1 Introduction
Balabit is an international information security vendor headquartered in Luxembourg. Founded in 2000 in Hungary, the company still maintains its research and development centers there; with multiple sales offices in Europe, the US and Russia and a large partner network, it nevertheless has a strong global market presence. The company is best known for its flagship product syslog-ng, a de facto standard syslog server for Unix-like platforms that is used in over a million installations around the world. This user base allows the company to expand into other areas of security intelligence with products like Shell Control Box, an activity monitoring appliance for controlling and recording privileged access to remote IT systems, and Blindspotter, a privileged user behavior analytics product.
With the number of mobile devices growing rapidly, increased adoption of managed services in the cloud and a broad range of new communication channels with business partners, external contractors and even customers emerging within the connected enterprise, the traditional notion of a corporate network perimeter is eroding. The focus of information security is thus shifting from perimeter protection towards detection of and defense against threats already inside corporate networks.
The number of external and internal attacks has also increased significantly. These attacks usually combine technical vectors such as vulnerability exploits with social engineering, and are therefore largely invisible to traditional perimeter security tools. Arguably, user identities have become the most critical component of a corporate security infrastructure. In the vast majority of recent high-profile data breaches, compromised privileged user credentials have been the primary cause of data loss. Beyond accounts hijacked by external attackers, legitimate privileged users such as IT administrators who abuse their privileges can cause immense damage and then cover their tracks by manipulating server logs.
Although Balabit, like a number of its competitors, offers several products to address these challenges, it should by now be clear that standalone solutions often cannot provide sufficiently fast detection and reliable mitigation of Advanced Persistent Threats (APTs), which usually involve multiple attack vectors and consist of several covert stages. Withstanding modern APT attacks requires an integrated platform that collects intelligence from multiple sources and correlates both real-time and historical data. Such a platform must use Big Data and machine learning techniques to reduce a huge number of detected security events to a small number of actionable alerts, clearly ranked by risk level.
KuppingerCole has been writing about this paradigm shift for years under the term “Real Time Security Intelligence”. Balabit calls its approach Contextual Security Intelligence (CSI): a concept which holds that additional layers of security controls that restrict business performance should be avoided and replaced with more efficient monitoring tools.
Both the concept and the company’s implementation of it, the Balabit CSI Platform, align very strongly with KuppingerCole’s vision of the next generation of security analytics solutions.