Darktrace: Cybersecurity of the Future?

The cutting edge of cybersecurity comes from AI being able to recognize any behavior that falls outside “normal”.

In 2013, a group of mathematicians and intelligence experts from the UK got together in Cambridge and envisioned a new way of dealing with the quickly rising and changing cybersecurity threats. They included Alan Wade, former CIO of the CIA and Lord Evans of Weardale KCB, former head of the British internal intelligence service MI5. These individuals went on to create a company called Darktrace which is headquartered in Cambridge and San Francisco. A large portion of the board came from HP autonomy.

Darktrace is a company that uses artificial intelligence to detect and combat cyber security threats. Their most interesting suite of products are the Enterprise and Industrial Immune Systems. They are aptly named, as just like the immune system in living organisms, they recognize threats by identifying “outlier” behaviors. To do this, the system learns normal behavioral patterns over varied metrics. When it notices significant deviation from the regular behavior, it flags the threat and responds to it. Since it is a continuously learning system, it adjusts the definition of outlier behaviors based on the changing system usage trend. The industrial variant does the same for cyber-physical systems and is hence able to detect and respond to potential industrial accidents before they happen.

What really sets Darktrace apart is the fact that it does not need periodic threat signature updates unlike most other cyber security systems. Rather than learning to identify abnormal behavior, it learns to identify normal behavior. Hence the lack of need for downloading signatures. It classifies anything outside normal behavior as a potential threat and lets system operators decide on how to respond to it. This makes it capable of addressing a wider array of threats. This also enables it to address novel threats before they can cause quantifiable damage. The system relies on no prior knowledge of threats as it does not look for threats in a conventional manner.

The other part of their suite of services is the response which is called Antigena. Antigena is the first ever Autonomous Response system that handles threats detected by the Enterprise Immune System. It does so by slowing down or stopping any services or network connections that have been displaying behavior outside of what is classified as “normal”. Their users are especially happy with the proactive nature of the platform and how little it requires in the way of human intervention. The main form of human intervention required by Darktrace’s platform is in the “Threat Visualizer” which allows the system administrators to look at all the threats to the system and describes the normal behavior in the network. When the WannaCry ransomware wreaked havoc across the world, Darktrace clients were protected from massive damages as its behavior fell outside the pre-determined “normal” assessed by the Immune System.

In 2019, Darktrace introduced the Cyber AI analyst which not only assisted in detection and response to threats but also their investigation and reporting which would earlier have consumed too many valuable man hours. It can correlate multiple seemingly dissociated security events to a single incident and help teams reduce triage time by over 90%.

This adaptability and scalability and scalability of their offering is what will help them capture value and the rapid growth in cyber threats is what will create value for them. They are fairly unique as the majority of their value is created from without and not within. But that value creation is guaranteed as it is a byproduct of other entities’, government or private, necessary value creation. They can expand their value capture over time by collecting more training data and adding more capabilities to capture more value in the cyber security space.

An interesting article on the future of cyber security can be found here: Darktrace CEO: the Future of Cybersecurity is A.I. vs. A.I. | Fortune

The work done by the folks at Darktrace could very well go to define the future of cyber security. This is because conventional cybersecurity methods just cannot handle the scale and diversity of the upcoming cyber threats. Their need to be supervised in their detection and response makes them near impossible to scale. The unsupervised learning provided by Darktrace and companies like it, which are bound to pop up, makes it possible for a system to recognize a threat by itself and respond to it. This is backed by the fact that Darktrace now has over 4,700 clients and currently employees over 1,500 people across the world.

The company seems to have great faith in the value they bring to the market as they have recently filed for an IPO on the London Stock Exchange. It remains to see what the free market values the company at considering how specialized their offering is.

Next:

An Algorithm…with a Record Deal?

Student comments on Darktrace: Cybersecurity of the Future?

  1. The Darktrace value proposition is really interesting. In particular, I’d love to understand how “turnkey” the solution, vs. having to be trained on what is normal behavior for each and every individual client. Similar to our discussion about DeepMap, their may be clients who don’t want to have their data used to train up an algorithm that benefits other companies, but Darktrace would certainly benefit from training across clients to increase their sample size. It’s also interesting to thing about the sensitivity and specificity of their technology; the benefit of the technology dims if there are a lot of false positives, but the cost of a false negative can be so high that Darktrace has to really walk a thin line.

    1. Exactly my question as well (on the first point)! How much bespoke model training is necessary to determine what is normal based on company, industry, geography, etc. This seems non-trivial, but I’d love to learn more.

      1. The solution is not completely turnkey as it has to be modified for each company’s systems. But as far as the bespoke element is concerned, the solution would unique to each client as it only learns from their system. This also addresses the problem of using one clients data to train another’s model as the system trains on what is normal for each client uniquely.

  2. This is really interesting Vikram! It seems like these solutions are geared more towards companies, but does Darktrace have an offering for individuals? My boyfriend and I have been increasingly worried about our online security (more so than online privacy) and have been trying to take steps to be more secure. However, I just had another friend who had his identity stolen the other day and how he is an extensive process to try to fix it. Given how much our lives reside online, we are definitely willing to pay to increase our personal online security.

    1. I think currently these offerings are available only to companies as they need a large dataset of logs to determine normal behavior. But taking from an earlier comment, it could be possible to design systems like this for most average internet users. But in this case users should be willing to let their data and behavior train the system for others. It does have some issues too where bad actors could set up server farms and train the system to “normalize” any behavior as any large enough group of computers could define the limits of what is normal.

  3. Great blog post, Vikram! Thanks for sharing. How much does it cost for a company to buy these products? Is this suite of products considered a substitute or a supplement to anti-virus softwares like Kapersky or Norton?

    1. The cost depends on the depth and breadth of a particular usecase but it can ideally completely replace an anti-virus software.

  4. Very interesting article Vikram! What is the company trtying to do through its IPO, the obvious would be improving their technology or scaling their presence. Curious to know what is the next steps for them are.

    1. I would assume their goal with the IPO is to generate more funds and increase valuation. it could also be to reward their investors. Another obvious one I can think of is scaling like you mentioned

  5. Thanks for this article Vikram. Darktrace’s value proposition and approach to fighting threats seem really innovative, especially the fact that it doesn’t require a lot of human intervention. I wonder however if, in the long term, hackers will also be increasingly sophisticated and will be able to build AI-powered malware that could potentially mimic a “normal behavior” in order to bypass these systems. Maybe it’s a real threat! Or maybe I’ve just watched too many sci-fi movies…

    1. Absolutely love this question because I thought of this for quite a while when I was writing this post the best answer I could only come up with was fairly ironic. A malware could potentially penetrate the system by mimicking “normal” behavior. Funny thing though is that when it starts its actual attack, it would immediately be quarantined. So even though the system can be penetrated, it can never be attacked. It was a pretty fun thought experiment to come up with this

  6. I think this is the first application I’ve seen where AI is trained by anomalies so this is super interesting, and the immune system analogy is a compelling one. Do you think there are risks in removing the human element from assessing such nuance when the financial risk for an error can be so large for example in the industrial accident scenario?

Leave a comment