Darktrace’s ‘pattern-of-life’ defense

Darktrace is promoting a new approach to cyber-security that uses Bayesian probabilities for the early detection of external and insider threats.

The company’s solution, dubbed the Enterprise Immune System, detects threats, particularly those that evade conventional pattern-matching defenses, without relying on rules, signatures or any prior knowledge of what it is looking for.

The Enterprise Immune System appliance is deployed passively, on a network tap or SPAN port, so it observes traffic rather than sitting inline. It ships with no rules built in. “Within one week of installation in the network, the box forms an adaptive ‘pattern of life’ for the machines, networks and users within the environment, which is used to spot previously unidentified anomalies, in real time,” says Sanjay Aurora, managing director of Asia Pacific at Darktrace. The appliance tracks these evolving patterns of life and continues to learn from the traffic that flows through the network.

Based on machine learning and Bayesian mathematics developed at the University of Cambridge, the appliance captures network and user behavior data and extracts some 300 measurements, which it uses to distinguish an abnormal event that is benign from one that warrants a high-priority alert.

Darktrace’s aim is analogous to stopping a thief who holds the key to a stolen car but still cannot drive off with it, because he is unable to mimic the normal behavior and preferences of the car’s owner.

“Based on the applied dimensions, you are able to create a very accurate behavioral pattern of life,” says Aurora. “The threat actors can have the super passwords and admin rights but they cannot ensure everything they do is behaviorally normal. Any anomaly gets called out. So, our approach aims at early detection and the ability to find the unknown in real time.”

Darktrace calculates the probability that a detected behavioral anomaly is a threat, rather than matching it against known bad patterns. This has led to the discovery of malware-enabled anomalous data transfers, unauthorized use of administrator credentials, illegitimate access to a database server to transfer financial information, and password compromises, among others.
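To make the approach described above concrete, here is an added illustrative example, written for this page and not Darktrace’s own code or model. It learns a per-host “pattern of life” from a constructed week of flow records (host name, destinations and byte counts are all hypothetical), scores new flows by how improbable they are under that profile using a naive-Bayes style combination of three measurements, and flags those that exceed a threshold calibrated from the learning window. Darktrace reports using some 300 measurements; three stand in for them here.

```python
"""Pattern-of-life anomaly scoring over constructed network flow records.

Illustrative example only (not Darktrace's implementation): each host gets a
naive-Bayes style profile of when it talks, to whom, and how much, learned from
a training window; new flows are scored by how improbable they are under that
profile. No rules or signatures are involved, only past behaviour.
"""
import math
from collections import Counter, defaultdict

# Constructed training flows: (host, hour_of_day, destination, bytes_out).
# One "normal week" for a hypothetical finance workstation: office hours only,
# three internal servers, modest transfer sizes.
TRAINING_FLOWS = [
    ("ws-finance-01", hour, dest, nbytes)
    for _day in range(5)
    for hour, dest, nbytes in [
        (9, "fileserver.corp", 120_000), (10, "mail.corp", 45_000),
        (11, "fileserver.corp", 98_000), (13, "erp-db.corp", 30_000),
        (14, "mail.corp", 52_000), (16, "fileserver.corp", 140_000),
        (17, "mail.corp", 40_000),
    ]
]


class HostProfile:
    """Per-host 'pattern of life': smoothed categorical models for hour and
    destination plus a Gaussian on log(bytes). Three dimensions stand in for
    the hundreds a production system would use."""

    def __init__(self):
        self.hours = Counter()
        self.dests = Counter()
        self.log_bytes = []

    def observe(self, hour, dest, nbytes):
        self.hours[hour] += 1
        self.dests[dest] += 1
        self.log_bytes.append(math.log(max(nbytes, 1)))

    @staticmethod
    def _cat_nll(counter, key, universe, alpha=1.0):
        # Negative log of a Laplace-smoothed categorical probability. Unseen
        # values stay finite, so one novel dimension alone is not conclusive.
        total = sum(counter.values())
        return -math.log((counter[key] + alpha) / (total + alpha * universe))

    def _bytes_nll(self, nbytes):
        n = len(self.log_bytes)
        mu = sum(self.log_bytes) / n
        var = sum((x - mu) ** 2 for x in self.log_bytes) / n
        sigma = math.sqrt(var) if var > 0 else 0.5  # floor for near-constant hosts
        z = (math.log(max(nbytes, 1)) - mu) / sigma
        return 0.5 * z * z + math.log(sigma * math.sqrt(2 * math.pi))

    def surprise(self, hour, dest, nbytes):
        """Negative log-likelihood of one flow under this host's profile;
        higher means further from the learned pattern of life."""
        return (self._cat_nll(self.hours, hour, universe=24)
                + self._cat_nll(self.dests, dest, universe=len(self.dests) + 1)
                + self._bytes_nll(nbytes))


class PatternOfLife:
    def __init__(self):
        self.profiles = defaultdict(HostProfile)
        self.thresholds = {}

    def fit(self, flows):
        for host, hour, dest, nbytes in flows:
            self.profiles[host].observe(hour, dest, nbytes)
        # Calibrate each host's alert threshold from its own learning window:
        # mean surprise plus three standard deviations. Whatever happened during
        # that window is, by construction, treated as "normal".
        for host, prof in self.profiles.items():
            scores = [prof.surprise(h, d, b) for hh, h, d, b in flows if hh == host]
            mu = sum(scores) / len(scores)
            sd = math.sqrt(sum((s - mu) ** 2 for s in scores) / len(scores))
            self.thresholds[host] = mu + 3 * sd
        return self

    def score(self, host, hour, dest, nbytes):
        prof = self.profiles.get(host)
        if prof is None:  # a host with no baseline is itself an anomaly
            return {"host": host, "surprise": math.inf, "threshold": None, "anomalous": True}
        s = prof.surprise(hour, dest, nbytes)
        return {"host": host, "surprise": round(s, 2),
                "threshold": round(self.thresholds[host], 2),
                "anomalous": s > self.thresholds[host]}


def build_model():
    return PatternOfLife().fit(TRAINING_FLOWS)


if __name__ == "__main__":
    model = build_model()
    # Constructed test flows: routine work, a lunch-hour mail check (unusual
    # hour, otherwise normal), a valid-credential pull of 900 KB from the ERP
    # database, and a 600 MB upload to an unknown external address at 03:00.
    for flow in [("ws-finance-01", 10, "fileserver.corp", 110_000),
                 ("ws-finance-01", 12, "mail.corp", 50_000),
                 ("ws-finance-01", 9, "erp-db.corp", 900_000),
                 ("ws-finance-01", 3, "198.51.100.7", 600_000_000)]:
        print(flow[1:], model.score(*flow))
```

Two things the toy shows that the paragraph does not. First, the lunch-hour mail check is off in one dimension (an unseen hour) but normal in the others, so it lands under the threshold: combining several measurements is what keeps a single odd-but-benign event from paging anyone. Second, the ERP pull uses a known destination at a normal hour with, presumably, valid credentials, and is still flagged because the volume is far outside the host’s history, which is the “super passwords and admin rights” case Aurora describes. The caveat a practitioner should keep in mind is in the `fit` comment: anything already happening during the learning window, including an intruder who is already present, becomes part of “normal”.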

Darktrace has also launched the Industrial Immune System to detect emerging cyber-threats within industrial control systems, including the supervisory control and data acquisition (SCADA) systems used by power stations, factories and other parts of critical infrastructure. Built on the same technology as the Enterprise Immune System, it gives critical infrastructure operators a visual overview of their production environments and alerts them to potential threats before they develop into full-blown cyber-attacks.

European energy company Drax, which has deployed Darktrace’s self-learning appliance within its corporate IT network, has also rolled out the Industrial Immune System to extend threat visibility into its SCADA systems.

“Nothing is fool-proof in the modern-day challenge of cyber security, especially when it comes to protecting complex SCADA systems,” says Peter Emery, group operations director at Drax. “Darktrace has transformed our ability to preempt threats, by shining a light into our production environments and helping us focus our investigations. With Darktrace, we now have visibility of both our corporate and production environments, enhancing our ability to anticipate potential issues early, wherever they originate.”

Darktrace, which is ramping up operations in Asia Pacific, raised US$18 million early this year from investors including Invoke Capital, Talis Capital, Hoxton Ventures and private individuals, valuing the company at $80 million. It was formed in 2013 and shipped its first product in 2014. It now serves about 70 customers, including UK rail operator Virgin Trains; Norwegian insurance company DNK; and BT.