Darktrace – Leveraging AI in Cybersecurity

Bridging the gap in AI forwardness between cyber criminals and enterprises

Artificial intelligence is increasingly used by cyber criminals to mount sophisticated attacks on both enterprises and individuals. As companies continue to digitize their services and platforms, and as consumers' data and communications flow from IoT devices onto the cloud, the attack surface available to cyber criminals will keep growing. Darktrace is at the vanguard of companies bridging the gap between the AI forwardness of cyber criminals and that of the enterprises they target.

Founded in 2013, Darktrace is an artificial intelligence-based cyber security company headquartered in Cambridge, United Kingdom. The company applies AI innovations in a proactive approach to identify, investigate, and remediate cyber-security threats in real time. The market has rewarded this approach: the company's 2021 IPO valued it at £1.5 billion ($2.4 billion), and it presently serves ~8,800 customers in 110 countries.

Value Creation through AI in the Cybersecurity Industry

Darktrace's machine learning models deviate from traditional supervised learning models, which learn from past encounters with threats in order to predict future ones. Its models instead "self-learn" in real time by monitoring user, device, and connection behavior, building a definition of normal activity for each, and flagging anomalous deviations from it; each anomaly is then assessed to decide whether it is a threat.

The first dimension of differentiation and mode of value creation that Darktrace provides to its customers is a proactive rather than a reactive approach to cybersecurity. Cybersecurity solutions are predominantly reactive: a threat has already attacked a system or device, and remediation is taken to eliminate it. The solutions then aggregate lessons from past attacks to prevent the same or similar attacks in the future. While eliminating an attack is a considerable value add, the successful attack itself can be debilitating to an organization, with loss of revenue, a potential breach of customer data, and loss of customer confidence. Organizations and individuals want to be in a position where attacks rarely, if ever, succeed. With its real-time monitoring system, Darktrace can identify threats early in the attack sequence by spotting the subtlest deviation from normal user and network behavior. From there, the system begins to take remedial steps to eliminate the threat before it propagates through the network. Other advantages of this proactive approach are that anomalies are detected against the business's own data rather than against large external data lakes, that the data remains with the company instead of being piped through a public cloud, and that the approach can protect against targeted, AI-driven attacks.

The second dimension of differentiation and mode of value creation that Darktrace provides to its customers is an autonomous and automatic cybersecurity suite. Darktrace doesn't require humans to define attack signatures. This is advantageous because human-defined signatures lag behind the latest cybersecurity threats: they are based on known attacks, whereas the signatures of future attacks may be unknown. Darktrace's ability to autonomously determine these attack signatures and automatically take remedial action increases protection efficacy and reduces the downtime caused by an attack that successfully propagates through the system while waiting for human intervention. In support of these advantages, Darktrace reports a 95.83% reduction in the time to identify potential threats in the real estate industry, an average response time of 2.5 minutes in the manufacturing industry, and a 90% reduction in the time to identify and prioritize threats in the healthcare industry.

Value Capture

Darktrace captures value through four product offerings: Darktrace PREVENT, DETECT, RESPOND, and HEAL. Customers purchasing all four products benefit from Darktrace’s Cyber AI Loop with end-to-end protection.

Darktrace PREVENT acts as the proactive first line of defense: it continuously monitors the system in real time and simulates attacks to gauge the network's vulnerable nodes, providing the customer with key trends and metrics on the evolution of their risk profile, attack path modeling, and scenario analysis. Darktrace DETECT focuses on detecting emerging threats within the customer's cloud, app, and email platforms, endpoints, and networks, and feeds them to Darktrace RESPOND, which disarms the threat. Darktrace HEAL then restores the business's assets to an operational state.


A significant challenge that I believe Darktrace's self-learning real-time models face is the determination of false positives and false negatives and the ramifications of falling into either. It seems to me that the company should probably skew their algorithms to prevent false negatives (not detecting a genuine cyber threat), but they should also mitigate the potential downside of acting on a false positive. A key area of curiosity for me here is whether their PREVENT, DETECT, RESPOND, and HEAL staging would amplify or attenuate false negatives and positives as the algorithm's analysis propagates from one stage to the next. Another challenge that I think the company faces is navigating the myriad of regulatory environments in the 110 countries that they operate in.
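To make the self-learning idea from the earlier section and the false-positive/false-negative trade-off above concrete, here is a small added illustration (my own, not Darktrace's code or data): each device gets its own learned "normal" from a baseline window, new activity is scored by how far it deviates from that normal, and a single alerting threshold is then swept to show how tightening it trades false positives for false negatives. The device names, connection counts and incident labels are all constructed, and the two-tier `staged_decision` helper is a hypothetical stand-in for the idea that autonomous response should demand more confidence than an alert.

```python
import statistics

# Constructed baseline (not real Darktrace data): hourly outbound connection
# counts per device, captured while the model "learns" what normal looks like.
BASELINE = {
    "laptop-01": [12, 15, 11, 14, 13, 12, 16],
    "printer-02": [2, 3, 2, 2, 3, 2, 3],
    "server-03": [200, 210, 195, 205, 198, 202, 207],
}

# Constructed later observations with ground truth (True = genuine incident).
OBSERVATIONS = [
    ("laptop-01", 14, False),   # ordinary hour
    ("laptop-01", 18, True),    # quiet, low-volume incident: the hard case
    ("laptop-01", 40, True),    # obvious burst of connections
    ("printer-02", 5, False),   # busier than usual but benign
    ("printer-02", 30, True),   # a printer should never do this
    ("server-03", 215, False),  # inside the server's normal variation
    ("server-03", 260, True),   # well outside it
]

def learn_profiles(baseline):
    """Per-device mean and standard deviation: the learned 'normal'."""
    return {dev: (statistics.mean(v), statistics.pstdev(v)) for dev, v in baseline.items()}

def anomaly_score(profiles, device, value):
    """Distance from the device's own normal, in standard deviations."""
    mean, std = profiles[device]
    # Floor the spread so a near-constant baseline (the printer) is not divided by ~0.
    return (value - mean) / max(std, 1.0)

def staged_decision(score, detect_threshold=2.0, respond_threshold=6.0):
    """Alerting (DETECT-like) uses a low bar; autonomous action (RESPOND-like) needs more."""
    if score > respond_threshold:
        return "respond"
    if score > detect_threshold:
        return "alert"
    return "ignore"

def evaluate(profiles, observations, threshold):
    """Count false positives/negatives for one alerting threshold on the constructed data."""
    fp = fn = 0
    for device, value, is_incident in observations:
        flagged = anomaly_score(profiles, device, value) > threshold
        if flagged and not is_incident:
            fp += 1
        if is_incident and not flagged:
            fn += 1
    return {"false_positives": fp, "false_negatives": fn}
```

Running `evaluate` at a threshold of 2.0 catches every constructed incident at the cost of two benign alerts, while 3.0 removes both false alarms but silently misses the quiet laptop incident, which is exactly the skew the paragraph above weighs.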



Student comments on Darktrace – Leveraging AI in Cybersecurity

1. Thanks for the post! Darktrace's focus on early threat detection and automatic response seems very promising. I'm curious, as Darktrace operates in 110 countries, how do you think the company can effectively navigate diverse regulatory landscapes to ensure compliance while maintaining the agility needed to combat evolving cyber threats globally?
