VARONIS

DATA RISK ASSESSMENT

SAMPLE REPORT: ACME

Want to know where your biggest data security

threats are?

We’ll show you.

The Varonis Data Risk Assessment is a detailed,

true-to-life report based on your company
data, that reveals the vulnerabilities hackers will
hunt for.

Use the report to generate a prioritized

remediation plan, get buy-in from leadership,
and map out what you need to do next to
meet regulations.
 Scope

DATA RISK ASSESSMENT

SCOPE OF DATA RISK ASSESSMENT
A sample scope of data stores monitored for this report: including data, folders, files, and permissions, user, and
group accounts. Risk areas highlighted include overexposed sensitive data, access control issues, and more.

FILE SERVERS AND DATA CONTENTS ACTIVE DIRECTORY

SOURCES MONITORED

• CIFS_FS_1 • 331,237 GB of data • 8,580 user accounts

• CIFS_FS_2 • 90,348,156 folders • 14,427 groups

• CIFS_FS_3 • 1,617,176,767 files • 9,268 computeraccounts

• CIFS_FS_4 • 701,387,576 permission • 420 disabled users

entries
• CIFS_FS_5

• NS_FS_1

• EXCH_1

• SP_1

A sample of ACME’s data was assessed for risks in the following areas:

• Overexposed and at-risk sensitive & classified data

• Access controls and authorization processes

• Privileged and end user access monitoring

• Active Directory structure

• NTFS and sharing permissions structure

• Data retention proficiency

• Compliance with applicable regulations

Data Risk Assessment Sample | www.varonis.com 1

 Key Findings: KPIs

No. Of Folders With Open Access No. Of Sensitive Files With Open Access

74% 35%
66,502,975 Folders With Open Access 339,213,456 Sensitive Files With Open Access

No. Of Folders With Stale Data Files That Contain Sensitive Data

94% 59%
85,377,723 Folders with Stale Data 950,534,645 Files Contain Sensitive Data

No. Of Folders With Inconsistent Permissions User Accounts with Non-Expiring Passwords

58,419 1,182
58,419 folders have Inconsistent Permissions User Accounts with Non-Expiring Passwords

Data Risk Assessment Sample | www.varonis.com 2

 Key Findings: Global Access Groups

66.5 million
GLOBAL GROUP ACCESS:
Global groups allow everyone in an organization to
access these folders. Global groups are groups such folders with global group access
as Everyone, Domain Users, and Authenticated Users.

Overexposed data is a common security vulnerability.

Without automation, IT professionals estimate IT

74%
professionals estimate it takes about 6-8 hours per
folder to locate and manually remove global access
groups. They must identify users that need access,
create and apply new groups, and populate them 66,502,975
with the right users. of 90,348,156

RISK SUMMARY: Low Medium High

• Excessive access is one of the primary causes of

data breaches.

• Overexposed sensitive and critical data is a

significant security risk.

• Outdated user permissions are a target for

DISTRIBUTION OF SENSITIVE FILES
exploitation and malicious use. GLOBAL GROUP WITH GLOBAL
ACCESS GROUP ACCESS

• CIFS_FS_2 11% • CIFS_FS_2 2%

• CIFS_FS_3 7% • CIFS_FS_3 1%

• CIFS_FS_4 20% • CIFS_FS_4 2%

RECOMMENDED ACTIONS: • SP_FS_1 44% • SP_FS_1 82%

• Remove global access group permissions to identify • EXCH_FS_1 18% • EXCH_FS_1 13%
folders open to global groups.

• Place active users in a new group.

• Replace the global access group with the new

group on the ACL.

Data Risk Assessment Sample | www.varonis.com 3

 Key Findings: Sensitive Data

950+ million
SENSITIVE DATA:
Many files contain critical information about
employees, customers, projects, clients, or other files contain sensitive data
business-sensitive content. This data is often subject to
(950,534,645)
industry regulation, such as SOX, HIPAA, PCI, EU GDPR,

339+ million
GLBA, and more.

Sensitive data that’s open to global groups

represents a significant risk to the business, and
(339,213,456)
should be identified and remediated so that only the sensitive files are open
appropriate users can access it. to global groups

RISK SUMMARY: Low Medium High

50%
Over 50% of sensitive
• Sensitive data often contains the most private
information resides on
and sought-after information: personal data, credit one file server: SP_FS_1
card information, IP, emails, and more.

• Excessive access is one of the primary causes of

data breaches.
DISTRIBUTION OF TOTAL NUMBER OF 
• Overexposed sensitive and critical data is a SENSITIVE FILES HITS BY TYPE
significant security risk.
• CIFS_FS_2 13% • SAP Acc# 1,116,554

• CIFS_FS_3 12% • PCI DSS 1,100

• CIFS_FS_4 8% • UK DPA 131,598

• SP_FS_1 54%
RECOMMENDED ACTIONS:
• EXCH_FS_1 13%
• Scan, classify, and monitor sensitive data (where it
lives, who has access to it, and who is accessing it). 1,116,554
131,598
• Implement and maintain a least privilege model.

• Maintain a data-centric security policy to meet 1,100

regulatory compliance on sensitive data.

SAP Account# PCI DSS UK DPA

Data Risk Assessment Sample | www.varonis.com 4

 Key Findings: Stale Data

253,168 GB
STALE DATA:
Stale data - data kept beyond a pre-determined
retention period or that has not been used in a while - of stale data

85+ million
can be expensive to store and manage, and poses an
increased (and unnecessary) security risk.

(85,377,723)
folders contain stale data

Over 75% of data

assessed is stale.

RISK SUMMARY: Low Medium High

• Outdated data quickly becomes a security liability

75%
and unnecessary storage expense.

• Stale data represents an unnecessary security risk,

leaving the door open for that data to be stolen or
compromised.
AMOUNT OF STALE DATA WITH
STALE DATA SENSITIVE INFORMATION

• CIFS_FS_2 25% • CIFS_FS_2 14%

• CIFS_FS_3 22% • CIFS_FS_3 11%

• CIFS_FS_4 8% • CIFS_FS_4 9%

• SP_FS_1 29% • SP_FS_1 53%

RECOMMENDED ACTIONS:
• EXCH_FS_1 16% • EXCH_FS_1 13%
• Identify stale data and determine what data can
be moved, archived, or deleted.

• Create and execute a consistent policy to manage

stale data.

Data Risk Assessment Sample | www.varonis.com 5

 Key Findings: Users and Computer Accounts

USER ACCOUNTS USER AND COMPUTER

• 15 Admin accounts with SPN
• 2 accounts with Security
Identifier (SID) Entry from the
current domain
• 4 accounts that are trusted
for Kerberos delegation
ACCOUNTS
• 40 user accounts have no
password requirement
• 8 Computer Accounts are
also admin accounts
• 12 Computer Accounts
have a weak encryption

40
type for Kerberos

user accounts have no password requirement

ACCOUNTS & USERS: RISK SUMMARY: Low Medium High

Admin Accounts with SPN
Attackers can request tickets or accounts with Service
Principal Names (SPN). Tickets encrypted with RC4 are
highly susceptible to password cracking.
Accounts with a SID History Entry from the
Current Domain
• Accounts with SPN should have long, complex
passwords that are changed frequently. RC4 can be
disabled if not required.
• Accounts should never have a SID history entry from
the same domain.
• Kerberos delegation should only be used by valid
service accounts that require impersonation.

Attackers use this to establish persistency, escalating

the privileges of a normal user to those of a privileged
user in the domain.
RECOMMENDED ACTIONS:
Accounts Trusted for Kerberos Delegation • Review user, computer, and domain indicators.
(Unconstrained Delegation)
• Review user accounts with no password required.

Attackers can compromise an account that is trusted • Monitor Active Directory events for signs of
for Kerberos delegation and use it to impersonate exploitation.
other user accounts.

Data Risk Assessment Sample | www.varonis.com 6

 Key Findings: Folders & Permissions

FOLDERS PERMISSIONS

• 277,027 folders with • 423,872 folders were

unresolved SIDs detected with direct user
ACEs
• 58,419 folders have
inconsistent permissions • 25,551 protected folders

• 1,040,040 folders with unique • 90,348,156 folders without

permissions data owners

277,027 unresolved SIDs

FOLDERS & PERMISSIONS: RISK SUMMARY: Low Medium High

Unresolved SIDs • Inconsistent inheritance exposes data to users that

Unresolved Security Identifiers (SIDs) occur when
an account on an access control list is deleted from
AD. Unresolved SIDs add complexity and may
be exploited.
should not have access, or restrict access from those
who should have it.
• Unresolved SIDs and inconsistent permissions are an
unnecessary security risk.

• Folders with inconsistent permissions potentially

Inconsistent Permissions expose data inside to insiders, hackers, and more.
Inconsistent permissions occur when folders or files
inherit extra access control entries from their parents,
or fail to inherit access control entries from their
parents. Users may be unintentionally granted or
RECOMMENDED ACTIONS:
deprived of access. • Review permissions structure to determine if folder
uniqueness is required. If not, allow the folder to re-
inherit parent permissions, replacing unique ACEs.

• Identify folders with unresolved SIDs and remove

from ACLs.

• Identify folders with direct user permissions, place

users into the appropriate group, and remove the
user ACE from the ACL.

Data Risk Assessment Sample | www.varonis.com 7

 Key Findings: User Activity

TOP ALERT NOTABLE CONNECTIONS USER ACTIVITY

CATEGORIES TRIGGERED
• Intrusion 5
• Privilege 9
• Exfiltration 2
• 18 VPN connections from • 423,110 file opens
disabled users
• 182,335 file modifications
• 11 VPN connections from
• 65,120 file deletions
malicious IPs
• 22,965 permission changes
• 8 connections to Shadow IT sites

• 10 DNS resolution attempts to

750,000+
malicious sites

events on sensitive data

USER AND DEVICE ACTIVITY: RISK SUMMARY: Low Medium High

User Activity & Behavior • Unauthorized attempts to gain access to or modify

User and device activity includes cloud and
on-prem file system, email and SharePoint activity,
Active Directory telemetry, perimeter telemetry and
threat intelligence.
data assets often signal malware, insider threats, or
cyberattacks.
• Unusual user or device behavior may indicate
potential account hijacking, data exfiltration, and
attempts at compromising data.

Varonis monitors and analyzes user and entity • Connections from disabled users or to malicious IPs
behavior across cloud and on-prem data stores, often signal a cyberattack in progress - attackers
Active Directory, and perimeter devices to provide trying to compromise an account or system, or
insight into potential suspicious activity. exfiltrate data.

Varonis detects and alerts on behavioral deviations, RECOMMENDED ACTIONS:

highlights risk, discovers insider threats, ransomware,
• Monitor user behavior and file activity.
and more.
• Monitor for suspicious VPN and DNS connections
and block infiltration attempts from known malicious
connections.

• Detect and alert on security violations, suspicious

behavior, and unusual activity.

• Establish incident response plans and investigation

processes to pursue potential security violations.

Data Risk Assessment Sample | www.varonis.com 8

 What’s Next

VARONIS DATA RISK HOW IT WORKS

ASSESSMENT HIGHLIGHTS
• 100% customized to your
• Global access, stale data, needs
and inconsistent permissions
• Dedicated security engineer
• Overexposed sensitive data performs the assessment on
like PII, HIPAA, and PCI your environment

• Non-compliant access and • Invisible and non-intrusive

authorization processes

Zero impact on your environment.

Less than 90 minutes of your time.

KEY FINDINGS: RISK SUMMARY: Low Medium High

Global Access Groups • Get a risk summary of each finding

Sensitive Data • Review capabilities assessment
Stale Data
• Determine steps to reduce risk
Accounts & Users
Folders & Permissions
User Activity

COVERAGE: RECOMMENDATIONS:
• Windows • Active Directory • Actionable next steps for each risk area

• SharePoint • Dell EMC • Methodology to achieve a secure state

• Exchange • NetApp

• Office 365 • HPE

• Azure AD • Nasuni

• UNIX/Linux

Data Risk Assessment Sample | www.varonis.com 9

 Varonis Methodology

OPERATIONAL JOURNEY
In its work with thousands of organizations, Varonis has developed a proven, efficient methodology for organizations
to monitor, protect, and manage their data. Our data-centric approach reduces risk, increases efficiency and helps
achieve compliance with regulations like PCI, HIPAA and GDPR.

DETECT: DETECT: PREVENT:

1. PREPARE 2. OPERATIONALIZE 3. FIX

• Deploy Varonis • Create incident response plan • Fix broken ACLs

• Prioritize and assess risks
• Train staff on the basics -
This preliminary report is
a small sampling of the
first step in our Varonis
Operational Journey.
based on alerts, including
• Eliminate global access to sensitive
automation
data
• Eliminate remaining global access
managing permissions and finding
lost files
groups
• Eliminate unnecessary AD artifacts
(unused security groups, non-
expiring passwords, etc.)

• Quarantine/archive/delete stale
data

PREVENT: SUSTAIN: SUSTAIN:

4. TRANSFORM 5. AUTOMATE 6. IMPROVE

• Identify folders that n

 eed owners • Automate authorization workflow • Regularly review risks, alerts and
via Data Owners processes to ensure continuous
• Identify data owners
improvement
• Automate periodic entitlement
• Simplify permissions structure
reviews
• Provide owners reports about
• Automate disposition,
their data
quarantining, policy enforcement

Data Risk Assessment Sample | www.varonis.com 10

ABOUT VARONIS
Varonis is a pioneer in data security and analytics, specializing in software for data security, governance,
compliance, classification, and analytics. Varonis detects insider threats and cyberattacks by analyzing file
activity and user behavior; prevents disaster by locking down sensitive data; and efficiently sustains a secure
state with automation.

LIVE DEMO DATA RISK ASSESSMENT GET IN TOUCH

Set up Varonis in your own Get a customized risk Have more questions?
environment. Fast and assessment, reduce your risk Let us know.
hassle free. profile, and fix security issues. 1.877.292.8767

info.varonis.com/demo info.varonis.com/start [email protected]

VC8012C