We seem to be getting a lot of threat analysis tools lately. Each one seems to approach the problem of cyberthreat analysis a bit differently from its peers. Some are good at response – after-the-fact analysis and future prevention. Some are good at spotting trends in malicious activity that suggest a bot, malware, hacker or whatever. Some – very, very few – look specifically at the user and say, “Is this user behaving the way we expect based on past behavior models?” The most impressive one of these latter types is the tool we're working on this time.
Threat Hunter from Exabeam focuses on the user's behavior and builds a model. This is a very complete profile and the system constantly is learning and refining. That sounds simple – not a bit, though. The combination of machine learning, deep behavioral tracking and the addition of lots of other data from other resources all fit together to provide a quick warning when things start to go bad. The folks at Exabeam call this process stateful user tracking.
Product Threat Hunter
Price Pricing is based on number of users, beginning at $30 per user per year, and is licensed via subscription.
What it does Threat hunting based on anomalous user behavior.
What we liked It really doesn't matter to Threat Hunter what activities are going on in your network because it's the behavior of users that counts. This can identify spoofed accounts, account takeovers and other things that point to a malicious actor rather than an authorized, ethical user.
The bottom line This fills the gap between event behavior and the malicious actor to help explain malicious activity in the enterprise– important because it's the actors doing the damage using the malicious tools (malware, hacking, etc.)
This actually is pretty cool because it is far different from other – event-based – approaches. In typical event-based approaches the event is the stateful object (it doesn't move or change) that gets analyzed in the context of other events. Then subjects – people, programs, etc. – are factored in and conclusions are drawn. Threat Hunter leaves the users static – stateful – and pivots around them. Activities of other users, events, known events, TTPs (tools, techniques and processes), imported data and actors all add to the mix. Exabeam calls this part of the data collection process “enrichment” and it gives a lot of context to the “user's” actions which may be indicative of malicious activity.
Once the behavior of a user is analyzed in the enriched context it is measured by Threat Hunter's risk engine and scored based on the entire model and impinging behavior. Analysts can see threat scores immediately and pick out candidates for further analysis. So if your CFO suddenly starts exchanging emails with a foreign adversary you'll know. And if the CFO simply is communicating with a counterpart at your Russian subsidiary, for example, the risk engine might flag it as risky, though not abnormal or malicious, behavior.
The system can consume just about any appropriate data source and you can write your own rules and models. That, really is the key to Threat Hunter's success rate. Every user is modeled in formal detail and deviations from the models are noted and analyzed further. By being able to write your own models and incorporate your own data feeds – in addition to what Exabeam provides out of the box – you customize the tool to your precise environment. As it learns and builds up refinements to its models, the precision increases. All of the data going into the models is played against external “bits and bytes” data and that, too, becomes part of the analysis.
After we logged into the tool, we landed on a menu that offered us a collection of users – both notable for their behavior and those on a watchlist – as well as stored sessions for specific users and account lockouts. Besides looking at each user and the stored sessions for that user, there is a summary panel that puts everything happening on the enterprise in context. Drilling down we can decompose the user activities and look at some generic summaries. This – the risk timeline, for example – can point to hot spots that need more analysis. This is tied to the user – or, perhaps, an actor masquerading as the user. One might be particularly interested in a sudden spike in user activity.
Further drill-down gets us a lot of very specific detail. It all seems simple and that is one of the tool's high points: All of the complicated stuff is under the covers.
Threat Hunter is priced reasonably for what it does and it is well-supported. It is 100 percent on-premises so your data never leaves your shop.