
On True Positives and Security Incidents

The Potential POS Breach. Exabeam recently discovered unusual behavior at one of our retail customers. On some of the most sensitive point of sale (POS) devices, a local account was added to a privileged Active Directory group. Some of the audit functionalities on these machines were then disabled, and a few minutes later the account was removed from the privileged group and the audit functionalities were reactivated. This was happening on hundreds of POSs at[…]


Ransomware: Why Steal When You Can Disrupt?

When asked why he robbed the bank, the old saying goes, the thief replied: because that’s where the money was. But in fact, there was no need to rob; applying the modus operandi of recent ransomware attacks, all the thief had to do was disrupt the entrance to the bank and collect the money without any extra effort. Ransomware recently made the headlines when several organizations, including hospitals, were infected and forced to pay tens of thousands[…]

Topics: ransomware, SECURITY

Data Science and Security Research: Two Parts of the Whole

My friend, and Exabeam’s Chief Data Scientist, Derek Lin, previously wrote a blog post about the wrong and right ways for data science and security operations teams to interact. In this post, I would like to expand on that idea and talk about the nature of the two disciplines, their complementary aspects, and how each is indispensable for meaningful security analytics. Data Science. Data science has done wonders in many vertical domains, from retail to marketing[…]

Topics: data science, SECURITY

Circumstantial, Your Honor!

I love legal shows and movies in which an impossible case is made or innocence proven against all odds. I especially enjoy courtroom scenes in which attorneys passionately stand up, bang on the table, and ask the judge to dismiss a piece of evidence as circumstantial: “Circumstantial, your honor!” Working in the security log analysis business for over 10 years, I realize that much of our work is similar to that of a courtroom judge, who[…]


Security Event Management Basics (What We've Seen Companies Are Not Doing)

If you are reading this blog, I am probably preaching to the choir when I say that monitoring logs is an extremely valuable and cost-effective way to identify security issues in the network. What is not so obvious, however, is that purchasing a SIEM/log management solution is the first, not the last, step in extracting the value hidden in these logs. There are several steps that must be taken, and constantly reviewed, to ensure that[…]


Why Your SIEM Doesn’t Work

This is why your security information and event management (SIEM) doesn’t work: No, it’s not Gartner’s Magic Quadrant. It has to do with a highly disproportionate ratio between the benign and malicious events that are collected and processed. Every event that is generated by SIEM systems in an IT environment can indicate either a benign or a malicious activity. This creates four possibilities: True positives (TP): Truly malicious events that the SIEM identified as malicious. False negatives (FN): Truly[…]


The End of SIEM as We Know It, or Why I joined Exabeam

For the better part of the last decade, I’ve been fascinated by the promise of security information and event management (SIEM) systems. I joined one of the most advanced SIEM vendors as a security engineer, and worked tirelessly to make this passion a reality. The ability to monitor all security activity from a central location was a complete game-changer in my mind, and adding a querying engine that would ask any question of the data[…]