Introduction
  • 19 May 2025

BluVector Advanced Threat Detection™ (ATD) is the next-generation Intrusion Detection System that is transforming how security teams manage security events. BluVector ATD™ accurately and efficiently detects, triages, and responds to threats, including ransomware, fileless malware, and zero-day malware, in real time.

BluVector ATD uses artificial intelligence to detect the most elusive and destructive attacks early in the cyber threat kill chain. It leverages machine learning and speculative code execution for advanced threat detection.

The system provides the network visibility and context you need to successfully provide comprehensive threat coverage. With BluVector ATD, you get real answers about real threats, enabling you to operate with full confidence that your data and systems are protected.

You may face additional challenges with cyberattacks that somehow made it past your pre-breach defenses. These threats can range from complex multistage intrusion attempts and the exfiltration of data to expensive ransomware. Security analysts need advanced tools to deal with these threats.

You can meet all of these cybersecurity challenges and protect your network with the full range of BluVector products.

Protecting with BluVector Products

BluVector products are built for analysts and protect networks from both internal and external cyberattacks. The products are based on nearly a decade of developing artificial intelligence solutions for cybersecurity. BluVector products work best with each other; however, they also provide value independently. BluVector products integrate with tools you may already be using. The following two BluVector products are recommended in combination to provide complete threat detection coverage.

BluVector Advanced Threat Detection™ (BluVector ATD) identifies cyberattacks before they enter your network. It detects pre-breach threats, including zero-day malware that exploits a software vulnerability for which no patch currently exists.

BluVector ATD features include:

  • Analysis of network traffic and files in real time.

  • Detection of fileless threats through speculative code execution.

  • Machine learning that adapts and learns about unique content in your network.

  • Enhanced Zeek logs that provide detailed records of all network communications.

  • Configurable risk levels, so that you spend your time on real threats.

  • Privacy, with no requirement to share your data with BluVector.

Understanding BluVector ATD Benefits

Installing and using BluVector ATD within your organization provides these benefits:

Learning About Efficiency and Customization Benefits

BluVector ATD assists analysts through these features:

  • Prioritized Actionable Events - Increases analyst efficiency. Analysts are supplied with quality indicators for real threats, and false positive alerts are decreased. BluVector ATD delivers the visibility and context needed to provide comprehensive threat coverage. Hunt process automation increases analyst efficiency with automated incident investigation and confirmation.

  • Better Workflow - Improves the most crucial aspects of work. Events are correlated and scored, so analysts can more efficiently understand where they should focus. The available information includes network metadata targeted around the event, geolocation, Active Directory user information, results from an embedded sandbox, hex detail for fileless attacks, and the actual content payload.

  • Targeted Logging and Search - Delivers context and visibility to cybersecurity teams by pre-correlating and highlighting log entries associated with security events that are prioritized for analysis, enabling analysts to make decisions faster.

  • Adjustable Thresholds - Customizes the flagging of suspicious network content, based on your risk appetite.

  • User-Configurable Dashboards and Reports - Provides visibility into network operations.

  • Centralized Appliance Management - Delivers a single-pane-of-glass interface to all your BluVector Sensors and BluVector Virtual Machines.

Learning About Sophisticated Analysis and Machine Learning Benefits

BluVector ATD employs these sophisticated analysis features:

  • Hunt Scoring - Prioritizes analyst focus, using a series of formulas.

  • High Performance, Patented, Supervised Machine Learning Engine - Identifies zero-day and polymorphic malware. Evolving the machine learning classifiers with local samples means fewer errors and denies adversaries access to your detection models.

  • Speculative code execution engine - Finds fileless malware traversing the network in real time.

  • Cloud-based Dynamic Malware Analysis - Provides behavioral analysis of suspicious samples and identification of indicators of compromise.

  • Submit to BluVector Feature - Supports automated customer access to the BluVector threat analysis team.

Learning About Scalable, Fast, Modular Components

BluVector ATD offers these efficient, high-performing component features:

  • Open Architecture - Combines Zeek (formerly known as Bro), Suricata, a machine learning engine, a fileless malware detection engine, Yara, ClamAV, and HURI at speeds from 1G up to 20G in a single appliance or a 500MB VM. The modular design of BluVector provides flexibility when needed. BluVector ATD is offered both as a VM and as 1U-2U hardware appliances.

  • Sensors - Seamlessly integrate with threat intelligence feeds for real-time correlation, with dynamic analysis engines for offloaded sandbox execution, and with Security Information and Event Management (SIEM) tools for rapid incident response.

  • File Extraction across Multiple Network Protocols - Detects malicious files at high speeds.

  • Fileless Malware Detection - Identifies threats in high volume filetypes, such as HTML and JavaScript.

Learning About Integration Features

BluVector ATD provides these integration features:

  • Fully Integrated System - Generates knowledge quickly, either alone or with pre-existing solutions through STIX/TAXII.

  • Highly Extensible Ecosystem - Makes it easy to integrate with existing security infrastructure.

  • Enhanced Zeek - Offers a variety of associated analytics, including automated correlation of Zeek threat metadata, configurable analyst workflows, threat scoring, and a built-in Zeek log search.

  • Active Directory - Correlates events with information about host and user activities.

  • SMTP, HTTP, FTP and SMB Support - Analyzes traffic across a range of protocols on a single hardware or virtual appliance.

  • Cloud Email Support - Supports deployments of Office 365, Google, and similar software-as-a-service (SaaS) email providers.

  • Support for IPv4 and IPv6 Environments - Makes it possible to support complex IoT environments.

  • ClamAV Signature-Based Malware Detection - Provides defense in depth and additional context for malware triage.

  • Yara Rule Scanning Engine - Identifies and classifies malware variants.

  • IOCHunter Engine - Extracts IoCs (such as URLs, email addresses, and IP addresses) from emails and files.

  • Suricata Signature-Based Intrusion Detection System - Identifies known bad traffic, including malware command and control.

  • Advanced Static Analysis of Portable Executables - Detects and classifies suspicious executables.

  • Extraction Capability for Archive Files - Provides sophisticated analysis of embedded content.

  • Integration with Threat Intelligence Feeds - Broadens opportunities for correlating network traffic.

  • Multiple Ingest Avenues for Analyzing Content - Supports content from network traffic collection, web upload, and BluVector API upload.

  • Support for Remote Users via LDAP - Manages users from a central directory server.

  • SAML Support - Provides support for Security Assertion Markup Language (SAML) / Single Sign-On (SSO).

  • Two-factor Authentication Support - Ensures user identity using multiple factors, including Smart Cards.

  • Outputs based on User-Defined Criteria - Provides scalable distribution of event and content information.
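The IOCHunter bullet above describes pulling indicators (URLs, email addresses, IP addresses) out of emails and files. The following is an added, stand-alone illustration of that kind of extraction written for this page; it is not BluVector's IOCHunter code and makes no claim about how the product implements it. The sample email is constructed, the names `refang` and `extract_iocs` are this example's own, and the three indicator types are the ones the bullet names. It shows two details a practitioner would want: "defanged" indicators (`hxxp://`, `[.]`) are normalised before matching, and IPv4 candidates are validated so that version strings such as `5.1.2.999` are not reported as addresses.

```python
import ipaddress
import re

# Constructed sample (not a real message): a phishing-style email mixing defanged
# and plain indicators with noise that looks like an IP address but is not.
SAMPLE_EMAIL = """From: "IT Helpdesk" <helpdesk@example-corp.test>
To: analyst@example-corp.test
Subject: Password expiry notice

Your password expires today. Reset it at hxxp://login-example-corp[.]test/reset?id=4412.
If the link fails, use http://203.0.113.45/portal/ instead (mirror: http://203.0.113.45:8080/p).
Questions? Reply to it-support@example-mail.test.
Internal ticket server 10.20.30.40 is unaffected; build 5.1.2.999 will be pushed next week.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Punctuation that commonly trails a URL in running text but is not part of it.
TRAILING_PUNCT = ".,;:!?)]}>'\""


def refang(text: str) -> str:
    """Undo the common defanging conventions so indicators match normally."""
    text = re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)
    return text.replace("[.]", ".").replace("(.)", ".")


def extract_iocs(text: str) -> dict[str, list[str]]:
    """Return de-duplicated URLs, email addresses and valid IPv4 addresses found in text."""
    text = refang(text)

    urls = {u.rstrip(TRAILING_PUNCT) for u in URL_RE.findall(text)}
    emails = set(EMAIL_RE.findall(text))

    ips = set()
    for candidate in IPV4_RE.findall(text):
        try:
            # Rejects octets over 255, which filters out dotted version numbers.
            ipaddress.IPv4Address(candidate)
        except ValueError:
            continue
        ips.add(candidate)

    return {
        "urls": sorted(urls),
        "emails": sorted(emails),
        "ipv4": sorted(ips, key=ipaddress.IPv4Address),
    }


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_EMAIL).items():
        print(kind)
        for value in values:
            print("  ", value)
```

Note that the sender's and recipient's own addresses are extracted alongside the suspicious ones; deciding which indicators are actually hostile is a triage step that sits on top of extraction, which is why the function returns everything it finds rather than filtering.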

Using This Document

This User Manual describes the installation of the BluVector Advanced Threat Detection system, daily operations, and configuration. You can find more information in the following sections:

Accessing Documentation

You may access the latest documentation from the ATD GUI after you log into the system (see Section: Logging into the ATD GUI for instructions on logging in).

Select the question mark icon located at the top of the screen (see Figure: BluVector Documentation Menu Choice). A menu appears with options for the types of documentation that are available.

Fig. 1: BluVector Documentation Menu Choice

The BluVector System documentation includes the following:

  • BluVector API documentation covering how to flexibly interact with the system (see Section: Using the REST API for more information)

  • An online version of the User Manual

  • A PDF version of the User Manual

Contacting Customer Support

For assistance, please:

  • Call the BluVector Customer Support Desk at 1-833-BLU-0595, or

  • Email: support@bluvector.io
