Insider threats come from employees and contractors using their access rights to steal confidential data. Exabeam first creates behavioral baselines for every user to determine normal access. Then, we also compare each user to peers and monitor shared and privileged accounts. We also analyze locked accounts for signs of potential insider data theft. Exabeam User and Entity Behavior Analytics incorporates common data feeds into its threat analysis, such as access logs, identity services, DLP scans, USB thumbdrive activity, badge readers, print servers, databases, and others.
Many breaches use valid-but-stolen credentials, which a hacker uses to impersonate an employee and gain access to sensitive data. Distinguishing between an employee going about his normal job and a hacker impersonating that same employee can be challenging. Exabeam uses a variety of techniques, driven by per-user baselines, to determine when an account is exhibiting unusual and risky behavior. Our UEBA techniques include monitoring for privilege escalation, new account creation, first-time remote login, first access to systems, and other unusual events.
Locked-out accounts provide a strong signal of compromised accounts. Unfortunately, most IT organizations receive account lockout support tickets all day long, each requiring hours of investigation to resolve. Exabeam includes specialized analytics for account lockouts that assess the risk of each, so that IT staff can focus on risky lockouts and avoid wasting time on those that aren’t.
Ransomware can enter the corporate network from nearly anywhere, and often moves undetected from system to system. By the time it’s detected by endpoint security products, it’s too late. Exabeam applies behavioral analytics to system processes to detect anomalous behavior, no signatures required. It also applies research-driven knowledge of ransomware file extensions, names, etc. to determine whether unusual process behavior matches the activity of similar malware. Early detection enables Exabeam customers to prevent disruption to business operations and data security.
Many enterprises already have integrated public or private clouds into their architectures, so behavioral analytics must include the cloud. Exabeam accepts log data directly from cloud services, such as Salesforce.com event log files; web proxies that track cloud access, such as SonicWALL; and from cloud security brokers, such as Skyhigh Networks, that control access to multiple cloud services. These services receive the same level of behavioral analytics as your on-premises systems, and data from them is automatically integrated with other on-premises log data in Exabeam.
Exabeam integrates with data loss prevention (DLP) products from McAfee, Symantec, and others to provide risk context around sensitive data. Exabeam can ingest DLP scans to identify systems that contain sensitive information and then adjust risk scoring when users access those systems. It can identify users who are copying sensitive data to thumbdrives or sending it to a printer. Exabeam also enhances the effectiveness of other DLP products by providing risk context data back to them. For example, a company using DLP to quarantine email can accelerate the process and reduce “noise” with Exabeam risk context scores.
Privileged users, such as system or database administrators, have escalated access rights, and their accounts can be rich targets for hackers. Exabeam uses special analytics for privileged and shared accounts and can flag unusual behavior within both types. Privileged accounts typically receive higher risk scores than standard employee accounts.