Webinar - Not all SIEMs are Created Equal - Exabeam

Not all SIEMs are Created Equal

Webinar Transcript | Air Date April 11, 2023


Jeannie Warner (00:04):

Thank you for joining. We will get the webinar started momentarily. Good morning, afternoon, or evening, wherever you happen to be when you’re watching our webcast. We will be starting in just a minute, but I wanted to cover some housekeeping information first. Today’s webinar is being recorded and we will email you the link to the recording after the live event. Secondly, we’re going to have a Q and A session at the end of the webinar, so please go ahead and submit any questions you have as we’re chatting in the webinar sidebar. You’re welcome to ask them as we go. But due to technology, I may or may not see them until the end, but we will review them. And if we can’t get to every single question asked, we will follow up via email in the responses directly to everybody answering those questions. So thank you. We will start momentarily.


Welcome to our webinar, Building an Insider Threat Team, and Not All SIEMs Are Created Equal. I’m Jeannie Warner, director of Product Marketing here at Exabeam, and I’m joined by the delightful and knowledgeable Vlad Babiuk, manager of Market Intelligence. Let me tell you a little bit about who we are. I’ve been in security for over 20 years in infrastructure, operations, and security. I started out my career in a NOC, and then in the trenches of a SOC, one of the first that was ever built. That was IBM back in 2001. So nine years, multiple hats later, I left to wander through technical product management, security program management, and a variety of security companies from Microsoft, Symantec, Fortinet, time at AppSec through WhiteHat and Synopsys. I was a global SOC manager for Dimension Data, building out their multiple-SOC global approach. So my background is very much about security, analytics, forensic investigation, and incident response, and recently a whole lot of marketing. Vlad, can you tell us about yourself?

Vlad Babiuk (02:17):

Yes. Perfect. Thank you, Jeannie. A little bit about myself. I started my career in the Canadian Forces. I originally occupied a couple of different roles. First in signals intelligence, I did a little bit of security investigation as well, working in a SOC. I then later on got an opportunity to work at Deloitte, where I principally focused on doing threat intelligence and on providing some consulting work as well. And then I spent a couple of years working at financial institutions here in Canada, CIBC predominantly, as well as BMO, as product manager around UEBA. Afterwards I got a chance to work at Devo where, once again, I was product manager working under the security operations offering, and finally here as market intelligence at Exabeam.

Jeannie Warner (03:04):

Perfect. So kind of our summary is that Vlad and I have both been tool users, tool choosers, and now we’re here to kind of talk about both security operations and tools, most particularly SIEMs. So as we get through this, we’re gonna talk a little bit about the greatest hits of 2022. I mean, I know you have your favorite, Vlad. We are frequently back and forth about, hey, did you see that hack again? We’re gonna talk about what transactions your security teams need to see. Then Vlad’s gonna dive really deep into the market and the tools of the trade. I’m gonna do a little bit more on the human part of the team, and then we’re gonna cooperate on pulling it all together. <Laugh>. Sound good? The fun part last year was kind of exciting with a lot of the ways that people were attacking with ransomware. Oh gosh, that was big. As near as I can tell, Vlad, wasn’t it basically everybody was saying they were seeing ransomware? When is this service out there?

Vlad Babiuk (04:02):

Stop. Stop. It just never ended. And they’re increasing as well. They’re becoming more complex as well, which is another thing that people don’t realize is that the complexity is also changing. Definitely.

Jeannie Warner (04:12):

Yeah. I always thought of RaaS as robots as a service, but now finding out there’s ransomware as a service, it’s pretty impressive. We all have, that’s true, individual horror stories about how it can be attacked. But something new that I saw last week, well, last year, was LastPass getting hacked. What are your thoughts on all the password keeper and VPN hacks?

Vlad Babiuk (04:35):

Yeah, that’s definitely gonna be an increasing thing. Because you’re assuring yourself that the tool is gonna provide everything, that it’s gonna safeguard everything, but eventually the tools that are supposed to safeguard are also being compromised. You’re kind of worried about what the next steps are for you to make sure that you can protect all your information as well. I do expect this to continue increasing, and also the complexity around how it’s done, and how easy it is for the attackers to be able to find the right tools in order to do so, as we’re going more towards the automation side and things like this.

Jeannie Warner (05:10):

Oh, I agree entirely. I mean, the minute we all started working remotely due to covid, we started seeing, you know, all of the virtual desktop environments being attacked. We started seeing VPNs being attacked. So that’s only gonna go on as people discover that if they attack the very security tools themselves, everything is gonna be vulnerable sooner or later.

Vlad Babiuk (05:30):


Jeannie Warner (05:31):

A big one we saw coming up more is Lapsus$, and I’m gonna say, or disgruntled employees, but Lapsus$ is how you monetize it. And I used to go out there and say, if anybody wants all of my logins to everything for 5 million, I will walk away and give you my access <laugh>. But this can matter a lot at different levels of your company. Even let’s say you have a department secretary; if $10,000 would make a material difference in their life, they could be for sale. So seeing a malicious insider or compromised insider in a new way continues to be important, right? And the final one is data destruction as well as exfiltration. I mean, it’s security. We’ve been banging the drum about stealing your IP, et cetera, but with the NotPetya attack, like for instance the one that hit DLA Piper, they discovered it looked like ransomware.


It looked like a Petya attack from Fancy Bear, but it turned out to be destructive; their goal was to simply do corporate industrial sabotage. And all of these are tools that say people need to get in and start finding a way to automate, bring all of their security tools together to see it, and make the human being’s job easier. So I’m gonna get in a little deeper on what kind of transactions your security teams need to see. The needs: it’s as simple as collecting more of the right data, because the absolute answer is, it really does depend. If you have an infinite team and budget, naturally you’re gonna buy everything, build a security empire, rule the world, and fight off the unknown <laugh>. However, if there’s a single person listening to this who says, yes, I have all the budget I need, I want you to know that you are a magic unicorn with wings. And for everybody else, we have to figure out what to put together and what’s gonna defend our own empire, and how to see the right threats in a sea of noise and avoid manual investigation wherever possible. Because a computer can click through things faster than a human being can cut and paste.


So I look at a standard zero-day attack. I remember when everybody said we’re supposed to fear zero days. This is kind of the order it happens in: a threat is discovered or shared, and sometimes the CWE or CVSS score happens later. Somebody says, oh, right, clever enough, I’ve got a mitigation, I’ve got a workaround. But meanwhile, somebody’s selling all of the exploits somewhere on the internet. Now in the known threats, the minute there is proof of concept for that exploit, vendors are pushing updates, over time that’s happening from all of your IT departments, and naturally we’re scanning to see if we actually have it. But the important thing is finding the team, the needle in the haystack. How do you educate your team about new activity? How do you do it as automation is possible? How do you make computers do what they’re supposed to do, which is count things and repair themselves as much as possible?


All of these things have patterns. Now, the good news: there are a lot of different ways to look at these patterns. My favorite is MITRE ATT&CK, which is a really comprehensive end-to-end mechanism that includes not only things that a machine can detect, like, yes, I can see things that are happening on my endpoint, on my website, et cetera, but they do talk about things that only a human can do, like dumpster diving and making a phone call and psyching somebody out and stealing information that they shouldn’t have, just because I can do a social attack and manipulate somebody with my words. So back when we were talking about what a SOC needs to see, you can start mapping the biggest attacks against your industry, of your type, that cost you money, put you in the news, and map your security tools to them to combat them. So it’s a commonality that we’re looking at big attacks, trying to find, enter, and move along through credential activity, sideways, lateral movement, et cetera.


This is, I think, why you’re seeing a lot of new authentication and authorization tools coming up in the market. And frankly, as we’re saying, seeing a lot of hacks against those tools. We saw the Okta hack, we saw the LastPass hack, we saw people attacking secondary services that serve these bigger accounts. This is all the things when you have your own security stack. Maybe you have email, you have endpoint, cloud, network, maybe you have a little bit of OT, you use some cyber analytics and some SIEM. All of these pieces map to something to give you a place to start. And we hope that we’re gonna talk a little bit more about the tools.


When I’m talking about fidelity at the right place, I’m gonna put my dusty old SOC analyst hat on. Back when I saw a red dot on the screen for a higher critical alert, I would spend about 75% of my time figuring out what was going on. First of all, is the red dot something I care about? Like, is it a firewall just doing its job? Like, hey, somebody’s hit my firewall with 10,000 events in the last five minutes, but the firewall stopped it. That’s the firewall doing its job. And I don’t necessarily need to see that or investigate it, but I can say, if I get a note that Vlad’s laptop, sorry, Vlad, just put five new files into quarantine, that’s his EDR doing its job, right? So how much I need to investigate any of those places may or may not matter.


What I need to figure out is how do I apply my brain to what is anomalous, what is happening for the first time? What if something touched Vlad’s laptop and then reached out to lovingly escalate its privileges and create a new user on my domain server? This is why people buy SIEMs versus UEBA, to look at different feature sets, because all of those areas with feature sets help you determine what’s gonna be important to you, what you wanna automate and what you don’t need. So, Vlad, I’m gonna, if you don’t mind, take over here and say, will you tell us about the tools that are out there on the market today?

Vlad Babiuk (11:34):

Sure. Thank you, Jeannie. I think it’s still loading. So there’s a lot of options today. It’s definitely, I think, it becomes a little bit of a burden for some of the analysts to really understand what exactly it is that they need for their current environment, how is it gonna simplify some of the work that they’re currently doing in order to have, not necessarily the exposure, but the visibility in the environment around understanding what the attacker is doing. How is it doing it, why is it doing it, how quickly can I, mean time to detect and respond to that particular threat? So when we’re looking at it, what first started as security log management, and then eventually transitioned towards more, you’re seeing additional offerings coming in like QDR, MDR, Open XDR, UEBA, threat detection.


And now we’re moving towards more of the next-generation SIEM, where you have this combination of different capabilities like UEBA and SOAR coming into play in order to offer you the full kind of spectrum of components that will enable you to eventually not only automate some of the more redundant kind of processes, but also provide the tools to the analysts so they can excel at their work and they can simplify their work as well and focus on the bigger items. But there’s so many options, and I think this is one of the hardest things that you’re seeing the analyst face right now: what do I actually need? What is actually good? What kind of gives me that type of balance that I’m looking for between the complexity of the tool, but also how effectively it can provide me with the information that I need nowadays. So it’s a lot, that’s for sure. But it has its purpose when you combine all of it together, let’s just say.

Jeannie Warner (13:18):

It does. I mean, we have people that are talking about, if they have a need for just basic log management, getting it all in one place, you might offer them one thing, versus if there’s somebody who says, I need an insider threat team, that’s kind of a different tool set, isn’t it?

Vlad Babiuk (13:34):

Exactly. And it’s also some of the things that I feel that some don’t consider: the threat that we’re currently faced with, depending what it is, not only from an insider threat, from the zero days, the ransomwares, all of this, it has progressed to becoming almost like this huge empire. There’s so much going on, so many different attacks that are going on. And so you want to offer the analyst a tool that kind of balances it all together, where it offers you the different components so you can actually do your job more effectively and quickly without losing track of building your SOC, building your different playbooks, and managing all those different things. But yeah, you’re exactly right, Jeannie.

Jeannie Warner (14:19):

Yeah. So security log management, there’s a lot of players. I mean, I love your choices. There’s even more than you have listed here.

Vlad Babiuk (14:26):

<Laugh>. Exactly. There’s a lot of folks out there that are trying to do the same thing. Some are more legacy, that have been in the business for some time, like ArcSight, that was recently acquired by OpenText. Devo, that started as security log management but actually transitioned towards the security components. Splunk has been a big player as well. Chronicle coming in strong, with Sentinel as well, Securonix and Cortex, and of course Exabeam, which is our baby <laugh>. Exabeam definitely is a major player, has a cloud-native provider for data lake and things like this.

Jeannie Warner (15:06):

Yeah. And of course, we made our numbers bigger, or our letters bigger, but in terms of security log management, this is a really good fit for people that are just getting started at pulling all their logs into one place, right? Maybe they’re not ready for automation, maybe they’re a small team, but that could be really good for security log management. If you’re just starting to get all of your syslogs together into one place, look at security log management, right?

Vlad Babiuk (15:31):

Exactly. At the end of the day, security log management, why it was designed, is the collection, the processing, being able to have everything in a centralized location so you can have more of a unified view of your environment. Is it healthy? Are you getting the type of information that you need? And this is why it’s so important. If you’re looking for a more extensive view from a security perspective, maybe it’s not necessarily the right approach. And so you’re gonna be looking for something different, which is on the next page.


Right? SIEM contenders. Yes, <laugh>, there’s a lot of players right now when you think about it. One thing that I wanna mention as well is not all came to becoming a SIEM the same way. Some of them have done some acquisitions that gave them the advantage of becoming more of a SIEM contender. Some of them have developed some of those tools in order to become more of a SIEM contender. Some have been in the business for some time. As you can see, Elastic; Microsoft Sentinel, which used to be Azure Sentinel; ArcSight, like I said, was recently acquired by OpenText, but previously that was Micro Focus. Devo, moving towards the SIEM as well, has developed some tools around that and is moving towards getting their automation from a threat hunting perspective, but also on the SOAR capability. Splunk has been in the business for some time now, and people have seen it. And Exabeam is rightfully there as well. And one of the things that I really like about Exabeam is that it kind of offers you the balance of everything, which we can talk about in the next one afterwards.


So who has it all, and at what price? Can you click another one? I think there’s a, oh, okay. Just a little thing. That’s

Jeannie Warner (17:24):

It. <Laugh>, I was gonna make it easy for you. <Laugh>,

Vlad Babiuk (17:27):

Even better, right? I didn’t even think about it. <Laugh>. So who has it all, and at what price? And so one of the things to really take away from this is, regardless of how many capabilities you’re putting together in having a SIEM and having an SLM and having a SOAR, there’s always gonna be something that you’re probably gonna miss a little bit. If you’re looking from a Splunk perspective, some of the things that we’ve heard from customers is an expensive pricing model, a significant learning curve, and really understanding how the tool works. When you think about Splunk Enterprise or Splunk Cloud, Splunk Enterprise Security, the SPL query language. Some folks like it, some don’t like it, because they wanna be able to stand up a platform that works for them right now, without the complexity that goes into it, right?

Jeannie Warner (18:15):

Yeah. I mean, I wanna stop and say something in praise of Splunk here. Splunk is huge. If I add something like, let’s say I own the Coca-Cola or Nabisco or PepsiCo or Anheuser-Busch franchises, and I need you to know how many cases of Budweiser or boxes of Keebler chips I had sold in Peoria, Illinois on a Tuesday, Splunk is magnificent for that. But that’s not exactly the same set of things that my security team needs to know. And it was originally built for one thing, and then they have tried to evolve into the security space a little bit more. Has it been as successful? That’s kind of for, well, Vlad, for you to judge.

Vlad Babiuk (18:59):

<Laugh>. Yeah, yeah, no, that’s exactly true. I mean, they have some great features that have been built upon that provide the analysts what they need, but you need to have the resources to be able to manage that type of platform. It’s extremely complex. It’s a heavy, heavy load from a security perspective when you’re trying to actually manage it. So you need to have the resources, a well-defined SOC. If you’re looking for someone who’s more like maybe a three- to four-person kind of SOC, it might not be the best decision to move towards a Splunk. Same thing goes for Sentinel. There’s complexity. There’s the learning curve that needs to be adapted to in order for the user to really understand and utilize every little feature that it has, so they can have the kind of visual effect of their environment, right?


And same thing, like Sentinel, price surprise. It’s a very complex pricing perspective, where folks that we’ve spoken with are having trouble really understanding, like, what am I looking at at the end of the day? How much am I actually gonna pay for it? What do I actually need in order to make sure that it fits within my budget? Poor third-party integration; they really focus on Microsoft. For someone who is heavy on Microsoft, that might be a great solution for them. Yeah. But when you also think about having full telemetry of all the information nowadays, you’re not gonna solely focus just on Microsoft products. You’re gonna need additional telemetry to really have that big visual effect that I was mentioning before. And then complex configuration was one of the other things that I’ve seen. But at the end of the day, this is what I was trying to say: there are some that are gonna have a little bit more of this, a little bit more of that, but they’re not gonna have the balance.


And that’s one of the things that I really like about Exabeam: we took everything that we saw in the market and we put it together in a way that the analyst has that ease of use. Yes, you can still make it complex enough for your environment, but it’s easy to use. Anybody can come and start using it and working with it, and becoming better at it. We have new capabilities coming in every day that will offer you that visual opportunity to enable additional use cases that threat actors are currently using against you, and things like this. So really focused on ease of use and enabling the user to come to a better understanding of their environment and becoming better, and things like this.

Jeannie Warner (21:27):

Exactly. I mean, I talked back, I don’t think we have it featured on a slide here, but in like 2003, we moved off of a homegrown SIEM that we’d made and started using ArcSight for a bit. And we loved ArcSight, and it did everything we needed it to at the time, which was, we just looked at firewalls and IDS data. But the minute we started to wanna bring in HIDS and other things, ArcSight also got sold for the first time to, I think it was Hewlett Packard. And suddenly everything slowed down and we stopped getting new log parsers, and it started going from, that’ll be six weeks, ma’am, to, that’ll be three months, to, okay, that’s kind of on our roadmap for the next calendar year.

Vlad Babiuk (22:06):

Six months, a year, <laugh>,

Jeannie Warner (22:08):

And it’s just simply what happens. So I wanna caution everybody out there, as you’re going there to judge it. Look at the marketing pages. Sure. Because we love saying happy things in marketing. Go look at documentation too. And Microsoft is great for documentation that says, yes, this part of it is absolutely free until you pass this mark, et cetera, et cetera. So read all of the words before you make your final decisions there. Hugely important.

Vlad Babiuk (22:33):

Very good point, Jeannie. Very good point.

Jeannie Warner (22:37):

All right, so I have your SIEM and security log management systems stitching together all of the critical logs, right? We look at everything from, maybe you’re gonna use a CASB out there, or I think Netskope just bought WootCloud, which does OT, which is fantastic. Go Netskope. Maybe you have an endpoint, which is a CrowdStrike or a SentinelOne or a Microsoft Defender, or ExtraHop or Expel. All of these different pieces give you signals and you need to put them together, which is why we value third-party integration so very highly. Exabeam does a fair bit of this automation, because they take all of those millions of data points, combining a weak signal into a meaningful event timeline. Like if I did something on a VPN for the first time, and then I had an authentication failure, then another authentication failure, then I moved to a machine that I’ve never been on before.


All of these might be meaningless if I look at them as one-offs, but when I put them together, they create timelines, and timelines create anomalies and allow me to say, right, this might be a general low-level threat, but it becomes a little bit higher when I combine it with A, B, C, and D. So identifying those dangers at scale is something where you start talking about wanting your little UEBA, versus, do I just need to see it all and I can write good correlation rules? If you can write good correlation rules and you get it, maybe your team is gonna be fine with a straight-up SIEM or security log manager. Sources: this is where, what are you gonna look at? I think I would start by saying, what will shut my business down or cost me the most money if it stops, and I work back from there in terms of what my security stack needs to look like. For instance, say I am prepared to pay fines if my HR data gets exposed, but I will lose millions if my ICS system hurts a human being on the floor for manufacturing; then I need to protect the access and operation of my critical assets first.


Like if I, I’m a geek, sorry. So if I am doing an MMORPG or transactional gaming website, I care about uptime, and I care about the fidelity and protection of my micro-transactions, because that’s somebody’s credit card. And if they have their credit cards exposed, they might not play my game so much. So Vlad, I know you’ve dealt with most of these, and we can argue about whether a WAF belongs in one category or another here, right? <Laugh>.

Vlad Babiuk (25:02):

Exactly. Yeah.

Jeannie Warner (25:05):

I mean, at the end of it, I highly recommend getting syslog pieces together, because your syslog or CEF formats are the common format of getting everything together: what’s going on in your network, what’s going on on every entity. And by entity I mean credential, or I mean laptop, I mean server, I mean tower, any of those objects. I need the mapping of what human is using them, where they come from, which organizational unit I might belong to, and then what am I doing? For instance, if I have a corporate Google account and Jeannie has a personal Gmail Google account, I care very much if Jeannie starts copying things over into her personal area. So each of these different areas, you have to decide. I can’t tell you which is the best. You figure out what you need for your environment and you build your security stack accordingly. And that’s what you need to pump into your SIEM.


When I wanna talk in here, I start talking about the individual questions and responses that I need to decide. For instance, I might go to my HR team and say, I’m trying to figure out what I need to set up for security. How much do you care about what’s going on? Do I need to be aware of, are we caring about insider threats, or am I just looking at my application uptime, or am I doing business with Europe and I need to care about GDPR? Or maybe I’m in Europe, and my privacy officer needs to have a certain level of visibility that is beyond what my standard SOC person can see. Maybe I need full visibility into every authentication and authorization that happens anywhere in my network for my compliance team. That’s pretty easy. Any security log management system should be able to generate the, this is all of the authentications that happened.


On the other hand, maybe I need fast notification of high-risk activity, or maybe I have a DLP, and Jeannie gets super sad or goes off her meds for three days and starts writing very questionable emails. How quickly do I need HR and my manager to know that Jeannie needs a hug or some other assistance? So I think about, do you have a clear incident response flow? Do I have a clear step to remediation and mitigation? What do I do if an outsider reports something to the SOC? Any of these will help inform what kind of tools I wanna get and what they need. Like, when do I need to get my legal team involved, or upper management, or what does my CEO want to know in the morning if he opens the door to a crowd of reporters?


If my CEO’s going to something and she looks out at the audience and sees somebody in the front row that asks a question, what information about the security does that person need to know? So this is why your SOC can’t operate without knowing what your risk teams are. A lot of people go to saying, hey, I wanna go to an MDR or MSSP. That’s great. Outsourcing is awesome. It may or may not feed the information. Maybe you want to say, hey, I want to have a tool, but I want somebody else to operate it for me. And that’s totally cool. So let’s talk about pulling it all together. My big piece of this is saying that my mission and scope drive my choices. I want my CPU to put in the effort, not my humans. My issues are human bandwidth and my humans’ focus on integrations, triage, investigations. I already told you earlier, that’s 75% of what my humans are gonna be doing.


I can get automation for anything; it creates repeatability and it drives efficiency. So if I can create a timeline of events that can take a hundred queries, I can take a thousand queries. What was the first time? Have I seen it before? Do I have Log4j in my environment? These are all things that have come up in the past couple of years. It is easier and more efficient if I can have a machine do it for me. If that is the answer for my scope, maybe I need something to see, getting the right logs together, just get some good parsing, some really solid correlation rules, and I’m gonna be fine. Or maybe I want to say I don’t have a long-term storage need. I’m just Jeannie. I’m just a small organization. I wanna run a game. I only need maybe a 30-day rolling visibility of what’s going on. All of these things can help me decide which of my tools I want, in the most cost-effective way.


So when I say mission and scope drive my choices, I may want all the bells and whistles of a SIEM. Maybe I wanna build in UEBA and SOAR, but I’m mostly gonna build a timeline. Now, I’m kind of gonna show you this internally by saying, if I have a UEBA and a SIEM in one, I can see a lot with a timeline. This normally is a thing that a human being can do. Like saying, all right, this is my service account, which is a service account. If you say, this is what runs my website, maybe it’s my transactional website, I want to know the first time it does anything. Because a service account hypothetically goes between a database and a website, goes to one of two, three, four places tops to send logs. If it starts talking to other different systems, I care about the first time.


If it starts being logged into or going to countries that it has never gone to before, I absolutely wanna see that kind of thing. All of these different pieces, I bring together, and tell me what my risk is looking like and how my risk is growing each time I see something new and interesting. So this is how a UEBA, whatever kind, if it’s a standalone, if it’s built into your SIEM, can add that little bit of putting it all together to see what’s going on. If my service account is acting like a user, I want a clear way of escalating to say anything that has to do with the service account, I need to know who owns that machine, and I need to get them on the phone as quickly as possible. So this kind of gives you an idea of something that I would, I can either do all this myself, I can have correlation rules set up to say, first time something new, send me an email.


Or I can have it all pulled together into a timeline with the UEBA tool. Three of our current Exabeam product lines can offer this: Security Analytics, Security Investigator naturally, or Exabeam Fusion. Another picture of this is when I start talking about my insider threat. I care about reconstructing what happened, accelerating and streamlining. I don’t wanna log into all of my different systems. So if I’m logging into this, I can say, hey, Sherry got an email from the competition. Well, salespeople travel between places all the time. Totally happens. But when I start seeing different things, like saying, hmm, there’s a new process execution. Maybe she got that from her SentinelOne or her CrowdStrike coming in telling us there’s something new. That’s WannaCry ransomware. She may be compromised. Maybe she got a spear phishing attack. Maybe we’re starting to get a task scheduler and some domains.


I look at TOR and, not to insult every salesperson out there, I’m sure there are very smart salespeople, but the majority of salespeople I’ve ever talked to probably don’t know how to set up a TOR network. So if she’s running a TOR network on her machine, it may not be Sherry Lee in this instance because it’s not her area of expertise. So I wanna look at the email logs and file logs and the endpoint security logs if I care about insider threat, if I care about something that’s in there. So maybe it’s got ransomware, maybe she did nothing wrong but look at an email; any of these things can happen. This is why I wanna have the right security teams getting the right information from the endpoints and comparing it in my SIEM tools. So those are basically saying what tools I’m gonna have together.


But at the end of it, I wanna talk people. A lot of people I get, I mean your first level SOC people, I get them from help desk, or maybe I got them from network operations if I’m super lucky. Or maybe they were the person who read all of the manual and figured out how to migrate from a McAfee solution to an ExtraHop solution or a Symantec solution for their endpoints. Somebody came to my security table because they learned enough to be dangerous and I wanted them. I love curiosity, but they don’t know everything. For instance, your standard SOC person that might know everything about firewalls or everything about endpoints and desktop support may not have deep, in-depth Active Directory knowledge. Maybe they don’t know the difference between LDAP, LDAPS, NTLM, Kerberos. Maybe they don’t know that NTLM is forever going to be vulnerable, so if you see it, you should always, you know, that’s knowledge they don’t have.


So I wanna have something, maybe for a beginning SOC, that gives them information of what to do step by step. How do I assign it? How can I get a checklist? How can I get use cases set up that allow me to do familiar activities over and over so that my humans learn on the job? Because I want them all to graduate from tier 1 SOC to sophisticated security analysts to CISSPs that I can put in charge of things. So in that case, the tools I’m looking for are default incident types. I’m looking for checklists, I’m looking for guided investigations. What can I get that’s built into my tools for those repeated processes? Because the individual humans are what build everything. There’s no tool that ever stands alone. So seriously, sit down and involve your team when you’re picking out any of your tools because they need to understand it. They’re the ones that are going to use it. So they should attend at least your last demo or your POC and be involved at those different levels. Vlad, you’ve done this. Do you have any input you wanna add to that?

Vlad Babiuk (34:53):

No, same thing. Like what you said, Jeannie, like really making sure you sit down and really understand exactly what are some of the focus that you want to bring up and continue towards off paths in order to make sure you’re successful at the end of the day.

Jeannie Warner (35:04):

Yeah, I mean, I hate to say it, but as much as we vendors like to be very proud about our tools and the training on our tools, tool use is easy. Finding a human that’s really curious and interested and engaged and wants to learn more and do a great job, that’s harder. So I wanna find the tools that support my people rather than just finding people to operate my tools, if that makes sense.

Vlad Babiuk (35:27):

Yeah, no, I completely agree.

Jeannie Warner (35:29):

Yeah, so basically that comes to an end of saying when I’m detecting my undetectable, I really do want to be able to see what’s hard to see through a lot of different pieces here. And I think the tool is important to do that. We like it at Exabeam because I have a basic Security Log Manager, or I can load a UEBA on top of your tool, or I can do UEBA plus SIEM plus SOAR in my flagship product. So you tell us what you need out there. So let’s go look at a couple questions. I see that there’s some that have been accumulating in here. There’s one, Vlad, that they said, can you elaborate a bit on the difference between SIM and a SIEM? So SIM, SEM and SIEM as it were in the lingo?

Vlad Babiuk (36:19):

Yeah, for sure, Jeannie. The biggest difference, I mean the way you can kind of look at it is like the SIM, the SEM is essentially <inaudible>. But when you look at it a little bit deeper, like the SIM, so the security information management essentially looks at just the log data itself, the different types of log data that you have. The security event management is gonna be a little bit more specific on the events itself. So you can look at it, some experts might call it like a super user kind of citing it as a super user. So looking at account logins, identification, high privilege and things like this. So this is where you kind of combine both of them, the information itself, log data and also the event. And it provides you with the security investigation event management system where you’re gonna have the full kind of view.

Jeannie Warner (37:06):

Yeah, I wanted to give an example out there. When I worked in a SOC down at Dimension Data, we had our SIM, we used ArcSight at the time, and we also, in addition to that, had SolarWinds because I had that, who watches the watcher? I needed something that gave me the, basically operating as an application management and is it up, is it working? Is everything going? Versus my security event management system, which is where my analysts were looking. So one was owned by my IT department, which was hugely important and events mattered to them, but they mattered differently than they did to my security team that was doing callouts and investigations and escalations. So they both have a purpose in life.

Vlad Babiuk (37:51):

Yeah, they both do, that’s for sure. <Laugh>.

Jeannie Warner (37:55):

Okay. Oh, we have, what, somebody in here said, I have Elasticsearch. Now what are your differences? Well, <laugh> funny you should say, years ago, part of our product was built and we used Elasticsearch as part of our backend. The challenge, and why we moved off Elasticsearch, honestly was throughput. So if I need to bring in like searches of over 2 million events per second, Elasticsearch was not always able to surge with me. So that was sheer volume. So I would say if I had a small, maybe a small local credit union or something, and you’re just looking to collect everything local, that’s looking at your own, you’ve got a WAF, you’ve got some stuff, you’ve got your endpoint, you’re trying to prevent fraud, Elasticsearch might be okay for what you need there, but it also is not sophisticated. You gotta layer something on top of it for correlation rules, et cetera. Oh, here’s one for you. Did you see any difference between your experience? This is definitely you: for the military versus a commercial organization?

Vlad Babiuk (39:08):

I would say that surprisingly in the military, things are a little bit more on the slow side, I would say. On the commercial side, things are a little bit more on the quick side. There’s definitely more tools that are available at your disposal on the commercial side of things and really, really more on the progressive side of what’s currently kind of being utilized. In the military, things are a little bit slower in some cases. Not to say anything bad about the Canadian army or anything like this, but it’s just like typically working in the government, things move a little bit slower. There’s a heavy focus on security, making sure that we’re taking appropriate actions, taking a decision that will benefit the organization itself, in this case, the Canadian Forces. But on the commercial side, very quick turnaround. Definitely more visibility when it comes to security products and things like this.

Jeannie Warner (40:08):

Yeah. And okay, I got one more question on, oh, somebody was making a comment on sophistication of new SOC people. Like yeah, I gotta say, once I had somebody, I had a VP come to me and say, look, can you turn my babysitter into a SOC person? And I said, of course I can. It’s just gonna take a couple extra weeks of training because I have to explain how computers talk to each other. So this is why I really do love pictures like the OSI stack, and there’s a lot of stuff out there. I would send your SOC through Network+ and Security+ training. You know, SANS has some good training out there, but there is established, I mean literally Google this, like, I need to train a SOC. What do you recommend? Because there’s no perfect way, but troubleshooting anything is important. So if they’re the ones that their family calls to troubleshoot and fix something, then they understand the step-by-step mechanism of trying to figure out what’s wrong. And I literally mean this fact too: is it there, is it plugged in? Is it like, are the logs flowing? Can I see the logs flowing? Are events flowing? Am I getting information in there, <laugh>? So yeah, just that kind of mindset is what you need.


And I think, yeah, that was duplicated. Okay. That seems to be all of our questions today. So thank you so much for joining us. On behalf of the Exabeam marketing team, product teams, et cetera, we are delighted and invite you all to come out to our site, sign up regularly to hear what we’re doing new in product management. We tell you every month about our new releases, and I encourage you to go out and look at documentation for every vendor, get past the top pages and dig in deep, because that’s the best way to determine: does that tool meet your particular needs? Can it do what you want it to? Any final thoughts, Vlad?

Vlad Babiuk (42:03):

No, same thing. Thank you everyone for joining us. Really appreciate it. And as always, keep track of some of the great things we’re working on. You’re definitely gonna really enjoy it.

Jeannie Warner (42:14):

Right. Thanks very much for joining us today. Thank you. Okay, we’re done.
