
Overcoming the Limitations of Addressing Insider Threat: Real Solutions for Real Security Challenges with Exabeam

Webinar Transcript | Air Date March 14, 2023


Jenelle Davis:

Hello, and welcome to this Exabeam webinar where today we’ll be discussing overcoming the limitations of addressing insider threat: real solutions for real security challenges with Exabeam. Thank you for joining us, and we’re gonna give everyone a moment to get in and get settled while we talk about this important topic. I’m Jenelle Davis, and I’m a senior product marketing manager here at Exabeam, and my focus within our team is vertical industries and use cases much like the one we’ll be discussing today. I’m joined by my colleague John Nowotny, and I’ll let him introduce himself before we continue.

John Nowotny:

Yeah. Hi, John Nowotny, sales engineer here at Exabeam, actually a former customer of Exabeam a few years ago before joining over here. So looking forward to today’s webinar as well.

Jenelle Davis:

Thanks, John. So here’s what we’re gonna discuss today. We’re gonna start out by addressing some of the challenges of insider threat. Then we’re gonna look at how insider threat is actually taking place within organizations. Next, we’ll look at successfully fighting those threats, and then we’ll get into some real world stories looking at how customers are addressing insider threats within their organization. Then John will take us through a demo so that you can see how Exabeam is helping customers to face this challenge. So here’s the big challenge with recognizing insider threats. It’s that hackers don’t break in, they log in. So while some users may be unknowingly targeted for their credentials and access, some are actually intentionally a part of this threat, and so they have legitimate access and knowledge of security measures and procedures that are taking place within your organization. These compromised credentials can disguise malicious behavior as legitimate action.

So it looks like they’re doing what they’re supposed to do when they’re actually going left. Unfortunately, financial motivation makes it really difficult to predict or detect actions that are taking place within the organization and throughout its systems. Part of the challenge is that balancing your employees’ autonomy with proper levels of security can be difficult. Of course, you don’t wanna micromanage every task that your employees are taking, but you do wanna make sure that you have a heightened sense of awareness within your networks and within your data. The other challenge is that insider threat can take on so many forms that it’s just really difficult to wrap your arms around it. So what do these insider threats look like? What forms are they taking on within your organization?

So one of the main ones is lateral movement. With lateral movement, attackers compromise or gain control of assets within the network, and they move internally within the network. So they’re moving east to west from device to device. The challenge with this threat is that it’s often happening slowly and quietly, which makes it really difficult to address or notice because it’s not a big event that’s taking place. The next type of attack that’s happening with insider threat is privilege escalation. With privilege escalation, attackers are gaining higher level permissions or unauthorized access to privileged user accounts or assets. Privileged activity is when these attackers have unrestricted access to critical IT systems and other valuable systems, which makes privileged accounts a top target for attackers. Imagine your supervisors or your leadership having their credentials compromised, and now they’re able to access your entire network and all the accounts below them.

That’s why privileged activity is a really dangerous form of insider threat. Account manipulation is when these attackers are using persistence techniques to maintain access to networks, such as creating new accounts or manipulating existing user accounts. And then finally we have data exfiltration. So this is where adversaries target specific organizations and sectors with the sole intent of gaining access to sensitive corporate data or customer data. Once they’ve got that data in their hands, all bets are off. They can use that data to leverage and exploit the organization for financial gain, or they can simply choose to sell it to the highest bidder because they wanna wash their hands of it. The thing to note here is that the commonality with all of these tactics is around credentials and compromised credentials. And that’s why organizations need to position themselves with an offensive posture, because compromised credentials really are difficult to detect.

So how can organizations put themselves in a posture to fight these threats? The first thing that you can do to posture yourself is develop a healthy paranoia. Focus on a defensive posture, because at the end of the day, prevention alone isn’t enough. These attacks are going to happen, so preventing them may not be able to be accomplished, but what can you do once they occur? Now, don’t get me wrong, prevention technologies are important. It’s just not enough to simply have technology in place. So you need to make sure that it’s configured and deployed properly, making sure that you’re asking questions like, do I have full coverage across the organization? And as we see with breach after breach, prevention methods simply fail to keep attackers out, and they really don’t stop malicious insiders. So what you really need is the fallback of real time threat detection and response capabilities.

The next key to successfully fighting insider threats is the ability to tell the normal from the abnormal. So how do you know if the task that someone is doing, or the action an asset is taking, is normal versus abnormal? You need tools in place to help you be able to distinguish between the two. And an effective security tool will allow you to baseline that normal behavior and distinguish between users and devices with behavioral models to detect, prioritize, and of course, respond to any abnormalities that are taking place, and appropriately score risk to make sure that you can acknowledge how these changes are taking place as they continue to change.

Next, your organization can embrace automation. So automation has great potential to alleviate a lot of the issues that exist within cybersecurity platforms. Of course, we know that the industry is short on resources, people and expertise, and most organizations are short on financial resources to address all of the attacks that are taking place. Automation can help to alleviate this. Here’s a troubling statistic: 74% of an analyst’s time is spent on triage and investigation. So why not use automation to help focus on the parts of the process that we can automate? One area ripe for using automation is creating timelines for events, which can take hundreds of queries to unravel if you’re doing it manually. Being able to automatically provide your analysts with timelines is a great way to kickstart their investigations. Now, automation can seem like an overwhelming task, but before you get overwhelmed and think that it’s something that has to be done in one fell swoop, just remember that automation doesn’t have to be an all or nothing proposition. With careful thought and planning, organizations can take a phased approach to automation and find the appropriate level that works for them.

And finally, think like an attacker. As you’re going about your work, think about how your systems are positioned in ways that might be vulnerable to attackers. So think: how could I get access to this system if I didn’t have the proper credentials? How do I know what’s normal and not normal within this network? And how do I know all of the assets that have access to this network? By thinking about those things, you can begin to position yourself and make changes within your network and within your organization to appropriately protect yourself when threats arise.

So taking all this into consideration, it’s really clear that protecting yourself from insider threat requires a new and focused approach. And here at Exabeam, we call it New-Scale SIEM. Now let’s take a look at some real world examples of how Exabeam is helping organizations to fight against insider threats. Now, we won’t be using names, but these stories speak for themselves, and they really hone in on the point that it is possible to protect your organization against insider threats. So let’s check out this first example. This first example looks at a Lapsus$ attack. So you have probably read or heard about Lapsus$ in the news. The Lapsus$ gang was going around targeting employees within organizations to get access to their credentials. They were using financial incentive to do this, and employees were selling their access to their organizations to Lapsus$ directly.

And this was a real Exabeam customer. As you can see from the snapshot of our smart timeline, the employee’s risk score continued to rise as time went on, but it was over a really short period of time. The reason we were able to notice this was because of Exabeam’s Advanced Analytics notable user function. So the behavior of the compromised user was flagged as notable, and eventually 10 to 15 rules fired within the Exabeam system. These models that we deployed were able to reveal that the user’s behavior was similar to other tools and tactics, techniques and procedures that had been used in other attacks. This allowed the customer to quickly conduct an investigation, and they discovered messages that the employee had received from Lapsus$ confirming that they had actually been paid. So what did Exabeam detect for this customer?

What did we do for this customer? We were able to provide them with a comprehensive and complete picture of the attack, providing details of abnormal user behavior and lateral movement. We were able to identify the compromised credentials connecting on the VPN from an anonymous proxy. Not only that, we were able to show them how many assets were affected and how many of those assets had been accessed for the first time. So the attacker was purely leveraging living-off-the-land techniques. And as you can see, we were able to provide a very detailed timeline of activities and assets. As a result of all of this work and investigation, the customer was able to completely remediate the threat, and they were able to interview that employee and confirm that they actually did sell their credentials to the Lapsus$ gang. So, as you see, the timeline here is very short. This is about a three hour window. Based on the information that they received, they were probably able to prevent a much broader attack from taking place within their organization. And John, I don’t know if you wanna jump in here and talk about this from a customer’s perspective.

John Nowotny:

Yeah, absolutely. And for that particular customer, they had some best of breed kind of technologies, network security, even MFA in their environment. But when you’re talking about credentials that have been sold to another group and MFA is being approved in a manner that isn’t raising any red flags, how can you detect things like this? It goes back to what Jenelle was saying earlier on: the key for successfully fighting insider threats is understanding that normal from abnormal. You’ll see a lot of the risk reasons that were added in this timeline are a lot of first access abnormal activities and first-time activities on here as well, of course. And that’s what prompted and led this customer to be able to understand what was happening in their organization for this particular attack.

Jenelle Davis:

Thanks, John. All right. This next example that we’re gonna look at is a customer who wasn’t facing an imminent threat, but they were in search of a new security solution to protect their systems, and their organization was going through a rapid pace of transformation and growth. They also wanted to gain deeper visibility on the threats that were rapidly evading rule-based detection, just like insider threat and compromised credentials. One of the challenges that they had, since they were experiencing such huge growth, is that they had this hodgepodge of legacy SIEMs that were left over from previous business acquisitions. So, the problem that they faced is that those legacy capabilities were unable to analyze all of the operational and security data that they had. This was a company that had really high expectations of data reliability from its customers and stakeholders.

So it was really important to them to find a solution that helped them to guard against insider threats. Making things even more complicated, they had a bunch of use cases that they wanted to deploy at once. And this deployment of 50 use cases was really a challenge. However, the fact that Exabeam is able to provide support models for over 400 use cases made this a task that wasn’t so difficult to overcome. Through our UEBA technology, we were able to help them deploy a system that allowed them to distinguish malicious behavior from privileged credentials. So I’m gonna kick it over to John, if you wanna add anything here. This was a really good example of how, going from start to finish, we were able to meet that need.

John Nowotny:

Yeah, absolutely. And one of the things I like thinking about as well, talking about the top point, is you can write as many correlation rules as you want, but at the end of the day, you have to make sure you’re looking for the correct behaviors or the correct thresholds, correct signatures to be able to actually alert on those kinds of, whether it’s behaviors or those particular artifacts that you’re looking for. And at Exabeam, we take a different approach with the analytics engine, with the behavior analytics in the platform, in that out of the box there are almost 2,000 rules that are in there. We have some correlation rules that look for, you know, some of the bad things and bad behaviors, but over half of that rule set is actually just around those behaviors. And so what that means is that as those models, and we’ll see this in the demo here shortly, but as those models are understanding what’s happening for every user and asset in your organization, we’re able to understand what’s deviated from normal.

And once there’s enough aggregate risk here, we can understand what becomes a notable user or notable asset. And so, because when you think about, well, a thousand rules, you know, maybe that still seems like a lot in some ways, but maybe seems like a little to some of the organizations, but those thousand rules are then extrapolated against every user and asset. So really those become a number of unique rules. And so if you’ve got, you know, call it a thousand users in your organization, or 10,000 users, for each of those users they have a thousand unique rules that are specific to them. And so that’s how we’re able to do this quickly. With that built-in ability to have that already extrapolated to every user and asset, it makes it much easier to adopt all these different use cases you might be wanting to get coverage for in your organization.

Jenelle Davis:

That’s awesome. And I think that one of the great points to take away from this is every organization’s use cases are gonna be different. Their business use case is gonna be different. And it’s important to have a tool that can be flexible to meet that organization’s specific needs.

John Nowotny:

Absolutely.

Jenelle Davis:

So we’ve talked about a company who was facing an imminent threat, and one who was looking for a new provider. And so next we’re gonna talk about a company that already had a SIEM in place. So this company that is now an Exabeam customer was a former Splunk user. So you may be thinking, well, I have Splunk and I don’t know how to, do I have to completely move to Exabeam? I don’t know how that process is going to look. But the beauty of New-Scale SIEM is that we’re able to augment or deploy a solution that meets your individual needs. So as you can see here, this customer started out with Exabeam as an augmentation. So back in February of 2022, we augmented their Splunk system.

However, as the year went on and the benefits of our advanced analytics became clear, the challenge also became clear. It’s the fact that Splunk lacks those analytics and that their pricing was really high. So throughout the course of the year working with our team, when it came time for that renewal, it was clear that this customer would benefit by completely deploying Exabeam as a full SIEM solution. And so that’s what they did. And here in January of 2023 they made that decision, and they’re using advanced analytics to bring value to their SIEM investment. So here, the value to that customer is that they would have more functionality and storage at the same price.

John Nowotny (18:14):

Yeah, absolutely. And specifically on this customer as well, what we saw was actually that they got in, they brought the analytics on top of Splunk. We see this, you know, quite a bit. This is actually how Exabeam came to market back in 2013, simply just augmenting existing SIEMs. And we still provide that avenue today with our security investigations and security analytics packages. But what we tend to see over and over is that not everybody has all the data they really want in their existing SIEM today, or in this case Splunk here. And so what ended up happening was this customer realized they had a ton of telemetry that they wanted to bring on board, but that was not gonna be an easy task for both the onboarding processes, the technical limitations and the pricing to do in their existing SIEM.

And that’s where the full value of Exabeam Fusion comes in. But specifically with New-Scale SIEM is that ability to quickly bring on that data that we already had a cloud connector ready to go for, to easily bring that data onboard in minutes, not in days or weeks to get all of it onboarded, but at an attractive price point as well. That really puts everything into one platform, a singular platform to manage, and have that ability with the analytics on top to continue bringing additional investment and value to the data sources they were onboarding.

Jenelle Davis:

That’s great. Well, that’s a perfect segue because, speaking of our platform, let’s show the platform. John’s gonna lead us through a demo of the Exabeam platform to show how we’re protecting against insider threat in real life.

John Nowotny:

Yeah, absolutely. Let me bring this back over. And so what we’re seeing here is the Exabeam analytics platform, and again, this is really where the power of Exabeam comes into play, what we’re really, you know, known for in the market and why we continue to be a market leader in the SIEM category. What we’re looking for here is a way to understand your logs automatically by stitching and understanding the events that are coming through for every user and asset. As these events are stitched into the timelines for every user and asset, we’re understanding how risky potential events are. Are they abnormal? Are they normal events? And if there’s associated risk to them, we add a risk score to that person or that asset for that day, or what we call a session. It’s not always necessarily 24 hours.

But as that risk score gets above 90 points, we say that that entity is now notable. It’s worth investigating. I have a colleague who likes to say this; his one-sentence pitch is that “Exabeam shows you the weird,” or “Exabeam shows you the interesting,” is maybe how other people would say it as well, but I personally like the weird one on there as well. But see, you’ve got a number of users and assets who have risk scores above 90 points here. And specifically thinking about kind of that insider threat scenario, there’s compromised credentials. I always love picking on Barbara Salazar. I can see I’ve got a case for her open here at the top that I could dive into. But I can also just go straight on to her profile to go take a look at what we’re seeing here for her. When I come in here, one of the great things that Exabeam does is that we’re always starting with the context of who or what you’re looking at.

So I’m not looking at just a user ID and then trying to gather all my logs against that user ID or against that email address, user ID here, user name on this particular app. Regardless of whether it’s cloud sources, on-prem, hybrid type scenarios, we’re understanding the persona of who that user is regardless of what their naming standard is. So in some platforms you’ve got, you know, Barbara’s email address, and in other ones you’ve got her user ID, and in another one it’s the VPN. All these are getting tied back to one single timeline that’s being evaluated against, again, the power of analytics, and being able to take that enrichment and provide that context automatically. But we’re also understanding, you know, in some large organizations that are larger than others, you know, you don’t know every single user or every single asset in your environment. And so understanding who or what you’re looking at is incredibly important as well.

So we’ll help pull this from your identity stores automatically as well. Things like your title and location, the department, what kind of employee they are and even, you know, their manager of course, but we also use this information to peer users together. So if I click on here, I can see what peer groups Barbara’s a part of: she’s a part of the human resources coordinator group, she’s based outta Chicago, and she is part of this job VI group as well. And when I look at any of these, I can also see who else is a human resources coordinator and see how similar her behavior is to the other ones in here, based on the behaviors of everybody else in here. And so this is great information. We’re gonna see this context later on and how this actually aids during investigation, and helps to speed up understanding how abnormal, how malicious might this attack be here.

So as I scroll down, I can see what Barbara’s risk trend looks like over time. We can see this risk is going up and not down over time, but I can go further back and see, you know, Barbara doesn’t really have any sort of risk that’s happened in the past month. She’s kind of a user who comes in, does her day-to-day job, and nothing really is getting added until recently. I’m gonna scroll down here. I can see all of a sudden all of our risk reasons for this day in order of risk. So we’re gonna dive into the timeline here shortly. We’re gonna put it together, but just as a quick view in here, we’re showing you this risk in order because at Exabeam, we’re really trying to help you, as you’re trying to understand insider threats, as you’re trying to understand other security investigations you’ve got going on outside of just that one specific use case, to understand is this malicious or not?

What’s going on here? And so I see some risk reasons that have 40 points of risk added; others just have ten or five. Again, it’s that aggregate that takes us to that 90 points that we need in order to have a notable, but I like focusing on these top three rules for a second, because they show you the easy ways we add risk to a session for a user. The first is obviously any of your security alerts; we’re gonna bring those into the platform and into the timeline here as well. And one of the things to note is if I click on the event details here, I’ll actually see this not in a raw log form but in a security alert event type. One of the things Exabeam does is that we consume all these raw logs, but to understand behaviors, we actually have to convert, translate everything into event types.

So we’ve got hundreds of out of the box event types, this one being security alert, and this one happened to come from Palo, but you can imagine this could say CrowdStrike or Office 365 or something else in here. We’re gonna always provide the alert metadata here, any of the source/dest IP information, any URLs or process or file information here as well. This makes it really easy for your most junior analysts all the way to your senior analysts to be able to get value outta the platform quickly, to get the information they need and not have to comb through raw logs to understand every single vendor and how they produce their logs in the platform. The second is a normal correlation rule. You can write this in any SIEM, but one of the things to note for Exabeam is that we make this very glass box.

So I can go to my rule definitions and even go see the expressions in here, the scores; all these are completely customizable in here, to be able to take advantage and be able to modify this, make this specific to your organization. The SA account here, maybe you would say, hey, I don’t need this for my DBAs. I’m gonna put them on an allow list that doesn’t need to fire off this, or fires off a lesser amount of risk. And one of the other things for Exabeam, though, that does differentiate our correlation rules is the ability to have these rule tags here. And so, all of our rules are mapped back to MITRE ATT&CK. So if I click on valid accounts here, I’ll actually get the MITRE ATT&CK technique of why this is important, to understand why this rule fired and why we should be concerned about it potentially on here.

The top rule, though, of course, is one of the Exabeam powerful behavior analytics rule sets. This is because we’re saying this is the first high activity from Ukraine for Barbara. And if I click on this data insight button that we now have, I can actually see what’s normal alongside the abnormal. So this rule fired off not because of Ukraine, the unfortunate war, or because of it being on some list anywhere in our platform; it’s because this is the first time we’ve seen Barbara log in from anywhere outside the United States. The same rule would’ve triggered risk from logging in from Brazil, Australia, Canada, it doesn’t matter; this was being done because we understand what’s normal for Barbara. And one of the great things that Exabeam does is we make it really easy, again, to see that normal alongside abnormal in many ways in the platform.

The first is just in these quick data insights. Here I can see what her normal workstation assets look like, what network zones we see her communicate on and what countries we see her coming from. So of course it’s been the United States before this particular date here, and what time of the week she normally works. I can click on more insights to see the hundreds of other models that are populated for her as well and go look at that information in there as well. But now I wanna take you to the timeline. This is really where the kind of aha moment comes together, because we’re able to see all the logs you would normally go query for in your normal SIEM, whether it’s Splunk or something else, but we’re automatically stitching this all together. This is all happening without me having to use a search bar, seeing anything else in the platform to be able to get to this.

But of course you’re able to pivot down into those raw logs when necessary. And of course there’s a lot of use cases for that as well. But we see this particular day start off at 4 52 in the morning with a VPN login from Ukraine. Again, I can click right on this VPN login and see that we’ve enriched that it came from Ukraine and what I see is it was from based on our GIP enrichment information. But now we’re seeing all the risk reasons that are associated with this event. So this one event had a lot of risk cuz not only like we saw earlier, was this the first time from Ukraine for Barbara, it was the first time for anybody to log in from Ukraine for the entire organization. We see some first activity from ISPs, first VPN connections. We didn’t see a first VPN connection for the device for the organization.

Again, adding all this information for you to help understand and make good decision making processes of is this just weird or is this something actually malicious going on? And so as I scroll down, we can start to see some normal alongside abnormal. She has remote access to her own laptop, okay, she accesses her laptop. There’s no risk reasons fired there. But then we see a remote access to a server that she doesn’t normally go to very much on as part of her day-to-day operations. We then see that translated into a remote, a first time remote access to a particular server and finally a remote log on to what looks like a systems database server that we’ve never seen before. And again, adding that context in the timeline here, but understanding not only is this the first time for Barbara to log onto the server, it is the first time for anybody in the human resources coordinator group to log in as well.

We didn’t see a privilege activity happen here where we see an account switch. So we went from lateral movement to now privilege escalation I should say, of an account switch to the SA account. And so not only do we have this normal correlation rule of hey, someone switch to the SA account, we see it as the first time for Barbara to ever do a credential switch, especially to the SA account on here for her. We then see her use that account in remote log on into a particular SQL server. And on that SQL server, because we’ve got database audit logs, we can see that she did a select star from the payroll table. And because we’ve got this information tracked for Barbara and for every user in your organization, we see that normally or with her normal Excel connections and running her own reports and pivots, she gets spend 10 kilobytes returned on a daily on a, on a particular query on an average query size.

And instead we see over 500 gigabytes return on this query. Shortly after she runs this on her machine, we see her go to file share.com and then finally we see Palo send off its security alert that a large outbound traffic volume was seen on a particular asset and for this user, and this is the first time we’ve seen this alert name. And so when I click on here again, we see that same security alert details, but notice that the outcome has no block on here. So we understand when there’s an allow or block and because there’s no block here, this we really did have a data exfiltration scenario. And so what we were able to see just by scrolling up and down, I didn’t have to do a single query pivot, I didn’t have to plug anything into the Splunk search bar in here, is that we see that we had a, a compromise credential that led to lateral movement follow by privilege escalation and prolog activity.

And finally data exfiltration is all happening here. One of the powerful things about Exabeam is that, again, I’m just scrolling up and down to see this information and just by looking at the titles of this information, I could put together a story very easily, but I can export this information as well, create more detailed reports, pivot back down into the raw logs if I’m needing to see that as well. But the powerful thing of where this helps out for Exabeam, like we saw for that first real customer story for defending against attacks from organizations like Lapsus$, is that Exabeam gives you that fighting ability, that fighting chance to catch left more earlier in the cyber kill chain that already at 4 52 in the morning, six hours before the security alerter fire from Palo, we already had a user that was in a notable state.

Now, not everybody has the ability to have a 24/7 SOC. And so even halfway through this attack, at seven or around seven thirty in the morning, we already saw what looks like a strange login, to lateral movement, to privilege escalation all happening on here, that gives you that fighting chance to really catch the attackers and lock down your organization before the attackers really get to their end state: that data exfiltration, ransomware, whatever have you on there. So really powerful stuff here in Exabeam. Again, being able to see that abnormal alongside normal in the timelines here gives you that leg up, that leveling up of your SOC capability using our platform. One other thing I’d like to highlight, a newer feature in the New-Scale SIEM platform, is actually the ability to understand these different log sources coming in and how that aids in your detection capabilities.

So we saw things like authentication activities, file activities, database, web activity here in this timeline; we can understand how helpful that is for being able to have coverage in your platform. And so we actually have what’s called Outcomes Navigator here. In Outcomes Navigator in the SIEM platform, we’re actually taking a look at all the different log sources you’re bringing in, all the different data sources you have coming in, categorizing them, understanding what information is getting parsed and extracted in the platform, to understand how good you are in your organization at detecting these kinds of attacks and techniques. And again, this becomes important for understanding: do you have the right data sources? Going back to the Splunk example, you may have a SIEM that you’re enjoying today, but you’re locked down from being able to onboard the sources you really want.

Or maybe you’re throwing too much at your SIEM and you’re not focusing on the right areas. Again, this is where Exabeam is always trying to aid and help you understand: are you bringing in the right things to detect the kind of attacks you’re wanting to have coverage for? And so if I look at these outcome categories, you’ve got malicious insiders, external threats, compromised insiders. And as we take a look at these different ones, we can click on any of these different categories to see how we’re doing in here and how we could aid in having better detections in the platform. And so if I click on privilege escalation here, I can see some details here. I have good coverage. We’ve got 11 out of 48 product categories enabled, though. And so we’ve got some ability to be able to add on some more information here.

So I click on see details here. I can actually see what my use case details look like and what my coverage is looking like. I can even see that my coverage over time has increased since September. We’re getting better here. And this is really great because we provide coverage exports for you to be able to send back to your leadership to show the progress that you’re making in your SIEM investment, in your SOC capabilities, for your leadership, for your organization to understand what’s going on in here. We provide some resources around what’s helpful and how you can help get better adoption into here, how you can do investigations on privilege escalations here and how these might map back to MITRE. In here we can see the different advanced analytics rules, how many are available out of the box and how many have been satisfied based on the log sources we have coming in, basic correlation rules as well.

And the number of dashboards you might have tied back to this as well in our SIEM platform. And you can see further other resources we have on dashboards that we can dive into at a later time. But if you scroll down in here, we can see the different product categories that exist and what products we have configured. So we’ve got some good endpoint auditing, we’ve got some good access management, firewalls, but we don’t have any file sharing logs coming in. If I go down into the other rows on here, I can see we’re missing some user authentication, some event management forwarding in here, network devices, NAC, identity administration, CASB log sources. So these might be things where you say, hey, these are log sources or data sources that I could bring on board because I have investments in these technologies.

It may also be a way for you to be able to help get funding in these areas that you know that you’ve wanted. I know that I’ve needed NAC, but now I can actually showcase how this would be helpful, how this actually aids us in these kinds of detection capabilities in our SOC. And so again, I can click through the rest of these and look at some other ones that are missing in here, but if I go up to the top, we really make this easy to see as well on a recommendations tab. So one of them is around parsing. We can take a look at our log sources that are coming in. Are we actually extracting all the information we want out of the logs that are coming in? And so I can actually click on improve to go look at the different parsers that are related to the event viewer for PowerShell or our F5 access policy managers to make sure that we’re extracting all the information that we want out of there in our log stream platform.

But I can also see down here at the bottom the product categories we’re not providing any information from. So we saw that earlier: CASB, identity administration, file sharing. We saw on that list earlier there were 48; there were a few other ones that aren’t on this list, but we’re showing you the top ones in here that, if you brought these categories on board, would actually really aid in investigation capabilities and detection capabilities that would increase this score we’re seeing at the top here for privilege escalation. Again, I can click through any of the rest of these to go see what’s happening on theirs as well, on to the recommendations. And again, I can provide this as a simple export for my leadership here. So with that, I just wanted to end things. There’s a ton more to show off in the platform, but I just wanted to show off the ability to see the timelines, but also understand, like we’ve seen for some of our real customers, how we can see that the right data coming in aids us in these insider threats, aiding us in helping to detect this information and be able to detect these kinds of attacks and further our security investments. So thanks very much on that. Let’s pull it back over to the presentation here to end things off.

Jenelle Davis:

Thank you so much, John, that was really good. So hopefully that sparked some thoughts, some questions. And if you have left any questions in the chat, don’t worry. We will make sure to follow up with you via email. You’ll also receive a recording of this webinar via email. We appreciate your time. Thank you for joining us today, and we hope to see you on a future webinar with Exabeam.

John Nowotny:

Yeah, thanks everyone.

Jenelle Davis:

Bye-Bye.
