The threat landscape has changed significantly in recent years. Attacks such as SQL injections, viruses, etc. were usually isolated transactions; they were executed, the results were typically visible, and the threat ended. While the effects could be significant (for example, customer data loss due to SQL injection), the attacks were contained. In contrast, attacks in recent years are very different. Attacks via compromised credentials are complex, spanning multiple targets, multiple accounts, multiple devices, and multiple IP addresses. Threats from malicious insiders are similar, as employees or contractors use their access rights to copy and exfiltrate data over time. These modern attacks may last for months; they are not isolated transactions. As a result, detecting and containing them is much more difficult.
When attacks were isolated transactions, the log event was a useful data structure. Log events on their own, however, can’t help analysts detect and understand today’s complex attacks. Security analysts need to know, for every activity, where did this user come from, where did she go next, and most importantly, is this behavior normal? A new data structure is required.
Read the white paper and learn how Exabeam provides a new data layer for your security analytics.