Darktrace's software studies a network's pattern of life
It could have taken months for the systems administrators at a large bank in Rome to figure out that one of their servers was talking to Facebook, a red flag given that networks in banks don't need to know how many "likes" they've received. And they might not have noticed the streams of data the server then sent to an array of unknown computers. This kind of threat—coming from inside the network, not from outside its firewall—is difficult to detect. According to IT researcher Gartner, it can take an average of 229 days for a business to figure out it's been compromised this way.
What tipped off the bank's IT department was a little black box containing software from Darktrace, a U.K. startup founded in 2013 by a group of former British spooks and Cambridge University Ph.D.s. After two minutes, the software issued a preliminary alert, color-coded amber. After three minutes, as it became more confident something was seriously amiss, it switched to red.
Guarding a network's perimeter or scanning for known varieties of malware—the two buckets into which almost all cybersecurity programs can be lumped—doesn't cut it anymore, says Nicole Eagan, Darktrace's chief executive officer. Hackers have become increasingly sophisticated, changing just enough of an attack's code to elude established defenses. Cybercriminals are also increasingly using "spear phishing"—e-mails that seem to come from trusted sources but contain malicious links—to worm into networks. Says Eagan, "No matter how good you think your firewall is, attackers are still getting in."
Dave Palmer, Darktrace's director of technology, says his company's approach to cybersecurity was inspired by the way spies conduct surveillance. He should know: Palmer once guarded the networks of MI5, the U.K.'s domestic spying agency, and General Communications Headquarters, the equivalent of the U.S. National Security Agency. Darktrace's software employs more than a dozen machine-learning techniques to study a network's so-called pattern of life—everything from the devices that usually talk to one another to what sort of data they normally transmit to whom and when. Once a baseline has been established, the program alerts systems administrators to irregularities, color-coding each alert depending on how serious a threat it might pose. Amber means the company's IT chief should probably be informed, Palmer says. Red means it's time to wake up the CEO.
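The baselining described above can be sketched in a few dozen lines. What follows is an added illustration written for this page, not Darktrace's code and not an account of its techniques: it learns, per internal host, which destinations it talks to, at what hours and with how much outbound data, then grades each new connection green, amber or red. The flow records, host names, the three-standard-deviation volume cutoff and the rule that two or more anomalies make an alert red are all assumptions made for the example; the "unknown external host receiving a large upload at 3 a.m." case mirrors the bank scenario the article opens with.

```python
"""Pattern-of-life baselining, an added example (not Darktrace's code)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    src: str        # internal host that opened the connection
    dst: str        # destination host or domain
    bytes_out: int  # bytes sent by src in this flow
    hour: int       # hour of day (0-23) at which the flow started


class Baseline:
    """Per-source pattern of life: who it talks to, how much, and when."""

    def __init__(self):
        self.peers = defaultdict(set)     # src -> destinations seen in learning
        self.hours = defaultdict(set)     # src -> hours at which src is active
        self.volumes = defaultdict(list)  # src -> bytes_out of each learned flow

    def learn(self, flows):
        for f in flows:
            self.peers[f.src].add(f.dst)
            self.hours[f.src].add(f.hour)
            self.volumes[f.src].append(f.bytes_out)

    def volume_threshold(self, src):
        """Outbound bytes above mean + 3 sigma count as anomalous (assumed cutoff)."""
        v = self.volumes[src]
        if len(v) < 2:
            return float("inf")
        return mean(v) + 3 * pstdev(v)

    def score(self, flow):
        """Return (severity, reasons); severity is 'green', 'amber' or 'red'."""
        reasons = []
        if flow.src not in self.peers:
            reasons.append("source host never seen during learning")
        else:
            if flow.dst not in self.peers[flow.src]:
                reasons.append(f"new destination {flow.dst}")
            if flow.hour not in self.hours[flow.src]:
                reasons.append(f"active at unusual hour {flow.hour:02d}:00")
            if flow.bytes_out > self.volume_threshold(flow.src):
                reasons.append(f"outbound volume {flow.bytes_out} above baseline")
        if not reasons:
            return "green", reasons
        # Assumed escalation rule: one anomaly is amber, two or more are red.
        return ("red" if len(reasons) >= 2 else "amber"), reasons


# Constructed learning data: a database server talking to three known peers
# during business hours with 2,000-4,000 bytes per flow.
BASELINE_FLOWS = [
    Flow("db-01", dst, 2000 + 500 * (i % 5), hour)
    for i, (dst, hour) in enumerate(
        (d, h) for h in range(8, 19) for d in ("app-01", "app-02", "backup-01")
    )
]

# Constructed flows to triage after learning.
NEW_FLOWS = [
    Flow("db-01", "app-01", 4000, 10),             # routine
    Flow("db-01", "social.example", 500, 10),      # small poll of an unknown site
    Flow("db-01", "203.0.113.7", 50_000_000, 3),   # bulk upload, unknown host, 3 a.m.
    Flow("db-01", "app-02", 5_000_000, 12),        # known peer, unusually large
]


def detect(baseline, flows):
    """Grade each flow; returns a list of (destination, severity, reasons)."""
    return [(f.dst, *baseline.score(f)) for f in flows]


if __name__ == "__main__":
    b = Baseline()
    b.learn(BASELINE_FLOWS)
    for dst, severity, reasons in detect(b, NEW_FLOWS):
        print(f"{severity:5s} {dst:16s} {'; '.join(reasons) or 'within baseline'}")
```

The point of the amber tier is the first anomaly in the bank story: a single connection to a social network is unusual for a database server but, on its own, is only worth a look. The red tier is what follows when several features leave the baseline at once, which is also why a learning period matters: with too few observations the volume cutoff is undefined and every host still looks new.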
Martin Whitworth, a security analyst at Forrester Research, says the behavioral analytics honed by Darktrace and rivals such as Anomali and Deep Instinct are necessary because IT executives are drowning in data, with lots of potential for false alarms. That was the case at Drax Power, a U.K. utility that installed Darktrace's software in 2013. "It very quickly got rid of that noise and helped us understand what exactly was happening—what was getting through our firewall, how it was getting through, how it was defeating our antivirus," says Martin Sloan, Drax's security chief.
Darktrace has more than 200 customers, about a quarter of them in financial services and the rest in sectors including energy, retail, and travel. The monthly subscription starts at $10,000. The startup is backed by more than $50 million in venture capital. Among its biggest supporters is Invoke Capital, a $1 billion venture fund headed by Mike Lynch, the onetime CEO of Autonomy, a U.K. software firm bought in 2011 by HP for $11 billion. Lynch and HP are embroiled in a legal battle over allegations that Autonomy's management inflated the company's revenue, which Lynch has denied.
Installing Darktrace takes about an hour, Palmer says. The self-learning system reaches 80 percent of its capabilities within one month and continues to improve gradually.
In early March, Darktrace released an add-on called Antigena that automates many of the responses to a breach that once required humans, such as isolating a server from the Internet. That's in part to address a manpower shortage. In the U.S. alone, there are 260,000 openings for cyberthreat analysts. Says Eagan, "There are not enough people trained to deal with all the major breaches."
As an investigation later found, the attack on the Italian bank wasn't particularly sophisticated. A systems administrator had accidentally downloaded the malware that enslaved the bank's server in a botnet—an army of infected machines controlled by hackers—used to mine bitcoin. The Facebook page was where the botnet's zombie machines went to get their instructions.
In the past year, Darktrace has encountered far more ominous threats—hackers using machine learning to penetrate networks. At a conference in London in January, Lynch painted a chilling scenario of cybersecurity's future: One artificially intelligent piece of software silently trying to outwit and infiltrate another.