Cutting-edge software helps detect cyberattacks, insider threats

Oct. 22, 2014
Exabeam solution learns normal user behaviors and provides alerts about potential anomalies

There has certainly been no shortage of large-scale data breaches in the news this year, which has placed intense scrutiny on the way organizations secure information. What most people don’t realize, however, is that the vast majority of cyber intrusions are not caused by hackers breaking in through an obscure virtual backdoor, but rather the result of valid login credentials falling into the wrong hands. In fact, according to Verizon’s 2014 Data Breach Investigations Report, 76 percent of network intrusions reported last year involved attackers using authorized credentials.

Exabeam, a San Mateo, Calif.-based big data security analytics firm, is looking to make it harder for cyber criminals to use valid login credentials by offering a new software platform that enables users to detect cyberattacks and insider threats in real time. The company has developed a solution that adds a layer of user behavior intelligence on top of existing security information and event management (SIEM) data repositories to provide IT security personnel with a complete view of the full attack chain and spotlight valid attack indicators that currently get lost in the noise.

According to Mark Seward, vice president of marketing for Exabeam, the company’s software platform looks for and baselines normal behaviors by credentialed users that have access to various systems within an organization and then checks for any unusual patterns in access by those users.   

“In other words, it learns your behaviors and watches for behavioral outliers. When it identifies those it reports them as potential intruder behaviors or potential attack behaviors,” explained Seward.

For example, Seward said a person will typically access several different IT systems during the course of a normal workday – Internet, email, etc. – and what Exabeam looks for is unusual activities as it relates to a business context.     

“You may login remotely from home via a virtual private network (VPN) and once you do that, our solution actually asks several questions about the characteristics of that particular access. First of all, is this the first time you’ve ever used the VPN? Is this the first time you’ve ever used the VPN with this particular system that you’re connecting with? We look for unusual times of day and a wide variety of pieces of context around that access that would indicate that it is unusual,” added Seward. “We actually assign a risk score to all of those different attributes and when we assign those risk scores we’re looking for a variety of scores that may total an exceedingly high amount. Once that amount is reached, then that would spawn an alert to a security professional to investigate this particular activity as suspicious, even though there may not have been a signal from a traditional piece of security infrastructure like a firewall, for example, or an intrusion detection system.”

Nir Polak, co-founder and CEO of Exabeam, said that users also don’t have to worry about false positives because the platform only generates alerts for highly-suspicious behaviors.  

“Let’s say you’re a traveler and you travel all around the world so every week you are in a new place. The fact that you’re now logging in from a new country that we’ve not seen in the past doesn’t really generate an anomaly because we’re going to have a very low confidence about that. What we need to see is a cohesiveness in your behavior to be able say that a behavior is suspicious or anomalous,” said Polak. “We also don’t rely on one or two anomalies to make a decision, we usually slice the data into very thin slices and then we start looking at a user since the moment he connects into the IT environment and everything he does until he leaves the IT environment. The more abnormal activity he does, the more his score is going to increase. The idea is not to rely on one or two anomalous activities, but a series of them to have a high confidence to say, ‘hey, we think this user may have been compromised.’”

Polak added that one of biggest problems in IT security today is being able to find imposters, which is why Exabeam is using these techniques to be able to uncover users that may have had their credentials compromised quicker and more efficiently.

“When we look at the entire chain of events from reconnaissance by an attacker all the way to exploitation or exfiltration of data out of systems, there’s typically maybe four or five different activities that attackers go through as they’re using legitimate credentials searching for higher power users or administrators of systems that would allow them to access data that they are really looking for,” said Seward. “A good portion of those activities are preceded by credential use, so when we think about the commonality across the entire attack chain it’s the fact that legitimate credentials are being used. When we think about that, it leads us to be able to sort of focus on that to the exclusion of a lot of other things and filter out all of the other noise and stop those attacks before the attacker actually steals all of the data and walks out the door undetected.”

Polak said the company’s platform is currently deployed in five active implementations including supermarket chain Safeway, which operates more than 1,300 stores across the U.S.   

About the Author

Joel Griffin | Editor-in-Chief,

Joel Griffin is the Editor-in-Chief of, a business-to-business news website published by Endeavor Business Media that covers all aspects of the physical security industry. Joel has covered the security industry since May 2008 when he first joined the site as assistant editor. Prior to SecurityInfoWatch, Joel worked as a staff reporter for two years at the Newton Citizen, a daily newspaper located in the suburban Atlanta city of Covington, Ga.