Blindspotter Uses Machine Learning To Find Suspicious Network Activity

Wayne Rash is senior correspondent for eWEEK and a writer with 30 years of experience. His career includes IT work for the US Air Force.


The use of machine learning to identify suspicious online activity is a new and important capability in securing the network, but privileged users were the weak point until now.

One consistent factor turns up in the aftermath of many of today’s data breaches and attempted breaches.

It’s the first phase of the attacks that few notice, because it starts as a phishing email that attempts to get the login credentials for a privileged network user.

In many cases, the attack proceeds deliberately, perhaps hitting an employee who has access to information needed to get credentials with higher privileges. This continues until the hackers behind the phishing attack gain what they’re really after, the credentials for someone with complete access to the network.

These initial attacks may proceed slowly so that the people behind them can make sure that they’re getting the access they want without being detected. In many cases, those hackers work for governments, but they may also work for organized criminals. Patiently, they wait until they have the keys they want, then they quietly strike.

Analysing attacks

In most networks, even those with excellent perimeter defences and with well-configured intrusion detection systems, the first stages are missed because they operate at such a low level.

When they finally get the access they need, the hackers are careful so they don’t arouse suspicion. Eventually they are able to insert the malware or other means of getting the data that they want, at which point they can sit back and let it flow to them.

But if something interrupts the patient attempts to gain access, then the whole attack plan may be terminated because once the security staff knows what’s up, they’ll stop it. This is the role that European network security newcomer Balabit performs with a pair of products that work together to gather even the most subtle data and then analyze it for unexpected behavior.

The idea behind Balabit’s Blindspotter and Shell Control Box is that if you gather enough data and compare expected activity with the actual activity on a live network, it’s possible to tell whether someone who shouldn’t have a person’s credentials is using them, or whether a privileged user is abusing their access rights.

Network monitoring

The Balabit Shell Control Box is an appliance that monitors all network activity and records the activity of users, including all privileged users, right down to every keystroke and mouse movement. Because privileged users such as network administrators are a key target for breaches it can pay special attention to them.

The Blindspotter software sifts through the data collected by the Shell Control Box and looks for anything out of the ordinary. In addition to spotting things like a user coming into the network from a strange IP address or at an unusual time of day—something that other security software can do—Blindspotter not only analyzes what’s happening with each user, but is also able to spot what is not happening, in other words deviations from normal behavior.

For example, when a user who has been carrying out a specific set of tasks over time suddenly starts doing something else there’s cause for an alert.
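To make the behaviour-baselining idea concrete, here is an added example (not Balabit’s code, and not a reproduction of how Blindspotter actually works) that builds a per-user profile from a constructed session log and scores new events against it. The three signals it checks are the ones the article names: a source address outside the subnets the user normally comes from, a login at an hour the user has never been active, and a program the user has never run before. The log format, the weights and the alert threshold are all assumptions made for this illustration.

```python
"""Toy per-user behavioural baseline over privileged-user session logs.

Added illustration, not Balabit's code. The log lines, weights and
threshold below are constructed for the example.
"""
import csv
from collections import Counter, defaultdict
from datetime import datetime
from io import StringIO
from ipaddress import ip_interface

# Constructed training log: timestamp,user,source_ip,command
BASELINE_LOG = """\
2016-03-07T09:02:11,alice,10.0.1.23,systemctl restart nginx
2016-03-07T09:40:03,alice,10.0.1.23,tail /var/log/nginx/error.log
2016-03-08T10:15:47,alice,10.0.1.41,ssh web01
2016-03-08T14:22:09,alice,10.0.1.23,systemctl restart nginx
2016-03-09T16:58:30,alice,10.0.1.23,tail /var/log/nginx/error.log
2016-03-10T11:05:12,alice,10.0.1.41,ssh web02
2016-03-07T08:30:00,bob,10.0.2.5,git pull
2016-03-08T13:12:45,bob,10.0.2.5,docker ps
2016-03-09T15:45:21,bob,10.0.2.9,git pull
"""

# Constructed events to score: one normal, one suspicious, one mildly odd
NEW_EVENTS = """\
2016-03-14T10:05:00,alice,10.0.1.23,systemctl restart nginx
2016-03-14T03:12:40,alice,198.51.100.7,tar czf /tmp/backup.tgz /srv/data
2016-03-14T13:40:15,bob,10.0.2.5,useradd tmpsvc
"""

# Illustrative weights (assumed, not tuned): a foreign source subnet is
# weighted highest because it is the strongest hint of stolen credentials.
WEIGHTS = {"new_source": 3, "unusual_hour": 2, "novel_command": 2}
ALERT_THRESHOLD = 4


def parse(text):
    """Parse CSV log text into event dicts with datetime timestamps."""
    events = []
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        ts, user, src, cmd = row
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "cmd": cmd})
    return events


def subnet(ip):
    """Collapse an address to its /24 so a DHCP lease change is not 'new'."""
    return str(ip_interface(f"{ip}/24").network)


def build_baseline(events):
    """Per-user profile: source subnets, active hours (+/-1h), program names."""
    profile = defaultdict(lambda: {"subnets": Counter(), "hours": set(),
                                   "cmds": Counter()})
    for e in events:
        p = profile[e["user"]]
        p["subnets"][subnet(e["src"])] += 1
        h = e["ts"].hour
        # Tolerate neighbouring hours so 08:55 is not flagged for a 09:00 user
        p["hours"].update({(h - 1) % 24, h, (h + 1) % 24})
        # Compare by program name so 'ssh web02' is not novel after 'ssh web01'
        p["cmds"][e["cmd"].split()[0]] += 1
    return profile


def score_event(profile, e):
    """Return (score, reasons) for one event against its user's profile."""
    p = profile.get(e["user"])
    if p is None:
        # No history at all: treat as maximally suspicious
        return sum(WEIGHTS.values()), ["unknown_user"]
    reasons = []
    if subnet(e["src"]) not in p["subnets"]:
        reasons.append("new_source")
    if e["ts"].hour not in p["hours"]:
        reasons.append("unusual_hour")
    if e["cmd"].split()[0] not in p["cmds"]:
        reasons.append("novel_command")
    return sum(WEIGHTS[r] for r in reasons), reasons


def detect(baseline_text, new_text, threshold=ALERT_THRESHOLD):
    """Score every new event; return alerts as (user, timestamp, score, reasons)."""
    profile = build_baseline(parse(baseline_text))
    alerts = []
    for e in parse(new_text):
        score, reasons = score_event(profile, e)
        if score >= threshold:
            alerts.append((e["user"], e["ts"].isoformat(), score, reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect(BASELINE_LOG, NEW_EVENTS):
        print(alert)
```

Run as a script, the only alert raised is alice’s 03:12 session from 198.51.100.7 running a program she has never used, which scores on all three signals. Bob’s `useradd` is recorded as a novel command but, coming from his usual subnet during his usual hours, stays below the threshold; a real deployment would tune the weights, add more signals (keystroke cadence, session length, target hosts) and feed alerts to an analyst rather than acting on them automatically.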


Originally published on eWeek