Think you know what's going on on your network? You probably don't, warns Darktrace's Steve Soar
Organisations need to proactively monitor network activity, rather than looking at server logs
Organisations are out of touch with the level of activity on their networks, both the end points and other devices connected to them and the potentially malicious activity that could indicate an attack or other unauthorised access.
That is the message of Steve Soar, cyber security executive at Darktrace, the security appliance vendor whose tools use the kind of Bayesian mathematical intelligence developed at Cambridge University and popularised by Mike Lynch, founder of Autonomy.
"What the maths does when we install the box is that it starts to learn the organisation. It doesn't matter how large the network is - our smallest customer has about 20 members of staff and our largest customer has hundreds of thousands of members of staff," said Soar, presenting at Computing's Enterprise Security and Risk Management Summit 2015. "The maths inside the box is exactly the same."
Darktrace's appliances are connected to the network and passively examine devices and their network traffic. "We start to learn what we call a 'pattern of life' for every device, be it a laptop, telephone, server, desktop, or person that we see on the network. We capture raw packets across the network and we process those raw packets in such a way that, for every device, we can see somewhere between a few hundred and a thousand different variables every second."
In a matter of weeks, the appliance learns patterns of behaviour for all the various devices that it has logged - and can then send alerts when something out of the ordinary occurs.
Furthermore, adds Soar, at every organisation to which his company has connected a Darktrace appliance - the company will provide a box free for a month to prospective customers - various anomalies and other unexpected behaviours have always been uncovered.
"If there are 10,000 laptops on the network, Darktrace can say, 'these 50 laptops kind-of work in the same way', so I'm going to peer-group these devices together. The reason we do that is because we take for granted that there is already something malicious running on pretty much every network that we connect the Darktrace box to," warned Soar.
By examining the devices on the network and their behaviours, a pattern can be established. "We can then create an inside-out view of the network," he added, "and start to create some really clever alerting."
This can initially create a lot of noise, and that is where the Bayesian mathematics comes in, winnowing out the anomalies that are probably nothing to be concerned about from those that portend real problems - in many respects, prioritising security work.
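To make the per-device "pattern of life" and peer-grouping ideas above concrete, here is an added illustration (not Darktrace's code, and a plain z-score stands in for its Bayesian scoring): each device's learning-window observations are summarised into a profile, devices with similar profiles are pooled into a peer group, and a new observation is scored against that pool rather than against the whole network. The device names, feature choice and daily figures are constructed.

```python
"""Per-device baselining with peer grouping: an added illustration, not
Darktrace's method. Features and data are constructed for the example."""
import math
from statistics import mean, pstdev

# Constructed learning window: device -> daily (bytes_out_MB, distinct_destinations)
HISTORY = {
    "laptop-01": [(120, 30), (130, 28), (110, 32), (125, 31)],
    "laptop-02": [(115, 29), (135, 33), (120, 30), (128, 27)],
    "laptop-03": [(125, 31), (118, 34), (122, 29), (131, 30)],
    "backup-srv": [(9000, 3), (9500, 2), (8800, 3), (9200, 3)],
}


def profile(obs):
    """Mean feature vector of one device over its learning window."""
    return tuple(mean(col) for col in zip(*obs))


def peer_groups(history, tol=0.5):
    """Greedy grouping: a device joins the first group whose founding member's
    profile lies within `tol` on a log scale for every feature; otherwise it
    founds a new group. Returns a list of device-name lists."""
    groups = []
    for dev, obs in history.items():
        p = profile(obs)
        for g in groups:
            ref = profile(history[g[0]])
            dist = max(abs(math.log(a) - math.log(b)) for a, b in zip(p, ref))
            if dist <= tol:
                g.append(dev)
                break
        else:
            groups.append([dev])
    return groups


def score(device, obs, history, groups, z_alert=3.0):
    """Score a new observation against the pooled baseline of the device's
    peer group. Returns (max_z, alert): alert is True when any feature
    deviates by more than `z_alert` standard deviations from the pool."""
    peers = next(g for g in groups if device in g)
    pooled = [o for d in peers for o in history[d]]
    zs = []
    for val, col in zip(obs, zip(*pooled)):
        sd = pstdev(col) or 1.0  # guard against a constant feature
        zs.append(abs(val - mean(col)) / sd)
    return max(zs), max(zs) > z_alert
```

The backup server's 9 GB days would look wildly anomalous against the laptops, but score quietly against its own peer group; a laptop suddenly reaching hundreds of distinct destinations does not.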
"We never put our box onto a network and don't show you something. I've been involved in many deployments now and it's extremely rare we put one of our appliances onto a network and don't show the chief information security officer, the CIO or the security guy something interesting happening on their network within the first week or two," said Soar.