Predict and Stop Abnormal User Behavior Associated with Sabotage, Data Theft or Misuse
The Insider Threat is a major cyber security challenge for many organizations. Insiders are already within the perimeter, past the firewalls and remote access controls, which makes them much harder to detect and prevent. Worse, a malicious insider already knows exactly where to find the most valuable information, so they can access the organization’s most sensitive data with little risk of being stopped or caught.
Gurucul Predicts, Detects, and Stops Insider Threats in Real-Time
The most effective way to detect insider threats, without generating high volumes of false positive alerts, is to create time-based behavioral baselines and continuously learn what is acceptable behavior in order to detect anomalies. This requires monitoring and analyzing massive amounts of data from a myriad of sources using advanced machine learning models and data science to pinpoint privilege abuse. This is what Gurucul does, in real time, with exceptional accuracy.
Gurucul provides a comprehensive view of user/entity behaviors and detects risky outliers using a library of advanced machine learning models and identity-centric data science. Gurucul uniquely pairs User and Entity Behavior Analytics with Identity Analytics to pinpoint threats from malicious insiders or external intruders using compromised credentials. The platform analyzes who or what is on the network, what they are doing, what they have access to, and what they are doing with that access. Anomaly detection and predictive risk-scoring algorithms identify the abnormal behaviors and activities associated with potential sabotage, data theft, or misuse.
Gurucul Insider Threat Solution Highlights / Key Differentiators
- Identity-centric Risk Modeling
- Flexible Entity Model
- User Behavior Analytics
- Peer-group Analytics
- Big Data Architecture
- Data Linking and Enrichment
- Risk Response Automation
- Model Driven Security Controls
Over 10 Years of Success
Gurucul has spent the last decade helping organizations globally to deter, predict, detect, and remediate insider threats. Insider threats include sabotage, espionage, fraud, competitive advantage, and are often carried out through abusing access and mishandling physical devices. When you think about insider risk, don’t just be thinking about employees, contractors, third parties, and visitors; be thinking about outsiders who are impersonating an insider. Those are risks you need to detect as well.
Machine Learning on Big Data
Gurucul offers the largest library of pre-packaged machine learning models (2000+) including unsupervised, supervised, and deep learning algorithms. The models are pre-tuned to predict and detect insider threats aligned with specific use cases (e.g. privileged access abuse) and vertical industries. Gurucul gives security teams a contextual view, linking behavior baselines from disparate systems including HR records, accounts, activity, events, access repositories, and security alerts. Gurucul creates a baseline for the user and their dynamic peer groups, and new activities are compared to the baseline behaviors. If the behavior deviates from the baseline, it’s considered an outlier.
Behavior Analytics + Identity Analytics
Gurucul runs behavior and identity analytics on users because there are millions of combinations to be examined. Think about identity – what access users have. Think about identity – what access users have. You should consider taking that access away periodically, cleaning it up, and getting down to providing information on a “need to know” basis. By doing that, you reduce the attack surface. In this way you’re not just monitoring users after-the-fact to detect if somebody’s trying to abuse their privileges. You’re actually controlling who has the keys to the kingdom.
The sentiment part is especially important for insider threats. People are being furloughed, layoffs are happening, and wages are being reduced. When you think about insider risk, you want to think about sentiment analysis, because that plays a very important role. Why did somebody want to peek at that? Why did somebody want to steal the data or exfiltrate confidential information? Gurucul unifies data feeds from HR applications, social media, emails, website visits, and more to profile a user’s sentiment – to ascertain indicators of discontent prior to departing the organization or attempting to steal data / IP.
Gurucul’s platform leverages a comprehensive risk engine which performs continuous risk scoring providing real time risk prioritized alerts for incident analysis. Gurucul uses a robust and flexible risk scoring framework which rolls up risk scores from multiple contributing elements and derives a normalized user and entity risk score. Risk scores depict the relative risk of a user and entity and associated activity in real-time. As a result, high risk insiders and attackers using compromised credentials are quickly spotted and prioritized for manual review or automated action.
There is one capability that Gurucul uniquely provides for insider threat and detection and deterrence: the self-audit. Users are provided a self-audit much like a credit card statement to view their own risk-ranked anomalous activities, identities, access, devices and other key data points in an easy to use web portal. Developed with a customer CISO and now gaining popularity with other CISOs, it co-opts users into a collaborative relationship to monitor and protect their identities. When users detect an anomaly, the false positive rate is very low, and the context provided is richer and faster than IT can provide.
Open Analytics on Open Choice of Big Data
The Gurucul Risk Analytics (GRA) platform features Gurucul STUDIO™, an open analytics tool which allows organizations to easily customize machine learning models or build their own without having to write code. GRA also provides a centralized analytics platform and SDKs for data scientists to build/import their own custom models. In addition, Gurucul supports an open choice of big data, which enables customers to use existing data lakes to reduce processing time, data replication and costs. Alternative solutions force customers to use their data stores.
Real World Examples
Malicious Insiders Exfiltrating Intellectual Property. Gurucul detected developers sending sensitive documents to an illegitimate corporate webpage. A group of developers built a webpage, made it public, and were uploading sensitive documents to a domain which appeared to be legitimate – as it was hosted on the corporate domain. Gurucul detected the URL as a data exfiltration attempt. Five of the same users were constantly visiting that webpage. All five users belonged to the same department. Gurucul linked users to the exfiltrated documents across three context sources:
- Shared document names
- The enormous volume of bytes downloaded
- The download location – they were all in the same geography
Gurucul found this unknown unknown within a week of deployment. The company investigated the anomaly and quickly shut down the website. The data exfiltration had been going on for weeks before Gurucul was implemented.
Account Compromise: A manufacturing company was doing a Gurucul Risk Analytics proof of concept. They fed their SAP information along with some network and firewall logs to our behavior based security analytics platform. Our analytics determined that their product bill of materials had been accessed by a foreign nation. It had been compromised for more than 18 months without them knowing. We were able to reveal this account compromise scenario in a couple of hours. We later learned their share price dropped by 25% due to a lower priced competitive product. We also discovered fraud in their call centers, and have been used to bust credit card theft rings at this particular company.
Gurucul has resources to help your organization understand how our technology combats the Insider Threat:
Practical Advice to Uplevel your Insider Threat Program Today
Read the 2021 Insider Threat Report
Uncover Insider Threats through Predictive Security Analytics
Read the Blog: Famous Insider Threat Cases