Connect with us

Hi, what are you looking for?


Incident Response

Exabeam Challenges Traditional SIEMs With New Security Intelligence Platform

Exabeam Leverages UEBA Experience to Launch New Next-Generation Security Intelligence Platform

Exabeam Leverages UEBA Experience to Launch New Next-Generation Security Intelligence Platform

SIEMs, although still a must-have for most enterprises, are considered to be past their sell-by date; and are being supplanted by the rising star of user and entity behavior analytics (UEBA). Now one UEBA leading light claims that it was just the beginning — UEBA was part of a route map on the path to a complete next generation security management platform.

“We started,” Nir Polak, Exabeam‘s CEO and founder, told SecurityWeek, “as a SIEM-helper.” The intention was always to be more, but the route to a complete platform was designed to be in steps. SIEMs, he suggested are broken, difficult to use and no longer fit for today’s needs; and a SIEM-helper was the obvious starting point. “SIEMs were born some 20 years ago, before the age of big data and before the skills gap became as severe as it is today. So, we used machine language and analytics to help find the threats for the SIEMs.”

Now, he added, “we’re moving to the next phase, ready to take on the incumbents — Splunk, ArcSight and QRadar — head on.” He announced Tuesday the arrival of the Exabeam Security Intelligence Platform, with the two most important additions being a log manager and an incident responder.

The UEBA side works by building a user fingerprint for all employees. This is compiled automatically from logs. Whenever user behavior deviates from that fingerprint it can be indicative of an intrusion. False positives are minimized, explained Polak, by marrying data science with security experience. In science, a sudden change of logon IP address would be a big anomaly; but it could signify nothing more than a change of home ISP. Security experience will say that it only becomes an issue if combined with other anomalies. “If the user IP address changes and uncommon credentials are used or perhaps access is attempted from a strange location, then it becomes a security concern.”

Analytics work best on big data, and the bigger the better. This is the reasoning behind the launch of the new Exabeam Log Manager product. While many products have, or are, log managers, they are priced by the byte collected. “This can rapidly become expensive,” explained Polak; “so customers reduce their bills by reducing the number of logs they try to collect.”

But threat detection through analyzing big data works better with bigger data — the analytics improve their accuracy with more data to analyze. “We have built,” said Polak, “a log management system based on open source big data technology, and we’re changing the market by eliminating cost-per-byte charges. Our system is priced not by byte but by the number of employees in the organization. Customers can put in as much data as they want and the cost will change relatively little.”

He illustrated the effect by saying that one beta customer who used the system for a month “has already put 30x the amount of data into the Exabeam log manager as he had previously put into Splunk.”

Advertisement. Scroll to continue reading.

The new Exabeam Incident Responder is designed to improve the efficiency and speed of response. Detecting an anomaly is only the first step — it needs response. Not all companies have senior analysts to cover all eventualities, and junior staff might have neither the knowledge or experience to respond efficiently. “To address chronic security hiring shortfalls,” explains Exabeam, “Incident Responder provides automated playbook creation and execution, so that detected attacks are shut down quickly and completely.”

It includes out-of-the-box playbooks for most common attacks, such as phishing attacks, malware, stolen passwords, and data theft. “We’ve developed playbooks for different events so that the customer knows exactly how to respond to any particular situation,” said Polak. He expanded on phishing as an example. “A large organization may get hundreds or thousands of suspected phishing emails per day. The playbook knows how to respond to a suspected phishing email; examine, check links, sandbox and detonate, etc.” Done automatically, they can all be examined in a fraction of the time it would take without the automated playbook.

“Threat detection is one side of the picture; effective incident response is the other,” said Ryan Makamson, senior infosec analyst for Washington State University. “Exabeam Incident Responder helps even new analysts respond consistently and efficiently to internal and external threats.”

Both the new Log Manager and Incident Responder will be on show at the RSA Security Conference, February 13-17, in San Francisco.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.