Inside Out Security Blog   /   Data Security   /   Cloud Security   /   Varonis Products

Varonis Adds Secrets Discovery for On-Prem and Cloud Data Stores

We’ve all seen it happen. A developer accidentally stores plain-text credentials in a source code file accessible to every employee. A few weeks later, an attacker enters the network, finds the leaked secret, and begins using the credentials to access the company’s AWS account — racking up infrastructure bills and exfiltrating critical data. In 2021 alone, for every 400 developers at an organization, approximately 1,050 passwords, API keys, and other secrets were leaked.

Secrets, like passwords and tokens, are the keys to your most important apps and infrastructure. They keep intellectual property, source code, and the infrastructure of your business safe. But in the wrong hands, this information could cause a lot of damage.

Varonis is excited to announce that we’re expanding our data classification capabilities to include the discovery of secrets. This new feature helps strengthen the defense of your organizational resources and any sensitive information stored on those resources, such as source code, intellectual property, PII data, etc.

We’re able to continually scan your data stores for files and code containing improperly-stored secrets. This feature is available now.

Varonis can help you protect exposed secrets by:

• Classifying secrets with a high level of accuracy
  • We go beyond RegExes with proximity-matching, negative keywords, and algorithmic verification to generate high-fidelity results. Our accurate scanning classifies and surfaces a massive range of secret types and correlates the secret with access to give you a complete picture of your exposure.
• Detecting a wide range of popular secrets
  • With rules identifying secrets for hundreds of common applications/databases/services you may work with and contextual identifiers to improve accuracy, we provide a comprehensive and broad defense of the secrets that protect your critical application components and infrastructure.
• Monitoring source code files and other types of documents for secrets
  • Secrets can end up anywhere! Varonis scans for secrets in our supported on-prem and cloud data stores. We find secrets stored in plain-text documents and in source code files, scripts, and configuration files.
• Reducing the risk of data exposure or attacks on your data
  • By constantly scanning for secrets that are overexposed inside your organization — or worse, publicly exposed — Varonis can reduce your risk of data exposure and help defend your apps and infrastructure.

Introducing secrets discovery 

With our new classification rulesets, Varonis can help you scan your environments for rogue secrets. These rules scan exposed secrets in files and code stored on-prem and in the cloud. With the ever-increasing complexity of modern environments, we know how overwhelming secrets discovery can become when you’re using cloud infrastructure. Read on to learn why the discovery of exposed secrets should be a pillar of your cloud security posture.

What kind of secrets can we find?

Varonis data classification modules can discover hundreds of unique secret patterns you’re likely using in your own code base. We use patterns and proximity-matching to scan your environment for hundreds of popular secret types, for apps and services you’re likely already developing with and using in your environment such as Google OAuth2, Twitter, Atlassian, LinkedIn, elliptic curve cryptographic keys, or cloud database credentials.

Some of the categories of secrets we detect include:

• Passwords
• Database credentials
• Connection strings
• Private keys
• Encryption certificates
• API keys
• Authentication tokens
• Encryption keys

DatAdvantage Cloud users can select which types of exposed secrets to discover in their cloud data stores.

What are secrets?

The explosion of modern applications and cloud computing means organizations are managing infrastructure that becomes more complex every day. Developing modern apps and migrating to the cloud means more moving parts — more cloud infrastructure (perhaps even from multiple cloud providers), more databases, more APIs, independent microservices, etc. — which all need to securely communicate with each other. Each of these components uses a secret to authenticate itself to other components.

While it is best practice to store secrets securely in a secrets manager, for instance, factors including human error sometimes cause secrets to end up being stored in places they should not. Perhaps a developer hardcoded an API key to test a program on their local machine and then accidentally committed those changes to your code repository. No matter how the exposure happened, if secrets you own are stolen or leaked, attackers can access or steal your sensitive data, encrypt your data and demand a ransom, make changes to your production code, use your cloud resources for their own purposes, or even use up your API call quota. The options for attackers would, unfortunately, be fairly endless.

Where can we find secrets?

Varonis crawls your source code files and other places you store data to classify and identify secrets automatically. We discover secrets that are overexposed in plain-text files, such as Word documents, Excel spreadsheets, and Google Docs, and locate many other places where a secret might be improperly stored in plain-text. And by scanning your code files — such as those stored in AWS S3 buckets—, Varonis can catch security issues such as hardcoded private keys or credentials, or secrets stored improperly, like in a log file.

Whether your concern is about secrets overexposed on-prem or in the cloud, Varonis can help. Check out the data stores you can monitor and protect with the Varonis Data Security Platform and DatAdvantage Cloud.

In this example, DatAdvantage Cloud surfaced plaintext Google keys stored in an AWS S3 bucket. 

How do we do it?

While it’s possible to search your code bases and other data stores for exposed secrets with a simple RegEx search, in our experience, we have learned that this approach yields too many false positives — roughly a 60% to 70% rate. And wading through every single result to check for a potentially exposed secret is not a great use of a security practitioner’s time. RegEx searches may also miss some exposed or improperly-stored secrets. And that’s obviously not ideal, either.

Varonis uses a wide set of variables to classify and surface exposed secrets, including pre-existing patterns, proximity-matching, negative keywords, and algorithmic verification. This allows us to identify secrets with a much higher level of accuracy than can be done manually with just a RegEx.

Secrets can become exposed at any time — that’s why we take the approach of automatically scanning your data when changes are made. For example, suppose a developer creates an Excel spreadsheet listing plaintext private keys that are currently being used in your code. Worse, the Excel spreadsheet is stored on SharePoint and open to the entire organization. In that case, Varonis will automatically discover the exposed secret and notify you of the security risk. Because we scan for sensitive data automatically any time a file is modified, you can discover and lock down exposed secrets in a much shorter timeframe.

We also correlate discovered secrets with access activity and directory services to help you determine exposure. For example, developer teams need access to properly-stored secrets to develop and debug your software. Secrets that are stored properly and are only accessible to the developers who need access to them are not a significant risk to your organization. However, what if a secret is committed to your production code or kept in a Google Doc that everyone at your organization can access? We correlate the secret’s location with information on who has access to that location to provide meaningful insights about a secret’s exposure.

In collaboration with other Varonis solutions, you can remediate overexposed secrets by manually or automatically moving them to a secure location when a secret is overexposed.

Protect secrets with Varonis.

Developing modern applications and deploying your apps to the cloud results in exponentially more complex systems. With secrets discovery, you can strengthen your overall cloud security posture by protecting the secrets needed for every interacting component to securely authenticate to each other. Varonis secrets classification and discovery is here to help you protect against secret theft or exposure and reduce the risk of a compromised app or infrastructure.