Security Analytics is not a SIEM

A lot of analysts in our space are saying that security analytics products are second generation SIEMs. We disagree. A Security Analytics product can do a lot of what a SIEM can do, but it does a whole lot more. It not only looks at activities, it also looks at access. It has the ability to help facilitate risk based orchestration within an organization. It applies different levels of controls and provides risk scores and other opportunities to make business decisions.

Our competitors are touting their platforms as “next generation SIEMs”. Some are going as far as saying they are the next Splunk. What we’re hearing from our customers and our advisory board is “We don’t need another SIEM. We have a SIEM. It’s not adding the value we need. We want an analytics product.”

Gurucul is laser focused on behavior based security analytics. When you hear our messaging, you’ll hear us talking more and more about security analytics and behavior analytics. We are purposely not positioning our product as a SIEM – to the dismay of some analysts.

We think it’s important to understand the differences between a SIEM and a Security Analytics product. There are many…

Rules vs. Machine Learning Algorithms

When we think about a SIEM, we think about a product that allows companies to write rules and queries to go out and get specific data. You have to know what you’re looking for. What about the unknowns?

Our analytics is powered by over 1000 robust machine learning models built by data scientists. Our competitors use signatures, patterns, rules and policies which can only detect known behavior patterns. Our models go beyond detecting known or common patterns, so you can detect unknown threats. Rules don’t find the deviation in patterns.

Statistics vs. UEBA

SIEMs tend to be based on statistics and correlations of information. Gurucul does User and Entity Behavior Analytics as well as access intelligence for users and entities. So, not only do we know who you are and what you’re doing, we also understand what you are able to access. That’s certainly important because as your access expands, the threat plane expands within the organization and your risk goes up. The more things that people have access to, the more things that are exposed if their account is compromised or credentials misused.

Manual Threat Hunting vs. Actionable Intelligence

SIEMs help facilitate manual threat hunting. There are no people in this world that can respond fast enough to mitigate today’s sophisticated cyber-attacks. You need to be able to move at machine speed and that is why Gurucul offers model driven security. We give you a machine-based reaction time to critical threats. We provide both user intelligence and entity intelligence, looking at both access as well as activity.

Gurucul Risk Analytics generates a single risk score for every user and entity in your organization using behavior analytics. Why is that important? It’s important because you can focus on the highest risk areas in your organization. This enables you to automatically orchestrate downstream actions and apply automated risk-based controls.

Transactional Alerting vs. Prioritized Risk Ranking

SEIMs generate alerts on everything that happens. Telling you what’s happening is not helpful. Telling you when something bad is happening is the Gurucul difference. That’s information you can act on.

We provide prioritized risk ranking on everything. Every single user and every single entity in your organization – if we have statistics on it, we provide a risk score for it. This is unique to Gurucul. It gives you the ability then, based on those risk scores, to apply different controls to different users and entities within your organization.

Short Term Analysis vs. Historical Real-Time Analysis

SIEMS are based on short term analysis. They can’t store long term data. They talk about being a compliance platform but if you need to go back 4 or 5 years, it’s very difficult to be able to search that data online with a SIEM. With Gurucul, you have access to all your data in real-time. We use historical data to deliver context to our behavior analytics. This is how we train our machine learning models.

Siloed Context vs. Linked Context

SIEM context is siloed. There’s no linkage between user identities, their access and their activities. There’s no linkage across applications being used over time and behavior patterns. Gurucul Risk AnalyticsTM ingests huge volumes of data generated by user activity from disparate, even obscure and unstructured sets of data. Machine Learning is then applied simultaneously to hundreds of thousands of discrete events from multiple data sets to identify relationships that span time, place and actions. Gurucul’s artificial intelligence features link and analyze these relationships to derive “meaning” from behaviors and provide early warning detection, prediction and prevention.

Proprietary Data Lake vs. Open Choice of Big Data

Traditional SIEMs use a closed database. “Next-gen” SIEMs talk about having a data lake but the problem is their data lakes are proprietary. So, if you want to install a second generation SIEM, you have to use their data lake. And, you have to use their version of their data lake. You don’t have a choice. If you have your own data lake, that’s too bad – you still have to install the data lake that goes with the SIEM. So now you have a mish-mash of technologies.

With Gurucul, we offer you open choice of big data. We don’t care what kind of data lake you have – Hadoop, Cloudera, Hortonworks, whatever. We can set our analytics right on top of your data and start running our analytics. If you don’t have a data lake, we’ll give you Hadoop for free. It’s that easy.

Black Box Analytics vs. Open Analytics

If SIEMs have analytics, they are lightweight “black box” analytics. They are proprietary analytics completely hidden from the customer’s view. You’ll never be able to understand what’s going on and this can lead to real problems if the algorithms are not properly vetted.

We offer open analytics. With Gurucul STUDIOTM, you can actually build and develop your own machine learning models. Further, if you have data scientists in your organization, they can leverage our Software Development Kit to build their own machine learning models and import them into Gurucul Risk AnalyticsTM. We’ve opened up our analytics because we have sophisticated customers who have asked for these capabilities.

Data Driven EPS License vs. Users/Entities Monitored License

SIEMs charge based on Events Per Second (EPS). This gets very expensive very quickly as you well know if you’re a SIEM user. Gurucul charges for risk scoring. We don’t charge based on data that we consume. We want to consume large quantities of data.

Experience the difference yourself. Request a demo of Gurucul Risk AnalyticsTM today.

The post Security Analytics is not a SIEM appeared first on Gurucul.

*** This is a Security Bloggers Network syndicated blog from Blog – Gurucul authored by Jane Grafton. Read the original post at: