Ransomware is becoming more common than ever. Corporations, both large and small, are increasingly finding themselves the targets of advanced ransomware campaigns. Unfortunately, most security teams haven’t had enough experience with ransomware in corporate environments to stop infections before they run rampant. This post explores some of the challenges security teams may face when trying to use SIEM correlation rules to identify the behavior and activities associated with a ransomware infection.
When I ask our prospective customers why they are interested in UBA and Exabeam specifically, most have a common answer: they are looking to cash in on the promise of deriving usable intelligence out of the vast amounts of data they have spent time and money collecting. Organizations want increased visibility into the activities of users on their network to detect modern attacks and respond quickly. Solving these problems is at the center of what Exabeam was built to do; however, there are also some hidden benefits users receive simply by using the Exabeam platform. Many of these benefits center around finding logging-quality issues, identifying changes in configurations, and augmenting stale or non-existent asset management information.
As a software vendor, it’s always nice when the fruits of hard work, purposeful design decisions, and unwavering focus on customer feedback are recognized. Recently, Exabeam had the honor of being selected as the recipient of six awards at the 2016 Network Product Guide IT World Awards.
Topics: awards and recognition
The size of hard drives, logs, and other data sources has grown immensely in the past few years. I've had many different roles within the DFIR (digital forensics and incident response) space, including SOC analyst, incident responder, and forensic examiner, and this massive increase in available data poses challenges in all of those areas. Fully combing through a multi-terabyte hard drive takes longer than combing through smaller drives. Intrusion investigations can rapidly balloon from one computer to many, as attackers become more sophisticated and move around their victim’s environment. Many intrusion or breach investigations can span dozens (or even hundreds) of devices. Companies are increasingly getting better about logging, both by collecting from more sources and by logging more verbosely.
20 years ago, I was working the graveyard shift as a policeman on the south side of Chicago. Part of the area I patrolled included one of the largest railroad freight yards in the U.S. Occasionally, we would get calls to assist the railroad police. On this particular day, we received a call to assist with a “theft in progress”. Upon arrival at the railyard, we found a freight train with 50+ rail cars stopped, waiting to be unloaded. After inspection, we found a single car with the locks broken, doors open, and a single crate pried open. There were a couple of boxes missing from the crate.
Last Thursday, we presented a webinar and discussed how UEBA technology can improve insider threat detection as well as overall SOC operational efficiency and noise reduction. I would like to thank the participants, who were very active and showed interest by asking lots of questions. We felt we owed everyone the answers to the questions that were asked and may or may not have been answered during the webinar. We also took the liberty of removing questions that were not tied to UEBA subject matter. Here are the questions asked during the live event…
The old saying goes that when asked why he robbed the bank, the thief replied: because that’s where the money was. But in fact, there was no need to rob; applying the modus operandi of recent ransomware attacks, all the thief had to do was disrupt the entrance to the bank and collect the money without any extra effort.
In this blog series, I’ve talked about the applicability of data science for user entity behavior analytics (UEBA). The use of statistical analysis is best driven by expert knowledge; some machine learning examples were given to find contextual information for alert prioritization. In this blog, let’s explore more use cases and examples where machine learning applies.
Topics: data science
In my last blog, I talked about the role of statistical analysis in a User Entity Behavior Analytics (UEBA) system. Expert-driven statistical modeling is a key and core component of an anomaly detection system. It is intuitive and easy to use and understand for analysts of all levels. In part II of this series, I’ll discuss the role of machine learning in a UBA system.
Topics: data science
This 3-part blog series will demonstrate how the data analytics of a User Entity Behavior Analytics (UEBA) product work to address cyber threats. In concept, a UEBA system such as Exabeam’s monitors network entities’ behaviors in an enterprise and flags behaviors that deviate from the norm. While the benefits are understandable, there are many challenges. In this blog series, I’ll focus only on the data analytics part of the system, which has proven to work well in the field for a large number of customers with different environments. Part I covers the statistical analysis in the system. Parts II and III will talk about some machine learning applications.