I understand that most of you reading this have never worked in a Security Operations Center, or SOC for short, but you've all seen them in movies.
Sterile, brightly lit rooms of computer screens. All showing spreadsheets or charts or static maps of the world. I yawn even thinking of it.
And yet the men and women working in this environment 24/7 are responsible for detecting that one little anomaly, or sorting out the REAL bad traffic patterns from among the thousands of false-positive bad traffic patterns that show up on their screens hourly.
Little wonder the poor security analysts over at Target missed the evidence in front of them. The sheer enormity and chaos of data that assaults them in the course of their workday is stressful and overwhelming. All the screens look the same: tables and columns and rows of information about network and security events, collected and forwarded by every device on the network. Then hundreds or thousands of rules process them to try to find deviations from "normal traffic". Like any network has "normal traffic". Right...
I know. I've worked in or around these systems for the past two decades. I've seen the tools appear, mature, merge, morph, and become "fairly" usable. But the false positives are still rampant, and low-and-slow "Advanced Persistent Threats" stay under the radar and typically don't show up here.
So when an upstart security analytics company called me late in 2013 to show me what they'd been working on, well... I couldn't care less. Really... They tried hard to influence me with their pedigree: hailing from the minds of ex-MI5 security intelligence employees, and funded by Autonomy founder Mike Lynch. But all big software stands on the shoulders of giants, right?
Then a few months ago, a friend of mine convinced me to come out to a public demo of their system.
So let me take a second to say that the basis of their tools revolves around some very propeller-head complex math that we mere mortals could never comprehend. They do not rely on rules or signatures or feeds from your network devices. Yes... they DO require a network SPAN or tap at critical aggregation points in your network, but they are able to watch, analyze, identify, and correlate your traffic over a period of time and, through machine learning techniques, develop an understanding of "normal traffic" within several contexts.
Darktrace touts itself as your "Enterprise Immune System", in that, like the human body's immune system, it has an understanding of "self" (what belongs, or is normal) versus contaminants like bacteria or viruses. After a period of mapping your environment's traffic patterns (source, destination, port, protocol, time of day, day of year, etc.), Darktrace uses its learning algorithms to alert on traffic patterns that are NOT normal and therefore should be looked at. It learns what "normal" or "self" is for each device on your network. The difference here is the heuristic learning. Not rules made by people who think they know the system.
All very impressive… BUT… that’s not really what caught my eye. Sorry Darktrace guys, but the person or people you can never let leave your company are the ones who wrote that AWESOMELY FUTURISTIC HUMAN INTERFACE!!! Oh My God!
Remember up top where I said how sterile and drab and monotonous staring at a gazillion screens full of spreadsheets was? Well… now picture having the tools from Minority Report! Yeah, you know the ones!
The screen in front of me started off with a wireframe globe. Little pins of light would show up, intensify, dim... whatever... I've seen this before. But... our presenter took the mouse, spun the globe a few degrees, and zoomed in "just like in the movies".
I got the feeling at first that this was canned video footage. But then the presenter selected one of those intensifying lights. He zoomed in, and as he zoomed, images of network devices started showing up, with the lines between them glowing as well, in various intensities and colors. They then portrayed a communication session initiated from a desktop to a web server: a faint white line... then immediately more light from that web server back to another device that turned out to be an associated database server... AND more illuminated lines back to the network storage array... That one transaction, a web page request I would imagine, allowed me to visualize *VISUALIZE* connectivity to the various sub-components of the web application's infrastructure.
Before anyone had a chance to ask about those red glowing devices and lines, the presenter clicked one and detailed how THIS was not typical traffic from that particular device at this time of day, nor from the area of the network being connected. Anomalous behavior. VISIBLE in real time.
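To make the "learn what is normal for each device, then alert on what isn't" idea concrete (the per-device "self" described above, and the demo's "not this peer, not at this time of day" alert), here is a small added example. It is my own illustrative sketch, not Darktrace's code or algorithm: it learns, for each source host, how often the host talks to each destination /24 and port and at which hours, then scores a new flow in bits of surprise using Laplace-smoothed counts as a crude stand-in for a Bayesian prior. The host addresses and flow records are constructed for the example, not taken from any capture.

```python
"""Per-device behavioural baseline: an illustrative sketch, not Darktrace's code.

For each source host it learns how often the host talks to each
(destination /24, destination port) pair and at which hours of the day,
then scores a new flow by how surprising it is under that learned
"normal". Laplace-smoothed counts stand in for a proper Bayesian prior,
so never-seen combinations are improbable rather than impossible.
"""
import math
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed sample hosts (assumed addresses, not from any real capture).
DESKTOP, WEB, DB, STORAGE = "10.1.1.50", "10.2.0.10", "10.3.0.5", "10.4.0.7"


def dst_subnet(ip):
    """Collapse a destination to its /24 so the 'area of the network' is learnable."""
    return str(ip_network(f"{ip}/24", strict=False))


class HostBaseline:
    def __init__(self, alpha=1.0):
        self.alpha = alpha                   # pseudo-count used for smoothing
        self.peers = defaultdict(Counter)    # src -> Counter[(subnet, port)]
        self.hours = defaultdict(Counter)    # src -> Counter[hour 0-23]
        self.all_peers = set()               # every (subnet, port) seen anywhere

    def learn(self, flows):
        """Ingest (src, dst, port, hour) records from the learning period."""
        for src, dst, port, hour in flows:
            key = (dst_subnet(dst), port)
            self.peers[src][key] += 1
            self.hours[src][hour] += 1
            self.all_peers.add(key)

    def _prob(self, counter, key, n_categories):
        total = sum(counter.values())
        return (counter[key] + self.alpha) / (total + self.alpha * n_categories)

    def surprise(self, src, dst, port, hour):
        """Bits of surprise: -log2 P(peer | src) - log2 P(hour | src). Higher = odder."""
        p_peer = self._prob(self.peers[src], (dst_subnet(dst), port), len(self.all_peers) + 1)
        p_hour = self._prob(self.hours[src], hour, 24)
        return -math.log2(p_peer) - math.log2(p_hour)


def flag_anomalies(model, flows, threshold_bits):
    """Return [(flow, bits)] for every flow scoring above the threshold."""
    scored = [(f, model.surprise(*f)) for f in flows]
    return [(f, bits) for f, bits in scored if bits > threshold_bits]


def build_demo_model():
    """Learn from a constructed business-hours baseline of a three-tier app."""
    baseline = []
    for hour in range(9, 18):                # 09:00-17:00, two flows per hour per hop
        baseline += [(DESKTOP, WEB, 443, hour)] * 2      # desktop -> web tier
        baseline += [(WEB, DB, 5432, hour)] * 2          # web tier -> database
        baseline += [(DB, STORAGE, 2049, hour)] * 2      # database -> storage array
    model = HostBaseline()
    model.learn(baseline)
    return model


if __name__ == "__main__":
    model = build_demo_model()
    candidates = [
        (DESKTOP, WEB, 443, 12),     # desktop to the web tier at noon: normal
        (DESKTOP, WEB, 443, 3),      # usual peer, unusual hour: mildly surprising
        (DESKTOP, DB, 5432, 3),      # desktop straight to the database at 03:00
    ]
    for flow in candidates:
        print(f"{flow}: {model.surprise(*flow):.2f} bits")
    print("flagged:", flag_anomalies(model, candidates, threshold_bits=8.0))
```

On the constructed baseline the noon desktop-to-web flow scores about 4 bits, the same peer at 03:00 about 5.6 bits, and the desktop talking directly to the database at 03:00 about 9.9 bits; with the threshold at 8 bits only the last is flagged. Where that threshold sits is exactly the false-positive trade-off the post complains about, and a host that first appears after the learning period has no baseline at all, so a real system needs an explicit "new device" path rather than silently scoring it against an empty history.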
Darktrace: Enterprise Immune System
Darktrace: Recursive Bayesian Estimation
Darktrace CEO Joins Prime Minister David Cameron on Official Cyber Security Visit to Washington D.C.
Former MI5 chief advises Darktrace
GCHQ Defence chief to head cyber security start-up Darktrace
ZDNet: Darktrace: What happens when Bayesian analysis is turned on intruders
Deloitte: The ‘Immune System’ of Enterprise IT?
How Threats Disguise Their Network Traffic
Trend Micro: Network Detection Evasion Methods
What is “Normal Traffic” Anyway? (by Chris Greer)
MI5: UK Security Intelligence