Users in an IT environment leave digital footprints in the system. Blindspotter collects these footprints from different sources to build up a behavior profile. After having the data it uses special data science algorithms to add more value to the information, to transform this mass of data into actionable intelligence. To achieve this, it does not rely on a single algorithm rather utilizes several different ones to look at the data from different angles and combines their results to create the continuously adjusted user behavior profiles.Schedule a call
Blindspotter doesn’t require setting up and maintaining patterns of "known bad" behavior. What's more, it also does not require any additional probes or agents to be deployed, it uses data that is already available and is already being collected. Blindspotter identifies "normal" behavior and detects deviations from that normal baseline by using various machine learning algorithms.
Blindspotter is analyzing the fetched data in real-time by the implemented machine learning algorithms. Using the gathered data it establishes a profile for all users and starts comparing activities to that baseline immediately and continuously.
Blindspotter categorizes events and highlights the most suspicious ones where both the risk factor of the user and the deviation level are high. It provides a dashboard and an analytic UI to alert security analysts about these suspicious activities and also to allow them to investigate the issues in more details. This prioritization helps them to reduce the noise of security alerts.
Blindspotter not only analyzes the gathered data and alert the security team if something strange happens, but it is able to implement automated reactions if it is needed, such as blocking the connection of the user, or by involving human intelligence for a more detailed assessment.
Blindspotter uses data that is already available and is already being collected in the system, including data of log management systems, SIEMs, PAM solutions, LDAP or Active Directory. Due to its pluggable architecture it is easy to integrate any kind of additional, custom data sources if that’s where the most relevant information can be found, such as special financial or CRM software.
Blindspotter increases the effectiveness of security teams, allowing them to see malicious activity happening "under the radar." It perfectly cooperates with SIEM solutions, able to use the logs collected by them and prioritize the security alerts based on the user behavior profiles.
"While security information and event management (SIEM) supports activity monitoring with user context, UBA technologies augment SIEM by enabling more effective exception monitoring"
Source: Market Guide for User Behavior Analytics, Gartner, 25 August 2014
"The mean time to identify a data breach is 206, while the mean time to contain is 69 days."
Source: 2015 Cost of Data Breach Study: Global Analysis, Ponemon Institute, May 2015
Blindspotter significantly speeds up the investigation of any suspicious activity, as it shows not only the user details, but the full context of the alert as well, including why Blindspotter does think the activity is unusual and suspicious. This way Blindspotter significantly decreases the burden of false positive alerts for security analysts.
As Blindspotter is able to ingest data not only from logs, but from various other sources as well, it provides much deeper, unmatched insight about the operation of the enterprises' IT infrastructure, than existing SIEM solutions. In cooperation with Shell Control Box - the activity monitoring appliance of Balabit - it is able to analyse the screen content of the monitored users, including the issued commands and applied software or virtually any textual data that appears on the screen. Blindspotter enriches the behavior profiles of the users with this unique information. This way Screen Content Analysis significantly facilitates the detection of anomalies, which are the obvious signals of an APT-attack or a serious misuse of privilege.
"2014 had an all-time high of 24 discovered zero-day vulnerabilities. Attackers moved in to exploit these vulnerabilities much faster than vendors could create and roll out patches. The top five zero-days of 2014 were actively used by attackers for a combined 295 days before patches were available."
Source: Symantec, Internet Security Threat Report, April 2015, Volume 20
Today's traditional security solutions are unable to provide effective defense against APTs and 0-day threats. Blindspotter was designed to detect anomalies in an IT system, which can be the best signals of such an attack. Based on the continuously adjusted user behavior profiles, Blindspotter immediately perceives a strange activity and alerts the security analysts who would otherwise miss the attack.