BluVector and UMBC Partner to Advance Cyber Threat Detection and Response in University Environments

Partnership Introduces Students to the Latest Network Intrusion Detection System Technology and Supports the University’s Initiatives to Develop the Next Generation of Cybersecurity Talent

October 30, 2017 - Arlington, VA - BluVector, a leader in machine learning-based network intrusion detection, is partnering with the University of Maryland, Baltimore County (UMBC) to help build the newest generation of cybersecurity analysts. A team of students within the College of Engineering and Information Technology will now be using a version of BluVector to analyze the university’s network traffic in real time. The goal is to better understand how to find, confirm and contain cyber threats using advanced analytics, including supervised machine learning, speculative emulation and behavioral heuristics.

Cyber threat detection and response within an academic environment is challenging: IT departments often have less rigid control over devices on the network, yet are tasked with supporting a vast variety of endpoints. By using BluVector's network intrusion detection system, students participating in the UMBC program will gain real-world experience using deep analysis and detection to triage malicious events for either automated response actions or higher-level human investigation. It's experience that will make them well suited to operate as Level 1 analysts and highly sought after by future employers.

"At BluVector, learning is in the DNA of our team and our product," said Robert Thompson, BluVector’s liaison to UMBC and a recent graduate of the Cyber Scholars program at the University. "A partnership with UMBC enables hands-on learning for students and we hope we can, in turn, learn from the students as they observe BluVector in a specialized environment."

"We’re pleased to incorporate BluVector into the ecosystem UMBC has built to develop the next generation of cybersecurity talent," said Dr. Charles Nicholas, professor of computer science and electrical engineering, UMBC and faculty advisor for UMBC’s Cyber Dawgs, its 2017 National Collegiate Cyber Defense Championship winning Cyber Defense Team. "We hope exposure to analytics driven advanced threat detection solutions both sparks curiosity in data science and underscores the value of machine learning among our students as they enter the workforce to tackle the emerging and dynamic cyber threats we all face."

New Video: Virginia Highlights BluVector in State Government

Last week, the BluVector crew opened the doors to its new HQ. Leadership flew the remote employees in to celebrate and meet up with their Arlington, VA-based peers. To up the stakes, we invited Terry McAuliffe (Virginia's Governor), Karen Jackson (Virginia's Secretary of IT) and Jay Fisette (Chair for the Arlington County Board) to celebrate with us.

Why'd they show up? Because the Commonwealth of Virginia has helped BluVector incubate and grow quickly. Or as Secretary Jackson best said it around 8:54 [in the video below], "We still have BluVector in our network... The BluVector tool, during its incubation and now, has been a part of catching some of the vulnerabilities that the other tools that we have didn't catch. So you come highly referenced by my security guys. It has been a great opportunity for us. Government doesn't always get to be creative and innovative. And this is one time where it just worked."

To get a look at the event and a sneak peek into our office, take a few moments to watch the video.

Washington Business Journal Honors Kris Lovejoy in its Women Who Mean Business List

On Thursday, Sept. 28, the Washington Business Journal announced its list of Women Who Mean Business 2017 honorees and we were not surprised to see Kris Lovejoy, BluVector's CEO, listed among the chosen.

While, first and foremost, we'd like to congratulate Kris on the award, we'd also like to honor the other 24 business leaders who continue to inspire both women and men through their focus, strength and success.

Take a moment to read Kris Lovejoy's profile to get insight into what keeps her nervous, why she loves startups and how she instills her sense of culture on BluVector's employees.


BluVector Opens New Office Headquarters in Arlington

Virginia Gov. Terry McAuliffe joins several state and local officials at ribbon-cutting ceremony in Arlington’s unofficial “Cyber Corridor”

Arlington, VA (September 20, 2017) – Today, BluVector – a leader in network security monitoring and analytics – opened its doors to a new state-of-the-art office space in Arlington, Virginia. The occasion was marked by Virginia Governor Terry McAuliffe who gave remarks at the ribbon-cutting event, along with Virginia’s Secretary of Technology, Karen Jackson, and Arlington County Board Chair, Jay Fisette who presented BluVector with a “Key to the County” during the event. Over 100 guests from the cyber industry, government, partners and media also attended.

The company – which delivers a revolutionary, machine-learning based advanced cyber threat detection and analytics solution – was established in January 2017 with technology incubated under Northrop Grumman. Built to accommodate its growing team, BluVector’s new office headquarters joins a community of several other cyber and information security companies in Arlington’s unofficial “cyber corridor” neighborhood.

“Today’s ribbon-cutting event is a milestone for us,” said Kris Lovejoy, CEO of BluVector and one of the few female CEOs in the cybersecurity industry. “BluVector has grown from a handful of staff to more than 70 employees in just six months. I am proud of the solutions we are delivering to make public and private sector entities more secure.”

In her remarks at the event, Lovejoy acknowledged key clients, including the Virginia Information Technologies Agency (VITA). “The Commonwealth of Virginia has helped foster this company’s success by acquiring the BluVector technology very early in its lifecycle,” said Lovejoy. “That initial support – along with the support of local Arlington economic initiatives – made today possible, and of course, demonstrates this is a great place to do business.”

Of the event, Governor McAuliffe commented, “We live in an age where cyberattacks on our critical infrastructure are a real threat. But we are proud to have Virginia-based companies like BluVector leading the way to detect – and confront – evolving threats with technological solutions that can be applied here, nationally, and even around the world. I offer my congratulations to BluVector on the opening of its new home to meet its drastic growth in 2017.”

Why Energy Providers Are So Vulnerable to Zero-Day Threats

From the Stuxnet and WannaCry attacks to the BlackEnergy and Flame malware, prominent threats to energy providers have involved exploits of zero-day vulnerabilities. The use of zero days illustrates how valuable attackers consider energy networks to be.

Energy provider hackers, often nation-states, appear to be motivated primarily by espionage, as in the 2017 hack of Ireland’s EirGrid, or destruction, as in the 2015 and 2016 Ukraine grid hacks.

We frequently speak of detecting and blocking threats on the network edge. This prevents hackers from gaining entry and then moving laterally across networks, as well as establishing persistent access by which to conduct multiple exploits. Yet, edge detection is as important as it is difficult in the energy sector, given the unique networks often involved.

Many energy companies, from electric power utilities to oil refineries, employ three distinct layers of infrastructure:

  1. Traditional enterprise IT – Includes standard Windows and Linux systems, servers and devices.
  2. Operational Technologies (OT) – Control physical infrastructure components, such as circuit breakers in substations and valves in pipelines.
  3. Industrial Control Systems (ICS) – Usually placed between IT and OT architecturally, monitor and control OT.

The Stuxnet and Ukraine hacks caused physical damage not via IT systems, although IT was the beachhead, but by compromising ICS and then using the ICS to control OT – physical centrifuges in Stuxnet and remote terminal units in Ukraine.

Years ago, ICS and OT were analog and isolated from public networks. To exploit them remotely, attackers first had to compromise traditional IT and then jump to "air-gapped" ICS/OT networks. In addition to IT, they had to know obscure ICS/OT technology. Traditional IT experts are usually not trained in ICS/OT, and before the internet, documentation could be difficult to find. The segmentation and obscurity of ICS/OT provided a degree of security.

Today, four factors have changed everything:

  1. ICS/OT modernization – Most visible in the power sector, the digitization of OT components introduces new vulnerabilities, including remotely exploitable zero days.
  2. Smart grid – The essential premise is bi-directional communication between ICS and OT, as well as remote control of OT. Increasingly, engineers use the internet and standard TCP/IP protocols.
  3. ICS/OT firmware – ICS/OT developers rarely emphasize security, so products are now reachable from the internet and exploitable through firmware vulnerabilities.
  4. Availability of ICS/OT documentation – Complete documentation sets for the ICS components attacked in Stuxnet and Ukraine were available online before the attacks.

Security through isolation and obscurity is no longer adequate. Attackers now have more attack vectors, spanning traditional IT through digitized OT, many of them riddled with known and unknown vulnerabilities. One researcher recently found vulnerabilities in solar panel components.

Along with more vulnerable targets, attackers find networks remotely accessible via public networks, with direct communications links from centralized IT and ICS to geographically dispersed OT (e.g., electric distribution substations), and vice versa. While these attacks are not trivial, they are getting easier.

Edge detection in energy networks is as important as ever. Contact us today to learn how supervised machine learning helps to prevent even zero-day exploits at the network edge.

Healthcare's Dilemma: Uptime Versus Upkeep

While computers aren't new to doctors' offices, their use for tracking patient records has been both controversial and challenging. Paper records don't require electricity, aren't susceptible to malware and don't need servers. Yet, as other aspects of patient care become computerized, from ordering bloodwork to prescriptions, electronic health records (EHRs) give staff access to information that can significantly improve patient care. As EHRs become more mission critical for medical staff, they demand maximum uptime. Yet that access must be balanced against the regular upkeep that keeps them secure.

Combined with an increase in hardware reliability and cost-effective cloud backup or access, the adoption of EHR is drastically increasing. For healthcare providers in catchup mode or the early adoption phases of EHR, IT teams are often concerned with not only who accesses what records but how to prevent malware from entering their networks.

Yet they need to strike the right balance between the ease and efficiency of data being available in on-demand locations (mobile nurses' stations, doctors' iPads and laptops), integrated IoT devices (medication dispensers, medical equipment) and connected imaging devices (x-ray, sonograms, CAT scans), while keeping all of them secured and access-restricted. These benefits come at a cost, as they open up new attack vectors that can be difficult to manage and maintain.

Smaller organizations with less mature IT practices are often at the greatest risk. And with security updates arriving more frequently, healthcare IT teams need to balance that risk. If systems are taken offline, healthcare professionals may be unable to update a patient's records or get the latest care notes, and may fail to deliver the best service. Yet if systems aren't maintained and updated, the risk of unauthorized access may increase.

A May 2016 study by the Ponemon Institute found that nearly 90% of healthcare practices have been compromised by at least one malware infection within the past two years. The problem is that healthcare records are 50% more valuable than credit card numbers on the black market. So there has been a rapid evolution of malware that not only targets healthcare providers more precisely, but also evades detection by exploiting the thresholds that many malware detection tools rely on.

Given that nearly 85% of modern healthcare providers don't have a single qualified security person on staff, organizations are at significant risk. Better security against these evolved threats means that teams need either a better solution for detecting threats or the ability to allocate significantly more time to hunting them down.

Curious what's bypassing your existing network defenses?

BluVector’s supervised machine learning gives healthcare teams access to information that can help them analyze potential threats earlier and faster than ever. Unlike other solutions, BluVector works with human analysts to present them with potential threats and allows analysts to teach the system what they view as threats. So analysts don’t create a signature, they confirm suspicious content based on their knowledge of good and bad software.

Don’t know if your current malware detection is working? Sign up for a free network threat assessment where we show you your risks and how BluVector can lower them in the future.

WannaCry Attack on Healthcare Shows Need for Better Detection

As May 12, 2017 dawned, healthcare staff and patients began arriving at the U.K.'s National Health System (NHS) facilities for what many expected to be a routine day of medical treatments for conditions ranging from common colds to serious surgeries.

But by mid-morning, NHS was in a state of "chaos." Major IT systems and some networked medical devices were unusable. Patients were turned away from pre-scheduled procedures, and only the most dire of cases could be admitted to emergency rooms for treatment. Medical staff resorted to pens and paper to record notes on patients' symptoms, diagnoses and treatments.

The NHS had become one of 300,000 victim systems across 95 countries infected by WannaCry, the largest ransomware attack to date.

WannaCry has become a real-life case study for what security researchers had warned for years is possible in healthcare networks, which pose unique challenges for security professionals. In a previous post, we outlined the scale, scope and current state of the challenge.

In some ways, WannaCry represents a unique case of ransomware. For instance, the breadth of WannaCry's spread was enabled by its exploit of a recently disclosed zero-day vulnerability in Server Message Block (SMB) version 1 (included in Microsoft Windows), a protocol that allows networked devices to share local resources, such as printers. WannaCry was especially virulent because it self-propagated across networks, much like a computer worm. The worm-like trait of WannaCry, which allowed its rapid spread, can be distinguished from other ransomware strains, which have relied on human error to initially infect and continue spreading.

In other ways, WannaCry is like many everyday malware threats to healthcare environments. For instance, as one of tens of thousands of brand-new ransomware strains in recent years, signature-based antivirus solutions did not initially detect WannaCry because no signature existed before it was released in the wild. Microsoft issued a security patch for the SMB vulnerability in March, but many victims had failed to implement it, an all-too-frequent occurrence. And WannaCry was similar to other ransomware in effect: Medical staff and systems were paralyzed in providing patient care and services.

Certainly, "defense-in-depth" architectures employing traditional security technologies can help to secure healthcare networks from some threats. But what repeated ransomware incidents have demonstrated is that some attacks require a different approach to detection and prevention.

Healthcare environments are particularly well-suited to newer security technologies, such as supervised machine learning used at the network edge to analyze content. BluVector's supervised machine learning detects malware threats like WannaCry at its initial breach, based on malicious traits that make it both similar to and different from previous ransomware.
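The post above points to two conditions that let WannaCry spread: SMB version 1 still enabled on hosts, and the March SMB patch not applied. As an added example (not BluVector's code or part of the original post), here is a PowerShell audit a healthcare IT team could run on a Windows host to check its SMBv1 exposure; it assumes Windows 8.1/Server 2012 R2 or later with the SmbShare module, and the function names are my own.

```powershell
# Added example: audit SMBv1 exposure on one Windows host (not BluVector's code).
# Assumes Windows 8.1 / Server 2012 R2 or later with the SmbShare module.
function Get-Smb1Exposure {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # Server side: does this host still offer the SMB1 dialect to clients?
    $srv = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    $result.ServerSmb1Enabled = if ($srv) { [bool]$srv.EnableSMB1Protocol } else { 'unknown' }

    # Registry override Microsoft documents for the server service (SMB1 = 0 disables it).
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $reg = Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue
    $result.ServerSmb1Registry = if ($null -ne $reg) { $reg.SMB1 } else { 'not set' }

    # Optional feature state on client SKUs; may be absent on some server SKUs.
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $result.Smb1FeatureState = if ($feat) { $feat.State.ToString() } else { 'n/a' }

    # Live sessions negotiated at a 1.x dialect show who would break if SMB1 were disabled.
    $sessions = Get-SmbSession -ErrorAction SilentlyContinue | Where-Object { $_.Dialect -like '1.*' }
    $result.ActiveSmb1Sessions = @($sessions).Count

    # Patches installed on the host, for cross-checking against the March 2017 SMB fix.
    $result.HotfixesInstalled = @(Get-HotFix -ErrorAction SilentlyContinue).Count

    [pscustomobject]$result
}

function Disable-Smb1Server {
    # Defensive change: stop offering SMB1 from this host. Requires elevation.
    # Check ActiveSmb1Sessions first so legacy devices relying on SMB1 are found before cutover.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

Get-Smb1Exposure | Format-List
```

Hosts that report an active SMB1 session count above zero usually have a legacy device or imaging system on the other end, which is exactly the kind of endpoint the post describes as hard to patch.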

Ransomware Increasingly Attacking Healthcare Industry

Despite billions of dollars and operational continuity in healthcare being at risk, the industry is stymied by a lack of both answers and the resources required to adequately defend itself. Per a May 2016 study from the Ponemon Institute, nearly 90% of healthcare organizations have been compromised by at least one malware infection in the past two years. Further, Ponemon finds the cost of a data breach has now climbed to $4 million, and only half of healthcare organizations feel adequately prepared to prevent the next attack. According to a report by Health and Human Services, 76% of business leaders likened cyber risk to a natural disaster they were powerless to predict or control.

There are a number of reasons for this reality.

First, healthcare providers offer a rich target for cyber criminals. They rely on up-to-date information from patient records in order to provide critical care; without quick access to drug histories, surgery directives and other information, patient care can be delayed or halted.

Further, hospital networks are rarely offline. Because they enable the operation of connected medical devices including insulin pumps, MRI machines, X-rays, CT/CAT scanners, ventilators, pacemakers, defibrillators and microscopes, healthcare providers can ill afford downtime. This reality means the industry is more likely to pay a ransom than impede patient care.

The healthcare industry has lagged behind other network-intensive industries like financial services in its approach to cyber security. There are a bevy of reasons why:

  • 85% of modern healthcare providers don't have a single qualified security person on staff. The industry faces a severe security talent shortage. Moreover, limited education and awareness programs for healthcare professionals further diminish the opportunity to enroll "front line" workers in the fight.
  • 82% of healthcare organizations were found to be running legacy Windows versions, with 76% running Windows 7 (HHS Cybersecurity Task Force Report to Congress, May 2017).
  • 40% of all IoT devices are health-related devices, which often can't be patched or managed, and are therefore, like legacy devices, extremely vulnerable to attack.
  • Healthcare organizations spend on average less than 6% of their information technology budget on security, according to a survey from HIMSS Analytics. In contrast, the federal government and financial and banking institutions spend 16% of their IT budget on security. Personal health information is 50 times more valuable on the black market than financial information, according to the HIMSS survey.

We're Here for a Second Opinion

BluVector is a revolutionary early warning system that uses a unique form of self-adapting machine learning to find and contain advanced cyber threats, at the network edge, in real time. Unlike other machine learning-based advanced threat systems, which are focused on finding bad actors AFTER they have gotten inside the network, BluVector's patented Machine Learning Engine makes it possible to analyze 100% of your traffic, at the network edge, in milliseconds. To learn how machine learning can help, request a free 14-day Network Threat Assessment.

What Is Destructive Malware?

Destructive malware sounds redundant, like "serious crisis" or "end result." In fact, it is the latest advancement in malware: it takes the already cunning ways in which polymorphic malware enters and hides within a computing device, and then downloads a payload that destroys your network and data with military-like precision. So, what is it?

US-CERT (United States Computer Emergency Readiness Team) describes destructive malware as having: the capability to target a large scope of systems, and... potentially execute across multiple systems throughout a network. As a result, it is important for an organization to assess its environment for atypical channels for potential malware delivery and/or propagation throughout their systems.

Shamoon, the first version of destructive malware that can be broadly applied to civilian environments, was first spotted in the wild in 2012, when nation-state perpetrators, allegedly Iran, destroyed 35,000 Saudi Aramco workstations and put the energy company’s supply of 10 percent of the world’s oil in jeopardy. US-CERT described Shamoon as "an information-stealing malware that also includes a destructive module... render[ing] infected systems useless by overwriting the Master Boot Record (MBR), the partition tables, and most of the files with random data. Once overwritten, the data are not recoverable."

The original Shamoon malware was made up of three primary functional components that set up the general template that later strains of destructive malware would follow:


Newer versions of destructive malware provide functional improvements over the original Shamoon malware. Shamoon 2.0, first reported in November 2016, reused 90 percent of the code of the original Shamoon, but it also comes with "a fully functional ransomware module, in addition to its common wiping functionality," and installs a legitimate-looking driver that changes the infected computer’s system date to a random one between August 1–20, 2012 to “fool the driver’s license checks and evaluation period."

StoneDrill, another type of destructive malware that was discovered around the same time as Shamoon 2.0, stylistically is similar to Shamoon 2.0, particularly its "heavy use of anti-emulation techniques in the malware, which prevents the automated analysis by emulators or sandboxes." However, StoneDrill’s code is different, and it has even more dangerous properties than Shamoon 2.0, including:

According to Kaspersky Lab, StoneDrill has attacked several energy targets in Saudi Arabia and one target in Europe, but information about its impact on these targets has yet to be made public. The Shamoon 2.0 campaigns have reportedly broadened their scope to target other parts of Saudi Arabia's infrastructure, including financial services and the public sector along with the energy sector. The scale of the campaign, which comprises multiple waves of attacks, suggests it was the comprehensive operation of a nation-state disrupting another nation through a coordinated attack.

Looking to understand how the latest destructive malware is evolving to hide from other defenses? Read more in Cyber Threats on a Path to Destruction, our free, comprehensive guide to understanding those threats and how supervised machine learning is the key to detecting future ones.

BluVector Recognized on 2017 Emerging Vendors List By CRN

Company’s Supervised Machine Learning-based Platform Moves Threat Detection Back to the Network Edge

Arlington, VA July 24, 2017 – BluVector, a leader in network security monitoring and analytics, today announced that CRN®, a brand of The Channel Company, has named BluVector to its 2017 Emerging Vendors list in the security category.

This list recognizes recently founded, up-and-coming technology suppliers that are shaping the future of the IT channel through unique technological innovations. In addition to celebrating these standout companies, the Emerging Vendors list serves as a valuable resource for solution providers looking to expand their portfolios with cutting-edge technology. This year, for the first time, the list is divided into seven categories: Cloud, Data Center, Security, Big Data, Networking/VoIP, Internet of Things and Storage.

BluVector is transforming the way organizations protect critical data and infrastructure from the most sophisticated and fast-moving cyber threats. BluVector’s patented supervised machine learning models analyze files and software in milliseconds, right as they enter the network. The company recently announced its latest version of BluVector that offers the benefits of network sandboxing capabilities but performs analysis in real-time at the network edge.

“This impressive group of technology supplier startups is already disrupting the status quo, aggressively creating and innovating to meet the ever-changing demands of the IT market,” said Robert Faletra, CEO of The Channel Company. “CRN’s 2017 Emerging Vendors represent the next generation of IT change agents, producing a wide range of leading-edge products that solution providers should keep an eye on in the coming year and beyond.”

“We are excited to be named as an Emerging Vendor in the security category by CRN,” said Jason Moore, vice president of global sales at BluVector. “BluVector is setting the course for the future when it comes to leveraging machine learning to detect advanced threats today before they become a breach tomorrow. We recognize the critical role that our channel partners play in solving real customer challenges, and we look forward to continuing to provide our channel partners with the most innovative solutions.”

This latest recognition reflects the strong momentum BluVector is experiencing due to its well-designed and patented approach to threat detection—an approach that has landed the company a slew of accolades. Most recently, BluVector was selected to Momentum Partners’ Watch List and named a winner of Red Herring’s Top 100 North America award.

The Emerging Vendors: Security list will be featured online at