Gurucul Next Gen SIEM Reviews

For the majority of our use cases on the firewall, we are looking at the Ria website and multiple denials on the firewall. We'll also look at some C&C communication being initiated from multiple systems. That is one use case we are looking at. 

We have integrated the perimeter and internal application firewalls, along with endpoint protection, through cloud API integration. We have also integrated the vulnerability analysis and SIEM solution through API.

Initially, we implemented the McAfee SIEM. It was useful mainly for analysis. We moved away from that one due to analysis fatigue, and we went into a managed service with the SolarWinds platform, which Atos purchased. Gurucul is a 50 to 60 percent improvement over our previous solutions. Previously, we relied on the provider to perform the cases, but now we can establish whether traffic is growing, alerts are created, and the tuning we have to do. That kind of sophistication gives us great comfort in terms of what we are doing.

We have a low-security network because of the new premium controls we have implemented. We have endpoint protection, network detection and response, and good firewalling and hardening. Because of that, our environment is a low-security SIEM, but whatever we detect helps us understand what is happening in our network and how users behave. It enables us to be aware of what is happening. 

Context-driven risk prioritization is critical because we are also in the tuning process. We want all the security intelligence from different devices to establish the proper context. Based on what we have integrated, we are getting better info based on context, but we are still working with them to improve.

Without Gurucul, integrated threat detection would take five hours. We would work around in the background and not identify the threat. However, we have integrated endpoint protection and network detection, enabling us to see the current threats. The dynamic threats are always identified, but collecting logs to identify the orchestration process and distributed threat wouldn't be possible without Gurucul. It has reduced our mean detection time by about 40 to 50 percent. Gurucul gives us a 360-degree view of each user and resource, reducing the time required to respond by 30 to 40 percent.

We use Gurucul Next Gen SIEM as our security incident and event management system. We are sending logs from our Citrix Informatics platform, which is hosted in AWS, for continuous monitoring of events.

The organization is ISO 27001 certified, and continuous monitoring is one of the requirements for that certification. That is why we started using Gurucul Next Gen SIEM.

We are sending logs over a secure connection to Gurucul's SaaS offering. They perform the analysis and other tasks in their data center, and we consume the results as a SaaS. It is entirely possible to have an on-premises solution like this. I can think of a couple of ways to do it, but I have not bothered to examine them because we are currently a SaaS company and do not operate our own data center. In fact, our entire enterprise is run on SaaS and PaaS.

Gurucul uses a next-generation SIEM system, which is different from a traditional SIEM in several ways. In a traditional SIEM, we send our logs to a collection point database and write rules to tell the system what to do when it sees certain log types. For example, we might write a rule to create an alert when the system sees a log entry for a failed login attempt from an IP address in a country where we don't do business. This approach requires us to know in advance what types of events we want to be alerted to. In other words, we have to write a rule for every type of event that we think might be suspicious. This can be difficult and time-consuming, and it's impossible to anticipate every type of attack that a malicious actor might use. In contrast, a next-generation SIEM like Gurucul uses machine learning to analyze the log stream and establish a normal baseline of activity. This means that the system can identify anomalies, or events that fall outside of the normal baseline, even if it has never seen those events before. For example, if a user from Tokyo normally logs in at nine AM their time, the system will learn this pattern and add it to the normal baseline. If the user then tries to log in from a different IP address or at a different time of day, the system will generate an alert. This approach to security monitoring is much more effective than traditional SIEM because it doesn't require us to know in advance what types of attacks we want to be alerted to. The system will automatically alert us to any suspicious activity, even if it's something that we've never seen before.

Gurucul helps us find threats that we were unaware of. This visibility is like the difference between an invisible intruder and one we have in the spotlight. At the end of the day, we cannot defend against what we don't know. But what we do know, we can make choices about what to do with it. It's that simple. It's what we cannot see that we don't know is happening. A traditional SIEM cannot generate an alert for a zero-day attack, which is a new attack that we may be the first victim of. This is because it doesn't have a rule to say what this new attack looks like. There's no way to generate that rule. In a next-generation SIEM like Gurucul, which analyzes the log stream in real-time, we can see that we have a new event. A human being can then be alerted to this event and analyze it further to determine the attack surface and what the attack is designed to do. We can add threat feeds and other things to our SIEM so that the latest information is pushed into it and we can write new rules. But we're always behind the curve on this. Someone has to see the attack, recognize it, analyze it, write a report about it, and give it to a threat feed. The threat feed then has to distribute this information to all of its customers, who then have to ingest it and write rules for their SIEM. Meanwhile, the attack may have already happened. With a next-generation SIEM, because it's analyzing the stream in real-time, we get an alert for new attacks because that's what the system is designed to do. 

Gurucul helped us reduce our detection time. It will be even better for us soon. We are currently engaging with an additional virtual security operation center provider, which will give us much more staff to look at anomalies. They are giving us the data we need. As we add the additional team of people to this issue, our detection time will realistically be real-time. If there's an anomaly, there should be somebody paying attention to the anomaly alert in the SIEM and reacting to it in real-time as well.

Currently, our MTTR is half an hour. Once we have the expanded team in place, and if we start seeing alerts that indicate that our security may be compromised, having 24/7/365 security operations personnel monitoring the dashboard will mean that it will be their job to pay attention to this all day, every day. This will be as close to real-time monitoring as possible.

We use Gurucul Next Gen SIEM for Security and monitoring against Cyber threats.

Our organization handles a significant amount of sensitive data, and in the current cyber landscape, protecting this data from theft is paramount. While firewalls and other security products are essential, they all have limitations. This is where Gurucul Next Gen SIEM comes in. Firewalls safeguard us against malicious websites and IPs, but hackers sometimes find ways to bypass these protections. This is where SIEM tools come into play. SIEM tools allow us to integrate critical devices for monitoring purposes. Organizations provide us with links to integrate with their SIEM, and logs are then routed through the SIEM. This is where the SOC analyst and team come in. They analyze the logs to identify incidents, block malicious IPs or URLs, and take action against suspicious user activity. SIEM tools can also detect malicious activities within the organization, whether initiated by employees or external actors and take preventive measures.

Gurucul Next Gen SIEM offers a wide range of predefined connectors that enable seamless data ingestion from diverse sources. With over 163 connectors available, Gurucul's flexibility extends to even the latest tools. If a new tool is released and a connector is not yet available, Gurucul's development team will promptly create and integrate the necessary connector. Additionally, Gurucul provides connectors for Azure and AWS, along with a comprehensive list of enterprise-level applications and servers. This ensures that connectors are readily available for a vast array of devices and platforms. In the absence of a predefined connector, Gurucul's commitment to adaptability guarantees prompt development and integration.

Gurucul helps us identify threats that we might not be aware of. It provides additional visibility through alerts and models. We can configure scenarios to customize the system's behavior. Based on these scenarios, we can tailor use cases to specific threats. For instance, we can configure a use case to detect botnet attacks against IoT devices. Since most IoT device attacks are carried out using botnets, this use case would alert us whenever a potential attack is detected. This would allow our SOC analysts to investigate and take appropriate action.

Gurucul's context-driven risk prioritization allows us to establish thresholds upon initial integration. For critical devices, we can define the desired risk score, enabling analytics to prioritize accordingly.

Without Gurucul, we will be unable to effectively detect and mitigate potential risks. This lack of visibility will make it challenging to identify and respond to emerging threats, leaving our systems and data vulnerable. In today's rapidly evolving cyber landscape, new threats emerge constantly, creating a growing pool of potential dangers. Without the protection offered by Gurucul, our systems are susceptible to attacks that could compromise sensitive information and damage our devices.

Our MTTD has been reduced. We have a script that runs on the backend and whatever data comes in the ML, the use cases run and it detects and pops up alerts for any issues detected. The solution will detect 90 percent of the issues automatically with only 10 percent for our SOC team to deal with.