Exabeam: Get User Behavior Intelligence in 2015

February 18, 2015

Nir Polak


For every company, the first general availability (GA) release – Exabeam version 1.6 in our case – is a major milestone. The software is enterprise-ready, scales to monitor over 150,000 users with a single appliance, and it just plain works out-of-the-box. Exabeam enables organizations to realize the promise of their existing security information and event management (SIEM) deployments by applying user behavior intelligence to identify the attacker who evades detection from initial point-of-compromise solutions by using valid user credentials in the land-and-expand phase of the attack chain.

Many, if not all, of the beta customer suggestions have been added to the product or are on our near-term road map. I’d like to thank all of our design partners for giving us a behind-the-scenes look at their data. After all, without the ability to analyze real-world data, there’s no way to build a product that takes SIEM data, combines it with active directory (AD) data, and then is able to find compromised accounts, score anomalous access behaviors and characteristics, perform Stateful User Tracking™ across identity switching and present a visual user session timeline to an analyst.

Along the way, we’ve focused on making Exabeam simple to get up and running. Implementation times from racking the appliance to reviewing the first user sessions have ranged from one to three days, with no agents, additional storage or network changes required.

With more than 25 deployments that cut across multiple industry verticals and more than 800,000 sets of credentials actively monitored, we can make a few generalizations about the customer base and their IT environments that our user behavior intelligence software has revealed:

1. Misconfigurations let attackers access systems. Two-factor authentication is only as good as the humans who configure it. Misconfigurations open backdoors that attackers eventually find. As hard as people try, humans are fallible, and even the best testing doesn’t catch everything.

2. Stealthy malware still defeats host-based detection systems and even the latest in-line malware sandboxing solutions. Malware that has been in the wild for more than a year can be altered and re-purposed in ways that make it new again to the best detection systems. Remote-controlled malware can ride along the virtual private network (VPN) to valuable data by acting as the user, with the attacker attempting to increase the level of access privileges along the way.

3. Breakdowns in IT processes and procedures waste valuable security team time. What looks like a full-fledged attack can often be the result of a process breakdown. Many times, we identified anomalous user behaviors that looked like an attack to the security team but really resulted from miscues and a lack of communication between IT operations and security.

4. Users do crazy stuff without thinking. Multiple security policy violations, such as users connecting through TOR networks, borrowing and sharing credentials, and testing the limits of their own access, were not previously visible to the security team. Any of these incidents could have been part of a full-fledged attack.

In the last three months alone, all of our customers have experienced one or more of the problems listed above. One customer prevented a data breach that could have been on a scale as massive as Target’s. In each case, Exabeam exposed the entire attack chain of events for the security team to see. Follow-up was as easy as contacting the user and verifying their activities on the Exabeam timeline. After a positive verification, the user was cut off from the network and forensic analysis was performed on their system, as well as the systems touched during the anomalous activity session.

Prior to deployment, none of these businesses (all with very capable security teams) had a strategy for detecting attackers who managed to get past point-of-compromise detection systems. All had a SIEM or log management platform, and most had the latest and greatest tools.
