SIEM MIGRATION GUIDE


WHITE PAPER
SIEM MIGRATION GUIDE
Moving from Splunk Enterprise Security to the Exabeam Security Management Platform

INTRODUCTION

THIS MIGRATION GUIDE IS FOR ORGANIZATIONS THAT ARE CURRENTLY USING SPLUNK ENTERPRISE SECURITY (ES) AND ARE MIGRATING THEIR SIEM TO THE EXABEAM SECURITY MANAGEMENT PLATFORM (SMP).

Migrating a legacy SIEM to new technology is a complex process. Exabeam’s 8-step model for SIEM migration presents a process that accounts for typical scenarios such as augmenting a legacy SIEM with behavioral analytics or replacing a legacy SIEM entirely. For a strategic overview of preparing for SIEM migration, please see our whitepaper, Eight Steps for Migrating Your SIEM.

This guide assumes you have already completed steps 1-3, including having determined the business priorities for migration to Exabeam, selected use cases for the migration, and that you have scoped the data sources required for log collection (see Figure 1). This guide focuses on activities related to steps 4-6 of Exabeam’s migration model and a high-level overview of the activities needed to get Exabeam up and running.

Specifically, this guide provides a task-list that describes how to:

A. Install and Configure Exabeam Advanced Analytics
B. Set up Context and Event Ingestion
C. Select Exabeam’s Out-of-the-Box Use Cases
D. Install and Configure Exabeam Data Lake
E. Install and Configure Exabeam Cloud Connectors
F. Migrate High-Value Correlation Rules
G. Forward Event Data from Exabeam Data Lake to Exabeam Advanced Analytics
H. Decommissioning Splunk ES
I. Forward Incidents to Exabeam Case Manager
J. Implement Playbooks in Exabeam Incident Responder
K. Prepare Reports for Compliance and KPIs

These tasks do not necessarily have to happen in sequence. Administrators have the option to start by deploying Advanced Analytics or they can start by deploying Data Lake. Administrators also have options related to whether they initially augment or replace Splunk ES. For example, one option is to set up Exabeam in parallel with Splunk ES. Once your Security Operations Center (SOC) is comfortable with using Exabeam SMP, you can then proceed to shut off Splunk ES if desired.

FIGURE 1: EIGHT STEPS TO MIGRATE YOUR SIEM

exabeam.com

Preparing for SIEM Augmentation

An effective starting point when replacing a legacy SIEM is to first ease the workload on your SOC analysts by implementing a User and Entity Behavioral Analytics (UEBA) solution like Exabeam Advanced Analytics. Traditional SIEMs generate enormous volumes of unactionable alerts that must be investigated – and subsequently create a major waste of time. Augmenting Splunk ES with Advanced Analytics, you will dramatically reduce the typical volume of alerts flowing into the SOC while improving the productivity of your analysts by adding powerful investigation capabilities such as Exabeam Smart Timelines™. Smart Timelines eliminate wasted time and effort by revealing user and asset activity via dynamic behavior modeling. Exabeam’s tightly integrated case management and security orchestration capabilities, respectively Exabeam Case Manager and Exabeam Incident Responder, can also be used to assist and accelerate analyst workflows and reduce the time required to resolve incidents.

Implementing the full Exabeam platform, including Exabeam Data Lake, should lead to improved collection of user and event data, automatic detection of anomalies, easy investigation of root causes and faster incident response. The tasks described in this guide can be used to start feeding high fidelity alerts to your security teams to achieve these benefits.

FIGURE 2: EXABEAM PROVIDES ALL OF THE FEATURES OF AN INNOVATIVE AND EFFECTIVE MODERN SIEM COVERING THE FOUR PHASES OF SOC OPERATIONS: COLLECTION, DETECTION, INVESTIGATION AND RESPONSE.

A. Install and Configure Exabeam Advanced Analytics

Exabeam Advanced Analytics is available in hardware appliance, virtual machine and Amazon Web Services AMI template formats. Installation and configuration are quick and easy thanks to an easy to understand web user interface. User and asset context information is easily retrieved from Microsoft Active Directory or other LDAP sources, as well as from CSV and other popular human resource systems. Event information can be absorbed through syslog or API calls to the source systems.

Advanced Analytics provides powerful alert prioritization that allows SOC analysts to focus on the highest risks. This should be a significant change from your experience with Splunk ES, where alerts are typically voluminous and difficult to investigate due to the lack of context.

FIGURE 3: NOTABLE EVENTS IN SPLUNK ES ARE SINGLE DIMENSIONAL AND CONVEY LITTLE CONTEXT

FIGURE 4: EXABEAM PROVIDES EVENT CONTEXT AND A TIMELINE OF ACTIVITY TO ACCELERATE INVESTIGATIONS

B. Set Up Context and Event Ingestion

Advanced Analytics can acquire event data from Splunk ES using the Splunk API interface, making it easy to augment your existing SIEM with behavioral analytics. Additionally, API queries can retrieve historical event data. This results in faster time to value, as that historical data builds baselines of normal activity faster than if you just used real-time queries alone.

Using this API interface, we recommend retrieving the specific event types that map directly to the Exabeam behavioral analytic models for your desired use cases (see Activity C). This eliminates the need to forward your entire event stream. Advanced Analytics can easily be configured to pull specific event types from your Splunk ES instance. Next, configure Advanced Analytics to pull user and asset information from Microsoft Active Directory (AD) or another LDAP source.

After completing these activities, you should have an instance of Advanced Analytics installed, configured and starting to learn your environment.

FIGURE 5: AUGMENTING SPLUNK ES WITH EXABEAM ADVANCED ANALYTICS (USER AND ENTITY BEHAVIOR ANALYTICS)
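The selective, historical pull described above can be illustrated with a small script. This is an added example, not Exabeam's or Splunk's code: it uses Splunk's REST search endpoint (POST /services/search/jobs with exec_mode=oneshot and output_mode=json, which return results directly in the response), restricts the search to the sourcetypes that a chosen use case needs, and walks a historical range in bounded windows so backfill queries stay small. The use-case-to-sourcetype mapping, the index name, the event fields and the offline fake transport are all constructed assumptions for the demo.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterator, List, Tuple

# Hypothetical mapping of Exabeam use cases to the Splunk sourcetypes that feed
# them. The sourcetype names are illustrative; the real mapping comes from
# scoping your models (task C).
USE_CASE_SOURCETYPES: Dict[str, List[str]] = {
    "Compromised Credentials": ["WinEventLog:Security", "cisco:asa"],
    "Data Loss/Exfiltration": ["symantec:dlp", "proxy:web"],
}

# A transport takes (method, path, form params) and returns the response body.
Transport = Callable[[str, str, Dict[str, str]], str]


def build_search(use_cases: List[str], index: str = "main") -> str:
    """Restrict the search to the sourcetypes the selected use cases need,
    so the whole event stream is never pulled."""
    sourcetypes = sorted({st for uc in use_cases for st in USE_CASE_SOURCETYPES[uc]})
    clause = " OR ".join(f'sourcetype="{st}"' for st in sourcetypes)
    return f"search index={index} ({clause})"


def time_windows(start: datetime, end: datetime,
                 step: timedelta) -> Iterator[Tuple[datetime, datetime]]:
    """Split a historical range into bounded windows so each backfill query
    returns a manageable result set instead of timing out."""
    cur = start
    while cur < end:
        nxt = min(cur + step, end)
        yield cur, nxt
        cur = nxt


def pull_events(transport: Transport, search: str, start: datetime, end: datetime,
                step: timedelta = timedelta(days=1)) -> List[dict]:
    """Run one oneshot search job per window and collect the JSON results."""
    events: List[dict] = []
    for lo, hi in time_windows(start, end, step):
        params = {
            "search": search,
            "earliest_time": str(int(lo.timestamp())),  # epoch seconds
            "latest_time": str(int(hi.timestamp())),
            "exec_mode": "oneshot",   # results come back in the response body
            "output_mode": "json",
        }
        body = transport("POST", "/services/search/jobs", params)
        events.extend(json.loads(body).get("results", []))
    return events


def splunk_transport(base_url: str, token: str) -> Transport:
    """Transport for a real Splunk management port (default 8089) using an
    authentication token. Built here for completeness; the demo never calls it."""
    def send(method: str, path: str, params: Dict[str, str]) -> str:
        data = urllib.parse.urlencode(params).encode()
        req = urllib.request.Request(base_url + path, data=data, method=method,
                                     headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=120) as resp:
            return resp.read().decode()
    return send


def fake_transport(method: str, path: str, params: Dict[str, str]) -> str:
    """Constructed stand-in that answers each window with two sample Windows
    logon events, so the example runs offline."""
    assert method == "POST" and path == "/services/search/jobs"
    lo = params["earliest_time"]
    results = [
        {"_time": lo, "sourcetype": "WinEventLog:Security", "user": "alice", "EventCode": "4624"},
        {"_time": lo, "sourcetype": "WinEventLog:Security", "user": "bob", "EventCode": "4625"},
    ]
    return json.dumps({"results": results})


def backfill_demo() -> List[dict]:
    """Two days of history in one-day windows: two queries, four events."""
    search = build_search(["Compromised Credentials"])
    start = datetime(2019, 7, 1, tzinfo=timezone.utc)
    end = datetime(2019, 7, 3, tzinfo=timezone.utc)
    return pull_events(fake_transport, search, start, end)


if __name__ == "__main__":
    for ev in backfill_demo():
        print(ev)
```

Against a live instance you would replace `fake_transport` with `splunk_transport("https://splunk-host:8089", token)`; the windowed pull is what keeps a months-long baseline backfill from becoming one enormous query.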

C. Select Exabeam’s Out-of-the-Box Use Cases

Advanced Analytics includes more than 400 out-of-the-box machine learning models to support your use cases. They are a powerful replacement for legacy static correlation rules, which are often noisy and sometimes of little value. As soon as event data is flowing into Advanced Analytics, Exabeam starts learning both user and asset behavior and will begin providing high confidence alerts based on anomalous behavior.

Account Creation and Management
Account Switches
Anomalous Access
Application / Cloud Access
Compromised Credentials
Data Loss/Exfiltration
Database Analytics
Email Analytics
Endpoint Analytics
Executive Users
Failed Logons and Account Lockouts
File Access Analytics
High Risk Employees
High Value Assets
Physical Access
Privileged Users
Security Alerts
Service Accounts
VPN Remote Access
Web Activities

FIGURE 6: A SAMPLE OF PRE-CONFIGURED EXABEAM MODELS

Advanced Analytics also offers static rules (called Factual-based rules), which can be used to replicate your existing static rules where appropriate. For example, a static rule could entail adding risk factors into user or asset sessions based on Indicators of Compromise (IOC) or a violation of company security policy.

Many SIEMs, like Splunk ES, license based on data ingest volumes. As data volumes grow, most organizations struggle to afford licenses. This financial variable is a negative incentive that forces security teams to make decisions on what data sources to not ingest into Splunk ES. Choosing to not collect data results in lower visibility. Even with sufficient license capacity, older pre-big-data technology can lead to queries taking a long time to execute, sometimes timing out and hindering investigations.

By contrast, Exabeam licenses using predictable user-based pricing. With the ability to ingest all needed data, including logs from cloud and SaaS applications, your visibility into user actions can be dramatically expanded. This is one more benefit of migrating from Splunk ES to Exabeam.

D. Install and Configure Exabeam Data Lake

This task entails preparation for ingesting and retaining event data in Data Lake to replace Splunk ES event forwarders, indexers and storage as your log management platform. Data Lake is the collection and consolidation tier of the Exabeam SMP for any events that could possibly have security value.

Data Lake is available in hardware appliance, virtual machine and Amazon Web Services AMI template formats. Similar to Advanced Analytics, installation and configuration are quick and easy, with a typical install taking less than a morning with the easy-to-understand web user interface. By using Exabeam collectors, Data Lake can ingest event data from syslog, Windows, databases, eStreamer, files, Kafka, as well as common cloud SaaS platforms. Exabeam has prebuilt collectors for over 200 products, with over 2500 parsers.

E. Install and Configure Exabeam Cloud Connectors

This step entails installing Cloud Connectors to ingest logs from popular SaaS solutions including AWS, Azure, Box, Cisco AMP, CrowdStrike, Dropbox, Duo, G-Suite, GitHub, Office 365, Okta, OneLogin, Proofpoint, Salesforce, and ServiceNow. Other cloud logs can be ingested using Exabeam’s custom API connector (see task D).

FIGURE 7: AN OVERVIEW OF HOW EVENTS FLOW INTO DATA LAKE AND CLOUD CONNECTORS

F. Migrate High-Value Correlation Rules

Splunk ES customers will likely have a large number of custom rules that they have built over time, many of which consist of layers of static correlations in a building block format. Static correlation rules are good for detecting known threats, such as matches to indicators and warnings or violations of security policy. All of these are candidates for replication in Exabeam.

Advanced Analytics also uses a focused set of correlation rules (Factual rules) in the default content to highlight risky events in user and asset Smart Timelines when specific conditions are met.

G. Forward Event Data from Exabeam Data Lake to Exabeam Advanced Analytics

As previously discussed, Data Lake is the collection and consolidation tier of the Exabeam SMP. It can be used to ingest any event that could possibly have security value through syslog, Windows, databases, eStreamer, files and cloud APIs. There will be a subset of those events that will be Events of Interest for the desired use cases in Advanced Analytics. Any Events of Interest can easily be forwarded from Data Lake to Advanced Analytics by using preconfigured filters or adding custom log types.

Correlation rules can be configured in Data Lake to create actionable or informational alerts. Informational alerts can be forwarded to Advanced Analytics for inclusion in user and asset Smart Timelines, while actionable alerts can be forwarded to create an incident for investigation.

FIGURE 8: LOG FEEDS CAN EASILY BE FORWARDED FROM DATA LAKE TO ADVANCED ANALYTICS

H. Decommissioning Splunk ES

With cutover of event ingest through Data Lake, you can begin the decommission process for your Splunk ES systems, which will save maintenance and support funds.
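The two ideas in tasks C, F and G, static rules built from layered building blocks that add risk to a session (IOC match, policy violation) and alerts classified as informational or actionable and routed accordingly, can be sketched as a tiny rule engine. This is an added illustration, not Exabeam's rule format or API: the rule names, severities, risk point values, route names, the indicator address (from the documentation range) and the sample events are all constructed for the demo.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed indicator list (documentation address range); a real one would
# come from your threat-intelligence feed.
IOC_DEST_IPS = {"198.51.100.23"}


@dataclass(frozen=True)
class Rule:
    """One static correlation rule. severity decides where its alerts go:
    'informational' alerts add risk to the user's timeline, 'actionable'
    alerts open an incident."""
    name: str
    condition: Callable[[dict], bool]
    severity: str
    risk_points: int


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    severity: str
    risk_points: int
    event: dict


# Building blocks: small predicates that higher-level rules compose.
def matches_ioc(event: dict) -> bool:
    return event.get("dest_ip") in IOC_DEST_IPS


def violates_removable_media_policy(event: dict) -> bool:
    return event.get("event_type") == "usb_write"


def is_admin(event: dict) -> bool:
    return event.get("user_role") == "admin"


RULES = [
    Rule("ioc-destination", matches_ioc, "informational", 15),
    Rule("policy-usb-write", violates_removable_media_policy, "informational", 10),
    # Layered rule: an IOC match by a privileged account is worth an incident.
    Rule("ioc-by-admin", lambda e: matches_ioc(e) and is_admin(e), "actionable", 40),
]

# Hypothetical destinations standing in for the two forwarding paths.
ROUTES = {
    "informational": "advanced_analytics_timeline",
    "actionable": "case_manager_incident",
}


def evaluate(events: List[dict], rules: List[Rule] = RULES) -> List[Alert]:
    """Fire every rule whose condition holds; one event may raise several alerts."""
    return [Alert(r.name, e["user"], r.severity, r.risk_points, e)
            for e in events for r in rules if r.condition(e)]


def route(alerts: List[Alert]) -> Dict[str, List[Alert]]:
    """Split alerts by destination according to their severity."""
    routed: Dict[str, List[Alert]] = {dest: [] for dest in ROUTES.values()}
    for a in alerts:
        routed[ROUTES[a.severity]].append(a)
    return routed


def session_risk(alerts: List[Alert]) -> Dict[str, int]:
    """Accumulate risk points per user, the way a session score would grow."""
    risk: Dict[str, int] = {}
    for a in alerts:
        risk[a.user] = risk.get(a.user, 0) + a.risk_points
    return risk


# Constructed sample events.
SAMPLE_EVENTS = [
    {"user": "alice", "user_role": "user", "event_type": "net_connect", "dest_ip": "198.51.100.23"},
    {"user": "bob", "user_role": "admin", "event_type": "net_connect", "dest_ip": "198.51.100.23"},
    {"user": "carol", "user_role": "user", "event_type": "usb_write", "dest_ip": None},
    {"user": "dave", "user_role": "user", "event_type": "net_connect", "dest_ip": "192.0.2.10"},
]


def demo():
    alerts = evaluate(SAMPLE_EVENTS)
    return route(alerts), session_risk(alerts)


if __name__ == "__main__":
    routed, risk = demo()
    for dest, alerts in routed.items():
        print(dest, [a.rule + ":" + a.user for a in alerts])
    print(risk)
```

The point of separating `severity` from `risk_points` is that a migrated rule can keep contributing context to a timeline without opening a case; only the layered rule that combines an indicator match with a privileged account is promoted to an incident.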

I. Forward Incidents to Exabeam Case Manager and Exabeam Incident Responder

Splunk ES SOCs are typically overwhelmed by huge numbers of alerts that are difficult to investigate and require large numbers of personnel due to the lack of context and lack of substantial automation. The Exabeam SMP includes rich case management in Case Manager and security orchestration through Incident Responder. One of the ways to improve your SOC operations workflow and significantly reduce time to investigate incidents using Exabeam is to forward incidents to Case Manager and Incident Responder. Alerts can be forwarded from both Data Lake and Advanced Analytics.

The first step in this task entails configuring the conditions for static correlation alerts to be forwarded from Data Lake to Case Manager and Incident Responder (blue arrow in Figure 9). This is easily done in Data Lake using the Correlation Rule UI.

FIGURE 9: EVENT FLOW IN THE EXABEAM SMP

FIGURE 10: EXAMPLE UI FOR CONFIGURING CONDITIONS FOR CORRELATION RULES TO TRIGGER

Next, configure trigger conditions for alerts to be sent from Advanced Analytics to Case Manager and Incident Responder based on additional analytics findings for notable alerts and/or all anomalies (green arrow in Figure 9). These alerts will also appear in Smart Timelines in Advanced Analytics.

Configuring these forwarding actions immediately enables automated case creation.

FIGURE 11: IT’S EASY TO CONFIGURE AND SEND INCIDENTS FROM ADVANCED ANALYTICS

J. Implement Playbooks in Exabeam Incident Responder

Improving the capability maturity level of the SOC can be done by implementing playbooks within Incident Responder. Automated investigation of incidents enables junior or tier one analysts to be more productive while Incident Responder performs the repetitive steps required to undertake the initial response. Use of Incident Responder allows SOC teams to reduce alert fatigue and case management pain while improving investigative velocity.

FIGURE 12: AN EXAMPLE MALWARE INVESTIGATION PLAYBOOK VISUALIZATION IN INCIDENT RESPONDER

K. Prepare Reports for Compliance and KPIs

The last step in preparing your transition to Exabeam entails report preparation. Configure Advanced Analytics and Incident Responder to forward findings and Key Performance Indicator (KPI) events back to Data Lake. Set up comprehensive reporting to address selected use cases, compliance mandates and KPI reports. Your organization’s Risk Manager can provide specific requirements for compliance. Exabeam out-of-the-box parsers categorize activity to allow you to create vendor-specific reports (for example for Cisco, Symantec or a VPN vendor) and compliance reports (for example for PCI, HIPAA, NIST, etc.).

FIGURE 13: EXAMPLE REPORTS AVAILABLE IN DATA LAKE SHOWING THE COVERED COMPLIANCE MANDATES (ON RIGHT)

CONCLUSION

As you conduct the migration process from Splunk ES to Exabeam Security Management Platform, your SOC team will quickly discover many new benefits that improve analyst productivity. For example, Exabeam SMP’s features will eliminate the manual rote work created by Splunk ES’s stream of alerts. This will free their time to focus on issues that matter. More importantly, Exabeam SMP will help your analysts rapidly zoom in on incident root causes to quickly resolve those issues. As a result, your enterprise will become more secure.

During this journey, we invite your SOC team to take advantage of the education and professional services offerings provided by Exabeam and our service partners to help complete the transition. Please contact Exabeam or your service partner to learn more.

ABOUT EXABEAM

Exabeam is the Smarter SIEM™ company. We empower enterprises to detect, investigate, and respond to cyberattacks more efficiently so their security operations and insider threat teams can work smarter. Security organizations no longer have to live with excessive logging fees, missed distributed attacks and unknown threats, or manual investigations and remediation. With the modular Exabeam Security Management Platform, analysts can collect unlimited log data, use behavioral analytics to detect attacks, and automate incident response, both on-premises or in the cloud. Exabeam Smart Timelines™, sequences of user and device behavior created using machine learning, further reduce the time and specialization required to detect attacker tactics, techniques, and procedures.

TO LEARN MORE ABOUT HOW EXABEAM CAN HELP YOU, VISIT EXABEAM.COM TODAY.

Exabeam, Smarter SIEM, Smart Timelines and Security Management Platform are trademarks of Exabeam, Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. 2019 Exabeam, Inc. All rights reserved.

WP SPLUNK MIGRATION JULY 23 2019
