May 5, 2020
Organizations of all sizes are dealing with more data than ever before, and as Castra learns about increasingly complex attack vectors, it is worth noting that traditional SIEM may no longer fit the purpose of the modern security program.
Traditional SIEMs are based on correlation rules, with no machine learning and no behavioral monitoring. Security teams, and especially SOC Analysts, are under enormous pressure to protect an organization. While Castra does have a reputation within the industry for generating meaningful value using traditional SIEMs, we invite you to see what we can do with even better tools!
If you speak with the likes of Gartner, they will tell you that logging, UEBA, and SOAR are now the three key components of a modern-day SIEM.
Castra believes that logging is a commodity and that the value of SIEM is in automation and analytics. As such, Exabeam was the first Gartner MQ SIEM leader to disrupt the pricing model of this market. They did this by launching their SIEM/UEBA/SOAR with a user-based pricing model, as opposed to the volume-based pricing models imposed by the large majority of the industry.
Since Exabeam introduced this model, some traditional SIEM vendors have been forced to respond by introducing their own user-pricing model.
Today, data lakes are popping up everywhere, and organizations need a SIEM that can pull data from many locations – SIEM differentiation will no longer be in the collection and storing of logs, but in the application layer. In parallel, IoT and OT devices are raising the level of importance of Information Security. As well as monitoring users, laptops, and servers, security teams need to monitor everything IoT that accesses company data or can access company systems, including customers, partners, or vendors (supply chain).
What makes up a "modern SIEM"?
Castra’s unique approach as a transparent, agnostic, and affordable service provider will ensure all organizations (no matter their size or industry) have a robust and flexible approach to their Security Program.
The Exabeam Security Management Platform is a modern SIEM that helps security teams work smarter. Organizations can take advantage of the big data architecture, advanced analytics, and automation capabilities. Exabeam delivery consists of three simple constructs: objects, insights, and actions.
- Objects – such as a user, account, or device – are containers for sharing information. There can be any number of objects, including employees, consumers, computers or IoT devices, and vendors.
- Insights – information gleaned through analytics about the status, behavior, and relationships of an object.
- Actions – invoke a change in policy or other activity related to an object.
Each of these three constructs will be significantly enhanced by the use of machine learning and the addition of context from third-party sources.
And critically, not only will objects, insights, and actions be available within Exabeam’s platform, but they can also be shared with other applications in orchestrated responses. The platform will include tools to allow Castra engineers to create custom content: parsers to ingest data, IR integrations and even machine learning (ML) models to improve detection, and playbooks with near-limitless outputs.
Castra will have the ability to add additional applications to the Exabeam platform – playbooks executing on-demand vulnerability scanning or managing cloud security configurations, just to name two. Exabeam and Castra can create custom application actions relevant to any organization’s security program needs. Each application on the platform can share objects, insights, and actions with Exabeam, and with each other.
Of course, analysts will be able to source data from any repository, be it on-premises or in the cloud. And it is built with the needs of an organization’s future in mind: multi-region cloud, scale, automation, reporting, RBAC, HA/DR, archiving, and more.
This new platform will allow hybrid security operations teams to help reduce risk, time, and exposure:
- With data lakes commoditizing, this open platform can potentially reduce costs.
- Castra analysts’ vision is enhanced. Shared object data and insights will lead to improved visibility into the overall risk of users and accounts, devices, and other transitory objects in environments.
- Collaboration will improve through shared intelligence between applications, security teams, and regions, and will eliminate siloed insights.
- The ability to create custom content and applications will allow the Castra team to improve security by tackling a broader range of use cases.
- Additional automation will remove many mundane tasks.
AI & Machine Learning
Exabeam is a leader and visionary in the use of AI and machine learning in its platform, which enables Castra to better detect and respond to all cyber incidents.
Since its inception, Exabeam has applied AI and ML to create various techniques for identifying adversaries in customers’ environments, looking at behavior amongst peer groups and organizational commonalities.
With AI and ML in Exabeam’s Advanced Analytics, the other Exabeam tools, Case Management and Incident Responder, yield alert mitigation that makes analysts’ work more efficient by leveraging learned data models and new techniques for detecting attacks that span multiple MITRE TTPs.
Lastly, Exabeam’s strategy is to continue to invest in and foster innovations that would be incorporated into the platform to simplify workflows and provide excellent and automated visibility into customers’ technology environments. Below are some specific capabilities in Exabeam to consider:
- UEBA: It stands for user and entity behavior analytics. The entire process begins with accounts in Active Directory. User and entity behavior analytics is a new category of security solution that uses innovative analytics technology, including machine learning and deep learning, to discover abnormal and risky behavior by users, machines, and other entities on the corporate network.
UEBA can detect security incidents that traditional tools do not see, because they do not conform to predefined correlation rules or attack patterns or because they span multiple organizational systems and data sources.
- MITRE ATT&CK enhancement: Exabeam currently supports use cases and rules that map to the MITRE ATT&CK framework. Castra and Exabeam plan to expand coverage for other MITRE ATT&CK techniques as well. Additionally, Castra and Exabeam plan to use the MITRE ATT&CK framework as a scorecard to assess the defensive posture and to allow teams to understand where critical gaps exist in their security coverage. Where there are gaps, organizations can be specific on how security investments can help close those gaps (e.g., explaining how adding EDR, CASB, IAM, or other technology would improve security coverage).
- Detection use cases: adding new detection use cases for “beyond the SOC” items like enhanced monitoring with SWIFT information, OT/IoT (connected grid monitoring, logistics), and fraud use cases (transaction, data handling, elevated access).
- Alert prioritization: Akin to what you are using today but bringing in further automation and efficiency around alert triage beyond our existing human alert triage and workflows.
- Seamless investigation workflow: We want to enable SOC/IR teams to perform investigations, collect evidence, and attach artifacts more effectively and quickly. Analysts will be able to add elements to an investigation such as files, logs, endpoint forensics, and binary analysis to an incident from anywhere on the Exabeam UI, using Case Management.
- Integrations & playbooks: Exabeam has 70-plus integrations today, including SIEM, EDR, FW, IPS, TI, ITSM, and more. Castra will support far more integrations (along with new actions) based on ABN direction. Castra will also provide additional SOAR checklists and playbooks. Further, as Castra has shown, we are well-qualified to write these directly, ensuring reduced time to production for nearly any automation.
Cyberattacks continue to infiltrate companies at an alarming rate. In just one recent example, we saw Cognizant, a supplier, hit by MAZE. Cybercriminals steal valid credentials to impersonate legitimate users, move across IT environments, and conduct malicious activities along the way. Exabeam and Castra can detect the subtle anomalies and correlate them across the complete attack chain, leveraging the existing log repositories to search and scan when detecting malicious behaviors.
Exabeam adds security intelligence to existing log management or data repositories to understand a complete picture of the user’s session, allowing the technology to detect and assemble the full attack chain. The Exabeam User Behavior Intelligence solution uses a powerful combination of session assembly and Stateful User Tracking™, behavior analysis, and risk-scoring to automatically determine the likelihood of an attack and prioritize responses. Its revolutionary technology focuses on user behavior and minimizes the mundane steps in detecting cyberattacks.
Key Proposed Platform Components
Exabeam Advanced Analytics (or UEBA) is the behavior analysis component of the offering in which Exabeam detects anomalies. Exabeam continuously maintains a baseline of normal behaviors for each user, entity, and group (e.g., department) within the environment. New activities are then compared to the baseline and reported as anomalies if they are deemed inconsistent. Exabeam analyzes discrete events to build user sessions from the time a user logs in until the user logs out or the session ends. Exabeam then compares the behavior of each new user session to all previous sessions. Comparing an entire session’s behavior, as opposed to a single event, drastically reduces false positives and dramatically improves the accuracy of threat detection. As hosts change IP addresses or users switch credentials, Exabeam is able to intelligently track these changes and attribute these activities to the correct user session.
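To make the session-assembly and baseline-comparison idea concrete, here is an added illustration written for this page; it is not Exabeam’s code, whose models and scoring are its own. It groups constructed log events into logon-to-logoff sessions, follows a logged credential switch so that activity under the second account stays attributed to the original user’s session, and scores the newest session against the user’s earlier ones. The event tuple format, the `account_switch:` action and the point values are assumptions.

```python
# Constructed sample events, not real telemetry: (time, account, host, action)
EVENTS = [
    ("2020-05-04T09:00", "alice", "ws-01", "logon"),
    ("2020-05-04T09:10", "alice", "ws-01", "file_read"),
    ("2020-05-04T17:00", "alice", "ws-01", "logoff"),
    ("2020-05-05T09:02", "alice", "ws-01", "logon"),
    ("2020-05-05T09:15", "alice", "ws-01", "file_read"),
    ("2020-05-05T09:20", "alice", "ws-01", "account_switch:svc-backup"),  # e.g. runas
    ("2020-05-05T09:25", "svc-backup", "srv-db-07", "logon"),
    ("2020-05-05T09:30", "svc-backup", "srv-db-07", "file_read"),
    ("2020-05-05T09:31", "alice", "ws-01", "logoff"),
]

def assemble_sessions(events):
    """Group events into sessions from logon to logoff. A logged account switch
    maps the new credential onto the same session, so activity under it stays
    attributed to the original user (assumes the switch itself is logged)."""
    sessions, active = [], {}          # active: account -> open session
    for time, account, host, action in sorted(events):
        if action == "logon" and account not in active:
            active[account] = {"user": account, "hosts": set(), "accounts": set()}
            sessions.append(active[account])
        session = active.get(account)
        if session is None:
            continue                   # no owner known; left unattributed here
        session["hosts"].add(host)
        session["accounts"].add(account)
        if action.startswith("account_switch:"):
            active[action.split(":", 1)[1]] = session
        elif action == "logoff" and account == session["user"]:
            for acct in [a for a, s in active.items() if s is session]:
                del active[acct]       # close every credential tied to it
    return sessions

def build_baseline(history):
    """Union of hosts and accounts seen in a user's earlier sessions."""
    return {key: set().union(*(s[key] for s in history))
            for key in ("hosts", "accounts")}

def score_session(session, baseline, new_host=20, new_account=30):
    """Add points for each host or account absent from the user's baseline."""
    hosts = sorted(session["hosts"] - baseline["hosts"])
    accounts = sorted(session["accounts"] - baseline["accounts"])
    score = new_host * len(hosts) + new_account * len(accounts)
    return score, [f"new host {h}" for h in hosts] + [f"new account {a}" for a in accounts]

def score_latest(events, user):
    """Baseline the user on all earlier sessions and score the newest one."""
    sessions = [s for s in assemble_sessions(events) if s["user"] == user]
    return score_session(sessions[-1], build_baseline(sessions[:-1]))
```

Scoring the whole second session flags both the unfamiliar database host and the switched account together, whereas a single-event rule would see only an ordinary service-account logon.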
Incident Responder and Case Management
The Exabeam Security Intelligence platform includes Exabeam Incident Responder (EIR), an incident response automation product. EIR includes a fully customizable incident response management system that can be used to track the status of incidents, gather artifacts and entities, assign ownership of the incident to analysts, and perform investigations.
All fields within this system are fully customizable, allowing security teams to create a response management system that matches their desired workflows and processes. EIR’s incident management system is context-aware, and the UI automatically displays different information to users based on the specific type of incident being viewed. For example, phishing incidents will show information about senders, recipients, and subject lines, whereas malware incidents would show fields related to hosts, malware names, attacker URLs, and so forth.