Exabeam’s Extensible UBA Supercharges Enterprise Security via Integration, Partners

As 2016 kicks off, User Behavior Analytics (UBA) will be a hot area for security investments, according to Gartner analysts. The reason: UBA can deliver big security results, especially when integrated with other security solutions. IDN talks with Exabeam’s Rick Caccia about Exabeam UBA and the company’s program to forge wide-ranging partnerships.


As 2016 kicks off, User Behavior Analytics (UBA) will be a hot area for security investments, according to Gartner analysts.


UBA (and related Entity Behavior Analytics) technologies are delivering big security results -- especially when they are integrated with other security solutions, according to Anton Chuvakin, vice president at Gartner's GTP Security and Risk Management group.


“In my opinion, evolved UBA… is probably where REAL security analytics will emerge. At the very least, this functionality seems to be converging on common needs,” Chuvakin wrote in a recent blog post. Specifically, Chuvakin listed three areas where integrated UBA solutions have been shown to provide real results:


a) Substantially reducing alert volume and prioritizing alerts that remain
b) Speeding time to investigate security events
c) Finding the bad guys


Exabeam’s UBA Platform; Why Interest in User Behavior Analytics is Surging   

Exabeam typifies the explosion of interest in UBA. 


“I’ve been in security 20 years and this UBA analytics space seems to be fastest subsets of security I’ve seen.  We launched version 1.0 at the start of 2015, and we’re already monitoring one million employees, running at 60 sites – with both paid customers and PoCs [proof-of-concepts],” Exabeam chief marketing officer Rick Caccia said.


Two main factors are driving the skyrocketing interest in UBA, in Caccia’s view. “First, especially on the government user side, the [Edward] Snowden thing has really freaked many people out about employees and a rogue insider taking data. Second, many of the big headlines over data breaches came from hackers that stole valid credentials,” he said.


Exabeam UBA works by leveraging existing log data to quickly detect advanced attacks, prioritize incidents and guide effective response, he said.  The Exabeam UBA platform is engineered to provide standalone capabilities, as well as be extensible to integrate with other security-focused technologies, he explained.


“With Exabeam UBA, security analysts can see quickly and easily which users might be compromised, as well as which systems they accessed. We can resolve individual security events and behavioral anomalies into a complete attack chain,” Caccia noted.  “This lets us uncover attacks, and the impact of those attacks, as well as dramatically cut response time.” 


Under the covers, Exabeam’s trademarked Stateful User Tracking (SUT) technology automates much of the complex and time-consuming work done by security analysts. When working with SIEM systems, SUT provides an at-a-glance, rich analysis of all user and entity activities, tracked across identity and IP address switching. This lets users see relationships between alerts, credential behaviors, and IT assets.


Technically, Exabeam applies machine learning to create a baseline of normal behavior for each employee or contractor on a corporate network. It then compares each user’s activity against that normal baseline to determine if particular actions are risky, even if that user switches devices, accounts or IP addresses, Caccia noted.


Exabeam also presents a timeline showing all activities – from log-on to log-off – as well as the associated risk, Caccia added.  To get all the processing power required for all this intensive machine learning and monitoring, Exabeam UBA comes as a preconfigured, extensible appliance.   


UBA Better Together with Third-Parties – Exabeam Integration, Partner Programs

Recognizing that UBA techniques can be even more valuable against cyber threats when they work with a varied ecosystem of security and data solutions, Exabeam can easily integrate with all the major SIEM/log management products that can capture and store logs, as well as manage workflows for security-related IT ops.


On this list is IBM Security’s QRadar SIEM offering. Exabeam UBA for QRadar provides bi-directional integration between both companies’ products. It integrates with IBM security intelligence technology to let users analyze data in real time to identify potential security threats and improve incident prioritization for fast and effective response.  Exabeam UBA for QRadar uses IBM QRadar’s open API.


Exabeam UBA also works with popular offerings from Splunk, ArcSight, RSA Security Analytics, and McAfee ESM, among others.


“Exabeam provides user behavioral analytics on top of these logs, providing important and discrete details to answer questions such as: Who did what? Is it risky? Is the behavior normal?” Caccia said.  Beyond packaged solutions, Exabeam customers have even integrated the UBA platform with their homegrown systems, via syslog, he added.

“You can easily add new streams in addition to the logs, and some we have used are DLP scans, physical badge readers, USB drive logs, and endpoint (i.e. desktop/laptop) logs,” according to Caccia. “Our context scores can show up inside of the SIEM console, so that a security analyst using one of those products can manage work while also seeing our risk scores.”


Thanks to this extensibility of the Exabeam UBA platform, customers can safeguard both data-at-rest and data-in-motion, Caccia said. He shared the example of a global construction firm.


“They use the Symantec DLP [data loss prevention] product to scan servers and laptops for sensitive data. Exabeam ingests the scan results to understand which systems contain confidential info,” Caccia told IDN. As a result, their system can auto-increase risk scores when users try to access certain records, he said, noting “It’s much riskier if someone accesses a server with all your customer records on it, versus accessing a server with inventory records.”


The construction firm customer also uses Symantec DLP on employees’ desktop computers to scan when users copy files to USB thumb drives, Caccia added. “Exabeam tracks this and creates normal baselines and can then flag it if a particular employee is copying confidential data when he normally doesn’t, or if he is copying much greater volumes of confidential files to a key,” he said.


“The key point here,” Caccia concluded, “is that DLP is a noisy type of system with little historical context. Exabeam cuts through the noise and can understand if some action on sensitive data is normal or unusual.”
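The DLP-driven scoring described above can be sketched as follows. This is an added example, not Exabeam's code or algorithm: a simple z-score stands in for the machine-learned baseline, and the host names, users, weights and threshold are constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed DLP scan output: host -> sensitivity weight (scale is an assumption).
SENSITIVITY = {"crm-db01": 3.0, "inventory01": 1.0}

# Constructed history: confidential files each user copied to USB per day.
HISTORY = {
    "alice": [0] * 10,                               # normally never copies
    "bob": [12, 9, 11, 10, 13, 8, 10, 11, 9, 12],    # copies about 10 a day
}

def usb_anomaly(user, copies_today, history=HISTORY, sigma_floor=1.0):
    """Sigmas above the user's own baseline (0.0 if at or below it)."""
    past = history.get(user)
    if not past:
        return 0.0  # no baseline yet, so nothing to compare against
    # Floor sigma so a flat baseline (all zeros) does not divide by zero.
    sigma = max(pstdev(past), sigma_floor)
    return max(0.0, (copies_today - mean(past)) / sigma)

def risk_score(user, copies_today, source_host):
    """Scale the behavioral anomaly by how sensitive the source system is."""
    weight = SENSITIVITY.get(source_host, 1.0)  # unscanned hosts get weight 1
    return usb_anomaly(user, copies_today) * weight

def triage(events, threshold=5.0):
    """Return (user, host, score) for events at or above threshold, riskiest first."""
    scored = [(u, h, risk_score(u, n, h)) for u, n, h in events]
    return sorted((e for e in scored if e[2] >= threshold), key=lambda e: -e[2])

if __name__ == "__main__":
    todays_events = [  # constructed: (user, files copied today, source host)
        ("bob", 12, "inventory01"),   # normal volume, low-sensitivity host
        ("bob", 60, "inventory01"),   # far above bob's usual volume
        ("alice", 8, "crm-db01"),     # never copies, customer-record server
    ]
    for user, host, score in triage(todays_events):
        print(f"{user:6} {host:12} risk={score:.1f}")
```

Bob's routine 12-file copy scores 1.0 and is suppressed, while the same count from a user with a flat baseline on a customer-record server is escalated, which is the noise reduction the DLP passage describes.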


Late last year, Exabeam unveiled an even wider-ranging technology alliance program. The Exabeam 3D Technology Alliance Program includes some 35 companies from a widening range of security ecosystem categories, Caccia noted. Among them:

  • endpoint protection
  • cloud security
  • data loss prevention
  • log management
  • network security
  • security intelligence and
  • threat intelligence

Exabeam’s 3D Technology Alliance Program takes its name from its focus on enriching UBA for three major areas of data: data integration, data analytics, and data applications. Technically speaking, the program plays to the platform’s extensibility to work with external data feeds, data models, security rules, and end-user applications, he said.


Among members of Exabeam’s 3D Technology Alliance Program are:


Bit9 + Carbon Black - By working with the company’s real-time endpoint visibility, threat detection and incident response capabilities, Exabeam helps organizations reduce endpoint risks by uniting endpoint and user behavioral analytics. “People, processes and technologies must all work together to drive better detection and faster responses to advanced threats.”
-- Brian Hazzard, vice president at Bit9 + Carbon Black.


Centrify - “Securing access to privileged accounts and enterprise users is critical to protecting data today. Exabeam’s risk analytics adds context to our access control and enforcement, resulting in better protection of sensitive data and applications.”

-- Shreyas Sadalgi, SVP Business Development at Centrify.


Dtex Systems - “In the modern enterprise, the endpoint is the perimeter [and] understanding unusual behavior directly from the point of access is critical for detecting threats. Our solution, combined with Exabeam, provides end-to-end coverage of user behavior from the endpoint through the network, to the cloud.”
-- Mohan Koo, CEO, Dtex.


Situational - “Workforce mobility and cloud architectures are forcing many enterprise customers to rethink security and move beyond perimeter based defenses. Integrating behavioral context into real-time access control decisions is one important way to improve overall security in the new mobile and cloud world. Situational and Exabeam work together to provide a unique level of behavioral context.”
--  Chris Ceppi, CEO, Situational.


Skyhigh Networks - “The cloud is fundamental to corporate computing today, but most enterprises simply don’t have the necessary full picture of how their data is used across data centers and cloud services. Skyhigh’s. . . cloud access security broker along with Exabeam’s user behavior analytics provide CIOs and CISOs with a complete understanding of the situational user and service risks, and an ability to take policy-based corrective action.”
-- Sekhar Sarukkai, co-founder, Skyhigh Networks.


Navigating the ‘Sea of Noise’ for User Behavior Data

Thanks to Exabeam’s ability to integrate with this wide array of systems, their various technology solutions can communicate effectively with each other – and avoid what Caccia said was the hazard that “threats might be lost in a sea of noise.” 


Speaking of this “sea of noise,” Caccia left us with one final perspective on the benefits of UBA.


“We do something else important that we don’t see anyone else do: We’re able to stitch together a picture of all activity – good and bad. Most products only show anomalies – when things go wrong. But, Exabeam can prove UBA is useful to help IT (or security analysts) quickly validate that what might have looked like a breach is just a normal hiccup – or at worst just human error.


“We’ve heard customers at larger organizations say they need at least one full-time head count just to troubleshoot something as basic as account lockouts.” (This is when an account gets locked down after too many unsuccessful attempts at logging in.) “So, when we show them they can use UBA to resolve lockouts and quickly see if there is – or is not – unusual activity, they can see a real benefit to IT operations,” Caccia said.


Buoyed by all these benefits, Gartner predicts the UBA market will grow from $50 million in 2015 to approximately $200 million by the end of 2017.