What are the limitations of traditional/legacy security approaches?
Despite the introduction of enhanced security measures and the sharing of industry best practices, insider threats remain an unsolved problem that seriously threatens many businesses.
Outside attackers will typically obtain and then use the authorised access credentials of an employee to avoid tripping perimeter alarms. This makes it extremely difficult to distinguish authorised activity from a threat actor. Attackers use this cloak of legitimacy to disguise themselves amid the normal interactions of that user and the day-to-day activities within the network. By masquerading as a legitimate user and gaining recognition as one at the point of entry, the attacker is treated by the network as 'trusted' and the breach goes undetected. Infiltrating the enterprise to find and siphon data, or to manipulate systems, then becomes much easier.
Networks today are too complex, people too variable and data too dynamic to rely on legacy perimeter-based and rule-based approaches. When boundaries fail, the definition of the 'insider' loses its relevance. Hence, whether they come from inside or outside, threat actors are becoming harder to spot because, one way or another, they are finding new ways to act successfully from within.
Moreover, in an age where many new threats emerge on a daily basis, analysing, updating and patching for yesterday's Heartbleed or Carbanak provides no guarantee of protection against tomorrow's adversaries. Today's attackers are constantly adapting their techniques and strategies to bypass traditional security stacks and achieve longevity within systems.
How does the new Enterprise Immune System approach address those limitations?
Based on advanced machine learning and probabilistic mathematics developed at the University of Cambridge, Darktrace's Enterprise Immune System is a new category of cyber technology that passively observes all network interactions and self-learns to build 'pattern of life' models for every network entity (user and machine). These models draw on more than 300 dimensions, such as reboots, protocol changes and external connections. As more information is gathered and contexts change, the models adapt to each new set of circumstances and are continually updated.
For example: if an HR employee logs on to the network from an unknown overseas IP address, Darktrace will make a judgment about the user and the device. It knows that it is unusual for this particular staff member to log on remotely. The device in question is also an external laptop, which rarely logs on from outside the enterprise. Darktrace would attribute a higher threat level to this activity than if it were a legal advisor or a C-level executive with a regional remit, for whom travel is usual and mobile device use common.
The power of this approach lies in its rejection of the binary rules and signatures of traditional models. The Darktrace appliance does not need a rule for every possible transgression that might catch an attacker. Instead, it understands the changeable nature of human and machine behaviour, and detects the subtle anomalies that are truly indicative of a threat.
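To make the HR-employee example concrete, here is an added illustration (not Darktrace's code or algorithm) of per-entity 'pattern of life' scoring: each entity keeps its own history along a few dimensions, and an event's score is its surprise (in bits) relative to that entity's history. The dimension names, the additive smoothing, and the two logon histories are all constructed assumptions for the demonstration.

```python
import math
from collections import Counter, defaultdict

# Hypothetical per-entity baseline: for each entity and each dimension, a count of
# the values seen so far. Additive smoothing (alpha) keeps a never-seen value rare
# rather than impossible. Constructed for illustration, not a vendor algorithm.
class PatternOfLife:
    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.counts = defaultdict(lambda: defaultdict(Counter))

    def observe(self, entity, event):
        for dim, value in event.items():
            self.counts[entity][dim][value] += 1

    def surprise(self, entity, event):
        """Bits of surprise: sum over dimensions of -log2 P(value | entity history).
        Caveat: an entity with no history scores 0, so new entities need a learning
        period before their scores mean anything."""
        score = 0.0
        for dim, value in event.items():
            hist = self.counts[entity][dim]
            total = sum(hist.values())
            p = (hist[value] + self.alpha) / (total + self.alpha * (len(hist) + 1))
            score += -math.log2(p)
        return score

# Constructed histories (not real data): an HR analyst who only ever logs on from an
# office desktop, and a regional executive who routinely travels with a laptop.
def build_baselines():
    pol = PatternOfLife()
    for _ in range(40):
        pol.observe("hr_analyst", {"location": "office", "device": "desktop", "geo": "domestic"})
    for _ in range(20):
        pol.observe("exec", {"location": "office", "device": "laptop", "geo": "domestic"})
    for _ in range(12):
        pol.observe("exec", {"location": "remote", "device": "laptop", "geo": "domestic"})
    for _ in range(8):
        pol.observe("exec", {"location": "remote", "device": "laptop", "geo": "overseas"})
    return pol

# The same observation, a remote logon from an overseas IP on a laptop, scored
# against each entity's own baseline: hr_analyst ~16.2 bits, exec ~3.3 bits.
LOGON = {"location": "remote", "device": "laptop", "geo": "overseas"}

def score_logon():
    pol = build_baselines()
    return {e: pol.surprise(e, LOGON) for e in ("hr_analyst", "exec")}

# A static rule has no notion of "usual for this user": it fires identically for both.
def static_rule(event):
    return event["geo"] == "overseas"
```

Running `score_logon()` shows the identical event scoring several times higher for the analyst than for the travelling executive, whereas `static_rule(LOGON)` is simply true for both.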