We here at Gurucul have every confidence we are using the right kind of technology in our SIEM to detect genuine threats. But it’s even better when a customer tells us we are doing it right, and that other SIEM providers just can’t compete with our offering.
We recently had a long discussion with our customer, Bob Vail, CISO at Citrine Informatics. Bob just undertook a comprehensive search for a new SIEM solution to implement at Citrine. Prior to his search, he had two different implementations of SIEM. The first one simply failed, he says, because “the vendor wasn’t very good at what they were doing.” Ouch. Bob says the second SIEM is technically still in use for just one of their customers, but he plans to replace it soon. Bob has chosen Gurucul as the sole SIEM solution going forward.
A Thorough Search Led to Gurucul
Bob was very thorough in his search for a new SIEM—he considered 16 different products. Most were eliminated fairly quickly because they don’t offer the most important requirement on Citrine’s list: that the SIEM incorporate data-driven analytics, machine learning, and anomaly detection in inspecting log data for threats.
Citrine’s CISO knows the value of using ML in lieu of rules when dealing with vast amounts of data. Citrine Informatics’ own product is a SaaS platform that utilizes artificial intelligence to help customers improve product development and optimization. So, Bob knows a thing or two about sequential machine learning and data-driven analytics—technology in Citrine’s platform and the essential technology he insisted on having in his SIEM. “Gurucul stood out primarily because of the technology,” Bob says. “It’s precisely what I was looking for.”
The importance of true ML is that you don’t have to know what you are looking for ahead of time. Traditional SIEM solutions that use rules, and even the ones that use “flow chart-based” ML, force you to anticipate what you expect to find. When something new or unexpected comes along – like maybe a zero-day vulnerability – there is no rule or flow to detect it.
Side note: Let me explain what I mean by “flow chart-based” ML. Some vendors who claim to use ML in their SIEM product are fudging the definition of machine learning. In their analytics engine, they still use flow charts or rule-based analysis rather than true learning models to look for anomalous and potentially malicious behaviors and activity. This is little better than looking at static signatures. Their interpretation of “machine learning” is that the system is learning about the data being taken in, but not really from that data. There is no adjustment of the learning system based on the new data observations.
True ML (such as that utilized by Gurucul) uses a complex set of algorithms to evaluate and learn from vast amounts of data fed into the SIEM from a variety of sources. Similar to human learning, where each new observation teaches us something and updates our perspective, an automated ML system has the ability to observe a new data pattern – perhaps a new attack technique – and learn from it. This new information is compared to historical information, and if it proves to be anomalous, an alert is raised. The historical information is simply a baseline of your environment’s normal and acceptable activity patterns.
Everyone Wants Automated Remediation
Gurucul’s customers have the advantage of our technology automatically finding anomalies in the data that is fed into the analytics engine. Those anomalies trigger an alert. More importantly, however, they also can trigger automated remediation. When you have a system like Gurucul’s SIEM that can describe your anomalies properly, you can then address what those things actually are. With an automated solution, you get machines talking to machines to remediate issues before they become bigger problems. This is artificial intelligence at work.
Bob Vail sums it up nicely when he says, “Ultimately, the idea here is to take the huge amount of data that you’re dumping into this tool and discover information that is meaningful. If you know what to ask, you can only get so far because you never learn about the things you didn’t think to ask. When you put a machine in place that can discover the things you didn’t think to ask, your visibility and your understanding of your own environment increases exponentially.”
“True machine learning,” he adds, “is the future of understanding what is happening in your organization.”
More Than Great Technology — Great People Too
As for how it has been working with Gurucul, I’m going to let Bob say it in his own words.
“What sets Gurucul apart from the rest are really two major things. One is that it feels like a collaboration and not a privilege to be a customer. And the other is that there are numerous solutions out there that are just simply economically unfeasible. And the contract that we have signed with Gurucul is not only reasonable, but it also gets us what we’re hoping to get and in a way that is sustainable as our company continues to grow.”
“’The extra mile’ is a great phrase. I like that because we are all trying to get a system in place, and that means a number of configuration items and planning and a bunch of other steps. The extra mile in a SIEM means that the people that you are sending logs to and are going to eventually help you to understand what all that means, actively participate in your understanding and succeeding at getting that work done. My experience with Gurucul has been that they are really proactive people, actively reaching out to us to help us solve issues. I’ve had executives from C-level and below say to me, ‘Is there anything we can do to help?’ And when the chief operating officer says to me, ‘Is there anything we can do to get you up and running?’ I know I’m working with the right people.”
So are we, Bob, so are we.