rvlsoft - Fotolia

UK's Darktrace aims to lead the way to automatic cyber security

Darktrace hopes to be a leader in the move to automated cyber security to free up security professionals to focus on business risk and innovation

Cyber security will be mainly automated based on artificial intelligence (AI) in future, predicts UK information security startup Darktrace.

The company aims to a leader in the move into this new era of information security, and is already working on the next phase of its self-learning security system to enable automatic defence.

Darktrace is recognised as one of the UK’s most successful security startups, with founders including senior members of the UK government’s cyber community from MI5 and GCHQ.

The company also has close links to the maths department at Cambridge University, with Darktrace’s threat-detection and machine-learning capabilities based entirely on mathematical models.

This mathematical base is core to Darktrace’s ability to detect threats without any prior knowledge of what it is looking for and without any need for rules or attack signatures. The company believes that this is what distinguishes Darktrace from traditional security systems and other behavioural analytics systems that rely on mathematical extrapolations of past attacks or analysis of big data collected from various logging systems.

Darktrace’s Enterprise Immune System is modelled on the human immune system and is designed to address the challenge of insider threat and advanced cyber attacks through detecting previously unidentified threats in real time, as manifested in the emerging behaviour of a specific organisation’s network, people and devices, including mobile devices and internet of things (IoT) devices.

“We believe we are the only ones at the moment who focus only on learning from the behaviours of people and systems within the business rather than on algorithms that look for known types of attacks,” said Darktrace co-founder and director of technology Dave Palmer.

“We believe in a continuous security approach because there will always be risks, and organisations need to have the capability to deal with them and bring that risk down to a manageable level all the time – rather than having a roller-coaster situation,” he told Computer Weekly.

Darktrace uses a human immune system analogy, said Palmer, because security needs to be working all the time to ensure the right managers and the board are aware of the risks. This is so they can manage it down to an acceptable level by learning and understanding more about how the business works than an attacker ever could.  

“The system is based on the conviction that if you want to do this right, you have got to focus on what your people and devices really do and then be able to look for what is unusual, different or strange, which makes the system unique to the organisation in which it is deployed,” he said.

Firms unaware of cyber risk

According to Palmer,  who oversees the mathematics and engineering teams at Darktrace, organisations are typically not aware of all the latent cyber risk in their business operations, which is illustrated by the fact that in 100% of organisations where Darktrace has been implemented, the system has identified previously unknown risks.

“Most organisations do not recognise the true breadth of the digital business, but this can be accurately established and visualised using machine learning and mathematical analysis to find everything that makes up the digital business and what it is communicating with,” he said.

At one company, for example, Darktrace detected that a fingerprint sensor used for access to the building was connecting to the internet in an unexpected way.

An investigation revealed that attackers had established a link to the sensor that was connected to the internet in a way that it should not have been. The attackers were exploiting a published security vulnerability in the fingerprint sensor to upload data that would have given the attackers physical access to building if the exploit had remained undetected. The attacker had also installed malware on the system that they planned to use to establish a foothold in the organisation’s IT network.

“Rather than focussing on any particular kind of attack or behaviour, the Darktrace system monitors everything that is going on in a digital enterprise and looks for the unexpected, such as the fingerprint sensor’s communication over the internet and a firmware update,” said Palmer.

To keep the false positives to an absolute minimum, Darktrace uses a combination of 12 different machine-learning algorithms that are monitored by a supervisory mathematical model that uses probability theory and to assess how well these algorithms are working and Bayesian modelling to learn and adapt the system’s output.

Self-learning system

According to Palmer, the system uses up to one year of data to look at everything happening in the context of what has happened before.

“This is proving to be enormously powerful in advancing machine learning in ways that were not possible before now,” he said.

And because the system is self-learning, Palmer said the system is not constrained by pre-conceived human thinking.

Read more about artificial intelligence

“The system is tuning itself based on what is actually happening. In the past, security systems were heavily influenced by the beliefs of those who designed and operated them, but self-learning systems typically challenge those assumptions and can recognise the significance of things that fall outside those expectations, enabling organisations to assess the effectiveness of their more traditional security systems,” he said.

The Darktrace system is designed to direct those responsible for information security towards unusual activity that needs further investigation, whether it is a multi-national bank or a hedge fund employing just 12 people, which is currently Darktrace’s smallest customer organisation.

This is enabled by a brief explanation of why the system has raised and alert and by providing the ability to play back a sequence of events to show what happened before, during and after the suspicious activity and to see data flows in context.

“In designing the system, we wanted to ensure that users did not have to be experienced security analysts or have a PhD in statistics,” said Palmer.

Big benefit to medium-sized organisations

Any organisation interested in seeing how Darktrace would work in their environment can sign up for a short proof of concept trial.

According to Palmer, the system can be installed within an hour because the system is genuinely self-learning and does not require any tuning or configuration, and a trial can be completed in as little as four weeks without the need for any Darktrace engineers to be on site.  

Darktrace believes that maths-based machine learning will be a key component of all information security in future, but the biggest benefit today is likely to be felt by medium-sized organisations that have all the security basics, but lack the people and money of the larger organisations to go a step further.

“In a couple of years’ time, any cyber security business that is not seriously moving into mathematically-oriented self-learning approaches is simply not going to survive because the complexity is just getting too great. We are way past the point where you can rely of things like lists of bad IP addresses and stuff like that,” said Palmer, who oversees product strategy at Darktrace.

He believes the next generation of intrusion detection and prevention systems will become more mathematical as AI technologies such as machine learning mature.

Darktrace’s goal is to lead the way and the company is already conducting beta trials of its new automatic defence technology that it plans to bring to market by the end of 2016.

Darktrace Antigena

Continuing the human immune system analogy, Darktrace Antigena is designed to replicate the function of antibodies that identify and neutralise bacteria and viruses. As the Darktrace Enterprise Immune System detects a threat, the new Antigena modules are designed to act as an additional defence capability that automatically neutralises those threats without requiring human intervention.

Antigena is designed to enable the Darktrace system to prevent, slow or disrupt activity automatically without any disruption to business activities and without involving those responsible for information security, freeing them up to focus on more important and strategic problems, said Palmer.

“This means that security can be more about real business risk management, supporting the goals of the business and enabling innovation rather than about security technology and things like configuring systems, firewall rules and dealing with other low level issues or manual tasks,” he said.

Antigena includes modules for automatically regulating user and machine access to the internet and beyond, regulating email, chat and other messaging protocols, and regulating machine and network connectivity and user access permissions.

“Essentially this is layering more mathematics and AI on top of the Enterprise Immune System to enable automated response and risk reduction,” said Palmer.

“This can be introduced at companies as a decision support technology, but it once they become comfortable with the way it works and its accuracy, the company can opt to allow the system to respond automatically to new threats,” he added.

Thinking even further ahead, Darktrace is researching how information security teams respond to situations with a view to enabling the system to not only learn what they do, but also predict what they will do and then use that information to offer better support information.

“This is the kind of thing that really interests us and the kind of envelope-pushing, self-learning, machine-learning, AI-type stuff that we really want to get into,” said Palmer.

“An entirely AI security operations centre [SOC] is not an unreasonable objective for us to have as researchers, and is certainly one of our goals, especially considering how quickly technology is moving in areas such as self-driving cars, which not long ago were considered to be pure fiction.”

To help ensure the research continues, Darktrace has announced that it has secured $65m in new equity growth funding, led by KKR, a leading global investment firm.

Stephen Shanley, principal on KKR’s technology growth equity team, said advancements in cyber security is one of KKR’s core investment themes.

“Darktrace has established a strong leadership position in the space due to the differentiation of its product – which can detect threats that other cyber solutions fail to identify,” he said.

Read more on Hackers and cybercrime prevention