Nation-state attacks, advanced persistent threats, and sophisticated ransomware continue to dominate the news cycle. These attacks have led to significant outages impacting numerous companies, causing issues such as flight delays and bank account lockouts.
While these headlines may suggest that the threat landscape is becoming increasingly sophisticated and complex, that’s not necessarily the case.
Varonis’ Brock Bauer, Security Architect, Incident Response, and Nolan Necoechea, Senior Product Marketing Manager, recently discussed their observations from working with our CISO partners. The duo also analyzed why threats in the cybersecurity space might not be as groundbreaking as they seem and offered strategic advice on developing your security plan.
How have attack methods changed?
Although it may appear that threats are becoming increasingly sophisticated, the reality of how cyberattacks occur reveals a different scenario.
“If you look at how cyberattacks are actually happening, it paints a different picture,” Nolan said.
Attackers often employ established methods to gain access, such as using stolen credentials or password spraying. Instead of hacking in, they can simply log in with the obtained credentials.
Varonis examined the cyberattacks reported to the SEC in Form 8-K during the first half of this year to better understand the attacks.
We found that 57 percent of the incidents analyzed were due to compromised access.
“This means someone is either buying credentials on the dark web or stealing them using tried and true methods to gain access to the environment,” Nolan said.
If attackers gain access through compromised credentials, they can remain undetected in your environment for up to 150 days. During this time, they may search for vulnerabilities to exploit and sensitive data to steal or ransom. Data exfiltration was the No. 1 impact of cyberattacks in early 2024.
“No matter how they're getting in, attackers are targeting data.”
Nolan Necoechea, Varonis Senior Product Marketing Manager
Protecting multi-cloud data is a top priority.
Below are the top areas of concern for CISOs that Nolan and Brock have identified for the upcoming year.
Data security remains CISOs’ No. 1 priority.
Attackers have a massive advantage in cloud security. They only need to succeed once to breach data, whereas defenders must protect it every time.
“They can try to breach your data a million times, and they only have to win once. But as defenders, we have to win every time.”
Nolan Necoechea, Varonis Senior Product Marketing Manager
As organizations move to the cloud, their potential blast radius, or the extent of damage a user can cause, increases. This risk mainly comes from employees having too many permissions; the average employee has access to 17 million folders from day one.
“Most people have access to way more information than they need to do their jobs,” Brock said. With new AI tools, accessing and leveraging this data is easier than ever.
Cloud security has transformed traditional data security methods.
Cloud platforms provide multiple data access methods, often specific to applications or platforms, that can be layered dynamically. This complexity makes it challenging for IT teams to manage access control independently. Collaboration features can introduce errors, which are hard to detect and fix in larger environments.
“One tiny mistake from an end user can cause a ripple effect across terabytes of data, opening up a massive security hole.”
Brock Bauer, Varonis Security Architect, Incident Response
The growing popularity of gen AI further complicates data security.
Many products now feature AI capabilities, transforming how we interpret and use data. These LLMs enable natural language interactions with information, helping users navigate vast amounts of data.
However, these AI tools can be abused, allowing attackers to reach, without users' knowledge, whatever data those users can access. Security through obscurity is no longer adequate.
“AI is throwing fuel on the data security fire and making things much more complicated for security teams.”
Nolan Necoechea, Varonis Senior Product Marketing Manager
Evolving AI regulations
The regulatory landscape is changing, particularly around AI. The EU AI Act is the first legal framework for AI in the European Union. Like GDPR, this law affects U.S.-based companies doing business or having a presence in the EU. Although it's the first of its kind, more regulations are expected, especially in the United States.
“At the state level, there are more than 40 AI bills introduced in 2023,” Nolan said. “So, we can expect that the regulatory landscape of AI will be much more complex soon.”
“The CISOs we work with are focused on understanding and complying with existing regulations without gen AI throwing a wrench into many of those regulations.”
Nolan Necoechea, Varonis Senior Product Marketing Manager
As we approach 2025, understanding your data is crucial for a strong data security posture amid regulatory changes driven by generative AI.
How to combat data risk
To understand your environment, start with data.
“We need to know what is happening in the environment,” Brock said. “We need to know what data of ours is sensitive.”
Organizations must identify sensitive data so they can limit access to it, and map permissions to see which resources are overly accessible and which users have too much access.
Secondly, Brock said, orgs should reduce their blast radius via automation.
“If your blast radius is minimized, you've minimized the damage by addressing the root cause of these severe breaches.”
Brock Bauer, Varonis Security Architect, Incident Response
“There are magnitudes more users creating, downloading, and sharing data than there are security staff to clean up after them,” Brock said. “We need to automate our security policies to reduce our attack surface and respond to alerts automatically.”
Lastly, adopt the mindset that an attack is a matter of when, not if. By treating breaches as an inevitability, orgs can be much better prepared.
“An attacker with enough time and persistence will get in.”
Brock Bauer, Varonis Security Architect, Incident Response
How Varonis can help
Varonis provides real-time visibility into data location, sensitivity, and access. Our cloud-native platform automatically enforces your data security policies, eliminating risky permissions, misconfigurations, and sharing links without manual effort.