On February 2013, President Barack Obama issued an Executive Order 13636, Improving Critical
Infrastructure Cybersecurity. The Executive Order is directed at the National Institute of
Standards and Technology (NIST) to work with stakeholders to develop a voluntary
framework – based on existing standards, guidelines, and practices - for reducing cyber risks to
critical infrastructure. On February 12, 2014, NIST released the first version of the Framework
for Improving Critical Infrastructure Cybersecurity. The Framework, created through
collaboration between technologists and the government, consists of standards, guidelines, and
practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable,
and cost-effective approach of the Framework helps owners and operators of critical
infrastructure to manage cybersecurity-related risk.
Practitioners should keep in mind that the Framework is an overall structure that can be
addressed by different security standards, including, for example, NIST 800-53, ISO 270001,
and COBIT 5.
National Institute of Standards and Technology’s Cybersecurity Framework
National Institute of Standards and Technology’s Framework for Improving Critical
Infrastructure Cybersecurity and Varonis
The following is a table containing sections of NIST’s Cybersecurity Framework and an
explanation describing how Varonis solutions can help reduce security risks and protect an
organization’s computer infrastructure:
NIST’s Cybersecurity
Varonis Solutions
Identify: Asset Management
ID.AM-1: Physical devices and systems
The data, personnel, devices,
within the organization are inventoried
systems, and facilities that
ID.AM-2: Software platforms and
enable the organization to
applications within the organization are
achieve business purposes are
identified and managed
ID.AM-3: Organizational
DatAdvantage shows all directory and
consistent with their relative
communication and data flows are
file share contents mapping users to
importance to business
data and vice versa
objectives and the
ID.AM-4: External information systems
organization’s risk strategy.
are catalogued
ID.AM-5: Resources (e.g., hardware,
Varonis provides the ability to classify
devices, data, and software) are
data based on business
prioritized based on their classification,
guidelines and ensure that proper
criticality, and business value
controls are in place based
on that classification.
ID.AM-6: Cybersecurity roles and
responsibilities for the entire workforce
and third-party stakeholders (e.g.,
suppliers, customers, partners) are
National Institute of Standards and Technology’s Cybersecurity Framework
Identity: Business Environment
The Varonis Operational Plan is a
The organization’s mission,
methodology for implementing the
objectives, stakeholders, and
Data Governance Suite. As it is a
activities are understood and
methodology describing a sequence of
prioritized; this information is
operations, techniques, and reports to
used to inform cybersecurity
run in order to take unstructured data
roles, responsibilities, and risk
from its natural, “uncontrolled” state,
management decisions.
to a governed state.
Identity: Governance
Varonis can ensure that only business
The policies, procedures, and
owners manage data
processes to manage and
authorizations, and further allow
monitor the organization’s
auditors and compliance
regulatory, legal, risk,
personnel to monitor the process
environmental, and operational
requirements are understood
and inform the management of
cybersecurity risk.
Identity: Risk Assessment
Varonis significantly reduces the risk of
The organization understands
data loss and misuse by continually
the cybersecurity risk to
maintaining access controls that are
organizational operations
restrictive to business need to know
(including mission, functions,
image, or reputation),
organizational assets, and
Identity: Risk Management
ID.RM-1: Risk management processes
Varonis products can help quickly
are established, managed, and agreed
identify operational risk with regard to
The organization’s priorities,
to by organizational stakeholders
file system, email, and SharePoint
constraints, risk tolerances, and
ID.RM-2: Organizational risk tolerance
assumptions are established
is determined and clearly expressed
and used to support operational
ID.RM-3: The organization’s
DatAdvantage will report on data
risk decisions.
determination of risk tolerance is
which has weakened security through
informed by its role in critical
global groups (everyone,
National Institute of Standards and Technology’s Cybersecurity Framework
infrastructure and sector specific risk
authenticated users, etc.) or otherwise
excessive access, as well as users and
groups which have excess access
Protect: Access Control
PR.AC-1: Identities and credentials are
Varonis allows the enforcement of an
Access to assets and associated
managed for authorized devices and
access control policy by ensuring that
facilities is limited to authorized
business owners accept or reject
users, processes, or devices,
recommendations for permissions
and to authorized activities and
PR.AC-2: Physical access to assets is
Varonis can help monitor and audit
managed and protected
third-party system activity on
unstructured and semi structured data
PR.AC-3: Remote access is managed
DatAnywhere instantly enables mobile
access, file synchronization, and
secure 3rd party sharing for your
existing file shares. Files can stay
exactly where they are—on existing
SMB file servers or NAS.
Third party access is monitored and
can be revoked at any time. Third
party links can contain expiration
dates and pin codes for extra security
and can be revoked at any time. Third
parties do not require an entry in the
organizations Active Directory or LDAP
Private cloud benefits:
• Definitive copies of files are always
stored on corporate storage
• No one gets permissions to shared
data unless they already have it
• Users authenticate to Active
Directory or LDAP and there is no need
to reconfigure or replicate permissions
National Institute of Standards and Technology’s Cybersecurity Framework
• IT controls speed, availability, and
PR.AC-4: Access permissions are
Varonis helps organizations comply
managed, incorporating the principles
with initiatives to ensure least privilege
of least privilege and separation of
access to regulated data. The system
analyzes data access patterns and
continually recommends that those
without business need to data have
their privileges revoked
PR.AC-5: Network integrity is
protected, incorporating network
segregation where appropriate
Protect: Awareness and
Varonis staff are also avid learners and
educators. Here are some of the
The organization’s personnel
educational opportunities we offer and
and partners are provided
cybersecurity awareness
• Professional Services: ensures our
education and are adequately
customers can effectively use the
trained to perform their
product to fulfill all their use cases and
information security-related
to use our products.
duties and responsibilities
• Varonis Blog: learn more about
consistent with related policies,
security, privacy, IT Operations and
procedures, and agreements.
more on our blog. We post
approximately 3-4 blog posts per week
• Office Hours: 1 free hour one-on-one
live web session with your local
Engineer to discuss operational and
security questions.
Protect: Data Security
PR.DS-1: Data-at-rest is protected
Information and records (data)
To ensure that information and
are managed consistent with
records, especially sensitive data
the organization’s risk strategy
remains confidential and unpublished,
to protect the confidentiality,
organizations can implement the
National Institute of Standards and Technology’s Cybersecurity Framework
integrity, and availability of
Varonis IDU Classification Framework.
It helps identify sensitive content
within records, determine who has
access to it, who is using it, and who
should be responsible (data owners) –
all of which are also reportable.
Integrity and Availability of
Varonis ensures the success of audits
and examinations and can
demonstrate effectiveness of security,
operational integrity in a number of
Varonis recommends the
revocation of permissions to
data for those users who do
not have a business need to
the data – this ensures that
user access to data is always
warranted and driven by least
Varonis generates reports
showing the history of
permission revocations and the
percentages by which overly
permissive access was reduced
Varonis DataPrivilege provides
a mechanism via a web-based
application by which to
monitor, administer
(allow/deny) all access
requests to unstructured data.
Requestors, data owners,
technical controllers, financial
National Institute of Standards and Technology’s Cybersecurity Framework
controllers are all united in
communication and action
through this system. With
regard to requests to access
unstructured data on file
shares, all actions taken and
rationale for them are
recorded. Further, a workflow
is enforced (i.e. requests to
financial folders go straight to
the business owner).
Via these capabilities, entities can
demonstrate a historical and sustained
enforcement of least privilege access
and its effects.
PR.DS-2: Data-in-transit is protected
PR.DS-3: Assets are formally managed
throughout removal, transfers, and
Stale Data
Varonis DatAdvantage keeps an audit
trail of every open, create, move,
modify and delete on the file system.
By analyzing this data over time,
Varonis can quickly identify which files
and folders are no longer in use.
Unused Users and Groups
Varonis combines user and group
information from directory services,
permissions information on file and
SharePoint servers, and a complete
audit trail of all file activity. This
means that DatAdvantage can quickly
identify which users and security
groups are no longer in use, meaning
National Institute of Standards and Technology’s Cybersecurity Framework
they can be safely removed without
affecting business process.
Data Transfers
Data Transport Engine provides the
flexibility to configure complete endto-end migration rules: define source
criteria based on path, and/or content,
classification rule, Varonis ownership
and follow-up (flag/ tag) criteria,
define destination path, folder, and
permissions translation, and when the
migration will take place. The ability to
configure these rules allow for the
rapid and safe execution of complex
data migrations, and to easily
implement and enforce policies for
data retention and location based on
content, accessibility, and activity.
PR.DS-4: Adequate capacity to ensure
availability is maintained
PR.DS-5: Protections against data leaks
are implemented
PR.DS-6: Integrity checking
mechanisms are used to verify
software, firmware, and information
PR.DS-7: The development and testing
environment(s) are separate from the
production environment
Protect: Information Protection
Processes and Procedures
PR.IP-1: A baseline configuration of
information technology/industrial
DatAlert can be configured to send
real-time alerts on a number of actions
National Institute of Standards and Technology’s Cybersecurity Framework
Security policies (that address
control systems is created and
including the granting of
administrative rights to a user or
purpose, scope, roles,
group. It baselines every user’s normal
responsibilities, management
access behavior and can generate real
commitment, and coordination
time incident response when behavior
among organizational entities),
becomes abnormal.
processes, and procedures are
maintained and used to manage
protection of information
systems and assets.
PR.IP-2: A System Development Life
Cycle to manage systems is
PR.IP-3: Configuration change control
processes are in place
Varonis DatAdvantage monitors every
user’s file touch and stores in a
searchable format, all aspects of data
use for information stored on file
servers and Network Attached Storage
(NAS) devices. Varonis DatAlert can
alert when in real time when
inappropriate activities
take place (changes made outside
change control windows, etc.)
PR.IP-4: Backups of information are
conducted, maintained, and tested
PR.IP-5: Policy and regulations
regarding the physical operating
environment for organizational assets
are met
PR.IP-6: Data is destroyed according to
PR.IP-7: Protection processes are
continuously improved
National Institute of Standards and Technology’s Cybersecurity Framework
PR.IP-8: Effectiveness of protection
technologies is shared with appropriate
PR.IP-9: Response plans (Incident
Response and Business Continuity) and
recovery plans (Incident Recovery and
Disaster Recovery) are in place and
PR.IP-10: Response and recovery plans
are tested
PR.IP-11: Cybersecurity is included in
human resources practices (e.g.,
deprovisioning, personnel screening)
PR.IP-12: A vulnerability management
plan is developed and implemented
Protect: Maintenance
PR.MA-1: Maintenance and repair of
Maintenance and repairs of
organizational assets is performed and
industrial control and
logged in a timely manner, with
information system components
approved and controlled tools
is performed consistent with
policies and procedures.
PR.MA-2: Remote maintenance of
organizational assets is approved,
logged, and performed in a manner
that prevents unauthorized access
Varonis gives the means to conduct a
full in depth data entitlement review
by which all user privileges to data is
reported. It also provides reports of
historical access rights to data sets
showing any trends toward overly
permissive access
Protect: Protective Technology
Technical security solutions are
managed to ensure the security
PR.PT-1: Audit/log records are
DatAdvantage can help organizations
determined, documented,
identify the use of privileged access
implemented, and reviewed in
accounts and ensure that appropriate
accordance with policy
segregation of duties is implemented
National Institute of Standards and Technology’s Cybersecurity Framework
and resilience of systems and
through best practices as they relate
assets, consistent with related
to use of separate administrative
policies, procedures, and
accounts. In addition to the visibility
provided through our Log, Statistics,
and Reports features, DatAlert can be
configured to notify administrators
when elevated accounts have been
used or when an account has been
elevated in group membership to an
administrative level. Such controls are
key to securing the environment, and
our reporting capabilities can play a
critical role in maintaining the data’s
lifecycle through regular audits and
report subscriptions.
PR.PT-2: Removable media is protected
and its use restricted according to
PR.PT-3: Access to systems and assets
is controlled, incorporating the principle
of least functionality
PR.PT-4: Communications and control
networks are protected
Detect: Anomalies and Events
DE.AE-1: A baseline of network
operations and expected data flows for
Anomalous activity is detected
in a timely manner and the
users and systems is established and
potential impact of events is
Data breaches and Monitoring
Varonis DatAlert provides real-time
alerting based on file activity, Active
Directory changes, permissions
changes, and other events detected by
DE.AE-2: Detected events are analyzed
Varonis DatAdvantage. Alert criteria
to understand attack targets and
and output are easily configurable so
that the right people and systems can
National Institute of Standards and Technology’s Cybersecurity Framework
DE.AE-3: Event data are aggregated
be notified about the right things, at
and correlated from multiple sources
the right times in the right ways.
and sensors
DatAlert improves your ability to
detect possible security breaches and
DE.AE-4: Impact of events is
misconfigurations, and the audit trail
in DatAdvantage provides valuable
DE.AE-5: Incident alert thresholds are
Detect: Security Continuous
DE.CM-1: The network is monitored to
detect potential cybersecurity events
The information system and
information during the incident
response process.
Recently we published an article to our
blog about a how a Varonis customer
used DatAdvantage to quickly and
assets are monitored at discrete
DE.CM-2: The physical environment is
effectly isolate and halt the spread of
intervals to identify
monitored to detect potential
the Cryptolocker virus in their
cybersecurity events and verify
cybersecurity events
environment. To quote our customer,
the effectiveness of protective
DE.CM-3: Personnel activity is
monitored to detect potential
cybersecurity events
DE.CM-4: Malicious code is detected
"Within DatAdvantage I ran a query on
that specific user and realized that
there were over 400,000 access
events that had been generated from
that user’s account. It was at that
point that we knew it was a virus...
DE.CM-5: Unauthorized mobile code is
Once we had identified the second
user, we went back to DatAdvantage
DE.CM-6: External service provider
activity is monitored to detect potential
cybersecurity events
to identify the files they had accessed.
There were over 200,000 access
events generated from this user’s
DE.CM-7: Monitoring for unauthorized
personnel, connections, devices, and
software is performed
The fact that they were able to quickly
identify which files had been corrupted
helped them reduce the impact of the
DE.CM-8: Vulnerability scans are
virus on the environment and the
downtime for the users. In addition, it
allowed them to maximize their time
National Institute of Standards and Technology’s Cybersecurity Framework
and resources by only having to
restore the data that was affected.
To read more about this success story,
check out:
Detect: Detection Processes
DE.DP-1: Roles and responsibilities for
detection are well defined to ensure
Detection processes and
procedures are maintained and
DataPrivilege helps organizations not
only define the policies that govern
who can access, and who can grant
access to unstructured data, but it also
tested to ensure timely and
DE.DP-2: Detection activities comply
enforces the workflow and the desired
adequate awareness of
with all applicable requirements
action to be taken (i.e. allow, deny,
anomalous events.
DE.DP-3: Detection processes are
DE.DP-4: Event detection information is
communicated to appropriate parties
allow for a certain time period).
This has a two-fold effect on the
consistent and broad communication
of the access policy:
• it unites all of the parties responsible
including data owners, compliance
DE.DP-5: Detection processes are
officers, auditors, data users AND IT
continuously improved
around the same set of information
• it allows organizations to continually
monitor the access framework in order
to make changes and optimize both for
compliance and for continuous
enforcement of warranted access.
Respond: Communications
RS.CO-1: Personnel know their roles
and order of operations when a
Response activities are
response is needed
coordinated with internal and
external stakeholders, as
RS.CO-2: Events are reported
appropriate, to include external
consistent with established criteria
Varonis provides highly detailed
reports including: data use (i.e. every
user’s every file-touch), user activity
National Institute of Standards and Technology’s Cybersecurity Framework
support from law enforcement
on sensitive data, changes including
security and permissions changes
which affect the access privileges
to a given file or folder, a detailed
record of permissions revocations
including the names of users and the
data sets for which permissions were
RS.CO-3: Information is shared
consistent with response plans
RS.CO-4: Coordination with
stakeholders occurs consistent with
response plans
RS.CO-5: Voluntary information sharing
occurs with external stakeholders to
achieve broader cybersecurity
situational awareness
National Institute of Standards and Technology’s Cybersecurity Framework