
Table of Contents

Architecture

  • Solution Architecture
  • Process Flow
  • Components

Solution Benefits

  • Potential use cases

Considerations

  • Scalability and Performance
  • Security
  • Availability
Deploy this Scenario
Contributors
Next steps
Related Resources

Reference Architecture – Varonis Integration with ANQ

Qumulo and Varonis have partnered to provide an end-to-end solution that protects Qumulo customers from ransomware attacks against SMB workloads in cloud and on-premises environments. This article describes a real-time solution for detecting and responding to malware and unauthorized data access on an Azure Native Qumulo Scalable File Service (ANQ) deployment, using Varonis SaaS to provide a robust security defense against bad actors.

Architecture

An Azure Native Qumulo cluster’s audit logs track user-driven actions such as file access and modification, data sharing and permissions management, and system configuration changes.

In this solution, Qumulo audit logs are streamed to an Azure-based Varonis instance, where they are analyzed using proprietary pattern recognition algorithms to detect anomalous activity. The combined solution operates across three key dimensions to protect against bad actors’ attempts to inject ransomware and malware: prevention through permissions hardening and ongoing analysis, detection of anomalous activity across the storage and data layers, and recovery of data in the event of a successful attack.

Solution Architecture

Process Flow

As shown above, the integration process involves the Qumulo cluster sending audit logs to the Qumulo Broker, which converts the logs into the required format and forwards them to the Varonis Collector. The Qumulo Broker also provides an API service for RabbitMQ message traffic; RabbitMQ is the service that forwards the events to the Varonis Collector.

The Varonis Collector connects to ANQ, scans folders, classifies file contents, and extracts access events. The extracted metadata — folder and file permissions, classification labels, and access events — is uploaded to the Varonis Data Security Platform cloud.

This architecture focuses on safeguarding against ransomware and malware through three main dimensions:

  • Prevention: The Varonis Data Security Platform plays a crucial role in ransomware prevention by continuously monitoring the audit logs sent from the Qumulo cluster to the Varonis SaaS application. Varonis analyzes these logs to understand user permissions and assess access levels. It recommends removing unused permissions and alerts administrators when suspicious or anomalous permission changes are detected. Users can then take corrective action within the Varonis SaaS application.
  • Detection: Varonis uses threat intelligence, including threat feeds and blacklists, to identify known ransomware and attack patterns. For new or novel attack methods, machine learning is applied to Qumulo audit logs to detect unusual behavior that might indicate malicious activity. This includes monitoring changes in file activity, access permissions, and access patterns, and triggering alerts when abnormalities are detected.
  • Recovery: In the event of an attack, it’s crucial to have a recovery plan in place. Qumulo allows administrators to create snapshot policies that retain multiple copies of data over time. Even if an attacker gains elevated permissions and attempts to encrypt data, Qumulo’s snapshot locking prevents them from deleting or encrypting existing snapshots. This isolates the attack, enabling administrators to revert to uncompromised data and resume normal operations.
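As an added illustration of the file-activity side of the Detection point above (not Varonis or Qumulo code), the following Python sketch runs a sliding-window burst detector over constructed audit events: a user who modifies or renames many files within a short window is flagged, while the same number of changes spread over minutes is not. The event layout, operation names, threshold and window are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample events in a simplified "timestamp user operation path"
# layout; this is NOT the real Qumulo audit-log format.
SAMPLE_EVENTS = """\
2024-05-01T10:00:00+00:00 alice fs_read_data /share/finance/q1.xlsx
2024-05-01T10:00:05+00:00 alice fs_write_data /share/finance/q1.xlsx
2024-05-01T10:01:00+00:00 carol fs_write_data /share/eng/a.txt
2024-05-01T10:03:00+00:00 carol fs_write_data /share/eng/b.txt
2024-05-01T10:05:00+00:00 carol fs_write_data /share/eng/c.txt
2024-05-01T10:07:00+00:00 carol fs_write_data /share/eng/d.txt
2024-05-01T10:10:00+00:00 bob fs_rename /share/hr/a.docx
2024-05-01T10:10:01+00:00 bob fs_rename /share/hr/b.docx
2024-05-01T10:10:02+00:00 bob fs_rename /share/hr/c.docx
2024-05-01T10:10:03+00:00 bob fs_rename /share/hr/d.docx
2024-05-01T10:10:04+00:00 bob fs_rename /share/hr/e.docx
"""
# Operations that change data; a burst of these from one account is the
# file-activity anomaly the Detection bullet describes. Reads are ignored.
MODIFY_OPS = {"fs_write_data", "fs_rename", "fs_delete"}

def parse_event(line):
    """Split one constructed event line into (timestamp, user, op, path)."""
    ts, user, op, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, op, path

def detect_bursts(lines, threshold=4, window=timedelta(seconds=60)):
    """Sliding-window burst detector: one alert per user each time its modifying
    ops inside `window` reach `threshold`; returns (user, iso_ts, count)."""
    recent = defaultdict(deque)  # user -> timestamps of recent modify ops
    alerted = set()              # users currently above threshold
    alerts = []
    for line in lines:
        ts, user, op, _path = parse_event(line)
        if op not in MODIFY_OPS:
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop ops that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            if user not in alerted:  # fire once per burst, not per event
                alerted.add(user)
                alerts.append((user, ts.isoformat(), len(q)))
        else:
            alerted.discard(user)
    return alerts

def run_sample():
    return detect_bursts(SAMPLE_EVENTS.strip().splitlines())
```

On the constructed input, only bob's five renames within five seconds produce an alert; carol's four writes spread over nine minutes never fill the window.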

Components

Solution Benefits

The integration of Qumulo and Varonis SaaS offers several benefits to organizations, including:

  • Comprehensive data security: Varonis SaaS provides advanced threat detection, data classification, and access control features that complement ANQ’s data protection capabilities. This integration ensures that data is protected at all times and that any potential threats are detected and mitigated quickly.
  • Improved data management: With Qumulo’s real-time analytics and Varonis’ data classification features, organizations gain better visibility and control over their data. They can identify sensitive data, track its usage, and manage it more efficiently.
  • Compliance readiness: Varonis’ compliance features enable organizations to comply with data protection regulations such as GDPR, CCPA, and HIPAA. The integration with Qumulo ensures that data is stored and managed in a compliant manner.

Potential Use Cases

  • Access Control Management: Varonis SaaS provides granular access control capabilities, allowing administrators to manage user access based on their roles and responsibilities. This complements Qumulo’s support for multiple protocols, ensuring that data is only accessible to authorized users.

Varonis employs advanced techniques like proximity matching, negative keywords, and algorithmic verification to identify sensitive data within Qumulo file shares. This goes beyond regular expressions, providing high-precision results.

  • Threat Detection and Risk Management: Varonis employs behavior-based threat models to identify abnormal data activity in real time, proactively preventing data breaches.

Varonis offers customizable dashboards that provide a real-time view of your data security status. Users can drill down into specific users or groups to see their data access permissions and activities, helping manage and mitigate risks effectively.

Considerations

The integration of ANQ with Varonis provides organizations with a comprehensive data protection and management solution. It offers advanced threat detection, data classification, and access control features that complement Qumulo’s data protection capabilities. This integration ensures that data is protected, managed efficiently, and kept compliant with data protection regulations.

Scalability and Performance

The Qumulo Broker middleware layer is crucial in integrating ANQ with Varonis. It is built on top of the standard Rsyslog service and Docker, and you can use your preferred Linux distribution for this integration. Audit logs are held in memory for fast conversion, and Rsyslog increases its number of worker threads automatically according to the volume of incoming logs.

Its default design allows it to process heavy workloads from one or more ANQ services. If a performance bottleneck does appear, the first approach should be to increase the CPU and memory resources of the Qumulo Broker machine.

The Varonis SaaS is inherently a scalable data security platform; it can scale according to performance and capacity needs.

Security

The Azure Native Qumulo Scalable File Service connects to your Azure environment using VNet Injection, which is fully routable, secure, and visible only to your resources. No IP space coordination between your environment and the ANQ cluster is required.

Qumulo’s snapshot locking prevents modification of existing snapshots. This capability enables storage administrators to isolate and contain an attack and revert to unaffected data for regular operations.

Qumulo is compliant with multiple standard security frameworks and protocols, including HIPAA, SOC 2 Type II, and FIPS 140-2 Level 1. For more information, see the Qumulo Core Administrator Guide.

Availability

The solution has different components that can be considered individually and provide availability scenarios according to business policies. For further discussion, please reach out to your Qumulo or Varonis representatives.

Deploy this scenario

  • For a guide to deploying ANQ, see
  • For a guide to deploying Qumulo Broker, see
  • For a guide to deploying Varonis, see

For more information regarding inbound and outbound networking, see

Contributors

This article is maintained by Qumulo. It was originally written by the following contributors.

Principal authors:
| Solutions Architect at Qumulo

Next steps

Related resources
