Traditional IT security products and techniques rely on some form of pattern-based technology to prevent, detect, and stop attacks. These tools, whether preventive products such as anti-virus software or monitoring solutions such as IDS and SIEM, ship with built-in knowledge of attack vectors, sometimes extended with simple heuristics. The patterns are either supplied by the vendor or created by the IT security team; in both cases the products can only detect events or attacks that they already recognize. Heuristics can extend these tools to catch polymorphic viruses or previously unseen variants of known attacks, but they cannot address genuinely unknown attack techniques, because it is not feasible, or simply not possible, to write heuristics or "universal" patterns for cases that have never been observed.
"By 2018, organizations that monitor and analyze a broad spectrum of employee activities will experience 50% fewer insider data breaches than organizations that monitor internal communications only."
Source: Gartner - Market Guide for Employee-Monitoring Products and Services (25/02/2015)
By applying several different machine learning algorithms, Blindspotter detects unusual behavior: anomalies that no pre-written pattern could describe. The algorithms work autonomously and learn each user's normal behavior. In this way they cover the blind spots of legacy technologies, and they do not merely flag an anomaly but also explain why a spotted activity is considered anomalous. Blindspotter collects user-related events and user session activity in real time or near real time, then compares each action against the baseline of the user and of the user's peers to spot deviations in behavior. Malicious user activity can look completely normal from one point of view and only stand out from another, so detecting it may require a particular perspective. By combining multiple algorithms, Blindspotter can examine each action from many perspectives and detect anomalies that would otherwise remain hidden.
Once an unusual activity or anomaly is detected, Blindspotter can react automatically. Automatic reaction matters for two reasons: it provides a real-time response, and it automates and supports the investigation process. Automated responses can also significantly reduce the time an attacker has before any countermeasure is taken. In most attack scenarios, the high-impact event is preceded by a reconnaissance phase, and detection and response during that phase are critical to preventing further high-impact activity. Unusual activity can also be confirmed with the users themselves: the account owner is notified and asked to confirm the activity. This method can increase both the speed and the accuracy of detecting identity theft.
"The mean time to identify a data breach is 206 days. This number is even higher, 256 days, for those data breaches that were caused by a malicious or criminal attack."
Source: Ponemon Institute 2015 Cost of Data Breach Study
To give a clearer picture of what is going on in the IT system and to focus the security team's attention on the information that matters, Blindspotter provides a prioritized list of activities, ranking the most interesting or risky activity at the top. This way, security personnel can spend their time investigating the genuinely important events instead of being overloaded with notifications and alarms.
Unusual activity by risky users is the most important. Unusual activity of lower-risk users may also be worth investigating, but only after the higher-risk activity has been handled. Likewise, being aware of even mildly unusual activity by high-risk users is valuable. This "risk-aware" scoring yields a single importance score for each activity, so that all activity can be compared on a large scale.
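The two ideas above, comparing each action against the baseline of the user and of the user's peers from more than one perspective, and then weighting the resulting anomaly by the user's risk level to produce one sortable importance score, can be illustrated with a small scoring engine. The code below is an added example, not Blindspotter's own code or algorithm: the event fields, the "hour of day" and "host" perspectives, the department-as-peer-group assumption, the risk weights and the sample events are all constructed for the illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    user: str
    dept: str   # peer group; assumption: users in the same department are peers
    hour: int   # hour of day, 0-23
    host: str   # system the user accessed


# Constructed baseline period (not real telemetry): what each user normally does.
HISTORY = [
    Event("alice", "eng", 9, "git01"), Event("alice", "eng", 10, "git01"),
    Event("alice", "eng", 11, "build01"), Event("alice", "eng", 14, "git01"),
    Event("bob", "eng", 9, "git01"), Event("bob", "eng", 13, "wiki01"),
    Event("bob", "eng", 17, "git01"),
    Event("carol", "ops", 8, "db01"), Event("carol", "ops", 9, "bastion01"),
    Event("carol", "ops", 10, "db01"),
]

# Constructed risk weights, e.g. from privilege level: carol is a high-risk admin.
USER_RISK = {"alice": 0.3, "bob": 0.3, "carol": 1.0}


def build_baselines(history):
    """Learn per-user hour and host profiles and per-peer-group host profiles."""
    user_hours = defaultdict(Counter)
    user_hosts = defaultdict(Counter)
    dept_hosts = defaultdict(Counter)
    for e in history:
        user_hours[e.user][e.hour] += 1
        user_hosts[e.user][e.host] += 1
        dept_hosts[e.dept][e.host] += 1
    return user_hours, user_hosts, dept_hosts


def anomaly_score(event, baselines):
    """Return 0.0 (routine) .. 1.0 (unseen for this user and for their peers)."""
    user_hours, user_hosts, dept_hosts = baselines
    hours = user_hours[event.user]
    # Perspective 1: time of day, relative to the user's own busiest hour.
    # An unknown user (no history) is maximally unusual.
    peak = max(hours.values()) if hours else 0
    hour_score = 1.0 - (hours[event.hour] / peak) if peak else 1.0
    # Perspective 2: host. Seen by the user: routine. Seen only by peers:
    # plausibly legitimate, half weight. Seen by nobody in the group: unusual.
    if user_hosts[event.user][event.host] > 0:
        host_score = 0.0
    elif dept_hosts[event.dept][event.host] > 0:
        host_score = 0.5
    else:
        host_score = 1.0
    # Take the strongest perspective so a clear signal is not diluted by a
    # perspective from which the action looks normal.
    return max(hour_score, host_score)


def importance(event, baselines, user_risk):
    """Risk-aware score: how unusual the action is, weighted by who did it."""
    anomaly = anomaly_score(event, baselines)
    risk = user_risk.get(event.user, 0.5)   # unknown users get a middle weight
    return round(anomaly * risk, 3)


def prioritize(events, baselines, user_risk):
    """Return (score, event) pairs, most important first."""
    scored = [(importance(e, baselines, user_risk), e) for e in events]
    return sorted(scored, key=lambda pair: pair[0], reverse=True)


# Constructed "today" events to rank against the baseline.
TODAY = [
    Event("alice", "eng", 10, "git01"),    # routine
    Event("alice", "eng", 3, "db01"),      # odd hour, host unknown to eng
    Event("carol", "ops", 9, "build01"),   # admin touching a host ops never uses
    Event("bob", "eng", 13, "build01"),    # new for bob, but alice uses it
    Event("carol", "ops", 10, "db01"),     # routine
]

if __name__ == "__main__":
    for score, e in prioritize(TODAY, build_baselines(HISTORY), USER_RISK):
        print(f"{score:5.3f}  {e.user:6} {e.hour:02d}:00 {e.host}")
```

Multiplying anomaly by risk is what produces the ordering the text describes: carol's action is only one new host, yet it ranks above alice's far stranger 03:00 access because carol's account carries more risk, while bob's action, which his peers make look plausible, lands below both. In practice the baseline would be rebuilt continuously from fresh events, and the score threshold for an automated response would be set from the observed score distribution rather than fixed in code.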