Darktrace – Using Machine Learning for Cyber Security.

DarkTrace is a UK-based start-up that is improving cyber-security through the use of machine learning and artificial intelligence to develop an ‘Enterprise Immune System’

We have all heard of the multiple recent news regarding cyber security, ranging from Yahoo’s hacking  of 1 billion accounts (which almost led to the failure of the Yahoo-Verizon deal) to the alleged Russian hacking of the DNC during the presidential election. In a world where cyber threats are getting more and more sophisticated and can cost companies a lot of money, DarkTrace is a start-up that is trying to improve cyber-security through the use of machine learning and artificial intelligence.

Backed by KKR, Summit Partners, Softbank and Mike Lynch, Darktrace is a UK-based start-up created in 2013 by mathematicians from the University of Cambridge and uses Artifical Intelligence algorithms to protect enterprise networks from attacks.

A traditional cyber-security system searches for intruding pre-defined threats within the enterprise network’s firewalls, using a database of ‘signatures’ of all known threats. That is why we have to ‘update’ our antivirus software frequently so that our database of signatures is up to date with recent threats. This approach has however its limits: If a threat or attack has never been seen before, the cyber-defense system does not work (these types of attacks are called zero-day attacks). The approach also does not work when the attack is coming for insiders, for example when an employee of the enterprise is leaking information (either intentionally or not).

Darktrace’s solution, called ‘Enterprise Immune System’, functions differently. Darktrace uses machine learning algorithms to ‘learn’ what is the ‘normal behavior’ of the network by analyzing data on the activity on the network at the device and employee level. The machine learning algorithms are ‘trained’ using data on the network’s behavior, and learn how the network behaves over time, reaching 80% of its intelligence after a month and peaking after 1 year. This results in a specifically tailored Enterprise Immune System for that particular enterprises’ network, where it has learned to identify any communication on the network that is not ‘normal’. The Enterprise Immune System identifies threats that would have been overlooked with the previous approaches, such as insider and human threats as well as enterprise data integrity breaches. The solution includes a visualization tool that shows the network topology and help visualize current status of the networks and identified threats.

One of the key challenges faced by Darktrace lays in marketing strategy. The company has to deal with complex purchasing processes at large enterprises, which creates long and costly sale cycles. The sensitivity of the cyber security topic creates an additional challenge for a small start-up to stand out against large established competitors.  Finally, the complexity of the product and technology creates an additional challenge to clearly , communicate the solution’s differentiating features, especially as “artificial intelligence” is a buzz-word that is used by multiple companies, creating confusion on customers minds.

Sources:

https://www.darktrace.com/

Darktrace white paper: “The Enterprise Immune System”

https://www.crunchbase.com/organization/darktrace

http://www.wired.co.uk/article/darktrace-machine-learning-security

Previous:

Legendary Pictures: Using Data to Make and Market Movies

Next:

Big Data for Music Festivals

Student comments on Darktrace – Using Machine Learning for Cyber Security.

  1. Hi. Great post! Darktrace appears to be a very interesting company. I wonder how the Darktrace algorithms differentiate between a network breach or an attack and a planned surge in network activity. For e.g. when a company is launching a promotion, there might be a surge on the network because of increased website hits or other reasons. This surge might be quite similar in profile to a hacker attack. Do you know how the firm tries to get around this problem?

    1. Hi Bipul – thanks for your comment. The way the service works is that it identifies potential threats that it puts to categories depending on the probability that it is a genuine attack (high, medium, low, etc) and a human needs to review these alerts and take action if necessary. Also, I am not familiar with the details of how the algorithms work but I would argue that if the models are trained appropriately, then they should be able to identify a promotion.

Leave a comment