This ESG Lab review documents hands-on testing of the Exabeam Security Intelligence Platform, Exabeam’s entry in the security information and event management (SIEM) market. We focus on how Exabeam’s Log Management System, Advanced Analytics, and Incident Responder empower security operations center (SOC) and incident response (IR) analysts to be more timely and effective in responding to threats and attacks. Exabeam positions these products collectively as a next-generation SIEM.
In ESG’s 2017 IT Spending Intentions Survey, 39% of respondents noted that increasing cybersecurity capabilities was one of the top business initiatives to drive technology spending during the year.[1] Of those respondents, 69% stated that they would increase their cybersecurity spending in 2017 over what they spent in 2016, showing that this area continues to be top of mind for organizations in light of recent high-profile data breaches and ransomware attacks.[2]
One challenge that continues to plague IT organizations is overcoming the lack of in-house cybersecurity skills. ESG research reveals that 45% of respondents note this as one of their significant skill gaps, as depicted in Figure 1.[3] With the ever-growing amount of data SOC and IT analysts must analyze to uncover and resolve threats quickly, keeping skill sets up to date remains difficult. The skills gap threatens the ability of organizations to implement budgeted cybersecurity projects. Organizations will need to consider investing in developing skills and seeking products that improve operational efficiency.
To address this skills shortage, it is critical that an organization have tools and processes that allow it to bring new SOC and IR analysts onboard quickly, with less training time. This requires tools that correlate activity across the attack surface—covering endpoints, networks, cloud services, and users—to detect threats, allowing analysts to focus on threat hunting, identification, and resolution. Additionally, these tools should incorporate security analytics that educate analysts on recurring threats and assist in automating playbooks for more timely incident response.
The Solution: Exabeam Security Intelligence Platform
To assist IT professionals in providing more effective and efficient cybersecurity services, Exabeam has introduced three new tools—Log Manager, Advanced Analytics, and Incident Responder. Building upon its User Behavior Analytics platform, an Exabeam product ESG reviewed in 2016,[4] these three tools leverage the platform’s Stateful User Tracking (SUT) capabilities. SUT connects individual user events to activity sessions, creating a distinctive session data model that ties together users’ activities as they use different account credentials, change devices, and connect from different IP addresses. The resulting detailed timeline tells a security story about each session. This enables Exabeam to identify anomalous behaviors quickly and accurately, supporting reliable threat detection and accelerated response. Figure 2 shows how these tools fit into Exabeam’s overall solution.
To address the ever-growing amount of data that challenges today’s organizations, Exabeam offers its Log Manager for data collection. The data originating from endpoint, network, and security devices and from user and application activity now comes both from internal networks and the cloud, so it can easily grow into petabytes. This drives up an organization’s log collection, storage, indexing, and search costs. Exabeam built its Log Manager on Elastic 5.2, an open source stack of software tools, to help with data collection and insight and to address this cost issue. Instead of charging by GB of data, Exabeam charges by user. Thus, the customer is free to ingest any amount of data for ongoing security monitoring, enabling analysts to stay ahead of potential threats.
Exabeam leverages the following Elastic 5.2 tools in the Log Manager:
- Beats are lightweight data collectors that can be created and deployed easily to collect data apart from syslog messages collected by other SIEMs and security products used by the organization. Analysts can customize these collectors.
- Elasticsearch is the search and analytics engine in which data is stored.
- Kibana is the user interface that Exabeam leverages for the Log Manager, as well as for Analytics and Incident Responder.
The Advanced Analytics tool, along with Threat Hunter (also reviewed by ESG in March 2016), provides additional security breach detection capabilities. This component ingests data collected by the Log Manager and constructs “sessions,” which are timelines based on what it deems normal and abnormal user activity. This tool denotes activity as normal and abnormal based upon rules and models that are continuously trained as this tool ingests more data. Advanced Analytics also constructs “sequences,” which are timelines that denote events whether or not a user is active. Exabeam offers these analytics to decrease the manual work done by security analysts to construct such timelines today, thus decreasing the time to respond to potential security breaches.
The Incident Responder allows an organization to orchestrate and automate the appropriate responses to security-related events. Usually, security analysts must prioritize responses because they are unable to address all events in a timely manner. With Incident Responder, analysts can create automated workflows to address recurring incidents. As a result, analysts can decrease response times as well as manual errors.
ESG Lab first reviewed the capabilities of the Log Manager. We navigated to the home screen as shown in Figure 3. An analyst begins a session by viewing the summary screen that displays the number of logs collected in discrete time intervals.
In the search bar at the top of the screen, we typed an asterisk to see all logs collected in the last 15 minutes. The number of logs is counted and reported every 30 seconds. The analyst can choose to see log counts over a longer period of time by clicking on the down arrow of the menu to the right of the search bar.
On the left-hand side of the screen, the Log Manager lists logs based on category, along with the tags associated with them and associated counts. To view individual log details, we clicked on the Enhanced tab. Each log shows the specific value noted for each tag. ESG Lab then typed “Web” into the Search box and generated the results shown in Figure 4. We saw those logs that contained the term “Web” within their detailed records.
ESG Lab noted specifically the “Privileged Access” category. Exabeam does not rely solely on the organization’s rules for privileged account management, which formally note the privileged users for a given device or application and monitor against that record. Using its SUT technology, the Log Manager also analyzes user behavior to derive a more comprehensive record of the people who fall under this category. For an analyst, this automated monitoring of logs and updating of established categories saves time in deciding what to monitor and allows them to focus more on identifying potential security holes.
ESG Lab then proceeded to examine the Collector Management screen in the Log Manager, as shown in Figure 5. We clicked on one collector and viewed details associated with it. Analysts can create custom data collectors using Beats or Exabeam-defined templates. ESG clicked on one collector related to logs from Microsoft Windows Server 2016 Datacenter to view its attributes. Collector attributes included CPU and memory usage and configuration details, such as events tracked and number of events collected in a given time period. Viewing these attributes can help analysts monitor how active certain collectors are and determine the health of the endpoint and the logs being collected.
ESG Lab then reviewed the capabilities of Exabeam Advanced Analytics. We navigated to the screen shown in Figure 6. Exabeam’s updated dashboard displays summary statistics across the top, including users, assets, sessions, and events, but now also includes a cumulative count for anomalies. We noted that the analyst can create user groups to monitor (e.g., executives or human resources). Other groups can focus on listing users associated with events, such as those infected with malware. The analyst can leverage user-specific groups to isolate sources of potential security threats.
Within the groups, the tool will assign a Risk Score to each user that denotes how risky an individual’s activity is to the organization. Assigning risk scores allows the analyst to identify and monitor potential security breaches more quickly as the scores are updated continuously via the Log Manager data.
ESG Lab also noted the updated timeline that stitches together both proxy and process logs for specific users. Figure 7 depicts the timeline layout for a fictitious user named Fredric Weber.
The left side of the timeline contains events related to accessing websites and executing actions, along with timestamps. The right side denotes details of these events. Specifically, the timeline notes event details in the context of the specific user. For example, this user attempted to access a website whose name was flagged as generated by a domain generation algorithm (DGA). This may be a security risk, as DGAs are typically used by malware to locate command-and-control infrastructure. The timeline notes whether the activity detail is suspicious, along with individual risk scores. Using this timeline can help an analyst pinpoint specific activities, which either leads to further investigation of the user or educates the analyst on new malware to take note of in the future.
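To make the session model concrete, here is a toy version of the stitching, risk scoring, and timeline behavior described above (SUT tying events across accounts and hosts, sessions split by idle time, per-event risk reasons such as a high-entropy domain). It is an added illustration, not Exabeam code; the field names, the account-to-owner map, the rules and their weights, the baseline, and the sample records are all constructed for the example.

```python
"""Toy session stitching and risk scoring in the style of the timeline above.
Added illustration, not Exabeam code; every name, rule, weight and record is constructed."""
import math
from collections import Counter
from datetime import datetime, timedelta

ACCOUNT_OWNER = {"fweber": "Fredric Weber", "admin-fw": "Fredric Weber"}  # assumed identity map
SESSION_GAP = timedelta(hours=1)  # idle time that closes a session (assumed)

def domain_entropy(domain):
    """Shannon entropy of the first label; machine-generated (DGA-like) names score high."""
    label = domain.split(".")[0]
    probs = [n / len(label) for n in Counter(label).values()]
    return -sum(p * math.log2(p) for p in probs)

def score_event(ev, baseline):
    """Return (risk, reason) for one event relative to the user's learned baseline."""
    if ev["type"] == "logon" and ev["src_ip"] not in baseline["ips"]:
        return 20, "logon from an IP never seen for this user"
    if ev["type"] == "logon" and ev["account"] != baseline["primary_account"]:
        return 15, "switched to a secondary account"
    if ev["type"] == "web" and domain_entropy(ev["domain"]) > 3.5:
        return 30, "high-entropy domain (possible DGA)"
    if ev["type"] == "process" and ev["image"].lower().startswith("c:\\users\\"):
        return 10, "executable launched from a user profile directory"
    return 0, ""

def stitch_sessions(events, baseline):
    """Group one person's events into sessions across accounts, hosts and IPs, with risk per event and per session."""
    sessions, current, last_ts = [], None, None
    for ev in sorted(events, key=lambda e: e["ts"]):
        if current is None or ev["ts"] - last_ts > SESSION_GAP:
            current = {"user": ACCOUNT_OWNER.get(ev["account"], ev["account"]), "events": [], "risk": 0}
            sessions.append(current)
        risk, reason = score_event(ev, baseline)
        current["events"].append({**ev, "risk": risk, "reason": reason})
        current["risk"] += risk
        last_ts = ev["ts"]
    return sessions

T0 = datetime(2017, 6, 1, 9, 0)
BASELINE = {"primary_account": "fweber", "ips": {"10.0.1.5"}}  # learned history, assumed
def rec(mins, kind, account, host, **fields):  # builds one constructed log record
    return {"ts": T0 + timedelta(minutes=mins), "type": kind, "account": account, "host": host, **fields}
EVENTS = [  # constructed sample records from logon, proxy and process logs
    rec(0, "logon", "fweber", "wks-12", src_ip="10.0.1.5"),
    rec(5, "web", "fweber", "wks-12", domain="intranet.example.com"),
    rec(20, "logon", "admin-fw", "srv-db", src_ip="10.0.1.5"),
    rec(25, "process", "admin-fw", "srv-db", image="C:\\Windows\\System32\\svchost.exe"),
    rec(180, "logon", "fweber", "lap-07", src_ip="203.0.113.9"),
    rec(182, "web", "fweber", "lap-07", domain="x7fk2q9b1z3m.net"),
    rec(183, "process", "fweber", "lap-07", image="C:\\Users\\fweber\\AppData\\Local\\Temp\\update.exe"),
]
if __name__ == "__main__":
    print(*stitch_sessions(EVENTS, BASELINE), sep="\n")
```

Running it yields two sessions for the same person: a low-risk morning session (score 15, from the switch to the admin account) and a higher-risk afternoon session (score 60) combining an unfamiliar source IP, a DGA-like domain, and an executable run from the profile directory.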
Advanced Analytics for Insider Threat
In addition to the example above, Advanced Analytics includes built-in content for detecting insider threat activity, where an employee purposely attempts to exfiltrate sensitive information. Figure 8 shows a timeline for Gary Hardin, a software engineer who badges in at an unusual time, accesses source code in GitHub in an unusual manner, and then copies it to a USB drive.
Finally, ESG Lab reviewed the capabilities of Incident Responder. Exabeam designed Incident Responder specifically to log incidents that an analyst may overlook, as well as to automate corrective activities should specific incidents occur. We navigated to the home screen shown in Figure 9. Incidents can be pushed or pulled into Exabeam’s Incident Responder from many sources, such as an existing SIEM, ticketing system, or other security products. An analyst can create a new incident by clicking on the New Incident button in the top left-hand corner. The Advanced Analytics tool can also report incidents for any notable user listed on the dashboard. As seen in Figure 9, Incident Responder has generated an incident based upon the activity of a notable user, Fredrick Weber. Generating incidents automatically lets the analyst spend more time fixing issues rather than logging incidents to address. An analyst can obtain details about an incident by double-clicking on the incident title. Details include the incident source, affected IP addresses, and actions taken by the tool to resolve the incident. Additionally, the analyst can view the rules Exabeam used for the resolution.
Exabeam also lets the analyst partly or fully automate responses to incidents encountered, depending on the nature and severity of the incident. The analyst can also leverage playbooks, which are defined and automated procedures for dealing with incidents. For incidents common to many organizations, Exabeam provides prebuilt playbooks. For incidents specific to an organization, an analyst can build a playbook using Exabeam’s visual playbook editor, as shown in Figure 10.
The playbook editor enables the analyst to create partially or fully automated resolution procedures for incidents not addressed by the playbooks Exabeam already supplies. Instead of resolving incidents manually, an analyst can script and automate new procedures as playbooks without learning a new programming or scripting language. The playbooks then run in the background without the analyst actively searching for specific incidents.
Figure 11 shows an example of an actual incident playbook, for Frederick Weber, who has been flagged as a notable user. The playbook has determined that Frederick was infected via a suspicious email, identified the sender and other recipients, identified other emails from that sender, and reported the risk of the attachment based on analysis by the Cisco ThreatGrid sandbox.
Why This Matters
Legacy SIEM products are increasingly unable to keep up with the rising number of data breaches and cyberattacks. Beyond aggregating data and analytics into one repository, today’s SIEM products are evolving to enable analysts to consume and process security data in real time.
As organizations continue to grapple with a gap in cybersecurity skills, next-generation SIEMs will help analysts to keep up with the increasing tide of security breaches. The skills gap affects an SOC or IR analyst’s ability to identify and resolve breaches quickly, placing the organization’s information assets at significant risk. This loss in operational efficiency can lead to significant cost increases and loss in revenue and brand reputation. Additionally, these SIEMs decrease the risk of unsuccessful implementation as analysts can perform their duties more effectively, protecting an organization’s investment.[5]
Exabeam offers three products—Log Manager, Advanced Analytics, and Incident Responder—that allow analysts to focus on issue identification and resolution. Leveraging SUT technology, the three products stitch together disparate data from endpoint, network, and security devices, and combine it with user and application activity into timelines that track individual user activity, whether the user is logging into an organization from an internal network or the cloud. Exabeam’s products also enable an analyst to identify and resolve issues more quickly by leveraging analytics to search continuously for recurring patterns of security breaches and automating responses to those breaches via prebuilt or customized playbooks.
ESG Lab reviewed the user interfaces and capabilities of Log Manager, Advanced Analytics, and Incident Responder. We verified that the Log Manager notes cumulative log activity over preset time periods and provides details for individual logs under various categories, such as privileged access management. We then reviewed the Advanced Analytics tool and verified that it creates timelines or sessions of user activity to detect potential breaches, removing the need for an analyst to construct such timelines manually. Finally, ESG Lab verified that the Incident Responder not only allows an analyst to note reported incidents but also generates incidents uncovered via the analytics engine. All three tools work together to increase operational efficiency and the effectiveness of analysts.
The Bigger Truth
While organizations are encountering an increasing threat of cyberattacks, they are also facing the challenge of closing the cybersecurity skills gap. They are realizing that any continuing investment in cybersecurity must include tools that will increase the SOC and IR analysts’ efficiency in identifying and resolving issues, or risk losses in both revenue and brand equity. Exabeam has leveraged its SUT technology to build out its Security Intelligence Platform, specifically the Log Manager, Advanced Analytics, and Incident Responder. All three tools work together to collect user activity and device logs to create sessions of individual user activity, learn about recurring incidents, and automate incident response when applicable. For those recurring incidents, an analyst can leverage continuously updated rules and models to automatically identify, prioritize, and resolve incidents. These tools also allow an analyst to conduct deeper investigations with little manual activity and construct playbooks to deal with unique incidents automatically.
ESG Lab verified that the Log Manager collects and aggregates data efficiently from disparate devices and user and application activity, both from the internal network and the cloud. The analyst can leverage the Log Manager to investigate activity in a consolidated manner and identify potential problem areas, rather than spending time aggregating data from various logs into a digestible format.
The Advanced Analytics tool constructs sessions using Log Manager data and enabled ESG Lab to view activity from both a user and timeline point of view. By detailing user activity in this manner, the analyst can identify risky behavior, affected assets, and potential root causes more quickly and shorten response and resolution time.
Finally, ESG Lab looked at the Incident Responder that facilitates automated responses to resolve security issues. This ultimately allows the analyst to focus more on resolution as opposed to issue identification.
ESG Lab validated that Exabeam’s Security Intelligence Platform helps organizations overcome the cybersecurity skills gap with end-to-end detection, analytics, and response capabilities. For organizations that want to move beyond the capabilities of legacy security information and event management (SIEM) platforms to gain more complete visibility into threats in their environment and orchestrate intelligent, automated response, it would be worthwhile to take a closer look at Exabeam’s Security Intelligence Platform.
1. Source: ESG Research Report, 2017 IT Spending Intentions Survey, March 2017.
3. Source: ESG Brief, 2017 Cybersecurity Spending Trends, March 2017.
4. Source: ESG Lab Review, Exabeam User Behavior Analytics, March 2016.
5. Source: ESG Brief, 2017 Cybersecurity Spending Trends, March 2017.