BluVector is a developer of a cyber-threat detection and hunting platform. The company provides threat detection and cyber hunting that defends enterprises against evolving security threats. It delivers fast, scalable, and integrated detection of malicious software targeting enterprise networks to help security teams stay ahead of advanced threats and protect against data breaches and theft. BluVector's intrusion detection for advanced threats uses a self-adapting form of machine learning, which aims to deliver threat detection before malicious software or a bad actor has infected a host.
BluVector's industry partners include IBM Security, Carbon Black, Endace, Garland Technology, Gigamon, Cisco, Splunk, and Dell. The company has received various awards and recognitions for its work in network security.
The company's threat detection for cybersecurity and network security, BluVector Advanced Threat Detection, is developed using machine learning to help security teams detect, triage, and respond to security events. This includes threats such as ransomware, fileless malware, and zero-day malware, all in real time.
The company says the platform's benefits include complete coverage, with flexible coverage and deployment options based on an organization's needs, and integration options that let organizations operationalize the platform's knowledge via STIX/TAXII or with solutions including Splunk, Carbon Black, Symantec, IBM QRadar, and CrowdStrike. Performance is intended to be scalable, using modular hardware for on-premises designs or flexible virtual machine deployments for remote offices. The company also says the platform offers increased network visibility and context for analysts to understand malicious events, and reduces the false positive alerts that can occupy and distract security teams.
The BluVector Advanced Threat Detection platform includes a variety of features:
- Advanced threat detection
- Probabilistic scoring
- Targeted logging and search
- Hunt process automation
- Low false positive/negative rates
- SMTP, HTTP, FTP, and SMB support
- Cloud email support
- Support for IPv4 and IPv6 environments
- An OpenAPI for ease of integration
The technology behind the BluVector Advanced Threat Detection platform includes the company's Machine Learning Engine (MLE) and Speculative Code Execution (SCE) engine, paired with analytics, Zeek, and STIX/TAXII.
BluVector was issued a patent for the company's supervised machine learning (US Patent 9,665,713) in 2017. The resulting MLE uses pre-trained algorithms to identify malicious content embedded in common file formats such as Microsoft Office documents, archives, executables, PDFs, and system updates, with what the company calls a 99.1 percent or higher detection accuracy on installation.
The MLE has more than thirty-five file classifiers and places every file on a probability continuum that spans from "benign" through "unknown" to "malicious." The MLE intercepts and analyzes files at the point of network delivery and detects file-based malware on the network in milliseconds, regardless of whether the malware has been seen before. It does this by inspecting the content of the file itself for combinations of characteristics that indicate benign or malicious software.
The SCE engine emulates how code will behave when executed in memory and to what extent those behaviors would initiate a security breach. It focuses on execution chains and malicious capacity rather than observed malicious behavior, which reduces the number of execution environments that need to be investigated. BluVector says the SCE engine achieves 99 percent detection of fileless malware, the so-called "invisible" threats.
Through the automated collection and centralization of disparate data for threat investigations, BluVector offers hunt scores based on the correlated results from the engines and integrated intelligence, the network and file metadata surrounding an event, and integrations with threat lookup services such as VirusTotal. These feed the analytics behind the company's platform, which aims to provide high-quality threat indicators. This is based on a broad detection software stack, which includes supervised machine learning, speculative code execution, Suricata, Yara, and ClamAV integrated with the ETpro ruleset, AlienVault OTX, and a curated ClamAV feed, all of which runs on top of Zeek.
BluVector aims to increase workflow efficiency and save security analysts time by presenting the data flow in the platform within the context of an event; the data are correlated to events and scored. This is intended to help analysts see where they should focus, rather than working through the data to find that out, while also offering additional data that gives wider context to a security event. The network metadata provided includes Active Directory user information, results from an embedded sandbox, hex detail for fileless attacks, and content payload.
Many organizations rely on Zeek, formerly known as Bro, a widely used open source network security monitoring system that delivers detailed metadata about network flows over protocols including HTTP, SMB, FTP, DNS, and SNMP; BluVector positions its systems as extending what Zeek can do. Zeek itself performs file carving from protocols that support file transfer, is extensible through its custom scripting language, and offers a framework for analysts to look for indicators of compromise.
BluVector adds context to the reporting that Zeek provides with additional tools and analytics. This context covers what, why, when, and how threats are operating within a given network. It includes BluVector's Targeted Logging feature, which automatically correlates detection events with Zeek metadata from before and after the detection, to help analysts understand the network context surrounding it.
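The correlation described above, as an added example that is not BluVector's code: given a detection event tied to a Zeek connection uid, it pulls the Zeek JSON log records for that connection from a time window before and after the detection and groups them by log type. The log lines, the detection event, and the uids are all constructed for the example.

```python
"""Correlate a detection event with the Zeek metadata surrounding it (added example)."""
import json

# Constructed Zeek JSON-format log lines (one object per line); not real traffic.
ZEEK_LOG_LINES = [
    '{"_path":"conn","ts":1700000000.0,"uid":"CONSTRUCTED1","id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.9","service":"http"}',
    '{"_path":"http","ts":1700000001.5,"uid":"CONSTRUCTED1","host":"example.test","uri":"/update.exe"}',
    '{"_path":"files","ts":1700000002.0,"conn_uids":["CONSTRUCTED1"],"fuid":"FCONSTRUCTED","mime_type":"application/x-dosexec"}',
    '{"_path":"dns","ts":1700000003.0,"uid":"CONSTRUCTED2","query":"other.test"}',
    '{"_path":"conn","ts":1700000030.0,"uid":"CONSTRUCTED1","id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.9","service":"http"}',
]

# Constructed detection event: a file classifier flagged the file carried by connection CONSTRUCTED1.
DETECTION = {"ts": 1700000002.0, "uid": "CONSTRUCTED1", "verdict": "malicious", "score": 0.97}


def parse_zeek_json(lines):
    """Parse Zeek's JSON log format into dicts, one per record."""
    return [json.loads(line) for line in lines]


def related_to(record, uid):
    """A record relates to a connection if it carries the uid directly (conn, http, dns)
    or lists it in conn_uids (files.log references the connections that carried the file)."""
    return record.get("uid") == uid or uid in record.get("conn_uids", [])


def targeted_log_window(records, event, before=5.0, after=5.0):
    """Return the event's connection metadata within [ts-before, ts+after], ordered by time."""
    lo, hi = event["ts"] - before, event["ts"] + after
    hits = [r for r in records if lo <= r["ts"] <= hi and related_to(r, event["uid"])]
    return sorted(hits, key=lambda r: r["ts"])


def context_summary(window):
    """Group correlated records by Zeek log type so an analyst sees the shape of the event."""
    summary = {}
    for r in window:
        summary.setdefault(r["_path"], []).append(r)
    return summary


if __name__ == "__main__":
    window = targeted_log_window(parse_zeek_json(ZEEK_LOG_LINES), DETECTION)
    for path, recs in context_summary(window).items():
        print(f"{path}: {len(recs)} record(s)")
```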
BluVector offers a variety of features through their use of Zeek and related data:
- Zeek metadata
- Support custom Zeek scripts
- Intelligence-based threat detection
- File extraction
- Streaming metadata export
- LDAP support
- Central appliance management
- Commercial support
- File-based threat detection
- Fileless threat detection
- Detailed threat analytics
- Automated threat event and metadata correlation
- Threat scoring
- Central threat visibility
- SOC analyst workflows
- Historic network analysis
- Email threat detection
BluVector's platform adheres to the STIX (Structured Threat Information eXpression) language, providing threat intelligence as the Indicator object type, which offers straightforward integration for users of TAXII (Trusted Automated eXchange of Indicator Information). TAXII services and message exchanges are used to share information about cyber threats across an organization, and BluVector integrates its machine learning threat knowledge into these threat workflows.
For organizations formulating event messaging in STIX, BluVector offers a short installation timeframe. The company says the platform communicates detections by generating a hash for any file-based threat the machine learning engine has classified as malicious, and a URI for any fileless threat detected by its Speculative Code Execution engine.
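An added example, not BluVector's code, of the two STIX outputs this describes: a STIX 2.1 Indicator carrying a SHA-256 file hash for a file-based detection and one carrying a URL for a fileless detection, wrapped in a bundle a TAXII consumer could ingest. The detections, hash value, and URL are constructed placeholders; the object layout follows the STIX 2.1 specification, written out by hand rather than with a STIX library.

```python
"""Emit STIX 2.1 Indicator objects for a file-hash and a URI detection (added example)."""
import re
import uuid

# Constructed detections, not real BluVector output; the hash is a placeholder value.
FILE_DETECTION = {"sha256": "a" * 64, "score": 0.97, "ts": "2024-01-15T10:30:00Z"}
URI_DETECTION = {"url": "http://example.test/stage", "score": 0.91, "ts": "2024-01-15T10:31:00Z"}


def make_indicator(pattern, name, ts, score):
    """Build a STIX 2.1 Indicator; confidence is the 0-100 integer scale STIX defines."""
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": ts,
        "confidence": int(round(score * 100)),
    }


def file_hash_indicator(det):
    """File-based detection: the pattern matches on the file's SHA-256 hash."""
    sha = det["sha256"].lower()
    if not re.fullmatch(r"[0-9a-f]{64}", sha):
        raise ValueError("SHA-256 must be 64 hex characters")
    return make_indicator(f"[file:hashes.'SHA-256' = '{sha}']", "Malicious file", det["ts"], det["score"])


def uri_indicator(det):
    """Fileless detection: the pattern matches on the URL; escape quotes/backslashes per STIX patterning."""
    url = det["url"].replace("\\", "\\\\").replace("'", "\\'")
    return make_indicator(f"[url:value = '{url}']", "Fileless threat URI", det["ts"], det["score"])


def bundle(objects):
    """Wrap indicators in a STIX 2.1 Bundle for exchange over TAXII."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


if __name__ == "__main__":
    import json
    print(json.dumps(bundle([file_hash_indicator(FILE_DETECTION), uri_indicator(URI_DETECTION)]), indent=2))
```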