Overview of Exabeam SIEM and Security Analytics Product Innovations

In our recent webinar, Overview of Exabeam SIEM and Security Analytics Product Innovations, Jeannie Warner, Director of Product Marketing, discussed how Exabeam helps organizations by being purpose-built for security. The presentation was followed by a demo of our products by Andy Skrei, Senior Director of Product Management.

In the webinar, Jeannie discusses:

• Cybersecurity reality
• Today’s breaches are rooted in compromised credentials
• Legacy SIEM has created a SIEM effectiveness gap
• Introducing New-Scale SIEM™
• Cloud-scale security log management
• Powerful behavioral analytics 
• Automated investigation experience
• Used by the largest brands in the world
• Why you need New-Scale SIEM

Cybersecurity reality

Andy and Jeannie both have security operations backgrounds, and when talking to customers, there are four things they consistently hear customers say that they are struggling with. 

1. The need to collect not just more data, but the right data. Every new security sensor, detection product, or security tool you bring in is creating and driving the collection of more data, generating gigabytes or terabytes of logs, creating two issues:
   • It’s driving up data storage costs, making SIEM exceedingly expensive.
   • It’s difficult for organizations to get the right data they need for a holistic picture of their environment.
2. The defender has to know what they’re looking for. They might get a clue — maybe an alert from their EDR product — but then they have to run a series of manual investigations to find scope, and keep generating manual reports. The Achilles heel of correlation rules is the need to create them in advance, and building correlation rules is critical. But, if you rely on only correlation, zero-day attacks become more dangerous, because you don’t yet know how they’ll operate. Defenders may not get an alert at all because an adversary’s behavior looks completely normal, even if it’s not — and “normal” changes constantly.  
3. Threats are buried in a sea of noise — like trying to find a needle in a haystack. Every product generates a ton of alerts, and not all of them need to be actioned.
4. When we rely on humans to do investigations, they might miss big chunks because they’re manually querying data, trying to piece together all the parts of the investigation, and don’t see the full picture.

Today’s breaches are rooted in compromised credentials

Phishing, ransomware, and malware all tie to compromised credentials, Jeannie points out. “Everything looks legitimate when somebody’s using valid credentials. If a hacker obtained the credentials of one of your employees, what sensors in your environment would tell you the normal behavior of those credentials, and without that, how can you identify abnormal behavior?”

Legacy SIEM has created a SIEM effectiveness gap

The SIEM effectiveness gap is a result of the fact that legacy SIEMs weren’t built for today’s security challenges and weren’t designed to identify compromised credentials. Discussing the history of legacy SIEM, Jeannie states, “In generation one — in the days of ArcSight or QRadar — it was about alerts, logs, and correlation. The problem was that storage was based on relational databases and correlation wasn’t efficient; it was expensive, slow, and required a lot of horsepower. In generation two, Splunk proved that relational databases weren’t great for storage. They used flat files and added indexing of alerts, logs, data points, and other information on their platform.”

When Exabeam joined the game with behavioral analytics, Jeannie says, it made a huge impact. “For us at Exabeam, behavioral analytics has always been foundational to our product. We started off augmenting environments where we didn’t own the data lake, so our analysis engine is open and can run on top of any SIEM. Exabeam was always designed to ingest third-party alerts from different systems and automation was added organically.” 

Introducing New-Scale SIEM™

When we say New-Scale, Jeannie explains, it’s about managing more data sources at a higher volume in a cloud-native architecture. It’s also about scaling your response to focus on risk-based priorities, scaling investigations with automation, scaling detection with behavioral analytics intelligence across billions of access points, and scaling operations. Here are some of the key advantages:

• We manage credential-based attacks exceptionally well because we know normal behavior. 
• We get rid of alert noise with our behavioral analytics and alert triage capabilities. 
• We speed investigation and response with automation.
• Customers benefit from very efficient data storage costs with the infrastructure from the cloud. 

The three key pillars of New-Scale SIEM are: 

• Cloud-scale security log management — We can ingest, parse, store, and search data regardless of where it’s coming from — on-premises or in the cloud — at scale. We’re not limited by the volume of data, physical memory and space, and sources customers need to bring in.

• Powerful behavioral analytics — We’re not just dealing with data visualization and correlation, but adding behavioral analytics. This is the core of the history of Exabeam in user and entity behavior analytics (UEBA) — we practically invented the space, mapping user to IP to device and baselining normal behavior across all those users and devices. Seeing normal lets you identify anomalies — basically every first time an event happens. 

• Automated investigation experience — An automated investigation experience gives analysts the full picture of an incident, helping them respond quickly and thoroughly. SOC analysts aren’t just looking for a critical web or endpoint alert; they can see where the chain of events started and clearly identify the full scope, then automate the response for a complete outcome.

Here are more details from Jeannie on the three pillars.

Cloud-scale security log management

“We’re bringing the ability to ingest, parse, store, and search at sustained speeds of over 1M events per second (EPS) per tenant on a cloud-native platform that scales to hundreds of petabytes,” says Jeannie. “We’re bringing fast, modernized search and visualization, allowing analysts to see and act faster. We ingest raw data from 549 on-premises and cloud tools with nearly 8,000 pre-built parsers that automatically build security events for faster performance in search, correlations, and dashboards.”

Powerful behavioral analytics 

“We bring all this advanced analytics, automated detection, and risk-based prioritization to the table, either with our SIEM or on top of somebody else’s so you don’t need to start with our full platform,” Jeannie explains. “The most critical component of behavioral analytics is baselining normal. Giving the analyst information on normal behavior paints a very clear picture of what to focus on.” 

“When we say, ‘Detect the Undetectable™,’ Jeannie continues, “we help analysts find what they don’t know to look for. We stay ahead of the threats — whether from external adversaries, malicious insiders, or compromised insiders — because our models look at the tactics and techniques that attackers use.”

Automated investigation experience

“Automation is a word we use frequently in security — too often isolated as part of incident response. To close the SIEM effectiveness gap,” asserts Jeannie, “you want to automate the entire threat detection and investigation process, along with response. We bring automation to each step of the threat detection, investigation, and response (TDIR) workflow not just when an alert happens, but before and after. We bring automation and context to the response — who the users are, the departments they’re in, and peer groups. We bring in threat intelligence — that we pay for, not customers — and use it to enrich data and build events. We’re quickly answering the questions that used to take days or weeks to get responses. By reducing manual, repetitive, and tedious tasks, you can put your human resources on more meaningful work and recapture their lost time.” 

Used by the largest brands in the world

With Exabeam, you’re partnering with an inventive team of threat hunters and a global leader. Jeannie states, “Currently, 20% of the Fortune 1000 use Exabeam. We were a Visionary our first year out, and have been a Leader in the Gartner Magic Quadrant for SIEM for the past four years. Our customers are forward-thinking organizations from around the world — across all industries including finance, retail, manufacturing, healthcare, government, and more.” 

Why you need New-Scale SIEM

To address the SIEM effectiveness gap, you need a SIEM that’s purpose-built for security — cloud-native and built for scale. 

With Exabeam, you get:

• Cloud-scale security log management to ingest, parse, store, and search data from anywhere to collect more of the data you need
• Behavioral analytics that helps you understand normal so you can accurately detect and prioritize anomalies
• An automated investigation experience for the entire TDIR workflow that will help your team quickly identify adversaries — whether inside or out — with a full picture of an incident 
• And ultimately, more meaningful work for your team, not tedious tasks — making them more effective, boosting morale, and reducing analyst churn

Exabeam was born in security,” Jeannie says. “We didn’t bolt it on after the fact. We live and breathe security, and you’ll see that knowledge and expertise in our products and people, every day.

For more insights, watch the webinar, Overview of Exabeam’s SIEM & Security Analytics Product Innovations or read the transcript.

You will learn about:

• Rapid data ingestion from hundreds of third-party vendors with integrated threat intelligence
• A cloud-native data lake with hyper quick query performance
• Powerful behavioral analytics for next-level insights that other tools miss
• How automation can change the way your analysts do their jobs.