Deploying Varonis at a Leading Multi-National Organisation
Author: Matt Woodhams
Release Date: 29/09/2022
As a Project Manager at Somerford, I am involved in delivering projects across our broad range of partner products. Each project is customer-specific and can involve unique challenges and issues; however, there are often common themes in delivering projects for each of the products we provide. I have previously covered how we delivered Splunk Enterprise Security in eight weeks at University of Exeter.
In this blog post I will outline some of my experiences deploying Varonis at scale in multinational organisations and the key phases of delivering such engagements. The examples discussed here are drawn from the projects I have worked on over the last 18 months but are not customer-specific; they are relevant to a wide range of large organisations, in any industry.
The Varonis platform provides a coherent suite of functionality to leverage the increased visibility of an organisation’s data and reduce risk. When initially deploying Varonis into a new customer environment, there can be several stages to the deployment depending on which Varonis modules are in scope and the customer’s desired use case(s). A project to locate and restrict access to personal data for GDPR compliance using the Data Classification Engine (DCE) would look different to a project using the Data Transport Engine (DTE) to archive stale data to free up space on the existing infrastructure.
Deploying the Varonis Data Security Platform
The first phase of deploying Varonis in a new environment is to install the Varonis Data Security Platform (DSP) software on an appropriate server, deploy Varonis Collector(s), and install the Varonis agent onto the in-scope file servers.
The Varonis DSP provides the main administrative interface into Varonis’s software through the Varonis Management Console, and acts as the central hub of the Varonis instance.
The Varonis Collectors conduct much of the processing required to complete tasks such as scanning files for target terms during a DCE scan or generating alerts for suspicious activity; it is therefore prudent to locate these as close to the target file servers as possible. Coherent placement of Collector(s) is particularly important where file servers are in geographically distant data centres or there is significant disparity between the data volumes on each file server.
One point of note regarding installation of the Varonis agent is that a reboot is sometimes required as part of the process, for example if the IRPStackSize needs to be changed for Windows 2008 R2 and below. This needs to be taken into account to align with the relevant Change Request timelines for rebooting production file servers.
FileWalks and the 120 day IDU Analytics Period
Once the Varonis agents are deployed onto the file servers, these can be onboarded into Varonis via the Management Console and a Full FileWalk scheduled. The FileWalk is a fundamental part of utilising Varonis, but is perhaps slightly misleadingly named, as Varonis is mapping the folder structures on each file server and not necessarily showing every file. Following the initial FileWalk, the default is to run a Full FileWalk each week and an Incremental FileWalk hourly to promptly map any changes made during the day.
With the Varonis platform deployed, file servers onboarded and the initial Full FileWalk completed, Varonis will immediately start gathering event information of which users are accessing files in each folder. This helps build a picture of who is regularly accessing individual folders, which Varonis can overlay with the folder permissions to recommend users who can be removed from the respective folder permissions due to inactivity. This event information is gathered for 120 days during the IDU Analytics Period and may be used in conjunction with the ‘last modified’ date to classify data as stale.
(NB either the ‘last modified’ or ‘last accessed’ date can be used as the sole metric to classify stale data if remediation is an urgent requirement, but event information enhances accuracy.)
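The overlay described above can be sketched in a few lines. This is an added illustration, not Varonis code or Somerford's tooling: the folder names, users, events and the 180-day staleness threshold are constructed assumptions, and only the 120-day window comes from the text. It shows a folder that looks stale by 'last modified' date alone but is still in use once access events are considered.

```python
from datetime import datetime, timedelta

ANALYTICS_DAYS = 120         # event-gathering window named in the text
STALE_AFTER_DAYS = 180       # assumed threshold; the post does not give one
NOW = datetime(2022, 9, 29)  # fixed date so the constructed sample is reproducible

# Constructed sample: folder -> users with permission and 'last modified' date
FOLDERS = {
    r"\\fs01\finance": {"acl": {"alice", "bob", "carol"}, "modified": datetime(2022, 9, 1)},
    r"\\fs01\archive\2015": {"acl": {"alice", "dave"}, "modified": datetime(2016, 1, 10)},
    r"\\fs01\hr": {"acl": {"erin", "bob"}, "modified": datetime(2021, 11, 3)},
}
# Constructed access events: (timestamp, user, folder)
EVENTS = [
    (datetime(2022, 9, 20), "alice", r"\\fs01\finance"),
    (datetime(2022, 8, 2), "bob", r"\\fs01\finance"),
    (datetime(2022, 3, 1), "carol", r"\\fs01\finance"),  # older than the window
    (datetime(2022, 9, 15), "erin", r"\\fs01\hr"),
]

def active_users(events, now=NOW, window_days=ANALYTICS_DAYS):
    """Map each folder to the users who accessed it inside the window."""
    cutoff = now - timedelta(days=window_days)
    seen = {}
    for ts, user, folder in events:
        if ts >= cutoff:
            seen.setdefault(folder, set()).add(user)
    return seen

def review(folders, events, now=NOW, use_events=True):
    """Per folder: permitted-but-inactive users, and whether the data looks stale."""
    active = active_users(events, now)
    report = {}
    for path, info in folders.items():
        users = active.get(path, set())
        old = (now - info["modified"]).days > STALE_AFTER_DAYS
        # Date-only mode mirrors the urgent-remediation shortcut; events refine it.
        stale = old and not (use_events and users)
        report[path] = {"remove": sorted(info["acl"] - users), "stale": stale}
    return report

if __name__ == "__main__":
    for path, result in review(FOLDERS, EVENTS).items():
        print(path, result)
```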
Data Classification Scan Timescales
The final phase of interest, from a project management perspective, is DCE scanning. Most commonly, our customers are looking to locate files containing GDPR terms such as mobile phone numbers or personal email addresses; we have also built bespoke DCE rules to search for industry-specific terms. Whichever rules are in scope, it can take a while to complete DCE scans as there are usually terabytes of information to be scanned on production file servers and Varonis’s platform is designed to complete these scans without putting an adverse load on these servers. For instance, Varonis is expected to only demand a workload from a file server equivalent to 5 users opening, searching and closing files at a time, so very little.
We generally encourage a three-phased approach to conduct the data classification, to reduce the need to rerun scans while ensuring accuracy.
- Pilot Scan – an initial scan using the desired DCE Scan Rules and targeting a small area of the data repository with a representative cross-section of data classifications. This provides a baseline which can then be examined for false positives (and possible false negatives) and the rules then tuned.
- Beta Scan – this is where a larger area, typically one server, is scanned, the results examined and the rules tuned further if necessary.
- Production Scan – this is the scan over the whole of the organisation.
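The Pilot Scan review step can be illustrated as follows. This is an added example, not part of the original post and not DCE rule syntax: the two regular expressions are hypothetical stand-ins for an initial and a tuned mobile-number rule, and the labelled sample texts are constructed. It scores each rule against reviewer labels so that false positives and false negatives are visible before the scan area is widened.

```python
import re

# Constructed pilot sample: (text, reviewer says it holds a mobile number)
PILOT = [
    ("Call Sam on 07700 900123 after 5pm", True),
    ("Mobile: +44 7700 900456", True),
    ("Invoice ref 07700900789123456", False),  # long reference, not a phone
    ("Order 0770 units by Friday", False),
    ("Contact on 07700-900-321", True),
    ("Part no. 107700900123", False),
]

# Plain Python regexes standing in for scan rules (hypothetical, not DCE syntax)
RULES = {
    # First attempt: misses spaced or +44 numbers, fires inside longer digit runs
    "initial": re.compile(r"07\d{9}"),
    # Tuned: optional separators, +44 prefix, and no digits on either side
    "tuned": re.compile(r"(?<!\d)(?:\+44[ -]?|0)7\d{3}[ -]?\d{3}[ -]?\d{3}(?!\d)"),
}

def score(rule, sample):
    """Compare rule hits with reviewer labels; list the misses for tuning."""
    fp = [text for text, label in sample if rule.search(text) and not label]
    fn = [text for text, label in sample if label and not rule.search(text)]
    tp = sum(1 for text, label in sample if label and rule.search(text))
    return {
        "false_positives": fp,
        "false_negatives": fn,
        "precision": tp / (tp + len(fp)) if tp + len(fp) else 0.0,
        "recall": tp / (tp + len(fn)) if tp + len(fn) else 0.0,
    }

if __name__ == "__main__":
    for name, rule in RULES.items():
        print(name, score(rule, PILOT))
```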
It is difficult to predict the time required for DCE scans; however, the Pilot and Beta Scans can be used to predict possible timescales, with resilience being built into the project plan accordingly. Potential factors affecting the DCE scan speed include data volume, Collector and file server performance, networking, and the quantity and types of rules and expressions.
As outlined, the timescales and challenges to deploying Varonis at scale can vary depending on the Varonis modules involved, the desired use cases, and any specific idiosyncrasies in the customer’s IT environment. With a coherent project management approach and our experienced team, Somerford have been able to successfully deploy Varonis at several leading multinational organisations. Somerford are continuing to work with these customers to efficiently utilise Varonis’s functionality to gain better visibility of their exposure, remediate areas of risk, and improve the security of their data.