With major security threats and vulnerabilities making headlines daily, it’s good to hear there’s now a way for organizations to share experiences and strategically work together. Through the Building Security in Maturity Model (BSIMM), the security efforts of 78 firms – including familiar brands such as HSBC, Citigroup, Fannie Mae, and Aetna – were surveyed and presented to the IT community for free. Companies can compare and benchmark their own security initiatives against these results. Of course, it’s completely up to you and your organization to decide which BSIMM actions to take.
BSIMM is based on the Software Security Framework (SSF), consisting of twelve practices which is also further organized under four domains – Governance, Intelligence, SDL Touchpoints, and Deployment.
Ultimately, BSIMM can help organizations plan, structure, and execute programs to fight evolving security threats and vulnerabilities. BSIMM in theory should help firms up their security game by building on what others have done.
Get a Free Data Risk Assessment
Who Would Benefit from BSIMM?
Just about any company should see benefits from the BSIMM approach. Essentially, everyone who relies on software for data protection could use a BSIMM boost. More specifically, senior executives leading a security team should find BSIMM a powerful knowledge resource.
Mapping BSIMM to Varonis:
The following is a table containing sections of the BSIMM and an explanation describing how Varonis solutions can help reduce security risks and protect an organization’s computer infrastructure.
Governance |
||
| STRATEGY & METRICS (SM) | Activity# | Varonis Solutions |
|
Educate executives. Executives are periodically |
SM1.3 |
Risk Assessment and Deep Dive With a risk assessment on your infrastructure, within hours of installation, you can instantly conduct a permissions audit: File and folder access permissions and how those map to specific users and groups. You can even generate reports to see where you might be vulnerable. And within a day of installation, Varonis will begin to show you which users are accessing the data, and how. After three weeks, Varonis will make highly reliable recommendations about how to limit access to files and folders to just those users who need it for their jobs. |
| Identify gate locations, gather necessary artifacts. | SM1.4 | |
| COMPLIANCE & POLICY (CP) | ||
|---|---|---|
|
Unify regulatory pressures If the business or its customers are subject to regulatory or compliance drivers such as FFIEC, GLBA, OCC, PCI, DSS, SOX, HIPAA, or others, the SSG acts as a focal point for understanding the constraints such drivers |
CP1.1 |
Compliance and Regulation We cover many compliance and regulatory requirements, such as: |
| Identify PII data inventory | CP2.1 |
PII Data Inventory The Varonis Data Classification Framework scans file systems and SharePoint sites and The Data Classification Framework solution can prioritize risk by highlighting folders with high concentrations of sensitive content and extremely loose permissions. |
| Create regulator eye-candy.
The SSG has the information regulators want. A combination of written policy, controls documentation, and artifacts gathered through the SSDL gives the SSG the ability to demonstrate the organization’s |
CP3.1 |
Configurable Reports to Meet Regulatory Requirements Varonis DatAdvantage monitors and stores in a |
| TRAINING IT | ||
|
Provide awareness training. The SSG provides awareness training in order to promote a culture of software security throughout the organization. Training might be delivered by SSG members, by an outside firm, by the internal training organization, or |
T1.1 |
Educational and Training Opportunities Varonis staff are also avid learners and educators. Here are some of the educational opportunities we offer and provide: • Varonis Blog: learn more about security, privacy, IT Operations and more on our blog. We post • Office Hours: One free hour-long one-on-one web session with your local Engineer to discuss operational and security questions. • TechTalk: Customers are invited to our bi-monthly webinars to learn about the latest security threats and vulnerabilities |
| Deliver role-specific advanced curriculum (tools, technology stacks, bug parade).
Software security training goes beyond building awareness and enables |
T1.5 | |
|
Deliver on-demand individual training. The organization lowers the burden on trainees and reduces the cost of delivering training by offering on-demand training for individuals across roles. |
T1.7 | |
| Include security resources in onboarding. | T2.6 | |
Intelligence |
||
| ATTACK MODELS | ||
|
Identify potential attackers. The SSG identifies potential attackers in order to understand their motivations and capabilities. |
AM1.3 |
User Behavior Analytics User Behavior Analytics (UBA) has become an,essential solution to identify potential attackers. Defending the inside from legitimate users is just not part of the equation for perimeter-based security and hackers are easily able to go around the perimeter and get inside. They entered through legitimate public ports (email, web, login) and then gain access as users. Once in, cybercriminals have become clever at implementing a ransomware attack that isn’t spotted by, anti-virus software. In fact, to an IT admin who is,just monitoring their system activity the attackers appear as just another user. And that’s why you need UBA! UBA really excels at handling,the unknown. In the background, the UBA engine can baseline each user’s,normal activity, and then spot variances and report in real time – in,whatever form they reveal themselves.,For instance, an IT admin can configure a rule to, say, spot thousands of “file modify” actions in a short time windows. |
|
Create SSG capability to solve difficult design problems. When the SSG is involved early,in the new project process, it contributes to new architecture and solves,difficult design problems. The negative impact security has on other,constraints (time to market, price, etc.) is minimized. If a skilled security,architect from the SSG is involved in the design of a new protocol, he or she,could analyze the security implications of existing protocols and identify,elements that should be duplicated or avoided. Designing for security up,front is more efficient than analyzing an existing design for security and,then refactoring when flaws are uncovered. Some design problems will require,specific expertise outside of the SSG. |
SFD2.2 | Submit a feature request or join our Strategic Accounts program so we can customize Varonis to your needs. |
| STANDARDS & REQUIREMENTS (SR) | ||
|
Create security standards. The SSG meets the organization’s demand for security guidance by |
SR1.1 | If you need ideas on creating a security policy, click here. |
SSDL Touchpoints |
||
| ARCHITECTURE ANALYSIS (AA) | ||
|
Perform security feature review. To get started in architecture analysis, center the process on a review of security features. Security-aware reviewers first identify the security features in an application (authentication, access control, use of cryptography, etc.) then study the design looking for problems that would cause these features to fail at their purpose or otherwise prove insufficient. |
AA1.1 |
Reporting and Access Controls Use DatAdvantage to run reports, to identify, prioritize, and remediate excessive access to sensitive high-risk data. DataPrivilege helps define the,policies and processes that govern who can access, and who can grant access,to unstructured data, but it also enforces the workflow and the desired,action to be taken (i.e. allow, deny, allow for a certain time period). This has a two-fold effect on the consistent and broad communication of the access, policy: 1. it unites all of the parties,responsible including data owners, auditors, data users AND IT around,the same set of information and With DatAdvantage and DataPrivilege, compliance officers and auditors can receive regular reports of data use and access activity of privileged and protected information to ensure compliant use and safekeeping. |
| CODE REVIEW (CR) | ||
|
Automate malicious code detection. Automated code review is used to identify dangerous code written by malicious in-house developers or outsource providers. |
CR3.4 |
Prevent Ransomware DatAdvantage’s audit trail and,behavioral alerts can help detect when malware or viruses are accessing files, mailboxes, or SharePoint sites. A Varonis customer used DatAdvantage to quickly isolate and successfully halt the spread of the Cryptolocker virus in their environment. This was how our customer described the situation: “Within DatAdvantage I ran a query on that specific user and realized that there were over 400,000 access events that had been generated from that user’s account. It was at that point that we knew it was a virus…Once we had identified the second user, we went back to DatAdvantage to identify the files they had accessed. There were over 200,000 access events generated from this user’s account.” Read more. Also read The Complete Ransomware Guide |
Deployment |
||
| CONFIGURATION MANAGEMENT & VULNERABILITY MANAGEMENT (CMVM) |
||
|
Create or interface with incident response. The SSG is prepared to respond to an incident and is |
CMVM1.1 |
Real-Time Alerts Varonis DatAlert can be configured to send real-time alerts on a number of actions including the granting of administrative rights to a user or group. This allows the organization to detect, in real-time, when privileged access has been granted erroneously and act before abuse occurs.,Real-time alerts can also be triggered when administrative users access, modify, or delete business data. |
