
How BalaBit adapted machine learning to secure privileged account 'blind spot'

John E Dunn | June 27, 2016
How Hungarian newcomer BalaBit is using machine learning to secure risky privileged accounts

In an unassuming building on the outskirts of Budapest, engineers working for small Hungarian security firm BalaBit have spent the last three years working on technology its makers are convinced can contain one of cybersecurity's most intractable woes.

In 2014 the relatively unknown firm launched a system called Blindspotter which, as its name suggests, gives its customers, mostly finance and telco sector buyers, the ability to see things most networks barely acknowledge as existing, let alone attempt to look for.

Blindspotter is designed to watch what network users are doing in a lot of detail, a boon for organisations that worry about user credentials being abused, either deliberately from within or by attackers who've somehow pilfered them. When used in conjunction with the firm's network proxy appliance, Shell Control Box (SCB), organisations suddenly have the ability to monitor their whole infrastructure using measurements of user behaviour rather than packets, ports and protocols.

The system's real intrigue isn't what it does - cybersecurity is already chock full of network monitoring in different forms - so much as how it does it. Most systems model the modus operandi of known attacks and then try to spot them within large amounts of innocent traffic, but Blindspotter is designed to look at patterns of behaviour associated with individual network accounts.

The platform's machine learning algorithms establish a baseline of behaviour for the accounts associated with each user over a training period from which anomalies should stand out while minimising the risk of false positives.

Significantly, all this happens in real time, with odd patterns scored and correlated as new actions are detected from that point onwards. This monitoring never stops. If a user suddenly accesses an unusual server over a protocol they've never used before, at a time of the day they should be asleep, that fact generates an alert to both an admin and, in theory, the user themselves using a direct message.
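A minimal sketch of the per-account baselining described above, added here as an illustration: it is not BalaBit's algorithm or code. The chosen features (server, protocol, four-hour time bucket), the surprisal-based scoring, the 8-bit threshold and all sample sessions are assumptions constructed for the example.

```python
import math
from collections import Counter, defaultdict

FEATURES = ("server", "protocol", "hour_bucket")
THRESHOLD_BITS = 8.0  # assumed alerting cut-off, tune per environment

def features(server, protocol, hour):
    # Four-hour buckets so 09:00 and 10:00 count as the same habit.
    return (server, protocol, hour // 4)

class AccountBaseline:
    def __init__(self):
        # user -> feature name -> Counter of values seen in training
        self.counts = defaultdict(lambda: {f: Counter() for f in FEATURES})

    def train(self, user, server, protocol, hour):
        for name, value in zip(FEATURES, features(server, protocol, hour)):
            self.counts[user][name][value] += 1

    def score(self, user, server, protocol, hour):
        """Summed surprisal in bits; None if the account has no baseline."""
        if user not in self.counts:
            return None
        bits = 0.0
        for name, value in zip(FEATURES, features(server, protocol, hour)):
            seen = self.counts[user][name]
            # Add-one smoothing with one extra slot for never-seen values.
            p = (seen[value] + 1) / (sum(seen.values()) + len(seen) + 1)
            bits -= math.log2(p)
        return bits

def flag(baseline, sessions, threshold=THRESHOLD_BITS):
    """Return (session, score) pairs whose score exceeds the threshold."""
    scored = [(s, baseline.score(*s)) for s in sessions]
    return [(s, b) for s, b in scored if b is not None and b > threshold]

# Constructed training data: alice uses SSH to db01 during office hours.
baseline = AccountBaseline()
for day in range(20):
    baseline.train("alice", "db01", "ssh", 9 + day % 8)

# Constructed live sessions: one routine, one matching the article's scenario.
LIVE = [("alice", "db01", "ssh", 10), ("alice", "hr-fs03", "rdp", 3)]

if __name__ == "__main__":
    for session, bits in flag(baseline, LIVE):
        print(f"ALERT {session} score={bits:.1f} bits")
```

Accounts with no training data return `None` rather than a score, so a new account is handled as "no baseline yet" instead of being silently treated as normal.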

What about the reliability of admin accounts themselves? These are particularly dangerous in the wrong hands and yet figuring out when the credentials are being abused is haphazard today. A clutch of technologies exists to put the brakes on privilege abuse, such as centralised client-based least-privilege systems from companies such as Avecto and BeyondTrust (which can also limit admins) as well as more involved policy-based designs from CyberArk.

BalaBit's deceptively simple answer is to proxy everything through a network server, the Shell Control Box, which focusses on key protocols such as SSH and RDP, recording sessions in a way that creates an audit trail complete with 'movie-like' video replay of console screens including every command executed. As well as aiding forensic investigation after the event, SCB is ideal for companies that must offer access to their networks for external third parties.

 
