
Darktrace Cybersecurity Solutions

Sector, Company Type, and Location: Pharmaceutical | Manufacturing | Healthcare | Retail | Utilities | Education | Media | Financial Services | Legal Services | Government | Defence | Transportation | Energy | Nonprofit | Technology | Vendor | Europe | Asia | South Africa | United Arab Emirates | UK | North America | Africa
Tags & Search Filters: XDR | MDR | Endpoint protection | Endpoint management | Next-Generation Anti Virus

Darktrace was founded in 2013 and has its headquarters in Cambridge, United Kingdom. They currently support over 5,500 customers and offices in more than 110 countries, specializing in providing complex machine learning and AI solutions. Their solutions include Autonomous Response, Intelligence Augmentation and Self-learning AI. In 2017 and 2019 Darktrace’s software engineering team received the MacRobert Award for prestigious innovation from the Royal Academy of Engineering. The company has also received "AI Cyber Product of the Year" at the National Cyber Awards 2021. Darktrace Immune System won in the Threat Detection category at the Fortress Cyber Security Awards 2021 and "Best Enterprise Security Solution (Cyber AI Analyst)" at the SC Awards 2021.

Summary

Darktrace Cybersecurity Solutions: Comparisons, Review, Benefits, Use Cases, Pros & Cons

Author: Netify Research Team

If you have questions about Darktrace and how their capability is aligned to your needs, email the Netify research team. UK: uk@netify.co.uk North America: northamerica@netify.com 

(Please use the UK email for ROW - Rest of the World - questions or enquiries)


Review

Netify Review

Darktrace specialize in advanced machine learning and AI solutions that are designed to complement an existing comprehensive cybersecurity perimeter. Their Self-Learning technology is predicted to offer a high return on investment, due to its ability to become increasingly efficient with each threat exposure. However, although based on machine learning and AI, the solution is not a complete replacement for clients' security teams - instead, it complements existing IT teams. As such, this solution should be utilized by enterprises in industries that face a high threat level of sophisticated cyberattacks or regular and frequent “en masse” attacks.


Pros & Cons

What are the pros and cons of Darktrace Cybersecurity?

List of the pros and cons associated with Darktrace Cybersecurity.

Pros

  • Offers rapid and automated threat mitigation when network breaches occur, freeing up security teams to deal with higher profile cyberattacks that require a human response. 
  • Interrupts cyberattacks to ensure that business operations remain unaffected.
  • In November 2021 Darktrace announced its first in-development offensive capability, “Prevent”, expanding their portfolio to include proactive security AI.

Cons

  • Currently Darktrace’s offering only provides a reactive solution to in-progress cyberattacks. 
  • Standalone product that should complement an existing cybersecurity perimeter, to negate the impact of sophisticated attacks that breach the network.
  • User reviews of Darktrace’s Enterprise Immune System note some issues such as high price point, lack of detail and reporting as well as some “false positive” threats.

Comparison

Comparison: Darktrace vs ExtraHop vs FireEye Cybersecurity

Consider the points below to compare Darktrace vs ExtraHop vs FireEye Cybersecurity.

Darktrace

  • Darktrace Autonomous Response contains security threats automatically using Self-Learning AI.
  • Strong focus on developing new technologies such as AI and machine learning. 
  • Leverages global SOCs.

ExtraHop

  • Offers MDR and XDR services for early detection of security threats. 
  • Offers machine learning for efficient network analysis. 
  • Leverages global SOCs. 

FireEye

  • Offers MDR and XDR for defence against cybersecurity threats, leveraging security experts. 
  • Offers machine learning and AI for network security. 
  • Offers security services to complement existing SOCs. 


Products & Services

What are Darktrace's Solutions?

  • Cyber AI Analyst: AI investigation technology that can autonomously investigate threats to operational technologies, SaaS and cloud. 
  • Darktrace Antigena: A range of products powered by Darktrace’s Autonomous Response solution, designed to take action against cyber threats in applications, the cloud, email, the corporate network and endpoints. Works with network providers such as Check Point, Cisco, Palo Alto and Fortinet. Also compatible with cloud providers such as Google Cloud, Azure and AWS. Works with SaaS applications such as Zoom, Microsoft 365, Microsoft Outlook, Teams and SharePoint, and endpoints such as Apple iOS, Windows and Linux. Compatible email environments include Exchange, Microsoft 365 and Google Workspace.
  • Enterprise Immune System: Locates randomly occurring cyber-threats by learning normal device behavior. Visibility is maintained across the dynamic workforce, from endpoints, the corporate network and the cloud. The solution leverages Self-Learning AI. 
  • Industrial Immune System: Designed for complex cyber-physical ecosystems, the Industrial Immune System detects vulnerabilities and threats whilst providing protection from attacks.
  • Darktrace Inoculation: Detects and responds to cyber-threats in real-time (includes zero-days and stealth attacks) powered by unsupervised machine learning. Designed to predict cyber-attacks before they hit a client’s systems and infrastructure and includes Global Threat Notifications and Industry Trend Reports.

Self-Learning AI

Darktrace Self-Learning AI

Darktrace is best known for their AI technologies. Self-Learning AI was developed in Cambridge in 2013 and powers a majority of Darktrace’s solutions. The technology can be applied to any business system (such as email or in the cloud), removing the need for data migration. It works by creating a deep understanding of all business environments. The more complex the environment, the better, as data collected from a variety of users, devices and environments can be used to create a deeper understanding. Self-Learning AI is also able to implement autonomous response, with the ability to react to and interrupt cyber attacks in less than a minute. In some instances, the technology is capable of reacting to threats without the need for human intervention.

Autonomous Response

What Autonomous Solution is Supported by Darktrace?

Darktrace Autonomous Response is powered by Self-Learning AI. The solution is designed to automatically know what action to take in the event of an attack in order to contain it. A variety of environments can be secured, including cloud, SaaS, email and the corporate network. 

Darktrace Self-Learning AI powers Autonomous Response by constantly updating its knowledge of a company’s digital infrastructure to improve response precision, enforcing ‘pattern of life’ on infected devices/entities. The solution includes a variety of anti-ransomware technologies:

  • Email: Darktrace is able to contain emails, lock malicious links and convert or strip attachments, using the least aggressive action possible to avoid disrupting the business. 
  • Lateral Movement: Lateral Movement and even ‘living off the land’ techniques are blocked by Darktrace. The solution detects chains of subtle anomalies such as possible SMB/RDP sessions and network scans. This prevents attacks from progressing by blocking connections. 
  • Establish Foothold and Beaconing (C2): Darktrace is able to detect anomalous connections and suspicious file downloads in order to prevent attackers attempting remote control. It does this by implementing ‘pattern of life’ and blocking specific connections.
  • Data Encryption: Encryption is stopped without impacting normal business operations using Autonomous Response. 
  • Data Exfiltration: Autonomous Response stops attacks such as double extortion ransomware from exfiltrating sensitive data by blocking any unusual data transfers which fall outside a device’s ‘pattern of life’.

Intelligence Augmentation

What Intelligence Augmentation Solution is Supported by Darktrace?

Darktrace Intelligence Augmentation is designed to complement a human IT security team by investigating facets of attacks. The technology mimics human intuition by combining multiple information sources in order to prioritize workloads whilst carrying out threat investigations in real-time. The solution was developed over three years by studying the way security analysts react to output from Darktrace’s Self-Learning AI, in order to understand how security experts follow leads and create hypotheses. 

Darktrace Intelligence Augmentation sits on top of Self-Learning AI and provides a second layer of AI leveraging supervised machine learning to assess the output of the findings. These findings can be presented in any language as required using Natural Language Processing to summarize key information which reduces time to meaning and time to response. 

AI Process of Investigation:

1). A lead is generated - this could be a single alert or event. 

2). The lead kickstarts the investigation and the AI generates hypotheses to understand the nature of the possible threat and underlying cause. 

3). Data is queried in an attempt to refine, confirm or deny the hypotheses using custom algorithms. 

4). The process repeats until as in-depth and accurate a description as possible is generated of the nature and root cause of the incident.

Funding

Funding Rounds

  • 2015: $40.5M
  • 2016: $65M
  • 2017: $75M
  • 2018: $50M

Cloud Security

How Does Darktrace Deliver Cloud Security?

Darktrace for Cloud is Darktrace’s cloud security solution. Leveraging Self-Learning AI for hybrid and multi-cloud environments, the technology is compatible with Azure, AWS and Google Cloud providers. The solution learns ‘patterns of life’ for users, devices, instances and containers from the start, which allows it to respond efficiently to random and unknown cyber attacks. 

The solution is agnostic to different data forms and continuously revises its understanding of normal behaviors across multiple cloud workloads in real-time. Response times are quick, offering efficient targeted action whilst leveraging the Darktrace Immune System for protection across all business environments (cloud, email, SaaS, endpoints, the corporate network, OT and IoT). An example of how this is deployed in Cloud Security is that AI can match up suspicious activity on a user’s Office 365 account with a linked AWS login - Darktrace will understand that an account takeover has occurred and begin automatically remedying the situation.

Darktrace is commonly used to detect:

  • Anomalous device connections
  • Anomalous user access
  • Unusual resource deletion, modification and movement 
  • Unusual permission changes
  • Anomalous activity around compliance-related data or devices
  • Brute force attempts
  • Unusual login source or time 
  • Unusual user behavior (such as rule changes or password resets)
  • Malicious insiders (sensitive file access, resource modification, role changes and adding or deleting users)

Cloud Access

  • Amazon Web Services: 30
  • Microsoft Azure: 35
  • Google Cloud: 35

Remote Users

How Does Darktrace Support Remote Users?

Darktrace supports remote users with their Cyber AI solution. Powered by Self-Learning AI, the technology makes use of triage services and Autonomous Response to continuously update whilst on the job, offering 100% visibility across cloud, email and the corporate network. The solution is able to spot compromised credentials in applications such as Salesforce, Microsoft 365, Box, Google Workspace and more. A number of threats can be prevented using Darktrace, such as data loss (when a user steals, manipulates or leaks critical data), email attacks (spear phishing, social engineering and novel strains of ransomware) and admin abuse (sensitive file access or data destruction).

Managed, co-managed & DIY services

What is the Darktrace Managed, Co-managed and DIY Services Solution?

Darktrace solely offer managed services, offering two different service types both run by Darktrace’s Cyber Analysts and Darktrace Certified Partners. Suitability for each service is chosen based on company size and fit. Further, clients can become part of the ‘Darktrace Community’. This allows them to access intelligence and support from the Cyber Analyst Team. 

24/7 Proactive Threat Notification: 

Leverages Security Operations Centers (SOCs) in Cambridge, San Francisco and Singapore, run by Darktrace Cyber Analysts to offer information to help clients take action as threats occur. This provides constant coverage of significant incidents identified within the client’s ecosystem as flagged by whatever Darktrace solution is deployed. If an attack is detected, it is labeled as a Proactive Threat Notification (PTN) which ensures that all high-fidelity incidents (warning signs that an attack is currently in progress) are forwarded to a Darktrace SOC. This service is updated constantly to ensure that all high-priority breaches are detected with accuracy and speed. PTN alerts will be triaged if they are deemed to be highly indicative of attack - the decision to triage a PTN is made by a Darktrace Global Cyber Analyst, or, for more complex cases, a senior Level 3 analyst will be required to assess and understand whether the client’s organization is under an immediate attack. If an attack is detected during triage, the client’s team will need to be contacted immediately and offered information on how best to remedy the situation. All fully triaged alerts will be encrypted using a shared key which is emailed to a named distribution list within the client’s organization. Automated telephone calls and/or SMS messages may also be received should a PTN email alert be issued.

24/7 Ask the Expert:

24/7 Ask the Expert (ATE) can be accessed from the Darktrace Threat Visualizer and the Customer Portal. The feature allows clients to send queries direct to a Darktrace Cyber Analyst for expert advice during a real-time threat investigation. Accessible via the Threat Visualizer, clients can drag and drop graphics and traffic flow data into queries. From here, answers to queries are accessible via Help -> View Questions in the drop-down menu, allowing client security teams to collaborate with Darktrace Analysts.

Clients can create an unlimited number of queries via ATE. Sometimes queries will be redirected to internal training or technical operations teams if the query is less analytical and more about software functionality. Although ATE is not a direct chat feature, clients will receive priority access to the SOC if they are facing a real-time attack. The services can be constantly accessed by a standard Call Home connection from a master appliance to the Darktrace Management Center in Cambridge, UK.

Artificial Intelligence

AI Use Cases

  • AI for Network Security: 75%
  • AI for Endpoint Security: 68%
  • AI for Data Security: 71%

Portal

What Reporting and Management is Available Via the Darktrace Portal?

Clients can benefit from Darktrace’s Customer Portal, which is an online platform offering clients information about their security environments and allowing them to access product updates and resources from Darktrace security teams. The Portal also includes expert commentary from the Darktrace team of Cyber Analysts, which highlights threat trends, case studies and product functionality from the Darktrace community. In the Customer Portal, clients can configure SOC contacts and messaging delivery methods and raise software and hardware support questions and feature requests. Further, user guides, educational videos and FAQs are available and can be accessed within the Portal.

Years Active

Number of Years Active

  • Darktrace: 9
  • ExtraHop: 15
  • FireEye: 19

Deployments

Deployment Region

  • North America: 64%
  • Europe, Middle East and Africa: 56%
  • Asia/Pacific: 32%
  • Latin America: 10%

Proposition Focus

  • Features: 3.9
  • SASE/Security: 3.9
  • Cloud: 2.5
  • SD WAN: 2

Industries

Industry Coverage

  • Finance: 34%
  • Services: 19%
  • Manufacturing: 18%
  • Other: 9%
  • Healthcare: 8%

Focus

Other Focus

  • Remote users: 6
  • Machine Learning: 6
  • AI: 8
  • Cloud Security: 8

Geographic

Geographic Focus

  • EMEA: 30
  • APAC: 25
  • Americas: 45
