UK Security Firm Builds Network Immune Systems to Prevent Data Loss
The difference between the Enterprise Immune System and intrusion detection systems is that it doesn't flood the security staff with thousands of false positives, which is what you find with most intrusion detection and prevention systems. Instead, it simply watches the events as they happen and only flags those that are not part of the normal operation of the network. One example of how this works happened with a major power generation facility in the UK. This facility is under constant attack from outside sources apparently seeking to gain intellectual property about the company's biomass power systems. While the installation already had the full set of security solutions implemented, the value of the biomass project is such that finding out about a leak after the fact was problematic. The company installed the DarkTrace appliance on a trial basis, and almost immediately found a flood of DNS traffic exiting the network, aimed at a foreign server. Because the server sending out the DNS packets had no reason to be doing such a thing, the security staff knew that someone was embedding the critical data in those packets. The server was shut down immediately so that the data leak could be remediated. As France noted to me, the problem wasn't to analyze the source of the attack, but rather to keep the data from being taken.Because the Enterprise Immune System looks for abnormal activity, regardless of the source, it picks up activity that other types of security miss. What's better is that it is able to adapt to a changing network. As France explained, if someone transfers to a new work location or gets new roles within the organization, the immune system will flag the change and the IT staff can then confirm that the change in activity is OK. But it also means that when Fred in Sales decides to go to work for your competitor and sends the complete customer list to his new company, you'll find out as soon as he starts trying to transfer the data and you'll be able to put a stop to it. Ultimately, stopping data loss is the real goal. What matters to your company is not losing the critical information it needs to stay in business. You can update the security software and hardware later, after your critical information is secure.
France pointed out that the DarkTrace approach doesn't rule out continued existing security applications, but rather is aimed at finding intrusions that somehow make it past existing security measures. Then what matters is that the leak be found and prevented. Later, the anti-intrusion products can catch up and eliminate whatever was getting into the network.