The Gately Report: Exabeam Offering Partners More Choices for Customer Sales
Microsoft customers' information was exposed by a misconfigured server.
Channel Futures: This summer, Exabeam partnered with Google Cloud to create hyperscale cloud-native SIEM and cybersecurity analytics offerings. Are partners benefitting from this partnership? Was New-Scale SIEM the end result of this?
Ted Plumis: I don’t want to call it the end result. It’s an innovation in what we’re doing because we’ll keep developing. This summer, we partnered with Google and really leverage their data analytics platforms, so products like BigQuery, DataFlow and Looker, where we were now able to really hyperscale what we’re doing in terms of collection and building on a cloud-native platform. That’s how we got to the million plus EPS, supporting 500-plus security vendors at scale. Our cloud archive product was built on that platform. So we’ve been releasing products on that platform throughout the year. This is just the major announcement of the New-Scale SIEM, and that is the next iteration of what we’re building on that. But we’ll continue to build. This is a step along the way, not the end of the journey with the Google platform.
CF: What was the theme of this week’s Exabeam Spotlight22? Is there a message for partners?
TP: The theme around this year’s event was really the launch of the New-Scale SIEM. So really coming to market, changing the game in terms of being able to do what we do best, which is the automation of TDIR. So that was the focus of Spotlight22. Now the good news is about half of the attendees of Spotlight22 were partners both in person and online. So partners are very interested in what we’re doing. We got to spend a lot of time with them in New York, the ones that attended in person, and the message we’re delivering to them is, the obvious one is we now have more tools to go compete in more different areas and solve customer pain points in different ways than we used to. Partners have always been the core of what we do at Exabeam. So whether you’re a technology partner, an MSSP, an SI or a reseller, we have different ways of partnering with you in the market and we’re just expanding that. That message is so core to what we do with partners being central to that.
CF: It’s been a while since we last talked. What sort of growth has Exabeam experienced over the past few years in terms of partner ecosystem and partner program?
TP: The biggest change that I’ve seen in our partner ecosystem since we spoke is we’ve really expanded outside of partners that just wanted to resell technology to partners that want to build solutions around Exabeam, managed services, professional services, in some cases taking other third-party tools and integrating those into Exabeam via APIs we’re doing or integrating that with our response stuff. We’ve obviously had substantial growth in the last few years just overall in terms of sales. But from a partner standpoint, we’ve always been about quality over quantity. So it’s not that we measure ourselves by do we have 1,000 partners this year and 2,000 next year. What we measure is are the partners that we’re bringing on able to not just grow their own business with Exabeam, but to grow those solutions around it. And what we’re finding is the amount of partners that are building additional workstreams around Exabeam is growing exponentially. So very few of our partners are just sell the product only and then walk away.
CF: Has the war in Ukraine impacted Exabeam and its partners? If so, how?
TP: We have co-workers in Ukraine. And I think the impact we’re feeling is take the business side out of it and it’s a personal one. We have partners based in Ukraine. We had partners in Russia before all of this happened. And you feel, we’re all human at the end of the day, and I think that’s the most important thing we worry about right now, the impact it has on the people in that region. In terms of business, Ukraine and Russia were not the biggest parts of our business even prior to the war. So we haven’t seen a dramatic shift in the business.
What we have seen is nation-state attacks and threats to businesses have always been a concern. We are seeing a lot more partners in regions where historically we haven’t had a lot of people ask questions about those things. We’re now starting to get those questions. We’re also starting to get those around things that are non-nation state attacks, like the Lapsus$ type hackers and things like that. But it seems like it’s focused the attention more on are we really protected from these threats that we know would have been out there, but it’s never been something right in our face until now. People are asking their partners much more about how to deal with those.
CF: What do you find most dangerous and threatening about the current threat landscape?
TP: There’s a lot of things out there to be nervous about. But the thing that I find most dangerous and most threatening is the fact that the No. 1 attack point for adversaries today is still someone’s credentials. You can look at these Lapsus$ attacks and they’re basically searching through people, trying to connect with people within organizations, and get them to sell them their credentials and get them access. Whether it’s a phishing attack or social engineering, it’s still about the credentials. And that’s still a major blind spot for most organizations. So I think part of my angst is this problem is just getting bigger and organizations are looking at all the ways to try to stop it before it gets in, but not looking at how to identify it once it’s there. And the most devastating attacks right now are all credential based. So that’s what scares me the most.
CF: What sort of feedback did you receive from partners during Spotlight22? What are their latest needs and how is Exabeam helping with those?
TP: The feedback I’m getting is really good. It’s when you launch something and you just have an event that there’s a lot of buzz and a lot of people are excited. But what makes me most excited is they understand the problem today that we’re dealing with, at least in our industry with SIEM. I’ve been in SIEM for 15 years and three different vendors, and since the beginning it started with trying to collect the data and write correlation rules. But the amount of data is just so exponentially more than it was that these tools haven’t been able to keep up. And there’s this gap in the effectiveness of the SIEM today, and it’s the third biggest market in security. So all of our partners are looking at this major need out there. There’s a big gap because there’s credential-based attacks, there’s too much data coming in, and the older generation of products can’t keep up with that data. And now they see Exabeam with this New-Scale SIEM we’ve released that can now do this security at scale, but maintain all the things that made Exabeam Exabeam.
Knowing what normal behavior is. Being able to use those analytics to solve real-world problems. That’s what they’re excited about because now they know they can go into any account and actually either improve what they’re doing by adding on our analytics or replace the things they were doing before and effectively with the New-Scale SIEM that we’re offering, in addition to the services and managed services piece that they’re excited about as well.
CF: Is economic uncertainty having a negative impact on Exabeam? How are you helping partners impacted by this?
TP: Actually our growth this year is really good in the market we’re in. In times of economic uncertainty, companies start to focus on what investments are the most effective for what they’re spending. And right now, security analytics, and the ability to collect data and store it is an important thing for businesses. So we haven’t seen a dramatic impact in the willingness to look at what we’re doing and investing. What we’re seeing is they’re actually becoming much more focused on am I getting the most value out of what I’m doing. There’s a lot of products out there that log and store data for compliance reasons that are very expensive and suck up your whole budget. The value of storing the logs for compliance is huge, but you don’t want your whole budget going to that because you still want to do all those other things around analytics. So for us, having a competitive offering that makes people save money with the things they have to do but gives them the ability to also then spend budget on things they need to do has helped us quite a bit this year.
CF: What can partners expect from Exabeam during the months ahead into 2023?
TP: They can expect that in three ways. The first one is from the product side. You can expect to see us continue to release products on the Google Cloud platform, the New-Scale SIEM platform, that are designed with customer use cases at the core, so solving real-world problems. From the business side, what you’re going to see is we’re very focused on having a core group of partners that when they invest in Exabeam, they get a return on that investment that helps grow their business as well as ours. So we will continue to invest in things like channel marketing funding. We’ll invest in things like training both for sales, pre-sales and post-sales. So our goal again is not to sign multitudes of partners. It’s to have a stable of partners that we can grow horizontally. And then finally, they can expect to see from us what they’ve always seen, which is great interactions in the field. So our field teams integrating with partners, selling with partners, putting a joint solution together with the partner in front of the customers and not having to battle it out with our sales teams as well as the competitors. It’s hard enough if you’re a reseller to go sell against your competitors and sell against other vendors, to then also having to sell against the person you’re partnering with. So we’ll continue to keep them in lockstep with us as we go to market.
In other cybersecurity news …
Microsoft this week announced that some of its customers’ information was exposed by a misconfigured Microsoft server accessible over the internet.
According to its blog, business transaction data was exposed.
After being notified of the leak on Sept. 24 by security researchers at threat intelligence firm SOCRadar, Microsoft secured the server.
“The business transaction data included names, email addresses, email content, company name, and phone numbers, and may have included attached files relating to business between a customer and Microsoft or an authorized Microsoft partner,” Microsoft said. “The issue was caused by an unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem and was not the result of a security vulnerability. We are working to improve our processes to further prevent this type of misconfiguration and performing additional due diligence to investigate and ensure the security of all Microsoft endpoints.”
Erich Kron is security awareness advocate at KnowBe4.
“While some of the data that may have been accessed seems trivial, if SOCRadar is correct in what was exposed, it could include some sensitive information about the infrastructure and network configuration of potential customers,” he said. “This information could be valuable to potential attackers who may be looking for vulnerabilities within one of these organization’s networks.”
While cloud services can be convenient and secure if secured properly, when a misconfiguration occurs, the information can be exposed to many more potential people compared to traditional internal on-premises systems, Kron said.
“This is simply something organizations that are hosting applications and data in any of the various cloud platforms need to understand,” he said. “Policies related to double checking configuration changes, or having them confirmed by another person, is not a bad idea when the outcome could lead to the exposure of sensitive data.”
Verizon has warned a number of its prepaid customers that attackers gained access to Verizon accounts and used exposed credit card information in SIM swapping attacks.
SIM swapping is a form of account takeover fraud. The attacker will contact the victim’s mobile phone provider and trick its customer service representative into porting the telephone number to a SIM card owned by the criminal.
Verizon posted the following in a customer alert:
“During our regular account monitoring, we identified unusual activity on the prepaid line that received the SMS linking to this notice,” it said. “Upon further review, we determined that between Oct. 6 and Oct. 10 … a third-party actor accessed the last four digits of the credit card used to make automatic payments on your account. Using the last four digits of that credit card, the third party was able to gain access to your Verizon account and may have processed an unauthorized SIM card change on the prepaid line that received the SMS linking to this notice. If a SIM card change occurred, Verizon has reversed it. To be clear, your full credit card number was not viewable to the third party. Only the last four digits of the credit card number were exposed.”
Verizon spokesperson Rich Young said about 250 customers were impacted by the breach. At this point, there’s no information to share about who’s behind the breach.
“We recently identified possible unauthorized activity involving about 250 prepaid wireless accounts,” he said. “We secured these accounts and put in place additional measures to protect our customers from further unauthorized access or fraud. Verizon has notified the impacted customers and advised on additional steps the customers can take to enhance their account security. We take these matters seriously, and continually enhance and evolve our security protocols to keep customer data and accounts secure.”
Szilveszter Szebeni is CISO and co-founder of email encryption-based security solutions company Tresorit.
“While Verizon seems to have handled the breach well, this is another example of how SMS two-factor authentication (2FA) can be hacked using unauthorized SIM swapping,” he said. “Users should not fall back on SMS 2FA for security while reusing passwords. The use of a password manager and using a unique password for each service is still rule No. 1.”
Intel 471’s latest report shows ransomware attacks dropped during the third quarter compared to both the second and first quarters of this year.
The report highlights how many victims, countries, sectors and industries have been impacted by the 27 different ransomware variants that appeared in the third quarter.
Key findings include:
Intel 471 observed 455 ransomware attacks during the third quarter, a decrease of 72 attacks recorded from the second quarter.
The most prevalent ransomware variants in descending order were LockBit 3.0, Black Basta, Hive and ALPHV aka ALPHV-ng, and BlackCat.
The most-impacted sectors, in descending order, were: consumer and industrial products; manufacturing; professional services and consulting; real estate; public; technology, media and telecommunications; energy, resources and agriculture; life sciences and health care; financial services and nonprofit.
The most-impacted regions, in descending order, were North America, Europe, Asia, South America, Oceania, Africa and the Middle East.
The dissolution of the Conti group likely impacted the overall quantity of breaches, as well as placement of most impactful ransomware variants for the third quarter.
Brad Crompton is director of intelligence at Intel 471. He said the decrease in ransomware attacks isn’t surprising.
“A decrease in incidents over the summer months wasn’t unexpected,” he said. “The third quarter covered the summer months and ransomware operators also often take breaks from their ‘work’, like we all do during summer. Additionally, we have also seen some ransomware groups disappear in Q3 and new groups emerge. The decrease in events may also have been attributed to these groups disappearing.”
Ransomware groups are finding a high-degree of success in compromising businesses, with many organizations paying ransoms, Crompton said.
“Often it is easier, and in some cases more cost effective, for a company to pay the ransom demand,” he said. “This is likely for the following reasons: reduce overall impact on their business through downtime; their data will not be published publicly therefore limiting exposure (if the ransomware groups do not double cross them); and multiple extortion tactics employed by ransomware groups may force these businesses into paying. Of course, paying these demands only perpetuates this cycle of criminality and increases the amount of ransomware activity. However, often businesses are left with little option(s).”
The decrease in attacks likely won’t continue during the fourth quarter, Crompton said.
“It is possible that we may see an increase in attacks as we approach the holiday season, during it and shortly after it,” he said. “We have seen some groups disappear completely, we have seen several new groups emerge, and these will almost certainly target a number of businesses into Q4 and 2023. Legacy groups will also continue to target businesses into Q4 and beyond, with many increasing operations over Q4 as the holiday season approaches and security is often more relaxed, along with numerous businesswide and employee personal vacations.”
Moreover, as the world is looming on the brink of a global recession, we will likely see an uptick in cybercriminality, as people turn to other means to make quick profits. Many of these people that turn to criminality will likely turn to one of the most financially lucrative areas of cybercrime within the cyber underground, ransomware.
Mike Parkin is senior technical engineer at Vulcan Cyber. He said while an apparent reduction in ransomware attacks is welcome, “it doesn’t mean we’re winning the war, so to speak, against these cybercriminal gangs.”
“The frequency of these attacks ebbs and flows based on everything from law enforcement activity to what exploits are effective, to internal politics within, or between, the gangs,” he said. “It’s entirely possible that the advantage currently lies with the defense, at least for now. However, it’s not something we can count on. It’s impossible to predict when the next wave of cybercrime will come rolling in, but we know that it will.”
GroupSense has launched a new ransomware negotiation training service offering. During the three-day, in-person training, participants will learn the proper strategies to combat the negative consequences of an attack from negotiation experts at both GroupSense and Max Negotiating.
As a result of the training, participants will be able to help their client organizations identify threat actors, learn key cyber negotiation principles and strategies, protect brand reputation, avoid unnecessary business losses and stay ahead of emerging threats. Participants will discover the ins and outs of ransomware attacks, the intricacies of threat actor engagement, discern their role in a ransomware negotiation and master a proactive ransomware response strategy.
As part of the three-day training, GroupSense and Max Negotiating design a case simulation according to the structure of the client’s organization, putting the client’s response team through a fire drill to consolidate their strengths and highlight vulnerabilities, and prepare the team for worst-case scenarios.
The training agenda includes:
Day 1 – participants begin by learning the anatomy of a ransomware attack, including how they are conducted, the roles involved and the ransomware ecosystem. Next, the GroupSense and Max Negotiating team provides a framework for conducting ransomware negotiations and delves into core principles as they apply to cybercrime and ransomware.
Day 2 – the framework is then put to the test in a multi-party simulation of a ransomware attack. The simulation is recorded for future review and coaching on the third day.
Day 3 – the team provides feedback as participants review recordings of the previous day’s negotiation simulation. The team leads participants in exercises to strengthen the vulnerabilities identified in the simulation. The training is then concluded by building out a team response plan.
Bryce Webster-Jacobsen is director of intelligence operations at GroupSense.
“Our ransomware negotiation training service is directed at law firms, cyber insurance companies, incident responders and other organizations who may be called on to lead ransomware negotiations on behalf of their clients,” he said. “Some of our existing partners fall into those broad categories and will find value in GroupSense’s new training offering.”
After the training program, client organizations will have access to the video recordings as well as the Max Negotiating digital toolkit. They will also have the opportunity to engage in additional ransomware negotiation training and coaching opportunities from both GroupSense and Max Negotiating.
“Ransomware and other cyber threat negotiations require knowledge of both traditional negotiation principles and the understanding of complex, sophisticated cyber threat actor groups,” Webster-Jacobsen said. “GroupSense’s ransomware negotiation training service combines knowledge and practice across both disciplines, building a better foundation for participants to conduct future ransomware negotiations.”
Exabeam has more tools to offer partners to better compete in the market and more ways for them to solve their customers’ most challenging pain points.
That’s according to Ted Plumis, Exabeam’s senior vice president of channels and strategic GTM alliances. The new tools were unveiled during this week’s Exabeam Spotlight22 conference in New York City.
Exabeam unveiled a cloud-native portfolio of products. Its New-Scale Security Information and Event Management (SIEM) combines cloud-scale security log management, behavioral analytics, and an automated investigation experience.
Built on the cloud-native Exabeam Security Operations Platform, the New-Scale SIEM product portfolio helps security teams defeat adversaries with advanced threat detection, investigation and response (TDIR).
More Options for Exabeam Partners
We spoke with Plumis about the new tools and more opportunities for Exabeam partners.
Channel Futures: Will these new tools create additional opportunities for Exabeam partners? If so, how?
Ted Plumis: New-Scale SIEM provides a lot more opportunities in a few different ways. We were a behavioral analytics company with our advanced analytics and security intelligence platform. And then we had our Fusion SIEM, which included data lake response and our analytics. What we’ve done is not just make the New-Scale platform running on Google Cloud with the million events per second (EPS) plus, but we’ve actually broken it out now into five distinct products. Now we give the customers the ability to buy for what their use case is.
So for me, the big difference for partners is we now have a security log management product … and then we have our SIEM product. So our partners can now provide [customers] with those tools with the New-Scale SIEM platform while we still have all of those behavioral analytics tools in our security investigation piece and our remediation tools. And then you can still combine all of those into Exabeam Fusion, so the rapid collection, the correlation rules, the dashboarding, and the analytics and automated response. Where our partners used to have to pick and choose, now you can start just from collecting data. You can start just from doing the analytics. You can augment this SIEM like we’ve always done. But you have more choices and options now to sell to a customer.
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.