Ex-spies find a home for their skills with a British cybersleuth

Darktrace’s software studies a network’s pattern of life. It “helped us understand what exactly was happening.”

Bloomberg Businessweek (Asia). Edited by Cristina Lindblad. By Jeremy Kahn, Bloomberg.com

It could have taken months for the systems administrators at a large bank in Rome to figure out that one of their servers was talking to Facebook, a red flag given that networks in banks don’t need to know how many “likes” they’ve received. And they might not have noticed the streams of data the server then sent to an array of unknown computers. This kind of threat—coming from inside the network, not from outside its firewall—is difficult to detect. According to IT researcher Gartner, it can take an average of 229 days for a business to figure out it’s been compromised this way.

What tipped off the bank’s IT department was a little black box containing software from Darktrace, a U.K. startup founded in 2013 by a group of former British spooks and Cambridge University Ph.D.s. After two minutes, the software issued a preliminary alert, color-coded amber. After three minutes, as it became more confident something was seriously amiss, it switched to red.

Guarding a network’s perimeter or scanning for known varieties of malware—the two buckets into which almost all cybersecurity programs can be lumped—doesn’t cut it anymore, says Nicole Eagan, Darktrace’s chief executive officer. Hackers have become increasingly sophisticated, changing just enough of an attack’s code to elude established defenses. Cybercriminals are also increasingly using “spear phishing”—e-mails that seem to come from trusted sources but contain malicious links—to worm into networks. Says Eagan, “No matter how good you think your firewall is, attackers are still getting in.”

Dave Palmer, Darktrace’s director of technology, says his company’s approach to cybersecurity was inspired by the way spies conduct surveillance. He should know: Palmer once guarded the networks of MI5, the U.K.’s domestic spying agency, and General Communications Headquarters, the equivalent of the U.S. National Security Agency. Darktrace’s software employs more than a dozen machine-learning techniques to study a network’s so-called pattern of life—everything from the devices that usually talk to one another to what sort of data they normally transmit to whom and when. Once a baseline has been established, the program alerts systems administrators to irregularities, color-coding each alert depending on how serious a threat it might pose. Amber means the company’s IT chief should probably be informed, Palmer says. Red means it’s time to wake up the CEO.
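The pattern-of-life idea above, reduced to a toy detector: learn each host’s usual peers and transfer sizes from a training period, then grade live flows amber or red, escalating to red when a host that already has an amber alert shows a second irregularity (as in the Rome bank story). This is an added illustration, not Darktrace’s code; the flow records, host names, threshold and escalation rule are constructed for the example.

```python
from collections import defaultdict

# Constructed flow records (host, destination, bytes_sent): a learning period,
# then live traffic to score. Illustrative values only, not real network data.
BASELINE_FLOWS = [
    ("srv-01", "core-db", 4_000), ("srv-01", "core-db", 5_000),
    ("srv-01", "ldap", 300), ("srv-02", "core-db", 2_000),
]
LIVE_FLOWS = [
    ("srv-01", "core-db", 4_500),        # usual peer, usual volume: no alert
    ("srv-01", "facebook.com", 800),     # never-seen peer: amber
    ("srv-01", "203.0.113.7", 900_000),  # never-seen peer plus heavy egress: red
]

def learn_baseline(flows):
    """Per-host pattern of life: usual peers and the largest transfer seen."""
    peers, biggest = defaultdict(set), defaultdict(int)
    for host, dst, nbytes in flows:
        peers[host].add(dst)
        biggest[host] = max(biggest[host], nbytes)
    return {"peers": dict(peers), "biggest": dict(biggest)}

def score_flow(baseline, host, dst, nbytes, egress_factor=10):
    """Grade one flow against the baseline: None, 'amber' or 'red'."""
    if host not in baseline["peers"]:
        return "amber"  # device with no learned baseline: worth a look, not a siren
    new_peer = dst not in baseline["peers"][host]
    heavy = nbytes > egress_factor * baseline["biggest"][host]
    if new_peer and heavy:
        return "red"
    return "amber" if (new_peer or heavy) else None

def score_flows(baseline, flows):
    """Score a batch in order; a second irregularity from a host that already
    holds an open amber alert is escalated to red (assumed escalation rule)."""
    open_amber, alerts = set(), []
    for host, dst, nbytes in flows:
        level = score_flow(baseline, host, dst, nbytes)
        if level is None:
            continue
        if level == "amber" and host in open_amber:
            level = "red"
        open_amber.add(host)
        alerts.append((host, dst, level))
    return alerts

if __name__ == "__main__":
    for alert in score_flows(learn_baseline(BASELINE_FLOWS), LIVE_FLOWS):
        print(alert)
```

A real deployment would learn many more features (ports, timing, protocol mix) and use statistical rather than fixed thresholds; the point here is only the baseline-then-deviation structure.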

Martin Whitworth, a security analyst at Forrester Research, says the behavioral analytics honed by Darktrace and rivals such as Anomali and Deep Instinct are necessary because IT executives are drowning in data, with lots of potential for false alarms. That was the case at Drax Power, a U.K. utility that installed Darktrace’s software in 2013. “It very quickly got rid of that noise and helped us understand what exactly was happening—what was getting through our firewall, how it was getting through, how it was defeating our antivirus,” says Martin Sloan, Drax’s security chief.

Darktrace has more than 200 customers, about a quarter of them in financial services and the rest in sectors including energy, retail, and travel. The monthly subscription starts at $10,000. The startup is backed by more than $50 million in venture capital. Among its biggest supporters is Invoke Capital, a $1 billion venture fund headed by Mike Lynch, the onetime CEO of Autonomy, a U.K. software firm bought in 2011 by HP for $11 billion. Lynch and HP are embroiled in a legal battle over allegations that Autonomy’s management inflated the company’s revenue, which Lynch has denied.

Installing Darktrace takes about an hour, Palmer says. The self-learning system reaches 80 percent of its capabilities within one month and continues to improve gradually.

In early March, Darktrace released an add-on called Antigena that automates many of the responses to a breach that once required humans, such as isolating a server from the Internet. That’s in part to address a manpower shortage. In the U.S. alone, there are 260,000 openings for cyberthreat analysts. Says Eagan, “There are not enough people trained to deal with all the major breaches.”

As an investigation found out, the attack on the Italian bank wasn’t particularly sophisticated. A systems administrator had accidentally downloaded the malware that enslaved the bank’s server in a botnet—an army of infected machines controlled by hackers—used to mine bitcoin. The Facebook page was where the botnet’s zombie machines went to get their instructions.

In the past year, Darktrace has encountered far more ominous threats—hackers using machine learning to penetrate networks. At a conference in London in January, Lynch painted a chilling scenario of cybersecurity’s future: one artificially intelligent piece of software silently trying to outwit and infiltrate another.

The bottom line: A U.K. startup run in part by ex-spies is using artificial intelligence to guard against network breaches.
