Complex Threat Identification with Behavioral Analysis Cyberattacks are becoming more complex and harder to find. Often correlation rules can’t find the attacks because they lack context or miss incidents they’ve never seen — generating false negatives. Correlation rules also require much maintenance. Advanced Analytics automatically detects the behaviors indicative of a threat. Now teams don’t have to spend time with frequently faulty correlation rules. Prebuilt Timelines Automatically Reconstruct Security Incidents Analysts shouldn’t spend days or weeks gathering evidence and constructing timelines of incidents by querying and pivoting through their SIEM. With Advanced Analytics, a prebuilt-incident timeline flags anomalies and displays details of the incident for the full scope of the event and its context. Now analysts can stop spending time combing through raw logs to investigate incidents. What took weeks to investigate in a legacy SIEM can now be done in seconds. Dynamic Peer Grouping User behavior patterns often differ based on a myriad of attributes, including: the team they are on, what projects they are involved in, where they are located, and more. Thus, behavioral baselines shouldn’t be static. Dynamic peer grouping uses machine learning to assign users to groups based on their behavior, then to compare their activity against that of those groups to identify anomalous, risky behavior. Lateral Movement Detection Lateral movement is a method attackers use to move through a network by using IP addresses, credentials, and machines in search of key assets. Tracking is difficult because the trace information only tells part of the story. Data must be analyzed from everywhere, linking the attack to the source. The Advanced Analytics patented technology tracks suspected activities even if there are changes to devices, IP addresses, or credentials. Asset Ownership Association Another time-intensive part of performing a security investigation is the manual process of determining who owns or regularly uses the devices involved in an incident. There isn’t a convenient IT database linking devices to their owners, and mobile devices can exist outside of any tracking. Advanced Analytics is able to determine the owner of a device based on their pattern of behavior and interactions.

The Next Generation of SIEM Legacy SIEMs cause heartburn for users in each of their functional areas, including: data collection, threat detection, and incident response. Between volume-based pricing models that gouge at security budgets, static correlation rules that consume precious analyst resources as well as create false positives, and case management that does nothing to automate or amplify incident response; legacy SIEMs leave a lot to be desired. After years of suffering at the hands of these vendors, customers are finally able to get reprieve in the form of Next-Gen SIEMs. Next-Gen SIEMs are characterized by their use of modern solutions like open-source, big data architectures, artificial intelligence, machine learning, and behavioral analysis, to solve today’s pressing security management problems. Next-Gen SIEMs provide tangible value to security teams by automating manual tasks, increasing threat detection, and amplifying productivity instead of simply consuming SOC resources like their predecessors. This platform includes five key components: Exabeam Log Manager: Exabeam Log Manager offers the high performance of a modern data management system without the volume-based pricing models that have typically prevented customers from taking full advantage of the data they have available. To do this, Exabeam built Log Manager on the popular open source Elasticsearch stack and combined its components with the additional functionality enterprises demand of their security solutions. Exabeam Log Manager operates at lightning-fast speeds and can be scaled far beyond the capabilities of legacy data management technologies. Since Log Manager was designed for security data management, it includes context-aware capabilities that improve ease of use for security analysts. For example, Log Manager parses raw data – logs, network, endpoint, etc. – into a security information model and formats records based on their types, highlighting the most relevant fields for easy visual scanning by human readers.  Finally, Exabeam streamlines the Elastic user interface with several custom built components that greatly improve security analyst workflows. Exabeam Advanced Analytics: Exabeam Advanced Analytics is the world’s most-deployed User and Entity Behavior Analytics (UEBA) solution.  Advanced Analytics detects insider threats, compromised accounts, and data loss via deep learning and specialized statistical risk models.  With the ability to accurately model the behavior of users, entities, and even security alerts from other security solutions,  Exabeam can quickly detect complex threats, prioritize security alert investigation, and slash the response time of incident investigations. By automatically recreating entire attack chains, and piecing together both normal and anomalous behavior of users and entities, Exabeam dramatically reduces the time and effort security analysts must spend on investigations.  Based on a patented session data model, Exabeam creates, in seconds, automatic incident timelines that show all activity – good and bad – across multiple IP addresses, devices, and credentials. Exabeam Advanced Analytics amplifies the abilities of SOC and IR staff by automating the manual drudge of investigations, thus freeing up resources for more proactive security initiatives like threat hunting. Exabeam Incident Responder: When Exabeam detects an insider threat or other incident, the job isn’t completed. Organizations must still respond efficiently and effectively to the newly discovered threat. Exabeam Incident Responder automates a firm’s response procedures through the use of incident workflows and playbooks. Incident Responder includes prebuilt playbooks for many of the most common incident types that response teams face, such as malware alerts, phishing incidents, data loss alerts, departed insider issues, etc. Exabeam playbooks can also be modified, allowing customers to create and share their own playbooks.The benefits of automated, guided response are clear: reduced response time, fewer human induced errors, and improved productivity for incident response teams. Incident Responder can perform automatic actions (e.g. resetting a user password or containing an infected endpoint machine) or guide manual actions by IR staff. Exabeam IR workflows tie together the many specialized security technologies that already exist within most organizations. Exabeam Cloud Connectors: Today’s IT environments are complex and distributed; often including a variety of cloud based services which serve critical functions like file storage, email, CRM and more. Exabeam Cloud Connectors offer direct log collection capabilities for a host of popular cloud based services including Salesforce.com, Box, Office365, and others. This set of pre-built connectors augments the natural log collection capabilities of Exabeam Log Manager to easily report and analyze users’ cloud activity and behavior alongside activity on internal systems. Exabeam Threat Hunter: Where Exabeam Advanced Analytics uses machine learning techniques to notify an analyst about emerging threats, Exabeam Threat Hunter enables security analysts to search and pivot across multiple dimensions of user activity to find sessions that contain specific unusual behaviors or find users that match certain criteria. For example, an analyst might ask to see “all sessions where a user logged into the VPN from a foreign country for the first time, then accessed a new server for the first time, after which FireEye created a malware alert.” This level of analysis across disjoint activities and systems would be difficult if not impossible with the traditional query language approach of most SIEMs.Designed around a simple point-and-click interface, Threat Hunter enables even junior analysts to ask new and complex questions of their organization’s behavioral data without needing to learn a proprietary query language.  Analysts can easily pivot through and drill down into user sessions to follow complex, multi-stage attacks. With Threat Hunter, machine learning provides intelligent answers, in addition to alerts.