
Introducing Exabeam SIEM: Cloud-native SIEM at Hyperscale

Webinar Transcript | Air Date November 15, 2022

Watch the Webinar | Read the Blog Post

Christopher:

Thank you for joining us, everybody, this morning. Let’s give it a few more minutes for folks to come into the meeting room and then we’ll begin.

Again, welcome, everybody, to the Exabeam Webinar series, Detecting the Undetectable. My name is Christopher. I’m a senior product marketing manager here at Exabeam. And with me is Rocky, one of our principal product managers. This morning we’d like you to be introduced to Exabeam SIEM. This is one of the products that we’ve introduced here in the last month and we’ll be talking about what Exabeam Security Information Event Management means, and give you a little bit of a demo at the end.

When we’re talking to customers, there are four things that we consistently hear they’re struggling with. First, that you’re in a position where you need to collect a lot of data, but not just data, but the right kind of data. Every security sensor, detection product, security tool, everything you’re bringing into your security stack is creating and driving the collection of more and more data, generating gigabytes, even terabytes of logs, creating two really important issues. One, this is driving up storage costs if you have to store this information for any length of time, and it’s making your SIEM product super expensive. Two, it’s making it harder for you to get to the right data to see a holistic picture of what’s happening in the environment.

We’ve talked about this since inception here at Exabeam. In today’s cyber landscape, the defender always has to know what they’re looking for. They might get a clue, maybe something from the EDR product sends an alert, then you have to run a series of manual investigation steps to get a full kind of scope and picture of what’s happening. You have to anticipate every possible scenario, which is just simply impossible. The issue is really around correlating and understanding what you have in the environment, but unfortunately, even the threats are buried in a sea of noise.

One example of this, we had a recent customer. They were looking at about 59,000 alerts that were missed. I’m like, “Wait a minute. How do you miss 59,000 alerts?” Well, it’s because it was buried in a billion security alerts that they were processing, so it’s less than one-hundredth of a percent of the alerts that they needed to see. They couldn’t see it because of all the noise. Finally, we’re relying on humans to do a lot of manual investigation processes. Everyone is going to do it in a different way. You can miss the big picture if you’re not understanding what the outcome is that you’re looking for. These are the cybersecurity realities that we’re sort of living with.

Now, how have we dealt with this in the past? One of those tools is your legacy SIEM. And if we think about legacy SIEMs, they weren’t really built for today’s environment. They were not designed really to look at the volumes of data sources we have today, the exposure points that we have today, the types of attacks that we’re seeing today, and it’s causing a lot of noise and you just don’t have the staff. We can’t hire enough people to sort of deal with these things. But if we step back a little bit in really understanding this problem, if you step back through time, generation one was back in the days of ArcSight and QRadar. It was all about alerts, getting logs, and correlating those things. The problem was with storage, putting all this information into relational databases, creating those correlations. They weren’t very efficient, this was very expensive, it was slow and it took a lot of horsepower.

It quickly spilled into generation number two, where Splunk joined the game. Splunk was very disruptive. They proved relational databases weren’t good for storage, so they used flat file databases, added indexing of all the alerts and logs and data points that were coming in. All the information was stored into their data platform. This gave you the ability to drill down a bit and it was transformational for the SIEM market at the time. However, it wasn’t really focused on security concerns. Splunk’s a data company and we didn’t have the lens, the foresight, the insight that you were really needing to deal with security problems.

If we look at the third generation, Exabeam sort of joined the game at this point. We started thinking about how do we look at all this data from a security point of view? We started adding things like behavioral analytics and automation to help deal with the security components of this. Securonix, Phantom, everybody kind of joined in this process. Well, today it’s about taking this to the next step. Again, fourth generation is about getting cloud-native hyperscale performance from your SIEM solutions. So this really can be described as a SIEM effectiveness gap. The fact that we’re not quite there yet, where we need to deal with all these different issues, but you need to start someplace.

And lucky for us, what I want to talk to you about is the multiple ways that you can get started with Exabeam, and very specifically, I’m going to talk about Exabeam SIEM this morning. But with Exabeam, you’re partnering with an innovator and a global leader in this space. 20% of the Fortune 1000 uses Exabeam. We’re a Visionary in our first year and have been a leader in the Gartner Magic Quadrant ever since. We’re also a Gartner Peer Insights Customer Choice vendor and a leader in the Forrester Wave for security analytics. I know our customers are coming from forward-thinking organizations from all around the world, all different kinds of industries, whether it’s finance, retail, manufacturing, healthcare, government, and more. Well, half of them are using our behavior analytics, but the other half are using our SIEM solutions.

Whether you’re one of the world’s leading airlines or a strong healthcare company, our customers are very healthy and fast-growing as a customer base and we’d like you to join this journey with us. The great part is we’re very modular. What we’ve introduced this year is a modular approach to understanding how to deal with all the security information within your environment. Whether it’s collecting that information from the very beginning with security log management or putting analytics on top of the information that you already have. We have a way of structuring a solution for you, where you don’t have to rip and replace every time you want to improve your security posture.

This morning, though, let’s talk very, very specifically, and what I’m going to do is I’m going to walk you through some of the features that we have within our SIEM application, and then Rocky’s going to show us how it really works in real life. We’ll get a demo of these capabilities. First, I know I need to throw a chart up to you guys. We’re talking about our Exabeam SIEM, but I wanted to have you see it in comparison to the entire portfolio. And we’ll get into the specific Exabeam SIEM features, including collectors, log stream, search, dashboards, correlation rules, and so on. I’m not going to go through all of these features, but I wanted to give you a good understanding of what comes in this product and other things that you might want to think about for the future, and which products might be appropriate for you at that time.

Let’s talk about the SIEM features. The first step is all about collection. The fuel for a SIEM is the data that you collect. We’ve created a very simple, unified approach to collecting data, whether it’s from your on-premise solutions, your cloud solutions and so on, and pulling that in through a centralized single interface. The Exabeam security operations platform, through data collection, has this interface and it covers on-premise, cloud, and context sources: collection from 200-plus on-premise products, 30-plus cloud-delivered security products, another 10-plus SaaS productivity applications, so we can make all those connections, and still more context from security and threat intelligence, and bringing that all into one place so that you can get everything that you need from your security stack to understand what’s happening in the environment.

The next step, once we collect all that information, is about processing and parsing all that information. We’ve created log stream. Log stream delivers a rapid log ingestion process at a sustained rate of over a million events per second. Again, a central console across all of Exabeam’s products to enable you to visualize, create, deploy, and monitor your parsers within this unified ingestion pipeline, for all of Exabeam’s products and features. As the data is ingested, this parsing uses upwards of 8,000 pre-built log parsers. So, we’ve done a lot of the work for you, and the data is enriched with context from open source and commercial threat intelligence feeds, so that you can see more than just what your data’s doing but how it pertains to the rest of the world.

The next kind of feature that is important here is, really, search. We collect the data, we parse the data, we understand kind of how it’s configured. We need to be able to search it. With a new centralized search application, we’ve created a simplified search experience with faster queries, instant results over large volumes of data and even years’ worth of data. When you think about this, if you’re thinking about the SIEMs that you’ve worked with in the past, a lot of times you’ve had to take data that you needed to store for regulatory compliance but offload that from the application because of performance. And we wanted to eliminate all the performance issues and gaps so that you can search not only data from two hours ago, but data from two years ago, and all within this centralized management experience. So, you get that visibility, you get that fast search regardless of the historical data and you can do so without a learning curve. You don’t have to have a PhD in a search language in order to build appropriate queries. We really utilize a point-and-click capability so that any field that is ingested is available to you within the interface. Makes it super easy.

Along with searching, it’s about taking that result and doing something with it. And we use dashboards for this function. You can print, export, and view data within a number of prebuilt dashboards, but also have the ability to create some of your own dashboards using 14 different chart types. Whether it’s compliance that you’re trying to get to, you can build these very powerful dashboards. I think Rocky’s going to show us some ways to take a look at that and, more importantly, be able to share this information outside of the application to people, non-users of the Exabeam platform. You’ll be able to get that information out to whoever needs to know about the security posture within your environment.

And the last thing that I want to talk about, just to give you a capability list here, is all about correlation rules. You’ll be able to compare incoming events with predefined relationships and entities to identify and escalate if you’re finding things in your environment. Write, test, publish, and monitor upwards of a thousand custom correlation rules really around the most critical business entities and assets within your environment and be able to define higher criticality with some context. And if something is happening in your environment, be able to trigger what the response is going to be. You get those detections, you have a very intuitive interface to help you do that, and it’s really, from a search kind of interface, one click to create a correlation rule. These are the big features and benefits that are important to understand about our Exabeam SIEM application.

I’m going to go ahead and turn it over to Rocky now to show us Exabeam SIEM in action.

Rocky:

Thanks very much, Chris. Let me go ahead and get mine brought up. Let me know if you guys can see my dashboard or my screen, I should say.

Christopher:

Yes, we can.

Rocky:

Awesome. Awesome. Well, hello, everyone. My name is Rocky Rashidi and I’m a principal product manager here at Exabeam, leading our Analytics and Detection. Today, I would like to talk to you guys about Exabeam’s latest offering, our hyperscale cloud-native SIEM solution, and I’ll be demoing that for you guys. As Chris mentioned, Exabeam delivers limitless scale to ingest, parse, store, search, and report on petabytes of data from anywhere. You can now bring data in at a million-plus EPS sustained across 500 IT security products and really leverage Exabeam SIEM to search and detect threats across petabytes of data.

For this demo, I’m a security analyst logging into Exabeam’s Next-Gen SIEM. Exabeam Next-Gen SIEM, amongst its many features, has a rich and interactive dashboard and visualization experience, which analysts can leverage as their starting point. It also focuses on really quick time to value and we offer a variety of out-of-the-box prebuilt dashboards that aim to present the most important pieces of information to the analyst to give them that starting point. Now, some of these dashboards include our active investigation dashboard, our case management overview, compromised credential, and correlation rule dashboard, just to name a few. I can also create custom dashboards on top of any data which I’m bringing into Exabeam Next-Gen SIEM. It allows building of highly interactive and beautiful visualizations, using some of the most popular visualizations such as a bar chart, heat map, map views, and pie charts, just to name a few.

Here, I have created a dashboard for myself called the IOC dashboard, IOC statistics. I’m trying to see, using this dashboard, what has been hitting me and any patterns that stick out to me. The dashboard visually gives me this information and it’s beautifully rendered for me to see an array of different visualizations. And to put that key information right in front of me so I can understand ultimately what is my next step, what do I need to do here if anything is off or things are sort of business as usual. I can see different types of IOCs over time. I can see notable trends in IOCs and also see my top five IOC IPs. Now, most of these should get blocked by my tools. However, I want to make sure, in case any do make it through and establish a [inaudible 00:19:15] connection, that I do get alerted. To do that, I will go ahead and pivot over to our Next-Gen search.

Our Next-Gen search is built with a brand new user experience, which does not require me to learn any new language just to run a simple query or create detections. And this is simple and has an easy-to-use click-and-query building experience that allows me to see the list of my vendors, the variety of fields that are available to me, and many of our new CIM 2.0 fields such as subject, so that I can quickly build my query, get my results, and be able to move on to the next step. And now, in addition to that, I can leverage any saved searches that are already created either by me or by others within my organization. Here, I want to look at any network connection that comes in. And you notice I’m putting in subject equals network. This is part of our common information model [inaudible 00:20:11] out that aggregates all logs from a multitude of different vendors that are coming into my environment and categorizes them under a subject called network, without me having to name these one by one. And I’m looking for any successful outcomes, any successful network connections.

Let’s go and search this over seven days of data. Now, we can see that the results come back within seconds and it’s getting rendered beautifully. As I said, I know that most of my attempts from various IPs are being blocked; however, I don’t want to manually go through this and try to look log by log to see if any of them are trying to access a large number of internal ports within my systems. What I really want is a way to create a rule that can correlate these network events, a port scan rule really, to see if any source IP is scanning any open ports from the outside. Now, I can see that I have the right logs, and from the looks of it I see that I have the right data that I need. I would need to know the source IP and also a destination port.

Let’s go ahead and now build a correlated detection on top of this result set. And to do that, I can easily click on the menu here and say convert to rule within a single click. Now, this brings me into my correlation rule authoring experience. The wizard will really take me step by step through the authoring experience and it’s meant to be an easy to understand, intuitive way to create correlative detections. Now that I have my query, it looks right to me. If I need to make any modifications, I can go ahead and do that here with the same familiar query building experience. I like the query, I’ve tested it, I’m going to click next to set the condition for this rule. I know a typical port scan. Typically, you’re accessing a large number of ports within a short period of time. So, I want to see if a single source IP is scanning more than 500 ports, let’s say, within five minutes. And our condition builder lets me build exactly what I want without really needing to know any specific syntax, while having validation and error checking built in.

I will go ahead and type in source IP here and I’m looking for the unique count. And here, we have encountered an invalid condition, so I will go ahead and actually change this field to make it valid. And the field we’re looking for is des port, destination port, and we set more than 500 within five minutes. All right, awesome. So, I’m going to go ahead and click next. We got our query and we know how we want the rule to trigger, or what condition it needs to trigger on. And let’s decide what we want to happen once the rule is triggered. A variety of different options are available to me. I can go ahead and generate a security alert if this is something that merits triaging. I can also create a case for someone to actually start an investigation on this, depending on what the rule is, and also send an email to a variety of different email addresses, up to 20 email addresses, in order to alert them of what has happened, in any combination of these and with the relevant information present within the email.

In this case, I’m going to say generate security alert so that my tier one can triage. Possible port scan rule. All right. Now, in the last step, I will go ahead and get this rule enabled. I will give it a name. I will assign a use case to it, I’ll call it brute force for now. I’ll set the threshold to medium and I’ll put a suppression threshold here of, let’s say, one hour. Now, the basics are there. Now, it’s also worth mentioning all the outcomes that you saw on the previous step, there’s really nothing for me to configure. Everything just works out of the box, the email, the alert generation, as well as the case creation. And I will go ahead and save this.

All right. We see that our rule is created, it’s enabled, and I’m seeing a variety of different information when I go to my rule list to see all the lists of my correlation rules that are created within my system. I can also see how many times they’re triggering. I can see the relevant use case, any severity level, and whether they’re enabled or not. Now, additionally, we offer a continuously updated library of pre-built correlation rules, targeting some of the most common and emerging threats so that our customers can quickly operationalize these needed detections without needing to invest and put in the time upfront. And this library is updated on a regular basis by our security and threat research team. Any user that would like to take advantage of this, all they got to do is go to the Exabeam template tab within the correlation application. You can view the details of all of these rules, look at what the query is, look at the condition that it’s triggered on. All you got to do is click on use. If needed, you could modify the query. You could also modify the condition if need be, assign your own outcome, and then create the rule and enable it. I’ll go ahead and cancel out of this.

I started my day by reviewing some IOC insights. From there, I did some [inaudible 00:26:04] and created a correlation rule. Now, once my rule fires, let’s look at what the triage experience looks like for our tier one analyst. For this, I’m going to go into alert and case management, which is one of our newest offerings within the SIEM package. What is alert and case management? It’s another component of our hyperscale cloud-native solution, expected to be that single experience where all triage and investigation takes place. Alerts or cases are created from correlation rules as well as any third party security alerts. They’re all in the single rich experience, which allows me to look at all the relevant information contained in the alert in order to determine the proper course of action.

We could see… Actually, let’s search here. Source, Exabeam correlation rule, and I will search for this. We currently have a rule which triggered here with the right severity. We could see a few different pieces of information at a top level. Within this page, you could see any source host, any destination host, obviously, some basic information like creation time, the alert type that we selected, which is the use case, as well as the severity and the alert source. Once I open the security alert… Did I click on the right one or the wrong one? I clicked on the wrong one. There we go.

Once I open the security alert, I’m presented with a host of information that I will walk you guys through. Obviously, the name of the alert shows up here, the source is Exabeam correlation rule, the severity that I selected gets propagated to the priority field, and also a description which tells me easily what this rule that actually fired is. A lot of times, the person who crafts the detection rules may not be the person who’s triaging it. So, very simply right off the bat, the analyst understands why this rule triggered: in this case, for the source IP 10.228.43.255, more than two unique values for the destination host and des port were observed within 20 minutes.

Now, of course I can edit any of these fields. I can go ahead and assign additional use cases to this alert. I can optionally escalate it to a case which would route it to the appropriate person within my team to conduct an investigation, as well as I could easily see… Well, let me go ahead and look at the events that were actually responsible for triggering this rule itself. I can simply click on that link, run a search, and what this would do is it would show me all the logs that ultimately were responsible for triggering this rule. Here, we can see the series of logs within this timeframe, within this 20-minute timeframe; there were four unique values for des port that matches our logic and exceeds the value that we put in within our correlation rule.

And of course, at this point, I can go ahead and manage this alert. As I said, one way is to create a case, the other one is to mark it as dismissed or mark it as read. Now, we’re very excited for this new offering from our amazing NextGen platform. It allows us to build these cloud native applications and deliver them at an incredible speed to our customers. We look forward to showcasing more of our Next-Gen capabilities with you guys in the near future, including our Next-Gen detection and analytics solution. Thank you very much.

Christopher:

Thank you, Rocky, as well. Again, if anyone has a question, I see some questions might have come into the chat or the question area, go ahead and do so and we’ll pause a moment and see what’s in there. Looks like there was a question, Rocky. Can we create useful reports such as MTTD or MTTR, mean time to detect, mean time to respond? How many incidents were open and closed, et cetera, in the case manager?

Rocky:

Great question. Our SIEM offering comes with our alert and case management application, which is different from our case management solution. Same set of capabilities; however, it is the next offering. This is sort of the evolution of where case manager will go towards and it’s available as a part of the SIEM package. Now, given this new capability that we have, we do have out-of-the-box dashboards that do focus on case management and a variety of metrics surrounding case management, such as the number of open cases. These all come out of the box: the number of cases that are new, in progress, and pending, as well as open cases by priority and open cases by queue. And also mean time to detect, mean time to remediate, those are also part of it as well, as well as mean time to [inaudible 00:31:14]. I hope that answers your question.

There, let me go ahead and repeat the question. We have customers requesting that we provide our healthcare security data [inaudible 00:32:16] program. I’m not understanding the question. If possible, get in contact with us. You can email me at [email protected] if you want to expand a little more on this question. I apologize, I’m not sure if I fully understand the question, but feel free to reach out at [email protected] and I’ll be more than happy to correspond with you and get an answer.

Christopher:

Fantastic. We’d like to thank everybody for joining us for today’s call. Hopefully, you found this new offering, Exabeam SIEM, as part of the larger portfolio, as exciting as we do. We will be doing future webinars, as Rocky had mentioned, about some of the other components within the portfolio as well, and we look forward to seeing you on one of those calls.
