Overview
BluVector is an AI-powered Network Detection and Response (NDR) platform designed to protect organizations from sophisticated cyber threats. Leveraging advanced machine learning, BluVector detects attacks that evade traditional security tools, including zero-day exploits and fileless malware. The platform provides real-time threat detection and analysis directly from network traffic, enabling organizations to detect, investigate, and eradicate threats before they impact the environment.
Key Features
- Real-Time Threat Detection: Identifies threats in network traffic with minimal latency.
- Advanced Machine Learning: Utilizes 13 specialized analyzers for comprehensive threat analysis.
- Scalability: Proven at enterprise scale with organizations like Comcast.
- Centralized Management: BluVector Central Manager provides unified control over all appliances.
- Threat Intelligence Integration: Enriches metadata with internal and external threat intelligence feeds.
- Compliance Support: Monitors policy violations and unauthorized network usage.
Product History
BluVector originated from the Malware Genome Research Program under Northrop Grumman, addressing the challenge of detecting threats in vast network data. After successful pilot programs, version 1.0 was launched in 2015. Following its proven effectiveness at Comcast, BluVector was acquired to deliver enterprise-grade security to organizations of all sizes.
System Architecture
BluVector employs a modular architecture with 13 specialized analyzers, each contributing to comprehensive threat detection and analysis. The system processes network traffic and files through a combination of signature-based, heuristic-based, and machine learning-driven approaches.
Core Components
- BluVector Central Manager
- Centralized control and administration hub for all BluVector appliances.
- Provides a user interface for configuration, monitoring, and reporting.
- Accessible via a web-based dashboard.
- Collectors
- Zeek Network Security Monitor:
- Monitors network traffic for suspicious behaviors, policy violations, and potential threats.
- Supports compliance monitoring and incident response with detailed forensic data.
- Uses BluVector’s Zeek script package for real-time analysis.
- Suricata:
- Intrusion Detection System (IDS) for identifying known malicious network traffic.
- Configurable to reduce false positives by defining key network segments (e.g., internal IP addresses).
- Analyzers
- HECTOR:
- Machine learning-based analyzer for classifying files as benign or malicious.
- Provides probabilistic confidence scores (0–100).
- Configurable thresholds via sliders to align with organizational risk tolerance.
- NEMA:
- Advanced heuristics-based analyzer for detecting complex threats.
- ClamAV:
- Open-source, signature-based malware detector.
- Checks files against a database of hundreds of thousands of malware signatures.
- Automatically updates signatures for sensors with internet access.
- Extractor:
- Decompresses archived files and republishes embedded artifacts for further analysis.
- Geolocation:
- Provides location information based on IP addresses.
- hURI:
- Machine learning-based analyzer for detecting malicious URIs.
- Outputs a confidence score (0–100) for URI analysis.
- IntelLookup:
- Correlates event and file metadata with internal and external threat intelligence sources.
- IOCHunter:
- Enriches file metadata by extracting indicators such as links, URLs, domains, and email addresses.
- Tag-it:
- Allows users to add custom tags to event analysis results for enhanced tracking and reporting.
- Yara:
- Rule-based utility for classifying and identifying malware samples.
- Supports custom Yara rules added via the UI or API.
- File Reputation:
- Provides signature-based file analysis to identify known threats.
- Hostinfo:
- Integrates with Active Directory to enrich host-related metadata.
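As an added illustration of the Extractor and IOCHunter roles described above (example code written for this page, not BluVector's own implementation; the page does not describe either analyzer's internals), the following Python recursively unpacks a zip archive with depth and size caps, then pulls URLs, e-mail addresses and domains from the republished artifacts. The sample archive is constructed inline; the path names, cap values and function names are assumptions.

```python
import io
import re
import zipfile
from urllib.parse import urlparse

MAX_DEPTH = 3               # do not descend into archives nested deeper than this
MAX_MEMBER_BYTES = 1 << 20  # skip members whose declared size exceeds 1 MiB
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def extract_artifacts(name, blob, depth=0):
    """Extractor role: recursively unpack zip archives and yield (path, bytes) for
    each non-archive member. Depth and size caps keep a decompression bomb or a
    zip nested in itself from exhausting the analyzer; past the caps a member is
    yielded unexpanded instead of being opened."""
    if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                    continue  # directories carry no bytes; oversized members are dropped
                yield from extract_artifacts(f"{name}/{info.filename}", zf.read(info), depth + 1)
    else:
        yield name, blob

def hunt_iocs(text):
    """IOCHunter role: pull URLs, e-mail addresses and the domains they reference
    from a text artifact. Domains come from URL hosts and e-mail domains rather
    than a loose hostname regex, so 'setup.exe' is not reported as a domain."""
    urls = sorted({u.rstrip(".,;:)") for u in URL_RE.findall(text)})
    emails = sorted(set(EMAIL_RE.findall(text)))
    hosts = {urlparse(u).hostname for u in urls} | {e.split("@", 1)[1] for e in emails}
    return {"urls": urls, "emails": emails, "domains": sorted(h.lower() for h in hosts if h)}

def build_sample():
    """Constructed input (not captured data): an outer zip with a text file and a
    nested zip holding a second text file."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("notes.txt", "contact ops@example.net, see http://example.org/path.")
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("readme.txt", "Visit https://www.example.com/login and mail help@example.com")
        zf.writestr("nested.zip", inner.getvalue())
    return outer.getvalue()

def analyze(blob, name="sample.zip"):
    """Extract, then enrich: returns {artifact path: iocs} for every artifact found."""
    return {path: hunt_iocs(data.decode("utf-8", errors="replace"))
            for path, data in extract_artifacts(name, blob)}
```

Calling `analyze(build_sample())` returns one entry per text artifact, keyed by its nested path, so the nested zip's content is analysed even though it arrived inside another archive.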
Deployment Example
A typical BluVector deployment uses a network tap to capture traffic, which is then processed by collectors (Zeek, Suricata) and analyzed by the suite of analyzers. The BluVector Central Manager oversees the entire process, providing a unified view of network security.
Getting Started
Accessing BluVector Central Manager
- Log in to the BluVector Central Manager appliance via the web-based interface.
- Navigate to the Collectors section:
- Click the Gear Icon in the upper-right corner.
- Select Collectors from the dropdown menu.
Configuring Collectors
- Zeek:
- Enable comprehensive visibility into network traffic.
- Configure the Zeek script package to detect suspicious behaviors and policy violations.
- Suricata:
- Define key network segments (e.g., internal IP ranges) to optimize detection and reduce false positives.
Configuring Analyzers
- HECTOR:
- Adjust maliciousness thresholds using sliders in the configuration page to align with your risk appetite.
- ClamAV:
- Ensure sensors have internet access for automatic signature updates.
- Yara:
- Add custom rules via the UI or automate rule updates through the BluVector API.
- hURI:
- Review confidence scores for URI analysis and adjust detection parameters as needed.
Integration and Customization
- API Support: Automate Yara rule updates and other configurations using the BluVector API.
- Threat Intelligence Feeds: Integrate with internal and external feeds via IntelLookup for enriched metadata.
- Active Directory Integration: Use Hostinfo to correlate network events with user and host data.
Use Cases
- Real-Time Threat Detection: Identify zero-day exploits and fileless malware in network traffic.
- Incident Response: Leverage forensic data from Zeek for detailed investigations.
- Compliance Monitoring: Track policy violations and unauthorized network usage.
- Scalable Security: Deploy across small to enterprise-scale environments.
Support
For additional assistance, contact your BluVector account team or visit our support portal.