How BalaBit adapted machine learning to secure privileged account 'blind spot'

24.06.2016
In an unassuming building on the outskirts of Budapest engineers working for small Hungarian security firm BalaBit have spent the last three years working on technology its makers are convinced can contain one of cybersecurity's most intractable woes.

In 2014 the relatively unknown firm launched a system called Blindspotter which, as its name suggests, gives its customers, mostly buyers in the finance and telco sectors, the ability to see things most networks barely acknowledge exist, let alone attempt to look for.

Blindspotter is designed to watch what network users are doing in a lot of detail, a boon for organisations that worry about user credentials being abused, either deliberately from within or by attackers who've somehow pilfered them. When used in conjunction with the firm's network proxy appliance, Shell Control Box (SCB), organisations suddenly have the ability to monitor their whole infrastructure using measurements of user behaviour rather than packets, ports and protocols.

The system's real intrigue isn't what it does - cybersecurity is already chock full of network monitoring in different forms - so much as how it does it. Most systems model known attacks' modus operandi and then try to spot them from within large amounts of innocent traffic, but Blindspotter is designed to look at patterns of behaviour associated with individual network accounts.

The platform's machine learning algorithms establish a baseline of behaviour for the accounts associated with each user over a training period from which anomalies should stand out while minimising the risk of false positives.

Significantly, all this happens in real time, with odd patterns scored and correlated as new actions are detected from that point onwards. This monitoring never stops. If a user suddenly accesses an unusual server over a protocol they've never used before, at a time of day when they should be asleep, that fact generates an alert to an admin and, in theory, to the user themselves via a direct message.

What about the reliability of admin accounts themselves? These are particularly dangerous in the wrong hands and yet figuring out when the credentials are being abused is haphazard today. A clutch of technologies exists to put the brakes on privilege abuse, such as centralised client-based least-privilege systems from companies such as Avecto and BeyondTrust (which can also limit admins) as well as more involved policy-based designs from CyberArk.

BalaBit's deceptively simple answer is to proxy everything through a network server, the Shell Control Box, which focusses on key protocols such as SSH and RDP, recording sessions in a way that creates an audit trail complete with 'movie-like' video replay of console screens including every command executed. As well as aiding forensic investigation after the event, SCB is ideal for companies that must offer access to their networks to external third parties.

Even with two-factor authentication, monitoring such privileged accounts is critical - ask Target or Home Depot what it meant to simply trust an account because it had been accessed using the correct credentials.

What marks BalaBit's design out from rivals is the idea that networks must move from a system of control based on static access approved by authentication events to one in which users - including admins themselves - can be kicked off if their actions breach certain thresholds. It's as if users are constantly authenticating themselves without ever achieving unconditional trust.

If this is the future, then it will be a world that comes with new complications of its own. Using behavioural monitoring and proxies offers the ability to monitor accounts in a global way rather than through the fragmented mess of systems used today. It still represents a major cultural change and requires admins to set the thresholds that won't generate an overload of false positives. There also has to be a model for response, be that termination of a user account or an immediate forensic investigation. Not everyone will find that easy to build into network control because it implies a lot of hands-on review.
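The mechanism the article describes, a per-account baseline learned over a training period, a novelty score for each new session, a threshold that decides whether an admin is alerted, and continuous refinement of the baseline from sessions judged routine, can be sketched in a few dozen lines. The following is an added illustration, not BalaBit's code and not how Blindspotter scores anything; the three features (target server, protocol, hour-of-day band), the "surprise" metric, the 0.6 threshold and the session records are all constructed assumptions for the example.

```python
"""Illustrative per-account behavioural baseline with anomaly scoring.

Added example; not BalaBit's or Blindspotter's code. Features, scoring
rule, threshold and sample sessions are all constructed assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Session:
    """One proxied session as a session-recording proxy might log it."""
    user: str
    server: str
    protocol: str
    hour: int          # local hour of day, 0-23


def hour_band(hour: int) -> str:
    """Collapse the hour into a coarse band so ordinary jitter is not 'novel'."""
    if 0 <= hour < 6:
        return "night"
    if hour < 12:
        return "morning"
    if hour < 18:
        return "afternoon"
    return "evening"


class AccountBaseline:
    """Frequency counts of what one account normally does."""

    def __init__(self) -> None:
        self.n = 0
        self.servers: Counter = Counter()
        self.protocols: Counter = Counter()
        self.bands: Counter = Counter()

    def observe(self, s: Session) -> None:
        self.n += 1
        self.servers[s.server] += 1
        self.protocols[s.protocol] += 1
        self.bands[hour_band(s.hour)] += 1

    def _surprise(self, counter: Counter, value: str) -> float:
        # 1.0 for a value never seen for this account, falling towards 0
        # the more often the account has used it
        return 1.0 - counter[value] / self.n

    def score(self, s: Session) -> float:
        """0.0 = entirely routine, 1.0 = every feature is new for this account."""
        if self.n == 0:
            return 1.0     # no baseline yet: treat the session as fully unknown
        parts = (
            self._surprise(self.servers, s.server),
            self._surprise(self.protocols, s.protocol),
            self._surprise(self.bands, hour_band(s.hour)),
        )
        return sum(parts) / len(parts)


class BehaviourMonitor:
    """Holds one baseline per account and applies the alert threshold."""

    def __init__(self, alert_threshold: float = 0.6) -> None:
        self.threshold = alert_threshold
        self.baselines: Dict[str, AccountBaseline] = defaultdict(AccountBaseline)

    def train(self, sessions: Iterable[Session]) -> None:
        """Training period: every session is assumed benign and counted."""
        for s in sessions:
            self.baselines[s.user].observe(s)

    def check(self, s: Session) -> Tuple[float, bool]:
        """Score a live session; sessions below threshold keep refining the baseline."""
        score = self.baselines[s.user].score(s)
        alert = score >= self.threshold
        if not alert:
            self.baselines[s.user].observe(s)   # monitoring never stops
        return round(score, 3), alert


# Constructed sample: ten routine SSH sessions for one admin during office hours.
TRAINING_SESSIONS: List[Session] = [
    Session("alice", "web01", "ssh", h) for h in (9, 10, 11, 9, 10)
] + [
    Session("alice", "web02", "ssh", h) for h in (14, 15, 16, 14, 15)
]


def demo() -> Dict[str, Tuple[float, bool]]:
    """Train on the sample, then check three constructed live sessions in order."""
    monitor = BehaviourMonitor(alert_threshold=0.6)
    monitor.train(TRAINING_SESSIONS)
    probes = {
        "routine":    Session("alice", "web01", "ssh", 10),      # all familiar
        "new_server": Session("alice", "db-backup", "ssh", 10),  # one new feature
        "all_new":    Session("alice", "db-backup", "rdp", 3),   # new server, protocol, hour
    }
    return {name: monitor.check(s) for name, s in probes.items()}


if __name__ == "__main__":
    for name, (score, alert) in demo().items():
        print(f"{name:11s} score={score:.3f} alert={alert}")
```

Run in this order, the routine session scores about 0.33 and the fully novel one about 0.97, so only the latter crosses the 0.6 threshold. The middle case is the tuning problem the article raises: a first-time connection to a new server at a normal hour scores below threshold, is treated as routine and is folded into the baseline, so a later session to that server looks slightly less unusual. Where that line sits, and what happens once an alert fires, is exactly the threshold-setting and response-model work described above.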

Blindspotter is another example of the way machine learning is finding its way into more and more security products, usually to detect classes of anomaly that humans would either not be able to spot or would simply take too long to notice.

It also stands as a model of networks in which network users can never really be trusted at face value, no matter how much authentication is in place. Even the best authentication can be fooled, but behaviour will always be a final line of defence, the last moment before something changes from normal to abnormal. This is the world organisations must now adapt to or face the risk of becoming the next Target.

(www.computerworlduk.com)

By John E Dunn
