The Smart Way to Update Your SOC: Interview with Exabeam
Promoted by Exabeam
Over the course of the last four or five years, artificial intelligence has moved from the area of academic research into practical business focused solutions. Unfortunately, with this move has come countless claims of machine learning in all sorts of products, ranging from smart cars to smartphones that use AI to improve the quality of photographs. One of the few areas in technology where claims of machine learning must be practically verified is cybersecurity: one can simply not take risks with this business-critical part of the IT stack.It was thoroughly refreshing for us at Tech Wire Asia to speak to Gareth Cox, the VP of Sales at Exabeam, one of those companies leveraging true machine learning as part of an organisation’s toolkit of solutions combating both external and internal cyber threats.Industry watchers will know that Exabeam first came to market at a Splunk conference where it launched as a SIEM (security information and event management) helper. Since then, the company has added analytics and data science on top of the initial manifestation of the platform and has clearly made a name for itself as an independent practitioner of cybersecurity. “So even to this day, 50% of our business is sitting on top of any logging platform, it could be a cloud platform, or […] homegrown. We’re pulling that information to drive cybersecurity use cases.”We asked Gareth about some of the practical aspects of leveraging machine learning in cybersecurity settings, beginning with the difficult establishment of a learning corpus inside an organisation. This critical stage sets a normalised benchmark against which abnormal behaviours can be measured. Does the platform come with a blank slate, we wondered?“The platform comes from scratch. On the back end we’ve got over 800 different models built in. If your company is looking at a certain use case, like a compromised insider, what we would like from you is your AD [Active Directory] logs, your VPN logs, your Windows logs…three or four sources. Once they get populated into the system, a week later or so you would actually have visibility of what people’s roles are and [what] activities are happening.”[embedded content][embedded content]Cybersecurity remains a hot topic in the APAC region, not least because of the preponderance of smaller businesses in the region. But larger organisations are not assured safety — in fact, it’s often the contrary.“In Asia Pacific, [many of Exabeam’s clients] have got anywhere between 2 to 12 security analysts in their organisation. We come in and look at adding the analytics on top of the platform to really focus in on cybersecurity use cases like external threats, insider threats, or phishing attacks.”Every organisation experiences external threats from outside parties or bad actors, but internal threats or insider threats are not so often discussed. Typically, employees are perhaps going through disciplinary procedure, and there’s a danger of them walking out of the company with data they have no right to take. But systems that log strange or out-of-the-ordinary activities will gather these incidents, too.“We use host to user to IP mapping. For every single user in your business, we create a day in the life of that person 365 days a year. So, in the olden days before machine learning, if you had a breach, [you would] probably call a company who would come in, take all your logs, and then they’d build out an incident timeline or a day in the life of that asset. We’re doing the whole investigation every single day. [The platform] has a track record of everything I do, and you can go down [the list of events], and it points out points of risk.”In many businesses today, the IT function uses in-house resources, whether on bare metal on-premise in a private data centre and multiple cloud providers: so-called hybrid topologies. That fluidity of infrastructure will clearly be something that, theoretically at least, may well confuse systems designed to detect anomalies. However, Cox told us that the knowledge that elasticity is ever-present in today’s IT stack was built into Exabeam.For the large financial institutions in Southeast Asia, the COVID epidemic meant just such a rapid change — specifically, the entire workforce (and their laptops) moving from office to home. Cox said the concern was, “Who’s accessing our corporate information from these laptops? [But] the baseline fixed in a week. [Anomalies] went high, right, obviously, because they’ve never seen the company work from home. And then [the numbers of anomalies] went back down in a week. [The customer] went back to the board and said, ‘Yes, we have we put 20,000 employees at home, and our data is safe.’”With the need for greater security ever more pressing, we asked what sort of timescales would be involved, after which clients could begin to start seeing results in the form of improved attack detection and resolution metrics? “You probably get [results in] a week — you’d see a glimpse of the picture. In a month, you’d probably see a pretty-much tuned environment.”In our next article around Exabeam, we’ll be taking a deeper dive into many aspects of this intelligent solution that is increasingly forming a part of organisations’ cyber defence shields. Cox and Exabeam are not naive enough to claim that the platform is enough, on its own, to entirely protect every aspect of an organisation. We’ll be looking at the more advanced roles Exabeam can play in a broader cyber defence strategy. However, in the meantime, if what you’ve read here has piqued your interest, head on over to the Exabeam website for more information and a demo.
Source: https://techwireasia.com/2022/03/anomaly-detection-response-red-flag-soc-security-cybersecurity-ml-ai-best-review/
