Reduced time spent on threat hunting by 30% with Exabeam
Working in the heavily regulated and frequently targeted financial services industry, our client (a global financial services group) needed a cybersecurity posture robust enough to protect its infrastructure and customer data from threats.
The previous threat detection solution generated a high volume of false positives. Without a robust SIEM, and with only limited UEBA capability, the team recognised the need to strengthen its security framework to meet its stringent standards.
Another key area of focus was visibility across the security infrastructure. Monitoring was spread across several tools rather than consolidated in a single interface. The team also wanted closer oversight of Active Directory activity, in particular enumeration attacks (reconnaissance of users, groups and hosts), and monitoring of company data exported by internal users.
Brought in to increase visibility and reduce overall risk, RiverSafe recommended Exabeam, which would give the company the UEBA tooling it needed. The recommendation was based on the platform’s efficient data processing, simple architecture, scalability, and ease of deployment.
The off-the-shelf content in Exabeam’s UEBA dashboards and reporting tools was another key benefit, giving the security team pre-built models, dashboards and statistics that would let them start monitoring and flagging events immediately.
Finally, Exabeam’s smart timeline feature, which merges all of a user’s activity into a single stream, would address the visibility issue.
With the client ready to implement, RiverSafe deployed Exabeam in their AWS environment following best-practice guidelines.
The team mapped out relevant log sources for the system, and onboarded all data streams, filtering and fine-tuning everything to ensure any information being ingested was relevant for security and monitoring purposes.
RiverSafe then developed and deployed use cases scoped in partnership with the client, helping them get maximum value from their Exabeam implementation. The deliverables included custom roles, models and parsers, as well as other quality-of-life improvements, additional search filters, and documented guidance on maintenance and monitoring techniques.
The client now has an established monitoring workflow for its security team that is baked into their day-to-day tasks. The team can monitor the entire environment quickly, and has significantly reduced the time it takes to assess threats such as phishing and brute-force attacks and to investigate unusual internal behaviour.
Following RiverSafe’s advice, the client has been able to scale its Exabeam solution by provisioning the infrastructure the product needs to run efficiently.
Noise from the SIEM has been reduced thanks to the optimisation work conducted on log source onboarding. This has resulted in less complexity, fewer false positives, and easier access to the precise information that the team really needs.
The security team now has visibility into email, endpoint, Active Directory, and web activity, and is able to monitor these frequently targeted areas for suspicious events and behaviour.
This visibility also extends to file activity, giving the team a way to detect potential data loss and supporting data integrity.
Silos have been eliminated, with security insights now held in a single repository for maximum visibility. From server performance to traffic flows, whatever is happening across the company’s global regions, the security team knows about it.
Exabeam has equipped the team with a simpler, more effective way of managing security data and identifying trigger points—resulting in a 30% reduction in time spent on threat hunting.