The Enterprise Immune System: Using Machine Learning for Next-Generation Cyber Defence

Hayley Turner, Cyber Security Senior Account Manager

Upload: executive-leaders-network

Post on 09-Apr-2017

TRANSCRIPT

PowerPoint Presentation

Hayley Turner, Cyber Security Senior Account Manager

The Enterprise Immune System

Using Machine Learning for Next-Generation Cyber Defence

PERSONAL INTRODUCTION [introduce yourself]

- Thank you for the opportunity to present to you.

- I'll be talking to you about a new approach to cyber defence, known as the Enterprise Immune System.

- Then we will bring it to life with a live demonstration of the product.

1

Agenda

Background & Growth

Evolving Threat Landscape

Enterprise Immune System

Live Demonstration of the 3D Threat Visualizer

Real-World Use Cases

Q & A

Andrew:

Here is a brief outline of what we will be discussing during the webinar

Darktrace's company background

The expansion of the network: increasing use of cloud and SaaS platforms and the challenges that creates

The Enterprise Immune System approach to cyber defense, specifically how we apply it to the cloud and virtual environments

Real-World Use Cases: how the EIS approach has worked in incidents involving threat agents external to the network and insider threats across sectors

Q & A: we will aim to address all your questions and look forward to hearing them; the Q&A will commence around 15:35

2

Background & Growth

Founded by world-leading mathematicians, from the University of Cambridge, and cyber operations experts

Fundamental technology innovation

Powered by machine learning and mathematics

2,000+ deployments worldwide

600% year-on-year growth

HQs in San Francisco, and Cambridge, UK

"Darktrace detects threats without having to define the activity in advance" - CIO, City of Las Vegas

"Darktrace's technology is unique" - CISO, Telstra

Simon:

Darktrace was founded by mathematicians and machine learning specialists from the University of Cambridge, and we've been able to bring a fundamentally new approach to cyber security.

We now have over 2,000 customer installations, with dual headquarters in Cambridge, UK and San Francisco.

Weve expanded to 23 global offices, including locations in Singapore, New York City, and London.

We have been recognised with numerous awards including 2017 Info Security Global Excellence and 2016 Stevie winner.

3

Over 2,000 Deployments From SMEs to Global Banks

CUSTOMERS

All verticals: from retail, media, and hospitality, to healthcare, financial services, and energy and utilities.

We can also scale up to any size business. Our smallest customer is a two person hedge fund in New York, and our largest is one of the top 3 global banks with 400,000 employees and 1 million devices.

4

Evolving Threats in a New Business Landscape

Legacy controls are constantly outpaced

Outsourced IT, SaaS, cloud, virtual, supply chain

It's not just data breaches & defaced websites

Insider threat is constant, whether malicious or non-malicious

Trust attacks are silent and stealthy

Integrity of data is at risk

Emergence of artificial intelligence attacks is leading to highly customised campaigns

EVOLVING THREATS IN A NEW BUSINESS LANDSCAPE

Every day we are seeing attacks on the networks of our hundreds of customers around the world, and there are a couple of key trends which we see developing.

Firstly, the threat landscape is extremely challenging: advanced, and moving incredibly fast.

We read about data breaches and exfiltration in the news all the time. But it isn't these headline-making attacks that are the most dangerous.

We're starting to see much more complex, even machine learning based attacks, which use artificial intelligence to hide and move.

Secondly, we are seeing a rise in trust attacks: attacks that are aimed at damaging a company's reputation or credibility by undermining the integrity of their data.

Often very stealthy, the attackers' objective appears to be to change data slowly and over time.

They can remain in the network for hundreds of days before any damage is done.

In a bank or a hospital, these subtle changes over time can have a catastrophic effect on confidence in the data.

Insider threat is also a major concern. Anyone with access to your network is a potential insider: from employees, to contractors, to customers and suppliers.

All this is against a backdrop of increasing business complexity, where the security industry is struggling to keep up with the threats posed by cloud and virtual environments, mobility, IoT, SaaS, and the simple fact of a network without traditional boundaries.

5

DARKTRACE APPROACH THE IMMUNE SYSTEM

So it's clear that the legacy approach of rules and signatures, or defending the perimeter, is not sufficient.

Darktrace's approach is different.

It's inspired by the biological principles of the human immune system, and is designed to embrace the challenges we've just talked about.

We call it the Enterprise Immune System.

Our bodies are attacked all the time by new viruses and bacteria.

Of course, skin protects us to a certain extent. But the immune system is essential.

The immune system understands what "self" is: it is continually learning what is part of me and what is not part of me, and can identify abnormal behaviours and take action against them.

It expects intrusion, and responds routinely.

Darktrace works in a similar way. Like the human immune system, it is a self-learning system that is continually evolving and adapting to understand normal activity inside the network.

It can detect and stop threats before they do damage.

Our approach is underpinned by unsupervised machine learning and mathematics.

We typically take a hardware appliance and plug it into the core of your network, where we configure a SPAN port from a core switch and passively ingest as much raw network traffic as possible.

We analyse 350 different dimensions for every user and device on your network and from those metrics we create behavioural models.

We call this a pattern of life. It is essentially a complex behavioural model for every person and device on your network.

From these highly detailed models of normal, the machine learning is able to detect even the most subtle behavioural shifts, and do this in real time.

We can display the most anomalous or threatening behaviours on our intuitive three-dimensional Threat Visualizer which I will demonstrate in a moment.

And this gives unprecedented visibility into the behaviours deep in the core of the network.

6

The Enterprise Immune System: Proven to Work

Learns self in real time: for every individual user, device and network, using unsupervised machine learning

Finds the threats that get through: detects both insider and sophisticated external threats, from within the network

100% visibility: visualises entire network, including traditional and non-traditional IT, allows for investigations

Scalable: largest deployment has over 1 million users

All networks & devices: works on physical and virtual networks, cloud, ICS

ENTERPRISE IMMUNE SYSTEM: PROVEN TO WORK

So, to briefly recap, we detect threats in real time, which go unnoticed by other security tools.

We work not only with corporate networks, but also with virtualized environments and industrial control systems.

Because of our unique mathematical approach, we are able to create these pattern of life models for any device on the network, not just traditional IT.

Every day we are spotting threats on biometric controls, video conferencing facilities, CCTV, and a range of non-traditional infrastructure which is increasingly acting as an attack vector for threat actors.

It's also worth mentioning again here that this approach is entirely scalable; our largest deployment has well over a million endpoints.

Finally, this is our powerful Threat Visualizer, which provides you visibility of what's going on in your network.

I'm going to demonstrate in a moment.

7

Machine Learning is Hard to Get Right

No two networks are alike: needs to work in every network (on-premise, virtualized, cloud, SaaS, segmented)

Needs to work without customer configuration or tuning of models

Needs to support teams with varying security & maths skills

Must deliver value immediately, but keep learning and adapting as it goes

Must have linear scalability

Cannot rely on training sets of data

MACHINE LEARNING IS HARD TO GET RIGHT

So, the fundamental basis of Darktrace's technology is unsupervised machine learning.

The reality is that machine learning is very difficult to implement in practice.

There are several reasons for that:

Every network is different: it needs to work across all types and sizes of network

A security solution cannot rely on sets of training data. [Networks are too complicated, and threats are constantly evolving.]

It has to scale.

It needs to deliver value immediately

What Darktrace has been able to do uniquely is to apply unsupervised machine learning in the real world.

Indeed, it has been proven time and time again to work across all types of network, with data moving at different frequencies, and it detects the threats that are quite simply going unnoticed by other approaches.

Critically our machine learning adapts, grows, and evolves with your business.

It is constantly calculating new probabilities based on evolving evidence.

[Further questions may be referred to a later conversation; delighted to set up a call with our technical and mathematics teams if you'd like more information]

8

Darktrace 3D Threat Visualizer

VALIDATION & CONFIDENCE: this is what your audience should TAKE AWAY from the presentation

So let me summarize.

We are seeing an arms race being played out on the networks of our customers, with attackers starting to take advantage of complex artificial intelligence attacks, and malware that can do damage at a pace beyond our ability to defend.

Rules and signatures are simply not good enough in today's environment.

They can't cope with the complexity of an increasingly diverse business environment, and an increasingly complex threat landscape.

Likewise, the threat is now able to move at a pace that defeats the human's ability to respond, no matter how big our security team might be.

Darktrace's Enterprise Immune System is a fundamentally new approach to combatting these evolving cyber threats.

Powered by unsupervised machine learning and mathematics, it understands what's normal for devices, users, and the network as a whole, without prior knowledge, making it possible to detect threats as they emerge, without rules or signatures.

The best way to test this approach is with a free Proof of Value, allowing you to apply our powerful technology to your network and business.

Let me show you our award-winning Threat Visualizer now, and really bring to life some of the concepts we've been discussing.

9

Immune System Technology Finds Threats That Go Undetected

Over 27,000 in-progress threats detected, including:

Exfiltration of sensitive data by insiders

Hacked IoT devices, including HVAC, video conferencing

Third-party contractor vulnerabilities

Polymorphic & metamorphic malware that blend in

Irregular VPN access from remote users & sites

Compromises of industrial control systems

Indiscriminate worms, Trojans, ransomware

Attacks on physical security, such as biometric scanners & badge readers

DARKTRACE FINDS THREATS THAT GO UNDETECTED

Darktrace has detected over 27,000 serious, in-progress threats to date that have bypassed traditional security defences.

These threats and attacks come from a multitude of vectors: everything from polymorphic malware to data manipulation to insider threat, both malicious and non-malicious.

We are seeing increasing numbers of attacks hitting networks via the non-traditional IT we spoke about earlier.

For example, we've seen attacks which exploited vulnerabilities in biometric readers, air conditioning units, physical access control systems, and even a coffee machine!

[Deliver your own threat anecdote at this point]

10

GLOBAL THREAT CASE STUDY

Compromise of Biometric Scanner

Industry: Manufacturing

Point of Entry: Fingerprint scanner

Apparent Objective: Alter biometric access keys

Attacker successfully exploited known software vulnerabilities in fingerprint scanner

Able to control information sent to and from the fingerprint scanner

Went unnoticed by traditional anti-malware solutions

Darktrace detected unusual connections to and from the biometric scanner

If undetected, malicious actors would have gained access to physical machinery

COMPROMISE OF A BIOMETRIC (FINGERPRINT) SCANNER [Threat Anecdotes and Use Cases Script number 1]

So let me give you an example:

In this case, to protect its physical assets, a manufacturing company had installed biometric fingerprint scanners to access machinery.

In this instance, the close association of physical and network resources led to a hacker successfully exploiting a fingerprint scanner.

Not only did this attacker gain access to the fingerprint records stored by the system, but they were also able to add new records in order to gain unauthorized physical access to the company premises.

Now because this abnormal activity didn't correspond to any known attack signatures, traditional anti-malware solutions failed to detect the subtle and discreet operations that caused the compromise.

But Darktrace was able to detect the attacker's movement using machine learning, because it had learnt what was normal behaviour for the scanner, and recognized that it had started behaving abnormally.

So, we were able to alert the company before any serious damage was caused.

11

GLOBAL THREAT CASE STUDY

Video Conferencing Camera Hack

Industry: Retail

Point of Entry: Video conference camera

Apparent Objective: Transmit mass amounts of data out of host network

Video conferencing camera was transmitting data outside the network

Camera had been compromised by a remote attacker

Attacker was aiming to either: steal corporate information, or take remote control of the device to launch a DDoS attack on another network

Would not have been detected through signature-based defences: the activity was not inherently malicious

DATA EXFILTRATION FROM HACKED VIDEO CONFERENCING CAMERA [Threat Anecdotes and Use Cases Script number 3]

In this example, Darktrace found a hacked IoT device that was a dangerous vulnerability on a company's network.

We detected unusual behaviour from a video conferencing camera in a company's network: it was transmitting much larger volumes of data outside the network compared to similar devices.

The camera had been compromised by a remote attacker and was sending data, possibly videos and photos, outside of the network.

It was also connecting to other computers as the attacker explored the network and attempted to locate Point of Sale devices.

Darktrace detected this threat after the device initiated a very large upload to rare external IPs, and communicated with internal computers that it never usually talked to.

A back-door Trojan had been uploaded to the device before Darktrace was installed, allowing it to be remotely accessed from outside the network.

The attacker was likely aiming to either steal corporate information, including highly invasive audio and video feed data, or take remote control of the device to launch a DDoS attack on another network.

Either of these would have been a serious security risk to the company.

Once Darktrace flagged this behaviour, the company immediately disconnected the camera, and started a detailed review of their systems.

This would not have been detected through signature-based defences, as this activity was not inherently malicious.

12
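As an added illustration (not Darktrace's code or method), the following Python sketch builds a simple per-device "pattern of life" from constructed flow records and flags the three camera behaviours this case study describes: an upload far above the device's own norm, an external destination rare across the whole fleet, and an internal peer the device never talked to. All device names, destinations and byte counts are constructed, and the statistics (a z-score and a rarity fraction) are a deliberate simplification standing in for the unsupervised models the talk refers to.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline flows: (device, destination, bytes_out). Destinations
# prefixed "ext:" are outside the network; anything else is an internal host.
BASELINE_FLOWS = [
    ("cam-1", "ext:vc-cloud", 6_000_000), ("cam-1", "ext:vc-cloud", 7_500_000),
    ("cam-1", "srv-vc", 40_000), ("cam-1", "srv-vc", 52_000),
    ("cam-2", "ext:vc-cloud", 5_800_000), ("cam-2", "ext:vc-cloud", 8_100_000),
    ("cam-2", "srv-vc", 45_000), ("cam-2", "srv-vc", 38_000),
    ("cam-3", "ext:vc-cloud", 6_400_000), ("cam-3", "ext:vc-cloud", 7_000_000),
    ("cam-3", "srv-vc", 41_000), ("cam-3", "srv-vc", 47_000),
]
# Constructed observation window: cam-1 pushes a huge upload to an external
# address no device has used, then contacts a point-of-sale host; cam-2 is normal.
OBSERVED_FLOWS = [
    ("cam-1", "ext:203.0.113.7", 900_000_000),
    ("cam-1", "pos-17", 20_000),
    ("cam-2", "ext:vc-cloud", 6_000_000),
]


def build_pattern_of_life(flows):
    """Per-device usual peers and outbound volume (external/internal separate),
    plus which devices fleet-wide ever used each external destination."""
    model = {"peers": defaultdict(set), "sizes": defaultdict(list),
             "ext_users": defaultdict(set), "fleet": set()}
    for dev, dst, nbytes in flows:
        is_ext = dst.startswith("ext:")
        model["peers"][dev].add(dst)
        model["sizes"][(dev, is_ext)].append(nbytes)
        model["fleet"].add(dev)
        if is_ext:
            model["ext_users"][dst].add(dev)
    return model


def score_flow(model, dev, dst, nbytes, z_threshold=3.0, rare_frac=0.1):
    """Reasons a single flow deviates from the learned model (empty if none)."""
    reasons, is_ext = [], dst.startswith("ext:")
    hist = model["sizes"].get((dev, is_ext), [])
    if len(hist) >= 2:  # only judge volume once the device has a baseline
        z = (nbytes - mean(hist)) / (pstdev(hist) or 1.0)
        if z > z_threshold:
            reasons.append(f"outbound volume {z:.0f} sd above this device's norm")
    if dst not in model["peers"].get(dev, set()):
        if is_ext:  # rare across the fleet, not merely new to this device
            share = len(model["ext_users"].get(dst, ())) / len(model["fleet"])
            if share < rare_frac:
                reasons.append(f"rare external destination {dst} ({share:.0%} of devices)")
        else:
            reasons.append(f"new internal peer {dst}")
    return reasons


def detect(model, flows):
    """Flows that break the pattern of life, each paired with its reasons."""
    return [(d, t, r) for d, t, n in flows if (r := score_flow(model, d, t, n))]
```

Running `detect(build_pattern_of_life(BASELINE_FLOWS), OBSERVED_FLOWS)` flags only the two cam-1 flows; note that a thin per-device history (fewer than two samples) would need a comparison against similar devices instead, which this sketch omits.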

The battlefield is now inside corporate networks

Rules and signatures dont work

No security team, no matter how large, can keep up with the new era of machine threats

Darktrace Enterprise Immune System is a fundamental new approach

30-day Proof of Value in your network

Conclusion

13

Thank You


14