Exabeam is a recently launched cybersecurity company, entering the very crowded SIEM market. The SIEM strategy involves sorting through a lot of data and Exabeam aims to make its services better than the competition by excelling at that key task.
Many of the features of Exabeam are matched by its rivals. However, the service includes some features that other cybersecurity producers charge extra for. Such features include User and Entity Behavior Analytics (UEBA) and Security Orchestration, Automation, and Response (SOAR). The world of cybersecurity has its own language and is very fond of acronyms, so let’s take a look at what SIEM really means before we examine whether Exabeam hits the target.
The purpose of SIEM
SIEM systems aren’t intended to block malware – that is a task for edge services and firewalls. The intention behind SIEM design is to flush out hacker attacks that manage to get past traditional boundary defenses.
A particular big threat to the private IT systems of organizations is the Advanced Persistent Threat (APT). The discovery of APTs occurred relatively recently and made SIEM systems essential for any business. SIEM systems have existed for about a decade longer than APTs. An APT involves hackers hijacking user accounts. The use of legitimate accounts makes the hacker difficult to track down. A hacker group gains access to a network and many have used those facilities for years without being spotted.
The hijacked account is used to launch automated processes, such as malware, but it also facilitates manual entry into the system for exploration. The hackers are particularly interested in accounts with admin privileges because they can then use system commands and utilities to cover their tracks and make their presence very difficult to spot.
SIEM stands for Security Information and Event Management. It blends two strategies, which are Security Information Management (SIM) and Security Event Management (SEM). A SIM searches through log files for signs of suspicious activities. Each action by itself might not seem to be unusual and so gets allowed by traditional firewalls and anti-malware systems. However, taken together, a group of actions can indicate hacker activity.
SEM searches the network for anomalous behavior. It looks into the headers of packets as they travel on the network and records the source and destination of each message. It also examines other factors about passing packets, such as the total size of a stream of packets and the location of the computer that is involved in the connection.
SIEM systems are also useful for tackling insider threats. An authorized user might engage in illicit activity either out of resentment towards the business or through being tricked or manipulated by an impersonator pretending to be a superior or colleague.
What is UEBA?
User and Entity Behavior Analytics (UEBA) uses machine learning techniques taken from the field of Artificial Intelligence (AI). It aims to address a big problem that was encountered with early intrusion detection systems – that their rules mark legitimate activity as suspicious.
It is very difficult to tell the difference between a stealthy hacker and a regular user. UEBA tracks all of the activities of each user and also all users together to establish a baseline of what is normal behavior on that system. An anomaly is then defined as anything that deviates from that customized norm. This approach has drastically reduced the incidences of false-positive reporting.
What is SOAR?
Security Orchestration, Automation, and Response (SOAR) is a technique used by intrusion prevention systems. It collaborates with other security systems on a network to gain a centralized view of threats. The two main associated systems that SOAR brings in are access rights management and firewalls.
SOAR orchestrates automated data flows from these two sources into the SIEM database of events. It then uses a list of action workflows that will be triggered automatically once a threat is identified and those actions are implemented by the access rights manager and the firewall to suspend a user account or block all communications with a specific IP address.
About Exabeam
Exabeam was set up in 2013 and is based in Foster City, California. The business is the brainchild of cybersecurity pioneer Shlomo Kramer who was one of the founders of Check Point and Imperva. He also owns big stakes in Cato Networks and Sumo Logic, among other cybersecurity and IT service companies.
Kramer pulled together a team of executives from Imperva and Sumo Logic to create the company. Exabeam is a private company and Kramer is not the sole owner – a list of key IT venture capital funds are investors, too.
The first Exabeam product was its UEBA system, which was intended to be an add-on that companies could buy to improve the performance of an already-installed SIEM. The company expanded its services to launch its own SIEM in 2017. The SIEM is billed as a next-generation security intelligence platform.
Exabeam SIEM overview
Exabeam’s main strength is in data processing. Its creators see it as a big data processor and so it is heavily skewed towards the SIM part of SEM. Its network monitoring features are used as a data collection point to feed into its event search engine. The four main phases of the Exabeam strategy are:
- Exabeam Data Lake
- Exabeam Advanced Analytics
- Exabeam Incident Responder
- Compliance Reporting
These services are explained in more detail below.
The Exabeam Data Lake
In Exabeam terminology, the log file manager is called the Data Lake. This is really a log consolidator, receiving log messages from agents installed on the monitored system and reorganizing them from their native layout into a neutral, common format.
All records can be searched manually, which is a necessary feature needed for data standards compliance because auditors want to be able to form their own ad hoc searches on the records. The storage of log records in the Data Lake supplicates the information that will be stored in files on the monitored system. As the threat hunting service of Exabeam operates on the Data Lake and not on local log files, hackers are wasting their time in altering log files to hide their activities.
Whereas most SIEMs include a live network monitor, in Exabeam, this is reduced to the status of a data collection agent.
Exabeam Advanced Analytics
This feature has two components. One is the UEBA, which keeps adjusting the baseline for comparison and the other is an anomaly detection system.
SIEM systems work on event correlation models. They look for indicators of compromise (IOCs), which are a series of actions that a hacker typically performs. So, the advanced analytics engine will search through the Data Lake looking for specific events that it knows are typical of APTs or insider threats.
If it finds a user account or IP address that is involved in one of a number of IOC patterns then it raises an alarm. This alarm will appear on the dashboard of Exabeam.
Exabeam Incident Responder
The Incident Responder is part of Exabeam’s SOAR implementation. The response service is made up of a series of rules. Each type of detected threat leads to an automated response, which usually involves suspending a user account or blacklisting a domain or IP address.
Automated responses can be customized and some action workflows, which are called playbooks, can be suspended. The analytics module also allows the IT support team to identify threats manually and take manual remediation actions.
Compliance Reporting
One of the early motivations for businesses to take on SIEM systems was to qualify for data protection standards accreditation. This was before APTs became known.
A big problem with data security compliance is that it involves a lot of documentation and the information stored in log files is key to compliance reporting. Compliance auditors want to get a look at all of the log files stored by a business to see for themselves whether a data breach occurred but was covered up by the business. Therefore, the storage of logs for long periods is necessary and their records need to be indexed and searchable. SIEM systems are very good at furnishing those log record management needs.
Exabeam can be tailored during setup to enforce compliance with the following standards:
- GDPR
- PCI DSS
- HIPAA
- SOX
Exabeam SIEM dashboard
The Exabeam dashboard is resident in the cloud and so can be accessed through any standard browser.
The main focus of Exabeam is its log management system, called the Data Lake. Users get access to their company’s Data Lake through a search screen.
This facility will also be used by standards compliance auditors when looking for evidence of data leaks.
The Exabeam Advanced Analytics section of the dashboard explains identified problems by cross-referencing the suspicious user account or IP address to actual user or connection source data. For example, when the system identifies a user account that may have been compromised, the Exabeam dashboard gives details of that user and reason why activity on the account is suspicious.
Exabeam SIEM configuration options
Exabeam is available on the SaaS model on cloud servers. The servers also provide storage space for logs, which can optionally be backed up on a third-party storage system. Data collection for the Exabeam Data Lake requires agent programs to be installed on the monitored system. Interested companies can test Exabeam on a free trial.
Exabeam has entered into agreements with partner companies that offer the Exabeam software on a network appliance. It is also possible to have Exabeam hosted privately on an AWS server.
Pros & Cons
Pros:
- Supports incidents response workflows, playbooks, and automation
- Offers useful query features for filtering large datasets
- Can be used for compliance reporting and internal audits for HIPAA, PCI DSS, etc.
Cons:
- Lacks live network monitoring capabilities
- Wasn’t initially designed as a SIEM tool
Alternatives to Exabeam SIEM
Exabeam is a good and thorough security system and its automated responses will save your IT management team a lot of time. The service is a little light on the SEM part of SIEM, though and it doesn’t seem to have much live traffic monitoring.
Take a look at the best SIEM tools post to get a deep understanding of SIEM tools.
Before you plump for Exabeam, take a look at a couple of other SIEMS. Here is our list of the ten best alternatives to Exabeam.
- ManageEngine EventLog Analyzer (FREE TRIAL) Very strong on SIM but almost no SEM, invest in Log360 as well to get network monitoring alerts. It installs on Windows and Linux. Start a 30-day free trial.
- Datadog Security Monitoring This is a cloud-based SaaS system that is part of a suite of infrastructure monitoring tool but can also be deployed as a standalone system.
- McAfee Enterprise Security Manager A comprehensive security system with one of the best threat intelligence feeds in the industry. Installs on Windows and macOS.
- Fortinet FortiSIEM A cloud-based SIEM system that is very similar to Exabeam. This tool includes UEBA and automated threat response.
- Rapid7 InsightIDR Similar to Exabeam, this SIEM is a SaaS system with built-in UEBA and automated response mechanisms.
- Heimdal Threat Hunting and Action Center This is a cloud-based service that coordinates the activities of on-site Heimdal tools, creating a hybrid cybersecurity protection system that combines a SIEM with an automated response system.
- SolarWinds Security Event Manager Like Exabeam, this tool is not so hot at SEM, but it remains a powerful security service. The on-premises software installs on Windows Server.
- OSSEC This is a free, open-source host-based intrusion detection system that is very good at log file management and analysis. It completely lacks a live network monitor. However, that shortfall can be resolved by feeding in a stream from a third-party tool. Installs on Windows, macOS, Linux, and Unix.
- IBM QRadar A security intelligence platform that includes a SIEM module. This is on-premises software that includes vulnerability scans, a threat intelligence feed, live traffic analysis, and log management functions. It installs on Windows Server.
- AT&T Cybersecurity AlienVault Unified Security Management A strong SIEM brand with a heavy R&D budget provided by AT&T. It installs on Windows and macOS.