August Newsletter 2018


Quote of the Month

“Best, most detailed demo I’ve ever seen.”

– Fran Howarth, Security Practice Leader, Bloor

The Backstory

We talk to a lot of analysts. We do briefings and demonstrations on a pretty regular basis because it’s important for us to deliver our messaging directly to the analysts. On this day, we presented to Fran Howarth, Security Practice Leader for Bloor.

Security Analytics is Not a SIEM

A lot of analysts in our space are saying that security analytics products are second generation SIEMs. We disagree, as does Fran Howarth. She’s written a report on The Ongoing Evolution of SIEM which you should read.

A Security Analytics product can do a lot of what a SIEM can do, but it does a whole lot more. It looks not only at activity but also at access. It can drive risk-based orchestration within an organization: it applies different levels of control and produces risk scores that inform business decisions.

Our competitors are touting their platforms as “next generation SIEMs”. Some are going as far as saying they are the next Splunk. What we’re hearing from our customers and our advisory board is “We don’t need another SIEM. We have a SIEM. It’s not adding the value we need. We want an analytics product.”

Gurucul is laser focused on security analytics. When you hear our messaging, you’ll hear us talking more and more about security analytics and behavior analytics. We are purposely not positioning our product as a SIEM – to the dismay of some analysts.

We think it’s important to understand the differences between a SIEM and a Security Analytics product. There are many…

Rules vs. Machine Learning Algorithms

When we think about a SIEM, we think about a product that allows companies to write rules and queries to go out and get specific data. You have to know what you’re looking for. What about the unknowns?

Our analytics are powered by over 1000 machine learning models built by data scientists. Our competitors use signatures, patterns, rules and policies, which can only detect behavior patterns that someone has already described. Our models go beyond known or common patterns, so you can detect unknown threats. A rule cannot find a deviation from a pattern it was never written to describe.

Statistics vs. UEBA

SIEMs tend to be based on statistics and correlations of information. Gurucul does User and Entity Behavior Analytics as well as access intelligence for users and entities. So, not only do we know who you are and what you’re doing, we also understand what you are able to access. That matters because as your access expands, the attack surface within the organization expands and your risk goes up. The more things people have access to, the more is exposed if their account is compromised or their credentials are misused.

Manual Threat Hunting vs. Actionable Intelligence

SIEMs help facilitate manual threat hunting. No human analyst can respond fast enough to mitigate today’s sophisticated cyber-attacks. You need to be able to move at machine speed, and that is why Gurucul offers model-driven security: a machine-based reaction time to critical threats. We provide both user intelligence and entity intelligence, looking at access as well as activity.

We generate a single risk score for every user and entity in your organization using behavior analytics. Why is that important? It’s important because you can focus on the highest risk areas in your organization. This enables you to automatically orchestrate downstream actions and apply automated risk-based controls.

Transactional Alerting vs. Prioritized Risk Ranking

SIEMs generate alerts on everything that happens. Telling you what’s happening is not helpful. Telling you when something bad is happening is the Gurucul difference. That’s information you can act on.

We provide prioritized risk ranking on everything. For every single user and every single entity in your organization, if we have statistics on it, we provide a risk score for it. This is unique to Gurucul. It gives you the ability, based on those risk scores, to apply different controls to different users and entities within your organization.
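The three contrasts above (a static rule versus a learned baseline, activity versus access, and one ranked risk score per user) are easier to see on data. The following is an added illustration, not Gurucul’s models or code: it builds a per-user baseline from a constructed two-week history of daily file downloads, compares a static threshold rule against a deviation check on that baseline, and then folds in a constructed access footprint to produce a single ranked score. The threshold, the 70/30 weighting and the sample numbers are all assumptions chosen for the illustration.

```python
"""Added example (not Gurucul's code): static rule vs. per-user baseline,
combined with access footprint into one ranked risk score per user."""
from statistics import mean, pstdev

# Constructed sample: daily file-download counts per user over a ten-day
# baseline window, and the count observed today.
BASELINE = {
    "alice": [12, 15, 11, 14, 13, 12, 16, 14, 13, 15],
    "bob":   [80, 95, 88, 91, 85, 90, 87, 93, 89, 92],
    "carol": [3, 2, 4, 3, 2, 3, 3, 4, 2, 3],
}
TODAY = {"alice": 60, "bob": 94, "carol": 3}

# Constructed access footprint: number of sensitive shares each user can reach.
ACCESS = {"alice": 40, "bob": 5, "carol": 120}

# A typical SIEM-style rule: one global threshold for everyone (assumption).
STATIC_THRESHOLD = 75


def rule_alerts(today, threshold=STATIC_THRESHOLD):
    """Static rule: alert when today's count exceeds a fixed threshold."""
    return sorted(u for u, n in today.items() if n > threshold)


def zscore(user, value, baseline):
    """How many standard deviations today's value is from the user's own history."""
    hist = baseline[user]
    mu, sigma = mean(hist), pstdev(hist)
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def behavior_alerts(today, baseline, z_limit=3.0):
    """Baseline check: alert when the user deviates from their own pattern."""
    return sorted(u for u, n in today.items() if zscore(u, n, baseline) > z_limit)


def risk_scores(today, baseline, access, z_cap=10.0):
    """Combine activity deviation (0..1) with access exposure (0..1) into 0..100.

    Only upward deviation counts (downloading less than usual is not a threat
    here), and the z-score is clipped so one outlier cannot dominate.
    """
    max_access = max(access.values())
    scores = {}
    for user, n in today.items():
        z = max(0.0, min(zscore(user, n, baseline), z_cap))
        activity = z / z_cap
        exposure = access[user] / max_access
        scores[user] = round(100 * (0.7 * activity + 0.3 * exposure), 1)
    return scores


def ranked(today, baseline, access):
    """Users ordered by risk score, highest first."""
    return sorted(risk_scores(today, baseline, access).items(),
                  key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    print("static rule flags:   ", rule_alerts(TODAY))
    print("baseline check flags:", behavior_alerts(TODAY, BASELINE))
    for user, score in ranked(TODAY, BASELINE, ACCESS):
        print(f"{user:6s} {score:5.1f}")
```

On this sample the static rule fires on bob, whose 94 downloads are normal for him, and misses alice, whose 60 is four times her own baseline. The baseline check flags alice only. The combined score ranks alice first, carol (broad access but ordinary behavior) second, and bob last, which is the ordering an analyst would want to work from.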

Short Term Analysis vs. Historical Real-Time Analysis

SIEMs are built for short-term analysis and are not designed to keep long-term data online. They talk about being a compliance platform, but if you need to go back four or five years, searching that data online with a SIEM is very difficult. With Gurucul, you have access to all your data in real time. We use historical data to give context to our behavior analytics; it is how we train our machine learning models.

Siloed Context vs. Linked Context

SIEM context is siloed. There is no linkage between user identities, their access and their activities, and no linkage across the applications used over time and the behavior patterns they produce. Gurucul Risk Analytics™ ingests huge volumes of data generated by user activity from disparate, even obscure and unstructured, data sets. Machine learning is then applied simultaneously to hundreds of thousands of discrete events from multiple data sets to identify relationships that span time, place and actions. Gurucul’s artificial intelligence features link and analyze these relationships to derive “meaning” from behaviors and provide early-warning detection, prediction and prevention.

Proprietary Data Lake vs. Open Choice of Big Data

Traditional SIEMs use a closed database. “Next-gen” SIEMs talk about having a data lake, but their data lakes are proprietary. If you install a second-generation SIEM, you have to use its data lake, and its version of that data lake. If you already have your own data lake, that’s too bad: you still have to install the one that comes with the SIEM, and you end up with a mish-mash of technologies.

With Gurucul, we offer you open choice of big data. We don’t care what kind of data lake you have – Hadoop, Cloudera, Hortonworks, whatever. We can set our analytics right on top of your data and start running our analytics. If you don’t have a data lake, we’ll give you Hadoop for free. It’s that easy.

Black Box Analytics vs. Open Analytics

If SIEMs have analytics, they are lightweight “black box” analytics. They are proprietary analytics completely hidden from the customer’s view. You’ll never be able to understand what’s going on and this can lead to real problems if the algorithms are not properly vetted.

We offer open analytics. With Gurucul STUDIO™, you can build and develop your own machine learning models. Further, if you have data scientists in your organization, they can use our Software Development Kit to build their own machine learning models and import them into Gurucul Risk Analytics™. We opened up our analytics because sophisticated customers asked for these capabilities.

Data Driven EPS License vs. Users/Entities Monitored License

SIEMs charge based on Events Per Second (EPS). As any SIEM user knows, this gets very expensive very quickly. Gurucul charges based on the users and entities being risk-scored, not on the volume of data we consume. We want to consume large quantities of data.

Didn’t You Say Something About a Demo?

During our briefing with Fran Howarth, we started with a presentation, followed by a demonstration of our behavior based security analytics platform. We talked about all the points mentioned here and then showed Fran how it works in practice.

That’s when she said ours was the “best, most detailed demo I’ve ever seen. It’s usually just a cursory 10 minute walk through that doesn’t really show you that much. This is really good.”

What can we say? We give good demo. Request yours today!


Machine Learning Madness

A Tour of Gurucul’s Machine Learning Models


At Black Hat USA this year, Gurucul shared details of our most popular Machine Learning Models. Every hour at Black Hat we revealed a new Machine Learning Model. It was fun. It was successful. It was #MachineLearningMadness!

Over the course of 2 days, we presented 14 different Machine Learning Models. Please check our blog regularly over the next few months for in depth details on how each of these models work. Click below to view the list of models.


Gurucul Labs

Guaranteed Discovery of Unknown Unknowns

Gurucul Labs provides Gurucul customers a turn-key service offering to detect unknown unknowns using the Gurucul Risk Analytics (GRA) platform. GRA is available for customers in the cloud as SaaS, and on-premises as an appliance or software.

Gurucul Labs helps you operationalize your investment in behavior-based security analytics by combining Gurucul’s award-winning Gurucul Risk Analytics platform with Gurucul Labs professionals, delivering a near real-time, value-driven service at a time when skills and resources are at a premium.

Gurucul Labs consists of a unique mix of people, process and technology. Gurucul Labs will continuously monitor your Gurucul Risk Analytics environment to make sure it is healthy, and manage your security analytics to ensure the highest level of value is derived from your Gurucul investment. The service is designed to leverage GRA advanced analytics capabilities in the most effective and efficient manner, to align with customer-specific priorities.


Product Review: Gurucul Risk Analytics

A Cybersecurity Insiders Product Review


It is estimated that 81% of hacking-related breaches use stolen and/or weak passwords, which makes identity a core issue of modern threats. Organizations whose IT resources span the data center and the cloud are especially prone to struggle to detect and prevent unauthorized data transfer and user privilege abuse across their hybrid infrastructure.

Today we are reviewing Gurucul Risk Analytics (GRA), a security analytics solution that helps organizations protect themselves against insider threats, account compromise, IP and data theft, external attacks, and data exfiltration. One of GRA’s unique capabilities is that the solution spans on-premises and cloud environments and supports an open choice of big data repositories.

GRA’s security intelligence and analytics technology incorporates machine learning, anomaly detection and predictive risk-scoring algorithms to reduce the attack surface for accounts, unnecessary access rights and privileges, and to identify, predict and prevent breaches. GRA monitors user behaviors using machine learning algorithms to detect threats that appear as “normal” activity to traditional security products, such as hackers using login credentials stolen from authorized users, as well as malicious insiders, employees and contractors.


What’s New

BLOG: A Q&A With Our CEO About Insider Threats. Saryu Nayyar, our CEO, was contacted by a reporter to provide comments on an Insider Threat story. The reporter sent Ms. Nayyar a list of questions on insider threats. Here are her responses to some of those questions. Read More.
Detect Insider Threats With “Email Fuzzy Logic”. This is the first of the 14 Machine Learning Models we presented at the Black Hat conference. How does the Email Fuzzy Logic machine learning model work, and what does it do? This model sniffs its way through company email systems to detect whether a user is sending emails to his or her own personal email address, or to other non-company email addresses. Read More.
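As an added illustration of the idea behind that model (this is not Gurucul’s code, and the page does not describe how the real model is built), the following script runs over a handful of constructed outbound-mail log lines and flags messages leaving the company domain whose recipient mailbox name fuzzily matches the sender’s own name, which is the telltale shape of “mailing work to myself”. The company domain, the directory, the list of consumer mail providers, the log format and the 0.8 similarity threshold are all assumptions for the example.

```python
"""Added example (not Gurucul's model): flag outbound mail that looks like a
user sending to a personal mailbox, using fuzzy matching of the recipient's
mailbox name against the sender's display name."""
import re
from difflib import SequenceMatcher

COMPANY_DOMAINS = {"example.com"}                       # assumption
PERSONAL_HINTS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Constructed directory: login -> display name.
DIRECTORY = {"jdoe": "John Doe", "asmith": "Alice Smith"}

# Constructed outbound-mail log lines (format is an assumption).
LOG = """\
2018-08-14T09:02:11 from=jdoe@example.com to=bob@partner.org attachments=0
2018-08-14T17:45:02 from=jdoe@example.com to=john.doe1984@gmail.com attachments=3
2018-08-14T18:01:40 from=asmith@example.com to=alice_smith@yahoo.com attachments=1
2018-08-14T18:10:12 from=asmith@example.com to=it-helpdesk@example.com attachments=0
2018-08-14T18:15:55 from=jdoe@example.com to=newsletter@vendor.net attachments=0
2018-08-14T18:22:09 from=asmith@example.com to=bookclub42@gmail.com attachments=0
"""

LINE_RE = re.compile(r"from=(?P<from>\S+) to=(?P<to>\S+) attachments=(?P<att>\d+)")


def normalise(s):
    """Lowercase and drop digits/separators: 'john.doe1984' -> 'johndoe'."""
    return re.sub(r"[^a-z]", "", s.lower())


def name_similarity(display_name, local_part):
    """Best similarity of the recipient mailbox name against the user's full
    name in first-last and last-first order, so 'doejohn' matches too."""
    parts = display_name.lower().split()
    candidates = ["".join(parts), "".join(reversed(parts))]
    target = normalise(local_part)
    return max(SequenceMatcher(None, c, target).ratio() for c in candidates)


def classify(line, threshold=0.8):
    """Label one log line; returns None for lines that do not parse."""
    m = LINE_RE.search(line)
    if not m:
        return None
    sender_local, _ = m["from"].split("@", 1)
    rcpt_local, rcpt_domain = m["to"].split("@", 1)
    if rcpt_domain in COMPANY_DOMAINS:
        label, sim = "internal", 0.0
    else:
        # Fall back to the login when the directory has no display name.
        sim = name_similarity(DIRECTORY.get(sender_local, sender_local), rcpt_local)
        if sim >= threshold:
            label = "self_addressed_external"   # looks like the user's own mailbox
        elif rcpt_domain in PERSONAL_HINTS:
            label = "personal_domain"           # consumer provider, name not matched
        else:
            label = "external"                  # ordinary outbound mail
    return {"from": m["from"], "to": m["to"], "attachments": int(m["att"]),
            "label": label, "similarity": round(sim, 2)}


def findings(log=LOG):
    """Every non-internal message, in log order, with its label."""
    return [r for r in map(classify, log.splitlines()) if r and r["label"] != "internal"]


if __name__ == "__main__":
    for r in findings():
        print(f"{r['label']:24s} {r['from']} -> {r['to']} "
              f"(sim={r['similarity']}, attachments={r['attachments']})")
```

In a real deployment the “self_addressed_external” hits with attachments are the ones worth a risk-score bump; the “personal_domain” bucket is noisier (newsletters, family mail) and is better treated as weak evidence to be combined with other signals, such as the volume or sensitivity of what was attached.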


Join Us

Gartner Security & Risk Management Summit – India. August 30-31, 2018. Renaissance Mumbai Convention Centre Hotel, Powai, Mumbai. Get the latest information on new threats as well as insights to help you prepare for emerging technologies such as artificial intelligence (AI), machine learning, advanced analytics and blockchain. Meet our local sales and support team at our booth.

SecTor Canada. October 1-3, 2018. Toronto, Ontario. Gurucul is pleased to be sponsoring the premier IT Security conference in Canada.

FS-ISAC Fall Summit. November 11-14, 2018. Chicago, IL. The Financial Services Information Sharing and Analysis Center (FS-ISAC) is the global financial industry’s go-to resource for cyber and physical threat intelligence analysis and sharing.
