Security startup Exabeam has a particular focus on where the riskiest part of an enterprise infrastructure is to be found. For Exabeam the risk isn't about the data, but rather about the users -- more specifically user credentials that enable access to data and resources.
This week Exambeam updated its platform to version 1.7, providing even more focus on understanding user behavior. A new stateful user tracking feature monitors the regular user credential behavior in an organization.
"The idea behind Exabeam is to use machine learning to help analysts in the rapid detection of risks," Nir Polak, CEO of Exabeam, told eSecurityPlanet.
An increasingly common risk is attackers that are able to execute privilege escalation attacks, giving a specific account controlled by an attacker extensive access to a network.
"We're focused now on modeling the user creation process," Polak said. "The reason for that is that if someone is creating a new account from a normal location, that could be an indicator of risk."
Exabeam looks at Microsoft ActiveDirectory as the primary directory of users in organizations. While ActiveDirectory now has a synchronization feature that can enable the directory information to be present in multiple physical locations, Polak said this ActiveDirectory Sync isn't a problem for Exabeam.
"There is specific event code that the domain controller sends out to signal that a new user has been created, as well as identity the user's group membership," Polak said. "So it's possible to distinguish between the sync stuff and normal privileged administrator activities."
Exabeam 1.7 also provides a dashboard that can deliver visibility into systems across an enterprise. For example, the dashboard can identify how many users work from home rather than the office and the number of employee-owned devices on a network.
"So with the dashboard we're not just focused on the individual user, we're able to look at the organization as a whole and the behavior of the organization," Polak said.
From a technology perspective, Exabeam leverages the open source MongoDB database and then utilizes its own purpose-built machine learning algorithms. From a bare metal operating system perspective, Exabeam appliance runs on a CentOS Linux.
Moving forward more emphasis will be given to helping out the response side of security, whereas now the focus is on detection, Polak said.
"We're going to put more emphasis so that everything needed for quick response will be available to security analysts," Polak said."
Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.