Varonis for Microsoft 365 Copilot by Varonis (Top Data Protection Innovation)

Clips
News
More from theCUBEd Awards

Brian Vecci

Field CTO

Varonis

How generative AI security helps mitigate risks in enterprise environments

Artificial intelligence is developing rapidly, and as businesses adopt generative AI security measures, they face new challenges in protecting sensitive data from unintended exposure and misuse.Organizations struggle to control sensitive data as AI-powered platforms such as Microsoft Corp.’s Copilot and Salesforce Inc.’s Agentforce offer unprecedented access to information. The challenge lies not only in managing permissions, but in understanding how data is used, who has access and what unintended risks may arise, Brian Vecci (pictured), field chief technology officer of Varonis Systems Inc., noted

play_circle_outline Varonis' data-centric approach to security

play_circle_outline Varonis' automation for identifying and protecting sensitive data

play_circle_outline Risks and controls for other applications like Salesforce and Agentforce

Info
Transcript

Varonis for Microsoft 365 Copilot by Varonis (Top Data Protection Innovation)

Brian Vecci

Field CTO Varonis

Join us for theCUBE's Tech Innovation CUBEd Awards as we feature Brian Vecci, the Field CTO at Varonis, discussing their groundbreaking work that earned them top honors in the data protection innovation category. Vecci, alongside analysts from theCUBE Research, delves into Varonis's pioneering data-centric approach to security and the evolving landscape of cyber threats. This insightful dialogue underscores their commitment to enhancing data security amid the complexities of modern tech ecosystems.

Key takeaways from the discussion with Vecci reveal ... Read more

explore Keep Exploring

What approach has Varonis taken to security since its founding? add

Where does Varonis automatically identify data at risk and monitor access controls around it? add

What did a risk assessment of a big organization using Salesforce reveal? add

bolt Powered by CUBE AI

Varonis for Microsoft 365 Copilot by Varonis (Top Data Protection Innovation)

>> Hello, and welcome to theCUBE's Tech Innovation CUBEd Awards, where we are celebrating the winners of our inaugural program. The competition was fierce and we received an exceptional number of high caliber entries that showcased the incredible innovation happening across the tech landscape. Today, we are joined by Brian Vecci, who is the field CTO from Varonis, to discuss their award-winning entry, the innovation behind it, and how they are driving the industry forward. Varonis took the top honors in the data protection innovation category. So congratulations and let's dive in. Welcome, Brian.

>> Thank you very much. I'm glad to be here.

>> So, innovation is central to these awards. Can you share a specific example of how you or your company approach a challenge in an innovation or innovative type of way, and the type of impact that it had?

>> Absolutely. Varonis from our founding, has taken a data centric approach to security. Traditionally, of course, enterprises have struggled mightily to protect data. Data is the target of every cyber attack. Nobody breaks into a bank to steal the pens. They're after money. Folks that get access to a device or a network or an application, or if you hit by an insider threat, they go after data. We have been innovating for 20 years now, helping organizations not just understand what data they have, where it is, but whether it's sensitive or not, what it contains, who and what has access to it and how it's being used. And then we help them apply automatic controls to ensure that only the right people have access to what they're supposed to. And then if anything ever does happen, they minimize the time to detection and time to response for any threat. We've been doing this for file systems with collaborative platforms like Microsoft 365, with SaaS applications like Salesforce, and increasingly in cloud architecture and in the big hyperscalers like Azure, AWS, and GCP. So we've always taken a data centric approach to security, and especially these days with generative AI tools like Microsoft Copilot, we continue to innovate to help ensure that our customers can get the benefits of these new tools and technologies without introducing any new risks.

>> Well, let's talk about that, GenAI. Obviously, everybody's talking about it, but I think there are some risks. So what are the type of the risks that you see with GenAI and what should organizations do about it?

>> That's a really, really big question. I'll start by just telling you a story. We were working with one of the big Wall Street banks in the middle of the year last year or earlier last year. And they were in the middle of a Microsoft Copilot for 365 pilot, as many organizations are right now. And in trying to figure out just how valuable this new tool could be, they deployed it to users on their trading floor. And I was in a bank IT department before I came to Varonis. And so I know as well as anybody that if you want to see who gets the most love from IT, you go down to the trading floor. These are the people who have nine different monitors and the latest devices, the latest phones and laptops and computers and whatnot. Because if you can make those people more productive, the bank will make more money. So they gave people on the trading floor access to Copilot for 365. And one of the first prompts that one of these users put into Copilot was a relatively benign question. What stocks do our employees invest in? Because somebody surely has written a report somewhere. This bank had been around for 120 years and so Copilot is maybe the greatest information retrieval tool ever. And what they expected was they would get a summary. A couple of paragraphs on, here are the kinds of stocks that employees of the bank typically invest in. Instead, what this user got was a huge table of thousands of rows of the employee names, and their social security numbers, and account numbers and positions within their 401(k) account. And it wasn't because Copilot gave this user access to an HR or a financial system that they didn't have access to. It's because somebody on their compensation team had created a spreadsheet, saved it in a team site, and had shared it inadvertently with everybody in the company. That was a risk before they started using Copilot, but as soon as they gave Copilot to one of their smart users, suddenly, that user was exposing all of this data in ways that they never expected. So they immediately turned it off. Companies want to get the benefits, the productivity gains of generative AI and new technologies, but they're struggling with managing that risk to making sure that people don't have access to data that they don't need. And the problem with collaborative stores like Microsoft 365, they make it so easy for us to work from anywhere, to collaborate with anybody, to use any device to access anything, to share with other people, is that enterprises really don't know what data they have and where it is. They don't know who and what has access to it and they now really struggle with, how is it being accessed and used and is that introducing any new risk?

>> Right. So what you just described, I think is the perfect nightmare scenario for any CISO or any compliance officer, as a matter of fact, especially in a highly regulated type of environment. So what are the type of questions that you get from CISOs in the context of GenAI? What other concerns and what is specifically your approach to help solve for this problem?

>> It's a really great question. The questions that we've gotten from CISOs are very similar to the questions that we've gotten from CISOs and security teams, and privacy and compliance teams for decades now. It's not the risks that they know about, it's the risks that they don't know about. What don't I know before I deploy Copilot? What are the things that are going to happen that I am not prepared for? And I mentioned Varonis takes a different approach to securing data, and this has been true before anybody had ever heard of Copilot. It's especially true now, and especially as we're building AI workloads and using these kinds of productivity tools. What Varonis does is automatically identify not just where this data is, which spreadsheets contain the 401(k) data of our employees. Where do we have patient records in files and in databases and in data lakes, like Snowflake and Databricks, and places like Amazon S3 buckets? Where is this data? Where is it at risk? Who and what has access to it? Is any of it exposed to people or applications that should or shouldn't have access to it? And really critically, how is it being used? What Varonis does is when we start looking at enterprise data, wherever it is, on premises or in the cloud, in a file or a database, we tell you exactly what it is. We look at the security posture and access controls around it, and we monitor the behavior, the access to the data, the references to that data, from prompts and responses of AI tools, accesses by humans and APIs and other applications. And then we've built automation to safely apply controls to make sure that data is not exposed, but to do it safely. One of the big fears when it comes to security automation is, what are we going to break when we push the button or flip the switch and make sure that people don't have access to what they don't need? What makes Varonis unique and why we've been able to innovate in this way is that we don't just know what the data is. We know what data is being used by who. So when we build automation and our customers apply that automation, they do it safely. So they can be sure that data is properly protected, that it's only available to those who need it, whether they're people or machines. And because we watch every data touch and we know what data is sensitive, and we know what devices people are using and where they're coming from, and which APIs are part of which applications. We minimize how long it takes to detect a threat and we minimize how long it takes to respond to it. And with our SaaS offering now, which is part of how our organizations are deploying Varonis, we see the issues before you do. So with managed data detection response, we'll call you. And we've already seen enterprises that have deployed Copilot and gotten a phone call from us saying, "Hey, did you know that people are looking for credentials, or API keys, or asking about employee data? Someone just put into Copilot, show me the CEO's salary, or all of the employees who got bonuses last quarter, or looking for logins and passwords and credentials." All of these are the examples of the kinds of misbehavior or risky activity that we're able to really quickly identify. So customers that use Varonis are just much better protected without having to put a lot of work into it.

>> Right. I think this is very key here, because what you're describing is really the conflation of markets here and of different organizations, the security organization and the compliance office. Because all of this is compliant or non-compliant depending on how you look at it. So the risks are certainly very, very high, and I really like how the solution really gives you all of that view. But it's not just Microsoft 365 or Copilot and sort of the Microsoft world. What about the other applications out there, like Salesforce, for example?

>> Salesforce is a great example. Every big data store and application, of course are building and offering their own generative AI tools. Salesforce now has Agentforce, which provides GenAI based functionality to Salesforce users. And much like Copilot, it has the potential to make Salesforce users dramatically more productive. But in the same way, there's potentially risks that companies aren't able to address on their own. We did a risk assessment with a big organization that uses Salesforce, and what we found within hours of installing Varonis and scanning their environment and looking at all of their access controls and configurations of all of the Salesforce records and data, was that every single employee that they hired had access to every single Salesforce record in the entire organization because of a series of misconfigurations over time. Now, you give those users access to Agentforce, a GenAI based tool that has the potential to make them more productive, and suddenly, their agents that they're configuring in the skills they have access to, suddenly could expose data that those people are not supposed to see. So we have the same level of visibility and the same type of control and monitoring for Agentforce, and Salesforce, or Gemini and Google. All of these GenAI applications are going to need this level of control, or organizations are going to have to put the brakes on deploying them because to your point, it has the potential to be a privacy and a compliance nightmare.

>> Well, Brian, thank you so much for all these details. I'm not surprised you won the award, the CUBEd Award. First time we've done this. Definitely a great solution for data protection that I encourage everybody to take a look at. So Brian, thank you very much for your time today.

>> Thank you so much.

>> And to our viewers, thank you very much. Stay tuned for more information on other winners of the first edition of theCUBE Awards from theCUBE. My name is Christophe Bertrand, principal analyst here at theCUBE Research. Thank you.