Exabeam emphasizes new use cases, unveils platform enhancements at Spotlight19 event

The announcements include Exabeam's support for the MITRE ATT&CK Framework, and the company showed its commitment to that community by becoming the first third-party vendor to have a submitted new MITRE technique accepted.

Exabeam MITRE Smart Timelines rule tags

Today, at the Exabeam Spotlight19 event for users and partners, the company is both recounting its triumphs from a strong year that just ended, and announcing improvements to its Exabeam Security Management Platform (SMP). These include support for the MITRE ATT&CK Framework, and the first acceptance of a submission of a new MITRE technique.

This is Exabeam’s second annual user conference, and is being held at the Hyatt Regency in San Francisco.

“We had about 160 customers and partners last time, and we have 240 this year,” said Trevor Daughney, Exabeam’s VP of Product Marketing. “Those numbers are very good because we focus on large enterprises, so have around 300 customers.”

Exabeam monitors about 7.5 million employees and 5.5 million devices, which Daughney said are excellent numbers because their device monitoring is comparatively new.

“We started with UEBA, which monitors users, and only began to track the behavior of machines and devices last year, when we introduced Exabeam Entity Analytics, our most recent product,” Daughney said. “Since the end of last year, the number of devices we track has gone to 5.5 million from 1.9 million, and the number of users has gone from 4 million to 7.5 million over the same period. The number of devices is growing rapidly, and we expect to see a 3-1 ratio of devices to users as our product line matures.”

Spotlight19 kicked off with a year in review from CEO Nir Polak.

“He emphasized that while our original goal was making a smarter SIEM with behavioral analytics, now half our business is replacing other SIEMs, since we have a broader product portfolio,” Daughney said. “We are also growing internationally quickly, which ties in with our SaaS product being available outside the US. This gives added opportunities for partners to accelerate the sales cycle.”

Polak also talked about what the future looks like, and the growth of use cases for Exabeam.

“In a world with data everywhere, we expect customers will be in all public clouds and own data centres, and we will be supporting that more federated world,” Daughney stated. “We will also be expanding our detection use cases.”

A key theme of the event is customers talking about use cases, including a customer panel featuring United Airlines and Delta Airlines talking about the use cases they are making of the Exabeam software.

“They track airplanes as devices within our software, which shows abnormalities, which are sometimes security and sometimes maintenance,” Daughney said. “They are also being used for fraud detection, such as employees taking advantage of Friends and Family programs. For example, a desk agent checking customers in who has access to bookings can book out entire business class sections, and release them 15 minutes before a flight, so staff and companions get upgraded to business. Another use case is detecting baggage handlers adding contraband like blue jeans at the U.S. end, which is taken out before it is picked up, and sold on the gray market. We can detect this because we track the bags.”

The airline example points to a key recent theme in the space.

“People being able to customize security management tools for more use cases is becoming more relevant,” Daughney said. “We also have some bank customers talking about their use cases for us. When people send data outside their companies, they put it on thumbdrives, in sync and shares or in emails. The banks have used our ability to monitor and prevent data exfiltration to shut down vectors holistically. Levis took our incident response technology to automate a playbook from nothing, which they now use to protect all their retail locations.”

A major new announcement being made at the event is that Exabeam detection methods are now mapped to the MITRE ATT&CK Framework, providing a common taxonomy for security analysts to label adversary behavior and enabling improved collaboration.

“While MITRE has been around for decades, the ATT&CK Framework is only about five years old, and the number of daily searches in MITRE has grown really consistently over the last couple years,” Daughney stated. “We are also announcing that we are the first SIEM company to have submitted a new MITRE technique and have MITRE accept it.” This is Domain Generation Algorithms (T1483).

“The acceptance of this submission is extremely exciting for us and speaks to the fact we want to be involved in that community,” Daughney emphasized.

Exabeam is also emphasizing that their mapping approach lets security analysts view and filter MITRE techniques within Exabeam Smart Timelines, machine-created timelines that sequence events into plainly worded narratives which allow less technically advanced team members to investigate event details. Analysts can also easily search for MITRE tactics and techniques with Exabeam Threat Hunter.

“Companies are very interested in the framework, and want to know how to use it in day-to-day environments,” Daughney said. “We are counselling them that they can use it like a heat map defensively to determine where they are strong and weak, and that red teams can use these techniques to see if they can get into their organizations.”
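The two things described above, tagging detection rules with ATT&CK tactic and technique IDs so a timeline can be filtered by technique, and turning the same tags into a defensive heat map of which tactics have coverage, can be sketched in a few dozen lines. The following is an added illustration, not Exabeam's code or a description of how the SMP implements Smart Timelines; the rule names and sample detections are constructed for the example, while the technique IDs (T1110, T1078, T1021, T1483) and tactic names are real ATT&CK identifiers.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# ATT&CK Enterprise tactics in kill-chain order (real tactic names).
TACTICS: List[str] = [
    "Initial Access", "Execution", "Persistence", "Privilege Escalation",
    "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
    "Collection", "Command and Control", "Exfiltration", "Impact",
]

# Rule-to-technique tags. The rule names are constructed for this example;
# the technique IDs and names are real ATT&CK identifiers.
RULE_TAGS: Dict[str, Dict[str, str]] = {
    "failed-logon-burst":      {"id": "T1110", "name": "Brute Force",                  "tactic": "Credential Access"},
    "abnormal-logon-hours":    {"id": "T1078", "name": "Valid Accounts",               "tactic": "Defense Evasion"},
    "first-time-remote-logon": {"id": "T1021", "name": "Remote Services",              "tactic": "Lateral Movement"},
    "dga-like-dns-lookup":     {"id": "T1483", "name": "Domain Generation Algorithms", "tactic": "Command and Control"},
}


@dataclass
class Event:
    ts: str       # ISO-8601 timestamp, sortable as a plain string
    user: str
    rule: str     # name of the detection rule that fired
    detail: str   # plain-language detail used in the narrative


# Constructed sample detections (not real telemetry).
EVENTS: List[Event] = [
    Event("2019-05-21T09:02:00Z", "alice", "failed-logon-burst", "40 failed logons in two minutes"),
    Event("2019-05-21T08:55:00Z", "alice", "abnormal-logon-hours", "logon outside baseline hours"),
    Event("2019-05-21T09:10:00Z", "alice", "first-time-remote-logon", "first RDP session to host-finance-07"),
    Event("2019-05-21T09:15:00Z", "alice", "dga-like-dns-lookup", "DNS query for a high-entropy domain"),
    Event("2019-05-21T09:20:00Z", "bob",   "failed-logon-burst", "12 failed logons in one minute"),
    Event("2019-05-21T09:30:00Z", "alice", "usb-mass-storage-mounted", "removable drive attached"),
]


def tag_event(e: Event) -> dict:
    """Attach the ATT&CK tactic/technique for the rule, or None when the rule is untagged."""
    tag = RULE_TAGS.get(e.rule)
    return {
        "ts": e.ts, "user": e.user, "rule": e.rule, "detail": e.detail,
        "technique": tag["id"] if tag else None,
        "technique_name": tag["name"] if tag else None,
        "tactic": tag["tactic"] if tag else None,
    }


def build_timeline(events: List[Event], user: str) -> List[dict]:
    """One user's detections, tagged and ordered by time."""
    return [tag_event(e) for e in sorted(events, key=lambda e: e.ts) if e.user == user]


def filter_by_technique(timeline: List[dict], technique_id: str) -> List[dict]:
    """Keep only the timeline rows tagged with the given technique ID."""
    return [row for row in timeline if row["technique"] == technique_id]


def narrative(timeline: List[dict]) -> List[str]:
    """Plain-language lines so a less experienced analyst can read the sequence without raw logs."""
    lines = []
    for row in timeline:
        if row["technique"]:
            label = f"{row['technique_name']} ({row['technique']}, {row['tactic']})"
        else:
            label = "no ATT&CK tag"
        lines.append(f"{row['ts']} {row['user']}: {label}: {row['detail']}")
    return lines


def coverage_heatmap(rule_tags: Dict[str, Dict[str, str]]) -> Dict[str, int]:
    """Distinct techniques with at least one rule, per tactic; zeros mark coverage gaps."""
    techniques_per_tactic: Dict[str, Set[str]] = {t: set() for t in TACTICS}
    for tag in rule_tags.values():
        techniques_per_tactic.setdefault(tag["tactic"], set()).add(tag["id"])
    return {t: len(ids) for t, ids in techniques_per_tactic.items()}


def untagged_rules(events: List[Event]) -> Set[str]:
    """Rules that fired but carry no ATT&CK tag, i.e. mapping work still to do."""
    return {e.rule for e in events if e.rule not in RULE_TAGS}


if __name__ == "__main__":
    tl = build_timeline(EVENTS, "alice")
    print("\n".join(narrative(tl)))
    print("C2 detections:", len(filter_by_technique(tl, "T1483")))
    print("coverage by tactic:", coverage_heatmap(RULE_TAGS))
    print("untagged rules:", untagged_rules(EVENTS))
```

The heat map is computed from the rule catalogue rather than from events that happened to fire, which is the point of using it defensively: a tactic with zero mapped techniques is a blind spot whether or not anything has been seen there yet. The `untagged_rules` check is the complementary hygiene step, surfacing detections that would be invisible to any technique-based filter on the timeline.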

Exabeam also announced several other platform enhancements. One is allowing senior analysts to create incident response checklists.

“This allows grouping of standard actions into different phases of the incident lifecycle, aligned with the NIST framework,” Daughney indicated. “Having these checklists is another way we help solve the skills gap. A senior analyst can create the checklist, and junior ones have a specific checklist to follow.”

Analysts can now customize incident types, values and layouts for incidents created in Exabeam Case Manager, building their own incident ticket templates with custom incident types and information fields, or editing existing templates.

“These case management and incident response capabilities leverage a newer part of our product, around orchestration,” Daughney said. “It further continues our customization narrative. The tickets can be customized to align to specific industry compliance to meet regulatory requirements.”

Another new capability in the SMP is cross cluster search.

“This is useful in very large global deployments, and even some large ones within the U.S.,” Daughney noted. “Analysts can now search up to seven clusters across all different locations, cloud or on-prem, and get full context with role-based access controls.”