Exabeam looks to channel to take SIEM booster solution to market

The startup, which utilizes user behavior analytics purpose-built for security, is well ahead of initial sales forecasts, and is building out a focused channel that will be the company’s only route to market.

Ted Plumis

Ted Plumis, Exabeam’s vice president of channel, business and corporate development

Big Data analytics is one of today’s hottest properties. However, San Mateo CA-based startup Exabeam is based on the premise that previous solutions in a key area – user behavior analytics – was significantly flawed. Their User Behavior Intelligence platform is now on the market to address this, and they are looking to a 100 per cent channel strategy to take it to customers.

“In 2013, the two cofounders noticed there was a hole in user behavior analytics – a gap between what users are doing on the network and keeping track of that user behavior,” said Ted Plumis, who recently joined Exabeam as vice president of channel, business and corporate development.

“The issue SIEM customers have always had is that while they got a lot of great information, the user context was lacking, and the customer had to piece it all together,” Plumis said. Exabeam is able to maintain what they have branded as Stateful User Tracking to address this.

“We are the only ones who can track a user from the minute they log on to the minute they log off,” he said. “Other solutions go blind because they don’t maintain the session on that user the entire time. Our improved detection tracks all users fully, and baselines what normal behavior is with more context around the alerts for the SOC [Security Operations Centre] team. This Stateful User Tracking enriches the SIEM feed with this additional data, and speeds up the time for remediation. It becomes the last mile for a SIEM deployment.”

For instance, Plumis said that failed logins can take up to 20 per cent of a SIEM admin’s day trying to determine if it is a true security event threat, or just someone forgetting their password again. He said their algorithms, with fuller and more detailed background on a user’s behavior, are capable of weeding out the non-threats without triggering a security alert.

“Our competitors have good technology, but our DNA is security people,” he said, noting that most of the company’s senior executives came out of Imperva – as did Plumis himself, more recently. “Our competitors’ algorithms come out of different types of analytics, like networking or patient health care records, or CRM. Their algorithms were built for different types of analytics and moved into security. You can’t use off-the-shelf algorithms for security, because you aren’t trying to stop machines, but to stop people. You have to write algorithms specifically for security use cases.”

While the Exabeam team spent the last two years building the product, Plumis said their solution has an advantage because of the way it was built.

“We didn’t build it in a lab, but on actual customer sites, companies who saw the vision we had, and let us build their solution on their network,” he said. “As a result, when it was released six months ago, it had been already vetted by very sophisticated companies.”

Initial customer response has been strong.

“The product has been available for six months, and we achieved our original annual goal in the first month,” Plumis said.

Their go-to-market strategy is entirely through channel partners, which Plumis maintains is the most sensible approach for security startups.

“Security products are driven by the channel,” he said. “In addition, early stage companies like us don’t have market reach off the bat. If you look at the security startups who have been wildly successful, like CheckPoint, FireEye and Palo Alto, they have had channel-only strategies.”

Plumis emphasized that people in the company have a strong channel background, and that that is huge.

“Anyone can say they are a channel company, but when a deal is coming down the pipe and there is friction, the key question is whether they understand the channel, or whether they just see it as another route to market, which will make them more likely to take that kind of deal direct,” he said.

Plumis said their platform also has elements which are very channel friendly.

“We are complementary to SIEMs, not a competitor to them, which makes it easy for partners with strong relationships with these vendors,” he said. “We also have emphasized making the product easy to use, which is good for partners. SIEM has gotten what I think is something of a bad rap of being hard to implement, because people want to pull a lot of information in. We focus on giving value out of the box quickly.”

The original idea was that Exabeam’s sweet spot would be at the top of the market, and while they have had a good response there, the market has turned out to be broader than that.

“We initially thought it was a play for the Fortune 250 – and it is, as we have some as customers already,” Plumis said. “But it is not the size of company as much as the use case that is important. We have some mid-size customers that have invested in us, like 400 person financials, based on their use cases – which we weren’t expecting. Our best prospects generally have to have a SOC. If they haven’t invested in that, they aren’t as good a fit.”

Plumis said the objective is to have a fairly limited but highly skilled group of partners.

“My plan for Europe and Americas has the high end in the next 18 months being around 50 partners,” he said. “We do have SIs who work with us on the services side, but the big bulk of our partners is resellers who sell SIEM, log management, and analytics solutions, people who have built the SOC infrastructure for their customers.

“We invest a lot in a partner, which is one reason we don’t want hundreds of them.”

While Exabeam has some U.S. partners who also have large Canadian presences, they also have Canadian-based partners and are recruiting for more.

“My background with both Arcsite and Q1 Labs was Canadian-focused as well as the U.S., so we have good contacts there,” he said. “Canada has some very strong regional partners, and you want to work with them, as well as have some strong pan-Canadian partners, and a major telco.”

Plumis said that their partner program is in the process of being designed, with the nuts and bolts of a basic program being assembled. It includes an NFR program for partners with reimbursement past a certain sales threshold, and a guaranteed margin program which he said was “well over 10 points.”