The surging use of collaboration tools like Microsoft Teams and Zoom during the pandemic has dramatically increased the information attack surface for organizations and widened blind spots in data protection. MeriTalk recently connected with Matthew Radolec, Director of Security Architecture & Incident Response at Varonis, to understand how organizations can effectively detect and respond to cyber threats popping up in tools many haven’t thought to consider.
MeriTalk: What makes collaboration tools an interesting target? Is this a relatively new attack vector?
Radolec: The general openness of collaboration tools makes them an interesting target. When we think about the legacy world, we are generally referring to on-prem environments in which security or identity teams control and manage access. However, modern collaboration tools turn that model on its head by giving end users control over who can access data. Unfortunately, end users are generally not as skilled at controlling and managing access to sensitive information. Attackers are ready to take advantage of them by being invited to collaborate on a document or by compromising the user. If there’s no one watching, attackers can escalate attacks by collaborating with themselves or other outside attackers.
Collaboration tools are a relatively new attack vector. The way that Zoom or Teams brings risks to light is also relatively new. That’s because data is everywhere, in various cloud data centers – it’s no longer controlled inside of your organization where you might have some network- or endpoint-based controls to limit where that information can flow.
MeriTalk: Most organizations are rapidly expanding their use of Zoom and Microsoft Teams during the pandemic, but aren’t considering the associated rise in security concerns you mentioned. How does Varonis help their customers manage this risk, both in Civilian and Defense scenarios?
Radolec: Managing risk starts by focusing on understanding where your important data is. Manage access to that information by controlling who has access to what. Monitor your data to understand who might be misusing or abusing it, whether that’s an insider threat or an external attacker attempting to launch a cyberattack.
Many organizations have thought about things like, “How do I secure my network?” and “How do I apply reasonable protections to my endpoints and servers?” But often, they fail to apply protections to files, folders, and emails. That’s where Varonis helps out, by focusing on the data and layering security controls around it. This is especially important for things like Microsoft Teams, when you think you’re saving a file on a Teams site, but you might actually be saving it in SharePoint Online or OneDrive, and all the groups that are used to manage it aren’t necessarily Teams groups as much as they are components of Azure Active Directory. Teams is just a lens into the ecosystem of Office 365, as opposed to a standalone application.
MeriTalk: More than 90 percent of organizations globally have reported an increase in cyberattacks since March of this year, with some of the highest-profile attacks and breaches occurring in some of the largest government agencies. What advice do you have for these agencies looking to avoid major data breaches within the current telework environment?
Radolec: I would break it down into three different areas:
- Go back to the basics. You can control who has access to what information by focusing on your most important data. Start by monitoring your data, and then you can peel back access over time, using the information you have from that monitoring because you know who actually leverages that access.
- Think about a data breach – when someone has unauthorized access to information that requires them to report it. That’s often why many high-profile cyberattacks hit the news. If you focus on the data itself and limit who can access that data, and whether it exists on a file server or a Teams site, you’ll be able to better understand when it’s misused or abused, simply by monitoring it.
- Security awareness is the root cause of many incidents. It’s about focusing on the fact that users are the targets. Organizations need to educate staff about the common types of attacks – like thread hijacking, where an attacker tries to revive an old email thread with a malicious attachment in it, whether they’re spoofing the sender of that address, or they’ve actually compromised someone in your network. It’s essential to help people understand where an attack could come from, even if it comes from someone you think is a trusted source.
MeriTalk: Varonis’ 2019 Data Risk Report found that 53 percent of companies researched had over 1,000 sensitive files accessible to every employee. Do you think this risk has increased in the last year?
Radolec: Definitely. The rapid shift to support remote work is where many organizations have sacrificed security to maintain operations. They’ve taken data that was otherwise locked down and exposed it in places like file shares or collaboration tools like Office 365, and they haven’t gone through and applied all the same controls that they did in the on-prem world.
Think of all of the time that you’ve spent securing your on-prem data over the last decade. Now, you’ve just uploaded and put all that data into Office 365. But have you gone to the same lengths to protect it? 99 percent of the time the answer is no. That’s because organizations had to adapt to this new world very quickly. Therefore, a lot of the risk from overexposed sensitive data has only gone up with the adoption of collaboration tools and the decentralization of who can control and manage access to information.
MeriTalk: What are some best practices agencies can enforce to ensure their data is secure? What are the immediate steps agencies can take to start securing sensitive data?
Radolec: The first thing to do is to get a risk assessment. Varonis offers a complimentary Data Risk Assessment to uncover vulnerabilities that hackers can take advantage of and put you at risk.
Best practices start by figuring out where your sensitive data is. From there, we apply different classification rules and policies to go out and find those regulated data types or the classified information that exists inside of the various files and folders that we’re monitoring. Step one identifies where your data resides. Step two takes a look at who has access to data and prioritizes where it’s globally accessible or overexposed. The third step is monitoring. Even if you can’t make architecture or project-based changes, at the bare minimum, you can monitor everything around your sensitive data to immediately get an understanding of how it’s used on a day-to-day basis. You can also apply things like behavioral analytics to understand how it might be misused or abused.
MeriTalk: How does Varonis use resources like their Incident Response Team to stop cyberattacks before they occur?
Radolec: The Varonis Incident Response Team is a globally distributed team of cybersecurity professionals. We act as an escalation point for our customers. When they are notified of a potential incident, they reach out to us. We help them build a timeline to understand what happened. We perform an analysis to answer questions such as, “Did an attacker successfully get in?” and “Is this alert a sign of an early-stage or a late-stage attack?”
A lot of attacks start with phishing emails, reconnaissance, or an attempted lateral movement. If you’re able to pick them up earlier in the kill chain or the attack framework, you’re able to stop them before they turn it into a breach. If you have something suspicious that’s happening, the best thing that you can do is reach out – the Incident Response Team is part of the Varonis subscription, available to all licensed customers.
MeriTalk: Is there anything else you’d like our readers to keep in mind?
Radolec: When people think about monitoring, they think about alerting – which can create a false sense of security that’s not based on metrics. I like to ask organizations about the effectiveness of the monitoring that they have today. How many alerts are your analysts processing that lead to a valid investigation?
When you start to look at the different tools you have at that level, and start to measure the effectiveness of those tools, organizations will often begin to head down the path of behavior analytics – applying machine learning and artificial intelligence on different datasets to understand abnormalities. Organizations are having better luck detecting insider threats and cyberattacks by external attackers by using this approach.
Another thing that I would suggest is to take a look at how collaboration tools are used across your team. You probably underestimate how often people are collaborating and who they’re collaborating with. Often, organizations miss the compliance lens, which means identifying whether information can be accessed via collaboration tools or if there is a better, more secure place for it permitted by policy.