Black Hat 2018: Securing Unstructured Data

Ready for your post Black Hat 2018 eye-opener of the day? According to Brian Vecci, CISSP and Technical Evangelist for Varonis, 58% of companies have more than 100,000 folders open to anyone who happens to be on their networks. How well do we think those companies understand what’s in those thousands of folders? Thought so…  But, at least they have no idea who is accessing them, either. In fact, Vecci pointed out that 34% of users in these organizations are, in his words, “stale.” They may have left the company but retained their network access credentials.

As you might imagine, there is serious security risk exposure in this level of control laxity for unstructured data like Word files and PDFs. Even companies with strict data life cycle policies for databases tend to be bad at deleting unstructured data on a schedule. It just sits. “You could have confidential financial information, personal contact data, trade secrets and more in document files that are open to much wider access than most people realize,” Vecci said. “This is the challenge we have taken on.”

Brian Vecci, Technical Evangelist for Varonis

Varonis offers solutions for data governance and analytics affecting unstructured data on file drives, SharePoint sites and Office 365 file repositories. It’s not Data Loss Prevention (DLP) or Identity Management. Rather, Varonis finds sensitive data and sets up access control rules. The solution can monitor who is trying to get at sensitive files, issuing alerts when there is suspicious activity.

Alert scenarios range from outside hackers to an employee who is planning to leave the company suddenly downloading a lot of files for no apparent reason. In this latter context, the security of unstructured data is about more than just cyber security. It’s a matter of effective business management. Letting sensitive information fall into the wrong hands can disrupt a company’s competitive edge or denigrate its public reputation.

The Varonis solution can also help with classification of unstructured data, a massive headache that many organizations either avoid altogether or do in a superficial way. This process aligns with compliance. For example, under GDPR, companies must control and disclose how they handle personally identifiable information. This is relatively straightforward, if time-consuming with databases, but it can be nearly impossible with unstructured data in the absence of a solution.