Blindspotter, unveiled in October 2014, is a real-time user behaviour analytics monitoring tool designed to identify any malicious activity throughout IT systems and help speed up the investigation of any suspicious activity.
The tool collects and analyses user-related events and user session activity in real time or near real time, comparing every action to a baseline of activity by users and their peers to spot anomalous behaviour.
It also tracks and visualises user activity to provide organisations with a better understanding of what is happening on their network.
Blindspotter is even capable of detecting abnormality at the level of issued commands. This means that if a system administrator uses a command outside the generally used command set, Blindspotter will alert the security team.
According to Balabit’s Hungary-based developers, Blindspotter integrates a variety of contextual information in addition to standard log data and processes them using a unique set of algorithms.
This means Blindspotter is able to detect hijacked user accounts because the activities of an attacker who has compromised a legitimate account will differ significantly from a normal user’s activity.
External attackers will typically try to map the IT system by accessing various servers to probe for available services or download a large amount of data, which would be of value to them. Blindspotter is able to detect and alert security analysts to deviations of this kind.
But Balabit has designed the tool to offer a wide range of outputs to enable automatic interventions to limit the impact of threats, as well as issue warnings or alerts.
The tool is also able to detect whether a user with high-privilege rights has attempted to steal, copy or modify sensitive company data that is not related to their role. In this way a data breach can be prevented.
Blindspotter can also detect deviations in the behaviour of automated system accounts. Administrators typically create such accounts to repeat regular tasks such as backing up the database or restarting certain services overnight. These accounts make administrators' jobs more efficient, but in many cases administrators take the risk of running the scripts under their own credentials. This is a security risk because if the script is compromised, the attacker also gains all of the administrator's access rights. Blindspotter is designed to distinguish between activity generated by automated jobs and activity generated by the administrators themselves.
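The two detection ideas described above, comparing each issued command against the user's own baseline and against the peer group's baseline, and separating scheduled-job activity from interactive use of the same account, can be illustrated with a small script. This is an added example, not Balabit's code and not how Blindspotter is implemented; the session events, user names and peer groups are constructed, and the "automated" heuristic (near-identical time of day across runs) is a deliberate simplification.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample events, one per issued command:
# (user, peer group, ISO timestamp, command). Not real product data.
BASELINE_EVENTS = [
    ("alice", "dba", "2014-10-01T02:00:03", "pg_dump"),
    ("alice", "dba", "2014-10-02T02:00:01", "pg_dump"),
    ("alice", "dba", "2014-10-03T02:00:05", "pg_dump"),
    ("alice", "dba", "2014-10-03T09:15:10", "psql"),
    ("bob", "dba", "2014-10-01T10:05:00", "psql"),
    ("bob", "dba", "2014-10-02T11:40:12", "vacuumdb"),
    ("carol", "sysadmin", "2014-10-01T08:30:00", "systemctl"),
    ("carol", "sysadmin", "2014-10-02T17:12:45", "journalctl"),
]


def build_baselines(events):
    """Count which commands each user and each peer group has issued so far."""
    per_user = defaultdict(Counter)
    per_group = defaultdict(Counter)
    for user, group, _ts, cmd in events:
        per_user[user][cmd] += 1
        per_group[group][cmd] += 1
    return per_user, per_group


def classify_command(user, group, cmd, per_user, per_group):
    """'known' if the user has issued it before, 'peer' if only the peer
    group has, 'novel' if nobody in the group has (worth an alert)."""
    if per_user[user][cmd]:
        return "known"
    if per_group[group][cmd]:
        return "peer"
    return "novel"


def review_session(user, group, commands, events):
    """Label every command of a new session against the historical baseline."""
    per_user, per_group = build_baselines(events)
    return [(cmd, classify_command(user, group, cmd, per_user, per_group))
            for cmd in commands]


def looks_automated(timestamps, max_spread_seconds=60.0):
    """Heuristic (assumption, not the product's method): a command that runs
    at almost the same time of day on several days looks like a scheduled job."""
    if len(timestamps) < 3:
        return False
    seconds_of_day = []
    for raw in timestamps:
        t = datetime.fromisoformat(raw)
        seconds_of_day.append(t.hour * 3600 + t.minute * 60 + t.second)
    return pstdev(seconds_of_day) <= max_spread_seconds


def split_account_usage(events, user):
    """Partition one account's commands into scheduled-looking and
    interactive-looking use, so each can get its own baseline."""
    by_cmd = defaultdict(list)
    for u, _g, ts, cmd in events:
        if u == user:
            by_cmd[cmd].append(ts)
    return {cmd: ("automated" if looks_automated(ts_list) else "interactive")
            for cmd, ts_list in by_cmd.items()}


if __name__ == "__main__":
    # A new session on alice's account: one familiar command, one that only
    # her peers use, and one that nobody in the group has issued before.
    for cmd, label in review_session("alice", "dba", ["pg_dump", "vacuumdb", "scp"], BASELINE_EVENTS):
        print(f"{cmd:10s} {label}")
    print(split_account_usage(BASELINE_EVENTS, "alice"))
```

In practice the baseline would be built from weeks of session data and the "novel" label would be weighted by how often the command appears across the whole organisation; the point of the split in `split_account_usage` is that a nightly `pg_dump` run under an administrator's credentials should not make that command "normal" for the administrator's interactive sessions.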
While Blindspotter is a standalone tool, it can be used in conjunction with Balabit’s Premium Edition syslog-ng log management software and Shell Control Box privileged activity monitoring appliance. Together, these can analyse screen content, including issued commands, the applications used and any textual data that appears on the screen. This enables the detection of anomalies that are the obvious signs of an APT attack or a serious misuse of privilege.
Another key aim of the tool is to help organisations cut the processing and storage costs associated with handling the logs being produced by the IT infrastructure. It does this by prioritising the logs to allow IT security teams to optimise the use of their resources.
“The reality for most organisations is that security threats already lurk inside their perimeter, whether it’s a sophisticated external attacker who has gained access to an internal account or a malicious insider attempting to steal data,” said Zoltán Györkő, chief executive of Balabit.
“In the past, spotting attacks from within the perimeter has been notoriously difficult. Blindspotter is designed to close this security gap and protect critical data without slowing down a business’s day-to-day operations,” he said.
Blindspotter adds behaviour analytics to log management and privileged user monitoring to round out Balabit’s portfolio in line with the company’s contextual security intelligence concept. This is aimed at enabling companies to use real-time analysed monitoring information in security decisions to increase business efficiency, instead of over-controlling their users.
BalaBit was founded in 2000 and has a long track record as the developer of syslog-ng, an open source log management tool with more than a million corporate users worldwide. BalaBit’s product development, including Blindspotter, has accelerated since the London-based C5 Capital invested $8m in the company in June 2014.