Who is Exabeam?

A security analytics company founded in 2013. We provide user behavior intelligence by leveraging existing SIEM and log management data repositories. Our technology detects modern cyber attacks and simplifies security operations.

Sylvain Gil, Co-founder and VP Products
What do nearly all of the worst data breaches have in common?

(Figure: breach victim counts, one per company logo: 1.1 million customers; 40 million customers; 100,000 customers; still unknown; 3 million customers; 4.5 million customers; 215 employees; 56 million customers; 83+ million; 1,000 stores; 3.6 million employees)

Stolen user credentials were involved in every case
• Attackers impersonate employees using stolen credentials
• Able to move throughout the network avoiding detection
• The victims learned about their breach through outside sources

(Diagram: Stolen Credentials > Attack > Command & Control > Lateral Movement > Extent of Impact)

Most companies, if not all, had made significant investments in SIEM, firewall, anti-malware and IPS.
The Typical Attack Chain

(Diagram: Initial Recon > Initial Compromise > Establish Foothold > Escalate Privileges > Internal Recon > Move Laterally > Maintain Presence > Complete Mission; time scale, left to right: Hours, Weeks or Months, Hours)

Source: FireEye Mandiant APT1 report (Feb 2013)
Use of Stolen Credentials

(Diagram: the same attack chain, Initial Recon > Initial Compromise > Establish Foothold > Escalate Privileges > Internal Recon > Move Laterally > Maintain Presence > Complete Mission, annotated with "Possible Credential Use"; time scale, left to right: Hours, Weeks or Months, Hours)

Source: FireEye Mandiant APT1 report (Feb 2013)
Undetected Attack: South Carolina IRS

Timeline:
• August 13: Spear Phishing
• August 27: VPN in with stolen credentials
• Aug 29 to Sept 11: Server & App Recon
• September 12: File Data Theft
• September 13-14: Exfiltration

At various stages of this attack, important anomalies went unnoticed:
• VPN access off hours
• VPN access from new device
• Unusual access to servers
• Crawling of sensitive servers
• Copy of large DB backups
Challenges in Detecting Stolen Credential Use

• Million ways to compromise
• Attack may not use malware
• We don't know what's good or bad
Using Splunk for Behavior Profiling

1. Define Characteristics of User Behavior
2. Create a Baseline
3. Detect and Score Anomalies
Splunk Benefits

1. Access to historical log data = immediate ability to baseline
2. Log data spans entire stack from network to app transactions
3. Unstructured data: collect first, get insight later
4. Powerful search and statistic functions
5. You already own it!
1. Defining User Behavior Characteristics

• Challenge fundamentals of attack chain
  • How many assets accessed
  • When do activities take place
  • What accounts connect to what machines
  • Did user ever connect from this country
• Rely on likely available log sources
  • Windows Domain Controllers
  • Windows Servers
  • SSH logins
  • Remote Access VPN
  • Single Sign-On
Windows DC and Server logs

• Use Splunk Universal Forwarder for out-of-the-box field extraction
  http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/Monitorwindowsdata
• Domain Controllers event codes: (EventCode=4769 OR EventCode=673)
• Other Windows Servers or Workstations: (EventCode=4624 OR EventCode=528)
• Make sure to log successful logins: GPO > Audit Logon Events
Fields of Interest in a Windows DC Logon

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/27/2009 9:58:02 PM    -> _time
Event ID: 4769
Task Category: Kerberos Service Ticket Operations
Level: Information
Keywords: Audit Success
User: N/A
Computer: dcc1.Logistics.corp
Description: A Kerberos service ticket was requested.
Account Information:
  Account Name: [email protected]    -> AccountName (look for non-$ values to filter out computer logons)
  Account Domain: LOGISTICS.CORP
  Logon GUID: {9A6EBA7B-42EE-E3E3-EC65-5DD3DD4C77A9}
Service Information:
  Service Name: TERMSERV1$    -> ServiceName (computer being accessed)
  Service ID: S-1-5-21-1135140816-2109348461-2107143693-1000
Network Information:
  Client Address: 192.168.23.189    -> ClientAddress (misleading, often IP of destination)
  Client Port: 0
Additional Information:
  Ticket Options: 0x40810000
  Ticket Encryption Type: 0x12
  Failure Code: 0x0
  Transited Services: -
2. Creating a Baseline

• We want to gather daily usage stats per user
• We cannot afford to search over entire history every day
• Solution: Splunk Summary Indexing
  • Similar to Map Reduce concept

(Diagram: Search logs > Calculate daily stats > Save stats to index > Search index)
Demo: Storing daily user stats in summary index

We store a daily count of servers per user and save this info in the userstats index:

EventCode=4769
| bin _time span=1d
| stats dc(ServiceName) by _time user
| rename dc(ServiceName) as count
| collect index=userstats
3. Detecting and Scoring Anomalies

• Run statistical analysis on daily stats stored in summary index
• Splunk offers several possibilities:
  • Xth percentile analysis – percX(Y)
  • Standard deviation analysis – stdev
  • Build your own with lookups
Percentile analysis

index=UserStats AccountName=bob
| eventstats p95(AssetCount) as threshold
| where AssetCount>threshold

• Returns days where bob accessed more than his 95th percentile number of assets
• Runs in seconds even for several months of data
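The daily-asset baseline from the summary-index demo and the percentile detection above, reproduced in Python over constructed 4769-style records as an added example (not code from the slides or from Exabeam). Account and service names are made up, and percentile() is a nearest-rank stand-in for Splunk's p95(), so it also shows why a baseline of only a few days flags nothing.

```python
import math
from collections import defaultdict
from datetime import datetime

def build_sample_events():
    """Constructed 4769-style records (_time, AccountName, ServiceName); not real logs.
    bob touches 1 to 3 services a day for 30 days, then 8 services at 02:00 on day 31."""
    services = ["TERMSERV1$", "FILESRV2$", "SQLSRV1$", "HRSRV1$",
                "BACKUP1$", "PRINT1$", "WEB1$", "DC1$"]
    events = []
    for day in range(1, 31):
        for svc in services[: 1 + day % 3]:
            events.append((f"2014-08-{day:02d} 09:{day:02d}:00", "bob@LOGISTICS.CORP", svc))
    for i, svc in enumerate(services):
        events.append((f"2014-08-31 02:{i:02d}:00", "bob@LOGISTICS.CORP", svc))
    # Machine account (trailing $): dropped, like the slide's "non $ values" rule.
    events.append(("2014-08-31 02:30:00", "WKS42$@LOGISTICS.CORP", "DC1$"))
    return events

def daily_asset_counts(events):
    """Same result as '| bin _time span=1d | stats dc(ServiceName) by _time user',
    skipping computer accounts. Returns {user: {day: distinct_service_count}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for ts, account, service in events:
        user = account.split("@")[0]
        if user.endswith("$"):
            continue
        day = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").date()
        seen[user][day].add(service)
    return {u: {d: len(s) for d, s in days.items()} for u, days in seen.items()}

def percentile(values, pct):
    """Nearest-rank percentile (a stand-in for Splunk's p95(); Splunk's own
    implementation may differ slightly on small samples)."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]

def p95_outliers(daily):
    """Days where a user's asset count exceeds that user's own 95th percentile.
    With only a handful of days the 95th percentile is just the maximum, so
    nothing is flagged: the baseline needs history (the slide says months)."""
    out = []
    for user, days in daily.items():
        threshold = percentile(days.values(), 95)
        out.extend((user, d, n, threshold)
                   for d, n in sorted(days.items()) if n > threshold)
    return out
```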
Standard Deviation: VPN session duration

msgType=juniper-vpn-*
| transaction user startswith="msgType=*start" endswith="msgType=*end"
| eval type="VpnDuration"
| table type,_time,user,duration
| collect index=userstats

index=userstats type="VpnDuration"
| eventstats mean(duration) as avgdur, stdev(duration) as stdevdur by user
| eval threshold=tonumber(avgdur)+3*tonumber(stdevdur)
| where duration>threshold
| table user,duration,threshold
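The session pairing and mean-plus-3-stdev check above, carried out in Python over constructed Juniper-style start/end lines as an added example (not code from the slides or from Exabeam). User names and timestamps are made up; it also handles the two cases the Splunk pipeline silently drops, a start with no end and a user with too few sessions to have a standard deviation.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

def fmt(ts, kind, user):
    return f"{ts:%Y-%m-%d %H:%M:%S} msgType=juniper-vpn-{kind} user={user}"

def build_sample_log():
    """Constructed Juniper-style VPN start/end lines; not real logs. alice has 20
    sessions of 3.5 to 4.5 hours, then one of 24 hours; bob has a single session;
    carol's session never ends (an open transaction with no duration)."""
    lines, hours = [], [4.0, 4.5, 3.5]
    for day in range(20):
        start = datetime(2014, 8, 1, 8) + timedelta(days=day)
        lines += [fmt(start, "start", "alice"),
                  fmt(start + timedelta(hours=hours[day % 3]), "end", "alice")]
    start = datetime(2014, 8, 21, 8)
    lines += [fmt(start, "start", "alice"), fmt(start + timedelta(hours=24), "end", "alice")]
    lines += [fmt(datetime(2014, 8, 5, 9), "start", "bob"), fmt(datetime(2014, 8, 5, 11), "end", "bob")]
    lines.append(fmt(datetime(2014, 8, 6, 9), "start", "carol"))
    return lines

def parse(line):
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    fields = dict(tok.split("=", 1) for tok in line[20:].split())
    return ts, fields["msgType"], fields["user"]

def sessions(lines):
    """Pair each user's start with the next end, as '| transaction user
    startswith=... endswith=...' does. Returns {user: [duration_seconds, ...]}.
    A start with no matching end is left out rather than given a bogus duration."""
    open_since, durations = {}, defaultdict(list)
    for ts, kind, user in sorted(parse(l) for l in lines):
        if kind.endswith("start"):
            open_since[user] = ts
        elif kind.endswith("end") and user in open_since:
            durations[user].append((ts - open_since.pop(user)).total_seconds())
    return durations

def stdev_outliers(durations, k=3):
    """Sessions longer than mean + k*stdev of that user's own history, like the
    slide's eventstats/eval/where pipeline. A user with fewer than two sessions
    has no standard deviation, so such users are skipped instead of raising."""
    out = []
    for user, durs in durations.items():
        if len(durs) < 2:
            continue
        threshold = statistics.mean(durs) + k * statistics.stdev(durs)
        out.extend((user, d, round(threshold, 1)) for d in durs if d > threshold)
    return out
```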
First occurrence with Lookups: Known VPN endpoints

We store all past endpoints of each user in a lookup. We then filter for endpoints that are not found in that lookup.

eventtype=vpn-login
| eval key=user+"-"+src_host | eval value=1
| dedup key | table key,value
| outputlookup UserVpnHosts.csv

eventtype=vpn-login earliest=-2d@d latest=-1d@d
| eval key=user+"-"+src_host
| lookup UserVpnHosts.csv key OUTPUT value as result
| where isnull(result) | table user,src_host
Aggregating Anomalies and Scoring

• We want to sum up anomalies and create a daily score per user
• Each anomaly detection search will increment the daily score
• Solution: Splunk Summary Indexing

(Diagram: Run detection searches on index > Assign score and reason > Collect in UserScores index > Roll up daily score with | stats sum())
Keeping Score and Reasons

index=UserStats AccountName=bob
| eventstats p95(AssetCount) as threshold
| where AssetCount>threshold
| eval Reason="Asset count exceeded threshold of ".tostring(threshold)
| eval Score=20
| fields _time,AccountName,AssetCount,Score,Reason
| collect index=userscores
Demo: Aggregate and Trend User Score

We sum up the scores per user per day and collect the associated reasons:

index=userscores
| bin _time span=1d
| stats sum(Score) as Score, values(Reason) as Reasons by _time,user
| table user,_time,Score,Reasons
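The first-occurrence lookup from the VPN endpoint slide and the score-and-reason roll-up above, combined in Python as an added example (not code from the slides or from Exabeam). The login records, the percentile-search output and the 20-point weight per anomaly are all constructed assumptions; the point is that several detections for the same user and day add up to one ranked score with its reasons kept alongside.

```python
from collections import defaultdict

# Constructed VPN login records (day, user, src_host); not real data.
PAST_LOGINS = [("2014-09-01", "bob", "host-a"), ("2014-09-02", "bob", "host-b"),
               ("2014-09-01", "alice", "host-c")]
YESTERDAY_LOGINS = [("2014-09-10", "bob", "host-a"), ("2014-09-10", "bob", "host-z"),
                    ("2014-09-10", "alice", "host-c")]
# Constructed output of the percentile search: (day, user, AssetCount, threshold).
ASSET_OUTLIERS = [("2014-09-10", "bob", 8, 3)]

def build_lookup(logins):
    """Equivalent of '| eval key=user+"-"+src_host | dedup key | outputlookup':
    the set of user-endpoint pairs seen before."""
    return {f"{user}-{host}" for _, user, host in logins}

def first_seen_endpoints(logins, known):
    """Logins whose user-endpoint pair is absent from the lookup ('where isnull(result)')."""
    return [(day, user, host) for day, user, host in logins if f"{user}-{host}" not in known]

def score_anomalies(new_endpoints, asset_outliers):
    """Each detection emits (day, user, score, reason), as the slide's
    '| eval Score ... | eval Reason ... | collect index=userscores' step does.
    The 20 points per anomaly are an assumed weighting, as on the slide."""
    rows = [(day, user, 20, f"First VPN login from {host}") for day, user, host in new_endpoints]
    rows += [(day, user, 20, f"Asset count {n} exceeded threshold of {t}")
             for day, user, n, t in asset_outliers]
    return rows

def daily_user_scores(rows):
    """'| stats sum(Score) as Score, values(Reason) as Reasons by _time,user'.
    Returns {(day, user): (total_score, sorted list of distinct reasons)}."""
    agg = defaultdict(lambda: [0, set()])
    for day, user, score, reason in rows:
        agg[(day, user)][0] += score
        agg[(day, user)][1].add(reason)
    return {key: (score, sorted(reasons)) for key, (score, reasons) in agg.items()}

def ranked_users(scores):
    """Highest daily score first: the ranking an analyst would triage from."""
    return sorted(scores.items(), key=lambda kv: kv[1][0], reverse=True)
```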
Possible Caveats

• There may not be enough data for the baseline to be valid
  • New users, new machines
  • Exabeam uses a proprietary Confidence Factor algorithm
• Session Tracking
  • Logs are stateless by nature, hard to track identity switches
• User Interface
  • Representing log events of diff. nature alongside anomalies can be tricky
• Peer analysis
  • New behaviors should be compared to the users' peers (lookups?)
The Exabeam Approach

(Architecture diagram: data sources IT Security, ERP, CMDB, Machine Data, HRMS, ITMS, Log Management and Active Directory feed Log Extraction & Context + User Session Tracking + Behavior Analysis Engine + Risk Scoring, informed by Research & Community Insights; outputs a risk score (75 shown), Incident Ranking and Attack Detection)
Exabeam Tracking of User Sessions

• Context on who the user is
• Peer group and manager info
• Risk trend over time
• Quick view of risk reasons
Session Timeline

• Lists user activities from logon to logoff
• Track reasons per event and associated score
• Transfers risk from one day to the next
Takeaways

• Add user behavior and anomaly detection to your rules
• Start simple with logs you have and basic analysis
• Use a scoring approach to rank risk
Questions? Visit our booth for a demo
www.exabeam.com

Thank You