Sean Pea, Head of Threat Analysis, Asia Pacific, Darktrace, joined the company in 2017 after serving at DSO National Laboratories, where he worked as a computer security researcher. Darktrace is the world’s leading cyber AI company and the creator of Autonomous Response technology. Its self-learning AI is modeled on the human immune system and used by over 3,000 organizations to protect against threats to the cloud, email, IoT, networks and industrial systems. This includes insider threat, industrial espionage, IoT compromises, zero-day malware, data loss, supply chain risk and long-term infrastructure vulnerabilities.
The company has over 1,000 employees, 40 offices and its headquarters are in San Francisco and Cambridge, UK. Every 3 seconds, Darktrace AI fights back against a cyber-threat, preventing it from causing damage.
Please tell us about the cybersecurity practices Darktrace follows.
As a leading cyber AI company, Darktrace naturally takes cyber defense and Information Security (IS) practices seriously. There are stringent policies put into place, along with rigorous employee training programs and regular internal security audits to ensure compliance with these policies.
In terms of certification, Darktrace is ISO 27001 certified and maintains the UK’s Cyber Essentials certification. The ISO 27001 certification is one of the most well-known and significant IS accreditations and is globally respected. In order to achieve and retain it, we are audited by an independent third-party against the standard. In our case, this is by BSI (who themselves have an accreditation saying they are competent to do so, from both the UK and US awarding bodies). The audits take multiple on-site days per year, and this level of inspection is why the certification is such a strong statement of our own IS management.
Do you think the current cybersecurity practices would be relevant in the next two years?
Globally, the average cost of a data breach is US$3.92 million in 2019, with the average time taken to identify and contain a breach standing at 279 days – and these figures continue to rise year-on-year.
Beyond simple data theft, recent data breaches have managed to influence our trust in public institutions, and even our energy grids face the threat of cyber-attack. This troubling state of affairs is the product of several fundamental weaknesses with the traditional approach to cyber defense, which relies on rules and signatures to detect threats of the past, at a time when criminals launch never-before-seen attacks on a daily basis. Moreover, modern strains of malware strike at machine speed, meaning that even when legacy security tools do successfully catch a threat, organizations often cannot respond on time. Cybersecurity is quickly becoming an arms race – machines fighting machines on the battleground of corporate networks.
If we continue to rely on legacy cybersecurity practices to defend against modern threats, the reality is that these practices would not be relevant in the next two years. The advanced attacker will always find his way in, and you can’t rely on yesterday’s attack to predict tomorrow’s threat.
Be it today or two years from now, defense strategies must prepare for the threat that gets in – or the insider turned bad. And crucially, they must constantly keep up with the attackers’ changing tactics. Artificial intelligence (AI) is now the fundamental ally to corporations and governments in the fight against the threats that no one can predict – the threat that gets through perimeter defenses, and the threat that is already inside.
When it comes to cloud security, what are the major challenges organizations face?
As the market increasingly moves to the next wave of computing models, over 90 percent of organizations are expected to adopt hybrid infrastructures by 2020. This move to the cloud brings undeniable benefits for most organizations – from start-ups looking for minimal up-front costs to large organizations striving to boost efficiency, scale-on-demand, and to benefit from constant availability of services and increased agility.
Alongside this growth, the challenge of securing critical data in the cloud has taken on a new dimension. Organizations are adopting cloud infrastructures that expand and evolve as needed, but configuring firewalls and other endpoint protections to remain properly positioned can be a daunting challenge. These conventional security tools are designed to defend the digital perimeter—an antiquated strategy given today’s borderless networks.
Internal servers are so commonly affected by malware infections or insider threats that there exists a common misconception that the data stored within the cloud is somehow more secure than the data resting on company file servers. However, this is not necessarily the case – the information stored on cloud infrastructure may be just as unsafe as any other corporate data store.
Moreover, modern developers now have the ability to spin up a cloud instance in minutes, often without having to consult their firm’s security team. As a consequence, the overwhelming majority of organizations lack visibility over their own cloud environments.
Much of this risk comes from the misconception of the network position of cloud servers themselves. Although rented out for use by the company and used every day as part of fundamental business purposes, connections to cloud servers cross the perimeter of the network and traverse the public internet. This means that data uploaded to and from the cloud – if unencrypted – is a prime target for man-in-the-middle attacks, carried out by opportunistic actors hoping to sniff usernames, passwords, and other sensitive details that they could then leverage for direct corporate data theft.
The reality is that while organizations can outsource their IT services, they cannot outsource their security function altogether. In fact, protecting the cloud comes with its own challenges, with most of the existing native security controls and third-party security solutions suffering from significant limitations.
What are the questions organizations need to ask while selecting a cloud security service provider?
The questions to ask are:
- How compatible is the solution across different cloud platforms?
Organizations are adopting cloud infrastructures that expand and evolve as needed, and if their existing cloud provider is not able to service their needs, these organizations will look to move their data and information to another provider. In fact, many organizations rely on several cloud providers at once, so effective security solutions must be able to work equally across these multi-cloud environments.
- Is it cloud-native or does it require a physical appliance to be installed on-premise?
More and more organizations are looking to move to the cloud, either as part of a hybrid deployment or fully to the cloud. With this increased agility, organizations will need to consider if the cloud security service provider is able to fully work in the cloud, or would require a physical appliance to be installed on-premise.
For organizations looking to fully move to the cloud, however, the latter option will pose a challenge, since the solution is not fully compatible with a full cloud deployment.
- Does the security tool rely on logs or on raw network traffic?
The reality is that security tools that use log-based analytics are rarely robust and unified enough to provide sufficient coverage – both because they continue to encourage a ‘stove-pipe’ approach to security, and because they rely on rules, signatures, or prior assumptions and therefore fail to detect novel threats and subtle insiders before they have time to escalate into a crisis.
- Will the organization have complete visibility over their cloud environment?
Human error on the customer end is inevitable. Today’s threat-actors are increasingly gaining access to cloud services through the front door, necessitating a fundamentally different security approach that can detect when credentialed users behave — even ever so slightly — out of character.
Too often, subtle anomalies are obscured by the cloud or lost in the noise of the network. Traditional security tools tend to have limited visibility of cloud activity, and even then, they only look for known threats. This points to the critical need for an AI solution capable of identifying never-seen-before threats across cloud environments.
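The "credentialed user behaving out of character" detection that this answer calls for, shown as a constructed example added here (this is not Darktrace's code or product logic). It learns a per-user baseline from a short window of cloud audit events (source country, hours of activity, API actions used) and scores later events by how far they deviate from that user's own history, so that a valid login used from an unfamiliar place, at an unusual hour, to perform a never-before-seen action stands out even though no signature matches it. The audit log lines, field names and usernames are all constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed baseline window in JSON-lines form. The field names
# (user, time, src_country, action) are assumptions for this example,
# not any cloud provider's real audit schema.
SAMPLE_LOG = """
{"user": "alice", "time": "2019-06-03T09:12:00Z", "src_country": "SG", "action": "ListBuckets"}
{"user": "alice", "time": "2019-06-03T10:40:00Z", "src_country": "SG", "action": "GetObject"}
{"user": "alice", "time": "2019-06-04T09:05:00Z", "src_country": "SG", "action": "GetObject"}
{"user": "alice", "time": "2019-06-05T14:30:00Z", "src_country": "SG", "action": "PutObject"}
{"user": "bob",   "time": "2019-06-03T08:50:00Z", "src_country": "SG", "action": "DescribeInstances"}
{"user": "bob",   "time": "2019-06-04T09:20:00Z", "src_country": "SG", "action": "DescribeInstances"}
{"user": "bob",   "time": "2019-06-05T17:45:00Z", "src_country": "SG", "action": "StartInstances"}
"""

# Constructed events arriving after the baseline window. Same valid credentials,
# but alice's second session comes from an unfamiliar country ("XX" is a
# placeholder code), at 03:00, and performs an action she has never used.
NEW_EVENTS = """
{"user": "alice", "time": "2019-06-10T09:30:00Z", "src_country": "SG", "action": "GetObject"}
{"user": "alice", "time": "2019-06-11T03:02:00Z", "src_country": "XX", "action": "CreateAccessKey"}
{"user": "bob",   "time": "2019-06-11T09:15:00Z", "src_country": "SG", "action": "StartInstances"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with an aware UTC datetime in 'time'."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["time"] = datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return events


def build_baseline(events):
    """Per-user profile of what 'normal' looked like during the learning window."""
    profile = defaultdict(lambda: {"countries": set(), "hours": set(), "actions": set()})
    for e in events:
        p = profile[e["user"]]
        p["countries"].add(e["src_country"])
        p["hours"].add(e["time"].hour)
        p["actions"].add(e["action"])
    return dict(profile)


def _hour_distance(a, b):
    """Distance between two hours of day, wrapping around midnight."""
    d = abs(a - b)
    return min(d, 24 - d)


def score_event(event, profile, hour_slack=2):
    """Return (score, reasons). Each deviation from the user's own baseline adds weight."""
    p = profile.get(event["user"])
    if p is None:
        return 3, ["user has no baseline"]  # identity never seen in the learning window
    score, reasons = 0, []
    if event["src_country"] not in p["countries"]:
        score += 2
        reasons.append(f"new source country {event['src_country']}")
    hour = event["time"].hour
    if not any(_hour_distance(hour, h) <= hour_slack for h in p["hours"]):
        score += 1
        reasons.append(f"activity at hour {hour:02d} outside learned window")
    if event["action"] not in p["actions"]:
        score += 2
        reasons.append(f"first use of action {event['action']}")
    return score, reasons


def detect(baseline_text, new_text, threshold=3):
    """Learn from the baseline window, then return alerts for deviant new events."""
    profile = build_baseline(parse_events(baseline_text))
    alerts = []
    for e in parse_events(new_text):
        score, reasons = score_event(e, profile)
        if score >= threshold:
            alerts.append({"user": e["user"], "time": e["time"].isoformat(),
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, NEW_EVENTS):
        print(alert)
```

Run as-is, the block raises a single alert: alice's 03:02 session from "XX" performing CreateAccessKey scores 5 (new country, off-hours, novel action), while her routine GetObject and bob's StartInstances score 0 because each matches that user's own history. The point the interview makes is visible in the design: no rule names CreateAccessKey as bad, and a signature list would have nothing to match; the event is flagged only because it departs from how that identity normally behaves.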
What are the key elements in managing and automating security across multiple clouds and applications?
There is no silver bullet when it comes to cyber defense — and that goes double for the cloud. Motivated attackers will inevitably find a way inside the nebulous perimeters of IaaS, PaaS and SaaS environments, whether via insider knowledge, critical misconfigurations, personalized phishing emails, or mechanisms that have yet to be seen. The path forward, then, is to use AI to understand how users behave within those perimeter walls, an understanding that shines a light on the subtle behavioral shifts indicative of a threat.
In order to reduce risk and identify atypical or suspicious behavior, full visibility of all cloud services is critical, as the usage of cloud services can create dangerous blind spots and makes it harder to spot subtle threats that circumvent traditional signature-based tools.
This interview first appeared in the July 2019 issue of CISO MAG.