Exabeam’s CEO Brings Speedy Analytics, Teamwork To Fight Against Ransomware

Exabeam is taking a two-fisted approach to the fight against ransomware. It is bringing together speedy analytics with a strong coalition of willing security vendors. IDN talks with Exabeam CEO Nir Polak.

Tags: analytics, behavior, breach, compromise, endpoints, Exabeam, fingerprinting, integration, profiling, ransomware, risk, security, UEBA

Nir Polak, CEO - Exabeam

"Customers have invested in security, but technologies often work in silos. To fight ransomware, they need some way to stitch all the data together."


There’s a saying: Don’t bring a knife to a gunfight. And, if you can, don’t go alone - bring some friends. These days, that’s how many security professionals might feel when you ask them about their fight against ransomware.


What makes ransomware attacks especially scary to CISOs is that they can bypass security tools and camouflage themselves against already-overburdened security analysts, Nir Polak, CEO of Exabeam, told IDN.


But help is coming from Exabeam. The company has built a reputation for enlisting behavior analytics in the fight to better secure data. Now, Exabeam has optimized its technologies and patterns to fight ransomware. The appropriately-named Exabeam Analytics for Ransomware looks to deliver an ‘early warning system’ to battle ransomware.


As its name implies, “ransomware” works by locking down access to data, preventing an organization’s own employees from accessing it. The effect is to shut down day-to-day business operations. The data remains locked until a ‘ransom’ is paid, Polak said. Some ransomware attacks can be so bad they do result in “temporary, and potentially permanent, data loss,” he added.  


Exabeam Analytics for Ransomware combines speed, accuracy and tons of data and analytics to reveal tell-tale signs of intrusion. The product takes a two-fisted approach of analytics technologies and tight security partnerships woven into an end-to-end and multi-point ecosystem to fight ransomware attacks.


“Exabeam Analytics for Ransomware addresses both detection and response, bringing relief to stressed security departments,” Polak said. The product is designed to quickly seek out where ransomware might be at work, or where it may be quietly lurking waiting to strike. It works across networks, servers, workstations, mobile devices, and even into off-prem cloud services.


There are several reasons why ransomware requires a new level of smarter and speedier response, according to Polak.


“First, ransomware attackers are different from a conventional data breach. Those doing ransomware don’t sell the data, so they don’t need to get the data out of your systems. The data stays where it is and the attackers just restore your access. So, there is no data actually leaving your systems,” he told IDN. Worse, ransomware attacks change often, spread quickly and can even sit quietly dormant for weeks or months, making them hard to detect until the attack is underway.


“Many legacy detection techniques are ineffective against such attacks on businesses,” Polak said. “That’s a big reason why ransomware attacks are usually detected too late to stop their effects.”


Inside Exabeam Analytics for Ransomware

Technologically, Exabeam Analytics for Ransomware uses user and entity behavior analytics (UEBA), file analysis, machine learning, fingerprinting - and gobs and gobs of data from many points.


Among Exabeam’s techniques are:

  • Ability to detect even unknown ransomware profiles. Even without signatures or static correlation rules, Exabeam can learn the normal file and document behaviors of an organization’s employees. From that learned baseline, it quickly finds the anomalies associated with ransomware infection.
  • Pinpointing indicators of compromise. It is well understood that known ransomware processes use certain file extensions and follow recognizable patterns. Exabeam’s threat research team members verify such indicators and implement them in the product.
  • Infrastructure-wide, (hybrid-cloud) ransomware protection. By looking at machine logs, Exabeam detects ransomware operating on endpoints, in the datacenter or against cloud-based storage services.
  • Power of cooperation, collaboration. Exabeam interoperates with a range of specialized security technologies to gather rich sets of data, correlating it with its own analytics, models and assumptions to perform additional analytics.


Exabeam ‘Ecosystem’ Key Allies in the Fight Against Ransomware

Exabeam Analytics for Ransomware also demonstrates the point that the whole is often greater than the sum of its parts (or in this case, data points).


“A lot of our customers have already invested in security, including for endpoints, proxies and networks. But these technologies often work in their own silos,” Polak said. In fact, he said that many customers may already have access to data that could be the key to staving off ransomware attacks. “They just need some way to stitch all the data together to tell them the story of what happened,” he said.


That’s where the Exabeam ecosystem of security partners comes in.


To super-charge speed and accuracy for Exabeam Analytics for Ransomware, Polak is working closely with an array of security vendors to capture tons more data from disparate parts of networks. Working together, Exabeam and partners will make it easier to find and fight ransomware by gathering all sorts of raw metrics and data, and then computing and scoring the risk.


In fact, with Exabeam’s security ecosystem approach, “we can slap a brain on top [of all these data points] and connect between the silos and endpoints, network and user and model behavior of these silos,” Polak said.


“Our integration with major security players helps us identify two types of ransomware,” Polak said. These include: “known” threats, which can be thwarted by looking at file extensions and fingerprints; and “unknown” (yet-to-be-seen) threats, which can be taken on by gathering analytics and performing profiling.


It works like this, Polak told IDN:

Exabeam gathers raw data and events from a number of point solutions across a network, the devices, OS, registries and user directories. “This data lets us fingerprint behaviors and file access patterns, even down to a specific user,” Polak said. Exabeam’s far-reaching ecosystem of security partners lets it tap into weblogs, endpoints, proxies and networks, (Internet and internal

In turn, Exabeam’s Stateful User Tracking brings automation to the task of analyzing individual security events and behavioral anomalies. The result: Users avoid time-consuming (often hand-crafted) analysis, and quickly receive a correlated view that displays a given attack chain.

At present, Exabeam works with, and can capture data from, products from these vendors: BlueCoat, Carbon Black, Centrify, Demisto, FireEye, HPE, IBM, Imperva, Intel Security, Ping Identity, RSA Security, SailPoint, Skyhigh Networks, Splunk and Symantec.


The Need for Speed in Fighting Ransomware

Speed is a necessary part of any program to protect organizations against ransomware. “Ransomware is such a big threat because it changes often, spreads quickly,” Polak said. Take too long to find or defuse ransomware, and the battle could be lost, he added.


Ransomware is also stealthy and sneaky. Polak shared an example of why speed is such an important element in fighting ransomware:

Consider an employee accessing corporate files from home using a personal device. The worker is not directly logging into on-premises data, but simply using a cloud sharing service (Box, DropBox, etc.).

In that process, the user could allow ransomware to begin encrypting the Box files. Worse, once other employees start to access those files, the ransomware attack can spread to those on-prem workstations. From there, the ransomware begins moving across the corporate network. Time is the key to containing damage, and Exabeam, with tons of data from associated security devices, can detect this type of activity end-to-end, and early enough to prevent disruption.
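To make the two detection ideas above concrete (the learned file-behavior baseline and the known-extension indicators from the techniques list, applied to the cloud-share scenario just described), here is a toy Python check written for this page, not Exabeam's code. It assumes a constructed log format ("minute user host action path"), a constructed indicator list in place of vendor-verified extensions, and scores each user's write rate in a recent window against that user's own earlier baseline.

```python
# Added example, not Exabeam's code: baseline-and-anomaly scoring over constructed
# file-activity logs. A user whose write/rename rate jumps far above their own
# baseline AND who touches files with a known ransomware extension scores "high".
from collections import defaultdict
from statistics import mean, pstdev

# Constructed stand-in for the vendor-verified indicator extensions (assumption).
KNOWN_RANSOM_EXTENSIONS = {".locked", ".crypt"}


def parse(line):
    # Constructed line format: "<minute> <user> <host> <action> <path>"
    minute, user, host, action, path = line.split(" ", 4)
    return int(minute), user, host, action, path


def score_users(lines, baseline_end, window_end, z_threshold=3.0):
    """Return {user: (z_score, indicator_hits, risk)}.
    Baseline = minutes [0, baseline_end]; scored window = (baseline_end, window_end]."""
    writes = defaultdict(lambda: defaultdict(int))  # user -> minute -> write/rename count
    hits = defaultdict(int)                          # user -> indicator-extension hits in window
    for line in lines:
        minute, user, _host, action, path = parse(line)
        if action in ("write", "rename"):
            writes[user][minute] += 1
        if minute > baseline_end and any(path.endswith(e) for e in KNOWN_RANSOM_EXTENSIONS):
            hits[user] += 1
    result = {}
    for user, per_min in writes.items():
        base = [per_min.get(m, 0) for m in range(0, baseline_end + 1)]
        recent = [per_min.get(m, 0) for m in range(baseline_end + 1, window_end + 1)]
        mu, sigma = mean(base), (pstdev(base) or 1.0)  # flat baseline: avoid divide-by-zero
        z = (max(recent) - mu) / sigma if recent else 0.0
        if z > z_threshold and hits[user]:
            risk = "high"       # rate anomaly corroborated by a known indicator
        elif z > z_threshold or hits[user]:
            risk = "medium"     # only one signal fired; worth an analyst look
        else:
            risk = "low"
        result[user] = (round(z, 2), hits[user], risk)
    return result


# Constructed sample log: ten quiet minutes for alice and bob on a shared folder,
# then at minute 10 alice's device renames 20 files to ".locked" while bob stays normal.
SAMPLE_LOG = (
    [f"{m} alice wks-01 write /box/reports/q{m}.xlsx" for m in range(10)]
    + [f"{m} bob wks-02 write /box/notes/n{m}.docx" for m in range(10)]
    + [f"10 alice wks-01 rename /box/reports/q{i}.xlsx.locked" for i in range(20)]
    + ["10 bob wks-02 write /box/notes/n10.docx"]
)

if __name__ == "__main__":
    for user, (z, n_hits, risk) in score_users(SAMPLE_LOG, baseline_end=9, window_end=10).items():
        print(f"{user}: z={z} indicator_hits={n_hits} risk={risk}")
```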

The release of Exabeam Analytics for Ransomware comes on the heels of an April Department of Homeland Security (DHS) report that found National Cybersecurity and Communications Integration Center (NCCIC) had received 321 reports of ransomware-related activity affecting 29 different federal agencies since June 2015. In the same month, HIMSS Analytics released survey results indicating that half of the U.S. hospitals surveyed had been hit by ransomware. Another 25% indicated that they had no way of knowing if ransomware had penetrated their networks.


Exabeam Analytics for Ransomware is available as either a physical appliance or a virtual machine. It can be deployed in hours. Readers can request a demo here.