During its annual user conference, Spotlight19, Exabeam, the Smarter SIEM™ company, announced enhancements to the Exabeam Security Management Platform (SMP), including integrated MITRE ATT&CK Framework labels and customized incidents to speed investigations, as well as cross-cluster searches to improve responsiveness for global deployments.
MITRE ATT&CK (which stands for adversarial tactics, techniques, and common knowledge) is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations of cyberattacks. They’re displayed in matrices that are arranged by attack stages, from initial system access to data theft or machine control. There are matrices for common desktop platforms—Linux, macOS and Windows—as well as mobile platforms.
Exabeam has, since its inception, used behavioral analytics to detect attacker tactics, techniques and procedures (TTPs). To do so, it created hundreds of models and rules to identify and monitor normal user behavior and detect anomalies, as well as associate them with an appropriate level of risk.
Demonstrating the maturation of the Exabeam SMP, detection methods are now mapped to the MITRE ATT&CK Framework, offering a common taxonomy for security analysts to label adversary behavior and enabling improved collaboration. The MITRE Corporation has also accepted Exabeam’s submission of a new MITRE technique: Domain Generation Algorithms (T1483), making Exabeam the first and only security information and event management (SIEM) provider to have a technique submission accepted.
In another first for SIEM vendors, the new mapping approach enables security analysts to view and filter MITRE techniques within Exabeam Smart Timelines, machine-created timelines that sequence events into plainly worded narratives. Smart Timelines allow security teams to easily investigate event details with minimal technical expertise and without querying multiple systems. Analysts can mouse over event labels for MITRE techniques for a pop-up description or click on labels to open the MITRE webpage for a detailed description.
In addition, security analysts can search for MITRE tactics and techniques across users and devices using Exabeam Threat Hunter, whose drop-down menus and point-and-click interface replace the need for complex search queries, a capability only Exabeam offers.
“Various other solutions detect MITRE techniques, but most take a static approach to detection. This can create a high number of false positives because, in many cases, the behavior associated with MITRE techniques can be part of a user’s legitimate day-to-day activity. To enhance and mature our SIEM platform, we have mapped anomaly detection methods to MITRE techniques, speeding investigations and reducing false positives,” said Anu Yamunan, VP, Product Management and Research, Exabeam. “As a committed member of the MITRE community, Exabeam is investing to further establish the framework as a standard for cybersecurity. We are excited to be interacting with the framework in new ways that other SIEM vendors have yet to explore–and making SOCs more efficient and productive along the way.”
Exabeam also unveiled the following Exabeam SMP enhancements:
- Cross-cluster search: Security analysts can now efficiently search large, complex environments using cross-cluster search across up to seven clusters, whether data is on premises, in the cloud or both, further improving SOC productivity.
- Customizable incidents: Analysts can now customize incident types, values and layouts for incidents created in Exabeam Case Manager and accessible from Exabeam Advanced Analytics, Exabeam Entity Analytics and Exabeam Incident Responder. To do so, they can build their own incident ticket templates with custom incident types and information fields, or edit existing templates. Tickets can now be customized to align with existing or third-party ticketing systems, as well as company or industry compliance incident requirements (e.g., HIPAA, GDPR, PCI).
- Incident response checklists: Senior analysts can now create checklists to standardize incident response efforts, guide junior analysts to perform more complex tasks, and provide SOC managers visibility into the response progress. Checklists can be constructed to specify standard actions (‘tasks’) for analysts to take based on incident type, grouping actions into ‘phases’ in the incident lifecycle, aligned with the NIST Framework. Managers can also assign specific tasks to different analysts and set due dates.
- Disaster recovery: Disaster recovery is now available for Case Manager and Incident Responder, providing the ability to recover incidents, critical case details, playbooks and actions, and configurations.
Exabeam is the Smarter SIEM™ company. We help security operations and insider threat teams work smarter, allowing them to detect, investigate and respond to cyberattacks in 51 percent less time. Security organizations no longer have to live with excessive logging fees, missed distributed attacks and unknown threats, or manual investigations and remediation. With the modular Exabeam Security Management Platform, analysts can collect unlimited log data, use behavioral analytics to detect attacks, and automate incident response, either on-premises or in the cloud. Exabeam Smart Timelines, sequences of user and device behavior created using machine learning, further reduce the time and specialization required to detect attacker tactics, techniques and procedures. For more information, visit https://www.exabeam.com.
Exabeam, the Exabeam logo, Threat Hunter, Smarter SIEM, Smart Timelines and Security Management Platform are service marks, trademarks or registered marks of Exabeam, Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2019 Exabeam, Inc. All rights reserved.