Behavior Analytics | Exabeam

Behavior Analytics

Together, Exabeam Advanced Analytics and Exabeam Entity Analytics form a UEBA solution that leverages behavioral analytics for modern threat detection and investigation.


Complex threat identification using behavioral analysis

Cyberattacks are becoming more complex and harder to detect. Analysts often can’t find attacks using correlation rules because they lack context or cannot set up rules for incidents they’ve never seen, generating false negatives. Correlation rules also require significant maintenance. Advanced Analytics and Entity Analytics take a user and entity behavior analytics (UEBA) approach to threat detection, automatically identifying the anomalous behaviors indicative of a threat. They also fully integrate with the Exabeam Threat Intelligence Service and third-party threat intelligence services to provide real-time, actionable intelligence into potential threats in your environment by uncovering indicators of compromise (IOCs) and malicious hosts.

Pre-built timelines automatically reconstruct security incidents

An analyst’s time is precious. Using legacy tools, it can take days or weeks to manually construct an incident timeline. Our behavior analytics provide a machine-built incident timeline for every user and entity, including IoT devices and cloud storage objects. Anomalies are flagged, and details of the incident and its context are displayed, including data insight models that explain how our algorithms determined something was abnormal. What took significant time to investigate in a legacy SIEM now takes minutes, making security teams more productive and investigations more methodical.

Extend behavioral analytics to cloud storage objects

Organizations are moving their data to the cloud to leverage the scalability, security, and performance of an object storage service. But cloud data storage has been the root of many breaches, because configuration blunders go undetected and easily expose sensitive data. Exabeam uses behavior analytics to log activity from cloud storage objects in multi-cloud environments—namely Amazon S3, Azure Blobs, and Google Cloud Platform Cloud Storage buckets—to provide organizations complete visibility into their cloud storage activity and any databases unintentionally exposed to the internet. Our solution then builds behavioral models to detect malicious user activity, like inappropriate access, to prevent compromise or exfiltration of sensitive data stored in the cloud.

Align detection to the MITRE ATT&CK framework

Inconsistent taxonomies across analysts and tools make collaboration during threat detection and investigation needlessly complicated. The MITRE ATT&CK framework solves this problem by giving analysts a common vocabulary for describing attacker tactics and techniques. Our behavior analytics solutions map Exabeam detection methods and event labels to the MITRE ATT&CK framework, allowing security analysts to view and filter MITRE techniques within Exabeam Smart Timelines™. Analysts can mouse over a label to see a pop-up description of that technique, or click on it to open the MITRE webpage for a more detailed description.

Dynamic Peer Grouping

User behavior patterns often differ based on attributes such as the team the user is on, the projects they are involved in, and where they are located. To provide an additional layer of detection, Dynamic Peer Grouping uses machine learning to assign users to groups based on their behavior, and then cross-references each user’s activity against that of their groups to identify anomalous, risky behavior. Dynamic Peer Grouping gives an analytics solution additional criteria against which to analyze user behavior, which in turn yields more accurate analytics. The result of effective peer grouping is better detection, in terms of both fewer false positives and fewer false negatives.
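To make the peer-grouping idea concrete, the following is an added example (not Exabeam’s code, feature set or algorithm): users are clustered into peer groups from the mix of resource categories they touch, a per-group baseline of daily access counts is built, and a user’s day is then scored against the peer group rather than only against that user’s own history. The history, category names, the small k-means, and the z-score threshold are all constructed for the illustration.

```python
"""Peer-group anomaly scoring over constructed access logs (added example)."""
import math

# Resource categories making up a user's behavioural fingerprint (constructed).
CATEGORIES = ["hr_db", "src_repo", "finance_share", "vpn"]

# Constructed history: per user, one dict of daily access counts per day.
HISTORY = {
    "alice": [{"src_repo": 9, "vpn": 1}, {"src_repo": 11, "vpn": 2}, {"src_repo": 10, "vpn": 1}],
    "bob":   [{"src_repo": 8, "vpn": 1}, {"src_repo": 12, "vpn": 1}, {"src_repo": 9, "vpn": 2}],
    "carol": [{"src_repo": 10, "vpn": 2}, {"src_repo": 11, "vpn": 1}, {"src_repo": 10, "vpn": 1}],
    "dave":  [{"hr_db": 7, "vpn": 1, "finance_share": 1}, {"hr_db": 8, "vpn": 1, "finance_share": 2},
              {"hr_db": 6, "vpn": 1, "finance_share": 1}],
    "erin":  [{"hr_db": 9, "vpn": 1, "finance_share": 2}, {"hr_db": 7, "vpn": 2, "finance_share": 1},
              {"hr_db": 8, "vpn": 1, "finance_share": 1}],
}


def feature_vector(days):
    """Fraction of a user's total accesses that fell into each category."""
    totals = [sum(d.get(c, 0) for d in days) for c in CATEGORIES]
    grand = sum(totals) or 1
    return [t / grand for t in totals]


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def peer_groups(history, k=2, iterations=20):
    """Assign users to k peer groups with a small k-means over their feature vectors.

    Initial centroids are picked deterministically (first user by name, then the
    user farthest from the centroids chosen so far) so the run is reproducible.
    """
    vectors = {u: feature_vector(d) for u, d in sorted(history.items())}
    users = list(vectors)
    centroids = [vectors[users[0]]]
    while len(centroids) < k:
        far = max(users, key=lambda u: min(_dist(vectors[u], c) for c in centroids))
        centroids.append(vectors[far])
    assignment = {}
    for _ in range(iterations):
        new_assignment = {u: min(range(k), key=lambda i: _dist(vectors[u], centroids[i]))
                          for u in users}
        if new_assignment == assignment:
            break
        assignment = new_assignment
        for i in range(k):
            members = [vectors[u] for u in users if assignment[u] == i]
            if members:  # keep the previous centroid if a cluster empties out
                centroids[i] = [sum(col) / len(members) for col in zip(*members)]
    return assignment


def peer_baseline(history, groups):
    """Per (group, category): mean and population std-dev of daily counts over all members."""
    samples = {}
    for user, days in history.items():
        for day in days:
            for c in CATEGORIES:
                samples.setdefault((groups[user], c), []).append(day.get(c, 0))
    baseline = {}
    for key, vals in samples.items():
        mean = sum(vals) / len(vals)
        std = math.sqrt(sum((v - mean) ** 2 for v in vals) / len(vals))
        baseline[key] = (mean, std)
    return baseline


def score_day(user, today, groups, baseline, std_floor=1.0):
    """Z-score of today's count per category against the user's peer group.

    std_floor keeps a category the group never touches from dividing by zero;
    any access there then scores as count / std_floor.
    """
    g = groups[user]
    return {c: (today.get(c, 0) - baseline[(g, c)][0]) / max(baseline[(g, c)][1], std_floor)
            for c in CATEGORIES}


def flag_anomalies(user, today, history=HISTORY, threshold=3.0):
    """Categories where today's activity is far above the peer group's baseline."""
    groups = peer_groups(history)
    baseline = peer_baseline(history, groups)
    scores = score_day(user, today, groups, baseline)
    return {c: round(z, 2) for c, z in scores.items() if z >= threshold}


if __name__ == "__main__":
    observed = {"src_repo": 10, "vpn": 1, "finance_share": 12}  # constructed observation
    print(peer_groups(HISTORY))
    print(flag_anomalies("alice", observed))
```

Scoring against the group is what separates this from a per-user baseline: alice’s source-repository volume is ordinary for her engineering peers, but a burst of finance-share access is flagged because nobody in her peer group touches that resource. The std_floor is a tuning choice; too small a floor makes any first-time access to an unused category look extreme, too large a floor hides real deviations.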

Lateral movement

Lateral movement is a method attackers use to move through a network by changing IP addresses, credentials, and machines in search of high-value data or assets. Tracking this activity is difficult, because data must be analyzed from everywhere and logs are often incomplete. Advanced Analytics and Entity Analytics allow security teams to see an attacker’s movement by using patented host-IP-user mapping to fill in the log gaps and attribute all activity to users and devices. Lateral movement tracking reduces the risk of a breach by improving SOC teams’ ability to detect advanced threats, even when the attacker changes IPs, credentials, or devices during the course of the attack.

Asset ownership association

One part of performing a security investigation is the manual process of determining who owns or regularly uses the devices involved in an incident, which is incredibly time-intensive for security teams. Exabeam’s patented host-IP-user mapping lets analysts determine the owner of a device easily and efficiently, based on users’ behavior and interactions with it.
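The two paragraphs above both rest on host-IP-user mapping. The following added example (not Exabeam’s patented implementation; the log formats, hostnames, addresses and times are constructed) shows the general shape of such a mapping: DHCP lease events give an IP-to-host assignment at a point in time, interactive logon events give a host-to-user assignment, and events that carry only a source IP are resolved through both so that a per-user timeline can be assembled even when the address moves between machines. A simple most-frequent-logon rule stands in for asset ownership.

```python
"""Host-IP-user mapping over constructed log events (added example)."""
from bisect import bisect_right
from collections import Counter, defaultdict
from datetime import datetime

# Constructed DHCP lease events: (timestamp, ip, hostname).
DHCP_LEASES = [
    ("2024-03-01T08:00:00", "10.1.1.20", "ws-alice"),
    ("2024-03-01T09:30:00", "10.1.1.21", "ws-bob"),
    ("2024-03-01T13:00:00", "10.1.1.20", "ws-carol"),   # the address moved to another machine
]
# Constructed interactive logon events: (timestamp, hostname, user).
LOGONS = [
    ("2024-03-01T08:05:00", "ws-alice", "alice"),
    ("2024-03-01T09:35:00", "ws-bob", "bob"),
    ("2024-03-01T13:02:00", "ws-carol", "carol"),
    ("2024-03-01T14:00:00", "ws-bob", "alice"),         # alice logs on to bob's workstation
    ("2024-03-01T16:00:00", "ws-bob", "bob"),
]
# Constructed events that carry only a source IP (e.g. proxy or firewall): (timestamp, ip, action).
IP_ONLY_EVENTS = [
    ("2024-03-01T08:30:00", "10.1.1.20", "share-access"),
    ("2024-03-01T13:15:00", "10.1.1.20", "share-access"),
    ("2024-03-01T14:10:00", "10.1.1.21", "admin-tool"),
    ("2024-03-01T07:00:00", "10.1.1.99", "share-access"),  # no lease known for this address
]


def _ts(s):
    return datetime.fromisoformat(s)


class StateIndex:
    """Point-in-time lookup: for a key, the value set by the latest event at or before t."""

    def __init__(self, events):  # events: iterable of (timestamp, key, value)
        self._by_key = defaultdict(list)
        for ts, key, val in sorted(events, key=lambda e: e[0]):
            self._by_key[key].append((_ts(ts), val))

    def lookup(self, key, ts):
        entries = self._by_key.get(key, [])
        times = [t for t, _ in entries]
        i = bisect_right(times, _ts(ts))
        return entries[i - 1][1] if i else None


def attribute_events(ip_events, leases=DHCP_LEASES, logons=LOGONS):
    """Resolve IP -> host -> user for each event, leaving None where no mapping exists."""
    ip_to_host = StateIndex(leases)
    host_to_user = StateIndex(logons)
    out = []
    for ts, ip, action in sorted(ip_events, key=lambda e: e[0]):
        host = ip_to_host.lookup(ip, ts)
        user = host_to_user.lookup(host, ts) if host else None
        out.append({"time": ts, "ip": ip, "host": host, "user": user, "action": action})
    return out


def timeline_for(user, ip_events=IP_ONLY_EVENTS):
    """All IP-only events attributed to one user, across whatever hosts and IPs they used."""
    return [e for e in attribute_events(ip_events) if e["user"] == user]


def likely_owner(host, logons=LOGONS):
    """Asset ownership heuristic: the user who logs on to the host most often."""
    counts = Counter(user for _, h, user in logons if h == host)
    return counts.most_common(1)[0][0] if counts else None


if __name__ == "__main__":
    for event in attribute_events(IP_ONLY_EVENTS):
        print(event)
    print("alice's timeline:", timeline_for("alice"))
    print("owner of ws-bob:", likely_owner("ws-bob"))
```

Two details matter in practice. First, the lookup uses the latest lease or logon at or before the event; without lease expiry and logoff events in the index, a stale mapping can attribute traffic to the wrong host or user, so the unresolved case (the 10.1.1.99 event here) should stay visibly unattributed rather than being guessed. Second, the same address appears in alice’s and carol’s timelines on the same day, which is exactly the kind of reassignment that breaks IP-keyed correlation rules and that the mapping is meant to absorb.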
