Download Exabeam
Author: a | 2025-04-23
Exabeam Product Deployment in On-premises or Virtual Environments. Installation Pre-Check for Exabeam Products; Troubleshooting an Installation. Ansible Failure; Error: Multiple Interfaces Detected; Administrator Operations. Exabeam Licenses. License Lifecycle; Types of Exabeam Product Licenses; Download an On-premises or Cloud Exabeam License
ACCESS SECURITY
Monitor building access and geolocation
Exabeam detects changes in behavior, such as badging into a building or a user traveling between locations at an impossible speed. These incidents could point to an employee who has shared their badge, or to a malicious insider attempting to access and destroy physical assets.

Frequently Asked Questions

How does Exabeam cover insider threats?
Exabeam covers insider threats through two main categories:
Malicious Insiders: Abnormal Authentication and Access, Data Leak, Privilege Abuse, Destruction of Data, Data Access, Workforce Protection, Audit Tampering, Physical Security.
Compromised Insiders: Data Exfiltration, Privileged Activity, Compromised Credentials, Lateral Movement, Account Manipulation, Evasion, Privilege Escalation, Cloud Data Protection.
These indicators are monitored through rule coverage within Outcomes Navigator, which is included with the platform. To monitor insider threats comprehensively, log sourcing for each category is advised. Exabeam provides pre-deployment workshops and online documentation detailing the content and sources for each. Essential logs include login/authentication events, server/asset access, and data exfiltration indicators.

Does Exabeam map Lateral Movement to the MITRE ATT&CK® framework?
Yes. The Lateral Movement tactic includes the Remote Services technique, which in turn encompasses sub-techniques such as Remote Desktop Protocol (RDP), SMB/Windows Admin Shares, Distributed Component Object Model (DCOM), Secure Shell (SSH), Virtual Network Computing (VNC), and Windows Remote Management (WinRM). Each of these services can be abused in different ways. Exabeam detects lateral movement and insider threats with UEBA, lets you build correlation rules to alert and open cases, automates responses through Automation Management, and offers pre-built dashboards sorted by ATT&CK TTPs.

Can I keep my current SIEM and use Exabeam as augmentation?
Absolutely. 
Many customers integrate data feeds from SIEMs such as Splunk, Microsoft Sentinel, IBM QRadar, OpenText ArcSight, McAfee Nitro, Sumo Logic, and Google Cloud Pub/Sub. Exabeam offers fast integration and time to value, enhancing your existing SIEM with UEBA and efficient workflows, without the need for extensive team re-training.

What common SIEMs can Exabeam augment with AI-driven threat detection, investigation, and response?
Exabeam has pre-built collectors for several common SIEM platforms, including Splunk Enterprise Security, IBM QRadar, Microsoft Sentinel, XDR, and Sentinel. Additional supported vendors include Palo Alto Networks, Fortinet, CrowdStrike, and others, detailed here.

“In 90% of real attacks, we see compromised credentials used, which can be very hard to detect and defend. We chose Exabeam because their tools can successfully detect these kinds of attacks as they use many sources, not just security alerts. Their technology effectively analyzes and baselines normal usage to quickly alert.

Installing a release:
1. Change the user to the Exabeam account with sudo su exabeam.
2. Download the .sxb file to the /home/exabeam directory.
3. Run chmod +x release.sxb, where release is the name of the .sxb file you are installing.
4. Download the release you need from the Exabeam Community.
Pricing for RSA NetWitness UEBA is based on users monitored, and pricing for RSA NetWitness Orchestrator is based on the number of analysts. RSA NetWitness Logs and RSA NetWitness Network can be licensed by appliance capacity (for physical appliances) or by a metered (data volume) license on a perpetual or term basis. Metered licensing provides entitlements to all required components. Customers can mix appliance and metered licensing to enable granular capacity growth across the deployment architecture.

To Take Under Advisement: The number of technical components of the RSA NWP solution and the licensing models provide extensive flexibility in designing the deployment architecture, but they also require an understanding of the breadth of the options and their implications for cost, functionality and scalability. RSA’s focus on larger customers and those with more mature security monitoring capabilities results in a poor match to the needs and resources of less mature buyers.

Who uses it: mid- to large-size enterprises
How it is deployed: subscription cloud service
eWEEK score: 4.7/5.0

Exabeam

Value proposition for potential buyers: Enterprises with behavior-focused use cases, along with those that want orchestration and response capabilities integrated with SIEM, should consider Exabeam SMP. Exabeam’s Security Management Platform (SMP) is composed of six products: Exabeam Data Lake, Exabeam Cloud Connectors, Exabeam Advanced Analytics, Exabeam Entity Analytics, Exabeam Threat Hunter and Exabeam Incident Responder. Each of these products has its own release/update schedule, and some are more mature than others. They are available in several form factors: hardened physical appliances, virtual appliances, and private or public cloud deployments (Amazon, Google and Azure). A deployment can combine multiple form factors (physical/virtual/cloud). Version 2 of SMP was released in March 2018. 
It included the introduction of Entity Analytics and flow collection, improvements to Incident Responder, support for more SaaS platforms, and stronger correlation rule management features and compliance reports. It also included content updates related to existing and new use cases, and a UW (ML) SDK/API.

Key values/differentiators:
The scalable architecture is based on Elasticsearch and Hadoop (HDFS), with a Kafka message bus and Spark for ML processing.
There is an easy-to-understand pricing model based on users and entities.
Orchestration and response capabilities include automated playbooks available with Incident Responder.
Note: To complete this procedure, you need administrative access to both Exabeam and your identity provider (IdP).

Log in to your IdP and perform the initial configuration steps for adding Exabeam:
1. Begin the procedure to add a new application in your IdP for Exabeam (if needed, refer to your IdP's user guide for instructions).
2. In the attribute mapping section, enter descriptive values for the IdP user attributes. You need to provide values for the following user attributes: email address, first name, last name, group, and username (this attribute is optional). For example, if Primary email is the user email attribute in your IdP, you could enter EmailAddress as the descriptive value. The following is an example of an attribute map in Google IdP:
Important: You will use the same descriptive values to map the Exabeam query attributes to the corresponding IdP user attributes.
3. Do one of the following:
   - Download the IdP metadata file. (Preferred)
   - Copy the Entity ID and Login URL (sometimes referred to as the "SSO URL"), and then download the SAML certificate (the exact names of these items may vary between IdPs).
Note: The information obtained in this step needs to be entered into Exabeam.

Log in to the New-Scale Security Operations Platform and do the following:
1. On the lower-left side of the page, click Settings, and then click Single sign-on. The Single Sign-On (SSO) page opens.
2. On the upper-right side of the page, click Add new provider.
3. In the Identity provider name box, enter a name for the IdP.
4. In the Email domains box, enter any user email domains in the IdP (example: exabeam.com).
Important: The email domains must be unique. They cannot be
Risk-aligned use cases: UEBA rules for anomalies, threat feeds on IoCs, behavior models.

LEVERAGE MACHINE LEARNING AND AI
Detect undetectable insider behavior with AI
Intentional or not, insider threats are some of the greatest risks to organizations. Whether it’s credential misuse, accessing sensitive data, or destroying proprietary information, Exabeam UEBA capabilities help you detect and respond to risky behavior patterns.

IDENTIFY ABNORMAL CREDENTIAL USAGE
You can’t fight what you can’t see
Exabeam stands out by detecting invalid use of credentials. Industry-leading behavioral detections score insider activity based on risk, revealing anomalies. Most SIEMs can’t provide this, and EDR tools lack the context.

UNCOVER AUDIT TAMPERING
Identify and isolate log tampering
An insider with knowledge of auditing and event logging can tamper with or clear logs to avoid detection. Exabeam enriches abnormal activity with user and business context data, so analysts can determine whether an insider is tampering and acting with malicious intent.

DELETION AND DESTRUCTION OF DATA
Monitor user activity, flag abnormalities
A malicious insider may intentionally destroy critical business information in order to disrupt operations or cause financial harm. Exabeam baselines user activity and flags abnormalities in the number of files deleted, helping detect malicious insiders motivated to wreak havoc on an organization.

DETECT MALICIOUS INSIDERS
Spotting credential misuse for personal gain
Malicious insiders pose a significant risk due to their access and knowledge of secrets, vulnerable IPs, and critical systems. Organizations need comprehensive monitoring and instant incident scope measurements for rapid risk communication.

DISCOVER DATA LEAKAGE
Understand user intent quickly and accurately
Data leaks can closely resemble normal activity, making them challenging to detect. 
The Exabeam platform combines DLP alerts with authentication, access, and contextual data sources, viewable in a user activity timeline that gives a complete picture of a user’s activity.
Determine the intent of user activity
Analyze initial or failed host access against historical behavior

MONITOR PRIVILEGED USERS
Attackers exploit privileged accounts to evade security measures, disrupt operations, or exfiltrate sensitive data. Exabeam detects and prevents unauthorized privileged activity by analyzing user context and identifying abnormal behavior patterns.

DETECT PRIVILEGE ESCALATION
Monitor credential use, identify anomalies
Privilege escalation grants unrestricted access to critical assets. Exabeam combats this by detecting techniques like credential enumeration and BloodHound execution, thwarting attackers’ privilege escalation attempts.

MONITOR FOR DATA ACCESS ABUSE
Identify and isolate high-risk access to sensitive corporate data
Malicious insiders abuse their privileges to access sensitive corporate data. Flagging anomalous activity helps security teams detect a malicious insider abusing data access, preventing them from causing greater harm to their organization.
Establish what normal access activity looks like
Analyze access against historical behavior

PHYSICAL