In my private files, I have a note from Dorothy Denning saying that she enjoyed my 1998 book on intrusion detection. If you live in the security industry, then you’ll know that this is like having Einstein tell you he liked your physics paper. Professor Denning was the first, for example, to show that activity timelines could identify anomalies from normal behavior. Her 1987 IDES paper remains iconic reading for all students studying cyber security.

This concept of activity timeline turned out to be especially useful to security analysts hunting threats in an enterprise SOC. Weaving normal and abnormal events into a step-by-step progression allows, for instance, the detection of lateral movement across a corporate network, which is so characteristic of modern APTs. And this detection is best done in the context of detailed information about users and endpoints on the network of interest.

Integrating user and endpoint information into the threat hunting task was front-and-center during my discussion on Fulton Street last week with my friend and industry veteran, Chris Stewart from Exabeam. Chris was in town from Canada and we scheduled some time for cappuccino and chatting – and I am so pleased that we did. The evolution of Exabeam’s cyber security platform is exciting, and I’ll do my best to share below what I learned:

“For many years, Exabeam served essentially as a sort-of SIEM helper,” Stewart explained. “And this gave us a unique vantage point for understanding the real requirements, as well as pain points, for enterprise users of existing SIEM solutions. It was this valuable security insight that prompted us to evolve our platform into a modern, Next Generation SIEM (NG-SIEM) – one that would incorporate our deep capabilities in user behavioral analytics.”

I’ve long been fascinated by the idea of a first-generation solution helper learning the ropes with customers, and then becoming a second-generation solution provider. It’s a platform playbook that we’ve all seen executed before; Palo Alto Networks, for example, followed this approach for firewalls. So, the notion that Exabeam would use its vantage point to develop an NG-SIEM solution across detection, investigation, and response seems rational.

“We see three primary requirements customers demand from an NG-SIEM,” Stewart said. “First, they demand more flexible license terms as collected data stores grow at high rates. Second, they need support for behavioral analytics to detect anomalies in our attack timelines. And third, they require support for automated incident response workflow as attacks are detected by analysts. The Exabeam solution delivers on all three of these areas.”

I asked Stewart how behavioral data can find attacks in timelines (which is right out of Dorothy Denning’s work, by the way). He shared this: “If the SIEM detects that an access, perhaps to your VPN, has occurred, then the question is whether this is normal. Rather than rely on a human analyst to investigate, we integrate behavioral profile information directly into our NG-SIEM to baseline users and assign risk scores from anomalies.”
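To make the two ideas above concrete, namely the activity timeline from Denning's work and the baseline-plus-risk-score approach Stewart describes, here is a small added illustration in Python. It is not Exabeam's code and does not reflect how their NG-SIEM is implemented; the event format, the features chosen (VPN source label, login hour, hosts touched), the point weights and the lateral-movement threshold are all assumptions picked for the example, and the log events are constructed sample data.

```python
"""Added illustration: per-user behavioral baselines, risk scoring,
and an attack timeline that surfaces lateral movement.
Not Exabeam's code; weights, features and sample events are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str   # "vpn_login" or "host_access"
    attr: str   # source label for vpn_login, hostname for host_access


# Constructed history: what "normal" looked like over a few days.
HISTORY = [
    Event(datetime(2024, 1, 8, 9, 2),   "alice", "vpn_login",   "geo-A"),
    Event(datetime(2024, 1, 8, 9, 15),  "alice", "host_access", "fs01"),
    Event(datetime(2024, 1, 8, 11, 0),  "alice", "host_access", "mail01"),
    Event(datetime(2024, 1, 9, 8, 55),  "alice", "vpn_login",   "geo-A"),
    Event(datetime(2024, 1, 9, 10, 4),  "alice", "host_access", "fs01"),
    Event(datetime(2024, 1, 10, 10, 1), "alice", "vpn_login",   "geo-A"),
    Event(datetime(2024, 1, 8, 9, 30),  "bob",   "vpn_login",   "geo-A"),
    Event(datetime(2024, 1, 8, 9, 40),  "bob",   "host_access", "git01"),
]

# Constructed events for the day under investigation.
NEW_DAY = [
    Event(datetime(2024, 1, 11, 3, 12), "alice", "vpn_login",   "geo-B"),
    Event(datetime(2024, 1, 11, 3, 20), "alice", "host_access", "fs01"),
    Event(datetime(2024, 1, 11, 3, 31), "alice", "host_access", "hr-db01"),
    Event(datetime(2024, 1, 11, 3, 47), "alice", "host_access", "dc01"),
    Event(datetime(2024, 1, 11, 9, 5),  "bob",   "vpn_login",   "geo-A"),
    Event(datetime(2024, 1, 11, 9, 9),  "bob",   "host_access", "git01"),
]


def build_baselines(events):
    """Per user: the VPN source labels, login hours and hosts seen historically."""
    base = defaultdict(lambda: {"sources": set(), "hours": set(), "hosts": set()})
    for e in events:
        b = base[e.user]
        if e.kind == "vpn_login":
            b["sources"].add(e.attr)
            b["hours"].add(e.ts.hour)
        elif e.kind == "host_access":
            b["hosts"].add(e.attr)
    return base


def score_event(event, baselines):
    """Return (risk points, reasons) for one event against the user's baseline.
    The point values are illustrative assumptions, not a vendor's scoring."""
    b = baselines.get(event.user)   # .get() does not create a baseline for unknown users
    if b is None:
        return 30, ["no baseline: first activity ever seen for this user"]
    points, reasons = 0, []
    if event.kind == "vpn_login":
        if event.attr not in b["sources"]:
            points += 25
            reasons.append(f"VPN login from new source {event.attr}")
        if event.ts.hour not in b["hours"]:
            points += 10
            reasons.append(f"VPN login at unusual hour {event.ts.hour:02d}:00")
    elif event.kind == "host_access":
        if event.attr not in b["hosts"]:
            points += 15
            reasons.append(f"first-ever access to host {event.attr}")
    return points, reasons


def build_timeline(events, baselines):
    """Per user: chronological entries of (event, points, reasons)."""
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        pts, why = score_event(e, baselines)
        per_user[e.user].append((e, pts, why))
    return per_user


def session_risk(entries):
    """Cumulative risk score for one user's timeline."""
    return sum(p for _, p, _ in entries)


def flag_lateral_movement(entries, min_new_hosts=2):
    """An anomalous VPN login followed by access to several never-before-seen
    hosts is the step-by-step progression an analyst would want surfaced."""
    anomalous_login, new_hosts = False, []
    for e, pts, _ in entries:
        if e.kind == "vpn_login" and pts > 0:
            anomalous_login = True
        elif e.kind == "host_access" and anomalous_login and pts > 0:
            new_hosts.append(e.attr)
    return anomalous_login and len(new_hosts) >= min_new_hosts


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    for user, entries in build_timeline(NEW_DAY, baselines).items():
        print(f"== {user}: risk {session_risk(entries)}, "
              f"lateral movement: {flag_lateral_movement(entries)}")
        for e, pts, why in entries:
            print(f"  {e.ts:%H:%M} {e.kind:<11} {e.attr:<8} +{pts:<3} {'; '.join(why)}")
```

Run as a script it prints one timeline per user; alice's early-hours login from a new source followed by two hosts she has never touched accumulates risk and trips the lateral-movement flag, while bob's routine day scores zero. The baseline here is a plain set membership check so the logic is easy to follow; a production system would use frequency distributions and decay, but the timeline shape is the same.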

I also asked Stewart about the flexible licensing options for storage, and he shared that with virtualized computing and cloud technologies it was now possible for a provider to offer fixed terms with variable growth. “Our customers do not have to concern themselves with the financial uncertainty of huge data stores on the back end of their SIEM. We price per user or per device, not by data volume. This is a key user requirement.”

We spent some time on the corporate story of Exabeam, and I hadn’t realized that they'd grown so much since I last deep-dived their offerings. With over 250 capable staff serving a large swath of Fortune 2000 companies, Exabeam is a substantial player in an important and growing market. I personally believe the company’s brand is less familiar to many in our industry than it should be, but with their platform advances, I suspect this will change.

If you are considering changes to your SIEM environment, or if you want to turbo-charge your existing commercial SIEM with improved user behavioral context, then give Chris Stewart a call and ask him to outline the specifics of the Exabeam NG-SIEM. And if you really want to impress Stewart, then read Denning’s paper first, and ask him how the company supports attack timeline analysis. (I suspect you’ll like his answer.)