Varonis and the Building Security in Maturity Model (BSIMM)

Michael Buckbee
6 min read
Last updated June 9, 2023

With major security threats and vulnerabilities making headlines daily, it’s good to hear there’s now a way for organizations to share experiences and strategically work together. Through the Building Security in Maturity Model (BSIMM), the security efforts of 78 firms – including familiar brands such as HSBC, Citigroup, Fannie Mae, and Aetna – were surveyed and presented to the IT community for free. Companies can compare and benchmark their own security initiatives against these results. Of course, it’s completely up to you and your organization to decide which BSIMM actions to take.

BSIMM is based on the Software Security Framework (SSF), which consists of twelve practices, further organized under four domains: Governance, Intelligence, SSDL Touchpoints, and Deployment.

Figure: the Software Security Framework (SSF)

Ultimately, BSIMM can help organizations plan, structure, and execute programs to fight evolving security threats and vulnerabilities. BSIMM in theory should help firms up their security game by building on what others have done.


Who Would Benefit from BSIMM?

Just about any company should see benefits from the BSIMM approach. Essentially, everyone who relies on software for data protection could use a BSIMM boost. More specifically, senior executives leading a security team should find BSIMM a powerful knowledge resource.

Mapping BSIMM to Varonis:

The following table lists activities from the BSIMM alongside an explanation of how Varonis solutions can help reduce security risks and protect an organization’s computer infrastructure. Each entry gives the BSIMM activity number, the activity, and the matching Varonis solution where one applies.

Governance

STRATEGY & METRICS (SM)

SM1.3 Educate executives.
Executives are periodically shown the consequences of inadequate software security and the negative business impact that poor security can have.

Varonis solution: Risk Assessment and Deep Dive
With a risk assessment on your infrastructure, within hours of installation you can conduct a permissions audit: file and folder access permissions and how those map to specific users and groups. You can even generate reports to see where you might be vulnerable.

Within a day of installation, Varonis will begin to show you which users are accessing the data, and how.

After three weeks, Varonis will make highly reliable recommendations about how to limit access to files and folders to just those users who need it for their jobs.

SM1.4 Identify gate locations, gather necessary artifacts.
COMPLIANCE & POLICY (CP)

CP1.1 Unify regulatory pressures.
If the business or its customers are subject to regulatory or compliance drivers such as FFIEC, GLBA, OCC, PCI DSS, SOX, HIPAA, or others, the SSG acts as a focal point for understanding the constraints such drivers impose on software.

Varonis solution: Compliance and Regulation
We cover many compliance and regulatory requirements, such as FFIEC, PCI DSS, SOX, HIPAA, Gramm-Leach-Bliley, and more.

CP2.1 Identify PII data inventory.

Varonis solution: PII Data Inventory
The Varonis Data Classification Framework scans file systems and SharePoint sites and automatically identifies sensitive personally identifiable information, including healthcare, financial, and other critical assets. Once critical information is discovered, Varonis DatAdvantage provides additional context: who has access to the content, who has been accessing it, and who should no longer have access.

The Data Classification Framework can prioritize risk by highlighting folders with high concentrations of sensitive content and extremely loose permissions.

CP3.1 Create regulator eye-candy.
The SSG has the information regulators want. A combination of written policy, controls documentation, and artifacts gathered through the SSDL gives the SSG the ability to demonstrate the organization’s compliance story without a fire drill for every audit.

Varonis solution: Configurable Reports to Meet Regulatory Requirements
Varonis DatAdvantage monitors and stores, in a searchable format, all aspects of data use for information stored on file and email servers. Varonis provides a detailed record of file server contents and how they are used, including filenames, folders, access privileges to files and folders (i.e. a user’s or group’s NTFS permissions), data use by username or group name (i.e. create, open, delete, rename), and a list of the likely business owners of data, all of which are easily reportable.

TRAINING (T)

T1.1 Provide awareness training.
The SSG provides awareness training in order to promote a culture of software security throughout the organization. Training might be delivered by SSG members, by an outside firm, by the internal training organization, or through eLearning.

Varonis solution: Educational and Training Opportunities
Varonis staff are also avid learners and educators. Here are some of the educational opportunities we offer and provide:

Professional Services: ensures our customers can effectively use the product to fulfill all their use cases.

Varonis Blog: learn more about security, privacy, IT operations and more on our blog. We post approximately 3-4 blog posts per week.

Office Hours: one free hour-long one-on-one web session with your local engineer to discuss operational and security questions.

TechTalk: customers are invited to our bi-monthly webinars to learn about the latest security threats and vulnerabilities.

T1.5 Deliver role-specific advanced curriculum (tools, technology stacks, bug parade).
Software security training goes beyond building awareness and enables trainees to incorporate security practices into their work. The training is tailored to the role of trainees; trainees get information about the tools, technology stacks, or kinds of bugs that are most relevant to them.

T1.7 Deliver on-demand individual training.
The organization lowers the burden on trainees and reduces the cost of delivering training by offering on-demand training for individuals across roles.

T2.6 Include security resources in onboarding.

Intelligence

ATTACK MODELS (AM)

AM1.3 Identify potential attackers.
The SSG identifies potential attackers in order to understand their motivations and capabilities.

Varonis solution: User Behavior Analytics
User Behavior Analytics (UBA) has become an essential solution to identify potential attackers.

Defending the inside from legitimate users is just not part of the equation for perimeter-based security, and hackers are easily able to go around the perimeter and get inside. They enter through legitimate public ports (email, web, login) and then gain access as users.

Once in, cybercriminals have become clever at implementing ransomware attacks that aren’t spotted by anti-virus software. In fact, to an IT admin who is just monitoring system activity, the attackers appear as just another user.

And that’s why you need UBA!

UBA really excels at handling the unknown. In the background, the UBA engine can baseline each user’s normal activity, then spot variances and report them in real time, in whatever form they reveal themselves. For instance, an IT admin can configure a rule to spot thousands of “file modify” actions in a short time window.
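As an added illustration (not Varonis code and not the DatAdvantage rule engine), the Python below shows the shape of the rule just described: it builds a per-user baseline of daily “modify” counts from constructed audit events, then flags any user whose modify count in a short window exceeds either their own baseline or an absolute limit. The event tuples, the user names, the window size and the thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample audit events, not real Varonis data: (timestamp, user, action).
# "alice" and "bob" each modify 5 files a day for a week; on the eighth day "bob"
# modifies 300 files in about a minute, the burst pattern typical of ransomware.
WINDOW_START = datetime(2023, 6, 8, 9, 0)

def build_sample_events():
    events = []
    for day in range(1, 8):
        for n in range(5):
            events.append((datetime(2023, 6, day, 10, n), "alice", "modify"))
            events.append((datetime(2023, 6, day, 11, n), "bob", "modify"))
    events.append((WINDOW_START, "alice", "modify"))
    for n in range(300):
        events.append((WINDOW_START + timedelta(milliseconds=200 * n), "bob", "modify"))
    return events

def baseline_per_user(events, before):
    """Daily 'modify' counts per user, using only events strictly before `before`."""
    daily = defaultdict(lambda: defaultdict(int))
    for ts, user, action in events:
        if action == "modify" and ts < before:
            daily[user][ts.date()] += 1
    return {user: list(days.values()) for user, days in daily.items()}

def window_counts(events, start, window=timedelta(minutes=5)):
    """'modify' counts per user inside the short window [start, start + window)."""
    counts = defaultdict(int)
    for ts, user, action in events:
        if action == "modify" and start <= ts < start + window:
            counts[user] += 1
    return dict(counts)

def detect_modify_bursts(events, start, sigma=3.0, hard_limit=200):
    """Flag users whose modifies in the window exceed their own daily baseline
    (mean + sigma std devs) or hard_limit; a 5-minute count measured against a
    whole day's baseline is deliberately conservative. Unknown users get a baseline of 0."""
    baseline = baseline_per_user(events, start)
    alerts = {}
    for user, count in window_counts(events, start).items():
        history = baseline.get(user, [0])
        threshold = mean(history) + sigma * pstdev(history)
        if count > hard_limit or count > threshold:
            alerts[user] = count
    return alerts

def run_demo():
    """Run the detector over the constructed events; returns {"bob": 300}."""
    return detect_modify_bursts(build_sample_events(), WINDOW_START)
```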

SECURITY FEATURES & DESIGN (SFD)

SFD2.2 Create SSG capability to solve difficult design problems.
When the SSG is involved early in the new project process, it contributes to new architecture and solves difficult design problems. The negative impact security has on other constraints (time to market, price, etc.) is minimized. If a skilled security architect from the SSG is involved in the design of a new protocol, he or she could analyze the security implications of existing protocols and identify elements that should be duplicated or avoided. Designing for security up front is more efficient than analyzing an existing design for security and then refactoring when flaws are uncovered. Some design problems will require specific expertise outside of the SSG.

Varonis solution: Submit a feature request or join our Strategic Accounts program so we can customize Varonis to your needs.

STANDARDS & REQUIREMENTS (SR)

SR1.1 Create security standards.
The SSG meets the organization’s demand for security guidance by creating standards that explain the accepted way to adhere to policy and carry out specific security-centric operations.

Varonis solution: If you need ideas on creating a security policy, click here.

SSDL Touchpoints

ARCHITECTURE ANALYSIS (AA)

AA1.1 Perform security feature review.
To get started in architecture analysis, center the process on a review of security features. Security-aware reviewers first identify the security features in an application (authentication, access control, use of cryptography, etc.), then study the design looking for problems that would cause these features to fail at their purpose or otherwise prove insufficient.

Varonis solution: Reporting and Access Controls
Use DatAdvantage to run reports to identify, prioritize, and remediate excessive access to sensitive, high-risk data.

DataPrivilege helps define the policies and processes that govern who can access, and who can grant access to, unstructured data; it also enforces the workflow and the desired action to be taken (i.e. allow, deny, or allow for a certain time period).

This has a two-fold effect on the consistent and broad communication of the access policy:

1. it unites all of the responsible parties, including data owners, auditors, data users AND IT, around the same set of information, and
2. it allows organizations to continually monitor the access framework in order to make changes and optimize for continuous enforcement of warranted access.

With DatAdvantage and DataPrivilege, compliance officers and auditors can receive regular reports of data use and access activity for privileged and protected information, to ensure compliant use and safekeeping.

CODE REVIEW (CR)

CR3.4 Automate malicious code detection.
Automated code review is used to identify dangerous code written by malicious in-house developers or outsource providers.

Varonis solution: Prevent Ransomware
DatAdvantage’s audit trail and behavioral alerts can help detect when malware or viruses are accessing files, mailboxes, or SharePoint sites.

A Varonis customer used DatAdvantage to quickly isolate and successfully halt the spread of the Cryptolocker virus in their environment.

This was how our customer described the situation: “Within DatAdvantage I ran a query on that specific user and realized that there were over 400,000 access events that had been generated from that user’s account. It was at that point that we knew it was a virus…Once we had identified the second user, we went back to DatAdvantage to identify the files they had accessed. There were over 200,000 access events generated from this user’s account.”

Also read The Complete Ransomware Guide.

Deployment

CONFIGURATION MANAGEMENT & VULNERABILITY MANAGEMENT (CMVM)

CMVM1.1 Create or interface with incident response.
The SSG is prepared to respond to an incident and is regularly included in the incident response process.

Varonis solution: Real-Time Alerts
Varonis DatAlert can be configured to send real-time alerts on a number of actions, including the granting of administrative rights to a user or group. This allows the organization to detect in real time when privileged access has been granted erroneously and act before abuse occurs. Real-time alerts can also be triggered when administrative users access, modify, or delete business data.
