Last month 12 UK-based security firms travelled with Prime Minister David Cameron on his cyber-themed trip to the White House.
Among that number was Darktrace, a company I met a few weeks after it had briefed the PM on current issues. At the time, Darktrace CEO Nicole Eagan said that there is “a global demand for Darktrace’s Enterprise Immune System approach to address the increasing challenges faced by companies.”
Naturally, the company said that “traditional methods of security are no longer enough” and that it was time for a new machine learning approach that can identify cyber incidents in real time, before they turn into a crisis. The company has won major customers and partners, including consultancy CNS Group, as part of its expansion.
When I met Dave Palmer, director of technology at Darktrace, he said that the Cameron opportunity was one “to change the way we think about security, as prevention alone is not enough”.
The company’s offering is its Darktrace Cyber Intelligence Platform (DCIP), which analyses all information inside the network and adaptively learns the normal patterns for every user, each device and the enterprise as a whole.
This gives it the capability to detect, in real time, behavioural anomalies that have not previously been recognised, such as activity on a data-sensitive area of the network or unexpected decryption. Palmer said that a system can be built to deal with complexity and to know what is normal; what Darktrace offers is not a new idea, but the change in the threat environment over the past few years has created the need to make it work.
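The approach described above, learning what is normal for each device and flagging departures from it, can be illustrated with a small per-device baseline detector. This is an added example written for this article, not Darktrace’s code or anything derived from DCIP; the flow records, device names, the two attributes scored (bytes sent and destination port) and the z-score threshold are all constructed assumptions chosen to show the idea.

```python
from collections import defaultdict
from math import sqrt

# Constructed training flows: (device, bytes_out, dst_port), standing in for the
# "normal" period a learning system would observe first. Not real data.
TRAINING = [
    ("laptop-17", 100, 443), ("laptop-17", 120, 443), ("laptop-17", 110, 53),
    ("laptop-17", 130, 443), ("laptop-17", 90, 53), ("laptop-17", 105, 443),
    ("laptop-17", 115, 443), ("laptop-17", 125, 53), ("laptop-17", 95, 443),
    ("laptop-17", 110, 443),
    ("fileserver-2", 5000, 445), ("fileserver-2", 5200, 445),
    ("fileserver-2", 4800, 22), ("fileserver-2", 5100, 445),
    ("fileserver-2", 4900, 445),
]

# Constructed flows to score against the learned baselines.
EVENTS = [
    ("laptop-17", 118, 443),      # ordinary for this laptop
    ("laptop-17", 900, 443),      # far more data out than this device ever sends
    ("laptop-17", 112, 3389),     # a destination port this device has never used
    ("fileserver-2", 5150, 445),  # ordinary for the file server
    ("printer-9", 10, 80),        # a device never seen during the learning period
]


def build_baselines(records):
    """Learn a per-device profile: mean/std of bytes_out and the set of ports used."""
    volumes = defaultdict(list)
    ports = defaultdict(set)
    for device, bytes_out, dst_port in records:
        volumes[device].append(bytes_out)
        ports[device].add(dst_port)
    baselines = {}
    for device, values in volumes.items():
        mean = sum(values) / len(values)
        std = sqrt(sum((v - mean) ** 2 for v in values) / len(values))
        baselines[device] = {
            "mean": mean,
            # Floor the spread so a device with perfectly constant traffic
            # does not cause a division by zero when scored.
            "std": max(std, 1.0),
            "ports": ports[device],
        }
    return baselines


def score_event(baselines, record, z_threshold=3.0):
    """Return the reasons a flow deviates from its device's baseline ([] if normal)."""
    device, bytes_out, dst_port = record
    profile = baselines.get(device)
    if profile is None:
        # An unknown device is itself worth a look: nothing was learned about it.
        return ["no baseline for device"]
    reasons = []
    z = (bytes_out - profile["mean"]) / profile["std"]
    if abs(z) > z_threshold:
        reasons.append(f"volume z-score {z:.1f} exceeds {z_threshold}")
    if dst_port not in profile["ports"]:
        reasons.append(f"unseen destination port {dst_port}")
    return reasons


def detect(baselines, records):
    """Score every flow and keep only those with at least one reason."""
    alerts = []
    for record in records:
        reasons = score_event(baselines, record)
        if reasons:
            alerts.append((record[0], reasons))
    return alerts


if __name__ == "__main__":
    for device, reasons in detect(build_baselines(TRAINING), EVENTS):
        print(device, "->", "; ".join(reasons))
```

The point of the example is that no rule says “900 bytes is bad” or “port 3389 is bad”; the same flow would be unremarkable from a device that routinely behaves that way. Each alert is judged only against what that particular device has done before, which is what distinguishes this style of detection from signature matching.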
“We need to make it work and need a new system based on power and mathematics,” he said. “It comes from a maths and machine learning perspective. Data is ingested in one second and the immune system doesn’t know what good or bad behaviour is, but it should work in every environment.”
Founded at Christ College at the University of Cambridge, Darktrace has three key groups – the group at the university, a group with experience in enterprise software and a group with experience of intelligence from GCHQ, MI5, NSA and FBI. Palmer said: “Security is not a widget to solve everything, it should be about enabling people.
“Look at SIEM technology: you get it working in a week, but it takes years of roll-out before you feel the benefit. With the instant adding of tens of thousands of devices, there is a need for the visibility of an immune system that doesn’t care about anti-virus or mobile device management.”
He explained that DCIP is a SaaS product in appliance form that is “dropped into the right places on a network” that runs locally. “When I am out of the office, I don’t need to send huge volumes of data around, I just send a fingerprint to the place where I currently am,” he said. “You don’t need a giant database, but get it from where it is. The data does stay local but it learns what normal is at a level of detail.”
DCIP works by identifying the characteristics of a user, and Palmer said that visibility has been a huge issue for the company and its customers: one customer thought it had 5,000 connected devices, but an audit revealed 25,000.
I wanted to understand more about the concept of maths being used in this technology. Palmer said that it is completely anomaly-based: it is used to verify what is going on in the business, and to give insight into what is not normal.
He said: “We talk a lot about changing and the reason is effectively our proposition is enterprises are getting too complex where you cannot have support. What we need is decision support and with the level of complexity we are talking about, it is huge.
“If you have 100,000 people in an organisation, we say estimate five devices per person, so there are 500,000 machines and 100,000 people, and that is 600,000 things you need to worry about – and they are all doing something different. I don’t care how big your security team is, it is like trying to paint the Forth Bridge if you want to work through all the rules and compliance.
“So you have got to rely on the maths and machine learning to get into it and that is starting to get into our everyday life now. We take 350 behaviours from the network communications that come through and that is 350 attributes for everything and some are completely factual and some are completely inferred, but there are some clues and some things count and you learn the patterns of the sequences of actions.”
Palmer said that of these characteristics, some are good for people and some are good for machines, but both have weaknesses too; what makes DCIP work is learning individually which ones matter, so that it can flag what is a genuine concern. “We don’t get false positives with anti-virus and firewalls; this isn’t a ‘it was bad but we stopped it’, no matter the alert it is the matter of the ecosystem,” he said.
The company, formed in 2012 and pushing products for 18 months now, is growing steadily with around 60 full-time employees. Palmer said that as a new company it has plenty to do: on top of its core offering it is “not finished” and it “wants to be on the cutting edge”, and its expansion will rely on the concept of new types of data that it can learn from and react to.
Dave Palmer, director of technology at Darktrace, was talking to Dan Raywood