External Threat Detection, Investigation, and Response
Exabeam provides the leading Next-Gen SIEM and XDR. The reality today is that we are dealing with highly trained and committed adversaries. The headlines don’t lie: attacks are on the rise, and the one thing they have in common is the use of valid user or entity credentials.
These hackers or insiders are hidden in plain sight, masquerading as legitimate users or devices. Signatures and rules aren’t enough to detect these types of advanced attacks. Understanding the data, behavior and identity of our users and assets is a critical requirement for any SIEM or XDR.
The Exabeam Way
No matter what your security vendor claims, external attackers consistently find ways to bypass defenses. Once inside, you are likely oblivious to their presence. Exabeam helps eliminate the blind spots of external attacks by identifying abnormal activity and providing purpose-built investigation and response capabilities.
Minimize Dwell Time
Speed investigations, improving productivity
Mitigate threats fast, limiting the scope and potential harm
Overview
If an attack bypasses your security stack, no worries: Exabeam has your back.
Every action a user or asset takes is analyzed against normal. If an action is outside normal parameters, that user’s risk score increases.
Login
File access
Website access
Email
Download
Upload
Read
Write
Open
Close
VPN
Intranet
Internet
Local connection
Logoff
Location
Geolocation
IP address
Remote logins
Multiple failed logins
Connect from unknown country
Connect at off hours
Upload large files
Download large files
Escalating user privilege
Creating new users
Deleting users
Locking files
Large email attachments
Heavy network traffic
Moving laterally
Accessing new assets
Private email
While some external attacks use brute force, many successful attackers do reconnaissance. Exabeam identifies that recon and scores it.
Sherri Lee’s risk score is high, especially for her role.
Notable Users
You can see that Exabeam has identified five potential security events.
Billie emailed huge amounts of data outside the company and also printed more than usual. Billie might be a malicious insider.
Watchlist
Exabeam analytics identified potential malware based on analyzed actions.
At the bottom of the screen are the “Risk Reasons”, written in easy-to-interpret language that anyone can understand.
Task Lists
Rather than manually searching across systems, Exabeam automatically creates a Smart Timeline that includes the data and context needed for your investigation.
Let’s check Data Insights for more context.
You see an odd web communication attempt that looks like malware, and Sherri’s risk score increases by 10 points.
Smart Timelines™
Drill down on any activity in the timeline.
Next we see some concerning executions, including tor.exe and @wanadecryptor@.exe.
Sherri’s score increases by 15 more points.
She then emailed lots of files to her Gmail account, clearly against internal policy.
Remediation
Now the clincher: Sherri, or an attacker using Sherri’s credentials, tried to connect to a known WannaCry ransomware domain; this added 90 points to her risk profile. Once the score is over the threshold, the event becomes an incident. Note that this occurred without any third-party security alerts.
Within a few minutes, you know that ransomware has bypassed your security controls and is an imminent threat to your organization.
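As an added illustration of the scoring walked through above (example code written for this page, not Exabeam’s own logic), the following replays a constructed event stream for Sherri, adds the tour’s point values per matched rule, leaves baseline-normal events unscored, and raises an incident once the total crosses a threshold. The rule names, the threshold of 90 and the event records are all assumptions; the page does not state Exabeam’s real threshold or rule names.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed threshold: the tour says the score went "over the threshold" but does not give its value.
INCIDENT_THRESHOLD = 90

# Assumed rule names; point values mirror the tour's narrative (+10, +15, +90).
RISK_RULES = {
    "odd_web_communication": 10,
    "suspicious_execution": 15,
    "known_ransomware_domain": 90,
}

@dataclass
class UserRisk:
    user: str
    score: int = 0
    reasons: list = field(default_factory=list)       # plain-language "risk reasons"
    incident_event: Optional[int] = None              # index of the event that crossed the threshold

def score_events(user, events):
    """Replay events in order. Each event whose rule matches adds points and a risk reason;
    events with no matching rule are within the user's normal baseline and add nothing."""
    state = UserRisk(user)
    for i, event in enumerate(events):
        points = RISK_RULES.get(event.get("rule"), 0)
        if points == 0:
            continue  # normal activity: score unchanged
        state.score += points
        state.reasons.append(f"+{points}: {event['detail']}")
        if state.incident_event is None and state.score > INCIDENT_THRESHOLD:
            state.incident_event = i  # first event that pushed the user over the threshold
    return state

# Constructed event stream mirroring the tour (not real telemetry).
SHERRI_EVENTS = [
    {"rule": None, "detail": "login from usual workstation during business hours"},
    {"rule": "odd_web_communication", "detail": "odd web communication attempt, looks like malware"},
    {"rule": "suspicious_execution", "detail": "executions of tor.exe and @wanadecryptor@.exe"},
    {"rule": "known_ransomware_domain", "detail": "connection attempt to known WannaCry domain"},
]

if __name__ == "__main__":
    result = score_events("Sherri Lee", SHERRI_EVENTS)
    print(result.user, "risk score:", result.score)
    for reason in result.reasons:
        print("  ", reason)
    if result.incident_event is not None:
        print("INCIDENT raised at event index", result.incident_event)
```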
Checklists can be modified for any step of your investigation. We even allow you to automate responses based on the risk score.
Automated Response
The Exabeam Smart Timeline illustrated the story. Ransomware checklists guided the next steps in the investigation, and all of the questions needed to complete the investigation were answered.
Another benefit is the audit trail: we provide a complete picture of all the steps taken in this investigation. Some teams use it to train new analysts. Now that you know there’s an incident, let's see how Exabeam helps resolve it fast.
Workbench
When you run the turnkey Malware playbook, it kicks off a request to look up the files in VirusTotal and scans the file using YARA. You see the results within a single view, saving you time.
The playbook also shows geolocation information and domain scores, automatically providing you with critical information for your investigation.
Now that we know there is a security incident, you can take remediation actions directly within Exabeam; no coding or programming required.
Exabeam playbooks help standardize your triage, investigation, and response processes, making them repeatable regardless of the expertise of your analysts. That’s External Threat Detection, Investigation, and Response the Exabeam way.
External threats can, and will, get past your controls. Exabeam gives you the confidence to:
Detect external-based threats by analyzing the attacker's behavior
Quickly and consistently conduct comprehensive investigations
Automate response actions to mitigate damage
Eliminate some of your blind spots
Exabeam shines a light on external attackers.
They may find a way in, but they cannot hide.
Request a 30-minute live demo with an Exabeam Expert.