URL: https://www.varonis.com/blog/investigate-ntlm-brute-force
HOW TO INVESTIGATE NTLM BRUTE FORCE ATTACKS

Ed Lin
6 min read
Last updated November 2, 2022


Contents

 * Objective
 * What is NTLM?
 * What are Account Enumeration and Brute Force?
 * Detecting NTLM Brute Force Attacks with Varonis
 * 1. Preparing the Investigation in Varonis via the WebUI
 * 2. Investigating the Events in Varonis via the WebUI
 * 3. Preparing NTLM auditing
 * 4. Investigating NTLM logs in Event Viewer
 * 5. Remediation


OBJECTIVE

Malicious actors routinely use the NTLM authentication protocol to carry out
account enumeration and brute-force-style attacks to compromise accounts within
a victim’s network. Once inside, an attacker can gain persistence, exfiltrate
sensitive data, and unleash ransomware.

In this post, we will cover the fundamentals of NTLM and its security flaws, as
well as the workflow the Varonis IR Team uses to investigate these NTLM brute
force attacks.



WHAT IS NTLM?

NTLM or “New Technology LAN Manager” is a protocol developed by Microsoft to
authenticate users and computers on the network. It uses a challenge/response
mechanism for authentication which allows users to prove their identities
without sending a password over the network.

Despite being replaced by more secure authentication protocols and having
multiple known vulnerabilities, NTLM is still widely deployed today because of
its compatibility with legacy systems and applications.


WHAT ARE ACCOUNT ENUMERATION AND BRUTE FORCE?

In general, brute force attacks involve using trial and error to work through
possible user name and password combinations in order to compromise an account.

Account enumeration is a more specific type of brute force attack where the
attacker is attempting to guess the valid usernames of users within a network.
These attacks are typically done when the malicious actor has limited
information about their victim’s network.

Depending on the complexity of the attack, the guessed username attempts could
be something basic like “Admin” or “Guest” or more sophisticated like using the
naming convention that is currently being utilized at the organization, e.g.
“JSmith3”.

Additionally, if you or your organization has experienced a similar scenario, we
recommend additional scrutiny when investigating as you may be more susceptible
to future attacks.

Once a threat actor has successfully identified existing usernames, they will
begin brute forcing those users to compromise their passwords and gain access to
the network. As a result, it is imperative to identify and remediate these
account enumeration attacks in order to stop a cyber attack in its beginning
stages.


DETECTING NTLM BRUTE FORCE ATTACKS WITH VARONIS

There are several types of alerts that you can see in the Varonis Alert
Dashboard or via email that may indicate that there is an ongoing NTLM Brute
Force Attack.

Some of which include:

 * Password spraying attack from a single source
 * Account Enumeration Attack from a single source (using NTLM)
 * Lockout: Multiple account lockouts
 * Abnormal Behavior: an unusual amount of lockouts across
   end-user/service/admin accounts


You can also search for all failed authentication behavior in the Varonis
Dashboard to look for suspicious activity that you want to investigate.



1. PREPARING THE INVESTIGATION IN VARONIS VIA THE WEBUI

Click “Analytics” in the Varonis Dashboard.

Select “DirectoryServices” in the Servers dropdown.

Filter for authentication events by typing “Account Authentication (TGT)”. This
will give you all the events related to attempted logins for the specified time.

Now search for all NTLM authentications that failed due to a bad username by
adding “User Name (Event By) = Nobody (Abstract)” and “Authentication Protocol
= NTLM”.


Varonis uses “Abstract/Nobody” as a placeholder in the User Name column for
usernames that do not exist in AD. By searching for events with
“Abstract/Nobody,” you are effectively drilling down on all NTLM attempts that
failed due to having an incorrect username.

Additionally, if you are seeing any of the previously mentioned alerts such as
“Account Enumeration Attack from a single source (using NTLM),” you can view
directly the related events that triggered this alert.

If you are not seeing any relevant alerts, please continue onto Step 2.

Click and open a new tab for alerts by clicking on the plus sign and selecting
“Alerts”. Run a query searching for “Account Enumeration Attack from a single
source (using NTLM)” or any of the related brute force alerts and click “Run
Search”.


Hover over “Actions” beneath the search bar and click “View all Related Events”.


This will bring you to an audit log of all the related authentication attempts
related to this specific alert.


2. INVESTIGATING THE EVENTS IN VARONIS VIA THE WEBUI

Now that you have the relevant events, there will be four columns that will be
helpful during the investigation:

 * Event Description
 * Device Name
 * Event Time
 * Collection Device Hostname

Make sure they are present by clicking on “Attributes”, searching for each of
the column tiles in the newly opened window, and selecting them.


Within the event view, you are looking for failed logins for usernames that do
not match your naming convention by using the “Event Description” column.
Generic account names like “administrator,” “admin,” “root,” or “service,” can
indicate a dictionary-style NTLM brute force attack.

Other examples of generic account names include simple names like “john,”
“aaa,” and “test.” You may also see usernames from foreign languages.

The “Device Name” may also be a spoofed device name from the attacker’s
authentication requests. Most likely, you won’t recognize these device names,
as they also will not follow your corporate naming conventions.

Attackers commonly use device names like “Windows10” or “mstsc” in an attempt to
obfuscate their activity. Sometimes they’ll leave the device name entirely
empty. Some of the most commonly spoofed device names include:

 * Rdesktop
 * Remmina
 * Freerdp
 * Windows7
 * Windows8
 * Windows2012
 * Windows2016
 * Windows2019

If you are seeing generic account names that do not match your naming convention
in combination with spoofed or null device names, it is likely that your
organization is being targeted by an account enumeration attack.


Add the spoofed device names to the search bar and select all monitored
resources in the Server dropdown.


By looking at all activity from the spoofed devices, you can determine if there
are immediate signs of account compromise such as successful authentications.

You can also filter by all successful events from this suspicious device by
clicking on the “Status” hyperlink on the left and selecting “Success” in the
window that pops up. For example, account lockout events would be considered a
successful event while the underlying failed authentications would not.


Moreover, if there are lockouts from these devices or if there are multiple
attempts to authenticate to actual usernames, it is highly likely that the
attacker has successfully identified valid usernames and is now attempting to
log in via password brute forcing.



[Screenshot: the Varonis event view showing a locked-out admin account]



Above: We can assume that this admin account has been successfully enumerated by
the attacker as a valid user since it has been locked out.

When an account is locked out due to an account enumeration attack, we highly
recommend disabling this enumerated account and changing its password for a
stronger one. Additionally, pivoting a search to look for all activity from
these locked-out accounts could be a useful query as well.

Finally, take note of the “Collection Device Hostname” for these authentication
attempts. This is the Domain Controller (DC) we need to prioritize during the
next phase of the investigation. Since the device name is often spoofed or null,
we will need to enable additional logging to identify the actual device being
attacked.


3. PREPARING NTLM AUDITING

In this section, we will focus on ensuring that the proper configurations are in
place to capture the most helpful events for the investigation.

More specifically, you will need to use Event ID 8004 in Event Viewer to
identify the actual device that is on the receiving end of these NTLM brute
force attack attempts. Locating the victim device will be the first step in the
remediation process.

8004 events are typically not enabled by default and may require configuration
changes in specific Domain Controller group policies to enable logging.

Log in to a Domain Controller and open Group Policy Management Editor

Navigate to the Default Domain Controllers Policy and Right-Click to select
Edit.


The Group Policy Management Editor will open. Navigate to “Policies > Windows
Settings > Security Settings > Local Policies” and select “Security Options.”

There are three security policies that we will need to configure:

 * Network security: Restrict NTLM: Audit Incoming Traffic = Enable auditing for
   all accounts
 * Network security: Restrict NTLM: Audit NTLM authentication in this domain =
   Enable all
 * Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers =
   Audit all


Change these values by right-clicking and selecting “Properties” and then define
the policy settings. Click Apply when finished.


Run “gpupdate /force” to apply these changes and begin collecting these events.


4. INVESTIGATING NTLM LOGS IN EVENT VIEWER

Navigate to the DC that you identified based on “Collection Device Hostname” in
step 1.

Open Event Viewer and go to Application and Services
Logs>Microsoft>Windows>NTLM>Operational.

Right-click and select “Properties”.


Expand the storage size of this log from the default 1MB to a larger size (we
recommend 20MB as a starting point).


You can now use Event ID 8004 events to investigate malicious authentication
activity.

Use the Find function to search for the device name or user names we saw the
attacker using in Step 1.

Once you are able to find an 8004 event that matches one of the malicious
authentications events in the WebUI, use the “Secure Channel Name” field to
identify the device the attacker is targeting.



[Screenshot: an Event ID 8004 entry in the NTLM/Operational log]



In this screenshot, we see that the attacker’s device name was spoofed to be
WINDOWS7 and that the destination device for these malicious authentications is
DESKTOP2. 
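The pivot described in this step, as an added example (not Varonis or Microsoft code): it parses 8004 message bodies, keeps only those whose Workstation name or User name matches what was seen in the WebUI, and tallies the “Secure Channel name” targets. The messages are a constructed sample, and the exact field labels are an assumption to verify against a real 8004 event on the DC.

```python
"""Locate the targeted host from NTLM/Operational Event ID 8004 messages (added example)."""
import re
from collections import defaultdict

NTLM_AUDIT_EVENT_ID = 8004

# Field labels assumed for the 8004 message body (check against a real event).
FIELD_RE = re.compile(
    r"^\s*(Secure Channel name|User name|Domain name|Workstation name):\s*(.*?)\s*$",
    re.MULTILINE)


def parse_8004(message):
    """Return the labelled fields of one 8004 message as a dict."""
    fields = dict(FIELD_RE.findall(message))
    return {
        "target": fields.get("Secure Channel name", ""),    # device being attacked
        "user": fields.get("User name", ""),
        "domain": fields.get("Domain name", ""),
        "workstation": fields.get("Workstation name", ""),  # spoofed or null client name
    }


def find_targets(events, suspicious_workstations, suspicious_users=()):
    """Correlate 8004 events with the indicators seen in the WebUI.

    events: iterable of (event_id, message). An event matches when its
    Workstation name is on the suspicious list (the empty string covers null
    device names) or its User name is one the attacker was seen trying.
    Returns {target host: {"attempts", "workstations", "users"}}.
    """
    ws = {w.lower() for w in suspicious_workstations}
    users = {u.lower() for u in suspicious_users}
    targets = defaultdict(lambda: {"attempts": 0, "workstations": set(), "users": set()})
    for event_id, message in events:
        if event_id != NTLM_AUDIT_EVENT_ID:
            continue
        rec = parse_8004(message)
        if rec["workstation"].lower() not in ws and rec["user"].lower() not in users:
            continue
        t = targets[rec["target"]]
        t["attempts"] += 1
        t["workstations"].add(rec["workstation"])
        t["users"].add(rec["user"])
    return dict(targets)


def _msg(target, user, domain, workstation):
    """Constructed 8004-style message body."""
    return ("NTLM server blocked audit: Audit NTLM authentication to this server\n"
            f"Secure Channel name: {target}\nUser name: {user}\n"
            f"Domain name: {domain}\nWorkstation name: {workstation}")


# Constructed sample; event ids other than 8004 are ignored by find_targets.
SAMPLE_EVENTS = [
    (8004, _msg("DESKTOP2", "administrator", "CORP", "WINDOWS7")),
    (8004, _msg("DESKTOP2", "admin", "CORP", "WINDOWS7")),
    (8004, _msg("DESKTOP2", "JSmith3", "CORP", "")),
    (8004, _msg("FILESRV1", "ADoe", "CORP", "WS-FIN-017")),
    (8001, "constructed non-8004 sample\nSecure Channel name: DESKTOP2\n"
           "Workstation name: WINDOWS7"),
]

if __name__ == "__main__":
    for host, info in find_targets(SAMPLE_EVENTS, {"windows7", ""}, {"admin"}).items():
        print(host, info["attempts"], sorted(info["workstations"]), sorted(info["users"]))
```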


5. REMEDIATION

Once we identify the victim device, we can identify how the attacker is sending
these authentication attempts. There are a few different sources of data that
you can investigate:

 * Check firewall logs for connection activity that occurred at the same time as
   the authentication attempts.
 * Log on to the victim device and use tools such as Netstat or Wireshark (only
   do this if you see no indications of a successful suspicious authentication
   on that device!)

Attackers will use tools like Shodan to search for devices with publicly exposed
ports, which is likely how they found this victim device in the first place.

You should identify the IP address and port the attacker is using to send the
authentication requests. One port in particular, RDP (port 3389), has been one
of the most commonly targeted ports by threat actors, especially given the
recent rise of remote workers.



[Screenshot: Netstat output on the victim device showing connections over port 3389]



After connecting to the targeted machine and running Netstat, we can see
multiple established connections to the victim device from suspicious IPs over
port 3389.

Once you have this information, you can take remediation actions such as
blocking specific IPs from the firewall or closing certain ports.

For devices that are required to remain exposed to the internet, we recommend
reducing the attack surface for malicious actors by:

 * Enabling MFA for all users
 * Disabling pre-built usernames like “Guest” and “Admin”
 * Enforcing a strong password policy

However, it is important to note that if given enough attempts, threat actors
can eventually make their way into a network as they narrow down their brute
force attempts.

Finally, we recommend reviewing Varonis and NTLM logs to confirm these
authentication attempts have stopped and continue to be on guard for new NTLM
brute force attack activity.

Special thanks to Ian McIntyre, Ian Levy, and Raphael Kelly of the Varonis
Incident Response Team for their contributions to this guide.

The Varonis IR Team provides free cybersecurity analysis and remediation to
Varonis customers. Contact your Varonis Sales Team for details!

 

 





ED LIN

Ed Lin is a Security Analyst II for the Incident Response and Security
Architecture team at Varonis. Ed has a consulting background with experience in
incident response and data protection.
