Bad actors are getting smarter in the enterprise today. Thanks to enhanced information sharing, the people who want to do bad things in your systems know how to cover their tracks. It’s not just the knowledge of how to evade detection either. There are tools that can find an intruder’s traces in a system and eliminate them before your detection tools have a chance to find out what happened.
It’s even worse when you consider that most of the bad actors today get a paycheck from your company. Insider threats are growing at an alarming rate. A report by CA last year said that 90% of organizations feel vulnerable to insider threats. And 53% of those surveyed confirmed they had been attacked by insiders. Even the most amateur of people can find a way to exfiltrate data and get around security controls if they are motivated.
Ray of Light
So how do you defeat the people that are going to try and get around you with their shady behavior? You have to watch that behavior and remember it. And that’s where a company like Exabeam comes into play.
I had a chance to talk to Trevor Daughney, Vice President of Product Marketing, during RSA Conference this year about the Exabeam solution. We discussed their approach to building a Security Information and Event Management (SIEM) platform to detect threats. Most of the time the SIEM is directed at finding threats from external actors in an enterprise. SIEMs log all kinds of information and start correlating things to see patterns that don’t quite look right.
Exabeam is taking a different approach. They’re using machine learning (ML) and applying it to the data lake they generate from all the information they collect. Because they price based on user instead of by event or by volume of data collected per second, they can offer much better data collection than their competitors. And the more data you have, the better machine learning works.
Exabeam takes the data they collect and they start applying intelligence to it. This allows them to model behavior of users over a timeline. These SMART timelines allow them to see the actions that lead up to a potential incident and then what happens afterwards. Just like a thief casing a house beforehand, it’s often the behaviors you see before the crime that tip you off to intent. Most insiders don’t randomly decide to exfiltrate data on the spur of the moment. Absent events like layoffs or disciplinary action, most insiders will test the system for days or weeks in advance to see how far they can get without being detected.
The way Exabeam makes this work for their solution is by applying their algorithms and adding context to actions. A person trying to access a forbidden file is an anomaly. A person trying to do it repeatedly at midnight on a Saturday via VPN is a problem. Each time a user goes to “work”, Exabeam starts a timeline. They analyze the behavior of that user and they apply a risk score. The risk scores from previous sessions also play into the current score. So if a user has been doing some risky things in days or weeks past, that behavior will flow through to the new session.
Once a user crosses a specific threshold, there is an alert that triggers on the Exabeam dashboard. This is an alert that tells administrators that they need to examine this user a bit more closely. It’s a wonderful way to track people across different sessions. This is really handy for HR or auditors that need to establish intent before disciplinary action.
Battling Bad Actors
For example, let’s say a sales manager knows they’re going to be leaving the company soon. They know that as soon as someone puts in their two-week notice they’re under a security microscope. So, the sales manager decides to discreetly start copying documents out of their email to a USB drive weeks in advance. They do it after 5:00pm every day when everyone is gone from the office. Normally, this would go undetected. But, with Exabeam each one of those suspicious file transfers is logged. Now, when the sales manager goes in to give their notice, HR can pull the behavior logs from Exabeam and see that files have been copied over to a USB drive a few at a time past 5:00pm every day for the last three weeks. The files may not turn out to be a customer list or other sensitive information, but it’s a good starting point for a discussion about severance packages and other data protection measures.
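To make the session-and-threshold model concrete (the per-“work” timeline, the risk score that carries over from earlier sessions, and the dashboard alert once a threshold is crossed), here is an added example that is not Exabeam’s code or algorithm. It scores constructed log events for the midnight-VPN scenario above and the after-hours USB copying from the sales manager story; the event weights, the carry-over fraction and the alert threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (user, ISO timestamp, action, outcome, source); not real logs.
EVENTS = [
    ("alice", "2019-03-04T10:15:00", "file_access", "denied", "lan"),
    ("alice", "2019-03-05T09:02:00", "file_access", "ok", "lan"),
    ("bob", "2019-03-02T00:10:00", "file_access", "denied", "vpn"),  # Saturday, midnight
    ("bob", "2019-03-02T00:12:00", "file_access", "denied", "vpn"),
    ("bob", "2019-03-02T00:14:00", "file_access", "denied", "vpn"),
    ("bob", "2019-03-03T23:50:00", "file_access", "denied", "vpn"),
    ("bob", "2019-03-03T23:55:00", "usb_copy", "ok", "lan"),  # after-hours copy to USB
]

ALERT_THRESHOLD = 90  # assumed score at which the dashboard raises an alert
CARRY_OVER = 0.5      # assumed fraction of the prior session's risk carried forward


def event_risk(ts, action, outcome, source, denied_so_far):
    """Score one action; context (time of day, access path, repetition) raises it."""
    score = 0
    if outcome == "denied":
        score += 10 + 10 * denied_so_far  # a repeat of a forbidden access is worse
    if action == "usb_copy":
        score += 20
    if source == "vpn":
        score += 5
    if ts.hour >= 22 or ts.hour < 6 or ts.weekday() >= 5:
        score += 15  # off-hours or weekend activity
    return score


def score_sessions(events):
    """Group events into one session per user per day, roll risk forward, collect alerts."""
    sessions = defaultdict(lambda: defaultdict(list))
    for user, ts, action, outcome, source in events:
        ts = datetime.fromisoformat(ts)
        sessions[user][ts.date()].append((ts, action, outcome, source))
    scores, alerts = {}, []
    for user, days in sessions.items():
        prior = 0
        for day in sorted(days):
            risk, denied = prior * CARRY_OVER, 0  # earlier sessions flow into this one
            for ts, action, outcome, source in sorted(days[day]):
                risk += event_risk(ts, action, outcome, source, denied)
                if outcome == "denied":
                    denied += 1
            scores[(user, str(day))] = risk
            if risk >= ALERT_THRESHOLD:
                alerts.append((user, str(day), risk))
            prior = risk
    return scores, alerts
```

Running `score_sessions(EVENTS)` leaves alice well under the threshold, while bob’s repeated midnight VPN denials on the Saturday trip an alert, and half of that score carries into the Sunday session so the USB copy alerts again.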
Exabeam can be adapted to a ton of other use cases, such as manufacturing or airline operations. Any anomalies can be assigned confidence values and trigger alerts when they cross the threshold. They can also trigger a Playbook, a pre-defined set of actions that occur when an event is triggered.
Bringing It All Together
If you’re in an industry that is highly regulated or has a penchant for having valuable data stolen frequently, you would do well to check out Exabeam and integrate it into your enterprise. You gain all the value of a traditional SIEM while also being able to perform some behavioral analysis against the potential bad actors in your organization. It may not be enough to catch the next thief waiting in your midst, but it’s better than just leaving the door open and letting them walk out.