Darktrace deals with breach identification, breach remediation and insider threats by automatically alerting you to anomalies within your environment and allowing you to play events back through a threat visualiser.
Identifying a breach can take a very long time - one study measured this as an average of 146 days! Once identified you then have the additional time needed to discover what the attacker/insider has compromised and what damage has been done. Often attackers will move through an environment to give themselves multiple areas for re-entry in case of a detection and to get access to more data/accounts.
It’s often very difficult to cut through the noise that event management and SIEM technologies create to get the information you need.
Darktrace automates breach identification and remediation through network and machine learning. The tool discovers what normal user and machine behaviour looks like and then alerts your team (or the SSS team) to any anomalies within your environment. In addition it will allow your team (or ours) to play the event back through a visualiser that shows the threat through a 3D interface of your network topology.
Below is a summary of the six core elements of the Darktrace solution set:
Physical Appliance similar to a SIEM or TRIM solution but it is cutting a lot of the ‘noise’ down that Customers have to pay attention to.
Darktrace (Core) is the Enterprise Immune System’s flagship threat detection and defense capability, based on unsupervised machine learning and probabilistic mathematics.
Powered by advanced machine learning, together with a new branch of Bayesian probability theory, developed by mathematicians from the University of Cambridge, Darktrace is the only genuinely self-learning cyber defense technology proved to work at scale. It is capable of detecting cyber-threats and anomalous behaviors that bypass traditional security tools, without prior knowledge of specific threats, or using rules or signatures.
Darktrace works by analyzing raw network data, creating unique behavioral models for every user and device, and for the relationships between them.
Adaptive – evolves with your organization
Self-learning – constantly refines its understanding of normal
Probabilistic – works out likelihood of serious threat
Real-time – spots threats as they emerge
Works from day one – delivers instant value
Low false positives – correlation of weak indicators
Data agnostic – ingests all data sources
Highly accurate – models human, device and enterprise behaviour
Installs in 1 hour – no configuration
The Threat Visualizer is Darktrace’s real-time, 3D threat notification interface. As well as displaying threat alerts, the Threat Visualizer provides a graphical overview of the day-to-day activity of your network(s), which is easy to use, and accessible for both security specialists and business executives.
Using cutting-edge visualisation techniques, the Threat Visualizer user interface automatically alerts analysts to significant incidents and threats within their environments, enabling analysts to proactively investigate specific areas of the infrastructure.
3D visualisation of entire network topology
Real-time global overview of enterprise threat level
Intelligently clusters anomalies
Pan-spectrum viewing – higher-order network topology; specific clusters, subnets, and host events
Searchable logs and events
Replay of historical data
Concise summary of overall behaviour for device and external IPs
Designed for business executives and security analysts
Industrial Control Systems & SCADA
Darktrace ICS, also known as the Industrial Immune System, is a fundamental innovation that implements a real-time ‘immune system’ for operational technologies, such as SCADA, and enables a fundamental shift in the approach to cyber defense.
Darktrace ICS retains all of the capabilities of Darktrace in the corporate environment, creating unique, behavioural understanding of the ‘self’ for each user and device within the network, and detecting threats that cannot be defined in advance by identifying even subtle shifts in expected behaviour.
Unprecedented visibility into ICS activity
Protects against insider threat, including operators and privileged users
Detects threats in real time
Coverage of both IT and OT environments
Correlates actions over time, for refined understanding of ‘normal’
4. Darktrace Antigena - This is their remediation and protection module.
The machine fights back
When the human immune system is faced with a new threat, not only can it detect it, but it produces antibodies that bind to it, and ultimately neutralise it. Darktrace Antigena replicates this function of the human immune system, by creating ‘digital antibodies’ in response to in-progress threats.
Antigena acts automatically to restrain or contain threats quickly enough to allow humans to catch up. It could only take 20 minutes for a major threat, such as a ransomware attack, to evolve into a crisis – Antigena’s automated action slows, or stops threats in a targeted fashion, to provide security teams with a vital time window in which to take mitigating action.
Antigena’s response capability allows organisations to directly fight back, and networks to self-defend against specific threats, without disrupting your organisation.
Darktrace Antigena modules are deployed as physical appliances, complementing the core Darktrace appliance. They can also interface with Software Defined Networks (SDNs) and Active Directory, and are fully configurable.
Antigena Internet – Regulates user and machine access to the internet and beyond
Antigena Network – Regulates machine and network connectivity and user access permissions
Antigena Email – Regulates email, chat and other messaging protocols
Directly inoculates against a full range of threats
Prevents, slows, or disrupts activity in real time
Self-defends and self-improves
Stops threats before they spread
Darktrace vSensors are lightweight software components that extend Darktrace’s visibility in virtualized environments. It provides the Enterprise Immune System with comprehensive visibility of today’s distributed infrastructures.
vSensor software is installed as a ‘virtual appliance’ configured to receive a SPAN from the virtual network switch. This allows it to capture all inter-VM traffic, without a single packet being lost or dropped by the system. It stores the packet captures on a rolling basis, optimising the disk space and I/O performance and ensuring that there is minimal impact on the performance of the server. Only one vSensor needs to be installed on each hardware server, allowing for scalability.
Darktrace OS-Sensors are lightweight, host-based server agents that extend Darktrace’s visibility into third-party cloud environments, including Amazon AWS, Rackspace, and Microsoft Azure.
OS-Sensors intelligently extract single copies of network traffic for analysis by the master Darktrace appliance. They are easily installed onto virtual machines in the cloud and capable of dynamically configuring themselves to avoid data duplication and streamline bandwidth use. Working in conjunction with vSensors, data is aggregated and fed back to the master appliance, via a secure connection.
Ingests virtual traffic from a limited set of IPs
Sends data efficiently and securely to the Darktrace master appliance
Sends approximately 1% of the original raw network data ingested to the master appliance
Works with third-party clouds
Extending self-learning detection to rich user data in SaaS platforms
As organisations embrace cloud applications, significant blind spots have developed beyond the traditional enterprise network. Valuable enterprise data and rich user interactions within SaaS applications contain critical security insights, but are not always accessible to IT security teams.
Darktrace SaaS Connectors provide coverage of these rich datasets, extending the power of Enterprise Immune System technology into previously-unseen areas of your infrastructure, including:
Complete visibility of user interactions within SaaS applications
Easy install — less than an hour
Early-stage threat detection