Webinar - The Game-Changing Benefits of Cloud-Native SIEM - Exabeam

The Game-Changing Benefits of Cloud-Native SIEM

Webinar Transcript | Air Date July 6, 2023


Kevin Binder:

Okay, well, good morning, good afternoon or evening, depending on where and when you’re watching our webcast. Before we get started, let’s take a little bit of housekeeping information. Today’s webinar will be recorded and we will email you a link to the recording after the live event. I’m sure you’re gonna wanna listen to this twice, so the recording will be sent to you. Secondly, we’ll have a Q&A session at the end of the webinar. So please submit any questions in the webinar sidebar. You’re welcome to ask them in the chat, and we’ll get to those at the end of the webinar. So let’s go ahead and get started. Thank you for joining "Taking Your SIEM Solution to the Next Level: The Power of SIEM in the Cloud." My name’s Kevin Binder. I’m a senior product marketing manager here at Exabeam, and today the star of the show is gonna be my colleague, Manoj Mohanan, director of Product Management.

Let’s take a quick look at the agenda. First thing we’re gonna do is look at the evolution of SIEM and security operations. Then we’ll look at some of the common challenges facing security operations leaders today. We’ll discuss the benefits of cloud native SIEM. Some people call this modern SIEM, but we’ll talk about the benefits of the economics of the cloud that go along with it. Then we’ll get into some of the exciting stuff building upon cloud native SIEM. What’s that extra value that Exabeam can bring to the equation? Manoj is gonna walk through some areas of functionality that are quite unique to us. And then after that we’re gonna get into a demonstration. We’re gonna demonstrate Exabeam SIEM and then we’ll look at some of the key takeaways of Exabeam SIEM.

So here we can see sort of the evolution where the network operations center and the Security Operations Center were at one time one and the same, if we look back around the year 2000 ish, and a lot of times they were run by the same group of people. So why the split? The network operations center is largely focused on availability and uptime. That includes things like system monitoring, moving data, patches, and of course, one important aspect of security is managing the access. Moving data is one of the big ones these days. And many NOC initiatives are focused on cloud migration. The security operations center, on the other hand, has also evolved, branching out on its own. And this is largely due to the increasing importance of data security. Obviously, there’s a lot at stake, and security operations really require the proper attention. And if we look at all the SOC functionality that’s been added across this chart, keep in mind that every customer is different. You may not need all the stuff listed in the SOC 4.0 today, but you might next year or the year after. And as your SIEM requirements also evolve, we believe there’s a value in taking a platform approach to growing your SOC. We’re gonna talk a lot about this today, but finding a platform you like and simply lighting up new features and functionality along the way as your SOC matures.

One thing we know for sure, SOCs are evolving at a rapid pace, but why is this? Well, you can see here on the slide, cyberattacks are becoming more common. The cost of those cyberattacks is ever increasing and the attacks are becoming more and more sophisticated. So this can put your business at risk.

So let’s take a look at the risk. And I know everyone hates doom and gloom slides, and we’re not trying to use fear to get you to buy something, but there’s some important information we would like to share with you. Starting with compliance risk. What happens if you’re out of compliance? Well, legal penalties, fines, loss of customers and partners. If you’ve got a vendor contract and you’re out of compliance, you could actually lose a vendor contract. So it’s quite a bit on the line. And if you are out of compliance, what is the cost of remediating that and getting back within compliance? Of course, the one that everyone knows about is the risk to the reputation and brand, right? Something goes south, there’s a good chance it’s gonna make the news and the newspaper. Some of your customers may not feel quite as comfortable with you storing their data for them anymore.

So reputation is quite important. But you’ll notice I use the red font for operational risk. And this to me is the most costly. This is the big one. A ransomware attack can literally limit the availability of your organization, the ability to operate and generate revenue. And we recently had two local governments here in Northern California suffer ransomware attacks. And these attacks were serious. In fact, one city had to declare a state of emergency because all of their services were down, their emergency services, their dispatch services, 911. Nothing was available because of this ransomware attack. They were completely shut down. So these things can actually impact your business in such a way that you can no longer do business. And in doing my research for this webinar, I came across some interesting statistics that kind of help put things in perspective.

I think we all know that the number one most common way for cyberattacks is starting with a spear phishing email, right? Over 90%. And we know that a cyberattack is costly, right? I think the latest numbers are over $4 million, the average cost of an attack. But one of the statistics I thought was really interesting is the average number of days to identify and contain a cyberattack. Can you guess? Almost 300 days, 277 days. And imagine the damage that can be done. I worked for a company years ago and we didn’t realize we had been hacked until years later. And it proved to be very costly to the business. In fact the business ended up shutting down and, in fact, 60% of businesses closed their doors within six months of a cyberattack. So all really good information, but probably the most important bit of information I think that everyone on the webinar here can relate to is we’re experiencing a global IT talent shortage.

And this affects everything across the board. There are over three and a half million unfilled cybersecurity jobs in 2023 alone. And what this means is that we have to look at the human resources we have and use those resources to the best advantage. And one way we can do that is upleveling those security analyst resources that we’ve got. And we’re gonna talk quite a bit today about how we can do that. How can you take a level one security analyst, turn them into a level two security analyst, and really improve their ability to threat hunt? So today’s cybersecurity reality: you need to collect more of the right data without question. There’s increasing demand for security log data processing, but the data also needs to be normalized to ensure your systems are using high quality data to identify the threats. I’m sure you’ve heard of garbage in and garbage out, and this is very true when it comes to security operations.

We wanted to avoid all those distracting false positives at all costs. And you need to know what you’re looking for. And the right security solution can help. We’ll talk more later about how Exabeam can help in this area. But you wanna look for lots of out of the box features that are gonna help you experience success from day one. And threats are buried in the sea of noise. You need the right tools and functionality to uplevel your threat hunters. And lastly, we know manual investigations lead to incomplete outcomes. I’m sure this comes as no surprise, but automation is everything. We wanna automate whenever and wherever possible. Let the computers do the work, save us time, and reduce human errors.

Cloud native SIEM to the rescue. First generation SIEM solutions and many SIEM deployments that are still deployed today are primarily on-premises solutions. That means they live in the customer’s data center and they’re managed by the customers. And like most on-premises solutions, there’s infrastructure that needs to be managed. Everything from the cooling, the electricity, racking and stacking, patching servers, that all takes away from some of the real work your IT resources need to be doing. So cloud native SIEM offloads that infrastructure management piece and allows your SOC personnel to focus on threat detection, not managing infrastructure. And when we talk about scalability as it relates to on-prem SOC, you have to build that in. You have to build the scalability in. In order to support your peak periods of operations, you need to build in extra capacity that in many cases goes unused. You’re paying for infrastructure you may or may not be using. And with cloud-based solutions, you’re typically only paying for what you use. Software updates, patches, that’s all taken care of with the managed service. So, you’re always up to date, you’re always evergreen. Bug fixes, all that can happen on the fly without any intervention on behalf of the customer.

The final benefit here is to highlight that cloud infrastructure is built by experts. Really the best of the best are building this cloud infrastructure. So from a security perspective, from an availability perspective, being able to build in redundancy and ensure your business continuity during unforeseen events. These are all things that can be handled with the cloud-based service. And so that’s why we are seeing such tremendous growth in cloud native SIEM solutions compared to the more traditional on-premises. So cloud native SIEM, it sounds great, but why Exabeam? For the next section, and this is the exciting stuff, this is the meat that you’ve been waiting for, I’d like to introduce or reintroduce Manoj Mohanan and he’s gonna talk us through these critical areas of functionality for today’s modern SIEM, and how Exabeam delivers on those areas of functionality. And then he is gonna give a really cool demonstration of the product in action.

Manoj Mohanan:

Thanks Kevin. You very well outlined the key challenges faced by SOC teams today and how cloud native SIEM would address those challenges. So let us dig in further. What are the top considerations in evaluating a modern SIEM? Modern organizations are globally evolving and modernizing their infrastructure and processes with cloud transformation and adoption of SaaS applications. This all translates to an ever increasing volume of logs and security data that needs to be ingested and processed to manage the threat landscape and the attack surface. A modern SIEM should be able to ingest and process such a large volume of data at pace and on demand. Not only should a modern SIEM be able to ingest and process security data logs at scale, but also make the data onboarding process simple and reliable for the SOC team. A modern SIEM should provide capabilities for security analysts to seamlessly search, detect, visualize all collected data, and provide capabilities to manage and automate detection, investigation and response workflows. Knowing your current security posture is more and more important, the gaps to improve are very critical for a successful SOC. And a modern SIEM should provide such critical insights.

So we need a SIEM that packs the necessary horsepower to meet these requirements. And that is where Exabeam comes into play. Exabeam released the new scaled cloud native Exabeam SIEM powered by a cloud scale security log management platform that can ingest, parse, enrich, store, and analyze large volumes of log and security data collected from your infrastructure, both on-prem and cloud environments. Exabeam SIEM can sustain over 1 million plus EPS, processing hundreds of petabytes per tenant. Cloud economics of the new Exabeam SIEM allows you to optimize your SOC cost by eliminating your traditional infrastructure cost and providing a better return on investment by allowing you to pay for what you need and scale on demand. Exabeam SIEM comes with a new modern search and visualization application that allows you to instantly search petabytes of data and use of data without having to reload or rehydrate data. Exabeam SIEM also comes with a new cloud scale correlation engine that can run hundreds of correlation tools concurrently. <Inaudible>, the new platform also comes with 500 plus product integrations and 9,000 plus pre-built parsers to allow seamless data onboarding for all your security data from your on-prem and cloud environment.

So let us understand more about the key capabilities of Exabeam SIEM. It all starts with collection. Most organizations today have a hybrid setup with applications and services deployed across on-prem and multi-cloud environments. Exabeam SIEM provides two sets of collectors purpose built to collect security data from your on-prem and cloud deployments. Exabeam SIEM supports find to plus on-prem log sources with site collectors and 80+ API-based cloud collectors designed to ingest security data from various cloud and SaaS applications. Collection is not just limited to log data, but also other security data, including third party alerts. Context information like threat intelligence feeds, geolocation information, user and asset information needed to enrich your log events is also collected through these collection mechanisms. Exabeam has collectors purpose built to ingest logs from other data lakes like Splunk on-prem, Splunk Cloud, Azure Sentinel, et cetera.

You can manage all of these collection configurations with a new centralized collection management interface. The new management console for all the collectors also provides health monitoring and telemetry to enable you to ensure reliable and healthy data collection, which is very critical for threat detection. Once data is collected, it is critical to process it, enrich it and store it for further analysis. Exabeam SIEM introduces a new data pipeline management application called Log Stream, which packs the power needed to parse, normalize and enrich security data at scale. Using the 9,000 plus prebuilt parsers supporting 500 plus products, Log Stream normalizes the ingested data using the Exabeam SIEM common information model, an open specification that we defined in partnership with other security vendors who are members of the Open XDR Alliance group.

Many SIEM vendors encourage you to ingest all and more data, increasing your cost, while Exabeam SIEM focuses on processing the right data. Log Stream is not only able to process and transform data at scale, but also provides you the ability to manage the data processing pipeline and fine tune it. The telemetry and health metrics exposed by Log Stream include processed data volume per vendor and product and per parser, and parsed log percentage, so you can identify what volume of incoming logs are actually getting parsed. The quality of the parsing itself, depicted through a metric, enables security analysts to fine tune your data onboarding to extract the right data. You can fine tune your parsers to make sure you have the right data for your detection. Log Stream provides you a guided experience to fine tune these prebuilt parsers and create custom parsers to meet some specific use cases not addressed out of the box.

You can validate and troubleshoot any parsing and customizations that you have made in real time using the live tail feature of the Log Stream application. The goal is to make you self-reliant. So in summary, you can manage and optimize your data onboarding with the Log Stream application with ease. So once you have onboarded the security data into Exabeam SIEM, you need to analyze it to detect threats. Exabeam SIEM introduced a new, fast, modern and intuitive search and visualization application for threat investigation and threat hunting purposes. Exabeam Search provides a unified experience for searching all your security data, including logs, events, alerts, anomalies, and any context information that has been ingested. It can search millions of logs in a matter of seconds. So it’s really fast. Kevin earlier highlighted a very important challenge that the cybersecurity world faces today. That is the talent shortage. The lack of resources: 3.5 million resources short today. We need to optimize talent and need security analysts to uplevel quickly to address this gap. Exabeam SIEM addresses this challenge by making the applications intuitive to reduce the learning curve. The search application introduces a new query builder experience, a click-through experience that provides a guided workflow to build search queries that will enable even a tier one analyst on day one to get started without any additional learning curve. This tremendously helps in upleveling our analysts.

SIEM also provides a guided experience to automate your detection by building correlation rules from the search query itself. The correlation rule builder application also provides an intuitive rule building experience that can help even a tier one analyst to author or modify detection rules. This goes again to the notion of quickly upleveling your analysts. It’s very important for security analysts and administrators to visualize the security data in dashboards and reports. These reports should be scheduled and should be in a format that can be shared with other stakeholders. Exabeam SIEM comes with a new dashboard application that helps you build compelling visualizations, like using a BI application for your SOC, so that you can use the prebuilt dashboards to address your threat investigation, compliance and auditing use cases. You can also customize these dashboards to meet any additional use cases not met by the pre-built content.

So we have seen how the threat investigation, hunting and data onboarding can all be achieved with the Exabeam Security Operations Platform. Now security analysts need to triage, investigate, and respond to threats detected using the rules. Exabeam alert and case management application is a ticketing solution that centralizes all alerts and cases. It provides a triage, investigation and response workflow. So ACM in short, <inaudible> case management, which we also call ACM, provides all the relevant context like MITRE ATT&CK labels and threat timelines in a single pane to optimize the threat investigation workflow. So many of your security analysts would spend a lot of time in this particular application triaging and responding to threats.

The timeline capability in alert and case management brings in all the relevant info needed for threat investigation in the same pane, helping your analysts to do threat investigation much more quickly and much more easily. We’ll go into the details of this application during our demo. The SOC team is effectively running blind if they do not have any insights into the current security posture. Exabeam Outcome Navigator exactly addresses this by assigning a coverage score for various use cases, which it calculates based on the onboarded log sources, configured products data, the parsing quality, and the configured rules that are relevant for each of the use cases. Outcome Navigator also identifies gaps in your coverage and provides recommendations to address gaps and improve your security posture. The coverage reports and the details are available for download as a report and can be shared with your stakeholders and executives. So as you saw, Exabeam SIEM addresses all the considerations of a modern SIEM and does more.

So now let us quickly see the Exabeam SIEM in action in the demo. So when we launch the Exabeam security operations platform, you are greeted with the new navigation layout. This is the new security operations platform UI. The new navigation layout categorizes all the applications in the order of a SOC workflow. This layout helps you navigate to the right option to perform a specific SOC operation. For example, you can use one of the collector apps to configure your data collection, or you could use Log Stream to manage your data pipeline, or you could use search for a threat investigation or a threat hunting workflow.

So this homepage can be personalized to the role. So based on the permissions and based on the role of the logged in user, appropriate applications will be made visible. The SOC admin has the permissions to configure and personalize it and assign specific applications to the specific roles. So before I proceed further with the showcase, I would like to reiterate a fact. Exabeam is a full stack TDIR (threat detection, investigation and response) provider and covers all SIEM anti functions including its differentiating UEBA solution for which we are an onshore. Exabeam prides itself on its ability to be a true plug-and-play platform, allowing users to choose from the various offerings. So you can use the Exabeam offering as a security log management solution or as a security information and event management solution, SIEM for short, or you could just use its UEBA capabilities, or you could use all the capabilities through its Fusion offering. The underlying platform remains the same and the necessary capabilities are simply enabled based on the subscription that you have gone for.

But for today’s demonstration we will be primarily focusing on the SIEM capabilities only. So let’s get started. So for the next few minutes, I will pretend to be a security analyst. So my day has just started and I’m having my second cup of coffee. I would like to start my day by looking at a couple of interesting dashboards that I like to use to gain additional critical insights. To do that, I’m launching my dashboard application in a new window. I’ve already done that and I’ve already marked a few of my dashboards as favorites. So these are the ones I would like to get with. So the couple of dashboards that I’m going to look at, one is related to all the alerts that have been triggered by my detection rules and certain IoC statistics.

So these dashboards are prebuilt dashboards available as part of the dashboard application itself, and they provide some relevant information that enables me to make certain decisions around threat investigation or identify certain alerts that I need to work on. As you can see here, there are all the alerts by various use cases, and it also provides me with the necessary drill down option if I need to do so. Similarly, the IoC statistics dashboard identifies all the IoCs that have been detected by my SIEM application through the threat intelligence feed enrichment. And then, again, it provides various visualizations and generates necessary insights that allow me to take the necessary action. So for example, here I can see the various IoCs that have been identified over a period of time in a heat map, I can see the number of IoC matches and the different IoC types that have been detected, including a trend chart.

I can identify the top destination and source IPs for these IoCs. I can drill down into those details as well. But for this particular use case, I would like to go and start working on the alerts and cases that are assigned to me. I can do that by launching the alert and case management application under the TDIR group. I’ve already launched the application, so let’s navigate to that. So this is the alert and case management application. I can quickly search for the cases assigned to me. So the distinction between alerts and cases is very simple. Any alert generated by any of the configured correlation detection rules will be available in this application under the Alerts tab. Cases are those alerts which need investigation and response, so they get automatically or manually assigned as a case.

So cases are basically where the security analysts will do the investigation and add details and take that case or the incident to closure. So as you can see, there are four cases currently assigned to me. This is a quick summary view. I can go into the details of any case by clicking that particular case. It provides me a single pane with all the necessary cases for that particular case. But in this case, in this scenario, it is a brute force attack for a particular user. So there were fortify fail login and within a 15 minute interval, which triggered the alert. I can see the assignee, in this case myself, I can see the priority and I can see additional information about source and destination, and any other entities that may be allocated to that. It also maps it to a TTP on the right pane.

We can see the current state and how the progress and the various stages are for a given incident. I can also add attachments and take notes as I’m triaging and investigating the case. What is available by default is the threat timeline. The cool feature is that it groups all the related events which triggered that alert into the timeline in chronological format, so in chronological order. So you could see all those events and you can do the necessary investigation right here from the alert and case management console. Though it provides a summary view by default, you can go and look into the details of each of those events, look at all the fields that have been extracted from the log message and the raw log itself. Now assuming I’m doing a threat investigation and I want to investigate this further, I can open this particular log message in the search application itself.

I’m still a tier one analyst. This is the first week of me joining here and I’m still learning the application, but it is very intuitive and makes it easy for me to navigate. So now I’m in the new search application, which provides a very simple interface. On the top is the search bar and if I click on the search bar, it launches the query builder experience built into this application. It is very helpful for tier one analysts like me because it makes it very easy and seamless to build my query. I can select one of those, all the vendors and products that I’m interested in, or use the fields of the common information model and start building my query. But in this case I’m interested in a particular event. It’s of the endpoint login type. I can see the activity type here. If I want to see the additional details, very similar to how it was in alert and case management, I can see all the fields and I can see the raw log message itself.

Now I wanna investigate further. I’m interested in seeing all the endpoint login events that have happened over a given period of time. So let me build a query here. So endpoint login is the activity type that I want to query. So I can click the field and select the option, which automatically starts building my query here in the search bar. If I want to add additional information I can continue to do so. I can just filter and further tune the query. So basically now I’m looking for all endpoint login alerts. I want to do that for a specific duration, or I could actually go back and select a much easier way of specifying the time range. I’ll stick with the current time range and click search.

So in this given time period, there were two sets of endpoint login alerts that have happened. Most probably there are two separate brute force attack scenarios that have happened in this environment. If needed, I can expand this time period to a much larger duration and see if there was a particular trend. So as I wait for the search result, I can see there are 11 million results in the last seven days where endpoint login alerts, endpoint login fail events, have been identified. You can see how fast this application is, where it is able to search millions of records in a matter of seconds. There is a field summary view as well, which allows us to quickly identify various values of fields from the search result. So for example, I can see there are two values for the outcome field: success and fail. I’m interested in more of the failure events so I can further fine tune my query by clicking that option.

I can definitely go ahead and change this from the UI here or I could switch to a much more advanced query language interface where I can type in the query as needed. But I’ll switch back to the query builder experience for the time. So let me execute this search so I can see it filters down the search result to a smaller subset and I can see a bunch of such endpoint login failure events that have happened. So there is definitely <inaudible> happening in this environment. And if I want to convert this into an alert, into a rule, I can as a tier one analyst myself go and build a rule right from the search query. I click on the option convert to rule, it goes ahead and launches the correlation rule builder application and it’s a three-step wizard to get to a new detection rule.

So the query is automatically prefilled here. What I need to do as the first step is to specify any additional condition. In this case, I want the rule to trigger an alert when there are more than 50 failure events within the span of 10 minutes. And I would look for each of the users. I can select the appropriate field from the dropdown box and I have the necessary condition built. Since I’ve already navigated from the search application, I know that this query is correct. So I’ll continue to the next step. This is where we specify the outcome when the rule conditions are matched. So here either I can automatically assign a case to that particular alert or I can send it as an email to a certain set of recipients. I can select more than one outcome, or send it to a webhook if you have a third party integration or an integration with a third party ticketing system. In this case, I would skip any outcome. I just need it to be an alert so I can proceed further. And this is where you specify the configurations of the rule. So basically I’m building a brute force attack rule.

I specify the name, specify the use case, and assign the MITRE ATT&CK TTP tag. I can assign severity, let’s say it’s medium. I can also specify additional conditions like suppression logic, any delay of our rule evaluation if needed. And I can choose to either keep it disabled or enable it. And I have a unique mode, which we call the test mode, which allows the rule to run. And when the rule conditions are true, it’ll trigger, but it’ll not perform any of the outcomes that you may have configured here. So I can click on test mode and click save. This goes ahead and creates... the name already exists. So let me change that.

I was able to create a brute force attack rule. It is already enabled, it is of the severity medium and this particular was that it is running in a test mode. So this is the correlation rule management console, which shows all the active and disabled correlation rules. It gives you the health statistics as well. And you can go into the templates where we have over 150 plus different templates that can be used to create additional correlation rules. So as you can see, even a tier one analyst like me does not really require a lot of time to get used to this product. The learning curve is very less. In fact, you can get started on day one. Now let’s shift gears. Let’s assume I’m a security SOC admin and I’m required to give a quick report on my current coverage and the security posture. This is where the outcome navigator application is very beneficial and useful.


So when I launch this application, it quickly gives me various use cases and gives me a coverage score for each of those. Hovering over a specific use case gives you a quick summary on the current coverage. The coverage score is anywhere between no score to a best score. Obviously we would be driving to be the best and improve so that it improves our security posture. So if we select a particular use case, we can go into the details to see how the coverage has been over a period of time. It gives a trend chart showing if the coverage has improved or has degraded over a period of time. It also gives additional details on how it is actually calculated. For example, the product categories that have been configured. It has a lot of resources which help you understand this further. It gives you a mapping to the MITRE ATT&CK tactics and techniques. It shows any rules that have been configured. Track based rules as well as, if you are using our UEBA offering, any analytics rules, any dashboards that are associated with these use cases, all the products that have been configured. And it also highlights the ones which are missing.

So the coverage report is exportable so you can download it and share it with other stakeholders. The function of Outcome Navigator does not stop there. It not only gives you the current status and the trend, but also gives you recommendations highlighting the gaps and how it can be improved. So as you can see here, it identifies the products which are missing. So basically you can go ahead and configure your <inaudible> these products if it is relevant in your environment or you could go ahead and improve your existing data extraction through parsers and strive to get to a tier one for each of your parsing. Basically we are in the common information model and using that to identify parsers where we have incomplete data extraction.

So let’s, in this case, pick one of the parsers and see what we can do. So I think click the options. That is a very interesting capability called improved parsing. So not only does the Outcome Navigator give you recommendation, but also guides you to improve your security posture by improving your parsing, it automatically launches you into the Log Stream application, which is the Send Data Pipeline management application where you can manage your end data extraction process end to end by managing process fine tuning it and taking additional actions. It has already launched. In the context of that specific use case, there are two relevant parsers which are extracting data. We see that for the last 24 hours we have received 6 million plus log events. For this specific parser, if I want to assess this detail, I can see the quality is tier two.

Ideally in the best case it’ll be tier one. If I want to analyze this further, we have an option to launch what we call the Live Tail application. So the, as the name is, it’s a real time view of the data pipeline and it shows the logs as it is being processed in real time in the data pipeline itself. As you can see, it’s a live stream and keeps showing new log samples as and when they’re being processed. I can pause the stream so that I can look at the various logs here. I can go into the details by clicking a few details and I can see the actual raw log and <inaudible> have been extracted and how many of them are actually missing. Not only can you see the details of the parser, you have an option to go ahead and even customize the parser right from the Log Stream UI. On clicking the customize option it takes you into an auto parser generator wizard that allows you to create your own parser.

It’s a six step workflow and guides you on creating and optimizing your parser. So this is the log line that was used and it brings and loads that information to share to provide you the necessary context. It automatically tokenizes the log message where you can go ahead and further add additional fields or remove existing fields by adding regular expressions, or you could tokenize the string to extract the values. So for example, if I can use the option to manage tokens where I can specify delimiters, separators, and codes, I wouldn’t do that. The parser is in decent condition and I can see most of the value fields being extracted. So I can skip that step, so it takes you through the rest of the steps and if you make any changes to the parser, it’ll automatically be saved and you will be taken back to the Log Stream UI.

I can see all the parsers that are available for my instance in this Log Stream application. I just cleared the filters and we can see there are over 10,000 plus parsers currently enabled on my environment. I can filter and see the parsers which are actually active. So these are the ones which were triggered at least once in the last 24 hours. I can look at the volume of various parsers and identify the ones that are most active. Same information is also available in this console. So Log Stream provides you an end-to-end management capability of your pipeline and provides you telemetry information to optimize your data onboarding process. So with that, we come to the end of the presentation. I touched upon some of the key capabilities of the Exabeam SIEM. With that, it’s back to you, Kevin.

Kevin Binder (46:02):

Thanks Manoj for a great demonstration. It was really cool seeing the product in action and, you know, interesting to see that someone can work within that management interface without having to know how to code, be an engineer, know CLI. So I know there was a lot going on there, but it was really neat to see everything in action. All right, so down the home stretch here, we got a couple slides to go. I wanted to drive home the point here on taking a platform level approach to modern SIEM. And you know, when you look at the complete stack of security services for the SOC, you’ve got a lot of acronyms, you’ve got SIEM and you’ve got SOAR, and you’ve got UEBA and XDR. And a lot of times some of these acronyms, which are presented as standalone services, are actually features or functionality within another system.

And so, you know, one thing I’d like to encourage you to do is think about modern SIEM in terms of a platform, and there are many advantages to taking a platform approach, but traditionally when you think of IT or security operations, the approach to solving a problem is going out and finding a solution to that problem. And that makes perfect. But what happens when the next problem comes along? Well then you go find another solution, maybe a best of breed solution and maybe that comes from another security vendor. And before you know it, you’ve got 10 solutions to 10 problems from 10 different vendors where you’ve got 10 different management interfaces and multiple reporting tools. And this approach can get very complicated and very expensive quickly. And so if you compare the sort of one-off approach to an organization you know, we want that organization to look two to three years down the line and select a platform that allows you to light up those additional services and functionality as you need them.

And ultimately this is gonna reduce complexity and save you a lot of money. I mean, think of all the licensing costs associated with a 10 vendor stack of security solutions. A couple more points to make on this slide. Yes, there are other vendors that appear in multiple quadrants. One thing I would remind you all is that as I mentioned earlier, a lot of these legacy and traditional solutions still are on-prem. And so one of the unique things that Exabeam can do to deliver value to our customer is that we are cloud native and all of these things we’re delivering from the cloud, and we’ll continue to deliver additional features and functionality from the cloud on this platform. Another thing to keep in mind is that portfolio and platform are not one and the same. You may see a vendor that has a portfolio of solutions, but to me, a platform is when there’s integration between those layers of the stack and you get that from building something from the ground up. If you are able to offer a portfolio of security services and that portfolio has come from mergers and acquisitions and on-prem and cloud, the integration between those layers can get complicated. So a couple of things to think about as you are looking at where you are today and where you might wanna be in the future.

So today we primarily focused on the SIEM and the log management side of the equation here in the red box. And I’ve spent time talking about a platform approach to security operations. Exabeam Fusion is that platform. And you can start with SIEM and log management today, maybe replace your legacy SIEM, but then expand to the right and add advanced analytics, more investigation tools, taking advantage of AI and machine learning with behavioral analytics, really the complete stack of technology. So the key takeaways from today’s session with Exabeam, you get a SIEM solution that’s built from the ground up, it’s purpose built for security. It’s native in the cloud and it’s built to scale. And that’s Exabeam Cloud native managed infrastructure that saves you time and money, cloud scale, security, log management and SIEM to ingest and parse and store and search data from anywhere to collect more of the data that you need. Advanced tools for searching and for managing those alerts. Lots of out of the box features and functionality, integration with over 500 products, prebuilt dashboards, parsers and more. And ultimately what all this means is more meaningful work for your team, not having your team spending time on tedious tasks, but rather up-leveling your security analyst, making them more effective. And in doing so, boosting morale and reducing analyst churn.

Now don’t simply take my word for it. Exabeam is currently deployed by some of the largest brands in the world across vertical segments including healthcare, finance, manufacturing, retail, and the public sector. Thank you so much for joining Manoj and I today. I can’t believe we filled up that entire hour. We really appreciate your time and hope that you now have a better understanding of how Exabeam can add value to your business and security initiatives.
