Modern Technology for Security Intelligence
The Exabeam platform is designed to provide security intelligence in a modern, flexible package that fits within any enterprise’s architecture. Here are a few notable features:
The Exabeam platform architecture benefits from modern technologies, as well as our many decades of experience building commercial security solutions. The first platform component was our leading User and Entity Behavior Analytics product, and unlike many competitive products, Exabeam UEBA is not a legacy identity management or professional services toolkit that has been repurposed. The product was designed from day one to completely support behavioral analytics and to be deployed very quickly, without expensive service projects.
Next, one of the most common frustrations of enterprise software is waiting for the vendor to provide a new release that includes the features that a customer requires. Exabeam was specifically designed to be extended via content, not code. This means that the product can be extended – with new data sources, new models, new use cases, etc. – simply via content updates. In practice, this separation between underlying platform components and application functionality means that customers can modify their Exabeam systems significantly, in very little time and without waiting for a patch.
Finally, Exabeam was designed for very flexible deployment. A customer might initially deploy on a single physical appliance because it’s easier to procure, then add multiple VMs on premise or in the cloud. The architecture supports this level of scale-out, across data centers and clouds, without losing the ability to deploy and get running in hours.
At the heart of Exabeam’s platform is a new data structure: the stateful session.
The stateful session object stitches together all events for each user, from session initiation to termination, and ties these to a user even if she changes accounts, changes devices, or changes IPs. Without this linking, analysts would have significant blind spots. Consider this example: An employee, Barbara Salazar, is planning to resign and to sell confidential customer data to a competitor. She logs into the network via her workstation using her Windows domain ID, bsalazar. Later, she remotely accesses a Unix database server with a shared admin account DB_ADMIN, and copies the customer records to a local file. She then switches back to her domain account and continues her normal work. This session includes different machines, different IP addresses, and multiple and semantically-unrelated account credentials. It is difficult to connect these simply by looking at the related event logs – the behavior isn’t obvious.
In contrast, the stateful session object contains each of these events, and others as well. They are all tied to Barbara’s identity, and arranged by time. The session contains metadata such as “user switched accounts,” and baseline data such as “user accessed the customer database for the first time.” As you can see, the stateful session is quite powerful.
It contains not only the information needed for an incident investigation, but also queryable metadata. For example, an Exabeam analyst can search for “all sessions where someone accessed a server for the first time and also came in from the VPN from a country for the first time and also generated alerts from our DLP system.” This doesn’t require knowledge of the underlying SIEM search language, nor understanding of the event layouts. As a result, session data objects enable questions and analytics at a different level.
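To make the stateful-session idea concrete, here is an added example (written for this page, not Exabeam's own implementation) that stitches Barbara's events from the scenario above into one session, records the metadata flags, and answers a flag-based query; the event tuples, the prior-access baseline and the attribution heuristic (a remote-access event binds later activity on the target host under the target account to the originating user) are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Session:
    user: str
    events: list = field(default_factory=list)
    flags: set = field(default_factory=set)   # queryable metadata such as "account_switch"

# Constructed sample events: (time, host, account, action, detail). Not real logs.
EVENTS = [
    (1, "ws-042", "bsalazar", "logon", ""),
    (2, "ws-042", "bsalazar", "remote_access", "db-unix-01:DB_ADMIN"),
    (3, "db-unix-01", "DB_ADMIN", "db_query", "customers"),
    (4, "db-unix-01", "DB_ADMIN", "file_copy", "/home/dbadmin/cust.csv"),
    (5, "ws-042", "bsalazar", "app_access", "mail"),
    (6, "ws-042", "bsalazar", "logoff", ""),
]
# Constructed baseline: assets each user has been seen on before this session.
BASELINE = {"bsalazar": {"ws-042"}}

def stitch(events, baseline):
    """Group events into per-user stateful sessions.
    Assumed heuristic (not Exabeam's algorithm): a logon opens the user's session;
    a remote_access event whose detail is 'host:account' attributes later events on
    that host under that account to the same user until the user logs off."""
    open_sessions = {}   # user -> Session
    alias = {}           # (host, account) -> user who owns that activity
    closed = []
    for _, host, account, action, detail in sorted(events):
        user = alias.get((host, account), account)
        if action == "logon":
            open_sessions[user] = Session(user)
        s = open_sessions.get(user)
        if s is None:
            continue     # no open session to attribute this event to
        s.events.append((host, account, action, detail))
        if action == "remote_access":
            target, target_acct = detail.split(":")
            alias[(target, target_acct)] = user
            if target_acct != user:
                s.flags.add("account_switch")
        if host not in baseline.get(user, set()):
            s.flags.add("first_asset_access")   # "accessed this asset for the first time"
        if action == "logoff":
            closed.append(open_sessions.pop(user))
    return closed

def query(sessions, *required_flags):
    """Return sessions carrying every requested metadata flag, no raw-log search needed."""
    return [s for s in sessions if set(required_flags) <= s.flags]
```

Running `query(stitch(EVENTS, BASELINE), "account_switch", "first_asset_access")` returns the single session holding all six events, including the DB_ADMIN activity on the database server.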
Data science is at the heart of any behavioral analytics system, including Exabeam. While we have found that a pure anomaly-based approach does not work well in the real world, the platform has significant machine learning and statistical modeling capabilities – informed and enhanced by security research.
A well-tuned statistical analysis system is fundamental to the Exabeam UEBA product. Our security researchers define a collection of more than a hundred statistical indicators for users, assets, peer groups, applications, network locations etc. Anomalies are triggered based on a statistical model and given expert-assigned risk scores, which encode critically-important security knowledge. Without this knowledge, any pure anomaly-based detection system based on unsupervised learning will suffer from a high false positive rate, rendering it impractical for field deployment. Combining expert knowledge and data analytics increases ease of use for analysts of all levels. Neither a purely expert-driven system nor a purely data-driven approach, this hybrid method has proven to work well in production.
Exabeam flags risky activity using advanced statistical analysis with baseline profiling for deviation measurement. Analysis is based on categorical data, numerical data, and contextual information. Categorical data includes events that fall into specific quantifiable categories, such as the number of logons for a user from a specific country. Numerical data—such as number of assets accessed, duration of a user session, and time of day—is processed using real-time unsupervised clustering for discretization. Contextual information provides additional insight, such as whether an asset is a workstation or server; whether an account is a human or service account; or whether a device belongs to a privileged user. Context is estimated by multiple machine learning methods and helps calibrate and sharpen alerts. Exabeam's techniques also extend this analysis to broader monitoring, such as cloud access, file-level access, database table access, and application log monitoring. As data science and security threats evolve, the Exabeam platform architecture supports new data science techniques to meet new security challenges.
While data science is very powerful, it cannot be fully effective within the security domain on its own. For example, the definition of ‘malicious behavior’ is broad; data science can’t necessarily detect this in a vacuum. Security research can add great value here. Good security researchers know how to extract useful information from event logs and will know the meaning of many event types, as well as which ones are not worth tracking. Codifying this knowledge as additional contextual rules within the product makes Exabeam data science that much more effective.
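As an added example of the hybrid approach described above (illustrative code written for this page, not Exabeam's models or content), the following builds a categorical baseline for one indicator, logon country, per user and per peer group, and only turns a deviation into risk through an expert-assigned score table; the warm-up size, the rarity threshold, the indicator names and the point values are assumptions.

```python
from collections import Counter

# Constructed expert rule table (an assumption, not Exabeam's content): indicator -> risk points.
RISK_SCORES = {
    "first_country_for_user": 20,
    "first_country_for_peer_group": 15,
    "rare_country_for_user": 10,
}

class CategoricalProfile:
    """Baseline histogram of one attribute's values for one entity (user or peer group)."""
    def __init__(self, warmup=20):
        self.counts = Counter()
        self.warmup = warmup          # observations needed before the baseline is trusted
    def total(self):
        return sum(self.counts.values())
    def converged(self):
        return self.total() >= self.warmup
    def observe(self, value):
        self.counts[value] += 1
    def probability(self, value):
        return self.counts[value] / self.total() if self.total() else 0.0

def score_logon(user_profile, peer_profile, country, rare_threshold=0.05):
    """Return (risk, triggered indicators) for one logon, then fold it into the baselines.
    A statistical deviation alone carries no risk; only indicators in RISK_SCORES add points."""
    triggered = []
    if user_profile.converged():              # an unconverged baseline would flag everything
        p = user_profile.probability(country)
        if p == 0.0:
            triggered.append("first_country_for_user")
            if peer_profile.converged() and peer_profile.probability(country) == 0.0:
                triggered.append("first_country_for_peer_group")
        elif p < rare_threshold:
            triggered.append("rare_country_for_user")
    user_profile.observe(country)
    peer_profile.observe(country)
    return sum(RISK_SCORES[i] for i in triggered), triggered

def demo():
    """Constructed history: 30 US logons for the user; peers have also seen DE but never BR."""
    user, peers = CategoricalProfile(), CategoricalProfile()
    for _ in range(30):
        score_logon(user, peers, "US")
    for _ in range(5):
        peers.observe("DE")
    # A first DE logon is new for the user but known to peers; BR is new for both.
    return score_logon(user, peers, "DE"), score_logon(user, peers, "BR")
```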
Open Source Big Data
In recent years, open source data management technologies have advanced rapidly, and are scalable and reliable enough for any production use. Where legacy SIEM vendors were required to create their own proprietary data collection and search solutions, Exabeam is able to leverage the massive advances in open source systems such as Hadoop and Elasticsearch for our log management solution.
Hadoop offers proven technologies for analytics at scale, including HDFS. The Elastic Stack is better suited than Hadoop for time series data, i.e. the typical security event log record. Both are missing certain pieces that enterprise deployments require. Exabeam uses the most suitable components from each ecosystem and has integrated them with management features such as remote deployment for agents, remote start/stop, and remote update. As a result, our customers enjoy a modern data management system with proven technology and enterprise-class management, in a fully-supported commercial package.