🦄 Making great presentations more accessible.
This project enhances multilingual accessibility and discoverability while preserving the original content. Detailed transcriptions and keyframes capture the nuances and technical insights that convey the full value of each session.
Overview
📖 AWS re:Invent 2025 - Beyond Posture Management: Stopping Data Breaches in AWS (SEC209)
In this video, Brian Vecci, Field CTO at Varonis, explains that 88% of data breaches involve stolen credentials, with attackers logging in rather than breaking in to access data. He argues that DSPM and CSPM alone are insufficient, as they cannot detect lateral movement, abnormal behavior, or insider threats. Varonis offers a comprehensive data security platform that provides identity protection, monitors data access across cloud and on-premises environments, uses behavior analytics to detect threats with minimal noise, and automates remediation safely without breaking systems. The platform integrates with AWS Security Hub, CloudTrail, IAM Identity Center, and GuardDuty, offering a single pane of glass for data security across AWS, SaaS applications, and databases. Varonis conducts risk assessments that reveal unknown vulnerabilities within weeks.
Note: This article is entirely auto-generated while preserving the original presentation content as much as possible. Please note that there may be typos or inaccuracies.
Main Part
The Reality of Modern Cyber Attacks: Why Attackers Target Data Through Stolen Identities
Well, look at this. Hey, everybody. So you pay for the whole seat, you're only going to need the edge. My name is Brian Vecci. I'm the Field CTO at Varonis, and I've got 20 minutes before you all go get drunk to talk about Beyond Posture Management. I'm going to talk about data security. For those of you that don't know, Varonis is a data security platform, and I've been doing this for close to 16 years now. I was in IT and IT security before that. And one of the things that I learned in 16 years in cybersecurity is that attackers don't break in, they log in. I think we all know this. Nobody breaks in to a bank to steal the pens.
If somebody gets access to your infrastructure, compromises an identity, compromises an API, owns a device, they're going after data, but they're doing it through identities. 88% of data breaches involve some sort of stolen credentials. The best, easiest, fastest way to get into your infrastructure is to steal an identity. What happens when that happens? Somebody logs in with those credentials, then they exploit the blast radius. They move laterally in the cloud, which means going to different infrastructure or different applications. They elevate their privileges, ideally getting access to an admin account. They establish persistence, creating new identities and new accounts, but the goal is always to get access to data so that they can steal and encrypt it.
The kinds of things in the wild are code injectors, ransomware, and AWS exploits. This doesn't exploit any AWS vulnerability. It exploits an identity to get access to data in your AWS environment, and then it's ransomware to get access to it, steal it, encrypt it, and hold it for ransom. How might attackers do that? Well, we're seeing things like info stealer malware in the wild, people putting malware into game cracks that they host in GitHub that users then download and of course their identities are stolen. If I can get access to your credentials, to your identity, I can use that to establish persistence, move laterally, and get access to and steal data.
It's really all about data. I said it before, but if I get access to an identity, if I get access to an API, if I own one of your devices, I'm not just going to look at configuration files. I'm not just going to explore. Data is the target. Data is what has value. Nobody breaks into a bank to steal the pen. They are after money. You're a threat actor. The attackers that you're trying to defend against are after data. And there's lots of vectors that a threat actor is going to use to get access to those identities that then they will use to access data, whether it's a phishing attack or a supply chain compromise. We have advanced persistent threats that we see in almost every big environment in the world. The goal, of course, is to get access to data.
Now, DSPM, data security posture management, and CSPM, configuration posture management, is not enough. It is one set of controls, one set of defenses, but it's not enough to protect you. It can't detect changes in authorization. It can't detect lateral movement going from one piece of infrastructure like your AWS environment to another hyperscaler or from a SaaS platform like Salesforce in your AWS environment. It's not going to detect abnormal behavior because these tools don't look at how identities actually access data and it's not going to detect any current active threats or insider threats. If somebody already has valid credentials and they start accessing something that they've never looked at before, how would you know? They're not exploiting the controls that DSPM and CSPM are designed to help you fix. Posture management is one piece of the security puzzle.
Beyond Posture Management: Building a Comprehensive Data Security Framework
If you think about how an attacker behaves, you need identity protection. You need to look at all of the accounts, internal and external, in all of the applications and in all of the infrastructure. Whether it's a global identity or an application identity, whether it's a user identity or a machine identity. You also need to monitor and manage your data and configuration security posture. You need data-centric user and entity behavior analytics. That means you need to watch how all these identities behave, and you need to look at the data that they're accessing, and you need a full set of forensics so that you can come quickly to a complete picture about what happened.
If you're a CISO or if you're in a security team, you generally want to do four things. You want to stop breaches, you won't be paying any fines. You want to stop having to hire people or pay others to do all of this work, and you want to be able to prove that you did it. Where did we start? Where did we finish? How are we implementing these controls, and what does right look like? How can we prove that we're actually protecting our environment? Let's start with identity protection. You need to protect against the most used methods of attack. 88% of data breaches involve a stolen or compromised identity. That means you need to watch identities. You need to know what right looks like. Which are our human, which are our machine identities.
And you need to remove excess privileges. Many of us have tried to solve these problems by using identity and access management, but that is only one piece of the puzzle. Imagine when somebody or something authenticates—what do they actually have access to? At Varonis, we do data risk assessments for our customers in their AWS environments, and what we find is that up to 40% of the data that they're trying to protect is open to literally every single account that can authenticate to the environment. Think about that. Imagine if 40% of the money in your bank account were accessible to anybody that can walk in. How long would you keep that money?
So you need strong identity protection, but you need to manage the blast radius of those identities. Ensure least privilege, remove exposure, but you can do that safely. In security, one of the things that gets us in trouble most is when we're like a bull in a china shop. If you start making changes without understanding what those identities have access to and how they've been accessing that information, you run the risk of breaking things as you fix them.
Using that telemetry, watching how data is accessed by who and by what with the context of what data is sensitive and important—where do we have credentials, where do we have sensitive information like PII or intellectual property or source code. Once you have all of that context, you can enrich logging and behavior, and then you get useful user and entity behavior analytics. You can minimize the time it takes to detect and respond to a threat.
The easiest analogy here is your credit card. We use credit cards primarily because they are safe. Your credit card company knows who you are and where you live and where you travel. My credit card company knows that I'm in Las Vegas today because I booked a flight using my credit card. My credit card company knows the kinds of things I buy, the amounts that I buy, and when I tend to shop. So when somebody uses my number to buy gas in Montreal, a place that I'm not currently, and that's a pattern a threat actor uses with just a credit card number, they know instantly that's fraud.
If you watch your data and you watch your identity with the context of what the data is and who the identities are—which accounts are human, which accounts are machine, what they have access to, who they work with, how they normally behave, when and where and on what data types—it turns out you can minimize how long it takes to detect and respond to threats by alerting on things without a lot of noise.
And then you need a forensic layer. You need to be able to quickly and completely answer the question: what happened? I've been involved with a lot of incident response over the last 15 years, and one of the things that I've learned is that when there is an incident, an insider threat, an APT, an advanced attack, or a global data breach like what happened with SolarWinds, the first question that gets asked isn't how do we fix this or how do we recover. The first question that gets asked is: what data was touched? Was anything stolen? Do we have to tell our employees? Do we have to tell our customers? If we're a public company, do we need to tell the SEC? Was there anything material that was stolen? And how do we minimize the damage?
That's the first, second, and third question that gets asked. Ask yourselves as security professionals: how long would it take to answer the question, what data was touched, and then how did the threat actor get there? What identity was compromised? What permissions were changed? Were there privileges that were escalated? Was there lateral movement? Do I have a single pane of glass that will tell me exactly how this all happened?
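The data-centric behaviour analytics described above (baseline per identity, enriched with which stores hold sensitive data, alerting only when the deviation touches data that matters) and the forensic question "what data was touched?" from the last two paragraphs, as an added example. This is illustration code, not Varonis product code or anything from the talk; the CloudTrail-style events, store names, regions and sensitivity labels are all constructed.

```python
"""Baseline-plus-context anomaly detection over constructed CloudTrail-style events."""
from collections import defaultdict

# Constructed data inventory: the "context" layer that says which stores are sensitive.
SENSITIVITY = {
    "s3:payroll-exports": "PII",
    "rds:customers-prod": "PII",
    "s3:build-artifacts": None,
    "s3:marketing-assets": None,
}
# Constructed identity inventory: which accounts are human and which are machine.
IDENTITY_TYPE = {"alice": "human", "bob": "human", "ci-runner": "machine"}

# Constructed learning-window events: (identity, action, resource, source_region).
HISTORY = [
    ("alice", "GetObject", "s3:build-artifacts", "us-east-1"),
    ("alice", "GetObject", "s3:marketing-assets", "us-east-1"),
    ("ci-runner", "PutObject", "s3:build-artifacts", "us-east-1"),
    ("bob", "GetObject", "s3:payroll-exports", "us-east-1"),
]
# Constructed events to evaluate against the baseline.
NEW_EVENTS = [
    ("alice", "GetObject", "s3:marketing-assets", "us-east-1"),     # routine, ignored
    ("alice", "GetObject", "s3:payroll-exports", "eu-west-3"),      # new PII store, new region
    ("ci-runner", "ListObjects", "s3:payroll-exports", "us-east-1"),  # machine touching PII
    ("bob", "GetObject", "s3:payroll-exports", "us-east-1"),        # normal for bob
    ("bob", "GetObject", "s3:payroll-exports", "ap-southeast-1"),   # known store, new region
]


def build_baseline(events):
    """Per identity, record the resources and regions seen in the learning window."""
    base = defaultdict(lambda: {"resources": set(), "regions": set()})
    for ident, _action, resource, region in events:
        base[ident]["resources"].add(resource)
        base[ident]["regions"].add(region)
    return base


def detect(baseline, events):
    """Alert only on deviations that involve sensitive data; other novelty is noise."""
    alerts = []
    for ident, action, resource, region in events:
        known = baseline.get(ident, {"resources": set(), "regions": set()})
        reasons = []
        if resource not in known["resources"]:
            reasons.append(f"first access to {resource}")
        if region not in known["regions"]:
            reasons.append(f"new source region {region}")
        if reasons and SENSITIVITY.get(resource):
            alerts.append({"identity": ident, "type": IDENTITY_TYPE.get(ident, "unknown"),
                           "action": action, "resource": resource,
                           "data": SENSITIVITY[resource], "reasons": reasons})
    return alerts


def touched_sensitive(identity, events):
    """Forensic answer to 'what sensitive data did this identity touch?'."""
    return sorted({r for i, _a, r, _g in events if i == identity and SENSITIVITY.get(r)})
```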
Varonis Data Security Platform: Automated Protection Across Cloud and Hybrid Environments
At Varonis, we've built a data security platform over the last 20 years to do exactly that. Now, some of you might be thinking, 20 years—AWS didn't exist 20 years ago. It's true that 20 years ago, nobody could do this on a single file system in a single data center, let alone these days, with all of the places that your data lives. It lives in files, it lives in databases. It lives in all of the hyperscalers. It lives in S3 buckets. It lives in databases that live in RDS or EC2. It lives in your AWS environment, but it also lives in the other hyperscalers, and for many of you, it still lives in your data centers on premises.
What Varonis is, is a data security platform designed to give you observability so you can find these problems. Classify data accurately across cloud and in hybrid environments. Classify data accurately in structured, unstructured, SaaS application data, databases, files, and collaborative platforms. We'll give you observability to where that data is. And observability isn't just data classification. It's not just what's sensitive, it's who and what has access to it. And to do that, you need to look at all of the access controls, the deep links, the permissions on all of these containers. You need to look at all of the identities and all of their entitlements, and you need to combine all of them together so that you can answer the question: what on earth does Brian have access to? What does this account have access to? Who has access to this sensitive data?
In this S3 bucket or this Salesforce record, or this file sitting inside a virtualized file server? Varonis unravels all of that for you, so you can find problems. You can identify exposures, you can map access, and you can measure risk. But finding problems isn't enough. Finding fatigue is a real thing. If I just give you a list of the hundreds of thousands or millions of problems that you have to solve, that's not a solution. Who among us has the people to go respond to hundreds of thousands of help desk tickets or service tickets to fix all of these problems?
So Varonis takes all of this telemetry, including all of the behavior information. How is this data being accessed by who and what? How are these identities authenticating and from where? How is data flowing between all of our infrastructure? We use all that telemetry to build automation, and it's automation that can be deployed safely. If I'm going to remove a permission or fix an exposure, I better know exactly what might break when I do that, so that when I make changes, I can do it safely, and that's exactly what Varonis does.
We're watching how all of this data is being used by who and what. So when you apply policies, you do it safely. You can be surgical, but it's automatic. So you can reduce risk without breaking anything and without requiring a lot of effort. And because we have the telemetry and the context of what data is used by who and what, from which devices and which services in all of the places that Varonis provides visibility, we give you useful user identity behavior analytics without a lot of noise. We generate very small alerts that have a lot of context about why there's a threat that you need to respond to.
You can lock down your AWS IAM. So you can ensure that identities are properly configured, that your infrastructure is properly configured, and these identities only have access to what they're supposed to. You can enforce least privilege, do it automatically, without breaking anything. You can detect abnormal behavior by watching how all of the data in your environment is used with the context of what is sensitive, not just sensitive data, but sensitive identities, which identities are human, which identities are machines, which identities are administrators, whether you know it or not.
What are they accessing, how are they accessing it, what's normal, so that you know what's abnormal without a lot of noise? You can minimize the time to detect and time to respond to threats, and you can fix the problems that you will identify. The number of times I've heard from hospitals and banks and manufacturing companies and software companies is, we know we have risks, we just don't have the people to solve them. We know that there are problems out there. Varonis will show them to you and then give you the ability to automate policies to fix the problems that we find, but to do it safely.
I used to ask security teams and CISOs, what keeps you up at night? I stopped asking that question because what you want to hear is something really interesting. What keeps me up at night is nation state actors. What keeps me up at night is ransomware. What keeps me up at night are insider threats. But I stopped asking the question because smart people always answered the same way. It's not the problems that I know about, it's the problems that I don't know about.
Because Varonis looks at everything. We don't use data sampling or predictive scanning. We will scan everything and show you where you have gaps, and then we'll give you the automation to find and fix those problems automatically. So you can go from I don't know what I don't know to I do know my problems and I have fixed them, and I can prove it, and I didn't break anything. And you can do it extremely quickly.
We integrate with the AWS Security Hub. We take signals and telemetry and analysis and threats and alerts. We import them and give you additional context, so we enrich the views that you get from the Security Hub. We enrich the telemetry streams that you get from the AWS CloudTrail. We add additional information and context to the CloudTrail, so it's more useful and it's a better set of signals to detect and respond to threats and to apply automation. We enrich the IAM Identity Center by giving context about data access and where and how entitlements are applied and what kinds of sensitive data are available to which identities, and we enrich the AWS GuardDuty with data-centric threat protection.
Everything that I've just shown you integrates with your AWS security stack. We make the AWS security controls and tools that you have more valuable, and we make it easier to prove that you're implementing controls and we do it safely. We secure data across your AWS ecosystem, whether they're SaaS applications and platforms like Salesforce and GitHub that are integrated with your AWS environment, data stores that are living inside AWS like Snowflake and Databricks, and the databases that are sitting in RDS or virtualized in EC2, let alone all of the data that's sitting inside S3 environments. We'll secure this data across cloud.
We give you a single pane of glass and a single set of policies and automations that you can apply quickly, easily, and safely. If you would like to learn more, and I know you would because if you sat here this long, well, there's free beer over there, which means you want to learn more. If you'd like to see how this works or if you'd like to see a demo, either tonight or maybe tomorrow, either give us a call or come over to our booth. We're booth number 4:30, right along the back wall.
Varonis is a data security platform that will help you find problems automatically, fix them automatically, and detect and respond to threats. The way we start is we do a risk assessment. This takes 15 to 20 minutes to plug into your AWS environment. We'll look at the other hyperscalers, we'll look at on-premises data, we'll look at files, we'll look at databases, we'll plug into your Salesforce environment, we'll plug into your GitHub environment, and very quickly, on day one, you will see results.
Within a week, you'll see real risks, and within a couple of weeks, we will show you a real plan to reduce them. But even if you do nothing else, I can guarantee you we're going to show you things that you didn't know about your data. The whole reason, the whole goal of cybersecurity is to protect data. We make it easy, we'll do it across cloud, we'll do it accurately, and we'll do it automatically.
If you don't believe me, well, come and try it. I'll take the Pepsi challenge against any other tools or processes that you have in place. I've been doing this a long time. I've seen people struggle, and I've seen people do a lot with just a little bit. I'm going to end a little bit early because it looks like you guys all want to go enjoy the rest of the show and enjoy your time in Vegas.
My name is Brian. I've got a flight to catch in about 40 minutes, so I'm going to run upstairs and catch an Uber. I really appreciate your time, and I hope you come over and learn some more. Thank you all so much.
Note: This article is entirely auto-generated using Amazon Bedrock.