Umbrella Corp Data Risk Assessment

DATA RISK ASSESSMENT
PREPARED FOR UMBRELLA CORP

DATE CREATED: 8.7.23
TABLE OF CONTENTS

Business impact 03
Assessment overview 04
Critical findings 05
Detailed findings 10
  Data security posture
  Threat analysis
  Configuration risk
  Identity risk
  Salesforce risk
Next steps 31

“I was amazed by how quickly Varonis was able to classify data and uncover potential data exposure during the free assessment. It was truly eye-opening.”

Michael Smith, CISO, HKS

Varonis Data Risk Assessment 2


INTRODUCTION

WHY DID UMBRELLA CORP START A VARONIS DATA RISK ASSESSMENT?

Umbrella Corp has a board-level requirement to discover, classify, and label all PII to ensure compliance and downstream DLP effectiveness. Umbrella Corp’s recent ransomware incident highlights the need for data monitoring. Without action, they face regulatory fines and data exposure levels that leadership is not comfortable with.

Challenges

Classifying sensitive data and fixing exposures is a struggle.
Quantifying data security posture and showing progress to the board is a must.
Data remediation efforts are difficult with a small team.
There is a need to monitor data usage and alert on abnormal activity.
Sub-units operate independently — a unified data security program is needed.
Compliance audits are manual and incomplete.


UMBRELLA CORP’S RISK ASSESSMENT OVERVIEW

Connected data sources and assessment timeline

Varonis can connect to dozens of additional data sources. Setup takes minutes.

Connected data sources: Microsoft 365, Active Directory + Azure AD, Salesforce, Windows File Share, Google Workspace

Timeline: platform install on June 1, 2023; proof of value assessment on June 21, 2023

5.6M resources (files/objects)
12K identities
805K events (daily average)
2.4M sensitive records classified (PHI, PCI, secrets)

Note: only a portion of Umbrella Corp’s overall environment was connected for the POC.


CRITICAL FINDINGS
Risks that could result in a data breach

Below are the top four findings that Varonis deems a critical data security risk.

1 HR compensation reports shared publicly via “anyone” links.
2 332 Salesforce users can export production data.
3 An external user is a super admin in Google Workspace.
4 A marketing assistant triggered an abnormal data access alert.


CRITICAL FINDING #1
HR compensation reports shared publicly via “anyone” links.

Melissa Donovan accidentally exposed the company’s bonus information to the internet.

Risk type: Public data exposure
NIST control: AC-3(9): Controlled Release
Affected system: Microsoft 365

Recommendation: Revoke “Anyone” access to this file immediately by disabling the link. Disable the ability to share publicly. Use Varonis automation to revoke any public link to files containing sensitive information.

Observation: Melissa Donovan, an HR business partner, uploaded International Bonuses.docx to her HR Teams site on January 12. Varonis’ classification scan identified 231 instances of PII within the file and our logs show she created the “Anyone” link on February 13, exposing the file to the internet. The link has been accessed by anonymous users from 27 various IP addresses globally.


CRITICAL FINDING #2
332 Salesforce users can export production data.

The regular “Sales” profile grants export access. This is too broad and should be fixed.

Risk type: Sensitive data exposure
NIST control: AC-2(7): Role-Based Schemes
Affected system: Salesforce (production, sandbox, dev)

Recommendation: Remove the export report permission from the “Sales” profile and any other non-admin role. Review all profiles and permission sets that grant highly privileged actions — such as export report, modify all data, and read all data.

Observation: Varonis scans identified a toxic combination of permissions that creates a serious data exfiltration risk — 332 salespeople, via their “Sales” profile, can export all lead, contact, opportunity, and account data from Umbrella Corp’s production Salesforce instance.


CRITICAL FINDING #3
An external user is a super admin in Google Workspace.

Guy Incognito is a super admin without MFA. His activity spiked on July 4, which triggered an alert.

Risk type: Insecure admin account
NIST control: AC-2(7): Privileged User Accounts
Affected system: Google Workspace

Recommendation: Immediately enforce MFA on Guy Incognito’s account and add it to a watch list in Varonis. Review the user’s past 30 days of activity, entitlements, and related identities. Decide whether this external user truly needs super admin rights.

Observation: Guy Incognito is an external contractor using a personal Gmail account to access Umbrella Corp’s Google Workspace account. This user has super admin rights and does not have MFA enabled. This account is considered extremely high risk.


CRITICAL FINDING #4
A marketing assistant triggered an abnormal data access alert.

Darren York should not have access to financial data. Varonis UEBA detected anomalous access.

Risk type: Abnormal user behavior
NIST control: AC-2(12): Account Monitoring for Atypical Usage
Affected system: Microsoft 365

Recommendation: Use Varonis to run a query to see all of Darren’s activity in the past 30 days. Ensure that data containing financial records is accessible only to employees who need access.

Observation: Marketing assistant Darren York triggered a behavior-based alert by deviating from his normal baseline of data access activity. Varonis detected that he was accessing files with financial data, which is atypical for his role.


DETAILED FINDINGS

DATA SECURITY POSTURE
Umbrella Corp’s sensitive data is spread across multiple cloud services and on-prem data stores. To minimize the risk of a data breach, it is crucial for the company to have real-time visibility and control over its rapidly changing data estate — with unified classification, threat detection, and policy enforcement.

Where is Umbrella Corp’s most sensitive data and how much is at risk?

[Chart: sensitive records vs. exposed records by data store (SharePoint, OneDrive, Windows, Google, Salesforce)]

Key risk indicators:
310K sensitive records
27K events on sensitive data per day
24.5K sensitive records exposed org-wide
11K sensitive records exposed externally


Data discovery and classification
Classification policies enabled

We enabled 85 built-in rules and created three custom rules during this risk assessment. The top four data types by volume are shown below.

Data type        Containers   Objects   Records
PCI-DSS          1,160        12,421    89,924
Passwords        160          421       923
U.S. PII         2,620        72,245    199,104
Matter numbers   1,002        92,420    799,922

Built-in policy library

PII: HIPAA PHI 2.0, Colorado Privacy Act, NY SHIELD Act
GDPR: GDPR Germany, GDPR France, GDPR Austria
Credentials: Passwords, Private keys, Certificates
Financial: PCI-DSS 2.0, SOX, GLBA
Federal: ITAR, Top Secret, CUI

Plus hundreds more rules, patterns, and dictionaries

The power of Varonis data classification

+ True incremental scanning for efficient and scalable discovery on massive data sets
+ 400+ expert-built and tested rules available (and growing) out of the box
+ Unified classification policies across all supported data stores
+ Customizable scanning scopes and sampling
+ Battle-tested in multi-petabyte environments


Microsoft 365 data exposure
Data exposure in M365 is not unique to Umbrella Corp. The average company has 40+ million unique permissions across their multi-cloud data and, according to Microsoft, more than 50% of permissions are high-risk and capable of causing catastrophic damage if misconfigured.

What kind of data lives in M365 and what is Umbrella Corp’s exposure?

[Chart: sensitive records vs. exposed records by data type (PCI-DSS, Matter Number, US PII, Secrets)]

Key risk indicators:
203K sensitive records
20K sensitive records exposed org-wide
1.5K sensitive records exposed externally


Collaboration risk

Exposure levels
Sharing links are helpful for collaboration, but they can expose that data to everyone in the organization, guest users, or the internet. Umbrella Corp has a significant amount of sensitive data exposure due to links in SharePoint and OneDrive.

SharePoint Online and OneDrive

Link scope   All files   Sensitive files
Org-wide     154K        72K
Guest        7,250       2,009
External     12,402      2,225
Anyone       57,222      8,250

Shared link growth
Umbrella Corp’s blast radius is growing rapidly week over week. Below is a graph of link growth by type during the risk assessment period.

[Chart: shared link growth by type (specific users, anyone, org-wide), weekly from June 1 to June 29]


Data exposed publicly

Data exposed publicly via “anyone” links
Below is a small sample of sensitive files that are accessible to anyone on the internet. The Varonis audit trail shows the type of data within the file (PCI, PHI, etc.), who shared the link, when, and whether the file has been accessed via the link.

1 Spreadsheets with credentials and credit card info
2 Employment agreements with PII and banking account info
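As an added example (not part of the Varonis report and not the Varonis product’s own code), the Python below builds the exposure-by-scope table from the collaboration risk section and the kind of evidence critical finding #1 relies on: for every sensitive file reachable through an “Anyone” link, who shared it, when, how many classified records it holds, and how many distinct anonymous IP addresses have used the link. The sharing-link records, file names, user names, dates and IP addresses are constructed sample data.

```python
# Added example: summarize sharing-link exposure by scope and flag sensitive files
# reachable through "Anyone" links. Records below are constructed sample data.
from datetime import date

SCOPES = ("Org-wide", "Guest", "External", "Anyone")  # link scopes used in the report

# One record per sharing link. "classifications" maps a data type to the number of
# records the classification scan found in the file (empty = nothing sensitive).
LINKS = [
    {"file": "International Bonuses.docx", "scope": "Anyone", "shared_by": "mdonovan",
     "created": date(2023, 2, 13), "classifications": {"US PII": 231},
     "accessed_from": ["203.0.113.5", "198.51.100.7", "203.0.113.5"]},
    {"file": "Q2 roadmap.pptx", "scope": "Org-wide", "shared_by": "jhammond",
     "created": date(2023, 6, 2), "classifications": {}, "accessed_from": []},
    {"file": "vendor-logins.xlsx", "scope": "Anyone", "shared_by": "dyork",
     "created": date(2023, 5, 30), "classifications": {"Passwords": 12, "PCI-DSS": 40},
     "accessed_from": ["192.0.2.10"]},
    {"file": "contract-acme.pdf", "scope": "External", "shared_by": "mdonovan",
     "created": date(2023, 6, 10), "classifications": {"US PII": 3}, "accessed_from": []},
    {"file": "team-photo.jpg", "scope": "Anyone", "shared_by": "dyork",
     "created": date(2023, 6, 12), "classifications": {}, "accessed_from": ["192.0.2.10"]},
]


def is_sensitive(link):
    """A file counts as sensitive when the classification scan found at least one record."""
    return sum(link["classifications"].values()) > 0


def exposure_summary(links):
    """Count all files and sensitive files per link scope (the report's exposure table).
    Scopes not in SCOPES (e.g. 'Specific users') are added as they appear."""
    summary = {scope: {"all_files": 0, "sensitive_files": 0} for scope in SCOPES}
    for link in links:
        row = summary.setdefault(link["scope"], {"all_files": 0, "sensitive_files": 0})
        row["all_files"] += 1
        if is_sensitive(link):
            row["sensitive_files"] += 1
    return summary


def public_sensitive_links(links):
    """Sensitive files exposed via "Anyone" links, most records first, with the audit-trail
    facts a responder wants: who shared it, when, and how many distinct anonymous IPs used it."""
    hits = []
    for link in links:
        if link["scope"] == "Anyone" and is_sensitive(link):
            hits.append({
                "file": link["file"],
                "records": sum(link["classifications"].values()),
                "data_types": sorted(link["classifications"]),
                "shared_by": link["shared_by"],
                "created": link["created"].isoformat(),
                "distinct_ips": len(set(link["accessed_from"])),
                "action": "revoke link",  # the report's recommendation for such files
            })
    return sorted(hits, key=lambda h: h["records"], reverse=True)


if __name__ == "__main__":
    for scope, row in exposure_summary(LINKS).items():
        print(f"{scope:10} all={row['all_files']} sensitive={row['sensitive_files']}")
    for hit in public_sensitive_links(LINKS):
        print(hit)
```

The revocation list is ordered by record count so that the file with the most classified records (here the bonus document) is handled first; the distinct-IP count is the same signal the finding quotes (“27 various IP addresses”) and separates a public link that nobody has used from one that is already being read.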


REMEDIATION

How fast can we remediate shared link risk?
A typical Varonis customer can eliminate exposure rapidly with automation. Below are the results from a large financial institution that enabled least privilege automation. Nearly 100% of external and org-wide data exposure was eliminated in under 30 days.

Automation policies keep risk low in the face of data growth and continued collaboration. With policies set to auto-enforce, new risks are remediated as they appear and least privilege is continuously enforced.

[Chart: external and org-wide exposure over days 0 to 30 of automation]


Misplaced and mislabeled data

Misplaced data: GDPR compliance risk
Varonis discovered EU citizen PII records on a U.S.-hosted M365 tenant. The files were uploaded on July 15 by a service account named “ExportJob” which appears to be connected to an automated Workato task. We recommend migrating this data to Umbrella Corp’s EU-based tenant and adjusting the automated task.

[Diagram: (1) U.S.-based M365 tenants, (2) files containing EU citizen PII]

Mislabeled files: DLP enforcement gap
Many files are missing MIP labels or have outdated, misapplied labels. As a result, downstream DLP enforcement could fail, resulting in sensitive data leakage or the reverse — users are blocked from sharing non-sensitive data that is mislabeled.

We found 27,000+ sensitive files with no label applied.


Threat detection and response
Varonis real-time monitoring and behavior-based threat detection was enabled across each in-scope system. During the assessment period, our AI models were trained on 800M+ events to learn the unique behavior of users and devices in Umbrella Corp’s environment.

800M: hundreds of millions of events collected. Each event is automatically enriched and normalized.
75: dozens of alerts triggered. Average ~3 per day.
2: a handful of incidents investigated. Varonis Proactive IR spotted and escalated two incidents.

Data-centric UEBA
Events are enriched with data, user, and device context. Security analysts can run queries such as: “List all sensitive data access events by privileged accounts from devices connected from Germany.”

Sample enriched event:

Account identification    Operation by: Amy Johnson         Account type: Executive
File sensitivity          Object: customer.xlsx             Sensitive?: Yes
IP to device resolution   Device IP address: 173.17.33.3    Device name: aj-03154
Geolocation               External IP address: 54.239.13.2  Geolocation: Canada
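The enrichment step above is what makes the quoted query answerable: a raw access event carries only an account name, an object and two IP addresses, and the context (account type and privilege, file sensitivity, IP-to-device name, geolocation) is joined in from other sources. As an added example that is not the Varonis engine’s code, the Python below performs that join over constructed lookup tables and a few constructed events (the Amy Johnson row from the sample table plus made-up service-account and employee events), then answers “sensitive data access by privileged accounts from Germany”.

```python
# Added example: enrich raw access events with account, sensitivity, device and
# geolocation context, then run the report's sample UEBA query. All lookup tables
# and events are constructed sample data.

# Constructed directory context: account type and whether the account is privileged.
ACCOUNTS = {
    "ajohnson": {"name": "Amy Johnson", "type": "Executive", "privileged": True},
    "backupsvc": {"name": "UC\\BackupService", "type": "Service", "privileged": True},
    "dyork": {"name": "Darren York", "type": "Employee", "privileged": False},
}
# Constructed classification results: object -> sensitive or not.
SENSITIVE_OBJECTS = {"customer.xlsx": True, "payroll-2023.csv": True, "lunch-menu.txt": False}
# Constructed IP-to-device resolution and external IP geolocation tables.
DEVICES = {"173.17.33.3": "aj-03154", "10.8.1.20": "bk-srv-01", "10.8.2.44": "dy-lt-07"}
GEO = {"54.239.13.2": "Canada", "185.0.113.9": "Germany", "198.51.100.4": "Germany"}

# Raw events as a collector receives them: identifiers only, no context.
RAW_EVENTS = [
    {"ts": "2023-07-04T09:12:00Z", "account": "ajohnson", "op": "read", "object": "customer.xlsx",
     "device_ip": "173.17.33.3", "external_ip": "54.239.13.2"},
    {"ts": "2023-07-04T23:40:00Z", "account": "backupsvc", "op": "read", "object": "payroll-2023.csv",
     "device_ip": "10.8.1.20", "external_ip": "185.0.113.9"},
    {"ts": "2023-07-05T10:02:00Z", "account": "dyork", "op": "read", "object": "payroll-2023.csv",
     "device_ip": "10.8.2.44", "external_ip": "198.51.100.4"},
    {"ts": "2023-07-05T10:05:00Z", "account": "backupsvc", "op": "read", "object": "lunch-menu.txt",
     "device_ip": "10.8.1.20", "external_ip": "185.0.113.9"},
]


def enrich(event):
    """Join one raw event with the context tables. Unknown accounts, devices and IPs are
    kept explicit ("Unknown", "unresolved") rather than dropped, so lookup gaps stay visible."""
    acct = ACCOUNTS.get(event["account"],
                        {"name": event["account"], "type": "Unknown", "privileged": False})
    return {
        **event,
        "account_name": acct["name"],
        "account_type": acct["type"],
        "privileged": acct["privileged"],
        "sensitive": SENSITIVE_OBJECTS.get(event["object"], False),
        "device_name": DEVICES.get(event["device_ip"], "unresolved"),
        "geolocation": GEO.get(event["external_ip"], "unknown"),
    }


def query(events, sensitive=None, privileged=None, geolocation=None):
    """Filter enriched events; a criterion left as None is not applied."""
    out = []
    for e in map(enrich, events):
        if sensitive is not None and e["sensitive"] != sensitive:
            continue
        if privileged is not None and e["privileged"] != privileged:
            continue
        if geolocation is not None and e["geolocation"] != geolocation:
            continue
        out.append(e)
    return out


def sensitive_access_by_privileged_from(events, country):
    """The report's sample question as a function."""
    return query(events, sensitive=True, privileged=True, geolocation=country)


if __name__ == "__main__":
    for e in sensitive_access_by_privileged_from(RAW_EVENTS, "Germany"):
        print(e["ts"], e["account_name"], e["object"], e["device_name"], e["geolocation"])
```

Note that the employee reading the payroll file from Germany is excluded by the privilege criterion and the service account reading a non-sensitive file is excluded by the sensitivity criterion; only the service account’s payroll read matches, which is the event an analyst would want to see first.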


THREAT ANALYSIS
Incident report: compromised service account

Observation: The Varonis IR team discovered that a backup service account was compromised and began accessing user data.

Mitigation: Varonis IR triaged and remediated the incident within minutes. The UC\BackupService account was immediately disabled, active sessions were killed, and the password was reset. Varonis delivered a full investigation report to the Umbrella Corp team complete with root cause analysis and recommendations.

Drilldown: 142 files were accessed by the compromised account. 82 of those files were classified as sensitive by Varonis.


CONFIGURATION RISK
Varonis is continuously scanning system configurations in Umbrella Corp’s SaaS and IaaS platforms to determine if any settings are risky or if any configurations have drifted from their desired state.

21 misconfigurations discovered. Salesforce has the most misconfigurations (8).
5 high severity misconfigurations. M365 and Salesforce each have 2 critical misconfigurations.
4 configurations set to auto-enforce. Varonis can automatically enforce secure settings.

Below is a summary of the five high severity misconfigurations discovered during the assessment. Full details and recommendations for each one can be found in the Varonis UI.

[Table: summary of the five high severity misconfigurations]

Click here to see more sample SaaS and IaaS configurations Varonis can monitor.


THIRD-PARTY APP RISK
We identified 36 third-party apps that are risky, inactive, or unverified.

[Chart: apps, high-risk apps, and unverified apps by platform (Google, Salesforce, Microsoft 365)]

99 third-party apps installed
27 high-risk with broad data access
5 inactive apps

Here is a breakdown of the top four third-party apps, by user count, that are integrated with the SaaS platforms Varonis is monitoring:

[Table: top four third-party apps by user count across Google, Salesforce, and Microsoft 365]

Additionally, we discovered 111 inactive users whose app assignments can be revoked directly from the Varonis UI.


IDENTITY RISK
Active Directory security posture
Varonis scans Umbrella Corp’s cloud and on-prem directory services and detects weak configurations that can provide pathways for attackers. These risks are updated in real-time on your Varonis dashboards and will help prioritize AD hardening efforts.

1 Rare that this account is used under normal circumstances. This could indicate compromise.
2 Vulnerable to offline password cracking.

Entra ID (Azure AD) security posture
Entra ID posture is continuously monitored and scored by Varonis. Risky misconfigurations that put your data at risk are surfaced in your risk dashboards and reports.

1 Review unverified app permission and data access.
2 These accounts should be deactivated immediately.


Active Directory monitoring
Varonis is monitoring events in Umbrella Corp’s directory services and correlating those actions to the data-centric events collected from collaboration platforms and data stores.

These changes were performed outside of the change control window.


Risky external users and personal accounts

Gmail user accounts are stale but have access to sensitive data.

Related identity mapping
Varonis automatically identifies related accounts using a proprietary algorithm. Guy Incognito is an admin user in Google Workspace using a personal Gmail account without MFA. He is connected to several identities across Umbrella Corp’s environments.

Guy has several aliases — a mixture of corporate and personal accounts.

[Diagram: identities related to Guy Incognito across Umbrella Corp’s environments]


Offboarding gaps: inactive accounts
Varonis found 3,000+ stale identities across Umbrella Corp’s directory services and local account repositories.

Terminated contractors retaining access from their personal Google accounts.


SALESFORCE RISK
Salesforce houses an organization’s most valuable data, but its complex permission structures and lack of visibility into who can access that data puts it at risk of insider threats and cyber threats.

Prospect and customer data, price books, KB articles, support cases, contracts, chat logs

Assessment scope

Environments
+ Production
+ Sandbox
+ Dev

Data
+ 234,240 records
+ 8,241 documents
+ 520 fields
+ 9,214 sensitive resources
+ 203 external/public shared records
+ 22 monitored third party apps

Identities
+ 2,012 internal users
+ 425 external users
+ 124 contractors
+ 212 guest users
+ 55 super admins

Entitlements
+ 89 profiles
+ 52 privileged profiles
+ 22 community profiles
+ 3 guest profiles
+ 55 permission sets
+ 27 permission set groups
+ 33 roles

Top 3 external domains: Gmail.com, Hotmail.com, Protonmail.com
SALESFORCE DATA EXPOSURE
What kind of data lives in Salesforce and what is its exposure?

[Chart: sensitive records vs. exposed records by data type (PCI-DSS, Matter Number, US PII, Secrets)]

203K objects with at least one sensitive record
1.5K sensitive records exposed externally
20K sensitive records exposed org-wide

Umbrella Corp’s data exfiltration risk
There are a handful of entitlements, described below, that should be considered highly privileged. If granted to too many users, these entitlements can create a significant data exposure and exfiltration risk.

235 entitlements with Export Report enabled
Export Report allows users to export data directly out of Salesforce. If necessary, it should be applied to Permission Sets.

124 entitlements with View All Data or Modify All Data enabled
Users with this permission can View and Modify all data inside the org.

52 entitlements with API enabled
Allows users to communicate with all Salesforce APIs, exfiltrate data, or perform other actions.

Varonis provides Umbrella Corp with a real-time view of critical entitlements and the ability to quickly right-size access and enforce least privilege. We also recommend setting up Varonis alerts that trigger when these privileged entitlements change.
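The entitlement counts above and the “332 salespeople via their Sales profile” figure in critical finding #2 come from the same two questions: which profiles and permission sets grant a privileged permission, and which users inherit it. As an added example (not Varonis or Salesforce code), the Python below answers both over constructed profiles, permission sets and user assignments. The permission field names are written to mirror the boolean fields on the Salesforce PermissionSet object (PermissionsExportReport, PermissionsViewAllData, PermissionsModifyAllData, PermissionsApiEnabled); treating them as matching real exports is an assumption of this example, and every profile, permission set and user shown is made up.

```python
# Added example: audit Salesforce-style profiles and permission sets for the highly
# privileged entitlements named in the report and list the users who hold them.
# Field names mirror Salesforce PermissionSet boolean fields (assumption); all data is constructed.
from collections import Counter

PRIVILEGED = {
    "PermissionsExportReport": "Export Report",
    "PermissionsViewAllData": "View All Data",
    "PermissionsModifyAllData": "Modify All Data",
    "PermissionsApiEnabled": "API Enabled",
}

# Profiles and permission sets are both "entitlements"; profiles carry is_profile=True.
ENTITLEMENTS = [
    {"name": "System Administrator", "is_profile": True, "admin": True,
     "PermissionsExportReport": True, "PermissionsViewAllData": True,
     "PermissionsModifyAllData": True, "PermissionsApiEnabled": True},
    {"name": "Sales", "is_profile": True, "admin": False,
     "PermissionsExportReport": True, "PermissionsViewAllData": False,
     "PermissionsModifyAllData": False, "PermissionsApiEnabled": False},
    {"name": "Support", "is_profile": True, "admin": False,
     "PermissionsExportReport": False, "PermissionsViewAllData": False,
     "PermissionsModifyAllData": False, "PermissionsApiEnabled": False},
    {"name": "Integration API", "is_profile": False, "admin": False,
     "PermissionsExportReport": False, "PermissionsViewAllData": True,
     "PermissionsModifyAllData": False, "PermissionsApiEnabled": True},
]

# user -> (assigned profile, [assigned permission sets])
USERS = {
    "admin1": ("System Administrator", []),
    "rep1": ("Sales", []),
    "rep2": ("Sales", ["Integration API"]),
    "rep3": ("Sales", []),
    "agent1": ("Support", []),
    "agent2": ("Support", ["Integration API"]),
}


def entitlement_counts(entitlements):
    """How many entitlements grant each privileged permission (the report's
    'N entitlements with Export Report enabled' numbers)."""
    counts = Counter()
    for ent in entitlements:
        for field, label in PRIVILEGED.items():
            if ent.get(field):
                counts[label] += 1
    return dict(counts)


def users_with(permission_field, entitlements, users):
    """Users holding a permission through their profile or any assigned permission set."""
    granting = {e["name"] for e in entitlements if e.get(permission_field)}
    return sorted(u for u, (profile, psets) in users.items()
                  if profile in granting or any(p in granting for p in psets))


def non_admin_profile_grants(entitlements, users):
    """Toxic combination: a non-admin profile granting a privileged permission, with the
    number of users who inherit it. A profile applies to everyone assigned to it, which is
    why the report says such rights belong on permission sets, granted case by case."""
    findings = []
    for ent in entitlements:
        if not ent["is_profile"] or ent["admin"]:
            continue
        for field, label in PRIVILEGED.items():
            if ent.get(field):
                affected = sum(1 for profile, _ in users.values() if profile == ent["name"])
                findings.append({"profile": ent["name"], "permission": label, "users": affected})
    return findings


if __name__ == "__main__":
    print(entitlement_counts(ENTITLEMENTS))
    print(users_with("PermissionsExportReport", ENTITLEMENTS, USERS))
    for finding in non_admin_profile_grants(ENTITLEMENTS, USERS):
        print(finding)
```

Running it on a real org would mean feeding the same three functions with rows pulled from the org’s profile and permission-set exports; the output of non_admin_profile_grants is the list a reviewer works through when deciding which grants to move off profiles.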
SENSITIVE DATA SHARED EXTERNALLY
Umbrella Corp’s Salesforce instances allow guest user access. There are also several user accounts that act as service accounts for third-party apps. Varonis detected 1,500+ sensitive records that are exposed externally, such as the W2 file attachment below.

Users outside the company can access, update, or delete PCI and PII data in your Salesforce instance.

In addition to exposing data to guest users, contractors, and other authenticated third parties, our assessment also surfaced data exposed to the internet via public links.


SALESFORCE MISCONFIGURATIONS
Varonis detected and fixed four misconfigurations or insecure org-wide defaults that could provide an attack path.

Terminated contractors were accessing the sandbox account even though Okta accounts had been deprovisioned.

Salesforce alerts
15 alerts were triggered and resolved by Varonis IR, including a case where insider Melissa Donovan was accessing an abnormal number of records compared to her behavioral baseline. Our investigation showed that Melissa had installed a browser extension that was accessing Salesforce record URLs rapidly.

Melissa Donovan deviated from her normal activity — accessing records she doesn’t usually touch.
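Both behavioral alerts in this report, Darren York’s financial-file access in critical finding #4 and Melissa Donovan’s record volume above, are deviations from a per-user baseline. As an added example that is not the Varonis UEBA engine, the Python below builds such a baseline from constructed historical activity (distinct objects per day, and the data categories a user has ever touched) and flags later days on two signals: a volume well above the user’s own mean, and a data category the user has never accessed before. Users, days, object names and the threshold multiplier are all made up.

```python
# Added example: per-user behavioral baseline and deviation detection. All activity
# below is constructed; "dyork" normally touches marketing files, "mdonovan" a few HR
# records a day, and both behave differently on June 30.
from collections import defaultdict
from statistics import mean, pstdev

# (user, day, object, data category)
EVENTS = [
    *[("dyork", f"2023-06-{d:02d}", f"campaign-{d}-{i}.pptx", "marketing")
      for d in range(1, 29) for i in range(1 + d % 2)],
    *[("dyork", "2023-06-30", f"ledger-{i}.xlsx", "financial") for i in range(1, 41)],
    *[("mdonovan", f"2023-06-{d:02d}", f"hr-{d}-{i}", "hr")
      for d in range(1, 29) for i in range(2 + d % 3)],
    *[("mdonovan", "2023-06-30", f"sf-record-{i}", "hr") for i in range(500)],
]


def daily_profile(events):
    """user -> day -> {'objects': set of distinct objects, 'categories': set of categories}"""
    prof = defaultdict(lambda: defaultdict(lambda: {"objects": set(), "categories": set()}))
    for user, day, obj, cat in events:
        prof[user][day]["objects"].add(obj)
        prof[user][day]["categories"].add(cat)
    return prof


def baseline(days):
    """Mean and population std-dev of distinct objects per day over the user's history,
    plus every data category seen in that history."""
    counts = [len(d["objects"]) for d in days.values()]
    cats = set().union(*(d["categories"] for d in days.values()))
    return {"mean": mean(counts), "std": pstdev(counts), "categories": cats}


def detect(events, baseline_end, k=3.0):
    """Compare each day after baseline_end (ISO date string) against the baseline built from
    days up to and including it. Signals: volume above mean + k*std, or a never-seen category."""
    alerts = []
    for user, days in daily_profile(events).items():
        history = {d: v for d, v in days.items() if d <= baseline_end}
        if not history:
            continue  # nothing to compare against yet
        base = baseline(history)
        for day in sorted(d for d in days if d > baseline_end):
            n = len(days[day]["objects"])
            new_cats = days[day]["categories"] - base["categories"]
            reasons = []
            if n > base["mean"] + k * base["std"]:
                reasons.append(f"volume {n} vs baseline {base['mean']:.1f}")
            if new_cats:
                reasons.append(f"new data category {sorted(new_cats)}")
            if reasons:
                alerts.append({"user": user, "day": day, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, baseline_end="2023-06-28"):
        print(alert)
```

The two signals are deliberately separate: a burst of reads within a user’s usual data (the browser-extension case) trips the volume check without the novelty check, while a marketing user opening financial files trips both, and the reasons list is what an analyst would read before pulling the user’s 30-day activity as the finding #4 recommendation suggests.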


Monitoring admin changes
Josh Hammond made several admin changes to production outside of the change control window. Below is the detailed change log.

[Table: detailed change log of admin changes to production]


SALESFORCE RESEARCH
Our team hunts for and discloses vulnerabilities and toxic configurations in Salesforce.

Ghost Sites: Stealing Data From Deactivated Sales Communities
Einstein’s Wormhole: Capturing Outlook & Google Calendars via Salesforce Guest User Bug

About Varonis Threat Labs
Our team of security researchers and data scientists are among the most elite cybersecurity minds in the world. With decades of military, intelligence, and enterprise experience, the Varonis Threat Labs team proactively looks for vulnerabilities in the applications our customers use to find and close gaps before attackers can. All these learnings are programmed into our platform to help you stay ahead of cyberattacks.

Check out the latest research: www.varonis.com/blog/tag/threat-research


NEXT STEPS

REDUCE YOUR RISK WITHOUT TAKING ANY.

Our free risk assessment takes minutes to set up and delivers immediate value. In less than 24 hours, you’ll have a clear, risk-based view of the data that matters most and a clear path to automated remediation.

Full access to the Varonis SaaS platform
Get full access to our Data Security Platform for the length of your assessment and get actionable insights for your most critical data.

Dedicated IR analyst
Being connected to the Varonis SaaS Data Security Platform means that our experts have eyes on your alerts and we’ll call you if we see something alarming.

Key findings report
A detailed summary of your data security risks and an executive presentation to review the findings and recommendations. This report is yours to keep, even if you don’t become a customer.

Get your free assessment

Trusted by thousands of customers


FORRESTER LEADER

Varonis named a Leader in Data Security Platforms.

“Varonis is a top choice for organizations prioritizing deep data visibility, classification capabilities, and automated remediation for data access.”

Forrester Wave™: Data Security Platforms, Q1 2023