www.varonis.com
45.60.158.169
Public Scan
URL: https://www.varonis.com/blog/investigate-ntlm-brute-force
Submission: On January 03 via api from SG — Scanned from SG
Text Content
HOW TO INVESTIGATE NTLM BRUTE FORCE ATTACKS

Ed Lin
6 min read
Last updated November 2, 2022

Contents
* Objective
* What is NTLM?
* What are Account Enumeration and Brute Force?
* Detecting NTLM Brute Force Attacks with Varonis
* 1. Preparing the Investigation in Varonis via the WebUI
* 2. Investigating the Events in Varonis via the WebUI
* 3. Preparing NTLM auditing
* 4. Investigating NTLM logs in Event Viewer
* 5. Remediation

OBJECTIVE

Malicious actors routinely use the NTLM authentication protocol to carry out account enumeration and brute force-styled attacks to compromise accounts within a victim’s network. Once inside, an attacker can gain persistence, exfiltrate sensitive data, and unleash ransomware.

In this post, we will cover the fundamentals of NTLM and its security flaws, as well as the workflow the Varonis IR Team uses to investigate these NTLM brute force attacks.

WHAT IS NTLM?

NTLM or “New Technology LAN Manager” is a protocol developed by Microsoft to authenticate users and computers on the network. It uses a challenge/response mechanism for authentication which allows users to prove their identities without sending a password over the network. Despite being replaced by more secure authentication protocols and having multiple known vulnerabilities, NTLM is still widely deployed today because of its compatibility with legacy systems and applications.

WHAT ARE ACCOUNT ENUMERATION AND BRUTE FORCE?

In general, brute force attacks involve using trial and error to work through possible user name and password combinations in order to compromise an account.

Account enumeration is a more specific type of brute force attack where the attacker is attempting to guess the valid usernames of users within a network. These attacks are typically done when the malicious actor has limited information about their victim’s network.
Depending on the complexity of the attack, the guessed username attempts could be something basic like “Admin” or “Guest” or more sophisticated like using the naming convention that is currently being utilized at the organization, e.g. “JSmith3”. Additionally, if you or your organization has experienced a similar scenario, we recommend additional scrutiny when investigating as you may be more susceptible to future attacks.

Once a threat actor has successfully identified existing usernames, they will begin brute forcing those users to compromise their passwords and gain access to the network. As a result, it is imperative to identify and remediate these account enumeration attacks in order to prevent a cyber attack in its beginning stages.

DETECTING NTLM BRUTE FORCE ATTACKS WITH VARONIS

There are several types of alerts that you can see in the Varonis Alert Dashboard or via email that may indicate that there is an ongoing NTLM Brute Force Attack. These include:
* Password spraying attack from a single source
* Account Enumeration Attack from a single source (using NTLM)
* Lockout: Multiple account lockouts
* Abnormal Behavior: an unusual amount of lockouts across end-user/service/admin accounts

You can also search for all failed authentication behavior in the Varonis Dashboard to look for suspicious activity that you want to investigate.

1. PREPARING THE INVESTIGATION IN VARONIS VIA THE WEBUI

* Click “Analytics” in the Varonis Dashboard.
* Select “DirectoryServices” in the Servers dropdown.
* Filter for Authentication Events by typing “Account Authentication (TGT)”. This will give you all the events related to attempted logins for the specified time.
* Now search for all NTLM authentications that failed due to a bad username by adding “User Name (Event By) = Nobody (Abstract)” and “Authentication Protocol = NTLM”.

Varonis uses “Abstract/Nobody” as a placeholder in the User Name column for usernames that do not exist in AD.
By searching for events with “Abstract/Nobody,” you are effectively drilling down on all NTLM attempts that failed due to having an incorrect username.

Additionally, if you are seeing any of the previously mentioned alerts such as “Account Enumeration Attack from a single source (using NTLM),” you can directly view the related events that triggered this alert. If you are not seeing any relevant alerts, please continue on to Step 2.

* Open a new tab for alerts by clicking on the plus sign and selecting “Alerts”.
* Run a query searching for “Account Enumeration Attack from a single source (using NTLM)” or any of the related brute force alerts and click “Run Search”.
* Hover over “Actions” beneath the search bar and click “View all Related Events”.

This will bring you to an audit log of all the authentication attempts related to this specific alert.

2. INVESTIGATING THE EVENTS IN VARONIS VIA THE WEBUI

Now that you have the relevant events, there will be four columns that will be helpful during the investigation:
* Event Description
* Device Name
* Event Time
* Collection Device Hostname

Make sure they are present by clicking on “Attributes” and by searching for each of the column tiles in the newly opened window and selecting them.

Within the event view, you are looking for failed logins for usernames that do not match your naming convention by using the “Event Description” column. Generic account names like “administrator,” “admin,” “root,” or “service,” can indicate a dictionary-style NTLM brute force attack. Other examples of generic account names may be other simple names like “john,” “aaa,” and “test.” You may even see usernames from foreign languages as well.

The “Device Name” may also be a spoofed device name from the attacker’s authentication requests. Most likely, you won’t recognize these device names as these also will not follow your corporate naming conventions.
Attackers commonly use device names like “Windows10” or “mstsc” in an attempt to obfuscate their activity. Sometimes they’ll leave the device name entirely empty.

Some of the most commonly spoofed device names include:
* Rdesktop
* Remmina
* Freerdp
* Windows7
* Windows8
* Windows2012
* Windows2016
* Windows2019

If you are seeing generic account names that do not match your naming convention in combination with spoofed or null device names, it is likely that your organization is being targeted by an account enumeration attack.

Add the spoofed device names to the search bar and select all monitored resources in the Server dropdown.

By looking at all activity from the spoofed devices, you can determine if there are immediate signs of account compromise such as successful authentications.

You can also filter by all successful events from this suspicious device by clicking on the “Status” hyperlink on the left and selecting “Success” in the window that pops up. For example, account lockout events would be considered a successful event while the underlying failed authentications would not.

Moreover, if there are lockouts from these devices or if there are multiple attempts to authenticate to actual usernames, it is highly likely that the attacker has successfully identified valid usernames and is now attempting to log in via password brute forcing.

Above: We can assume that this admin account has been successfully enumerated by the attacker as a valid user since it has been locked out.

When an account is locked out due to an account enumeration attack, we highly recommend disabling this enumerated account and changing its password for a stronger one. Additionally, pivoting a search to look for all activity from these locked-out accounts could be a useful query as well.

Finally, take note of the “Collection Device Hostname” for these authentication attempts. This is the Domain Controller (DC) we need to prioritize during the next phase of the investigation.
Since the device name is often spoofed or null, we will need to enable additional logging to identify the actual device being attacked.

3. PREPARING NTLM AUDITING

In this section, we will focus on ensuring that the proper configurations are in place to capture the most helpful events for the investigation. More specifically, you will need to use Event ID 8004 in Event Viewer to identify the actual device that is on the receiving end of these NTLM brute force attack attempts. Locating the victim device will be the first step in the remediation process.

8004 events are typically not enabled by default and may require configuration changes in specific Domain Controller group policies to enable logging.

* Log in to a Domain Controller and open Group Policy Management Editor.
* Navigate to the Default Domain Controllers Policy and right-click to select Edit.
* The Group Policy Management Editor will open. Navigate to “Policies>Windows Settings>Security Settings>Local Policies” and select “Security Options.”

There are three security policies that we will need to configure:
* Network security: Restrict NTLM: Audit Incoming Traffic = Enable auditing for all accounts
* Network security: Restrict NTLM: Audit NTLM authentication in this domain = Enable all
* Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers = Audit all

Change these values by right-clicking and selecting “Properties” and then define the policy settings. Click Apply when finished.

Run “gpupdate /force” to apply these changes and begin collecting these events.

4. INVESTIGATING NTLM LOGS IN EVENT VIEWER

* Navigate to the DC that you identified based on “Collection Device Hostname” in step 1.
* Open Event Viewer and go to Application and Services Logs>Microsoft>Windows>NTLM>Operational.
* Right-click and select “Properties”.
* Expand the storage size of this log from the default 1MB to a larger size (we recommend 20MB as a starting point).
You can now use Event ID 8004 events to investigate malicious authentication activity. Use the Find function to search for the device name or user names we saw the attacker using in Step 1.

Once you are able to find an 8004 event that matches one of the malicious authentication events in the WebUI, use the “Secure Channel Name” field to identify the device the attacker is targeting.

In this screenshot, we see that the attacker’s device name was spoofed to be WINDOWS7 and that the destination device for these malicious authentications is DESKTOP2.

5. REMEDIATION

Once we identify the victim device, we can identify how the attacker is sending these authentication attempts. There are a few different sources of data that you can investigate:
* Check firewall logs for connection activity that occurred at the same time as the authentication attempts.
* Log on to the victim device and use tools such as Netstat or Wireshark (only do this if you see no indications of a successful suspicious authentication on that device!)

Attackers will use tools like Shodan to search for devices with publicly exposed ports, which is likely how they found this victim device in the first place. You should identify the IP address and port the attacker is using to send the authentication requests. One port in particular, RDP (port 3389), has been one of the most commonly targeted ports by threat actors, especially given the recent rise of remote workers.

After connecting to this targeted machine and running Netstat, we can see multiple established connections to the victim's device by suspicious IPs over port 3389.

Once you have this information, you can take remediation actions such as blocking specific IPs from the firewall or closing certain ports.
For devices that are required to remain exposed to the internet, we recommend reducing the attack surface for malicious actors by:
* Enabling MFA for all users
* Disabling pre-built usernames like “Guest” and “Admin”
* Enforcing a strong password policy

However, it is important to note that if given enough attempts, threat actors can eventually make their way into a network as they narrow down their brute force attempts.

Finally, we recommend reviewing Varonis and NTLM logs to confirm these authentication attempts have stopped and continue to be on guard for new NTLM brute force attack activity.

Special thanks to Ian McIntyre, Ian Levy, and Raphael Kelly of the Varonis Incident Response Team for their contributions to this guide.

The Varonis IR Team provides free cybersecurity analysis and remediation to Varonis customers. Contact your Varonis Sales Team for details!

ED LIN

Ed Lin is a Security Analyst II for the Incident Response and Security Architecture team at Varonis. Ed has a consulting background with experience in incident response and data protection.
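The Step 4 lookup (find 8004 events with a spoofed or empty device name, then read the Secure Channel Name to find the targeted device) can be run over an exported log rather than the Find dialog. This is an added example, not code from the article or from Varonis. It assumes the NTLM Operational log was exported as XML and that the 8004 data fields are named SChannelName, UserName and WorkstationName; the sample events are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Device and account names the article calls out as typical of these attacks.
SPOOFED_DEVICES = {"rdesktop", "remmina", "freerdp", "mstsc", "windows7", "windows8",
                   "windows10", "windows2012", "windows2016", "windows2019"}
GENERIC_USERS = {"administrator", "admin", "root", "service", "guest",
                 "john", "aaa", "test"}
# Assumption: an empty device name is logged as an empty string or "NULL".
EMPTY_DEVICE = {"", "null", "(null)"}


def _event(event_id, channel, user, workstation):
    """Build one constructed event shaped like an Event Viewer XML export.

    Assumption: the 8004 data fields are named SChannelName, UserName and
    WorkstationName; confirm against a real event on your DC.
    """
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="SChannelName">{channel}</Data>'
            f'<Data Name="UserName">{user}</Data>'
            f'<Data Name="WorkstationName">{workstation}</Data></EventData></Event>')


# Constructed sample data. DESKTOP2 / WINDOWS7 mirror the article's screenshot;
# every other value is made up.
SAMPLE_EXPORT = "<Events>" + "".join([
    _event(8004, "DESKTOP2", "administrator", "WINDOWS7"),
    _event(8004, "DESKTOP2", "admin", "WINDOWS7"),
    _event(8004, "DESKTOP2", "test", "NULL"),
    _event(8004, "DESKTOP2", "jsmith3", "WINDOWS7"),
    _event(8004, "FILESRV01", "mjones", "LAPTOP-0114"),
    _event(8001, "DESKTOP2", "root", "WINDOWS7"),   # not an 8004 record
]) + "</Events>"


def parse_8004(xml_text):
    """Return one dict per Event ID 8004 record in an XML export."""
    records = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        event_id = ev.findtext("e:System/e:EventID", default="", namespaces=NS)
        if event_id.strip() != "8004":
            continue
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        records.append({"target": data.get("SChannelName", ""),
                        "user": data.get("UserName", ""),
                        "device": data.get("WorkstationName", "")})
    return records


def triage(records):
    """Group attempts from spoofed or empty device names by targeted device."""
    by_target = defaultdict(lambda: {"attempts": 0, "generic_users": set(),
                                     "other_users": set(), "devices": set()})
    for r in records:
        device = r["device"].lower()
        if device not in SPOOFED_DEVICES and device not in EMPTY_DEVICE:
            continue  # ordinary-looking device name: outside this pattern
        entry = by_target[r["target"]]
        entry["attempts"] += 1
        entry["devices"].add("<empty>" if device in EMPTY_DEVICE else r["device"])
        user = r["user"].lower()
        # Non-generic names tried from a spoofed device suggest the attacker has
        # moved on to real usernames: check those accounts for lockouts.
        key = "generic_users" if user in GENERIC_USERS else "other_users"
        entry[key].add(user)
    return dict(by_target)


if __name__ == "__main__":
    results = triage(parse_8004(SAMPLE_EXPORT))
    for target, info in sorted(results.items(), key=lambda kv: -kv[1]["attempts"]):
        print(f"{target}: {info['attempts']} attempts from {sorted(info['devices'])}")
        print(f"  generic usernames: {sorted(info['generic_users'])}")
        print(f"  other usernames:   {sorted(info['other_users'])}")
```

Extend the two name sets with whatever falls outside your own naming convention before running it against a real export.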