ABCs of UEBA: G is for Gurucul

Gurucul was developing User and Entity Behavior Analytics technology long before Gartner coined the term “UBA” in 2014 and then updated it to “UEBA” in 2015. You could say – and you’d be right – that Gurucul invented UEBA. Let’s look at the history…

Gurucul Was Founded in 2010

Gurucul was established in 2010. The company was founded by seasoned entrepreneurs with a proven track record of introducing industry-changing enterprise security solutions. Gurucul pioneered the concept of user behavior analytics and has been researching, developing and deploying the Gurucul Risk Analytics platform successfully since 2010. Gurucul spends over 50% of its annual revenue on Research & Development, and this has allowed for a significant investment in machine learning user behavior algorithms and big data.

Gurucul’s mission is to help organizations protect their intellectual property, regulated information, and brand reputation from insider threats and sophisticated external intrusions.  In addition, Gurucul is backed by an advisory board comprised of Fortune 500 CISOs, and world-renowned experts in government intelligence and cyber security.

Gurucul Protects Valuable Assets

Gurucul is a global cyber security company that is changing the way organizations protect their most valuable assets, data and information from insider and external threats both on-premises and in the cloud. Gurucul’s real-time behavior-based security analytics and intelligence technology combines machine learning behavior profiling with predictive risk-scoring algorithms to predict, prevent and detect breaches, insider threats, privileged access abuse, fraud and more. Gurucul technology is used by Global 1000 companies and government agencies to fight cyber fraud, IP theft and account compromise.

Gurucul is a Leader in User Behavior Based Security Analytics

We like to say, “You can steal an identity, but you can’t steal behavior.” You might compromise my credentials, but you don’t know when I typically log in, what applications I normally run, or who I send emails to. Behavior is the leading threat indicator. Gurucul uniquely delivers 360-degree views of behavior by tracking both access and activity. By combining UEBA with Identity Analytics, we are able to track not only what users and entities are doing (their activities), but also with what entitlements (their access).

Gurucul takes unlimited data feeds from structured and unstructured security sources – SIEMs, firewalls, Identity and Access Management systems, AD/LDAP, IGA, Intrusion Detection Systems, NetFlow and more. We can also gather context from your business applications – like SAP, EPIC, Salesforce or even your own proprietary applications on virtually any platform. All we need are transaction logs. It’s that simple.

We aggregate, correlate and analyze that data using our enterprise risk engine, providing a 360-degree view of users and entities: what they’re doing, where, when, and with what entitlements.

We generate a single risk score for every user and entity in your organization using behavior analytics. Why is that important? Because you can focus on the highest risk areas in your organization, which enables you to automatically orchestrate downstream actions and apply automated risk-based controls.

Gurucul Delivers Customer Success

Our success is only as good as our customers’ success. Gurucul has the most customers who have been recognized by their peers for security projects that have created outstanding business value and thought leadership for their companies – CSO50 Award recipients. We are so proud to have happy, successful customers that are willing to state publicly that Gurucul technology has improved their security stature.

Gurucul Award Recognition

Gurucul’s innovation and thought leadership has been recognized with many prestigious industry awards, including:

Gurucul Competitive Differentiation

Gurucul’s behavior based security analytics and intelligence platform answers the question: Is anomalous behavior risky? This is what Gurucul does and why we’re different than everyone else in this space. We don’t waste your time with alerts on anomalous user behavior activity that isn’t risky. We use context to determine whether user behavior is risky. Context is critical.

Telling you what’s happening is not helpful. Telling you when something bad is happening is the Gurucul difference. That’s information you can act on. We deliver actionable intelligence for security teams with low false positives. This is extremely hard to do without our technology. Instead of getting 30,000 SIEM alerts of unknown context you cannot possibly investigate, we give you 30 true positives. That’s a manageable number your security team can process.

So, how do we do it?

Big Data Lake Agnostic

We are big data lake agnostic – we work on the big data platform of your choice: Hadoop, Hortonworks, Cloudera, Amazon EMR, etc. If you don’t have a data lake, we will give you ours for free: Hadoop. None of our competitors offer open choice of big data.

Largest Machine Learning Library

We have the largest machine learning library on the planet – over 2000 machine learning models. More behavior models equal better coverage. We provide essential value with out-of-the-box algorithms that learn anomalous user behaviors immediately upon deployment. With Gurucul, you’ll see results as soon as we’re deployed. Our customers have been able to find compromised accounts on day 1, which is why they move forward with us. Gurucul delivers results.


We are the only security analytics company to enable you to customize our machine learning models or quickly build your own with Gurucul STUDIO™ – no coding required. Create custom machine learning models without coding and with minimal knowledge of data science. Gurucul STUDIO™ provides a step-by-step graphical interface to select attributes, train models, create baselines, set prediction thresholds and define feedback loops. STUDIO™, as part of Gurucul Risk Analytics (GRA), supports an open choice for big data and a flex data connector to ingest any on-premises or cloud data source for desired attributes. Step outside the black box and create custom models for your own predictive security analytics needs.

Enterprise Risk Engine

Our Enterprise Risk Engine is our “secret sauce”. It consumes all your data out-of-the-box. We can ingest data from any source – SIEMs, CRMs, Electronic Medical Records, Identity and Access Management systems, end points – you name it, we ingest it into our enterprise risk engine. In addition, if you have proprietary business applications – we can take that data and aggregate it with your other data sources to give you the most accurate 360-degree view of a user’s (or entity’s) behavior.

Our Enterprise Risk Engine ingests all your data feeds in real-time and generates a single risk score for every user and entity in your environment. We provide intelligent prioritized risk scores based on user and entity behavior – so you can make smart decisions quickly. So, all you have to do is investigate high risk users and entities. And, yes, it’s really that easy.

Pure Play User Behavior Analytics

We are a pure play analytics vendor. We don’t deliver light-weight, siloed analytics on point data feeds like privileged access management products and SIEMs. Most importantly, our analytics are powered by robust machine learning models built by data scientists. Our competitors use signatures, patterns, rules and policies which can only detect known behavior patterns. What about the unknowns? Our models go beyond detecting known or common patterns, so you can detect unknown threats.

Gurucul Miner™

Investigate incidents quickly with Gurucul Miner™. Only Gurucul offers natural language contextual search using big data to mine linked users, accounts, entitlements, structured and unstructured data, along with risk score and peer group analytics. From a single console, you can use any query you like to investigate incidents and correlate data across channels. You can save and export results for reporting and compliance purposes. Our contextual search reduces case resolution time by 67%.

Unlike traditional threat hunting tools and SIEMs, Gurucul Miner™ uses artificial intelligence capabilities to uncover all user and entity behavior patterns and data relationships that map to the search profile. It conducts natural language searches across any combination of structured and unstructured data to provide a 360-degree view of user and entity behaviors based on HR/profile attributes, events, accounts, access permissions, devices, cases/tickets and anomalies.

For example, when Gurucul Risk Analytics detects high risk user activity typically associated with an account compromise attack, SOC analysts can use Miner™ to gain a universal view of all user behavior or entity activity that exposes relationships with HR systems, accounts, access, company owned and BYOD devices across data center and cloud, as well as links to security alerts, user behavior anomalies and cases. Miner™ also provides a pivot function on any of these elements to achieve a deeper understanding of risky behavior patterns, relevant data relationships and predictive insight.

Cost Effective

Our platform is cost effective. We don’t charge you for data, period. One of the issues with competitive solutions and SIEMs is that these vendors charge based on the volume of data analyzed. We want you to build your behavior-based security analytics as big as possible. You need to be able to bring in lots of different kinds of data, so you need to partner with a vendor like Gurucul that does not charge based on the quantity of data. This is one of the reasons enterprises choose Gurucul. We want to ingest as much data as possible to give you a 360-degree view of all your users and entities. We’ll run our analytics engine on your data lake or ours – whichever you prefer.

Gurucul Software Today

In conclusion, Gurucul software today includes almost 2000 Machine Learning models to detect insider threats, access misuse and fraud with a deep focus on enterprise and cloud. The company is headquartered in Los Angeles, CA and has development and support operations in Pune, India. To learn more about Gurucul’s User Behavior Analytics, visit and follow us on LinkedIn and Twitter.
