Exabeam POC Considerations

May 5, 2024

Exabeam provides security intelligence and management solutions to help organizations of any size protect their most valuable information.

The Exabeam Security Intelligence Platform uniquely combines a data lake for unlimited data collection at a predictable price, machine learning for advanced analytics, and automated incident response into an integrated set of products.

The result is the first modern security intelligence solution that delivers where legacy security information and event management (SIEM) vendors have failed.

Exabeam UBA is not a standalone product; it requires a log source feed from a SIEM.

  • Exabeam uses an API to search for and receive the logs that it analyzes.
  • Exabeam’s API integration has a noticeable effect on Splunk performance.

Splunk UBA uses search analytics and ingestion of Active Directory logs, and an App node is recommended for deployment.

  • Exabeam is a young startup that offers UBA.
  • One thing I noticed is that there is no reporting engine in Exabeam.
  • In addition, it is not intuitive how to modify or tune the rules that are used.
  • In Splunk UBA, the rules are defined in the CRE.
  • You can see why an event was triggered and tune as needed.

Exabeam offers their SIEM solution as a collection of components, all of which can be run on dedicated servers or installed as software or virtual appliances.

It is also well equipped for integration-based platforms.  

Exabeam Security Intelligence Platform is a set of different components that collectively deliver the Exabeam SIEM solution.

  • It uses a variety of big-data technologies such as Elastic, Hadoop, Kafka and Spark.
  • Exabeam’s Security Intelligence Platform focuses on providing comprehensive, end-to-end detection, analytics and response capabilities from a single security management and operations solution, while also offering elastic scalability through a big-data and machine-learning architecture that ingests and analyzes data at any scale.

Context-Aware Log Parsing

Digesting event logs can be dull and painful work for analysts. By leveraging built-in context awareness, Exabeam is able to parse logs according to their type, highlighting the attributes of that specific log type that are most interesting to security analysts.
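To make the idea concrete, here is an added illustration (my own code, not Exabeam's parser or any part of its product) of what "parse logs according to their type" means in practice: a detector first classifies each raw line into a log family, then a family-specific extractor pulls out only the fields an analyst cares about (who, from where, success or failure) into one normalized shape, so that events from different sources can be counted together. The log lines, hostnames and IP addresses are constructed for the example.

```python
"""Context-aware log parsing: classify the line first, then apply a
type-specific extractor that yields a normalized event record.
Added example; the sample lines below are constructed, not real captures."""
import re
from typing import Callable, Dict, List, Optional

# Constructed sample lines covering three log families plus one unknown line.
SAMPLE_LOGS = [
    "Jan 10 09:14:02 bastion sshd[2231]: Accepted publickey for alice from 10.0.5.7 port 51022 ssh2",
    "Jan 10 09:15:40 bastion sshd[2240]: Failed password for invalid user admin from 203.0.113.9 port 40012 ssh2",
    "2024-05-05T09:16:01Z fw01 action=deny src=203.0.113.9 dst=10.0.5.7 dport=22 proto=tcp",
    "EventID=4624 Computer=WS01 TargetUserName=bob LogonType=10 IpAddress=10.0.7.21",
    "totally unknown format here",
]

# OpenSSH auth messages: outcome, method, (optionally "invalid user") user, source.
SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"(?P<outcome>Accepted|Failed)\s(?P<method>\S+)\sfor\s(?:invalid user\s)?"
    r"(?P<user>\S+)\sfrom\s(?P<src>\S+)\sport\s(?P<port>\d+)"
)
# Generic key=value tokens used by the firewall and Windows samples.
KV_RE = re.compile(r"(\w+)=(\S+)")


def detect_type(line: str) -> Optional[str]:
    """Cheap context detection: decide which extractor applies before parsing."""
    if " sshd[" in line:
        return "ssh_auth"
    if line.startswith("EventID="):
        return "windows_logon"
    if " action=" in line and " src=" in line:
        return "firewall"
    return None


def parse_ssh(line: str) -> Optional[dict]:
    m = SSH_RE.search(line)
    if not m:
        return None
    return {
        "type": "ssh_auth", "host": m["host"], "user": m["user"],
        "src_ip": m["src"], "auth_method": m["method"],
        "outcome": "success" if m["outcome"] == "Accepted" else "failure",
        "invalid_user": "invalid user" in line,
    }


def parse_firewall(line: str) -> Optional[dict]:
    kv = dict(KV_RE.findall(line))
    if "action" not in kv:
        return None
    return {
        "type": "firewall", "host": line.split()[1], "action": kv["action"],
        "src_ip": kv.get("src"), "dst_ip": kv.get("dst"),
        "dst_port": int(kv["dport"]) if "dport" in kv else None,
    }


def parse_windows(line: str) -> Optional[dict]:
    kv = dict(KV_RE.findall(line))
    if "EventID" not in kv:
        return None
    event_id = int(kv["EventID"])
    return {
        "type": "windows_logon", "event_id": event_id, "host": kv.get("Computer"),
        "user": kv.get("TargetUserName"), "src_ip": kv.get("IpAddress"),
        "logon_type": int(kv["LogonType"]) if "LogonType" in kv else None,
        # 4624 is a successful logon; 4625 is a failed logon.
        "outcome": "success" if event_id == 4624 else "failure",
    }


PARSERS: Dict[str, Callable[[str], Optional[dict]]] = {
    "ssh_auth": parse_ssh, "firewall": parse_firewall, "windows_logon": parse_windows,
}


def parse_line(line: str) -> dict:
    """Dispatch on detected type; keep unparseable lines rather than dropping them."""
    log_type = detect_type(line)
    parsed = PARSERS[log_type](line) if log_type else None
    return parsed if parsed is not None else {"type": "unparsed", "raw": line}


def parse_all(lines: List[str]) -> List[dict]:
    return [parse_line(line) for line in lines]


def failures_by_source(events: List[dict]) -> Dict[str, int]:
    """Count failed logons and firewall denies per source IP across all log types."""
    counts: Dict[str, int] = {}
    for e in events:
        if e.get("outcome") == "failure" or e.get("action") == "deny":
            counts[e["src_ip"]] = counts.get(e["src_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for event in parse_all(SAMPLE_LOGS):
        print(event)
    print(failures_by_source(parse_all(SAMPLE_LOGS)))
```

The point of the normalized `src_ip` / `outcome` fields is visible in `failures_by_source`: the SSH failure and the firewall deny from the same constructed address are counted together, which is exactly what a type-aware parser makes possible and a flat text search does not.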

Exabeam Security Intelligence Platform

The Exabeam platform includes five key components, each of which can be purchased and deployed separately or as a complete solution:

Collect

  • Log Manager – Unlimited log data capture and search, based on open source big data technologies.
  • Cloud Connector – Pre-built log collectors for popular cloud services such as Office 365, Box, Salesforce, and more.

Detect

  • Advanced Analytics – Machine-learning-led threat detection based on a User and Entity Behavior Analytics (UEBA) solution.
  • Threat Hunter – Proactive, user session based threat hunting for the entire SOC; powered by an intuitive point-and-click interface.

Respond

  • Incident Responder – Customizable incident management, API-based security orchestration, and automation.

Service Integrations for Incident Responder

  • Authentication and Access Management
  • Cloud Security and Infrastructure
  • Email Security and Management
  • Endpoint Security (EPP / EDR)
  • Firewalls
  • Forensics and Malware Analysis
  • Information Technology Service Management (ITSM)
  • Security Analytics
  • Security Information and Event Management (SIEM)
  • Threat Intelligence Platform
  • Utilities / Others
  • Web Security and Monitoring

Inbound Data Sources for Log Ingestion

  • Firewalls
  • VPN Servers
  • Authentication and Access Management
  • Business Applications Security
  • Cloud Access Security Broker (CASB)
  • Cloud Security and Infrastructure
  • Data Loss Prevention (DLP)
  • Database Activity Monitoring (DAM)
  • Email Security and Management
  • Endpoint Security (EPP / EDR)
  • Forensics and Malware Analysis
  • Information Technology Service Management (ITSM: ServiceNow, Remedy, etc.)
  • Network Access, Analysis and Monitoring
  • Physical Access and Monitoring
  • Privileged Access Management (PAM)
  • Security Analytics
  • Security Information and Event Management (several third party SIEMs)
  • Threat Intelligence Platform
  • Utilities / Others
  • Vulnerability Management (VM)
  • Web Security and Monitoring (CASM / CASB vendors)

Threat Hunter UI

[Screenshot residue: the Threat Hunter search view, with a date/time range selector and filter facets for User Names, User Sessions, Asset Sessions, Sort by, Assets, Network Zones, Peer Groups, Account Names and Event Types.]

Threat Hunter Support for EA

[Screenshot residue: the Exabeam Analytics view, with the same facets (User Names, Assets, Network Zones, Peer Groups, Account Names, Event Types), a search window and a Notable Users panel.]