Darktrace hopes to be a leader in the move to automated cyber security to free up security professionals to focus on business risk and innovation
The company aims to be a leader in the move into this new era of information security, and is already working on the next phase of its self-learning security system to enable automatic defence.
Darktrace is recognised as one of the UK’s most successful security startups, with founders including senior members of the UK government’s cyber community from MI5 and GCHQ.
The company also has close links to the maths department at Cambridge University, with Darktrace’s threat-detection and machine-learning capabilities based entirely on mathematical models.
This mathematical base is core to Darktrace’s ability to detect threats without any prior knowledge of what it is looking for and without any need for rules or attack signatures. The company believes that this is what distinguishes Darktrace from traditional security systems and other behavioural analytics systems that rely on mathematical extrapolations of past attacks or analysis of big data collected from various logging systems.
Darktrace’s Enterprise Immune System is modelled on the human immune system and is designed to address the challenge of insider threat and advanced cyber attacks through detecting previously unidentified threats in real time, as manifested in the emerging behaviour of a specific organisation’s network, people and devices, including mobile devices and internet of things (IoT) devices.
“We believe we are the only ones at the moment who focus only on learning from the behaviours of people and systems within the business rather than on algorithms that look for known types of attacks,” said Darktrace co-founder and director of technology Dave Palmer.
“We believe in a continuous security approach because there will always be risks, and organisations need to have the capability to deal with them and bring that risk down to a manageable level all the time – rather than having a roller-coaster situation,” he told Computer Weekly.
Darktrace uses a human immune system analogy, said Palmer, because security needs to be working all the time to ensure the right managers and the board are aware of the risks. This is so they can manage it down to an acceptable level by learning and understanding more about how the business works than an attacker ever could.
“The system is based on the conviction that if you want to do this right, you have got to focus on what your people and devices really do and then be able to look for what is unusual, different or strange, which makes the system unique to the organisation in which it is deployed,” he said.
Firms unaware of cyber risk
According to Palmer, who oversees the mathematics and engineering teams at Darktrace, organisations are typically not aware of all the latent cyber risk in their business operations, which is illustrated by the fact that in 100% of organisations where Darktrace has been implemented, the system has identified previously unknown risks.
“Most organisations do not recognise the true breadth of the digital business, but this can be accurately established and visualised using machine learning and mathematical analysis to find everything that makes up the digital business and what it is communicating with,” he said.
At one company, for example, Darktrace detected that a fingerprint sensor used for access to the building was connecting to the internet in an unexpected way.
An investigation revealed that attackers had established a link to the sensor, which was connected to the internet in a way that it should not have been. The attackers were exploiting a published security vulnerability in the fingerprint sensor to upload data that would have given them physical access to the building if the exploit had remained undetected. The attackers had also installed malware on the system that they planned to use to establish a foothold in the organisation’s IT network.
“Rather than focussing on any particular kind of attack or behaviour, the Darktrace system monitors everything that is going on in a digital enterprise and looks for the unexpected, such as the fingerprint sensor’s communication over the internet and a firmware update,” said Palmer.
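As an added illustration of the kind of behavioural check described above (this is example code written for this page, not Darktrace’s software or a description of its models), the following Python builds a per-device baseline from a learning window of constructed flow records and then scores later flows only against that device’s own history, with no attack signatures. The sensor address 10.0.5.20, the internal prefix 10.0.0.0/8, the sample flows and the scoring weights are all assumptions chosen for the example.

```python
"""Behavioural baseline detector for device network flows (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: everything inside this prefix is the organisation's own network.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds since start of capture
    src: str       # source device IP
    dst: str       # destination IP
    dport: int     # destination port
    nbytes: int    # bytes sent by src in this flow


# Constructed learning window: the fingerprint sensor (10.0.5.20) only ever talks to
# the on-premises access-control server and the internal DNS resolver; a workstation
# (10.0.7.31) also browses an external site, which is normal for it.
LEARNING_FLOWS = [
    Flow(0, "10.0.5.20", "10.0.5.2", 4433, 1200),
    Flow(60, "10.0.5.20", "10.0.5.2", 4433, 900),
    Flow(120, "10.0.5.20", "10.0.0.53", 53, 80),
    Flow(30, "10.0.7.31", "10.0.0.53", 53, 70),
    Flow(31, "10.0.7.31", "203.0.113.10", 443, 15000),
]

# Constructed later traffic: the sensor suddenly pushes data to an external host.
NEW_FLOWS = [
    Flow(3600, "10.0.5.20", "10.0.5.2", 4433, 1100),        # normal
    Flow(3610, "10.0.5.20", "203.0.113.77", 443, 48000),    # sensor talks to the internet
    Flow(3620, "10.0.7.31", "203.0.113.55", 443, 8000),     # workstation, new but unremarkable
    Flow(3630, "10.0.9.9", "10.0.5.2", 4433, 500),          # device never seen before
]


def is_external(ip: str) -> bool:
    """True if the address is outside every configured internal prefix."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def build_baseline(flows):
    """Learn, per source device, its peers (dst, port), whether it ever went external,
    and the largest single flow it sent. Nothing here is attack-specific."""
    baseline = defaultdict(lambda: {"peers": set(), "external": False, "max_bytes": 0})
    for f in flows:
        b = baseline[f.src]
        b["peers"].add((f.dst, f.dport))
        b["external"] = b["external"] or is_external(f.dst)
        b["max_bytes"] = max(b["max_bytes"], f.nbytes)
    return baseline


def score_flow(baseline, f: Flow):
    """Score 0..100 for how unusual this flow is for *this* device, plus the reasons.
    Weights are arbitrary assumptions for the example."""
    b = baseline.get(f.src)
    if b is None:
        return 100, ["device not seen during learning window"]
    score, reasons = 0, []
    if (f.dst, f.dport) not in b["peers"]:
        score += 40
        reasons.append("new peer/port for this device")
    if is_external(f.dst) and not b["external"]:
        score += 40
        reasons.append("first external contact for this device")
    if f.nbytes > 10 * max(b["max_bytes"], 1):
        score += 20
        reasons.append("volume more than 10x this device's historical maximum")
    return min(score, 100), reasons


def detect(baseline, flows, threshold: int = 50):
    """Return (flow, score, reasons) for every flow at or above the threshold."""
    alerts = []
    for f in flows:
        score, reasons = score_flow(baseline, f)
        if score >= threshold:
            alerts.append((f, score, reasons))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(LEARNING_FLOWS)
    for f, score, reasons in detect(baseline, NEW_FLOWS):
        print(f"t={f.ts} {f.src} -> {f.dst}:{f.dport} score={score} {reasons}")
```

Run stand-alone, the script alerts on the sensor’s outbound flow to 203.0.113.77 (new peer, first external contact and an unusual volume all at once) and on the never-seen device 10.0.9.9, while the workstation’s visit to a new external site scores below the threshold because going external is already part of that device’s baseline. That per-device framing, rather than a global list of bad destinations, is what makes the alert specific to the organisation the detector was trained on.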
To keep false positives to an absolute minimum, Darktrace uses a combination of 12 different machine-learning algorithms that are monitored by a supervisory mathematical model. That model uses probability theory to assess how well the individual algorithms are performing, and Bayesian modelling to learn from the results and adapt the system’s output.
Self-learning system
According to Palmer, the system uses up to one year of data to look at everything happening in the context of what has happened before.
“This is proving to be enormously powerful in advancing machine learning in ways that were not possible before now,” he said.
And because the system is self-learning, Palmer said the system is not constrained by pre-conceived human thinking.