NEW TECH: Exabeam retools SIEMs; applies credit card fraud detection tactics to network logs

By Byron V. Acohido

Security information and event management, or SIEM, could yet turn out to be the cornerstone technology for securing enterprise networks as digital transformation unfolds.

Related: How NSA cyber weapon could be used for a $200 billion ransomware caper

Exabeam is a bold upstart in the SIEM space. The path this San Mateo, CA-based vendor is trodding tells us a lot about the unfolding renaissance of SIEMs – and where it could take digital commerce.

Launched in 2013 by Nir Polak, a former top exec at web application firewall vendor Imperva, Exabeam in just half a decade has raised an eye-popping $115 million in venture capital, grown to almost 350 employees and reaped over 100 percent revenue growth in each of the last three years.

I had the chance to visit with Trevor Daughney, Exabeam’s vice president of product marketing at RSA 2019. He explained how Exabeam has taken some of the same data analytics techniques that banks have long used to staunch credit card fraud and applied them to filtering network data logs. For a full drill down on our conversation, please listen to the accompanying podcast. Here are a few takeaways:

Very Big Data

The earliest SIEMs cropped up around 2005 or so. Led by the likes of Splunk, LogRhythm, IBM and Exabeam, the global SIEM market is expected to grow to over $5 billion annually in 2022.

Related: Autonomous vehicles are driving IoT security innovation

Fundamentally, SIEMs collect event log data from internet traffic, as well as corporate hardware and software assets. The starting idea was for a security analyst to then sift meaningful security intelligence from a massive volume of potential security events and keep intruders out. Yet, SIEMs never quite lived up to their initial promise.

And now, Big Data is about to become Very Big Data. Consider that 90 percent of the data that exists in the world today was generated in just the past couple of years. That includes everything moving across the internet: email, texting, online searches, social media posts, entertainment streaming, global finance, scientific research and cyber warfare. And on the horizon loom a full blown Internet of Things (IoT) and 5G networks, which will drive data generation to new heights.

This accelerating flow of corporate data means rising opportunities for two equally bad outcomes: detection of actual security events to fall, and false-positive alerts to rise. Clearly, there is a greater need for innovations to make SIEM systems a more viable security tool.

Poor usage

A fundamental weakness with legacy SIEM systems has always been the brittleness of the correlation rules, Daughney told me. These rules connect the dots between log events from disparate sources to determine if something appears to be outside the norm. “The problem with using rules is twofold,” Daughney said. “One, it creates a lot of false positives. Another problem is that different types of security threats get missed.”

For example, there are numerous ways for a credentialed employee with malicious intent – the classic insider threat – to access and remove sensitive files without getting detected. Edward Snowden did just that. And legacy SIEMs also require a high degree of manual culling of the lowest-level correlations. This has led to poor use of experienced analysts, while also contributing to a huge shortage of analysts.

Going forward, this approach just isn’t going to cut it, especially as Big Data pressure steadily worsens in the years ahead. “There needed to be a new way to detect threats in this environment,” Daughney told me.

Coming of age

One breakthrough technology Exabeam is leveraging are data lakes, the repositories for the huge flows of data arising from cloud computing. Having a place to park large amounts of data is crucial. Machine learning routines can then be set up to draw from these data lakes and with human tweaking get incrementally smarter over time.

Just as credit card companies have gotten lightning quick at detecting attempts at credit card fraud, even on Black Friday, Exabeam is using machine learning, tapped into data lakes, to steadily get faster and more accurate at identifying anomalies flowing through enterprise data logs. What once took hours or days eventually will take minutes and then seconds.


“I think a lot of companies were having issues with the amount of data they were putting into their SIEM, and they weren’t able to go in and search through that in a timely manner,” said Daughney.

The proprietary techniques Exabeam is bringing to the table to help its customers work smarter come as a natural extension to a couple of other major SIEM add-on technologies: user and entity behavior analytics, aka UEBA tools, and security orchestration, automation and response, or SOAR systems. These technologies can recognize when a user is doing something unusual, isolate the problem and then remediate it. UEBA and SOAR vendors, likewise, have been a magnet for venture capital over the past couple of years.

There is a clear need for more efficient and accurate sifting of data logs for evidence of unfolding attacks, Daughney told me. I agree. Smart cars, smart buildings and smart transportation are the future. So is the continuing rise of global subcontracting as well as greater reliance on gig economy workers, many toiling remotely.

SIEMs are positioned to play an important role identifying and diffusing snippets of malicious  code that threat actors will surely blend into the rising volume of data logs arriving from these  myriad new sources. The success of Exabeam and other innovators in this space is vital. Talk more soon.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(Last Watchdog’s Sue Poremba contributing.)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone