We are particularly pleased to see a wide variety of questions being asked of Cyberseer’s Threat Analysts who are recognised for their expert capabilities in research, monitoring and in-depth investigations using the Exabeam Security Intelligence Platform.
To help you find the answers you are looking for more easily, we have listed the questions here. Just click on the question and it will take you to the answer. If your question isn’t listed, please send it to our Threat Analysts team.
UEBA is a cyber security process that addresses many use cases and solves many problems around the detection of insider threats, targeted attacks and malicious and abusive behaviour which goes unnoticed by existing security monitoring systems, such as SIEM and DLP. UEBA solutions look at patterns of human behaviour and then apply algorithms and statistical analysis to detect meaningful anomalies from those patterns that are indicative of threat.
The Exabeam Security Platform is delivered as a single physical or virtual appliance and can be installed, configured and, subject to the quality and hygiene of the log data being fed into the solution, up and running in a matter of hours. All user interfaces are accessed by a web browser, including Exabeam Advanced Analytics, Exabeam Log Manager and Exabeam Incident Responder.
All Exabeam appliances are 1U boxes.
Exabeam ingests data from different log sources, such as Windows, AD, VPN, database, badge file, proxy, endpoints, etc. It supports up to 1,200 manufacturers out of the box. If a log source is not supported then it takes around 48 hours to get a custom parser written to add it.
The Exabeam platform integrates easily into your existing security infrastructure. If you do not have the resources in-house, Cyberseer can install, configure and operate the Exabeam appliance as part of our threat detection and analysis managed service.
Cyberseer offers a threat detection and analysis service which leverages expert human analysis to provide real-time, accurate and actionable intelligence about threats identified in an enterprise environment.
Cyberseer’s Analysts are experts in interpreting suspicious activities around probable threats and recommending appropriate mitigation. This service involves analysing the results from behavioural modelling technology and proactively investigating the severity of any anomalies that may be indicative of threat.
Investigative work is collated into a comprehensive threat report of discovered threats which are classified and scored in terms of severity and confidence, in conjunction with recommended actions.
Exabeam not only compares an individual’s behaviour to themselves but also to their peers in the organisation. For example, if during Exabeam’s learning period, Dan in HR is exfiltrating data out of the company to China every Tuesday at 11 pm, that behaviour may be considered normal for Dan and Exabeam will know no difference.
However, his behaviour is also compared to his peers in HR. It is unlikely that anyone else in HR is sending data to China on that same day at the same time and therefore Exabeam would highlight Dan’s activity as risky and abnormal compared to his peers.
If behaviour during a user session is flagged as risky and after an investigation is deemed to be acceptable for that user, then there is the ability to accept the session. Exabeam then learns not to give that behaviour such a high-risk score if it is seen again. If that behaviour is seen multiple times then it will learn it is normal over time and no risk score will be applied.
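The peer-group comparison, the accepted-session feedback loop and an additive alert threshold, modelled in a small added Python example (this is not Exabeam's algorithm or code; the users, departments, point values and syslog line format are assumptions):

```python
from collections import Counter, defaultdict

# Constructed history: (user, dept, weekday, hour, dest_country). Dan sends to CN every Tue 23:00; no HR peer does.
HISTORY = [("dan", "HR", "Tue", 23, "CN")] * 8 + [
    ("dan", "HR", "Mon", 10, "GB"), ("alice", "HR", "Tue", 10, "GB"),
    ("alice", "HR", "Wed", 14, "GB"), ("bob", "HR", "Tue", 9, "GB"),
    ("bob", "HR", "Thu", 16, "GB"),
]

def self_key(day, hour, dest):
    return (day, hour, dest)                         # the user's exact habit

def peer_key(day, hour, dest):
    shift = "after_hours" if hour >= 20 or hour < 6 else "office_hours"
    return (shift, dest)                             # coarser pattern for peer comparison

def build_baselines(history):
    """Learn each user's own habits and which users in each department show each peer pattern."""
    users = defaultdict(Counter)                     # user -> habit -> count
    depts = defaultdict(lambda: defaultdict(set))    # dept -> pattern -> users seen doing it
    for user, dept, day, hour, dest in history:
        users[user][self_key(day, hour, dest)] += 1
        depts[dept][peer_key(day, hour, dest)].add(user)
    return users, depts

def score_event(event, baselines, accepted, self_pts=20, peer_pts=30):
    """Additive risk: points if the event is new for this user, points if no peer in the
    department shows it. Each accepted session halves the peer points; three acceptances zero them."""
    user, dept, day, hour, dest = event
    users, depts = baselines
    score = self_pts if users[user][self_key(day, hour, dest)] == 0 else 0
    pkey = peer_key(day, hour, dest)
    if not (depts[dept][pkey] - {user}):             # nobody else in the department does this
        n = accepted.get((user, pkey), 0)            # times an analyst accepted this pattern
        score += peer_pts // (2 ** n) if n < 3 else 0
    return score

def session_alert(events, baselines, accepted, threshold=25):
    """Sum the event scores of one session; return a syslog-style alert line (assumed format)
    when the additive score exceeds the threshold, otherwise None."""
    total = sum(score_event(e, baselines, accepted) for e in events)
    if total > threshold:
        return f"<13>ueba: user={events[0][0]} session_risk={total} threshold={threshold}"
    return None

if __name__ == "__main__":
    base, accepted, dan = build_baselines(HISTORY), {}, [("dan", "HR", "Tue", 23, "CN")]
    print(session_alert(dan, base, accepted))        # alerts: normal for Dan, abnormal for HR
    accepted[("dan", ("after_hours", "CN"))] = 3     # analyst accepted the session repeatedly
    print(session_alert(dan, base, accepted))        # None: learned as normal
```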
Exabeam doesn’t predict an attack. It is a threat detection solution.
Yes, Exabeam offers an Incident Response solution that provides workflows, including automated ones, to follow depending on the type of threat detected by the Exabeam Advanced Analytics solution.
We have APIs so that Exabeam data can appear in other products, e.g. QRadar and a Splunk app. The entire web GUI exposes a RESTful API.
Yes, it can run in AWS. Exabeam itself can run as a VM.
Yes, role-based access control (RBAC) is supported. Exabeam provides the option to obfuscate the subject's credential name and all associated Personally Identifiable Information (PII) (full name, department, job role, manager name, location, etc.). Once enabled, PII data within Exabeam is either hidden or hashed in the user interface and may be de-obfuscated only by members of the Data Privacy Officer (DPO) role.
This supports a workflow whereby Analysts can respond to incidents and triage risky session activities without visibility of any PII. When reasonable grounds for a full investigation of an individual's activities have been established, an escalation to the DPO is made and, where appropriate, the complete session details may be exposed so that a full investigation can be concluded.
Yes. Risk scores can be configured to reflect higher-priority servers, applications or users with admin rights. An additive score of over X generates a syslog message for a generic SIEM or a Splunk alert.
Attackers know that many businesses have two-factor authentication and will build remote-controlled malware that harvests the user's credentials and waits until the two-factor step is complete before running. This is the classic Man in the Machine attack. We've also seen two-factor misconfigured, leaving a back door open (humans make mistakes).
Approximately 120 days of log data are stored on the Exabeam system before they are rolled off. For more data, the right place to store logs is in your log management system or a NAS. User sessions are stored for a year.
By combining Exabeam’s machine learning approach to advanced threat detection with human intelligence of Cyberseer’s forensic Security Analysts, you can:
If you would like to know more then you can download a data sheet, white paper, request a demo or get in touch with us!