RSI Security partnered with Darktrace to host a workshop on the cybersecurity applications and benefits of Darktrace’s threat hunting AI technology. Eileen opened by introducing the panelists:
- Samuel Purpose, a Senior Cybersecurity Account Executive at Darktrace, works with leading organizations across industries to deploy cutting-edge technologies.
- Tom Glazer, RSI Security’s Information Security Practice Lead, has experience in information security consulting, system auditing, and technical leadership.
Sam started his presentation by introducing Darktrace.
Founded in 2013, Darktrace initially conducted unsupervised machine learning research alongside intelligence agencies such as British intelligence and the CIA. Darktrace has since gone public, expanded rapidly, and launched several strategic partnerships.
Darktrace’s Autonomous Cyber AI Platform
Sam introduced Darktrace’s autonomous cyber AI platform as a threat mitigation tool that doesn’t simply define threats as good or bad, as most others do. Instead, it leverages symbiotic threat mitigation across three AI modules, including:
- Enterprise Immune System – Instead of relying on defined threat signatures, Darktrace seeks to understand what normal activity looks like for all users and devices across the organization—via pattern-of-life analysis—which streamlines:
- Identification of novel ransomware strains
- Faster real-time detection of threats (e.g., insider threats, phishing)
- Darktrace Antigena – Darktrace’s technology responds to threats by triggering robust real-time mitigation responses for any detected ransomware or insider threats.
- Cyber AI Analyst – Based on the experience of over 120 analysts triaging events within the Darktrace Threat Visualizer, the Cyber AI Analyst was built to:
- Reduce time to meaning and alert fatigue
- Provide actionable insight into threat events
- Streamline threat response decision-making
Sam mentioned that Darktrace is cloud-native but runs across any digital real estate, combining the Enterprise Immune System, Darktrace Antigena, and Cyber AI Analyst—all irrespective of factors such as asset type, location, or deployment.
Sam also pointed out other key benefits of the Darktrace platform, emphasizing its capability to:
- Support hybrid physical and virtual environments
- Pick up all the IoT devices on which agents are not typically deployed, including:
- Smart cameras
- Smart appliances
- Identify attack vectors across multiple asset types, including IoT devices
- Extend to industrial control systems (ICS) environments, including:
- Utility grids
- Refrigeration systems
Darktrace’s platform helps strengthen overall cybersecurity across the digital environment, maintaining business continuity even during an attack scenario.
Darktrace’s AI Platform And Your Security Ecosystem
Sam led into the next section by posing a question: How does Darktrace fit into the broader ecosystem of your cybersecurity posture? The simple answer is that Darktrace has an open API.
What that means in practice, however, is that Darktrace can:
- Natively integrate with your current solutions to secure endpoints, including:
- Microsoft 365 Suite and email applications
- Software-as-a-Service (SaaS) applications
- Endpoints such as operating systems (e.g., macOS, Windows)
- Augment existing solutions, including:
- Firewall integrations
- Security Information and Event Management (SIEM) solutions
- Prioritize information in your current systems
- Exist as a primary workflow, with integrated:
- Alerting, reporting, and ticketing for events
- Mobile applications to provide 24/7 security coverage
Darktrace enhances your threat detection integrations and improves overall security visibility.
Demo of the Darktrace Threat Visualizer
Sam conducted a demo of Darktrace’s Threat Visualizer tool to highlight the robustness of the Enterprise Immune System, Darktrace Antigena, and Cyber AI Analyst capabilities.
At the start of the demo, he emphasized that Darktrace is scalable—ranging anywhere from 200 users for smaller companies to tens of thousands of devices for multinational corporations.
Sam also pointed out that each workflow is similar, regardless of specific scale and deployment.
Key Takeaways from the Threat Visualizer Demo
The most pertinent aspects of the Darktrace Threat Visualizer demo included:
- Cubes on the map represent global Darktrace tool deployment (i.e., subnets or groups of subnets)
- Everything is heat-mapped, with brighter colors representing more anomalous activity while cooler colors represent normal activity.
- Device action and traffic can be observed across the map, with metadata including:
- Type of device
- Hostname of device
- IP of device
- Every single unique connection observed by Darktrace throughout deployment is documented, including:
- Device-to-device connections
- Device-to-server connections
- Server-to-server connections
- A threat tray contains bucketed alerts and breach logs that indicate attributes of threat events.
Darktrace’s software reduces the noise around a breach incident to isolate:
- Potential threat actor metadata (i.e., device from which the threat originates)
- Different clients and servers to which the threat actor was connected
- Real-time data of all events surrounding the threat incident, collated in an event log
Once the affected device is identified, Darktrace responds to an incident by enforcing its learned pattern-of-life to:
- Maintain business continuity by shutting down any anomalous activity from the affected device while allowing its normal activity to continue, all in real-time
- Minimize device interruption for the affected user, preventing any compromise to critical business activities
- Conduct root-cause analysis to prevent the spread of coordinated attacks, especially for email applications
In the example Sam used for the demo, a Chief Financial Officer (CFO) of a company clicked on a malicious link and downloaded ransomware, which was spread throughout the organization through the mail server. Sam summarized the threat mitigation strategy for such an incident as:
- Shutting down the threat on the network in real-time
- Conducting a root cause analysis to identify the malicious email
- Initiating appropriate action to prevent further spread of ransomware
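To make the two ideas above concrete (a per-device pattern-of-life baseline instead of signatures, and a response that blocks only the anomalous connections of the affected device rather than the whole device), here is a small added example. It is illustrative code written for this summary, not Darktrace's software or a description of its algorithms; the flow-log format, hostnames, the `new-peer`/`new-service`/`lateral-fanout` verdicts and the fan-out threshold are all assumptions constructed for the demo. The learning-period log defines "normal" for each device; the incident log replays the CFO-laptop scenario from the demo, where the laptop keeps using mail and the intranet normally while fanning out over SMB (port 445) to hosts it has never touched.

```python
# Added example: a toy "pattern-of-life" baseline with surgical, per-connection
# response. Not Darktrace code. Log format, hostnames and thresholds are
# constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: int      # seconds since start of capture
    src: str     # source device hostname
    dst: str     # destination hostname
    port: int    # destination TCP port


def parse_log(text: str) -> list:
    """Parse constructed flow records of the form 'ts src dst port'."""
    conns = []
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split()
        conns.append(Conn(int(ts), src, dst, int(port)))
    return conns


# Constructed learning-period traffic: what "normal" looks like per device.
BASELINE_LOG = """
0    cfo-laptop   mail.corp       443
5    cfo-laptop   fileshare01     445
9    cfo-laptop   intranet.corp   443
12   cfo-laptop   mail.corp       443
20   backup-srv   fileshare01     445
21   backup-srv   fileshare02     445
22   backup-srv   fileshare03     445
30   cfo-laptop   fileshare01     445
"""

# Constructed incident traffic: the CFO's laptop still does normal work but
# also fans out over SMB (445) to never-seen hosts and opens a new service.
INCIDENT_LOG = """
100  cfo-laptop   mail.corp         443
101  cfo-laptop   fileshare02       445
102  cfo-laptop   fileshare03       445
103  cfo-laptop   hr-desktop07      445
104  cfo-laptop   intranet.corp     443
105  backup-srv   fileshare02       445
106  cfo-laptop   fileshare04       445
107  cfo-laptop   ext-host.example  8443
"""


def learn_baseline(conns):
    """Map each source device to the set of (dst, port) pairs it normally uses."""
    base = defaultdict(set)
    for c in conns:
        base[c.src].add((c.dst, c.port))
    return base


def classify(base, c: Conn) -> str:
    """Score one connection against the device's own baseline."""
    pairs = base.get(c.src, set())
    if (c.dst, c.port) in pairs:
        return "normal"
    if any(port == c.port for _, port in pairs):
        return "new-peer"       # known service, never-seen destination
    return "new-service"        # a port this device has never used


def plan_response(base, conns, fanout_threshold=3, window=60):
    """Return (conn, verdict, action) per connection, oldest first.

    Baseline connections are always allowed, even from a device that is
    misbehaving on another port. A never-seen peer on a known port only
    alerts, until the device reaches `fanout_threshold` never-seen peers on
    that port within `window` seconds; from then on such connections are
    blocked as lateral movement. A never-used service is blocked outright.
    """
    decisions = []
    recent = defaultdict(list)  # (src, port) -> timestamps of anomalous hits
    for c in sorted(conns, key=lambda x: x.ts):
        verdict = classify(base, c)
        if verdict == "normal":
            decisions.append((c, verdict, "allow"))
            continue
        hits = recent[(c.src, c.port)]
        hits.append(c.ts)
        hits[:] = [t for t in hits if c.ts - t <= window]
        if len(hits) >= fanout_threshold:
            verdict, action = "lateral-fanout", "block"
        elif verdict == "new-service":
            action = "block"
        else:
            action = "alert"
        decisions.append((c, verdict, action))
    return decisions


def run_demo():
    """Learn from BASELINE_LOG, then decide each connection in INCIDENT_LOG."""
    base = learn_baseline(parse_log(BASELINE_LOG))
    return plan_response(base, parse_log(INCIDENT_LOG))


if __name__ == "__main__":
    for c, verdict, action in run_demo():
        print(f"{c.ts:>4} {c.src:<11} {c.dst:<17} {c.port:<5} {verdict:<15} {action}")
```

Running it shows the point Sam made in the demo: the laptop's mail and intranet traffic on 443 is allowed throughout, the backup server's baseline SMB traffic is untouched, and only the laptop's never-seen SMB peers (after the fan-out threshold) and its never-used 8443 service are blocked. Real deployments learn far richer features than a (destination, port) set, and a fixed threshold of three is a deliberately simple stand-in for a learned anomaly score.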
He concluded by mentioning that Darktrace has used this process to prevent multiple breaches dating back to the 2017 WannaCry attack in the United Kingdom. Sam then passed it back to Eileen, who mentioned a question from the audience about how scalable Darktrace is.
Sam responded that it is highly scalable to any size. Seeking clarification, Sam asked if the audience meant scalability to multiple devices or locations around the globe. Regardless, he mentioned that Darktrace can be scaled to any size but depends on the specific situation.
The audience member clarified, asking whether Darktrace can be scaled to multiple networks globally, and Sam responded that scaling to multiple sites or networks requires a master appliance (physical or virtual) connected to probe appliances at different sites with a connection back to the master. For larger deployments, a unified viewer with multiple masters can work.
Quick Poll Question for the Audience
Before transitioning to the next speaker, Eileen opened the floor to a poll:
What do you think your organization’s biggest cybersecurity program challenge is?
- Strategy, planning, and accountability
- Employee security awareness and training
- Budget, tools, and technology
- A combination of two or more of the above
The majority of respondents chose the last option, indicating their challenges comprise some combination of strategy, awareness, and resource allocation.
RSI Security’s Partnership with Darktrace
Eileen passed it off to Tom to talk about RSI Security’s work with Darktrace, security challenges observed with clients, and how Darktrace fits into a robust cybersecurity program.
Tom started by agreeing with Sam and emphasizing that his 20 years of information security experience have taught him the benefits of working with the best tools and people. Because RSI Security is vendor-agnostic, as a consultant he must choose the tools that best support and meet clients’ needs. Tom mentioned that he is glad RSI leadership supports end-to-end solutions customized to fit clients’ needs.
Tom also mentioned that chasing after threat signatures isn’t feasible—one has to always think of worst-case scenarios, especially as an auditor. In a breach scenario, organization leadership must deal with a confidence crisis, respond quickly, and address stakeholder concerns.
There is a need to accurately define:
- Security normalcy
- What happened during the threat incident
- Mitigating steps to address the confidence crisis
With Darktrace, you can:
- Understand what the normal state is
- Define the anomalous behavior
- Respond to stakeholders (e.g., customers, leadership)
Tom concluded by emphasizing the need to find the best tools and people to best address existing threats.
Questions from the Audience
Next, Eileen opened up the Q&A session, centering the following questions from the audience and the discussion they sparked:
Are you a SOC? Are you showing us what you see in your building? Is that a demo of your endpoint isolation capabilities?
Sam mentioned that Darktrace is not a security operations center (SOC). Darktrace has a service layer on top of the platform deployment—which can have a SOC layer and assist with high-fidelity threat mitigation and reporting—but is not positioned as a SOC proper.
Sam asked for clarification on whether “seeing what’s in your building” meant internal traffic between employees. Assuming this is what the question meant, he mentioned that they see all the traffic and connections between users, devices, and servers.
He added that Darktrace can isolate endpoints (such as in ransomware), but the autonomous response technology is activated immediately and is an agentless approach. Sam emphasized that it’s not always about quarantining threats. Threat mitigation requires surgical port-to-port isolation, not blanket isolation.
How much time and staff are required to maintain the Darktrace AI?
Sam explained that it depends on the needs of specific teams. For example, in some organizations, Darktrace is one of 30 tools and requires the presence of three dedicated analysts.
Other organizations have smaller IT teams (e.g., a Director of IT and a sysadmin), which requires less time or staff resources.
Is Darktrace a downloadable app with a trial period for those that are studying?
Sam responded that trials do not apply to individual study purposes and referred to the Darktrace Proof of Value. Organizations can download Darktrace from the AWS store. Darktrace also offers free trials for organizations but not individuals.
How does Darktrace interface with other tools (e.g., AlienVault, Jira, Eset, WAFs)?
Sam mentioned that it depends on specific situations, such as the type of workflow. While Darktrace offers native integrations with some tools, the success of integration depends on:
- Open APIs that can integrate with Darktrace
- Accommodating Darktrace into your integrated workflow
What is the required training to capacitate the information security specialist on Darktrace?
Sam first asked if the question referred to how long it would take to train an individual on Darktrace if an organization adopted the platform. If so, he mentioned that the process involves:
- A complimentary 30-day Proof of Value, where organizations can deploy Darktrace into either an entire network or a portion of the network
- Darktrace holding three comprehensive training sessions with the organization
By the end of the Proof of Value sessions, the company usually has a better understanding of Darktrace.
Beyond the Proof of Value sessions, Darktrace offers further training in the customer portal on a case-by-case basis, including private training and certification.
Tom added that Darktrace provides valuable support to help customers use the threat mitigation tool. Sam also added that ongoing relationships with clients, especially new ones, help the clients obtain a more useful experience.
Is Darktrace an enterprise-level cybersecurity tool, and does it come with enterprise pricing or packages for small businesses or individuals?
Adding to this question, Eileen also asked if Sam could provide additional information about Darktrace not catering to individuals.
Sam reiterated that Darktrace is scalable and best-suited for companies as small as 50 employees to those managing tens of thousands of employees. He added that there are no tiers to the packages. Although Darktrace deployment varies across companies, functionality is the same.
Pricing is tiered based on organization size, with a package costing less per IP if there are more individuals for the deployment. Darktrace also has for-purpose models for the needs of non-profit organizations and schools.
Does Darktrace have built-in reports for compliance such as PCI DSS, HIPAA, ISO?
Sam emphasized that Darktrace is primarily a security tool—compliance is not a primary focus.
He mentioned that, for the latter, organizations should defer to RSI Security, which focuses on addressing compliance issues. However, Darktrace can help map security requirements to compliance frameworks (e.g., NIST, CMMC, and similar frameworks).
Tom added that the capabilities and diagnostics of Darktrace can and do help to satisfy some compliance requirements. He also emphasized the usefulness of Darktrace in critical worst-case scenarios involving cybersecurity threats.
At the end of the Q&A session, Eileen thanked everyone for attending and closed the webinar.
Optimize Your Threat Assessment and Mitigation
RSI Security partners with companies such as Darktrace to help organizations optimize threat and vulnerability management. Our team of experts will advise on tools to optimize your security posture, such as compliance best practices and threat mitigation.
To rethink your security posture and prevent cyber threats, contact RSI Security today.