ActiveCyber Interview with Kris Lovejoy – CEO of BluVector, Inc.

Kris Lovejoy discusses how BluVector’s patented machine learning technology is applied to detect zero day threats in real-time. Find out how your incident response team can accelerate time from detection to resolution by deploying BluVector into your network architecture in the interview below with ActiveCyber.net.

One of the themes I have been harping on in this blog is the need for speed, specifically speeding up the cyber OODA loop. So when I bumped into Kris – one of my previous bosses – at the recent RSA conference and learned about how BluVector was accelerating the OODA loop at wire speed and with high detection accuracy, well, I was excited. I asked Kris for an interview on the spot and, as usual, she graciously accepted. Learn about how machine learning and turbo-charged Bro engines can accelerate your incident response activities into a high octane version of active cyber defense in the interview below.

Spotlight on Kris Lovejoy, CEO BluVector, Inc.

» Title: CEO BluVector, Inc.
» Website: https://bluvector.io/
» Linkedin: https://www.linkedin.com/in/klovejoy
Read her bio below.

March 15, 2017

Chris Daly, ActiveCyber: Can you provide an overview of BluVector and its product – its main features, capacity, and performance? What is the main focus of the patents behind the technology? What is your key differentiator in the market?

Ms. Kris Lovejoy, BluVector: BluVector helps incident response teams detect and analyze advanced threats quickly, in some cases reducing the mean time to resolution by up to 80 percent. Our technology leverages supervised machine learning to detect and prioritize advanced threats – like destructive malware – at the network gateway. These prioritized events are further surrounded with context from targeted logs and metadata before and after the event. This helps shorten the time to resolution by automating the centralization of threat hunting data used in the incident analysis process.

BluVector’s key differentiators fall into the categories of detection and analysis. We’ve provided operators with a patented, real-time machine learning-based detection engine that rides on top of a customized, high-performance version of the Bro network forensics stack. This allows organizations to monitor high bandwidth, globally dispersed networks for advanced threats that are consistently evading traditional security infrastructures.

ActiveCyber: What is meant by “supervised machine learning?” What type of learning algorithms are applied? What types of feature reduction options are available for managing dimensionality? How do you adjust for the trade-off for bias versus variance?

Lovejoy, BluVector: Using algorithms that learn from exposure to data, called training instances, machine learning allows computers to find hidden insights without being programmed where to look. “Supervised,” unlike “Unsupervised,” machine learning indicates that data is “labeled.” Labeled means that a data scientist has assigned a category of interest to each training instance. Because labeling can be a difficult, expensive and time-consuming process to attain enough training instances of each label to produce highly accurate machine learning models, special terms are used to describe the two scenarios:

• When labeled training instances are used for learning, the process is said to be supervised
• If no label instances are used, the process is said to be unsupervised.

One way to think about supervised learning is that during the learning process, a “teacher” is available that will tell the algorithm when it’s predicting labels correctly and when it’s making mistakes. That teacher is the subject matter expert or experts who labeled all the training instances used by the machine learning algorithm. The machine uses the teacher to make more accurate predictions.

ActiveCyber: How long or how much data does it take to train the appliance? How is the local threat environment accommodated in the training of the appliance? What is the false positive rate being experienced by your customers?

Lovejoy, BluVector: BluVector is a supervised machine learning solution, and comes ready “out of the box” with models developed by our data science team. Typically, we’re installed, configured and detecting within 30 minutes. Once active at a customer’s site, localized data is used to adapt the local environment, improving detection accuracy and creating a “moving defense.” In terms of detection accuracy, we’re routinely seeing a 99.1 percent detection rate – before localization is applied. We continue to spend a great amount of time and effort working on the fidelity of detection to reduce the noise and assure our customers are responding to incidents in a rapid and organized fashion.

ActiveCyber: Can it leverage threat intelligence feeds to accelerate learning or retraining? Can it handle STIX/CybOX-formatted threat data? What traffic flow engines does it support? What sandbox technology does it support?

Lovejoy, BluVector: BluVector uses threat intelligence data to match/correlate with live data “on the wire,” as opposed to just matching in the SIEM on alerts that were already sent from other tools. We have a robust integration strategy with SIEM vendors, threat intelligence providers, sandboxes and endpoint providers. We’ve completed integrations with Splunk, QRadar, Carbon Black, Cuckoo, ThreatQuotient, Phantom and Gigamon to name just a few. What makes us unique in the market is we’re not a black box; we’re an open platform looking to leverage – and complement – the best of our customers’ previous security investments.

ActiveCyber: What types of use cases is BluVector best suited? What types of threats is it best able to detect? How does it handle low and slow attacks? How does it accelerate the OODA loop to make cyber defenses more effective?

Lovejoy, BluVector: BluVector is best suited for organizations, with a dedicated incident response team, that are seeking to improve productivity of staff – assuring they’re focused on investigating and resolving the most important events and not “hunting and pecking” between disparate tools and data sets. From a detection and prioritization perspective, we particularly excel in identification of zero-day and polymorphic malware. Shamoon 2 is a good example. At one customer site we detected the event, fed the data to Splunk, and enabled the customer to brick and remove the affected hosts from the network within five minutes. In the past, without rapid detection and automation, that same process could have taken hours or days – likely resulting in significant client-side damage.

ActiveCyber: How is the appliance deployed in the data center? In the cloud? Does if come in a virtual form factor?

Lovejoy, BluVector: BluVector can be deployed on-premise or in hybrid, private and public cloud environments. For the customer base we engage with most, the ability to monitor the hybrid infrastructure (mix of cloud and traditional IT) tends to be the most popular. Our form factors include both physical and virtual appliances.

ActiveCyber: How have you adapted your technology and market strategy since you entered the market? What market segment are you receiving the greatest support and what is your outlook for 2017?

Lovejoy, BluVector: In January, we announced the spin out of BluVector by LLR from Northrop Grumman. Now that we’re a standalone commercial entity, we’re seeing significant interest from all market segments including financial, retail, healthcare, utility and public sector.

Thanks Kris for introducing my audience to BluVector. I am excited about what you have accomplished so far and look forward to following BluVector as it moves forward as a commercial entity.

And thanks for checking out ActiveCyber.net! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses. Also, email marketing@activecyber.net if you’re interested in interviewing or advertising with us at ActiveCyber.