Expand Coverage Against Threats with Exabeam Content Library and TDIR Use Case Packages

Published
May 27, 2021

Author
Ofer Gayer

Exabeam recently released our Fusion offerings,  which include Exabeam Threat Detection Investigation and Response (TDIR) Use Case Packages, for general availability. In this post, we explain more about each use case package and where to find supporting information in the Content Library.

TDIR Use Case Packages Overview

Exabeam currently offers three use case packages: External Threats, Compromised Insiders, and Malicious Insiders, covering 20 threat-centric use cases:

Figure 1: Exabeam TDIR Use Case Packages provide all the content and tooling SOCs need to address common and advanced threats such as those listed above.

External Threats

External threats refer to techniques commonly employed by adversaries to deceive users, gain access to valid credentials, or exploit corporate assets. Attack vectors like phishing or malware provide adversaries ample opportunities to breach a company’s defenses. According to the 2019 Verizon DBIR, phishing is still the number one attack method behind data breaches. Even worse, with the global pandemic and shift to remote work, phishing scams disguised as legitimate communications containing critical information are on the rise. With the sheer volume of attacks on a daily basis, SOCs must be prepared to properly detect, investigate, and respond at a moment’s notice. 

The External Threats Use Case Package is particularly helpful for smaller or under-resourced teams that can benefit from enhancing analyst productivity through security orchestration, automation and response (SOAR). Our Turnkey Playbooks for common threats like phishing make Exabeam the simplest SOAR to implement with no additional licensing or configuration required, significantly accelerating time to value.

Compromised Insiders

Compromised insiders refer to situations when someone outside the organization exploits user credentials for data theft and/or sabotage. In 2019, stolen credentials were used in 80% of reported data breaches, according to research by Verizon. By hiding under the cover of valid credentials, attackers can gain access to critical assets and sensitive information without raising suspicion. Worse still, security teams that build complex correlation rules and dashboards to find these bad actors are often overwhelmed with noisy false positive alerts. 

The Compromised Insiders Use Case Package is designed to detect these types of attacks by using behavioral analytics to identify anomalous activity associated with user compromise. Unlike security tools that rely on static correlation or signature-based rules, we establish a baseline for normal user behavior, and then capture deviations from that behavior in a user’s risk score. This allows us to find attacks such as compromised credentials, lateral movement or privilege escalation that would otherwise be missed by indicator of compromise (IoC) based detection.
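To make the "baseline, then score deviations" idea concrete, here is a small added example (not Exabeam code; the log format, the weights, the threshold and the user names are all assumptions). It learns per-user hosts, logon hours and actions from a learning window of constructed events, then accumulates a risk score from each deviation seen in a later window, so a new host at an unusual hour followed by a group change stands out while routine logons score nothing:

```python
"""Toy behavioral baseline scoring (constructed illustration, not a vendor
implementation). Weights, threshold and event format are assumptions."""
from collections import defaultdict

# Constructed sample events: (day, hour, user, host, action)
BASELINE_EVENTS = [
    (1, 9, "alice", "ws-alice", "logon"),
    (1, 10, "alice", "fileshare-1", "logon"),
    (2, 9, "alice", "ws-alice", "logon"),
    (2, 17, "alice", "fileshare-1", "logon"),
    (1, 8, "bob", "ws-bob", "logon"),
    (2, 8, "bob", "ws-bob", "logon"),
]
DETECTION_EVENTS = [
    (3, 9, "alice", "ws-alice", "logon"),            # routine
    (3, 3, "alice", "dc-01", "logon"),               # new host, off hours
    (3, 3, "alice", "dc-01", "add_to_admin_group"),  # never-seen action
    (3, 8, "bob", "ws-bob", "logon"),                # routine
]
WEIGHTS = {"new_host": 20, "off_hours": 10, "new_action": 30}  # assumed
ALERT_THRESHOLD = 50                                           # assumed

def build_baseline(events):
    """Per-user sets of hosts, hours and actions seen in the learning window."""
    base = defaultdict(lambda: {"hosts": set(), "hours": set(), "actions": set()})
    for _, hour, user, host, action in events:
        b = base[user]
        b["hosts"].add(host); b["hours"].add(hour); b["actions"].add(action)
    return base

def score_events(baseline, events):
    """Accumulate a per-user risk score from deviations against the baseline.
    Returns {user: (score, [reason, ...])}; users with no deviations are absent.
    Users missing from the baseline are skipped here; a real system would treat
    a brand-new identity as an anomaly in its own right."""
    risk = defaultdict(lambda: [0, []])
    for _, hour, user, host, action in events:
        b = baseline.get(user)
        if b is None:
            continue
        checks = (("new_host", host not in b["hosts"]),
                  ("off_hours", hour not in b["hours"]),
                  ("new_action", action not in b["actions"]))
        for name, hit in checks:
            if hit:
                risk[user][0] += WEIGHTS[name]
                risk[user][1].append(f"{name}:{host}@{hour:02d}h")
    return {u: (s, r) for u, (s, r) in risk.items()}

def flagged_users(baseline, events):
    """Users whose accumulated score crosses the alert threshold."""
    scores = score_events(baseline, events)
    return sorted(u for u, (s, _) in scores.items() if s >= ALERT_THRESHOLD)
```

The reasons list is what an analyst would read on a timeline: each entry names the deviation, the host and the hour, so the score is explainable rather than a bare number.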

Malicious Insiders 

Malicious insiders refer to intentional sabotage or data theft by an employee, contractor or partner for either personal reasons or financial gain. With the advent of remote work and the rise in M&A activity in the market, organizations are increasingly worried about threats from the inside, such as job “leavers”, or recently terminated employees. Because these threats use known identities, access privileges and machines, tools like network traffic analysis, or data loss prevention (DLP) solutions and even XDRs, are poorly suited to detect these types of attacks. 

The Malicious Insiders Use Case Package allows security and insider threat teams to understand user intent. Exabeam automatically provides visibility into risky activities such as job searches or sending data to a personal email that may ultimately lead to a data leak. These events are all automatically assembled into a user’s timeline, which is presented in clear, plain language that allows analysts to easily navigate all user activity without needing to write a single query. Further, our watchlists allow organizations to continuously monitor employees such as “Suspected Leavers,” to identify risk before an incident occurs.

Where can I learn more? 

We’ve updated our Content Library documentation on GitHub to include our new TDIR Use Case Packages.

Figure 1: Content documentation is organized by TDIR Use Case Package and use cases

We make it easy to explore by use case so security analysts and engineers have a better understanding of how each data source can be used to expand their coverage.

Figure 2: Each use case contains a comprehensive listing of supported products organized by vendor with additional detail on event types, MITRE TTPs, with a count of associated detection rules and models.
Figure 3: Viewers can drill down on a specific vendor and product and see additional detail on rules and models mapped to a particular use case.

Security teams can also quickly understand how Exabeam can help improve their coverage by referring to our MITRE map.

Figure 4: We provide a listing of all techniques covered as well as counts of available rules and models mapped to MITRE subtechniques.

Want to learn more?

Check out the Content Library on our GitHub.
