
Exabeam handles security threats in real time with user behavior intelligence

Too many firms lack security visibility into their networks, while hackers prowl using stolen credentials. The solution, says Exabeam, requires user behavior intelligence.


The biggest data security threat to enterprises, said Exabeam CEO Nir Polak, "is their lack of visibility into their networks and the amount of time it takes them to find the threat actors using valid credentials to get inside their IT infrastructure." He added that "most organizations don't have a strategy for dealing with this identification problem." Exabeam's approach is to employ "user behavior intelligence and credential use tracking" as a solution to the rising tide of more sophisticated cyberattacks.

Silicon Valley enterprise startup Exabeam has developed a big data security analytics solution meant to enable security teams to respond to insider threats and cyberattacks in real time. The solution is currently in beta.

In an email Q&A with TechRepublic, Polak also discussed the factors that hamper IT pros' efforts to combat security threats, said that attacks increasingly are aimed at destroying data and systems, and that companies are dealing with a lack of security skills in the job market. In addition, he answered questions about Exabeam's technology and goals, and the release of its User Behavior Intelligence Platform in October 2014.

TechRepublic: What are the biggest data security threats for enterprises right now?

Nir Polak: There is a confluence of several factors that keep today's IT professionals from effectively detecting security threats. The habitual underfunding of cybersecurity budgets, the adoption of BYOD practices across companies and government agencies, and the proliferation of social engineering attacker tools used to penetrate an organization are all contributing security threats.

The biggest threat to organizations is their lack of visibility into their networks and the amount of time it takes them to find the threat actors using valid credentials to get inside their IT infrastructure and blend in with normal user traffic. The use of valid credentials supports multiple phases of the typical attack chain. Most organizations don't have a strategy for dealing with this identification problem once the attacker gets inside — an event that is almost inevitable. We see user behavior intelligence and credential use tracking as a strategy for dealing with this problem.

TechRepublic: What do you consider to be the main data security trends over the next one to two years?

Nir Polak: We've seen attacks in which data has been stolen by the attacker because of its value and sold to the highest bidder. The Stuxnet attack in Iran, the Aramco breach in Saudi Arabia, and the Sands Casino properties breach are the first examples of a new wave of the worst kinds of attacks: ones that destroy data and systems. These kinds of attacks can destroy a business or disrupt critical infrastructure beyond creating a bad reputation and a hefty price tag.

Over the next few years, we will see an acceleration in the amount of money being spent on security, both on personnel and solutions. The cybersecurity industry is being flooded with recent college grads who have little real-world experience, creating a bidding war environment for top talent. Senior-level security practitioners will have to spend time training junior staff while continuing to deal with a growing pool of threat actors.

Driven in part by the ongoing skills shortage, we'll see a shift away from the purchase of platforms to the purchase of solutions. (We are defining a solution as something that solves a problem with little user intervention.) Since new platforms, in general, require some level of expertise, they generally take longer to learn and get the most out of. Existing security platforms will be looked at as scalable data collection or creation systems that complete solutions will plug into.

TechRepublic: How would you introduce Exabeam's User Behavior Intelligence platform to an infosecurity professional?

Nir Polak: Usually, it starts with a discussion about the traditional lack of a strategy employed to deal with portions of the attack chain where the attacker is resident inside the network. At this point, the attacker is accessing systems and performing actions that are inconsistent with normal user behaviors. This is the longest portion of the attack and can last days, weeks, months, or in one recent case, five years. The discussion reveals the flaws in current strategies that focus only on two short-term periods of the attack chain: the detection of the moment of initial attack and the data exfiltration phase.

After that, we talk about the difference between a security point product and our approach, which uses security information and event management (SIEM) technology. The SIEM approach forces security teams to take an alert and try to tie it to a user's activity, whereas a security point product will only find abnormal user behaviors and require the security team to tie alerts back to the user. The latter has always been the harder problem to solve.

Finally, we talk about how Exabeam creates a fingerprint of normal users, learns it, and uses behavior models that have been custom built for security and user activity data. Too often, solutions use off-the-shelf algorithms created for very linear data and apply them to non-linear data sets generated in dynamic business environments. Implementing this type of solution can compound the number of false positive alerts for the security team.

TechRepublic: In the crowded and active security marketplace, what differentiates your technology as an enterprise solution? What do other solutions lack, in your view?

Nir Polak: Exabeam has developed and refined the user behavior intelligence approach to security. Its second strategic layer after initial compromise detection is finding the attacker that is impersonating a legitimate user. It also drives down the level of expertise and the amount of time needed to achieve this type of detection.

Many vendors have managed to convince buyers that gaining insight into a problem is the same as gaining a solution to a problem. This is not a subtle difference. Insight is useful in that it may provide a user with a clue, forcing him to do additional work to uncover a problem. A solution solves a problem. Exabeam solves the attacker visibility problem by identifying and stopping the attacker in real time.

TechRepublic: What are the main benefits of the Exabeam security solution?

Nir Polak:

  • We make it easy to identify a hacker using legitimate credentials to access a network, showing IT teams the subtle divergence between legitimate user behavior and attacker behavior.
  • We perform stateful user tracking and user session assembly so IT teams can chain together attacker activity, seeing the systems the attacker has touched, any identity switches used, and all IP address changes.
  • We present this data in a visual, self-explanatory way that allows a security analyst to pick up the phone, call a user, and ask, "Was that you logging in from Shanghai over the VPN to the terminal server, switching identities, accessing servers we've never seen you or your peers accessing before, and pulling data off of them via FTP?"

These are all activities that have traditionally required a great deal of expertise from tier-three security analysts and usually take days to perform. We reduce these activities to a matter of seconds and use transparent risk scoring to drastically reduce any chance of a false positive.
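The session assembly and transparent risk scoring described in this answer, as an added illustration written for this article (example code, not Exabeam's software): it stitches a VPN login, a terminal-server hop, an identity switch and a data pull into one user session, and attaches a readable reason to every score point. The log events, user and peer baselines, score weights and field names are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Event:  # one normalized log record
    t: str; user: str; src: str; dst: str; action: str
    geo: str = ""; new_user: str = ""; assigned_ip: str = ""; detail: str = ""
# Constructed sample events, not real logs: jdoe's VPN session hops to a terminal server,
# switches identity and pulls data from a finance host; asmith is ordinary traffic.
EVENTS = [
    Event("09:00", "jdoe", "198.51.100.9", "vpn-gw", "vpn_login", geo="CN", assigned_ip="10.8.0.23"),
    Event("09:02", "asmith", "203.0.113.5", "vpn-gw", "vpn_login", geo="US", assigned_ip="10.8.0.41"),
    Event("09:04", "jdoe", "10.8.0.23", "ts01", "rdp_login"),
    Event("09:06", "jdoe", "ts01", "ts01", "identity_switch", new_user="svc_backup"),
    Event("09:08", "svc_backup", "ts01", "db-fin-02", "smb_access"),
    Event("09:15", "svc_backup", "ts01", "db-fin-02", "ftp_get", detail="340MB"),
    Event("09:20", "asmith", "10.8.0.41", "wiki", "http_access"),
]
# Constructed baselines: where each user, and the user's peer group, is normally seen
BASELINE = {
    "jdoe":   {"countries": {"US"}, "hosts": {"ts01", "wiki"}, "peer_hosts": {"ts01", "wiki", "hr-app"}},
    "asmith": {"countries": {"US"}, "hosts": {"wiki"}, "peer_hosts": {"ts01", "wiki", "hr-app"}},
}
ACCESS = {"rdp_login", "ssh_login", "smb_access", "http_access", "ftp_get"}
def assemble(events):
    """Stitch events into sessions by following the identities and source addresses each session acquires."""
    sessions = []  # each: {"owner", "users", "addrs", "events"}
    for e in events:
        s = next((s for s in sessions if e.user in s["users"] and e.src in s["addrs"]), None)
        if s is None:
            if e.action != "vpn_login": continue  # only an entry point opens a session; else orphan event
            s = {"owner": e.user, "users": {e.user}, "addrs": {e.src, e.assigned_ip}, "events": []}
            sessions.append(s)
        s["events"].append(e)
        if e.action == "identity_switch": s["users"].add(e.new_user)  # svc_backup stays in jdoe's session
        if e.action in ("rdp_login", "ssh_login"): s["addrs"].add(e.dst)  # later activity comes from the hop
    return sessions
def score(s):
    """Transparent risk score: every point carries the reason an analyst would read out to the user."""
    prof = BASELINE[s["owner"]]
    known, novel, pts, reasons = prof["hosts"] | prof["peer_hosts"], set(), 0, []
    for e in s["events"]:
        if e.action == "vpn_login" and e.geo not in prof["countries"]:
            pts += 30; reasons.append(f"VPN login from {e.geo}; {s['owner']} normally seen in {sorted(prof['countries'])}")
        if e.action == "identity_switch":
            pts += 20; reasons.append(f"identity switch {e.user} -> {e.new_user} on {e.src}")
        if e.action in ACCESS and e.dst not in known | novel:
            novel.add(e.dst); pts += 25; reasons.append(f"{e.user} reached {e.dst}, never seen for {s['owner']} or peers")
        if e.action == "ftp_get":
            pts += 15; reasons.append(f"bulk FTP pull from {e.dst} ({e.detail})")
    return pts, reasons
```

Running `score` over the sessions from `assemble(EVENTS)` gives jdoe's session 90 points with four reasons and asmith's session zero, which is the phone-call-ready summary the answer describes.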

TechRepublic: What results and feedback have your customers reported since your launch in October 2014 of the User Behavior Intelligence platform?

Nir Polak: The results so far have been extremely positive. Just a few of the many suspicious behaviors our customers have identified with Exabeam include:

  • A human resources (HR) department employee's credentials being used to log into thousands of point-of-sale systems;
  • Factory floor terminals being used to access HR system data;
  • The discovery of a user connecting to a corporate VPN from a Tor network (a network that disguises an identity by moving traffic across different servers); and
  • A multitude of security policy violations.

These elements of various attack chains would have taken days to uncover without a user behavior intelligence tool and may never have been seen using more traditional SIEM tool sets, yet the underlying data was all found in the customer's SIEM log data repository. Exabeam was able to go the extra step and spotlight these unusual behaviors.

TechRepublic: What are your major goals through 2015? Do you have a plan for coming out of beta?

Nir Polak: Platforms that require you to "ask your data questions" have been the focus of vendors for the last few years, and there is pent-up demand for real solutions to real problems. Even though we are still in beta, we already have customers using the product in a production environment and many customers telling us they are ready to buy now.

We find that the best way to build and launch a product is to listen to customer needs and success stories. We use their needs and desires as a roadmap to build a product that will best support their businesses. As success stories start to develop from beta customers, we will begin to share these with other potential customers and the media to explain to the industry what is possible.

User behavior intelligence is a new product category and we have to constantly work to create awareness. Because security professionals have been taking the same approach to the same problem for so long, getting people to think differently takes time. The simplicity of the user interface and the value of the information being provided to the security team likens Exabeam to a master analyst on the response unit. As we launch out of beta, we have to explain the hard problems the system is solving under the hood while it tactfully tracks the use of credentials and presents the entire attack chain to the IT security team.


Disclaimer: TechRepublic, ZDNet, and CNET are CBS Interactive properties.

About Brian Taylor

Brian Taylor is a contributing writer for TechRepublic. He covers the tech trends, solutions, risks, and research that IT leaders need to know about, from startups to the enterprise. Technology is creating a new world, and he loves to report on it.
