Blindspotter Uses Machine Learning to Find Suspicious Network Activity

By Wayne Rash  |  Posted 2016-06-29 Print this article Print
Breach Detection

Likewise, if a user that's been doing administrative tasks starts sending large files to an outside IP address, that's another alert.

But with the machine learning in Blindspotter even seemingly minor things can raise the alarm. Suppose, for example, an administrator performs a series of tasks in the same order ever day which might be normal. But suppose those tasks are carried out exactly the same way at exactly the same time every day, which is something a person wouldn't do because people normally aren't that exact. Then again it's a reason to raise an alarm.

But it can go even deeper. It turns out that a person's mouse and keyboard use have certain patterns and rhythms, which can be detected and analyzed by Blindspotter and stored by Shell Control Box. If someone suddenly exhibits a different manner of mouse or keyboard use, then it's time to issue an alert to the security staff who may want to check the user out.

Sometimes, of course, the problem isn't an unauthorized user, but rather a trusted user doing things they shouldn't. Then, the keystrokes, mouse movements and data flow that caused suspicion can be played back, just as if they were recorded on tape, so that the security staff can see what a user who triggered an alert was actually up to. This is the way that you might detect a sales person downloading the company customer list before going to work for a competitor.

What's important is that with the machine learning in Blindspotter, it's now possible to detect the activities of fraudulent users after privileged accounts have been hijacked, or when privileged users take advantage of their position. This has been difficult to impossible to accomplish with earlier security products, leaving companies open to attacks through the conduits they need to operate.

And there's another capability that can help companies trying to stay free from breaches. Because the Shell Control Box works as a proxy and router, it can prevent the movement of data outside the network, effectively acting as a default-deny router.

For most organizations, the ability to get an alert when something unexpected is going on, especially with privileged users, is a powerful security tool. Couple that with the ability to play back suspicious access sessions and it's now possible to see when a privileged user is doing something wrong or when the user's account has been taken over by an intruder.

By filtering out extraneous information, the end result is that network managers can have the ability to spot the beginnings of a breach in its earliest stages and stop it in its tracks.

This alone could have prevented some of the most serious recent attacks ranging from data breaches at the Target retail chain to the U.S. Office of Personnel Management. It's a capability that should exist in one way in enterprises that may be attacked, which we can safely assume is all of them.


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel