New-Scale SIEM Expands Exabeam Threat Coverage with Content Library and TDIR Use Cases

Organizations’ decision to purchase a security information and event management (SIEM) solution is driven by the need to solve a variety of challenges facing the business. One of those main drivers is to establish effective threat detection, investigation, and response (TDIR) capabilities. In order to leverage a SIEM for TDIR, organizations require the ability to detect a wide array of threats with high fidelity and at scale, as well as respond to those threats. Security content is the key enabler within any SIEM or security operations platform to drive the entire TDIR experience from end to end. With the launch of New-Scale SIEM, Exabeam introduces many new functionalities related to content, as well as brand-new TDIR content.

In this article:

• Cloud-delivered content
• Prepackaged dashboards (anomalies, case management, use cases)
• Pre-built Correlation Rules 
• TDIR for Public Cloud
• MFA Bombing

Cloud-delivered content  

With New-Scale SIEM^TM, Exabeam customers can now receive new and updated content over the cloud and directly into the Exabeam Security Operations Platform. This offers a frictionless experience for the customer to ensure they have the latest TDIR and use case-based content from Exabeam across key features such as Dashboards, Search, Threat Intelligence Service, and Pre-built Correlation Rules. Since Exabeam takes a use case-centric approach to content, customers can expect that for major content packages they will receive new content for many features, not just detections. This will ensure that organizations will not only be able to detect the latest emerging threats, but they will have the ability to hunt for these threats in history and summarize detections, behaviors, and traffic through both Search and Dashboards. As the leader of the Exabeam Security Research Team (ESRT), this is the feature set that I am most excited about in the new platform.  

Prepackaged dashboards (anomalies, case management, use cases) 

Exabeam now ships with a handful of powerful pre-packaged dashboards for TDIR that summarize detection and response capabilities for the entire organization. The anomalies dashboard serves to provide a unique view of all the anomalies triggered within Exabeam Advanced Analytics (AA) to see trends across use cases, individual anomalies, and a full summary of all detections. This dashboard can help analysts spot when a specific anomaly detection rule is being triggered in higher volumes for all users or devices within an organization, and take quick action.

The full summary of all rule triggers sorted by the count of triggers is one of my favorite views, as this is an incredible place to start threat hunting. Most threat hunting involves trying to identify something anomalous. By letting AA do the heavy lifting, a threat hunter can use this visualization to quickly find the anomalies that have only triggered once or twice across the entire organization. Those are definitely insights I would want to take a closer look at. Threat hunters can either take the rule trigger names and get the timeline results from AA Threat Hunter, or leverage our new Anomaly Search feature to search for the rule name while applying Boolean logic and other fields of interest.

Exabeam also has pre-built dashboards to summarize how the security operations center (SOC) is operating by visualizing the metrics coming from our Alert and Case Management application. Management or shift leaders can quickly see how many cases are in various stages of response, how many cases are assigned to each analyst, and the average mean time to resolution across your entire SOC.  

Pre-built Correlation Rules 

With the introduction of the new Pre-built Correlation Rules application, Exabeam is now delivering prepackaged correlation rule templates to our SIEM, Fusion, Security Investigation, and Security Analytics customers. Pre-built Correlation Rules cover the majority of base correlation rules you would need in a SIEM, and cover traditional threats like brute force detection, audit log clearing for both on-premises systems as well as cloud. Customers can pick and choose which alerts they would like to enable, and have the ability to select the outcome for each rule to fit their workflows. Exabeam will continue to deliver new correlation rules on a regular basis to our customers directly into the Pre-built Correlation Rules application, as well as offering much faster delivery of rules during major incidents and emerging threats.  

TDIR for Public Cloud  

The ESRT has been focused on developing TDIR for Public Cloud for the last six months. We have worked very closely with our own internal SOC and design customers to deliver comprehensive visibility into user behavior within public cloud infrastructure. Given that most organizations are multicloud, we wanted to ensure that we deliver consistent content for the three major cloud providers so that customers can have the same level of detection capabilities in each cloud they use. The ESRT spent a lot of time breaking down and understanding the nuances of how each cloud provider manages users, identities, roles, permissions, instances, storage, and data to abstract the unique complexities of each.

The result? We are delivering 165 new models and 176 new rules to detect the latest cloud threats. This content is mapped to Exabeam use cases and covers the following: 

• Abnormal authentication and access
• Privilege escalation
• Cloud data protection
• Account manipulation
• Malware
• Cryptomining

As organizations continue migrating more of their workloads to the cloud and adopting  more SaaS applications, Exabeam will keep developing new content to provide unique insights into normal behavior, and identify abnormal behavior, across all our customers’ key operating environments.  

MFA Bombing  

With many high-profile breaches recently circumventing multifactor authentication (MFA) by simply spamming end users with two-factor authentication (2FA) push requests until they grow tired and accept, Exabeam is releasing new content to protect customers. The new MFA Bombing content uses the power of Exabeam behavioral analytics to model MFA requests and identify anomalous push requests to spot these attacks in real time without static thresholds. We have already observed this content identifying real-world attacks within our customer base. This  new content package provides the following anomaly detection rules: 

• An abnormal amount of failure MFA events for this user has been observed. 
• A brand new country was seen in MFA events for this user that resulted in successful authentication. (This may indicate stolen credentials.) 
• A brand-new failure reason can indicate abnormal activity occurring with an account. 
• A new operating system never before seen for this user in MFA requests was seen authenticating. 
• A never-before-seen device for this user was observed authenticating with MFA. 
• First time this user responds with this authentication method in MFA challenges. 
• The country which the request originated from is different from the country where the user authenticated. 

I am thrilled about this new platform and all the new capabilities and possibilities it unlocks for the Exabeam Security Research Team. We will continue to research the latest threat actors and attacks to deliver top-notch content to help stay ahead of the most widely used tactics, techniques, and procedures (TTPs) in the wild and deliver content across the entire TDIR workflow.