Exabeam FAQs

Official partner of Cyberseer

We are particularly pleased to see a wide variety of questions being asked of Cyberseer’s Threat Analysts who are recognised for their expert capabilities in research, monitoring and in-depth investigations using the Exabeam Security Intelligence Platform. To help you find the answers you are looking for more easily, we have listed the questions here. Just click on the question and it will take you to the answer. If your question isn’t listed, please send it to our Threat Analysts team.

What is User & Entity Behaviour Analytics (UEBA)?

UEBA is a cyber security process that addresses many use cases and solves many problems around the detection of insider threats, targeted attacks and malicious and abusive behaviour which goes unnoticed by existing security monitoring systems, such as SIEM and DLP. UEBA solutions look at patterns of human behaviour and then apply algorithms and statistical analysis to detect meaningful anomalies from those patterns that are indicative of threat.

Where can I put Exabeam?

The Exabeam Security Platform is delivered as a single physical or virtual appliance and can be installed, configured and, subject to the quality and hygiene of the log data being fed into the solution, up and running in a matter of hours. All user interfaces are accessed by a web browser, including Exabeam Advanced Analytics, Exabeam Log Manager and Exabeam Incident Responder.

How much rack space does Exabeam take up?

All Exabeam appliances are 1U boxes.

What data can Exabeam ingest?

Exabeam ingests data from different log sources, such as Windows, AD, VPN, database, badge file, proxy, endpoints, etc. It supports up to 1,200 manufacturers out of the box. If a log source is not supported then it takes around 48 hours to get a custom parser written to add it.

How much resource do I need to run Exabeam?

The Exabeam platform integrates readily into your existing security infrastructure. If you do not have the resources in house, Cyberseer can install, configure and operate the Exabeam appliance as part of our threat detection and analysis managed service.

What is Cyberseer’s Managed Security Service?

Cyberseer offers a threat detection and analysis service which leverages expert human analysis to provide real-time, accurate and actionable intelligence about threats identified in an enterprise environment. Cyberseer’s Analysts are experts in interpreting suspicious activities around probable threats and recommending appropriate mitigation. This service involves analysing the results from behavioural modelling technology and proactively investigating the severity of any anomalies that may be indicative of threat. Investigative work is collated into a comprehensive threat report of discovered threats which are classified and scored in terms of severity and confidence, in conjunction with recommended actions.

Exabeam takes 2-3 weeks to learn what normal user behaviour looks like for an enterprise. If there is a compromise or breach during those 2-3 weeks how will Exabeam know that user behaviour is abnormal?

Exabeam not only compares an individual’s behaviour to their own history but also to that of their peers in the organisation. For example, if during Exabeam’s learning period Dan in HR is exfiltrating data out of the company to China every Tuesday at 11 pm, that behaviour may be considered normal for Dan and his own baseline alone would show nothing unusual. However, his behaviour is also compared to that of his peers in HR. It is unlikely that anyone else in HR is sending data to China on that same day at the same time, and therefore Exabeam would highlight Dan’s activity as risky and abnormal compared to his peers.
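The peer-group comparison described above, as an added illustration that is not Exabeam’s or Cyberseer’s code: a behaviour pattern is checked against the user’s own history and, separately, against the history of everyone else in the same department. The events, the 100 MB “bulk transfer” cut-off and the 5% rarity threshold are constructed assumptions.

```python
# Added illustration of peer-group comparison; not Exabeam code. All data is constructed.
from collections import namedtuple

Event = namedtuple("Event", "user dept weekday hour bytes_out dest_country")

LARGE_TRANSFER = 100_000_000   # assumption: >= 100 MB counts as a bulk transfer
RARE = 0.05                    # assumption: a pattern seen in < 5% of a baseline is rare


def pattern(ev):
    """The behaviour being compared: when, to which country, and whether it was bulk."""
    return (ev.weekday, ev.hour, ev.dest_country, ev.bytes_out >= LARGE_TRANSFER)


def learning_period_events():
    """Constructed history covering the learning period."""
    events = []
    for _ in range(3):   # Dan's weekly Tuesday 23:00 bulk transfer to CN
        events.append(Event("dan", "HR", "Tue", 23, 500_000_000, "CN"))
    for _ in range(10):  # Dan's ordinary daytime work
        events.append(Event("dan", "HR", "Mon", 10, 2_000, "GB"))
    for peer in ("ann", "bob", "cara"):  # the rest of HR: daytime, small, domestic
        for day in ("Mon", "Tue", "Wed"):
            events.append(Event(peer, "HR", day, 10, 3_000, "GB"))
    return events


def share(history, selector, pat):
    """Fraction of the selected baseline events that match the pattern."""
    pool = [e for e in history if selector(e)]
    if not pool:
        return 0.0
    return sum(1 for e in pool if pattern(e) == pat) / len(pool)


def assess(history, candidate):
    """Score one candidate event against the user's own baseline and the peer baseline."""
    pat = pattern(candidate)
    own = share(history, lambda e: e.user == candidate.user, pat)
    peers = share(history,
                  lambda e: e.dept == candidate.dept and e.user != candidate.user, pat)
    return {
        "own_share": round(own, 3),
        "peer_share": round(peers, 3),
        "rare_for_user": own < RARE,    # would a self-only baseline flag it?
        "rare_for_peers": peers < RARE,  # does it stand out against the department?
    }


if __name__ == "__main__":
    hist = learning_period_events()
    # Dan's transfer: normal for Dan, never seen among his peers
    print(assess(hist, Event("dan", "HR", "Tue", 23, 600_000_000, "CN")))
    # A peer's ordinary daytime event: normal on both baselines
    print(assess(hist, Event("ann", "HR", "Tue", 10, 3_000, "GB")))
```

The point of the two flags is the one the answer makes: a self-only baseline learns Dan’s exfiltration as normal (`rare_for_user` is false), while the peer baseline still flags it (`rare_for_peers` is true).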

How does Exabeam know when to learn and when to report something as anomalous?

If behaviour during a user session is flagged as risky and after an investigation is deemed to be acceptable for that user, then there is the ability to accept the session. Exabeam then learns not to give that behaviour such a high-risk score if it is seen again. If that behaviour is seen multiple times then it will learn it is normal over time and no risk score will be applied.

Can Exabeam predict an attack?

Exabeam doesn’t predict an attack. It is a threat detection solution.

Does Exabeam have alert and case management work flows?

Yes, Exabeam offers an Incident Response solution that provides workflows, including automated ones, to follow depending on the type of threat detected by Exabeam Advanced Analytics.

Does Exabeam have APIs?

We have APIs so that Exabeam data can appear in other products, e.g. the QRadar and Splunk apps. The entire web GUI exposes a RESTful API.

Can you run Exabeam in the Cloud?

Yes, it can run in AWS. Exabeam itself can run as a VM.

Is there role-based access control? What about all the sensitive PII/German Workers’ Council?

Yes, role-based access control (RBAC) is supported. Exabeam provides the option to obfuscate the subject’s credential name and all associated Personally Identifiable Information (PII) (full name, department, job role, manager name, location etc.). Once enabled, PII data within Exabeam is either hidden or hashed in the user interface and may be de-obfuscated only by members of the Data Privacy Officer (DPO) role. This supports a workflow whereby analysts can perform their job of responding to incidents and triaging risky session activities without visibility of any PII. When reasonable grounds for a full investigation of an individual’s activities have been established, an escalation to the DPO is made and, where appropriate, the complete session details may be exposed so that a full investigation can be concluded.
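The analyst/DPO workflow described above, as an added illustration that is not Exabeam’s implementation: identifying fields are replaced with a keyed hash so analysts can still correlate sessions of the same pseudonymous user, and only a caller holding the DPO role can resolve a token back to the original, with every attempt recorded. The field names, key, role names and session data are constructed assumptions.

```python
# Added illustration of role-gated PII obfuscation; not Exabeam's implementation.
# Field names, the key, role names and all session data are constructed assumptions.
import hashlib
import hmac

PII_FIELDS = ("user", "full_name", "department", "job_role", "manager", "location")
PSEUDONYM_KEY = b"constructed-demo-key"   # would come from a secrets store in practice


def pseudonym(value, key=PSEUDONYM_KEY):
    """Keyed hash: the same input maps to the same token, so sessions of one
    pseudonymous user still correlate, but the token is not reversible without the key."""
    return "pii-" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


class PrivacyVault:
    def __init__(self, key=PSEUDONYM_KEY):
        self.key = key
        self._reverse = {}     # token -> original, readable only through reveal()
        self.audit_log = []    # every reveal attempt, granted or denied

    def obfuscate(self, session):
        """Return a copy of the session with identifying fields replaced by tokens."""
        masked = dict(session)
        for field in PII_FIELDS:
            if field in masked:
                token = pseudonym(masked[field], self.key)
                self._reverse[token] = masked[field]
                masked[field] = token
        return masked

    def reveal(self, token, requester, role, case_id):
        """De-obfuscate one token. Only the DPO role succeeds; every attempt is logged."""
        granted = role == "DPO"
        self.audit_log.append({"requester": requester, "role": role,
                               "case": case_id, "token": token, "granted": granted})
        if not granted:
            raise PermissionError(f"{requester} ({role}) may not de-obfuscate PII")
        return self._reverse[token]


def triage_then_escalate():
    """Walk the workflow: analyst triages masked data, DPO resolves identity on escalation."""
    vault = PrivacyVault()
    session = {"session_id": "sess-0001", "user": "dan", "full_name": "Dan Example",
               "department": "HR", "job_role": "HR Advisor", "risk_score": 135}
    masked = vault.obfuscate(session)          # what the analyst sees
    try:
        vault.reveal(masked["user"], "analyst1", "Analyst", "CASE-42")
        analyst_blocked = False
    except PermissionError:
        analyst_blocked = True
    identity = vault.reveal(masked["user"], "dpo1", "DPO", "CASE-42")   # escalation
    return {"masked": masked, "analyst_blocked": analyst_blocked,
            "identity": identity, "audit": vault.audit_log}


if __name__ == "__main__":
    print(triage_then_escalate())
```

Non-identifying fields such as `risk_score` pass through untouched, which is what lets triage continue on masked data.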

Can risk scoring be changed?

Yes. Risk scores can be configured to reflect higher-priority servers, applications or users with admin rights. An additive score of over X generates a syslog message for a generic SIEM or a Splunk alert.
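The two mechanisms described above and under “How does Exabeam know when to learn”, as one added illustration that is not Exabeam’s scoring engine: rule points add up across a session, higher-priority assets and admin users weigh more, an accepted session lowers the weight of those rules for that user until they score nothing, and a score over the threshold X emits a syslog-format line. Rule names, point values, multipliers, the threshold of 90 and the halving-per-acceptance decay are constructed assumptions.

```python
# Added illustration of additive risk scoring with analyst feedback; not Exabeam's engine.
# Rule names, point values, multipliers, the threshold and the decay are constructed assumptions.
from collections import Counter

RULE_POINTS = {
    "first_vpn_from_country": 30,
    "first_access_to_server": 25,
    "abnormal_hour_logon": 15,
    "large_outbound_transfer": 40,
}
ASSET_MULTIPLIER = {"crown-jewel-db": 2.0}   # higher-priority servers weigh more
ADMIN_MULTIPLIER = 1.5                        # sessions of users with admin rights weigh more
ALERT_THRESHOLD = 90                          # the "X" above which a syslog alert is emitted


class RiskModel:
    def __init__(self, threshold=ALERT_THRESHOLD):
        self.threshold = threshold
        self.accepted = Counter()   # (user, rule) -> times an analyst accepted it as benign

    def rule_weight(self, user, rule):
        """Each acceptance halves the rule's points for that user; after three it scores nothing."""
        n = self.accepted[(user, rule)]
        return 0.0 if n >= 3 else 0.5 ** n

    def score_session(self, session):
        total = 0.0
        for trig in session["triggers"]:
            pts = RULE_POINTS[trig["rule"]] * self.rule_weight(session["user"], trig["rule"])
            pts *= ASSET_MULTIPLIER.get(trig.get("asset"), 1.0)
            total += pts
        if session.get("is_admin"):
            total *= ADMIN_MULTIPLIER
        return round(total, 1)

    def accept_session(self, session):
        """Analyst feedback: the flagged behaviour is acceptable for this user."""
        for trig in session["triggers"]:
            self.accepted[(session["user"], trig["rule"])] += 1

    def alert_if_needed(self, session):
        score = self.score_session(session)
        return syslog_line(session, score) if score > self.threshold else None


def syslog_line(session, score):
    """RFC 5424-style line: facility local0 (16) * 8 + severity warning (4) = PRI 132."""
    rules = ",".join(t["rule"] for t in session["triggers"])
    return (f'<132>1 {session["end"]} exabeam-aa ueba - - - '
            f'user="{session["user"]}" session="{session["id"]}" score={score} rules="{rules}"')


def constructed_session():
    """Constructed session: Dan's late-night VPN logon, crown-jewel access and bulk transfer."""
    return {
        "id": "sess-0001", "user": "dan", "end": "2017-10-03T23:40:00Z", "is_admin": False,
        "triggers": [
            {"rule": "first_vpn_from_country"},
            {"rule": "first_access_to_server", "asset": "crown-jewel-db"},
            {"rule": "abnormal_hour_logon"},
            {"rule": "large_outbound_transfer"},
        ],
    }


if __name__ == "__main__":
    model, sess = RiskModel(), constructed_session()
    print(model.alert_if_needed(sess))   # first sighting: 135.0 > 90, alert line emitted
    model.accept_session(sess)
    print(model.score_session(sess))     # 67.5, below the threshold
    model.accept_session(sess)
    model.accept_session(sess)
    print(model.score_session(sess))     # 0.0: learned as normal for this user
```

Feedback is tracked per (user, rule) rather than globally, so accepting Dan’s session does not quieten the same rule for everyone else in the organisation.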

I have two-factor authentication, why do I need Exabeam?

Attackers know that many businesses have two-factor authentication and will build remote-controlled malware that harvests the user’s credentials and waits until the two-factor step is complete before running. This is the classic Man in the Machine attack. We’ve also seen two-factor misconfigured, leaving a back door open (humans make mistakes).

How much storage of data is required?

Approximately 120 days of log data are stored on the Exabeam system before they are rolled off. For more data, the right place to store logs is in your log management system or a NAS. User sessions are stored for a year.

Why have a Proof of Concept (PoC) for Cyberseer’s managed service proposal powered by Exabeam’s Security Intelligence?

By combining Exabeam’s machine learning approach to advanced threat detection with the human intelligence of Cyberseer’s forensic Security Analysts, you can:
  • Reduce the risk of data theft by detecting whether attackers have stolen employees’ credentials to gain access to the corporate network.
  • Dramatically reduce the risk of fines enforced under the new data protection regulations starting in 2018 by detecting a compromise before any breach occurs.
  • Adhere to regulatory bodies’ requirements for organisations to demonstrate effective controls to protect customer data, with comprehensive reports of all access made to confidential customer data.
  • Detect whether an attacker has privileged user credentials to access sensitive or confidential corporate data.
  • Monitor the activity of employees who have resigned and be alerted to any unusual activity such as stolen corporate data or files.

Interested in this technology?

If you would like to know more then you can download a data sheet, white paper, request a demo or get in touch with us!