
Detect Insider Threats with “Email Fuzzy Logic”

At Black Hat USA this year, Gurucul shared details of our most popular Machine Learning Models. Every hour at Black Hat we revealed a new Machine Learning Model. It was fun, successful and #MachineLearningMadness!

This is the first of 14 Machine Learning Models we presented at the Black Hat conference. Visit our blog regularly over the next few weeks as we will be discussing all 14 models.

Gurucul Machine Learning Model: Email Fuzzy Logic

How does the Email Fuzzy Logic machine learning model work, and what does it do? This model sniffs its way through company email systems to detect whether a user is sending emails to his or her own personal email address, or to other non-company email addresses.

For example, let’s say Fred Harrisburg sends emails from his company email address, including attachments containing sensitive information to the address That’s likely his personal email account. Or, Fred Harrisburg sends similar emails to That’s likely a family member. Why would Fred be sending sensitive company information to his personal email account, or to a relative? Maybe, the relative works for a competitor?

Email Fuzzy Logic reports, as a percentage match, the probability that company emails are being sent to a personal email address. This helps you focus your investigation on users whose risk scores rise above a certain threshold.

In short, this machine learning model collects and attributes multiple email accounts to users. For instance, if the Email Fuzzy Logic model detects an unknown email account being used, or information being sent to unknown email accounts, we can link that receiver to a known sender. We can also pair it with another machine learning model, a link analysis algorithm, to identify where documents containing company or personally sensitive data may be exfiltrated as email attachments.
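To make the idea of a percentage match concrete, here is a small added example. It is not Gurucul's model or code: it swaps in plain string similarity from Python's difflib, and the company domain, name variants, 70% threshold and sample events are all assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Assumption: the organisation's own mail domains; anything else is external.
COMPANY_DOMAINS = {"corp.example.com"}

def name_variants(full_name):
    """Common ways a person builds a mailbox name from their own name."""
    parts = re.sub(r"[^a-z ]", "", full_name.lower()).split()
    if not parts:
        return set()
    first, last = parts[0], parts[-1]
    # The surname alone is included so relatives who share it also score.
    return {first + last, last + first, first[0] + last, first + last[0], last}

def match_percent(full_name, recipient):
    """0-100 similarity between a user's name and an external mailbox name."""
    local, _, domain = recipient.lower().rpartition("@")
    if domain in COMPANY_DOMAINS:
        return 0  # internal mail is out of scope for this check
    local = re.sub(r"[^a-z]", "", local)  # drop digits, dots, separators
    variants = name_variants(full_name)
    if not local or not variants:
        return 0
    best = max(SequenceMatcher(None, v, local).ratio() for v in variants)
    return round(best * 100)

def flag_outbound(events, threshold=70):
    """Return (sender, recipient, percent) for matches at or above threshold."""
    hits = []
    for sender_name, recipient in events:
        pct = match_percent(sender_name, recipient)
        if pct >= threshold:
            hits.append((sender_name, recipient, pct))
    return sorted(hits, key=lambda h: -h[2])  # highest match first

# Constructed sample events: (sender display name, recipient address).
SAMPLE_EVENTS = [
    ("Fred Harrisburg", "fharrisburg1987@mail.example.net"),   # likely own account
    ("Fred Harrisburg", "wilma.harrisburg@mail.example.net"),  # shared surname
    ("Fred Harrisburg", "orders@supplier.example.org"),        # ordinary external
    ("Fred Harrisburg", "bob.ng@corp.example.com"),            # internal colleague
]

if __name__ == "__main__":
    for sender, rcpt, pct in flag_outbound(SAMPLE_EVENTS):
        print(f"{pct:3d}%  {sender} -> {rcpt}")
```

A real deployment would feed this from mail gateway or DLP logs and combine the score with other signals, such as attachment sensitivity, before raising a user's risk.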

Use Case: Detecting Insider Threats

Email Fuzzy Logic is one of many machine learning models we can use to detect insider threats.

So, here’s the deal. Malicious insiders will send emails containing sensitive company information to their personal accounts. Similarly, a departing sales rep will email himself a list of customer contacts from the company’s CRM. You know it happens. Gurucul Risk Analytics predicts it and stops this bad actor in his tracks.

You may believe you’ve already got this covered. Yet you likely don’t. Your existing DLP systems deliver a ton of alerts, mostly false positives, as they can flag all outgoing emails as anomalous. Moving beyond DLP, Gurucul Risk Analytics can sniff through DLP logs, then prioritize DLP alerts to focus your attention on problematic emails an employee is sending to their personal email addresses or to other suspect addresses (read that as competitors’ email addresses!). Therefore, you’re not chasing 1000 alerts. You’re focusing on and investigating the critical few.

What are the Benefits of Email Fuzzy Logic?

The benefits of machine learning are obvious and valuable to any company. Detecting and preventing rogue emails, which may also contain sensitive company data, is priceless. To clarify, no tools on existing platforms can block the problematic email situations that Gurucul Risk Analytics is able to find. With machine learning, we’re moving beyond rules and patterns. As a result, we’re rooting out bad behavior from multiple different angles. Insider threats be gone!

Gurucul Risk Analytics sifts through millions of behavioral indicators and signal events to create a profile that represents the typical activity of users. So, when anomalous online activities are detected, Gurucul Risk Analytics can immediately block those problematic outgoing emails from users!

During an actual Proof of Concept performed on a prospective customer’s existing data, Gurucul Risk Analytics detected behavioral actions indicating that an employee was about to hand in his termination notice. Powerful machine learning models within Gurucul Risk Analytics, including Email Fuzzy Logic, were able to prevent this employee from taking company data with him. Above all, it prevents the employee from sending sensitive company data out of the company via email to suspect email addresses.
