalizing events from Varonis should not take much time either: the messages arrive in a format very close to CEF, which HP ArcSight interprets readily. Other SIEM solutions also handle messages from Varonis without trouble, only with slightly longer setup. In this way all the alerts Varonis can raise are available in your SIEM without ever opening the product console itself: do the initial configuration once and then only tune it as the infrastructure changes. One practical caveat: if alerts travel over plain UDP syslog, a dropped datagram is a lost alert, so prefer a reliable transport (TCP, ideally with TLS) where both sides support it, and watch for gaps in the feed.

2. Integration through Varonis reports. In this case you typically do not have the Varonis alerting module (you may not have needed it at first and did not buy it), but you do have the product and want to connect it to your existing SIEM. Varonis has extensive reporting capabilities, and all the information security incidents that would have appeared as alerts will also appear in the reports. You only need to define precisely which reports to export, by what criteria, how often and in what format. The main drawback is the lack of timeliness: with no alerting you learn what happened only from the report, typically the next day. The integration with the SIEM is also different: where the first option used syslog, here it is a CSV file exported on a schedule and picked up by the SIEM. The end goal is still reached: all the security incidents you are interested in are visible in one console.



3. Events of Varonis itself. These are the events Varonis writes to the Event Log of its own server: events about its state. If we want to know whether Varonis is working right now without constantly logging in to the server, opening the product console or checking that the Varonis services are running, nothing prevents us from reading the Event Log of the Varonis server and raising an IS incident whenever errors appear. Then we can be confident that the collector itself is under control. Note that a service that has stopped entirely writes no error events at all, so pair this with a heartbeat rule in the SIEM that opens an incident when no Varonis events have arrived for a set interval.
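Added example, not from the article and not Varonis code: a small Python model of options 1 and 2 above. It parses syslog lines in CEF layout (the normalization step a SIEM performs for option 1), loads a scheduled CSV report export (option 2), maps both feeds onto one event record, and runs two correlation rules of the kind the text describes: mass deletion by one user inside a sliding time window, and access to a sensitive share by someone outside the allowed set. The CEF product name and extension keys (rt as ISO 8601, suser, act, fname), the CSV column names, the share paths and every sample line are constructed assumptions; real Varonis output will differ, and the field mapping is the part you adapt.

```python
import csv
import io
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Normalised event shared by both feeds (syslog alerts and CSV reports).
Event = namedtuple("Event", "time user action path source")

# Constructed sample syslog lines in CEF layout. These are NOT real Varonis
# output: the extension keys (rt as ISO 8601, suser, act, fname) are assumed.
SYSLOG_LINES = [
    r"<13>Jun 15 10:00:01 dsp01 CEF:0|Varonis|DatAlert|6.0|1001|File deleted|6|rt=2015-06-15T10:00:01 suser=jdoe act=delete fname=\\\\fs01\\finance\\q1.xlsx",
    r"<13>Jun 15 10:01:10 dsp01 CEF:0|Varonis|DatAlert|6.0|1001|File deleted|6|rt=2015-06-15T10:01:10 suser=jdoe act=delete fname=\\\\fs01\\finance\\q2.xlsx",
    r"<13>Jun 15 10:02:30 dsp01 CEF:0|Varonis|DatAlert|6.0|1001|File deleted|6|rt=2015-06-15T10:02:30 suser=jdoe act=delete fname=\\\\fs01\\finance\\q3.xlsx",
    r"<13>Jun 15 10:30:00 dsp01 CEF:0|Varonis|DatAlert|6.0|1002|Sensitive file read \| HR|8|rt=2015-06-15T10:30:00 suser=asmith act=read fname=\\\\fs01\\hr\\salaries.xlsx",
    r"<13>Jun 15 11:00:00 dsp01 CEF:0|Varonis|DatAlert|6.0|1001|File deleted|6|rt=2015-06-15T11:00:00 suser=bwhite act=delete fname=\\\\fs01\\public\\notes.txt",
]

# Constructed CSV report export; the column names are likewise assumed.
REPORT_CSV = r"""Event Time,User,Event Type,Path
2015-06-15 10:03:45,jdoe,delete,\\fs01\finance\q4.xlsx
2015-06-15 10:45:00,cjones,read,\\fs01\hr\salaries.xlsx
"""

_UNESCAPE = re.compile(r"\\(.)")       # CEF escapes: \| \= \\
_PIPE = re.compile(r"(?<!\\)\|")       # a pipe not preceded by a backslash
_EXT_KV = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|\s*$)")
_HEADER = ["version", "vendor", "product", "device_version",
           "signature_id", "name", "severity"]

def parse_cef(line):
    """Return (header, extension) dicts for one syslog line carrying a CEF record."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF record in line")
    parts = _PIPE.split(line[start:], maxsplit=7)   # 7 header fields + extension
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = {k: _UNESCAPE.sub(r"\1", v) for k, v in zip(_HEADER, parts[:7])}
    header["version"] = header["version"][len("CEF:"):]
    extension = {k: _UNESCAPE.sub(r"\1", v) for k, v in _EXT_KV.findall(parts[7])}
    return header, extension

def events_from_syslog(lines):
    out = []
    for line in lines:
        _, ext = parse_cef(line)
        out.append(Event(datetime.fromisoformat(ext["rt"]), ext["suser"],
                         ext["act"], ext["fname"], "syslog"))
    return out

def events_from_report(text):
    return [Event(datetime.strptime(r["Event Time"], "%Y-%m-%d %H:%M:%S"),
                  r["User"], r["Event Type"], r["Path"], "report")
            for r in csv.DictReader(io.StringIO(text))]

def mass_delete_incidents(events, threshold=3, window=timedelta(minutes=5)):
    """One incident per user who deletes >= threshold files inside a sliding window."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.time):
        if e.action == "delete":
            by_user.setdefault(e.user, []).append(e)
    incidents = []
    for user, evs in by_user.items():
        best, lo = None, 0
        for hi in range(len(evs)):
            while evs[hi].time - evs[lo].time > window:
                lo += 1
            n = hi - lo + 1          # deletes inside the window ending at evs[hi]
            if n >= threshold and (best is None or n > best["count"]):
                best = {"rule": "mass_delete", "user": user, "count": n,
                        "first": evs[lo].time, "last": evs[hi].time}
        if best:
            incidents.append(best)
    return incidents

def _under(path, prefix):
    """True when path equals prefix or sits below it (case-insensitive UNC paths)."""
    p, q = path.lower(), prefix.lower().rstrip("\\")
    return p == q or p.startswith(q + "\\")

def unauthorized_access_incidents(events, sensitive_prefix, allowed_users):
    """Any access below sensitive_prefix by a user outside allowed_users."""
    return [{"rule": "unauthorized_access", "user": e.user, "path": e.path,
             "time": e.time, "source": e.source}
            for e in events
            if _under(e.path, sensitive_prefix) and e.user not in allowed_users]

def correlate(syslog_lines=SYSLOG_LINES, report_csv=REPORT_CSV):
    events = events_from_syslog(syslog_lines) + events_from_report(report_csv)
    return (mass_delete_incidents(events)
            + unauthorized_access_incidents(events, r"\\fs01\hr", {"hradmin"}))

if __name__ == "__main__":
    for incident in correlate():
        print(incident)
```

Run as a script it prints three incidents: one mass-delete for jdoe (four deletes within five minutes, three from syslog and one from the report) and two unauthorized reads of the HR share. The regexes honour the CEF escapes (\|, \=, \\), which is where hand-rolled normalizers usually break on Windows paths; the delete rule reports the largest qualifying window per user so the SIEM receives one incident rather than one per event.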



In this way you get a solution that fully meets the information security needs for managing incidents involving the data created by company employees. That reduces operating expenses, and the IS department staff can handle their everyday security tasks faster and more efficiently.

Source: https://habr.com/ru/post/261981/
