From data management to incident management: how to properly integrate Varonis into the Incident Management process

    It is currently hard to imagine a company that does not think about information security. The maturity of its information security largely depends on the maturity of its business and its IT. Information security always starts with something simple: you install firewalls, antivirus and so on, that is, you solve problems at the infrastructure level. At this stage no attention is paid to building the corresponding processes or regulating them. Over time the tasks become more complicated and more complex solutions are needed: DLP systems, systems for managing unstructured or semi-structured data, security scanners, Security Information and Event Management (SIEM) systems. Eventually the combination of chaotic, unregulated processes and a large number of security tools, each of them vital, reaches a state where it is no longer clear whether we really understand how it all works, how to manage it, and what is actually happening in the company from an information security point of view. Practice shows that an increase in the number of protective tools is not always matched by an increase in staff. Managers very often believe that, having invested a decent amount in information security, everything should now run with little or no human involvement. This is not so. As a rule, such an approach leads to an overloaded staff and low efficiency in carrying out information security operations.

    One way to solve this problem and reduce operating costs is, as a rule, to build a security management center around a particular SIEM solution, or simply to connect all information security systems to a single SIEM system.

    It is important to understand that there is no single tool that protects against "everything at once". Different software and hardware tools protect against specific types of threat, and, as a rule, different people are responsible for them. This is why the task of integrating Varonis products with SIEM systems arises so often: the goal is to see all information security events in one console. Varonis products integrate with SIEM solutions without difficulty. There are several options here:

    1. Alerts. Varonis has fairly rich alerting capabilities. Alerts can be sent by e-mail, as SNMP messages, or recorded in the Event Log. We are interested in sending alerts via syslog. Here it is important to configure Varonis itself correctly, because a properly structured incident management process depends on which alerts you are interested in. If you care about mass copying or deletion of data, the activity of specific users in a specific folder, or attempts to access sensitive data by employees who have no right to it, then you need to configure exactly those notifications. Do not forget that the correlation rules in the SIEM solution will also have to be adjusted so that messages from Varonis become incidents under the conditions you consider correct. It is important to understand that this is a bi-directional process: as soon as you configure an alert in Varonis and see it arrive in the SIEM system, you must immediately configure a correlation rule for it. Normalizing events from Varonis should not take much time either: the messages arrive in a format very close to CEF, which HP ArcSight interprets easily. Other SIEM solutions also interpret messages from Varonis without trouble, needing only a slightly longer setup. As a result, your SIEM solution can carry all the information about the alerts Varonis can raise, without your ever opening the product console itself. Only the initial configuration is required, followed by adjustments as the infrastructure changes.

    2. Integration through Varonis reports. In this case you do not, as a rule, have the Varonis alerting component (you probably did not need it at the outset and did not buy it), but you do have the product itself and want to connect it to your existing SIEM solution. Varonis has extensive reporting capabilities, and every information security incident that would have appeared in an alert will also be present in the reports. You only need to configure which reports to export, by what criteria, how often, and in what format. The main drawback here is the lack of timeliness: since there is no alerting, you learn from the report what happened only the next day. The integration with the SIEM is also different: where the first option used syslog, here it is a CSV file exported at set intervals. But the end goal is reached in this case too: you see all the information security incidents that interest you in one console.
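The two integration paths above, syslog messages in a CEF-like format and scheduled CSV report exports, both end up as events that the SIEM's correlation rules turn into incidents. The following added example, which is not from the original article and is not Varonis code, shows that pipeline end to end in Python: it parses CEF-shaped syslog lines, parses rows of a CSV report export, normalizes both into one event record, and applies two correlation rules of the kind the text mentions (mass deletion by one user within a time window, and access to a sensitive folder by a user who is not on the allowed list). The vendor and product names, signature ids, CSV column names, paths, user names and timestamps are all constructed for illustration; the extension keys rt, suser, act and fname are standard CEF keys, not a statement about Varonis's actual message layout.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample input: syslog lines carrying a CEF-shaped payload
# (CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension).
# Vendor/product names, signature ids and all values are made up.
SAMPLE_SYSLOG = """\
<134>Jan 10 09:15:01 dsp CEF:0|ExampleVendor|ExampleProduct|1.0|100|File deleted|5|rt=1736500501000 suser=jsmith act=delete fname=/shares/finance/q1.xlsx
<134>Jan 10 09:15:30 dsp CEF:0|ExampleVendor|ExampleProduct|1.0|100|File deleted|5|rt=1736500530000 suser=jsmith act=delete fname=/shares/finance/q2.xlsx
<134>Jan 10 09:16:10 dsp CEF:0|ExampleVendor|ExampleProduct|1.0|100|File deleted|5|rt=1736500570000 suser=jsmith act=delete fname=/shares/finance/q3.xlsx
<134>Jan 10 09:17:00 dsp CEF:0|ExampleVendor|ExampleProduct|1.0|200|File read|3|rt=1736500620000 suser=mlee act=read fname=/shares/hr/salaries.xlsx
<134>Jan 10 09:18:00 dsp CEF:0|ExampleVendor|ExampleProduct|1.0|200|File read|3|rt=1736500680000 suser=hr_admin act=read fname=/shares/hr/salaries.xlsx
"""

# Constructed sample report export in CSV form (column names are assumptions).
SAMPLE_CSV = """\
time,user,action,path
2025-01-10T09:20:00,jsmith,delete,/shares/finance/q4.xlsx
2025-01-10T09:21:00,mlee,read,/shares/hr/reviews.docx
2025-01-10T09:22:00,tkim,read,/shares/public/readme.txt
"""

# CEF extension: key=value pairs separated by spaces; a value runs until the
# next "key=" token or the end of the line.
CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef(line):
    """Normalize one syslog/CEF line into {time, user, action, path, source, name}.
    Returns None for lines that carry no CEF payload."""
    idx = line.find("CEF:")
    if idx < 0:
        return None
    # Split the header on unescaped pipes; the 8th piece is the extension.
    fields = re.split(r"(?<!\\)\|", line[idx:], maxsplit=7)
    if len(fields) < 8:
        return None
    ext = dict(CEF_EXT_RE.findall(fields[7]))
    return {
        "time": int(ext.get("rt", "0")) / 1000,  # rt is epoch milliseconds
        "user": ext.get("suser", ""),
        "action": ext.get("act", ""),
        "path": ext.get("fname", ""),
        "source": "syslog",
        "name": fields[5],
    }


def parse_report_csv(text):
    """Normalize rows of a scheduled CSV report export into the same shape."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        # Report timestamps are treated as UTC so both sources share one clock.
        ts = datetime.fromisoformat(row["time"]).replace(tzinfo=timezone.utc)
        events.append({
            "time": ts.timestamp(),
            "user": row["user"],
            "action": row["action"],
            "path": row["path"],
            "source": "report",
            "name": row["action"],
        })
    return events


def correlate(events, sensitive_prefix="/shares/hr/",
              allowed_users=frozenset({"hr_admin"}),
              delete_threshold=3, window_seconds=600):
    """Two correlation rules: (1) mass deletion, at least delete_threshold
    deletes by one user within window_seconds; (2) access to a sensitive
    path by a user who is not on the allowed list."""
    incidents = []
    deletes = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] == "delete":
            deletes[ev["user"]].append(ev["time"])
        if ev["path"].startswith(sensitive_prefix) and ev["user"] not in allowed_users:
            incidents.append({"rule": "sensitive_access", "user": ev["user"],
                              "path": ev["path"], "source": ev["source"]})
    for user, times in deletes.items():  # times are already sorted
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window_seconds)
            if count >= delete_threshold:
                incidents.append({"rule": "mass_delete", "user": user, "count": count})
                break  # one incident per user per batch is enough
    return incidents


def run_sample():
    """Normalize both constructed sources and return the resulting incidents."""
    events = [e for e in map(parse_cef, SAMPLE_SYSLOG.splitlines()) if e]
    events += parse_report_csv(SAMPLE_CSV)
    return correlate(events)


if __name__ == "__main__":
    for inc in run_sample():
        print(inc)
```

On the constructed input this yields three incidents: two sensitive_access incidents for mlee (one from the syslog path, one from the report path) and one mass_delete incident for jsmith, whose fourth deletion arrives only via the CSV report. That last case is the point of normalizing both sources into one record: the correlation rule counts across them, so the report-based path still feeds the same incident logic, only a day later, exactly the trade-off the text describes.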

    3. Events of Varonis itself. Here we mean the events Varonis writes to the Event Log of its own server: events about its own state. If we want to know whether Varonis is currently running, and do not want to keep logging on to the server, opening the product console or checking whether the Varonis services are up, nothing prevents us from reading the Varonis server's Event Log and raising an information security incident whenever errors appear there. In this case we can be fully confident that everything is under our control.

    Thus, you can arrive at a solution that fully meets the information security department's needs for managing incidents involving the data created by the company's employees. This brings a reduction in operating expenses, and information security staff are able to solve their everyday tasks faster and more efficiently.
