Darktrace: Cybersecurity's AI Counterpuncher

How can we protect against the cyber threats of today and prepare for the threats of tomorrow? Darktrace are a rapidly growing tech company based out of San Francisco and Cambridge, UK, who are getting well-deserved attention for their novel approaches to both AI and cybersecurity. Founded through a collision of academic mathematicians and members of the security services who had been tackling state-level attacks, Darktrace takes a very different approach to how cyber-attacks can be defended against. Speaking to Darktrace CMO Emily Orton, we got some insight into the challenges facing enterprises in today's interconnected world.

Darktrace is taking 21st century cyber approaches to defend enterprise infrastructure.

Many supposedly new advances in cyber-security are really legacy approaches: they rely on knowing who we're protecting against and defending the perimeter from them. Orton highlighted that this approach is the same as building a moat around a Tuscan castle: it's not sufficient to protect us against modern techniques of infiltration. The issue today is that networks are too large and interconnected – there are simply too many in-roads into a network for the 'walled off' style of approach to be sustainable – and so Darktrace are trying something different. The standard dogma of cybersecurity is that threats can be kept outside of the network. This has meant that the bulk of effort in the security sector, and the IT industry at large, is based on the simplistic idea that we can just keep the bad guys out. However, this worldview historically hasn't adjusted to defending against actors already within the network itself.

Darktrace, while grounded in the heady mathematics of Machine Learning and Bayesian Probability Theory, has taken inspiration from the Life Sciences, specifically from the way the Immune System operates. Our surface barrier, the skin, protects us from pathogens and foreign bodies. Few of us worry about contracting an infection through simple contact with the world, and that is down to the efficacy of this barrier. However, the skin on its own is insufficient to produce a robust defence of the host – internal security mechanisms must be active. So, with this 'bioinspiration', Darktrace aims to catch anomalies from within the network, in what they term the 'Enterprise Immune System'.

Machine Learning allows an enterprise to be alerted to unusual behaviour that would previously have gone unnoticed, such as an insider syphoning off files, especially if that user isn't already on some comprehensive watchlist. But Darktrace aren't typically bumping up against malicious agents infiltrating some enterprise; interestingly, much of their work in this context has to do with a technological naivety found in employees and their regard for basic data security. Orton pointed to a few groan-worthy examples of everyday behaviour that would stump security in the traditional paradigm: "We had a user sending massive files using iMessage because he couldn't get them out. His company was so locked down. From what we could see he wasn't malicious, he just wanted to get his work done. We've had game developers sending source code back on their Gmail accounts. These aren't people that are trying to take the company down; again, they're just trying to do their work. Sometimes people just make mistakes. We're seeing ransomware cases every week, and that's always someone who clicked on links. And those phishing attacks are getting better and better."

There's a general resignation in cybersecurity that as new threats are created, awareness of those threats lags significantly. Orton noted that threats like polymorphic malware are particularly problematic because they won't appear in the security blogs until the malware has already undergone several 'iterations'. The importance of automation now comes to the fore: action has to be taken in real time. The days of pushing software patches months after an infiltration are over.

It's not simply in the defence of the network that Darktrace is applying their knowhow. Darktrace has proven to be an effective counter-puncher and brings the Immune System analogy to life with the company's Antigena. This is an algorithm-based counterstrike service that can intercept malicious actions before they can damage your core infrastructure and data. The cool thing about this is that, in essence, it's the first time machine learning is responding to threats as opposed to just passively detecting them. As Orton intimated, "We now have a portion of our customers that love the machine learning so much, and have seen it in practice, that they trust that machine to take action on their behalf." This highlights a larger point: there are simply too many threats, and even with a 24/7 security team there is a limit to what humans can deal with, so the volume of threats becomes an unmanageable problem when it comes to protecting your assets. She touched on the idea that automated cyber warfare is a likely reality, with automated hackers tackling AI defence systems. But there's an advantage to being on the defensive side, being proactive and assuming there will be attempts at infiltration: by learning everything you can about your network, you know the battlefield better than any attacker.

Darktrace customers discuss the Enterprise Immune System's unique approach to cyber defense.

Machine Learning and Bayesian Stats are nothing new, so why has it taken so long for the likes of Darktrace to come along? Processing power certainly has a hand in that. But again, the scale of the networks and the sheer difference between the network architecture of one enterprise and another makes this an unusual and previously intractable challenge: if you're at a media agency, Facebook may be whitelisted; walk into a bank and such sites will be firmly on the blacklist. Add remote working and freelancing to that complexity.

In order to handle the variability in the threats, various algorithms are employed which are then filtered for performance. Darktrace are tracking many events, with automation allowing them to probe hundreds of metrics of behaviour. These could include login time stamps, the volume of data transferred, and the frequency of data transfer. Perhaps a user logs into their computer at 2am; this may be unusual, but not something that would pass the threshold to be flagged to the security personnel. However, if they also see that the connection was to somewhere in Ukraine, a pattern of behaviour not previously seen in the user's history, and perhaps that the volume of data being transferred far exceeded the user's typical usage, then that would be flagged. The enterprise itself decides how sensitive it is to these flags – a financial institution will have a lower threat tolerance than another business, for example.

All users, the devices they use, and the network as a whole are modelled, and as such Darktrace are learning what's normal for that user, that device, that network. However, this data set is not producing a static baseline of events; the system Darktrace is deploying is calculating probabilities based on evolving evidence.
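As an added illustration of the two preceding paragraphs (this is not Darktrace's own code or algorithm, which the article does not describe at that level of detail), the Python sketch below builds a per-user baseline from past events, combines the three kinds of evidence the article names (login hour, destination country, transfer volume) into one score, and leaves the alerting threshold to the enterprise. The history data, scoring formulas and threshold values are all constructed assumptions.

```python
import math

# Constructed sample history for one user: (login_hour, dest_country, bytes_out).
# These are made-up values, not data from the article.
HISTORY = [(9, "GB", 12_000), (10, "GB", 8_500), (14, "US", 20_000),
           (11, "GB", 15_000), (16, "GB", 9_000), (9, "US", 30_000)]

def build_baseline(events):
    """Summarise what is 'normal' for one user from their past events."""
    vols = [b for _, _, b in events]
    mean = sum(vols) / len(vols)
    std = math.sqrt(sum((v - mean) ** 2 for v in vols) / len(vols)) or 1.0
    hour_counts = {}
    for h, _, _ in events:
        hour_counts[h] = hour_counts.get(h, 0) + 1
    return {"n": len(events), "hour_counts": hour_counts,
            "countries": {c for _, c, _ in events},
            "vol_mean": mean, "vol_std": std}

def score_event(baseline, hour, country, nbytes):
    """Combine three weak signals; each contributes a value in 0..1."""
    n = baseline["n"]
    # Laplace-smoothed probability of this login hour over 24 possible hours,
    # normalised so that an hour never seen before scores exactly 1.0.
    p_hour = (baseline["hour_counts"].get(hour, 0) + 1) / (n + 24)
    hour_ev = math.log(p_hour) / math.log(1 / (n + 24))
    # A destination country the user has never connected to before.
    country_ev = 0.0 if country in baseline["countries"] else 1.0
    # Volume: z-score above the user's mean, saturating at five std devs.
    z = (nbytes - baseline["vol_mean"]) / baseline["vol_std"]
    volume_ev = min(max(z / 5.0, 0.0), 1.0)
    return {"hour": hour_ev, "country": country_ev, "volume": volume_ev}

def is_flagged(baseline, event, threshold):
    """The threshold is the enterprise's own risk-tolerance setting."""
    return sum(score_event(baseline, *event).values()) >= threshold

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    # A 2am login on its own stays below a threshold of 1.5; the same login
    # to a new country with a huge transfer does not.
    for ev in [(2, "GB", 10_000), (2, "UA", 500_000)]:
        total = round(sum(score_event(base, *ev).values()), 2)
        print(ev, total, "FLAG" if is_flagged(base, ev, 1.5) else "ok")
    # The baseline evolves: an unflagged event is folded back in and rebuilt.
    base = build_baseline(HISTORY + [(2, "GB", 10_000)])
```

Lowering the threshold to 1.0 (a stricter tolerance, as a bank might choose) flags the lone 2am login as well, which is the sensitivity trade-off the article describes.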

After all, if the threats are constantly innovating, surely our defence should be too?