Base system (platform): | BalaBit CSI Suite (Contextual Security Intelligence) |
Developer: | BalaBit IT Security |
System launch date: | 2015/07/13 |
Last release date: | 2016 |
Technology: | Information security - Antivirus, Firewall; Information security - Fraud detection systems; Information security - Security information and event management (SIEM) |
Blindspotter is a monitoring tool for detecting suspicious user activity. It analyzes user behavior in real time: by collecting data on user actions, the system can detect suspicious events in IT systems.
Blindspotter is a key component of the Contextual Security Intelligence (CSI) Suite. It is combined with a system for collecting, storing and processing text logs (Log Management) and with tools for controlling and video-recording the actions of privileged users (Privileged User Monitoring). Blindspotter can also process data from SIEM and IAM systems, LDAP/AD directories, cloud applications and other information sources. Working together with Blindspotter, CSI Suite helps cut costs, supports regulatory compliance checks, and protects the continuity and stability of business processes against information security risks.
2016
Blindspotter version 2016.03
In March 2016, Balabit, a contextual information security vendor known as the creator of syslog-ng and Shell Control Box, announced the release of Blindspotter version 2016.03 at the RSA 2016 conference in San Francisco.
This version of the User Behavior Analytics system includes several new, unique machine learning algorithms that help the information security department quickly recognize compromised accounts or discover that an account has been handed over to someone else without authorization, which helps avoid large-scale data leaks. Blindspotter not only reveals previously unknown threats but also visualizes them precisely, allowing organizations to considerably reduce the time needed to detect, investigate and respond to internal and external attacks.
"In addition to the existing set of several complex machine learning algorithms, the new release of Blindspotter improves the functionality for monitoring and analyzing user behavior: a feature for identifying automated activity on personal accounts has been added, and biometric analysis of the employee's keystroke dynamics and mouse movement is performed," notes Peter Gjoengoeschi, Blindspotter product manager at Balabit. "Blindspotter allows chief information officers and information security specialists to get a complete and unique visualization of events in the IT infrastructure. By better understanding how IT services are used by particular employees or user groups, managers can obtain instant and tangible information for taking action. In general, Blindspotter improves the properties and capabilities of the company's existing cybersecurity solutions, helping to optimize IT resources and increase the efficiency of business processes."
Key features of Blindspotter version 2016.03:
- Detection of system accounts used by a person and personal accounts used in scripts. System accounts that employees work under, shared accounts, and personal accounts used in scripts are considered a potential information security risk in any company. When an attacker gains access to credentials used in a script (especially for accounts that perform administrative tasks), this can lead to large-scale leakage or destruction of data. Blindspotter can distinguish human actions from automated operations, which allows the information security team to detect misuse of personal or service accounts.
- Analysis of the content displayed on the screen. Building on the capabilities of Balabit Shell Control Box, one of the market leaders in user activity control and monitoring, Blindspotter can analyze the commands used in the SSH and Telnet protocols and find potentially risky operations. Starting with version 2016.03, detection of risky operations also extends to users of Windows operating systems (regular, privileged or corporate) who connect to corporate systems over the Remote Desktop Protocol (RDP). By analyzing the text shown on the screen in graphical protocols, compromised accounts and malicious insiders can now be found in Windows environments as well.
- Biometric analysis of user input. The way we work on our computers is part of our digital fingerprint: characteristic keystroke dynamics and mouse movement identify us just as a signature on a document does. The latest version of Blindspotter can analyze and compare the signatures of mouse movement and keystrokes, detecting cases when an account is used by someone other than the verified user. Biometric analysis provides a new method of authentication: it relies on who the user actually is and does not trust only the fact that the account password was verified successfully. Instead of a single password check at the start of the session, the user's identity is analyzed continuously throughout the session. These capabilities help the information security team avoid large-scale data leaks and stay compliant by quickly detecting compromised accounts or unauthorized handover of an account to another person, even if attackers managed to pass the first stage, user authentication in the system.
2015
On July 13, 2015 BalaBit announced the start of sales of Blindspotter. The product is designed to help organizations reduce the impact of targeted threats (APT), detect malicious internal activity, and speed up the investigation of any suspicious actions.
[Figure: Blindspotter user activity analysis, 2014]
Blindspotter tracks and visualizes user activity in real time, which gives companies a better understanding of what is really happening on the network. The solution collects and analyzes user-related events as well as the user's activity within a working session, recorded in real time or with minimal delay. It then compares each action with the corresponding baseline (typical behavior) of the user to detect anomalies in behavior, for example logins to an administrator account at hours that are atypical for that administrator.
Blindspotter can also detect anomalies at the command level, when a command differs from the standard command set used by the administrator. In this case, the product sends an alert to the security team. When suspicious factors are present in the operation of IT systems, Blindspotter can also take measures automatically to minimize the threat.
The product was developed with today's key security concerns in mind and can warn companies about the following important threats:
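The baseline comparison described above (activity at atypical hours, commands outside the administrator's usual set) can be illustrated with a small per-user profile. This is an added example, not Balabit's algorithm or code; the event format, function names, sample history and the 5% threshold are all assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed history: (user, hour_of_day, command). admin1 works 08:00-17:59.
HISTORY = [("admin1", h, c) for h in range(8, 18)
           for c in ("ls -l", "systemctl status nginx", "tail -f /var/log/syslog")]

def program(command):
    """First token of a command line, or '' for an empty line."""
    parts = command.split()
    return parts[0] if parts else ""

def build_baseline(events):
    """Per-user profile: histogram of active hours and set of programs run."""
    profile = defaultdict(lambda: {"hours": Counter(), "programs": set(), "n": 0})
    for user, hour, command in events:
        p = profile[user]
        p["hours"][hour] += 1
        p["programs"].add(program(command))
        p["n"] += 1
    return dict(profile)

def hour_share(p, hour, window=1):
    """Share of baseline activity within +/- window hours, wrapping at midnight."""
    near = sum(p["hours"][(hour + d) % 24] for d in range(-window, window + 1))
    return near / p["n"]

def score_event(profile, event, min_share=0.05):
    """Return the reasons this event deviates from the user's baseline."""
    user, hour, command = event
    if user not in profile:
        return ["no baseline for user"]
    p = profile[user]
    reasons = []
    if hour_share(p, hour) < min_share:      # assumed threshold, tune per site
        reasons.append(f"atypical hour {hour:02d}:00")
    if program(command) not in p["programs"]:
        reasons.append(f"program not in baseline: {program(command)}")
    return reasons

if __name__ == "__main__":
    profile = build_baseline(HISTORY)
    for ev in [("admin1", 10, "ls /etc"), ("admin1", 3, "scp dump.sql backup:")]:
        print(ev, "->", score_event(profile, ev) or "ok")
```

The one-hour window keeps activity just outside the usual working hours from alerting, while a session in the middle of the night or a program the user has never run is reported with the reason attached.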
- Detection of compromised user accounts
  - The actions of an attacker who has taken control of an account will differ considerably from those of the normal user; an outside attacker will try to map the IT system by accessing different systems and the services available on them, or will start downloading large volumes of data that may be useful to them.
- Detection of abuse of privileges
  - Blindspotter can record attempts by a highly privileged user to steal company data, or to gain access in order to copy or change important company data that the user does not need for work. In this way, an information leak can be prevented.
- Detection of misuse of automated accounts
  - Automated accounts are, as a rule, created by administrators to repeat routine tasks, such as database backups or restarting individual services overnight. Automated accounts make administrators more efficient; however, administrators take on a risk when they use their own accounts to simplify the work. This in turn is a major threat to the company's security: if an attacker compromises a script, they obtain not only the system administrator's account data but also access to all services available to that account. Blindspotter allows accounts used by people and accounts used for automated work to be configured separately.
- Analysis of screen content
  - When used in combination with Shell Control Box, Blindspotter can analyze the content of the user's screen, including the user's commands, the applications in use, and any text data appearing on the monitor. This makes it possible to detect any obvious signs of targeted threats or serious abuse of privileges.
Zoltan Djyorku (Zoltán Györkő), the CEO of BalaBit, said: "For most companies, security risk can come not only from outside. It can be an experienced hacker who has gained access to an internal account, but also a malicious insider among the employees trying to steal important corporate data. Previously, detecting internal threats was a very difficult task. Blindspotter was developed specifically to close this gap in security and protect critical data without slowing down daily business processes."