Beyond Detection and Response: Hidden Benefits of Exabeam
When I ask our prospective customers why they are interested in UBA and Exabeam specifically, most have a common answer: they are looking to cash in on the promise of deriving usable intelligence out of the vast amounts of data they have spent time and money collecting. Organizations want increased visibility into the activities of users on their network to detect modern attacks and respond quickly. Solving these problems is at the center of what Exabeam was built to do; however, there are also some hidden benefits users receive simply by using the Exabeam platform. Many of these benefits center on finding logging quality issues, identifying changes in configurations, and augmenting stale or non-existent asset management information.
In many cases, organizations take a "set it and forget it" approach towards log collection, where a project is created to collect X logs from every Y system. Once the initial log collection effort is finished, these activities are rarely revisited or audited. Without regular reviews, the logging policies may become stale, and critical logs for detection and response might be lost. Ongoing configuration of log collection for new assets is often an afterthought. Organizations struggle to ensure new assets that enter an environment are configured to log critical data, which can lead to significant gaps in visibility. Other scenarios that result in logging gaps occur when network changes are made, systems go down, or their logging services are interrupted.
All of the above logging issues can cause severe headaches for your security team when the critical logs they need are not available when they need them most. Deploying Exabeam can help organizations close some of these major logging gaps and ensure the security team has the data they need to effectively detect and respond to threats.
The first way Exabeam can solve this is by leveraging Exabeam's system Health Checks. Exabeam can analyze log data to ensure that critical servers that were reporting data during the last hour are still reporting data now. Exabeam can also take a more granular approach by analyzing the individual log events themselves. This level of granularity can be very helpful when trying to identify which of your domain controllers have incorrect audit policies and are only logging failed logins.
The second way Exabeam can help ties directly to Exabeam's User Session Data Model. Since Exabeam stitches all log events together into a single timeline per user, it is very easy for security analysts to view these timelines and validate that all of their actions are being logged. Security analysts don't have time to sift through all the raw log events to ensure their daily actions are being logged completely, a process which could take hours. With Exabeam this can be accomplished in a matter of minutes.
A final benefit our users enjoy relates to asset management and helping SOC analysts cut down the time it takes to add user context to assets. SOC analysts are challenged with identifying what an asset is and who owns it. Many security tools in an environment will trigger alerts and only provide the context of the asset involved. It is up to the analyst to figure out the user context related to this asset. Asset databases are difficult to keep up to date, especially in the era of BYOD. Analysts are left relying on their tribal knowledge of their environment and system naming conventions to determine who owns an asset and what its function is.
By simply modeling the authentication logs, Exabeam can map user logins to assets. These assets do not have to be known or tracked in an asset DB; they just need to be present in the logs. Once the data is modeled, Exabeam provides a list of every user and group that has logged into any given asset. In a matter of seconds, security analysts have a starting point for understanding who might own an asset. The security team can easily see who logs into the asset the most, and can get that user's contact information with one click. Analysts can also begin to form an understanding of whether the asset is a workstation or a server based on the number of different users logging in. Having the ability to quickly identify the user context behind an asset can ensure that analysts are more accurate and efficient in their response.
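The two checks described above, a log-source health check that flags systems which reported last hour but not this hour (plus domain controllers whose audit policy only yields failed logons), and the asset-to-user mapping built from successful authentication events, can be sketched in a few dozen lines. The following is an added example written for this post and is not Exabeam code or a description of how Exabeam implements these features; the pipe-delimited log format, the host and user names, the one-hour window and the "three or more distinct users means server" threshold are all constructed assumptions. Event IDs 4624 and 4625 are the standard Windows Security successful and failed logon events.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "timestamp|reporting_host|event_id|user|asset".
# reporting_host is the system that emitted the event (here a domain
# controller); asset is the host the user logged into. 4624 = successful
# logon, 4625 = failed logon (standard Windows Security event IDs).
SAMPLE_LOGS = """\
2024-03-01T09:05:00|DC01|4624|alice|WS-ALICE
2024-03-01T09:10:00|DC01|4624|bob|FS01
2024-03-01T09:12:00|DC01|4625|carol|FS01
2024-03-01T09:20:00|DC02|4625|dave|WS-DAVE
2024-03-01T09:25:00|DC02|4625|erin|FS01
2024-03-01T09:30:00|DC03|4624|frank|FS01
2024-03-01T09:40:00|DC01|4624|alice|WS-ALICE
2024-03-01T10:05:00|DC01|4624|alice|FS01
2024-03-01T10:15:00|DC01|4624|bob|FS01
2024-03-01T10:20:00|DC02|4625|grace|FS01
2024-03-01T10:30:00|DC01|4624|alice|WS-ALICE
2024-03-01T10:45:00|DC01|4624|heidi|FS01
"""

# Constructed "current time" for the health check below.
AS_OF = datetime(2024, 3, 1, 11, 0, 0)

SUCCESS, FAILURE = "4624", "4625"


def parse_logs(text):
    """Parse the constructed pipe-delimited format into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event_id, user, asset = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "event_id": event_id,
            "user": user,
            "asset": asset,
        })
    return events


def stale_sources(events, now, window=timedelta(hours=1)):
    """Reporting hosts seen in the previous window but silent in the current one.

    This is the hour-over-hour health check: a host that was sending events
    and has stopped is a likely collection agent or service failure.
    """
    current = {e["host"] for e in events if now - window <= e["ts"] < now}
    previous = {e["host"] for e in events
                if now - 2 * window <= e["ts"] < now - window}
    return previous - current


def failure_only_sources(events):
    """Reporting hosts that emit failed logons but never a successful one.

    A domain controller that only ever reports 4625 is a sign that success
    auditing is not enabled in its audit policy.
    """
    ids_by_host = defaultdict(set)
    for e in events:
        ids_by_host[e["host"]].add(e["event_id"])
    return {h for h, ids in ids_by_host.items()
            if FAILURE in ids and SUCCESS not in ids}


def asset_user_context(events, server_threshold=3):
    """Per asset: successful-logon count per user, the most frequent user,
    and a workstation/server guess from the number of distinct users.

    The threshold is a heuristic: shared hosts attract many distinct
    accounts, a personal workstation usually one or two.
    """
    logons = defaultdict(Counter)
    for e in events:
        if e["event_id"] == SUCCESS:
            logons[e["asset"]][e["user"]] += 1
    context = {}
    for asset, users in logons.items():
        top_user, _ = users.most_common(1)[0]
        context[asset] = {
            "users": dict(users),
            "top_user": top_user,
            "distinct_users": len(users),
            "kind": "server" if len(users) >= server_threshold else "workstation",
        }
    return context


if __name__ == "__main__":
    evts = parse_logs(SAMPLE_LOGS)
    print("Stopped reporting in the last hour:", sorted(stale_sources(evts, AS_OF)))
    print("Failed-logon-only sources:", sorted(failure_only_sources(evts)))
    for asset, ctx in asset_user_context(evts).items():
        print(asset, ctx["kind"], "top user:", ctx["top_user"], ctx["users"])
```

On the constructed data, DC03 reported between 09:00 and 10:00 but not between 10:00 and 11:00, so it is flagged as silent; DC02 only ever reports 4625, so it is flagged as a failure-only source; FS01 has four distinct successful users and is classified as a server with `bob` as its most frequent user, while WS-ALICE has a single user and is classified as a workstation. Hosts that appear only in failed logons (WS-DAVE here) get no ownership guess, since a failed attempt says nothing about who actually uses the machine.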
In my short time at Exabeam, my customers have realized these hidden benefits of Exabeam to help ensure the effectiveness and completeness of their logging efforts. Here are a few examples:
Shortly after installing Exabeam, Company A's security analysts were reviewing their session timelines to validate completeness. The analysts noticed some significant gaps in their activity. After confirming that there were no logs for this activity in the SIEM, Company A confirmed that they were missing a log collection agent on one of the most trafficked Domain Controllers in their environment.
During the initial configuration of Exabeam, it was discovered that only local logons were being logged. Company B's policies for logging successful Kerberos and NTLM authentications were not in place. The limited logging policies in place severely restricted their visibility into what users were doing on their network.
Another popular benefit of the Exabeam platform is providing visibility into network configuration changes without needing logs from the devices being changed. At Company C, Exabeam detected multiple similar anomalies for a group of users on the same network subnet. After investigating these events, it was determined that a network change had been made in which all workstations were put behind a single NAT'd IP. Changes like this happen all the time and are not known to the security group until something appears to be going wrong and the change impacts an investigation. In this scenario, Exabeam was the only tool to give Company C insight into the fact that a change had been made to the network, simply by analyzing logs from the Domain Controllers.
These are just a few of the many scenarios in which I have seen our customers benefit beyond Exabeam’s detection, hunting and response capabilities. It might be time for your organization to test Exabeam to find out what hidden benefits you can discover.
About the Blogger
Andy Skrei, a Solutions Architect at Exabeam, previously worked as a Lead Security Engineer at eBay developing and deploying technologies for their global SOC. Prior to eBay he was a manager at KPMG, helping major companies increase security maturity and reduce risk.