Blindspotter Uses Machine Learning to Find Suspicious Network Activity

NEWS ANALYSIS: The use of machine learning to identify suspicious online activity is a new and important capability in securing the network, but privileged users were the weak point until now.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

Breach Detection

BUDAPEST—There is a consistent factor that will often be discovered in the aftermath of many of today's data breaches and network breach attempts. It's the first phase of the attacks that few notice, because it starts as a phishing email that attempts to get the login credentials for a privileged network user.

In many cases, the attack proceeds deliberately, perhaps hitting an employee who has access to information needed to get credentials with higher privileges. This continues until the hackers behind the phishing attack gain what they're really after, the credentials for someone with complete access to the network.

These initial attacks may proceed slowly so that the people behind them can make sure that they’re getting the access they want without being detected. In many cases, those hackers work for governments, but they may also work for organized criminals. Patiently, they wait until they have the keys they want, then they quietly strike.

In most networks, even those with excellent perimeter defenses and with well-configured intrusion detection systems, the first stages are missed because they operate at such a low level.

When they finally get the access they need, the hackers are careful so they don't arouse suspicion. Eventually they are able to insert the malware or other means of getting the data that they want, at which point they can sit back and let it flow to them.

But if something interrupts the patient attempts to gain access, then the whole attack plan may be terminated because once the security staff knows what's up, they'll stop it. This is the role that European network security newcomer Balabit performs with a pair of products that work together to gather even the most subtle data and then analyze it for unexpected behavior.

The idea behind Balabit's Blindspotter and Shell Control Box is that if you gather enough data and subject it to analysis comparing activity that's expected with actual activity on an active network, it's possible to tell if someone is using a person's credentials who shouldn't be or whether a privileged user is abusing their access rights.

The Balabit Shell Control Box is an appliance that monitors all network activity and records the activity of users, including all privileged users, right down to every keystroke and mouse movement. Because privileged users such as network administrators are a key target for breaches it can pay special attention to them.

The Blindspotter software sifts through the data collected by the Shell Control Box and looks for anything out of the ordinary. In addition to spotting things like a user coming into the network from a strange IP address or at an unusual time of day—something that other security software can do—Blindspotter is able to analyze what's happening with each user, but is able to spot what is not happening, in other words deviations from normal behavior.

For example, when a user who has been carrying out a specific set of tasks over time suddenly starts doing something else there's cause for an alert.

Wayne Rash

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...