Gurucul’s UEBA is Ready to Pick Up Where SIEMs Left Off


Gurucul and UEBA

NEWS


User and entity behavioral analytics (UEBA) emerged as another promising technology set to adapt to the changing cybersecurity landscape. UEBA is designed to provide a distinct behavioral monitoring approach and differs from traditional security information and event management (SIEM) in that it applies machine learning (ML) to detect the unknown threat. Gurucul is a prominent UEBA vendor and has won several awards over the years, most recently the CDM INFOSEC award, the SINET award, and the GSN Homeland Security Award for Cyber Excellence in 2016. Additionally, Gurucul received the Best UBA Solution Award from CDM at RSA 2017.

UEBA Making its Way to Enterprise Cybersecurity

IMPACT


As one of the leading players in the UEBA market, Gurucul specializes in detecting what traditional SIEM vendors often miss: the unknown threat. Companies can no longer rely solely on obsolete signature-based threat detection systems; they need to be aware of what transpires within their servers. UEBA uses both supervised and unsupervised algorithms to continuously monitor behavior across the enterprise, report deviations from established baselines, and attempt to remediate anything that appears abnormal. This is referred to as anomaly detection, and it is steadily finding its way to the core of modern cybersecurity research and detection efforts.

Gurucul has undergone a significant transformation since 2009, developing its own risk analytics models, self-auditing, intelligent role models, and a big data and cloud analytics platform (with the latter bringing in a few more awards as well). One of its signature technologies, and perhaps its strongest point, is dynamic peer group detection. This allows individual users to be compared against larger user groups or departments, which, in statistical terms, is like searching for outliers in a normal distribution. These outliers are then investigated further to determine whether they reflect an actual threat or a system compromise. For example, this could involve a sales executive passing more information than necessary to external sources, or an IT analyst accessing seemingly random servers at suspicious times. Evidently, UEBA is a powerful detection tool for another elusive problem: the insider threat. This is achieved by comparing individual behavioral patterns against those of other organizational groups for signs of deviation, and then acting upon these insights when the probability of fraudulent behavior is high enough.
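The peer-group comparison described above, reduced to working code as an added example (this is not Gurucul's implementation, and the access records, department names, thresholds and the off-hours window are all constructed for illustration): each user's count of distinct servers touched outside business hours is scored as a leave-one-out z-score against the rest of their department, and users whose score exceeds the threshold are flagged for analyst review.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample access records (user, department, hour_of_day, server);
# not real data. Each IT analyst touches two servers during the day and a
# couple at 02:00; "it_05" touches twelve distinct servers at 02:00.
EVENTS = []
for i, night_servers in enumerate([1, 2, 1, 2, 12]):
    user = f"it_{i + 1:02d}"
    EVENTS += [(user, "it", 10, f"srv-{k}") for k in range(2)]
    EVENTS += [(user, "it", 2, f"srv-{k}") for k in range(night_servers)]
EVENTS += [("sales_01", "sales", 2, "crm-1"), ("sales_02", "sales", 11, "crm-1")]


def off_hours_feature(events, start=7, end=19):
    """Per user: (department, number of distinct servers touched outside
    the [start, end) business-hours window)."""
    servers = defaultdict(set)
    dept = {}
    for user, d, hour, server in events:
        dept[user] = d
        if not start <= hour < end:
            servers[user].add(server)
    return {u: (dept[u], len(servers.get(u, set()))) for u in dept}


def peer_group_outliers(features, threshold=3.0, min_peers=3):
    """Leave-one-out z-score of each user's feature against department peers
    (excluding the user so an extreme value cannot mask itself).
    Returns {user: z} for users whose z exceeds threshold."""
    by_dept = defaultdict(dict)
    for user, (d, value) in features.items():
        by_dept[d][user] = value
    flagged = {}
    for members in by_dept.values():
        for user, value in members.items():
            peers = [v for u, v in members.items() if u != user]
            if len(peers) < min_peers:
                continue  # too few peers for a meaningful baseline
            mu, sigma = mean(peers), pstdev(peers)
            if sigma == 0:  # uniform peers: any excess is an outlier
                z = float("inf") if value > mu else 0.0
            else:
                z = (value - mu) / sigma
            if z > threshold:
                flagged[user] = round(z, 2)
    return flagged


if __name__ == "__main__":
    print(peer_group_outliers(off_hours_feature(EVENTS)))  # {'it_05': 21.0}
```

The sales users are skipped because a two-person group has no usable baseline; in practice the `min_peers` floor and the threshold are the main levers for trading detection coverage against false positives.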

False Positives as a Reliability Metric

COMMENTARY


The false positive rate (FPR) is the arch nemesis of ML in cybersecurity. Most lower-tier companies try to tackle this issue by lowering their FPR and then advertising their solution as vastly superior to traditional AV systems. On average, most ML implementations currently stand between a 15% and 20% false positive rate (classic AV might exceed 80% in certain instances), while mid- to top-tier vendors using ML or deep learning boast less than 5%. UEBA attempts to address this challenge by using behavioral analysis to create additional, more informative patterns regarding what might or might not constitute an actual threat.

In turn, in its effort to minimize false positive rates, Gurucul strives to collect an abundance of data from multiple sources, including identity management platforms (e.g., Oracle, RSA, CA, SailPoint), privileged access management (Dell, Centrify, CyberArk), SIEMs (McAfee, IBM, Splunk), etc., while also attempting to limit user access and privileges to reduce the overall threat surface. Holistically, this identity-based behavioral anomaly engine is algorithmically equipped not only to detect and predict anomalous behavior and threat patterns, but it could soon be upgraded to anticipate incoming threat agents when utilized alongside a powerful SIEM solution.
