One of the most common questions we heard when talking to potential customers about our UEBA product was “Okay, your system found something. Now what do I do?” It was eye-opening to see so many organizations that simply didn’t have response processes defined and had limited tools to run those processes anyway. This lack of incident response expertise drove the development of our recently announced Exabeam Incident Responder product.
Incident Responder goes far beyond the automatic investigation timelines created in Exabeam UEBA. It comes with pre-defined playbooks for common incident types such as malware, phishing, and data exfiltration. These playbooks include actions that can run automatically (e.g., get reputation data for this IP address) or guide a team member (reset this user’s password). As actions complete, they are displayed as cards on a Pinterest-like canvas. Responders can also share notes and actions with team members.
A major goal with Incident Responder was to take the best practices currently performed by your “ninjas” and make those available to anyone, even your interns.