Darktrace_ What Happens When Bayesian Analysis is Turned on Intruders _ ZDNet


  • 8/13/2019 Darktrace_ What Happens When Bayesian Analysis is Turned on Intruders _ ZDNet


    12/3/13 Darktrace: What happens when Bayesian analysis is turned on intruders | ZDNet

    www.zdnet.com/darktrace-what-happens-when-bayesian-analysis-is-turned-on-intruders-7000023836/ 1/4

    Darktrace: funded by Autonomy founder Mike Lynch, with an ex-MI5 director-general on its advisory board.

    Darktrace: What happens when Bayesian analysis is turned on intruders

    Summary: Conventional information security falls down when it comes to spotting fishy activities inside the system. That's why it will eventually be replaced by real-time big-data technology, says machine-learning firm Darktrace.

    By Toby Wolpe | December 3, 2013 -- 15:03 GMT (07:03 PST)

    For the moment, monitoring threats using big-data technology complements traditional perimeter defences.

    But ultimately it will replace measures such as antivirus and firewalls, according to the head of machine-learning security company Darktrace (http://www.darktrace.com/).

    Stephen Huxter, managing director at the Cambridge UK firm, which has a former MI5 head (http://www.prnewswire.com/news-releases/sir-jonathan-evans-joins-darktrace-advisory-board-223875741.html) on its advisory board, argues that what he calls the "old Tuscan walled town" IT security method of locks and gates to keep people out is increasingly ineffective.

    "The benefit of that approach is on the decline. In the future there's a question mark over whether we'll have very much of that at all," Huxter said.

    He believes using machine learning to model normal network behaviour in real time to detect anomalous activities complements conventional techniques, but only for the moment.

    "It's part of a completely new era that we're setting out on now in cyber defence, which is more about assuming that you can't keep people out and even if you wanted to, you wouldn't be able to and you couldn't afford it," he said.

    Behavioral Cyber Defense

    In September, Mike Lynch, founder of UK software firm Autonomy, bought by Hewlett-Packard (http://www.zdnet.com/autonomy-faces-fresh-heat-over-pre-hp-accounts-7000011122/) two years ago for £7.1bn ($11bn), invested between $10m and $20m in Darktrace (http://www.ft.com/cms/s/0/07ae26ce-1ede-11e3-9636-00144feab7de.html#axzz2mKgCE5Fp).

    By applying the techniques of recursive Bayesian mathematics developed at Cambridge University, Darktrace says its software, which it calls Behavioral Cyber Defence (http://www.darktrace.com/#bcd) (BCD), can model the normal state of an organisation's systems by examining human and network activity.

    "It's a machine-learning system that figures out what's normal and therefore what's not normal at all," Huxter said.

    "Once you've modelled that, and with no prior knowledge, so no knowledge of yesterday's attacks and signatures, you can then work out what's abnormal and take some action."

    The sophisticated mathematics developed by university academics over many years has been applied to the complex environment of a large organisation, with lots of people, connections and data, according to Huxter.

    The software conducts passive collection at the network layer to create a picture of all the packets flowing around the system.

    "We get a view across the whole organisation and then in real time the core mathematical algorithms go to work on that and compare today versus the normal model that it has derived for the network over time," he said.

    "Because we're focused on how these attackers operate in real time, we can see [their activities] across a number of our customers and then update and tune our software to keep it up to date."

    The MI5 connection

    Also in September, Darktrace revealed that Sir Jonathan Evans, who had stepped down as director-general of UK domestic counter-intelligence agency MI5 five months earlier, is now on the company's advisory board.

    Huxter says Evans has brought expertise in the threats facing organisations and government, developing the concept set out in the UK's national cybersecurity strategy of a new type of cooperation between state departments and the private sector.

    "What the government areas can really add is they take a view on risk across the whole piece and they really have a good insight into how some of these attackers are operating. Those kinds of relationships and that insight are going to be valuable," Huxter said.

    With attacks coming in from nation states and lone criminals as well as from well-resourced gangs and hacktivists, not only have the threats become more diverse but their approaches have become more sophisticated.

    "They're willing to be much more patient, they're much cleverer, and lots of them are willing to stay under the radar as well," Huxter said.

    In that context, conventional perimeter defences are inadequate and even rules-based technologies such as logs are "all about closing the stable door once the horse has bolted".

    For example, a suspicious behaviour by system administrators might be repeatedly rebooting a particular machine to allow them to load unauthorised technology.

    "So let's put a rule in to flag things when they do it more than 50 times. But if you're inside, you can see that and then you'll just say, 'Well, tomorrow I'll do it 40 times'. It's that basic assumption that needs to change," Huxter said.

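The fixed-threshold rule described above, set beside a recursively updated Bayesian baseline of the general kind the article mentions, as an added example that is not from the article or from Darktrace's product. The Gamma-Poisson model, the reboot counts and the 0.001 cutoff are all assumptions chosen for illustration.

```python
import math

# Constructed sample: daily reboot counts for one admin account over 20 days.
HISTORY = [2, 1, 0, 3, 2, 1, 2, 0, 1, 2, 3, 1, 0, 2, 1, 2, 1, 3, 2, 1]

def static_rule(count, threshold=50):
    """The rule from the article: flag only when the count exceeds 50."""
    return count > threshold

class RebootBaseline:
    """Recursive Bayesian estimate of a daily event rate (Gamma-Poisson).

    The rate has a Gamma(alpha, beta) belief; each observed day updates it
    in place, so no history needs to be stored. Model choice is an assumption.
    """
    def __init__(self, alpha=1.0, beta=1.0):
        self.alpha, self.beta = alpha, beta

    def update(self, count):
        self.alpha += count  # total events seen so far
        self.beta += 1.0     # days observed so far

    def tail_probability(self, count):
        """P(X >= count) under the posterior predictive (negative binomial)."""
        p = self.beta / (self.beta + 1.0)
        cdf = 0.0
        for x in range(count):
            log_pmf = (math.lgamma(self.alpha + x) - math.lgamma(self.alpha)
                       - math.lgamma(x + 1)
                       + self.alpha * math.log(p) + x * math.log(1.0 - p))
            cdf += math.exp(log_pmf)
        return max(0.0, 1.0 - cdf)

def evaluate(history, today, cutoff=1e-3):
    """Return (static_rule_fires, baseline_fires) for today's count."""
    model = RebootBaseline()
    for count in history:
        model.update(count)
    return static_rule(today), model.tail_probability(today) < cutoff

if __name__ == "__main__":
    for today in (3, 40, 51):
        print(today, evaluate(HISTORY, today))
```

A count of 40 stays under the static rule but is far outside this account's learned range, so only the baseline flags it. The baseline is per entity: an account that is already noisy while the model is learning ends up with a wider normal range.
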
    On-premise server

    The Darktrace product is located on a server at a customer's site, positioned for the best view across the whole organisation. Depending on the network topography, in some situations that could mean plugging it into, say, a span port in a central datacentre. In other scenarios it might be sited at two or three locations.

    "It sits off to the side and there's absolutely no interference with their current network. It's a one-way feed out to our box," Huxter said.

    Darktrace can provide senior management with a threat visualiser as well as an operations room real-time dashboard of existing threats.

    Because of the assumption that intruders are already in the system, Darktrace also adopts a more active approach in addition to the passive information gathering.

    "We can create false bits of information (honeypots, if you like) which help us with our estimation of whether there's an attack going on," Huxter said.

    "If you've created a completely new part of the network with some very sensitive but false material there, if you see that on the move, then it gives you a much stronger indication that probably bad things are happening."

    He says the technology world will only grow more complicated with more employee devices used in the workplace and the growth of the internet of things.

    "In one sense that's really good for organisations. It will enable them to work differently and probably have some cost advantages. But again, if you're an attacker, that gives you more opportunities to get in and make the boundary of the organisation even more porous," Huxter said.

    Topics: IT Security in the Snowden Era, Security

    About Toby Wolpe

    Toby Wolpe is a senior reporter at ZDNet in London. He started in technology journalism when the Apple II was state of the art.
