Gurucul User and Entity Behavior Analytics (UEBA) uses machine learning models on open choice big data to detect unknown threats early in the kill chain. UEBA provides the most realistically effective approach to comprehensively manage and monitor user and entity centric risks. UEBA quickly identifies anomalous activity, thereby maximizing timely incident or automated risk response. The range of Gurucul UEBA use cases is what makes the solution extensible and valuable. It focuses on the detection of risks and threats beyond the capabilities of signatures, rules and patterns.
Using big data, Gurucul provides risk-based behavior analytics delivering actionable intelligence for security teams with low false positives. Gurucul leads the market in demonstrating UEBA results where others cannot. We consume the most data sources out-of-the-box and leverage the largest machine learning library. Additionally, we deliver a single unified prioritized risk score per user and entity. Find threats – unknown unknowns – quickly with no manual threat hunting and no configuration. Get immediate results without writing queries, rules or signatures.
Gurucul UEBA Use Cases
Insider Threat Detection and Deterrence
Identify high-risk profiles with risk-based analytics, data mining, anomaly and behavior detection. Help security teams by creating a baseline using profiling attributes from HR records, events, access repository, log management solutions and more. This enables you to easily detect and predict abnormal user behavior associated with potential sabotage, data theft or misuse.
Account Compromise, Hijacking and Sharing
Detect attacks using machine learning algorithms tuned to inspect various parameters like timestamp, location, IP address, device, transaction patterns, high-risk event codes and network packets. Identify any deviation from the normal behavior of an account and corresponding transactions.
Privileged Access Abuse
Monitor privileged accounts with contextual information around who accesses your IP and regulated data. Provide risk-based alerting of anomalous behavior and the ability to prevent and deter a threat before it occurs.
Data Exfiltration, DLP and IP Protection
Identify data exfiltration and protect intellectual property by ingesting data sources such as DLP and data classification to uncover important data locations, access and application activity. Risk scoring DLP alerts is a primary benefit of UEBA machine learning because it significantly reduces alert fatigue and prioritizes ‘find-fix’ resources.
Leverage the UEBA risk score of a user or entity to dynamically determine the levels of authentication for access. A low-risk score may result in a simple password challenge while a high-risk score may result in multiple authentication challenges (e.g., password, MFA access code and answering questions). The solution supports bidirectional integration with industry standard adaptive authentication solutions by using ready-to-use connectors and API interfaces.
SIEM and DLP Risk Intelligence
Eliminate alert fatigue issue of SIEM and DLP solutions by aggregating the risk scores at the user and entity level, rather than generating a huge number of alerts at the transaction or event level. This use case employs bidirectional integration via APIs enabling SIEM and DLP data ingestion into UEBA as it provides risk scores back to these systems to allocate ‘find-fix’ resources.
Self-Audit and ID Theft Detection
Deputize users into a collaborative relationship with security analysts to provide context and relevance not available to SOC teams. This multiplier of ‘eyes on glass’ applies to employees, business partners and suppliers, agents in hub-spoke organizations, and in some cases, customers. All these parties have one or more accounts with access entitlements to critical applications and data. A frequently issued (usually weekly) self-audit report provides visibility for access, devices, locations and risk-scored anomalous behavior providing both detection and deterrence for end users.
Cyber Fraud Detection and Deterrence
Provide a flexible data model open to attributes from commercial or homegrown treasury and accounting systems to be considered for behavioral analytics from machine learning models. Ingest access and activity data from treasury, accounting and payment systems to detect anomalies with predictive risk scoring. UEBA allows organizations to integrate their cyber fraud models and risk frameworks. This provides an additional benefit of leveraging existing investments and security models in alignment with business context.
Trusted Host and Entity Compromise
Detect advanced persistent threat (APT) attacks and attack vectors and predict data exfiltration by performing entity-centric anomaly detection. In addition to monitoring anomalous user behavior with UEBA, it is critical for organizations to monitor closely all the endpoints (devices and hosts) connected to the network. UEBA correlates a wide range of parameters associated with an entity, including: endpoint security alerts, vulnerability scan results, risk levels of users and accounts used, targets accessed, packet level inspection of the requested payloads, and more. This correlation facilitates detection of any anomalous activities or events to determine predictive risk scores.
Stateful Session Tracking
Provide greater visibility into user activities across multiple resources or applications with stateful session tracking. UEBA builds and tracks the user session state, even when a user navigates across heterogeneous resources or applications using different accounts and devices at different times. Leveraging machine learning, UEBA dynamically builds session correlation attributes used to build session context in order to link any subsequent activities based on a confidence factor. This enables the identification of valid IP switching due to transitions between wired and wireless networks, a workstation and a handheld/mobile device, or accessing enterprise resources from various onsite locations or remotely over VPN. UEBA’s ability to track user sessions across these various parameters ensures a significant reduction in false positives while simultaneously delivering greater visibility into the sequence of events.
Anomalous Behavior and Watch Lists
Address anomalous behavior with watch lists to quickly profile and maintain an eye on unknowns and apply escalating predictive risk scores. Machine learning behavior models are designed to deliver feedback on false positives and negatives and then update self-learning and self-training models to adapt to time-based norms and conditions unique to each customer deployment. Watch lists come pre-defined within UEBA for common high-risk groups like new hires, departing users, terminated users, and high-risk users. These groups are easily accessed in dashboard drop-down menus to analyze risk scores, anomalies, accounts, access, activity and timelines.
Provide UEBA platforms for both on-premises and cloud applications. Remove the need for any big data transfers between environments. These transfers can be expensive and impede the use of important data for advanced security analytics. UEBA runs on-premises. The cloud security analytics portion is an API-based cloud access security broker (CASB). The CASB API architecture enables direct data collection from cloud data sources while providing users a transparent access experience from any location. UEBA and cloud security analytics share combined processes and models to provide 360-degree visibility for users and entities in hybrid environments.
Gurucul UEBA Benefits
Results are the most important benefit. We are not threat hunters, we are threat finders. We’ve done all the hunting for you.
Empowered Security Capabilities and Quality
The mature capabilities of UEBA provide robust and optimal advanced security analytics. It applies across a range of on-premises and hybrid environments, scoring the gray areas of unknowns and minimizing false positives. The result is improving the focus of ‘find-fix’ resources and optimizing the time of security analysts, efficiency in the SOC, and making operations and people more productive.
Extended and Optimized, Discovery, Monitoring and Visibility
View the full context of a user’s access and activities, both legitimate and anomalous. Obtain a combined 360-degree view for identity, and risk-scored behavior anomalies driven by machine learning.
Improved Productivity and Cost Savings
Provide risk-ranked alerts with contextual visibility for the security team to shorten the prevention, detection, investigation, and remediation cycle of risks and threats. Deliver a manageable number of true positives that allows businesses to combat threats effectively. By having holistic visibility across all environments, users and devices, SOC teams’ efficiencies are maximized. In addition, as enterprises migrate to cloud applications, the ability to expand platforms without adoption of additional solutions helps to minimize costs.
“Gurucul really stood out because the analytics engine was the most powerful. The machine learning algorithms are the strongest. We saw results very, very quickly. There’s an amazing value for this type of solution.“
– William Scandrett, CISO, Allina Health