There are several products that claim to do analytics and a few that claim to do predictive analytics, but this is the first we’ve seen that really gets the job done in a virtual environment. The whole idea of predictive analytics is to produce actionable intelligence and then act on it. “Actionable intelligence” has become a buzz phrase since the hypesters discovered that talking about intelligence really didn’t have much punch. But just because a product hypes actionable intelligence does not mean that it has the capability
Actionable intelligence is useless unless it can accurately and reliably predict events and select the correct response. In order to get real actionable intelligence, the product needs to get serious about the math used to predict and analyze events. It needs to get serious about machine learning, a relatively new concept in practice if not in theory, and it needs to get serious about such functionality as correlation, fuzzy logic and working without signatures. It needs to be able to handle large amounts of data in a Big Data paradigm. Big Data does not, however, just mean lots of data. Big Data is defined classically as high volume, high velocity and high variability – the “three Vs.” All of these capabilities are present in the Risk Analytics platform from Gurucul.
This tool is built around a suite of sophisticated machine-learning algorithms. It is intended – from the ground up – to identify zero-day activities and it is designed to provide both contextual and situational awareness. It is compatible with several third-party intelligence feeds. Everything the system does is based on understanding the identities of those entities accessing your cloud-based data. A big piece of the system’s success is what Gurucul calls “peer group analytics.” What that means, in simple terms, is that your system should not be dramatically different in its behavior than other systems like it.
The analysis cycle starts by normalizing input data. Then that data is correlated and its behavior analyzed. This allows predictive modeling. Data sources can be access to the platform, endpoints, network, storage or applications, among others. The actionable intelligence can take the form of fraud detection, user behavior analysis, insider threat identification and deterrence and security intelligence addressing access to your cloud-based resources.
There is a rather long list of results obtained by Risk Analytics users, but a few of the more interesting ones are data leakage to competitors, compromised account fraud, compromised source code, retired devices still in service (a big problem in virtual environments) and money laundering.
Operationally it was interesting to see how a complex capability under the hood translated to a relatively simple set of dashboards and administrator consoles. The main cloud dashboard – completely customizable, by the way – has everything one needs to see the state of security on a cloud environment at a glance. The “out-of-the-box” dashboard shows the number of users the system has determined to be high risk, the number of high risk resources, the total number of transactions, the total number of data loss prevention alerts, the number of IPs accessed, the number of incidents and the number of documents exfiltrated. From those metrics the system can apply its algorithms and make quite a few calculations that lead to behavioral analysis and predictive analytics.
There also is a simple graph that shows the behavior of various applications sitting in your cloud environment. Additionally, there is a predictive security dashboard and a menu choice that lets users go to the custom dashboards they have created. Drilling down, one can, for example, see the profile of a high risk user. That includes a timeline of their activities, graded as to the degree of risk they represent. Another drill-down and specific activities, such as anomalous sharing of data, can be listed and analyzed with a risk score displayed for each event.
This data can then be shown in the context of the user’s other risky behavior -a graph tracks against a background of such things as critical data download, critical information sharing and abnormal data transfers. These, in turn, play against logins, DHCP address assignments and logouts. The results are combined with other analytics, such as access, activity, resources used and behavior. All of this can be fed to the data modeler for analysis.
Finally, the administrator can create new data models and build or modify policies. The policy engine is about as straightforward as it gets. If you’ve ever created and managed policies in a security tool you’ll feel right at home with this one. One feature we particularly liked was the built-in ticketing system. With this feature users can setup incidents and handle them as one would any trouble ticket on a help desk. With all of this power, we were pleased to find that, along with everything else, this makes a powerful forensic tool.
At a glance
Product Risk Analytics
Price $50,000 per year.
What it does Behavior-based machine learning and predictive analytics.
What we liked This is, hands-down, the most sophisticated example of behavioral analytics we have seen to date. While they are not the only player in this space, their product is well thought-out and it really works well.