Darktrace Automates Network Security Through Machine Learning
Darktrace co-founder Poppy Gustafsson recently predicted, at TechCrunch Disrupt London, that malicious actors will increasingly use artificial intelligence to create more sophisticated spearphishing attacks.
Criminals are just as capable of using artificial intelligence as those trying to thwart them, according to security vendor ESET’s 2017 trends report. At the same time, “next-gen” security marketers are throwing around buzzwords such as “machine learning” and “behavioral analysis,” which makes it harder for potential customers to sift through the hype.
The same report predicts the rise of “jackware,” or Internet-of-Things ransomware, such as locking a car’s software until a ransom is paid.
Darktrace has noted IoT security problems in some unexpected places:
- The fingerprint scanner at the warehouse of a luxury goods manufacturer was breached. Not only were all the employees’ fingerprints stolen, but the attackers also uploaded their own fingerprints to gain access to the warehouse.
- A law firm connected employee badges to its networked vending machines, giving workers the ability to set up accounts so they didn’t have to dig for change to buy a snack. They could just swipe their card. But there was a lot of personal information associated with the badges, and the vending company was found to be selling employee data to a marketing firm.
UK-based security vendor Darktrace takes the view that determined attackers will get into your network, so a purely perimeter-based strategy won’t work. Instead, it focuses on detecting and mitigating attacks in their earliest stages. It calls its detection piece the Enterprise Immune System, modeled after the human body’s defenses. The system uses unsupervised machine learning: rather than matching signatures or known examples of malware, and without being told what to look for, it learns a baseline of “normal” for the network and then flags deviations from that baseline.
“My body is like a network — it’s different from yours, it’s constantly changing,” explained Justin Fier, director of cyber intelligence and analysis at Darktrace. “We’re not just looking for malicious actions, we’re looking for anomalies. Anomalies can turn into malicious activity, but it can also be a configuration error or an employee that’s gone rogue. We don’t want to just focus on the malicious arena because there are a lot of other things that can be very bad without it being malware.”
He likens the Enterprise Immune System to the body’s, able to detect subtle changes, such as elevated temperature that could signal the flu.
“If you look at network activity, it’s really just a big data set. The real problem is how do I manipulate and read that data in an efficient manner? That’s where unsupervised machine learning comes in. It’s all about looking at that data, which also is changing every second. It looks for trends; it can cluster and find what objects are acting like others and find obvious deviations and often very subtle deviations,” he said.
“We’re looking at how a device is talking to other internal devices, how it’s talking to the outside world,” Fier added. “Is it acting in a way that it doesn’t normally act based on its pattern of life? Then we’ll say, ‘Show me all the devices that are similar to this device.’ Is it acting in a way that’s anomalous to those?”
Spy Agencies and Math Geeks
Darktrace was founded in 2013, in a collaboration between British intelligence agencies and Cambridge University mathematicians. Its backers include Autonomy founder Mike Lynch. It has raised $104.5 million, including a $64 million Series C in July.
Darktrace boasts 1,500 deployments, including customers such as Toyota, Zappos, PWC and T-Mobile, and has a staff of roughly 300.
Its technology is based on Bayesian probabilistic mathematics, which updates an estimate of risk as new evidence accumulates rather than relying only on historical frequencies. Using an appliance attached to the network, it analyzes the behavior of every user, device and network element to build models of normality. The appliance takes about an hour to install, Fier said, and although users can employ any of the hundreds of included models, the system is fully configurable to their own networks.
The system does not rely on agents, which saves time that otherwise would be required for installation and maintenance. And it generally detects 20 to 30 percent more devices than network administrators expected, Fier said.
Beyond security visibility, network teams have used the appliance to track all the hardware on the network, and a few HR teams have used it to monitor the activity of employees who are being let go, to guard against malicious insider activity.
Visualization is a key differentiator, Fier said. Using its Threat Visualizer interface, a user could watch, for instance, the lateral movement of a piece of ransomware. And it makes the network fully searchable. You can drill down into the activity of a specific device to watch for actions such as calling out to a suspicious region or sending out data.
“Everything in Darktrace is configurable. You can say, ‘show me all breaches [for a specific time frame.]’ You can also say, ‘sort by models’ or ‘sort by devices’ or ‘show me user accounts that are acting funny,’” Fier said.
A slider also lets users fine-tune the number of alerts. For example, you can set it to show only the rarest 55 percent of anomalies.
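The three ideas in the preceding sections, a per-device “pattern of life,” the “show me all the devices that are similar to this device” peer comparison, and a rarity slider that keeps only the top fraction of anomalies, can be sketched in a few dozen lines. The following is an added example written for this page, not Darktrace’s models or code: the traffic, the device names and the destination 198.51.100.7 (RFC 5737 documentation space) are constructed, a Beta(1,1) posterior predictive stands in for whatever Bayesian models the product actually uses, and Jaccard similarity over the set of (destination, port) pairs stands in for its device clustering.

```python
"""Toy 'pattern of life' anomaly scorer: per-device baseline, peer-group
comparison and a rarity slider. Added illustration with constructed traffic
and hypothetical device names; not Darktrace's models or code."""
from collections import Counter
from dataclasses import dataclass
from math import ceil, log2, sqrt
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str        # internal device
    dst: str        # destination host label
    port: int
    bytes_out: int


class Profile:
    """What one device has been seen doing: whom it talks to, how much it sends."""
    def __init__(self) -> None:
        self.counts: Counter = Counter()   # (dst, port) -> times seen
        self.sizes: List[int] = []

    def learn(self, f: Flow) -> None:
        self.counts[(f.dst, f.port)] += 1
        self.sizes.append(f.bytes_out)

    @property
    def n(self) -> int:
        return sum(self.counts.values())

    def keys(self) -> Set[Tuple[str, int]]:
        return set(self.counts)

    def volume_threshold(self) -> float:
        """mean + 3 sigma of bytes sent per flow; 0.0 when there is no history."""
        if not self.sizes:
            return 0.0
        mean = sum(self.sizes) / len(self.sizes)
        var = sum((s - mean) ** 2 for s in self.sizes) / len(self.sizes)
        return mean + 3 * sqrt(var)


def surprisal(count: int, n: int) -> float:
    """Bits of surprise at seeing this (dst, port). With a Beta(1,1) prior the
    posterior predictive is (count+1)/(n+2): evidence accumulates instead of a
    raw frequency being used, so a never-seen pair is rare, not impossible."""
    return -log2((count + 1) / (n + 2))


class PatternOfLife:
    def __init__(self, min_similarity: float = 0.5) -> None:
        self.profiles: Dict[str, Profile] = {}
        self.min_similarity = min_similarity

    def learn(self, flows: List[Flow]) -> None:
        for f in flows:
            self.profiles.setdefault(f.src, Profile()).learn(f)

    def peers(self, device: str) -> List[str]:
        """Devices whose set of (dst, port) conversations overlaps this one's
        (Jaccard similarity at or above the threshold)."""
        mine = self.profiles.get(device, Profile()).keys()
        out = []
        for other, prof in self.profiles.items():
            theirs = prof.keys()
            if other == device or not (mine | theirs):
                continue
            if len(mine & theirs) / len(mine | theirs) >= self.min_similarity:
                out.append(other)
        return out

    def score(self, f: Flow) -> float:
        """Anomaly score in bits: mean of self- and peer-surprisal, plus a
        volume term when the transfer is far larger than this device's norm."""
        prof = self.profiles.get(f.src, Profile())   # unseen device: empty baseline
        key = (f.dst, f.port)
        s_self = surprisal(prof.counts[key], prof.n)
        peers = self.peers(f.src)
        if peers:   # unusual for this device but routine for its peers scores lower
            s_peer = surprisal(sum(self.profiles[p].counts[key] for p in peers),
                               sum(self.profiles[p].n for p in peers))
        else:
            s_peer = s_self                            # nothing to compare against
        score = (s_self + s_peer) / 2
        thr = prof.volume_threshold()
        if thr > 0 and f.bytes_out > thr:
            score += log2(f.bytes_out / thr)
        return score


def rarest(scored: List[Tuple[object, float]], fraction: float) -> List[Tuple[object, float]]:
    """The alert slider: keep only the top `fraction` rarest anomalies."""
    ranked = sorted(scored, key=lambda item: item[1], reverse=True)
    return ranked[: ceil(len(ranked) * fraction)]


def _rep(src: str, dst: str, port: int, n: int, size: int) -> List[Flow]:
    return [Flow(src, dst, port, size)] * n


# Constructed baseline: three similar workstations and one printer (hypothetical names).
BASELINE = (
    _rep("ws-01", "intranet", 443, 8, 20_000) + _rep("ws-01", "mail", 993, 4, 5_000)
    + _rep("ws-02", "intranet", 443, 7, 18_000) + _rep("ws-02", "mail", 993, 5, 6_000)
    + _rep("ws-02", "update-cdn", 443, 3, 50_000)
    + _rep("ws-03", "intranet", 443, 9, 22_000) + _rep("ws-03", "mail", 993, 3, 4_000)
    + _rep("ws-03", "update-cdn", 443, 2, 45_000)
    + _rep("printer-01", "print-server", 9100, 12, 1_000)
)
# Constructed candidates; 198.51.100.0/24 is RFC 5737 documentation space.
CANDIDATES = {
    "ws-01 intranet":   Flow("ws-01", "intranet", 443, 20_000),
    "ws-01 update-cdn": Flow("ws-01", "update-cdn", 443, 30_000),
    "ws-01 exfil":      Flow("ws-01", "198.51.100.7", 4444, 90_000_000),
    "printer exfil":    Flow("printer-01", "198.51.100.7", 4444, 500_000),
}

MODEL = PatternOfLife()
MODEL.learn(BASELINE)


def score_candidates() -> Dict[str, float]:
    return {label: MODEL.score(f) for label, f in CANDIDATES.items()}


if __name__ == "__main__":
    for label, s in rarest(list(score_candidates().items()), 0.5):
        print(f"{label}: {s:.2f} bits")
```

With the slider at 0.5 the two large outbound transfers to the unknown host surface and the workstation’s first visit to the update CDN does not, because its peers visit that CDN routinely. The peer step is what keeps a model with no signatures from paging on every new but ordinary conversation; the volume term is what turns “talks to a new host” into “sends a great deal of data to a new host,” which is the case the article’s description of watching a device “sending out data” refers to.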
Beyond merely alerting security staff to anomalies, Darktrace recently launched Antigena, which can take automated actions against threats in real time:
- Stop or slow down activity related to a specific threat.
- Quarantine or semi-quarantine people, systems, or devices.
- Mark specific pieces of content, such as email, for further investigation or tracking.
Gartner named Darktrace among its “Cool Vendors in Energy and Utilities, 2015,” noting its ability to identify attacks in real time. That report, written before the launch of Antigena, also highlighted the need for an automated response to detected threats.
“It’s not your standard intrusion-detection system, which most admins will tell you tend to break more than they fix — shutting down entire subnets, affecting a lot of business continuity,” Fier said. “Antigena takes a very surgical approach to it. It will only block very specific communications between the source and destination on a specific port and might not even block it indefinitely. We may tell it to block [the communication] for only a specific period of time. And nine times out of 10, the user will never even know Antigena has kicked in.”
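The contrast Fier draws, a time-bounded block on one source/destination/port conversation versus cutting off a host or subnet, is easy to make concrete. The following is an added example for this page and is not Antigena’s code: it keeps block rules in memory rather than pushing them to a firewall, and the flows, device names and the destination 198.51.100.7 (RFC 5737 documentation space) are constructed. The `blast_radius` helper counts how many known-good conversations a rule would also interrupt, which is the business-continuity cost the quote is about.

```python
"""Toy time-bounded, tuple-scoped block table. Added illustration of the
'surgical' response style described above; constructed, not Darktrace code."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


@dataclass(frozen=True)
class Rule:
    """A block rule. None in a field means 'any'; expires_at is in seconds."""
    src: Optional[str]
    dst: Optional[str]
    port: Optional[int]
    expires_at: float

    def matches(self, f: Flow, now: float) -> bool:
        if now >= self.expires_at:          # an expired rule matches nothing
            return False
        return all(pat is None or pat == val
                   for pat, val in ((self.src, f.src), (self.dst, f.dst), (self.port, f.port)))


def surgical_block(src: str, dst: str, port: int, now: float, ttl_s: float) -> Rule:
    """Block one source/destination/port conversation for a bounded time."""
    return Rule(src, dst, port, now + ttl_s)


def host_block(src: str, now: float, ttl_s: float = float("inf")) -> Rule:
    """The blunt alternative: cut the host off entirely, indefinitely by default."""
    return Rule(src, None, None, now + ttl_s)


class BlockTable:
    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def add(self, rule: Rule) -> None:
        self.rules.append(rule)

    def is_blocked(self, f: Flow, now: float) -> bool:
        return any(r.matches(f, now) for r in self.rules)

    def expire(self, now: float) -> int:
        """Drop rules whose time is up; return how many remain."""
        self.rules = [r for r in self.rules if r.expires_at > now]
        return len(self.rules)


def blast_radius(rule: Rule, legit: List[Flow], now: float) -> int:
    """How many known-good conversations the rule would also interrupt."""
    return sum(rule.matches(f, now) for f in legit)


# Constructed: the workstation's normal conversations (hypothetical names).
LEGIT = [Flow("ws-01", "intranet", 443), Flow("ws-01", "mail", 993),
         Flow("ws-01", "update-cdn", 443), Flow("ws-02", "intranet", 443)]
# Constructed: the anomalous conversation the detector flagged.
SUSPECT = Flow("ws-01", "198.51.100.7", 4444)   # 198.51.100.0/24 is documentation space


def demo(now: float = 0.0) -> Dict[str, object]:
    table = BlockTable()
    narrow = surgical_block(SUSPECT.src, SUSPECT.dst, SUSPECT.port, now, ttl_s=600)
    table.add(narrow)
    return {
        "suspect_blocked_now": table.is_blocked(SUSPECT, now + 10),
        "legit_hit_by_narrow": blast_radius(narrow, LEGIT, now + 10),
        "legit_hit_by_host_block": blast_radius(host_block(SUSPECT.src, now), LEGIT, now + 10),
        "suspect_blocked_after_ttl": table.is_blocked(SUSPECT, now + 600),
        "rules_left_after_ttl": table.expire(now + 600),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The narrow rule stops the flagged conversation and touches none of the workstation’s routine traffic, while a host-wide block of the same machine interrupts all three of its legitimate conversations; after the 600-second TTL the narrow rule stops matching and can be garbage-collected. In a real deployment the rule would be translated into a firewall or switch ACL entry with the same tuple and timeout, and the expiry is what prevents a false positive from becoming a permanent outage.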
451 Research lauded the addition of Antigena, noting it “can stop the attack, limiting the damage to just a few files. We believe it represents an important step in behavior analytics evolving to an active defense that traditional systems cannot match.”
Feature image via Pixabay.