Tuesday Feb 25, 2025

EP 11 — Exabeam’s Kevin Kirkwood on Advanced Attack Detection with UEBA

The cybersecurity landscape is entering an AI arms race, and Kevin Kirkwood, CISO at Exabeam, is on the frontlines building defenses that can match the speed of machine-powered threats. As Exabeam's "Customer Zero," Kevin shares candid insights from transitioning through three platform generations in three years, reflecting on how each migration exposed previously undetected attack patterns in Microsoft environments. 


His experience leading the rapid adoption of 700+ UEBA rules at once (against recommended practice) offers valuable lessons for security leaders pushing the boundaries of detection capabilities. Kevin envisions a future where AI-assisted systems can propose new detection rules for zero-days within minutes, while grappling with immediate challenges, like the day Microsoft Edge abruptly reported that his company had authorized Copilot when no CISO approval had been given, which highlights the complex reality of managing AI tool permissions in enterprise environments.


Topics discussed:

  • The strategic shift from total log collection to intelligent edge filtering, rethinking the "collect everything" approach while maintaining forensic capabilities through AI-powered agents at the edge.
  • Specific examples of Microsoft Copilot attempting wholesale access to contact lists and email histories, and tactical approaches to implementing granular controls.
  • Implementing UEBA at scale, including transitioning from basic logging to behavior analytics capable of detecting subtle "living off the land" attacks that manipulate normal business functions.
  • How reframing "security vulnerabilities" as "security defects" fundamentally changed developer engagement.
  • Technical insights into how attackers are using GenAI to port sophisticated exploits across programming languages, and defensive approaches to match this velocity.
  • Managing bimodal security architecture and balancing edge-based detection with centralized analysis, including specific identity management challenges in the context of AI tool adoption.
  • A detailed framework for embedding security professionals within development teams while maintaining the balance between velocity and control.
  • Technical requirements for near real-time zero-day detection and the evolution toward AI-assisted rule generation.
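The behaviour-analytics point above (baselining normal activity so that a "living off the land" use of an ordinary binary stands out) can be shown with a small added example. This is illustration code written for this page, not code from the episode, from Exabeam, or from any product; the process-creation events, user names and the scoring threshold are all constructed assumptions. It builds a per-user baseline of (parent, child) process pairs from a training window, then flags pairs in the detection window that are new for that user and rare across the whole population.

```python
"""UEBA-style behavioural baselining over constructed process-creation events.

Added illustration only (not Exabeam's logic): a per-user baseline of
(parent_process, child_process) pairs is learned from a training window, and
detection-window events are scored by how unusual the pair is for that user
and for the population. A normal binary such as certutil.exe launched from an
Office process scores high without any signature for certutil itself.
"""
from collections import Counter, defaultdict

# Constructed sample events: (user, parent_process, child_process).
# Repeated three times to resemble a multi-day training window.
BASELINE_EVENTS = [
    ("alice", "explorer.exe", "outlook.exe"),
    ("alice", "explorer.exe", "excel.exe"),
    ("alice", "excel.exe", "splwow64.exe"),
    ("bob", "explorer.exe", "outlook.exe"),
    ("bob", "explorer.exe", "winword.exe"),
    ("carol", "cmd.exe", "certutil.exe"),     # carol is an admin; certutil is normal for her
    ("carol", "cmd.exe", "powershell.exe"),
] * 3

DETECTION_EVENTS = [
    ("alice", "explorer.exe", "outlook.exe"),  # within alice's baseline
    ("alice", "winword.exe", "certutil.exe"),  # Office spawning certutil: LOTL pattern
    ("bob", "explorer.exe", "winword.exe"),    # within bob's baseline
    ("bob", "cmd.exe", "powershell.exe"),      # new for bob, but carol does it routinely
]


def build_baseline(events):
    """Return (per_user, pair_users).

    per_user[user][(parent, child)] counts how often the user ran the pair;
    pair_users[(parent, child)] is the set of users who ran it at all.
    """
    per_user = defaultdict(Counter)
    pair_users = defaultdict(set)
    for user, parent, child in events:
        pair = (parent, child)
        per_user[user][pair] += 1
        pair_users[pair].add(user)
    return per_user, pair_users


def score_events(events, per_user, pair_users, threshold=0.8):
    """Return (user, parent, child, score) for events outside the user's baseline.

    score = fraction of baseline users who have never run the pair, so 1.0 means
    nobody in the population does this. Only scores >= threshold are returned;
    the threshold value is an assumption, not a recommended setting.
    """
    n_users = len(per_user)
    alerts = []
    for user, parent, child in events:
        pair = (parent, child)
        # .get() avoids creating baseline entries for unknown users.
        if per_user.get(user, Counter())[pair] > 0:
            continue  # the user has done this before: no alert
        seen_by = len(pair_users.get(pair, ()))
        score = 1.0 - seen_by / n_users
        if score >= threshold:
            alerts.append((user, parent, child, round(score, 2)))
    return alerts


def run_demo():
    per_user, pair_users = build_baseline(BASELINE_EVENTS)
    return score_events(DETECTION_EVENTS, per_user, pair_users)


if __name__ == "__main__":
    for user, parent, child, score in run_demo():
        print(f"ALERT user={user} parent={parent} child={child} rarity={score}")
```

With the default threshold only the winword.exe to certutil.exe event fires; bob's cmd.exe to powershell.exe pair is new for him but carol runs it routinely, so it scores lower and is suppressed. Lowering the threshold surfaces it as a second, lower-confidence alert, which is the trade-off a tuning exercise like the 700+ rules rollout has to manage.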


Copyright 2024 All rights reserved.
