The Enterprise Immune System Machine Learning for Cyber Threat Defence Apurva Jain Cyber Security Manager


PERSONAL INTRODUCTION

[introduce yourself]

Thank you for the opportunity to present to you.

I'll be talking to you about a new approach to cyber defence, known as the ENTERPRISE IMMUNE SYSTEM.

Company Background
Founded in 2013 in Cambridge, UK
Started by mathematicians and government intelligence specialists
Technology based on machine learning & mathematics
HQs in Cambridge, UK & San Francisco
Over 2000 customer installations
23 global locations
600% year-on-year growth
"Darktrace is a game-changer" (Virgin Trains)

The Queen's Award for Enterprise: Innovation 2016
Bloomberg Business Innovator 2016
Security Company of the Year at Info Security Global Excellence Awards 2016
Best Insider Threat Detection and Solutions at Network Products Guide IT World Awards
Gartner Cool Vendor 2015
World Economic Forum Technology Pioneer 2015

VALIDATION

Founded in Cambridge by MATHEMATICIANS AND MACHINE LEARNING specialists, from the UNIVERSITY OF CAMBRIDGE

Over 750 CUSTOMER INSTALLATIONS across 20 COUNTRIES

Headquarters in Cambridge UK and San Francisco US [APAC: Singapore]

Widely recognized in the industry, by a variety of award bodies.


CUSTOMERS

Darktrace has customers across ALL INDUSTRY VERTICALS financial services, healthcare, retail, energy, transportation, non-profit etc.

Here are some of the organizations that we work with.


Evolving Threats in a New Business Landscape
Outsourced IT, SaaS, cloud, virtual, supply chain
It's not just data breaches & defaced websites
Emergence of artificial intelligence attacks is leading to highly customised campaigns
Trust attacks are silent and stealthy
Integrity of data is at risk
Insider threat is constant, whether malicious or non-malicious

Legacy controls are constantly outpaced

EVOLVING THREATS IN A NEW BUSINESS LANDSCAPE

Every day we are seeing attacks on the networks of our hundreds of customers around the world, and there are a couple of key trends which we see developing.

Firstly, the threat landscape is extremely challenging: advanced, and moving incredibly fast.

We read about data breaches and exfiltration in the news all the time. But it isn't these headline-making attacks that are the most dangerous.

We're starting to see much more complex, even machine-learning-based attacks, which use artificial intelligence to hide and move.

Secondly, we are seeing a rise in "trust attacks": attacks that are aimed at damaging a company's reputation or credibility by undermining the integrity of its data.

Often very stealthy, the attacker's objective appears to be to change data slowly and over time.

They can remain in the network for hundreds of days before any damage is done.

In a bank or a hospital, these subtle changes over time can have a catastrophic effect on confidence in the data.

Insider threat is also a major concern. Anyone with access to your network is a potential insider: from employees, to contractors, to customers and suppliers.

All this is against a backdrop of increasing business complexity, where the security industry is struggling to keep up with the threats posed by cloud and virtual environments, mobility, IoT, SaaS, and the simple fact of a network without traditional boundaries.


DARKTRACE APPROACH THE IMMUNE SYSTEM

Darktrace's approach is different. This is a piece of DNA.

The DNA of our bodies is attacked all the time. Our bodies are continually confronted with new viruses and bacteria that they must deal with.

Of course, skin protects us to a certain extent. But the critical piece of kit that we rely on day to day is the IMMUNE SYSTEM; the human immune system is one of the most complex systems in the biological world.

The immune system is intelligent because it knows WHAT "SELF" IS; in other words, it recognizes WHAT IS PART OF ME AND WHAT IS NOT PART OF ME, and can identify ABNORMAL BEHAVIORS and take action against them. It is also constantly changing and adapting to new environments.

Darktrace works in a similar way. Like the human immune system, it is a SELF-LEARNING SYSTEM that CONTINUALLY EVOLVES AND ADAPTS to understand normal activity, and stops threats BEFORE THEY DEVELOP. The idea is not just to look for malicious actions but for anomalies, which could be something as simple as a configuration problem that can develop into malicious activity if not addressed. There are plenty of other things that can be very bad without being malicious in nature. The EIS detects these subtle changes or movements as symptoms. [Malaria symptom example]


The Enterprise Immune System: Proven To Work
Learns self in real time: for every individual user, device and network, using unsupervised machine learning
Finds the threats that get through: detects both insider and sophisticated external threats, from within the network
100% visibility: visualises the entire network, including traditional and non-traditional IT, and allows for investigations
Scalable: largest deployment has over 1 million users
All networks & devices: works on physical and virtual networks, cloud, ICS

ENTERPRISE IMMUNE SYSTEM

Darktrace technology is known as the Enterprise Immune System for its ability to replicate this self-learning capability of the immune system.

It's powered by machine learning and mathematics which uniquely model every user, device and the network as a whole.

Using these models, Darktrace builds an understanding of an organization's "pattern of life".

This evolving pattern of life allows us to detect threats that get past legacy tools, precisely because we are not relying on rules, signatures or assumptions about what "bad" looks like.

And it works in real time.

Darktrace also provides 100% visibility of your network through our Threat Visualizer interface: we automatically map your network visually to give you a real-time overview of all user, device and network behaviours.

[And because we are correlating events and activity over time, you have a long view of network activity, and can replay historic events for investigation.]

Darktrace will also pick up things like IoT devices, activity in your cloud, and ICS environments, as well as your traditional IT.

And it also scales up easily: our largest deployment is one of the top three banks in the world, and they have over a million devices.

How Does Darktrace Work?
Delivered as an appliance
Passive tap into your network
Automatically learns normal for all devices, users and the network
Interface accessed via web browser
Results from day one
No set-up
Installs in just 1 hour

INSTALLATION

PASSIVE TAP into your network

AUTOMATICALLY LEARNS normal and abnormal behavior of your devices, users and network as a whole

RESULTS FROM DAY ONE

INSTALL IN ONE HOUR. It doesn't rely on agents, which saves the time otherwise required for installation and maintenance. And it detects 20-30% more devices than administrators expect.


Technology Architecture

ARCHITECTURE

So, what does the Darktrace immune system process look like?

Darktrace takes RAW NETWORK TRAFFIC

From that network data, we extract only RELEVANT METADATA using our proprietary DARKFLOW technique.

[Unlike sampling technologies, Darkflow infers and analyzes data from every packet captured, identifying crucial pieces of information needed for analyzing threats, e.g. initiators of machine connections, or the length of connections, etc.]

That data is then modelled, to understand the PATTERN OF LIFE for every USER, DEVICE AND NETWORK AS A WHOLE.

The THREAT CLASSIFIER classifies the anomalies and FILTERS OUT FALSE POSITIVES, using Recursive Bayesian Estimation techniques.

THREAT NOTIFICATIONS AND NETWORK ACTIVITY are made visible to users via our interface, the THREAT VISUALIZER.

In addition, we also have a MODEL EDITOR that allows you to create your own policies and rules, if required. Darktrace can also be fully INTEGRATED with existing outputs and dashboards.

Machine Learning is Hard to Get Right

No two networks are alike: needs to work in every network
On-premise, virtualized, cloud, SaaS, segmented
Needs to work without customer configuration or tuning of models
Needs to support teams with varying security & maths skills
Must deliver value immediately, but keep learning and adapting as it goes
Must have linear scalability
Cannot rely on training sets of data

MATHEMATICS AND MACHINE LEARNING

Enterprise Immune System technology is underpinned by MACHINE LEARNING AND MATHEMATICS, which are fundamental to the difference of our approach.

Darktrace is based on a branch of BAYESIAN MATHEMATICS. This is built around the idea of CORRELATING WEAK INFORMATION, many individually inconclusive observations, in order to evaluate an outcome.

[this is the Reverend Thomas Bayes, an English clergyman and mathematician; his theorem appears in an essay published posthumously in 1763 by his friend Richard Price]

RECURSIVE BAYESIAN ESTIMATION is a branch of Bayesian theory; Darktrace's application of it to network behaviour was developed by mathematicians from the UNIVERSITY OF CAMBRIDGE.

It allows Darktrace to CONTINUALLY CALCULATE PROBABILITIES BASED ON EVOLVING EVIDENCE: each new observation updates the previous estimate, so Darktrace's understanding is constantly being revised.

Critically, this approach DOES NOT REQUIRE SIGNATURES OR PRIOR KNOWLEDGE of what "bad" looks like: the baseline is learned from the organization's own traffic, and a probability can move down as well as up when later evidence turns out to be benign.

[further questions may be referred to a later conversation delighted to set up a call with our technical and mathematics teams if youd like more information]
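The recursive update described above, as an added Python illustration (not Darktrace's model or code): one hypothesis, "this device is compromised", is re-estimated as each observation arrives, and the same observations are also scored one at a time to show why individually weak evidence matters only when correlated. The base rate and every likelihood value are assumed for illustration; the observations mirror the kind of signals the case studies later in this deck describe.

```python
"""Recursive Bayesian estimation of one hypothesis as evidence arrives.

Added illustration, not Darktrace's model. H = "this device is compromised".
Each observation carries two assumed likelihoods; the numbers are illustrative,
not measured from any real network.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Evidence:
    name: str
    p_given_h: float       # P(observation | device compromised)      (assumed)
    p_given_not_h: float   # P(observation | device behaving normally) (assumed)

    def __post_init__(self):
        for p in (self.p_given_h, self.p_given_not_h):
            if not 0.0 < p <= 1.0:
                raise ValueError(f"likelihood out of range for {self.name}: {p}")

    @property
    def likelihood_ratio(self) -> float:
        """> 1 supports H, < 1 counts against it, 1 is uninformative."""
        return self.p_given_h / self.p_given_not_h


def bayes_update(prior: float, ev: Evidence) -> float:
    """One step of Bayes' theorem:
    P(H|E) = P(E|H)P(H) / (P(E|H)P(H) + P(E|not H)P(not H))."""
    numerator = ev.p_given_h * prior
    denominator = numerator + ev.p_given_not_h * (1.0 - prior)
    return numerator / denominator


def recursive_estimate(prior: float, observations: list[Evidence]) -> list[float]:
    """Apply the observations in order; each posterior becomes the next prior.
    Returns the whole trajectory so the reader can watch belief evolve."""
    trajectory = [prior]
    for ev in observations:
        trajectory.append(bayes_update(trajectory[-1], ev))
    return trajectory


def each_alone(prior: float, observations: list[Evidence]) -> dict[str, float]:
    """What each observation would do on its own, starting from the same prior."""
    return {ev.name: bayes_update(prior, ev) for ev in observations}


# Constructed scenario: three individually weak signals from one camera, then a
# piece of exculpatory evidence that pulls the estimate back down again.
PRIOR = 0.01   # assumed base rate: 1 device in 100 is compromised at any moment
OBSERVATIONS = [
    Evidence("rare external IP", 0.60, 0.10),          # no other device uses it
    Evidence("upload ~10x peer group", 0.70, 0.05),    # far above similar devices
    Evidence("new internal SMB peers", 0.50, 0.10),    # hosts it never talked to
]
EXCULPATORY = Evidence("destination is a vendor update host", 0.10, 0.50)


def demo():
    """Returns (trajectory with all evidence, each observation alone, revised
    estimate after the exculpatory observation)."""
    combined = recursive_estimate(PRIOR, OBSERVATIONS)
    alone = each_alone(PRIOR, OBSERVATIONS)
    revised = bayes_update(combined[-1], EXCULPATORY)
    return combined, alone, revised


if __name__ == "__main__":
    combined, alone, revised = demo()
    for ev, p in zip(OBSERVATIONS, combined[1:]):
        print(f"{p:.3f}  after '{ev.name}' (LR {ev.likelihood_ratio:.0f})")
    for name, p in alone.items():
        print(f"{p:.3f}  if '{name}' were the only evidence")
    print(f"{revised:.3f}  after '{EXCULPATORY.name}'")
```

With these assumed numbers, none of the three observations on its own lifts the 1% prior above about 12%, while the three in sequence reach roughly 81%; the exculpatory observation then drops it back to about 46%. That downward revision is the point of the "evolving evidence" claim: the estimate is never frozen by the first alert.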

MACHINE LEARNING IS HARD TO GET RIGHT

So, the fundamental basis of Darktraces technology is unsupervised machine learning.

The reality is that machine learning is very difficult to implement in practice.

There are several reasons for that:

Every network is different: it needs to work across all types and sizes of network

A security solution cannot rely on sets of training data. [Networks are too complicated, and threats are constantly evolving.]

It has to scale.

It needs to deliver value immediately

What Darktrace has been able to do uniquely is to apply unsupervised machine learning in the real world.

Indeed, it has been proven time and time again to work across all types of network, with data moving at different frequencies, and it detects the threats that are quite simply going unnoticed by other approaches.

Critically our machine learning adapts, grows, and evolves with your business.

It is constantly calculating new probabilities based on evolving evidence.


Immune System Technology Finds Threats That Go Undetected
Over 27,000 in-progress threats detected, including:
Exfiltration of sensitive data by insiders
Hacked IoT devices, including HVAC, video conferencing
Third-party contractor vulnerabilities
Polymorphic & metamorphic malware that blend in
Irregular VPN access from remote users & sites
Compromises of industrial control systems
Indiscriminate worms, Trojans, ransomware
Attacks on physical security, such as biometric scanners & badge readers

Compromise of Biometric Scanner

Industry: Manufacturing
Point of Entry: Fingerprint scanner
Apparent Objective: Alter biometric access keys
GLOBAL THREAT CASE STUDY

Attacker successfully exploited known software vulnerabilities in the fingerprint scanner
Able to control information sent to and from the fingerprint scanner
Went unnoticed by traditional anti-malware solutions
Darktrace detected unusual connections to and from the biometric scanner
If undetected, malicious actors would have gained access to physical machinery

COMPROMISE OF A BIOMETRIC (FINGERPRINT) SCANNER [Threat Anecdotes and Use Cases Script number 1]

So let me give you an example:

In this case, to protect its physical assets, a manufacturing company had installed biometric fingerprint scanners to access machinery.

In this instance, the close association of physical and network resources led to a hacker successfully exploiting a fingerprint scanner.

Not only did this attacker gain access to the fingerprint records stored by the system, but they were also able to add new records in order to gain unauthorized physical access to the company premises.

Now, because this abnormal activity didn't correspond to any known attack signatures, traditional anti-malware solutions failed to detect the subtle and discreet operations that caused the compromise.

But Darktrace was able to detect the attackers movement using machine learning, because it had learnt what was normal behaviour for the scanner, and recognized that it had started behaving abnormally.

So, we were able to alert the company before any serious damage was caused.


Video Conferencing Camera Hack
Video conferencing camera was transmitting data outside the network
Camera had been compromised by a remote attacker
Attacker was aiming to either:
Steal corporate information
Take remote control of the device to launch a DDoS attack on another network
Would not have been detected through signature-based defences: the activity was not inherently malicious

Industry: Retail
Point of Entry: Video conference camera
Apparent Objective: Transmit mass amounts of data out of host network

GLOBAL THREAT CASE STUDY

DATA EXFILTRATION FROM HACKED VIDEO CONFERENCING CAMERA [Threat Anecdotes and Use Cases Script number 3]

In this example, Darktrace found a hacked IoT device that posed a dangerous vulnerability on a company's network.

We detected unusual behaviour from a video conferencing camera in a company's network: it was transmitting much larger volumes of data outside the network than similar devices.

The camera had been compromised by a remote attacker and was sending data possibly videos and photos outside of the network.

It was also connecting to other computers as the attacker explored the network and attempted to locate Point of Sale devices.

Darktrace detected this threat after the device initiated a very large upload to rare external IPs, and communicated with internal computers that it never usually talked to.

A back-door Trojan had been uploaded to the device before Darktrace was installed, allowing it to be remotely accessed from outside the network.

The attacker was likely aiming to either:
steal corporate information, including highly invasive audio and video feed data, or
take remote control of the device to launch a DDoS attack on another network.

Either of these would have been a serious security risk to the company.

Once Darktrace flagged this behaviour, the company immediately disconnected the camera, and started a detailed review of their systems.

This would not have been detected through signature-based defences, as this activity was not inherently malicious.
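The following is an added worked example, not Darktrace's code and not the Darkflow technique, that ties together two passages: the architecture slide earlier in the deck (raw traffic, then only the relevant connection metadata, then a pattern of life per device and per group of similar devices, then deviations) and this camera case study. It assumes a constructed flow-record format of the kind a passive tap produces, a 10.0.0.0/8 corporate range, cameras in 10.1.5.0/24 and point-of-sale hosts in 10.1.9.0/24, a "rare" destination being one used by at most one device during learning, and a 10x-peer-median upload threshold; every log line is made up to reproduce the scenario.

```python
"""Pattern-of-life anomaly detection over connection metadata.

Added example, not Darktrace's code or Darkflow: a miniature of the architecture
slide's pipeline (raw flows -> metadata -> per-device and peer-group baseline ->
deviations), run against the hacked video-conferencing camera scenario. The flow
format, addresses, subnet-to-device-class mapping and thresholds are constructed.
"""
import ipaddress
import statistics
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")       # assumed corporate range
DEVICE_CLASSES = {                                   # assumed inventory
    ipaddress.ip_network("10.1.5.0/24"): "camera",
    ipaddress.ip_network("10.1.9.0/24"): "pos",
}
UPLOAD_RATIO = 10.0     # assumed: flag a day above 10x the peer group's median upload
RARE_MAX_DEVICES = 1    # assumed: an external host used by <= 1 device is "rare"

# Constructed flow records, one per connection, as a passive tap would summarise
# them: day originator responder responder_port duration_s originator_bytes.
BASELINE_FLOWS = """
1 10.1.5.10 10.1.5.1 443 2.0 1200
1 10.1.5.10 203.0.113.7 443 30.0 4000000
1 10.1.5.11 203.0.113.7 443 25.0 3800000
1 10.1.5.12 203.0.113.7 443 28.0 4200000
1 10.1.9.5 203.0.113.50 443 1.0 2000
1 10.1.9.6 203.0.113.50 443 1.0 2500
2 10.1.5.10 203.0.113.7 443 31.0 3900000
2 10.1.5.11 203.0.113.7 443 26.0 4100000
2 10.1.5.12 203.0.113.7 443 29.0 4000000
"""
# Day 3: camera .12 pushes ~900 MB to a never-seen host and probes POS hosts on 445.
NEW_FLOWS = """
3 10.1.5.12 203.0.113.7 443 29.0 4100000
3 10.1.5.12 198.51.100.23 443 1800.0 900000000
3 10.1.5.12 10.1.9.5 445 0.5 300
3 10.1.5.12 10.1.9.6 445 0.5 300
3 10.1.9.5 203.0.113.50 443 1.0 2000
"""

def parse_flows(text):
    """Raw records -> only the metadata fields the model needs (no payload)."""
    flows = []
    for line in text.strip().splitlines():
        day, orig, resp, port, dur, obytes = line.split()
        flows.append({"day": int(day), "orig": orig, "resp": resp,
                      "port": int(port), "dur": float(dur), "obytes": int(obytes)})
    return flows

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def peer_group(ip):
    """Device class used to compare a device with 'similar devices'."""
    addr = ipaddress.ip_address(ip)
    return next((cls for net, cls in DEVICE_CLASSES.items() if addr in net), "other")

def daily_uploads(flows):
    """Bytes each device sent to external responders, keyed by (device, day)."""
    out = defaultdict(int)
    for f in flows:
        if not is_internal(f["resp"]):
            out[(f["orig"], f["day"])] += f["obytes"]
    return out

def learn_baseline(flows):
    """Pattern of life: each device's internal peers, how many devices use each
    external host, and the per-day upload volumes of each device class."""
    peers, ext_seen = defaultdict(set), defaultdict(set)
    for f in flows:
        if is_internal(f["resp"]):
            peers[f["orig"]].add(f["resp"])
        else:
            ext_seen[f["resp"]].add(f["orig"])
    group_uploads = defaultdict(list)
    for (dev, _day), total in daily_uploads(flows).items():
        group_uploads[peer_group(dev)].append(total)
    return {"peers": peers, "ext_seen": ext_seen, "group_uploads": group_uploads}

def detect(baseline, flows):
    """Deviations from the baseline, as sorted (device, reason, detail) tuples."""
    alerts = set()
    for f in flows:
        dev, dst = f["orig"], f["resp"]
        if is_internal(dst):
            if dst not in baseline["peers"].get(dev, set()):
                alerts.add((dev, "new internal peer", f"{dst}:{f['port']}"))
        elif len(baseline["ext_seen"].get(dst, ())) <= RARE_MAX_DEVICES:
            alerts.add((dev, "rare external destination", dst))
    for (dev, day), total in daily_uploads(flows).items():
        history = baseline["group_uploads"].get(peer_group(dev))
        if history and total > UPLOAD_RATIO * statistics.median(history):
            alerts.add((dev, "upload anomaly vs peer group",
                        f"day {day}: {total} B vs median {statistics.median(history):.0f} B"))
    return sorted(alerts)

def run_demo():
    baseline = learn_baseline(parse_flows(BASELINE_FLOWS))
    return detect(baseline, parse_flows(NEW_FLOWS))

if __name__ == "__main__":
    print(*run_demo(), sep="\n")
```

Nothing in the camera's day-3 traffic is malicious by signature: HTTPS uploads and SMB connections are ordinary protocols. The alerts come only from comparing the device with its own history (new internal peers), with the whole network (a destination nobody else uses) and with its peer group (an upload volume far above other cameras). Replaying the learning period through `detect` produces no alerts, which is the check to run before trusting any such baseline: if the "normal" days already trip the thresholds, the model is not yet learned.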

Conclusion
The battlefield is now inside corporate networks

Rules and signatures don't work

No security team, no matter how large, can keep up with new era of machine threats

Darktrace Enterprise Immune System is a fundamental new approach

30-day Proof of Value in your network

VALIDATION & CONFIDENCE: this is what your audience should TAKE AWAY from the presentation

THE ENTERPRISE IMMUNE SYSTEM is a UNIQUE APPROACH POWERED BY MACHINE LEARNING & MATHEMATICS

IT UNDERSTANDS WHAT'S NORMAL FOR DEVICES, USERS AND THE NETWORK.

IT DETECTS THREATS AS THEY EMERGE

NO RULES, NO SIGNATURES

EASY TO INSTALL: JUST ONE HOUR.

WE OFFER A PROOF OF VALUE (POV) where you can try the technology for a period of 4 weeks.

Thank you

Thank you for your time. [Discuss next steps]