How BalaBit adapted machine learning to secure privileged account 'blind spot'

How Hungarian newcomer BalaBit is using machine learning to secure risky privileged accounts

In an unassuming building on the outskirts of Budapest engineers working for small Hungarian security firm BalaBit have spent the last three years working on technology its makers are convinced can contain one of cybersecurity's most intractable woes.

In 2014 the relatively unknown firm launched a system called Blindspotter which, as its name suggests, gives its customers mostly in finance and telco sector buyers the ability to see things most networks barely acknowledge as existing let alone attempt to look for.

Blindspotter is designed to watch what network users are doing in a lot of detail, a boon for organisations that worry about user credentials being abused, either deliberately from within by attackers who've somehow pilfered them. When used in conjunction with the firm's network proxy appliance, Shell Control Box (SCB), organisations suddenly have the ability to monitor their whole infrastructure using measurements of user behaviour rather than packets, ports and protocols.

The system's real intrigue isn't what it does - cybersecurity is already chock full of network monitoring in different forms - so much as how it does it. Most systems model known attacks modus operandi and then try and spot them from within large amounts of innocent traffic but Blindspotter is designed to look at patterns of behaviour associated with individual network accounts.

The platform's machine learning algorithms establish a baseline of behaviour for the accounts associated with each user over a training period from which anomalies should stand out while minimising the risk of false positives.

Significantly, all this happens in real time, with odd patterns scored and correlated as new actions are detected from that point onwards. This monitoring never stops. If an admin is alerted to a user suddenly accessing an unusual server over a protocol they've never used before, at a time of the day they should be asleep, that fact generates an alert to both an admin and, in theory, the user themselves using a direct message.

What about the reliability of admin accounts themselves? These are particularly dangerous in the wrong hands and yet figuring out when the credentials are being abused is haphazard today. A clutch of technologies exists to put the brakes on privilege abuse such as centralised least client-based privilege systems from companies such as Avecto and BeyondTrust (which can also limit admins) as well as more involved policy-based designs from CyberArk.

BalaBit's deceptively simple answer is to proxy everything through a network server, the Shell Control Box, which focusses on key protocols such as SSH and RDP, recording sessions in a way that creates an audit trail complete with 'movie-like' video replay of console screens including every command executed. As well as aiding forensic investigation after the event, SCB is ideal for companies that must offer access to their networks for external third-parties.

Even with two-factor authentication, monitoring such privileged accounts is critical - ask Target or Home Depot what to meant to simply trust an account because it had been accessed using the correct credentials.

What marks BalaBit's design out from rivals is the idea that networks must move from a system of control based on static access approved by authentication events to one in which users - including admins themselves - can be kicked off if their actions breach certain thresholds. It's as if users are constantly authenticating themselves without ever achieving unconditional trust.

If this is the future, then it will be a world that comes with new complications of its own. Using behavioural monitoring and proxies offers the ability to monitor accounts in a global way rather than through the fragmented mess of systems used today. It still represents a major cultural change and requires admins to set the thresholds that won't generate an overload of false positives. There also has to be a model for response, be that termination of a user account or an immediate forensic investigation. Not everyone will find that easy to build into network control because it implies a lot of hands-on review.

Blindspotter is another example of the way machine learning is finding its way into more and more security products, usually to detect classes of anomaly that humans would either not be able to spot or would simply take too long to notice.

It also stands as a model of networks in which network users can never really be trusted at face value, no matter how much authentication is in place. Even the best authentication can be fooled but behaviour will always a final line of defence, the last moment before something changes from normal to abnormal. This is the world organisations must now adapt to or face the risk of becoming the next Target.

Join the CSO newsletter!

Error: Please check your email address.

More about BeyondTrustCyberArkHome DepotSSH

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by By John E Dunn

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts