Expand Coverage Against Threats with Exabeam Content Library and TDIR Use Case Packages
Exabeam recently released our Fusion offerings, which include Exabeam Threat Detection Investigation and Response (TDIR) Use Case Packages, for general availability. In this post, we explain more about each use case package and where to find supporting information in the Content Library.
TDIR Use Case Packages Overview
Exabeam currently offers three use case packages: External Threats, Compromised Insiders, and Malicious Insiders, covering 20 threat-centric use cases:
External threats refer to techniques commonly employed by adversaries to deceive users, gain access to valid credentials, or exploit corporate assets. Attack vectors like phishing or malware provide adversaries ample opportunities to breach a company’s defenses. According to the 2019 Verizon DBIR, phishing is still the number one attack method behind data breaches. Even worse, with the global pandemic and shift to remote work, phishing scams disguised as legitimate communications containing critical information are on the rise. With the sheer volume of attacks on a daily basis, SOCs must be prepared to properly detect, investigate, and respond at a moment’s notice.
The External Threats Use Case Package is particularly helpful for smaller or under-resourced teams that can benefit from enhancing analyst productivity through security orchestration, automation and response (SOAR). Our Turnkey Playbooks for common threats like phishing make Exabeam the simplest SOAR to implement, with no additional licensing or configuration required, significantly accelerating time to value.
Compromised insiders refer to situations when someone outside the organization exploits user credentials for data theft and/or sabotage. In 2019, stolen credentials were used in 80% of reported data breaches, according to research by Verizon. By hiding under the cover of valid credentials, attackers can gain access to critical assets and sensitive information without raising suspicion. Worse still, security teams that build complex correlation rules and dashboards to find these bad actors are often overwhelmed with noisy false positive alerts.
The Compromised Insiders Use Case Package is designed to detect these types of attacks by using behavioral analytics to identify anomalous activity associated with user compromise. Unlike security tools that rely on static correlation or signature-based rules, we establish a baseline for normal user behavior, and then capture deviations from that behavior in a user’s risk score. This allows us to find attacks such as compromised credentials, lateral movement or privilege escalation that would otherwise be missed by indicator of compromise (IoC)-based detection.
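To make the baseline-and-deviation idea above concrete, here is an added example (written for this post, not Exabeam's own scoring engine): it builds a per-user profile from a window of logon events, then adds risk points for each way a new event departs from that user's own history. Event fields, point weights and the sample logons are all constructed assumptions.

```python
from collections import defaultdict, namedtuple

# (user, destination host, hour of day 0-23, whether the logon used admin privileges)
LogonEvent = namedtuple("LogonEvent", "user dest_host hour privileged")

# Constructed baseline window: alice works 08-17 on her workstation; bob also
# routinely opens privileged sessions on a jump host.
BASELINE_EVENTS = (
    [LogonEvent("alice", "ws-alice", h, False) for h in range(8, 18)] * 3
    + [LogonEvent("bob", "ws-bob", h, False) for h in range(9, 17)] * 3
    + [LogonEvent("bob", "jump01", 10, True)] * 5
)
# Constructed events for the day being scored.
NEW_EVENTS = [
    LogonEvent("alice", "ws-alice", 9, False),     # matches her baseline
    LogonEvent("alice", "fileserver02", 2, True),  # new host, 02h, first admin use
    LogonEvent("bob", "jump01", 10, True),         # privileged, but normal for bob
]

def build_baseline(events):
    """Per-user profile: hosts used, hours seen, whether privileged logons are normal."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set(), "priv": False})
    for e in events:
        p = profile[e.user]
        p["hosts"].add(e.dest_host)
        p["hours"].add(e.hour)
        p["priv"] |= e.privileged
    return profile

# Each deviation from the user's own baseline adds points (illustrative weights).
RULES = (
    ("first logon to host", lambda p, e: e.dest_host not in p["hosts"], 30),
    ("logon outside usual hours", lambda p, e: e.hour not in p["hours"], 15),
    ("first privileged logon", lambda p, e: e.privileged and not p["priv"], 40),
)

def score_events(profile, events):
    """Return {user: (risk_score, [reasons])}; risk accumulates across the events."""
    result = defaultdict(lambda: [0, []])
    for e in events:
        entry = result[e.user]
        p = profile.get(e.user)
        if p is None:  # no baseline at all: nothing to compare, surface for review
            entry[0] += 50
            entry[1].append(f"no baseline for user: {e.dest_host}")
            continue
        for label, pred, points in RULES:
            if pred(p, e):
                entry[0] += points
                entry[1].append(f"{label}: {e.dest_host} @ {e.hour:02d}h")
    return {u: (s, r) for u, (s, r) in result.items()}
```

Note that bob's privileged jump-host logon scores zero because it is normal for him, while the same action by alice scores 85: the point is that the same event is judged against each user's own history rather than a static rule.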
Malicious insiders refer to intentional sabotage or data theft by an employee, contractor or partner for either personal reasons or financial gain. With the advent of remote work and the rise in M&A activity in the market, organizations are increasingly worried about threats from the inside, such as job “leavers” or recently terminated employees. Because these threats use known identities, access privileges and machines, tools like network traffic analysis, data loss prevention (DLP) solutions and even XDRs are poorly suited to detect these types of attacks.
The Malicious Insiders Use Case Package allows security and insider threat teams to understand user intent. Exabeam automatically provides visibility into risky activities such as job searches or sending data to a personal email that may ultimately lead to a data leak. These events are all automatically assembled into a user’s timeline, which is presented in clear, plain language that allows analysts to easily navigate all user activity without needing to write a single query. Further, our watchlists allow organizations to continuously monitor employees, such as “Suspected Leavers,” to identify risk before an incident occurs.
Where can I learn more?
We’ve updated our Content Library documentation on GitHub to include our new TDIR Use Case Packages.
We make it easy to explore by use case so security analysts and engineers have a better understanding of how each data source can be used to expand their coverage.
Security teams can also quickly understand how Exabeam can help improve their coverage by referring to our MITRE map.
Want to learn more?
Check out the Content Library on our GitHub.