
Interview: The Perimeter Is Gone; Behavioral Analysis Is The Best Way To Stay Secure 

Expert Insights speaks to Joe Fitzpatrick, VP of Analyst Relations, and James Anderson, Area Vice President, EMEA Channels, at Exabeam to discuss the need for better threat detection and remediation.


Data breaches are on the rise, and traditional security tools are struggling to adapt to a world where the network perimeter is no longer the office network but our home offices, coffee shops, bedrooms and living rooms. At the same time, security teams are dealing with an ever-growing number of daily threats while managing tools that fire off hundreds, if not thousands, of alerts about potential threats, with no way of seeing through the noise.

To discuss these industry-wide issues, Expert Insights spoke to Joe Fitzpatrick and James Anderson of leading SIEM and XDR provider Exabeam on the conference floor of Infosecurity Europe 2022. Fitzpatrick is Exabeam’s VP of Analyst Relations, working on their Security Operations platform category development. Anderson is their Area Vice President for EMEA, responsible for their MSP and Channel growth programmes. 

Our interview covered the Exabeam platform, the need for better detection and response in the security industry, challenges facing SOC teams today, and their advice for organizations to better improve their cybersecurity resilience. 

Can you give us an overview of the Exabeam platform and what sets you apart in the SIEM and XDR space?

Anderson: Exabeam is well known in the industry for being very good at automation and visibility. And the whole point of our stand at Infosecurity is that you can’t put right what you cannot see. And a lot of what we see in the market across the threat landscape tends to be credential-based or identity-based.

So, it could be somebody in your business who is trustworthy and has valid credentials, but may have accidentally had those credentials compromised by someone like Lapsus$. What we are trying to do is allow you to see this kind of threat in your environment, which traditional tools might not be able to. 

We’re also about automation. So, if you detect something like this happening in your environment, you can piece together exactly what did happen. And you can judge if it is an important incident that you need to respond to, or if it is just noise that you can ignore. That’s really what Exabeam XDR is, and we’re very, very good at that. 

Because we are so good at that, we also entered into the SIEM (Security Information and Event Management) space. Because what we do is analyze a lot of logs and information coming from various different systems, and our customers need help with log management as well. 

So, we’re a SIEM and behavioral analytics organization, and we’re focused on highly sensitive verticals. Most companies are pretty sensitive, but we do very well with financial services and infrastructure. Particularly with the attacks we are seeing, a lot of utilities organizations and infrastructure organizations want to protect what they do. These organizations have also been mandated by legislation to do more and prove they do more.

Exabeam was founded in 2013 and the company is already valued at $2.4 billion. Even though we’ve only been around for eight years we’ve got an ARR over $100 million now, and more than 600 customers. People really trust us with what we do. We’re trying to innovate in a space that’s been lumpy and old for a long period of time. So that’s why we’re in the top right position in Gartner’s SIEM Magic Quadrant. They see what we’re doing and recognize our innovation in that space. 

When it comes to those organizations protecting sensitive data, what are the typical threats they are facing today; why is your solution so important for them?

Anderson: A lot of people in the industry say that it’s all about identity and making sure that you have got ‘Zero Trust’ technology in your business. That’s really hard to do. What we talk about on the threat intelligence side is this risk of the insider threat. And it’s really all about credentials. It’s about people trying to get into your network and then moving around. 

They can do that by effectively trying to trick you into giving them your credentials. But more recently what we’re seeing is that they’re buying credentials from disgruntled employees who are looking to sell them. And when attackers have got a set of valid credentials from a known user that you have given access to your system, how can you protect against that?

What we do is look at the behavior. Every individual in an organization will have a baseline of behaviors that will tell you what’s normal. So, when they do something that is not expected – maybe someone suddenly appears logging in from China – we can flag that as a risk. Because we can see what users are doing on a daily basis, and we see their normal integrations. 

We apply all of these models to every single individual on an individual basis. We’re providing artificial intelligence and machine learning to do that analysis in real time, rather than the old way, which has been to do a load of searches in a database to try and piece together information to find out what’s happened. We’re doing that in real time and presenting that information to you.

Fitzpatrick: One of the things that we like to talk about too, that complements what James is saying, is that we’re trying to disrupt the security paradigm. And the traditional security paradigm is working on detections. So that’s rules and signatures designed to detect known threats.

Well, the problem for these technologies comes in with the instances that James has talked about. So, while we should always support having rules and signatures, the real problems, the real devastating data breaches, are ones where credentials have been stolen. 

In these cases, someone has stolen credentials, they’ve moved laterally, and they’ve basically gone undetected and acquired data, or protected IP, and exfiltrated it. We’re continuing to break that conventional thinking and move from detection-based rules and signatures to more behavioral based thinking. 

This is a theme we’re hearing more and more in our interviews. Does there need to be a shift away from trying to detect threats at the perimeter towards having the systems in place to be able to remediate much more quickly and much more effectively?

Fitzpatrick: Definitely. I would say that Zero Trust is a great model, it’s a great concept. But it’s not a product. And it has a big weakness in that it assumes that people using legitimate credentials are a trusted individual. There are ways of getting around the Zero Trust paradigm. 

NIST, which is an important independent cybersecurity framework in the US, recommends that Zero Trust in and of itself and by itself isn’t enough. They’re saying it needs behavioral analytics and automation. Two of the things that James first mentioned were our visibility and automation features. We make Zero Trust better with the additional features we offer.

Anderson: We’re not necessarily saying anywhere here that we will stop all breaches. And anyone who claims that in this industry is probably stretching the bounds of truth. It’s not a question of if, it’s a question of when. It’s a question of how you respond, how long it takes you to respond, and this will define whether you are seen as a good cybersecurity company for people to deal with. 

So, if you let threats fester and go undetected, and there’s no response for a while, you’re way more at risk than if you have greater visibility into what is going on in your network. The automation helps you to respond here. So, we can’t stop the threats from coming, but what we can do is tell you not only how it’s happened but also who the affected users are, so you can respond faster and in a more effective manner.

Fitzpatrick: I might add to that statement, we can stop attacks, but breaches are going to happen. We have all the rules, we have all the known knowns to stop that, but where we are really providing value is finding the attacks you can’t see with other tools. 

What’s on your upcoming product roadmap for your solutions? 

Anderson: We’ve partnered with Google now for a little while. All of our products are built and exist within Google Cloud, so we don’t have anything now that sits on site with the customer. Our go-to-market is moving to a purely cloud-native SIEM tool. 

So, Google is a really, really important relationship. Not only do they provide us tools and a place for us to put our product, but we also have a go-to-market with them as well, which allows us to go and talk to their customers, and they can talk to our customers, about how they can help on that journey to being able to have all the data they need all of the time. 

And that probably involves some sort of shift to public cloud infrastructure. Because the days of owning and maintaining your own data center, or even a private version of that cloud, are probably gone. There are still things people will always want on premises, but absolutely Google’s cloud platform is critical for us to be able to execute. And that provides us with a go-to-market so we can go and educate customers, and it provides us with infrastructure.

Right now, not even half a mile away, we’ve got an event we’re hosting with Google where we’re taking customers through a capture-the-flag-like exercise, where we’re educating them about our tools, how you use them, and looking at using the tool to stop threats in real time.

What is your final advice to organizations who are looking for a way to improve their cybersecurity resilience against some of the attacks we’ve mentioned today, particularly compromised credentials and insider risks?

Anderson: It’s really all of the things we’ve talked about. For me, it’s about visibility and automation. We did a study a while ago which shows that in the Security Operations Center, a lot of time is spent in the investigations phase. 

That’s because as an industry we’ve done a really good job at creating tools that can detect ‘bad stuff’. And we’ve done a really good job at being able to automate some response. But what we’ve not done a very good job with is being able to show if that bad stuff is actually bad.

And that phase of investigating whether reports are actually bad takes up 60–65% of your resource as a security professional. There are really intelligent, highly paid analysts using the tools, and yet the industry is doing nothing to help them save time in terms of automation.

That’s what we’re doing and that’s where organizations should really spend their time. Because then, those really great people can get on a more proactive front. That’s what we’re all about, and that’s my advice for organizations: stop thinking about the things the way you used to. Think about a different way, so you can use your people a different way, and you can get into a situation where you are more efficient, less costly, and you have reduced your risk because you are more proactive. 
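Anderson’s description of a per-user baseline (the countries, hosts and working hours a person normally uses) and of flagging deviations from it, such as a sudden login from China, can be illustrated with a small Python example. This is an added example and is not Exabeam’s code, data model or scoring logic. The log line format, the field names, the risk weights, the threshold and the log lines themselves are all constructed for illustration.

```python
"""Toy per-user behavioral baseline and anomaly scoring over authentication events.

Added example: the log format, weights and threshold are assumptions for illustration,
not any vendor's real model.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample log lines (not real data). Assumed format:
# "<ISO timestamp> user=<name> src_country=<CC> host=<hostname> result=<success|failure>"
BASELINE_LOGS = [
    "2022-06-01T08:05:00 user=alice src_country=GB host=ws-alice result=success",
    "2022-06-01T17:40:00 user=alice src_country=GB host=ws-alice result=success",
    "2022-06-02T09:12:00 user=alice src_country=GB host=vpn-gw result=success",
    "2022-06-03T08:50:00 user=alice src_country=GB host=ws-alice result=success",
    "2022-06-01T07:55:00 user=bob src_country=DE host=ws-bob result=success",
    "2022-06-02T08:02:00 user=bob src_country=DE host=ws-bob result=success",
    "2022-06-02T18:30:00 user=bob src_country=NL host=vpn-gw result=success",
    "2022-06-03T08:10:00 user=bob src_country=DE host=ws-bob result=success",
]

NEW_EVENTS = [
    # alice's normal working day: nothing deviates from her baseline
    "2022-06-06T09:01:00 user=alice src_country=GB host=ws-alice result=success",
    # alice's valid credentials used at 03:14 from a country and host never seen before
    "2022-06-06T03:14:00 user=alice src_country=CN host=fileserver-01 result=success",
    # bob from a country he has used before, but late at night and on a new host
    "2022-06-06T23:45:00 user=bob src_country=NL host=db-prod result=success",
]


@dataclass
class Baseline:
    """What 'normal' looks like for one user, learned from successful logins."""
    countries: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    hours: list = field(default_factory=list)  # hour-of-day of each successful login


def parse(line):
    """Split one assumed-format log line into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def build_baselines(lines):
    """Learn a Baseline per user from historical successful logins."""
    baselines = defaultdict(Baseline)
    for line in lines:
        event = parse(line)
        if event["result"] != "success":
            continue
        b = baselines[event["user"]]
        b.countries.add(event["src_country"])
        b.hosts.add(event["host"])
        b.hours.append(event["ts"].hour)
    return baselines


# Hypothetical weights: several weak signals together should outrank any one alone.
WEIGHTS = {"new_country": 40, "new_host": 25, "off_hours": 20}


def score_event(event, baseline):
    """Return (risk score, list of reasons) for one event against a user's baseline."""
    reasons = []
    if event["src_country"] not in baseline.countries:
        reasons.append("new_country")
    if event["host"] not in baseline.hosts:
        reasons.append("new_host")
    if baseline.hours:  # only judge working hours once we have seen some logins
        lo, hi = min(baseline.hours), max(baseline.hours)
        if not (lo - 1 <= event["ts"].hour <= hi + 1):
            reasons.append("off_hours")
    return sum(WEIGHTS[r] for r in reasons), reasons


def triage(baseline_lines, new_lines, threshold=50):
    """Score each new event against its user's baseline; alert when score >= threshold."""
    baselines = build_baselines(baseline_lines)
    findings = []
    for line in new_lines:
        event = parse(line)
        score, reasons = score_event(event, baselines[event["user"]])
        findings.append({
            "user": event["user"],
            "ts": event["ts"].isoformat(),
            "score": score,
            "reasons": reasons,
            "alert": score >= threshold,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(BASELINE_LOGS, NEW_EVENTS):
        flag = "ALERT" if finding["alert"] else "ok   "
        print(flag, finding["user"], finding["ts"], finding["score"], finding["reasons"])
```

On the constructed data, alice’s daytime login from GB scores 0, her 03:14 login from CN to a never-seen host scores 85 and alerts, while bob’s late login from a known country to a new host scores 45 and stays below the threshold. That last case is the point of scoring rather than single rules: one weak signal alone does not page an analyst, but the reasons are still attached to the finding so an investigator can see why it was (or was not) raised.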


Find out more about Exabeam: https://www.exabeam.com