WASHINGTON, D.C.—It was impossible to escape the feeling, as I joined the folks from DarkTrace for lunch at the Blue Duck Tavern here in Washington, D.C., that I was seated next to George Smiley, author John le Carré’s legendary spymaster.
While Andrew France, formerly of the UK’s Government Communications Headquarters (GCHQ), doesn’t claim to be a spymaster, he was awarded the Order of the British Empire for his work with British Intelligence and the Ministry of Defence in 2005.
We discussed some of the IT security challenges that I’ve written about many times and that he’s confronted on a daily basis for decades. Security, he pointed out, is an impossible task. The Bad Guys keep trying to break into networks by outguessing your antivirus, anti-malware and intrusion detection systems.
The problem, however, is that warding off all network intrusion attempts requires you to correctly out-guess every would-be intruder, every time. The intruder only needs to be right once.
And that fact underscores the difficulty of enterprise security. It’s made worse because it’s not just the Bad Guys who threaten your networks. It’s also the Good Guys: whether it’s employees who write their passwords on Post-It notes stuck to monitors or the person who downloads credit card info to his iPad, insiders are often the biggest threat to an organization.
These factors don’t even take into account the insiders who steal data for their own nefarious purposes, whether it’s to sell it to criminals or to feather their nest at the next job.
Also sitting next to me was another person with many years’ experience in IT security. Jasper Graham, who left the National Security Agency to join DarkTrace, spent his working life tracking how the Bad Guys penetrate networks. Now he’s using that knowledge to help create a new approach to protecting your organization’s data—an enterprise immune system.
The idea of an immune system for the enterprise is something new. Since you can’t keep out every hacker, every piece of malware, every insider looking to make a buck or every member of the Chinese Army trying to steal trade secrets, how about if you simply kept them from getting information if they manage to penetrate your network defenses?
That’s the idea behind DarkTrace. The company’s security appliance works by developing a mathematical model of the complete enterprise network and then monitoring that model for changes.
As time goes on, the appliance fills in the details about the enterprise and in the process develops an enterprise immune system. But when it sees significant changes, the system sends out an alert to the security staff so they can check it out.
UK Security Firm Builds Network Immune Systems to Prevent Data Loss
The difference between the Enterprise Immune System and intrusion detection systems is that it doesn’t flood the security staff with thousands of false positives, which is what you find with most intrusion detection and prevention systems. Instead, it simply watches the events as they happen and only flags those that are not part of the normal operation of the network.
One example of how this works happened with a major power generation facility in the UK. This facility is under constant attack from outside sources apparently seeking to gain intellectual property about the company’s biomass power systems. While the installation already had the full set of security solutions implemented, the value of the biomass project is such that finding out about a leak after the fact was problematic.
The company installed the DarkTrace appliance on a trial basis, and almost immediately found a flood of DNS traffic exiting the network, aimed at a foreign server. Because the server sending out the DNS packets had no reason to be doing such a thing, the security staff knew that someone was embedding the critical data in those packets.
The server was shut down immediately so that the data leak could be remediated. As France noted to me, the problem wasn’t to analyze the source of the attack, but rather to keep the data from being taken.
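The DNS anomaly in the power-plant anecdote, reduced to its detection logic as an added example (this is not DarkTrace’s code): learn each host’s normal query rate and destination domains over a quiet window, then flag any host whose rate, destinations or share of never-repeating query names departs from that baseline. The log format, hostnames and thresholds are constructed for illustration.

```python
"""Added example: baseline-then-deviate check over DNS query logs (constructed data, not DarkTrace code)."""
from collections import Counter, defaultdict

RATE_FACTOR, UNIQUE_RATIO, MIN_QUERIES = 3.0, 0.9, 5  # thresholds, chosen for this sample
# Hypothetical line format "<minute> <host> <queried name>"; 4 minutes of normal traffic ...
BASELINE_LOG = """\
0 web01 cdn.example.com
1 web01 api.example.com
3 web01 cdn.example.com
0 db01 ntp.example.com
2 db01 ntp.example.com
""".splitlines()
# ... then 2 minutes in which db01 suddenly emits a stream of never-repeating names
WATCH_LOG = """\
1 web01 cdn.example.com
0 db01 a9f3c1.tx.sink.example.net
0 db01 b72e0d.tx.sink.example.net
0 db01 19cc4a.tx.sink.example.net
1 db01 e0d1b5.tx.sink.example.net
1 db01 77ab2f.tx.sink.example.net
1 db01 c3d9e8.tx.sink.example.net
""".splitlines()

def profile(lines, minutes):
    """Per host: (queries/minute, count, share of distinct names, domains contacted)."""
    n, names, doms = Counter(), defaultdict(set), defaultdict(set)
    for line in lines:
        _, host, qname = line.split()
        n[host] += 1
        names[host].add(qname)
        doms[host].add(".".join(qname.split(".")[-2:]))  # naive registered domain
    return {h: (n[h] / minutes, n[h], len(names[h]) / n[h], doms[h]) for h in n}

def detect(base_lines, base_minutes, watch_lines, watch_minutes):
    """Return {host: [reasons]} for hosts whose DNS behaviour departs from baseline."""
    base = profile(base_lines, base_minutes)
    alerts = {}
    for host, (rate, n, unique, doms) in profile(watch_lines, watch_minutes).items():
        b_rate, _, _, b_doms = base.get(host, (0.0, 0, 0.0, set()))  # unseen host: rate 0
        ratio = rate / b_rate if b_rate else float("inf")
        reasons = []
        if ratio >= RATE_FACTOR:
            reasons.append(f"query rate {ratio:.1f}x baseline")
        if doms - b_doms:
            reasons.append("new domain(s): " + ", ".join(sorted(doms - b_doms)))
        if n >= MIN_QUERIES and unique >= UNIQUE_RATIO:
            reasons.append(f"{unique:.0%} of queried names never repeat")
        if reasons:
            alerts[host] = reasons
    return alerts
```

Run against the sample, only db01 is reported, for all three reasons; web01’s normal browsing stays quiet, which is the low-false-positive behaviour the article attributes to baselining rather than signature matching.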
France pointed out that the DarkTrace approach doesn’t rule out continuing to run existing security applications; rather, it is aimed at finding intrusions that somehow make it past those existing measures. Then what matters is that the leak be found and stopped. Later, the anti-intrusion products can catch up and eliminate whatever was getting into the network.
Because the Enterprise Immune System looks for abnormal activity, regardless of the source, it picks up activity that other types of security miss. What’s better is that it is able to adapt to a changing network. As France explained, if someone transfers to a new work location or gets new roles within the organization, the immune system will flag the change and the IT staff can then confirm that the change in activity is OK.
But it also means that when Fred in Sales decides to go to work for your competitor and sends the complete customer list to his new company, you’ll find out as soon as he starts trying to transfer the data and you’ll be able to put a stop to it.
Ultimately, stopping data loss is the real goal. What matters to your company is not losing the critical information it needs to stay in business. You can update the security software and hardware later, after your critical information is secure.