Darktrace (Core) is the Enterprise Immune System’s flagship threat detection and defense capability, based on unsupervised machine learning and probabilistic mathematics.
Powered by advanced machine learning, together with a new branch of Bayesian probability theory, developed by mathematicians from the University of Cambridge, Darktrace is the only genuinely self-learning cyber defense technology proved to work at scale. It is capable of detecting cyber-threats and anomalous behaviors that bypass traditional security tools, without prior knowledge of specific threats, or using rules or signatures.
Darktrace works by analyzing raw network data, creating unique behavioral models for every user and device, and for the relationships between them.
Leveraging its unique machine learning algorithms, Darktrace forms an evolving understanding of an organization’s ‘pattern of life’ (or ‘self’), spotting very subtle changes in behaviors, as they occur. These behavioral changes are correlated and filtered, in order to detect emerging threats and anomalies.
Darktrace is delivered as a physical appliance, which is easily and rapidly installed within an hour, at a SPAN or TAP port within the customer network(s). The appliance passively monitors raw network data in real time, without disrupting business operations, and provides instant visibility into all network activity, notifying of in-progress attacks or emerging anomalies.
- Adaptive – evolves with your organization
- Self-learning – constantly refines its understanding of normal
- Probabilistic – works out likelihood of serious threat
- Real-time – spots threats as they emerge
- Works from day one – delivers instant value
- Low false positives – correlation of weak indicators
- Data agnostic – ingests all data sources
- Highly accurate – models human, device and enterprise behavior
- Installs in 1 hour – no configuration
Darktrace Threat Visualizer
The Threat Visualizer is Darktrace’s real-time, 3D threat notification interface. As well as displaying threat alerts, the Threat Visualizer provides a graphical overview of the day-to-day activity of your network(s), which is easy to use, and accessible for both security specialists and business executives.
Using cutting-edge visualization techniques, the Threat Visualizer user interface automatically alerts analysts to significant incidents and threats within their environments, enabling analysts to proactively investigate specific areas of the infrastructure.
- 3D visualization of entire network topology
- Real-time global overview of enterprise threat level
- Intelligently clusters anomalies
- Pan-spectrum viewing – higher-order network topology; specific clusters, subnets, and host events
- Searchable logs and events
- Replay of historical data
- Concise summary of overall behavior for device and external IPs
- Designed for business executives and security analysts
Visualization techniques can also be used to provide a high-level overview of a company’s network for business executives, helping to bridge the gap between technical specialists and the boardroom. Executives are given an easy-to-consume oversight of security issues, improving their awareness and understanding of the network environment, and enhancing their ability to make management decisions.
Darktrace ICS, also known as the Industrial Immune System, is a fundamental innovation that implements a real-time ‘immune system’ for operational technologies, such as SCADA, and enables a fundamental shift in the approach to cyber defense.
Darktrace ICS retains all of the capabilities of Darktrace in the corporate environment, creating unique, behavioral understanding of the ‘self’ for each user and device within the network, and detecting threats that cannot be defined in advance by identifying even subtle shifts in expected behavior.
Detecting threats across IT and OT
Darktrace ICS is ideally deployed to observe both the ICS and corporate networks, as most ICS compromises occur via an IT network breach.
With Darktrace ICS, organizations with industrial networks are able to detect and respond to emerging threats, even if novel or tailored. They can also detect threats regardless of whether they originate in either the IT or operational domains, or traverse between them. By identifying unexpected anomalies in behavior, defenders can investigate malware compromises and insider risks as they emerge, and through stages of the attack lifecycle.
Darktrace ICS also provides real-time visibility required to make intelligence-based decisions in live situations, while also enabling in-depth investigations into historical activity.
Installed as an appliance, Darktrace ICS passively ingests network data via a SPAN port or network tap. As such, it is able to monitor industrial networks with no disruption to normal functioning of ICS operations, including industrial plants and machinery.
- Unprecedented visibility into ICS activity
- Protects against insider threat, including operators and privileged users
- Detects threats in real time
- Coverage of both IT and OT environments
- Correlates actions over time, for refined understanding of ‘normal’
When the human immune system is faced with a new threat, not only can it detect it, but it produces antibodies that bind to it, and ultimately neutralize it. Darktrace Antigena replicates this function of the human immune system, by creating ‘digital antibodies’ in response to in-progress threats.
Antigena acts automatically to restrain or contain threats quickly enough to allow humans to catch up. It could only take 20 minutes for a major threat, such as a ransomware attack, to evolve into a crisis – Antigena’s automated action slows, or stops threats in a targeted fashion, to provide security teams with a vital time window in which to take mitigating action.
Antigena’s response capability allows organizations to directly fight back, and networks to self-defend against specific threats, without disrupting your organization.
Darktrace Antigena is capable of taking a range of measured, automated actions in the face of confirmed cyber-threats detected in real time by Darktrace. Because Darktrace understands the ‘pattern of life’ of users, devices, and networks, Antigena is able to take action in a highly targeted manner, mitigating threats while avoiding over-reactions.
Antigena works by automatically creating digital antibodies for specific features found in previously unseen cyber-threats. Once Darktrace has identified a potential threat, Antigena has the ability to take a variety of actions, depending on the severity of the anomalous activity. It can:
- Stop or slow down activity related to a specific threat
- Quarantine or semi-quarantine people, systems, or devices
- Mark specific pieces of content, such as email, for further investigation or tracking
Without disrupting business operations or damaging productivity, Antigena essentially enforces the ‘pattern of life’ that Darktrace has learned, without restricting people unnecessarily. It gives security teams time to respond to dangerous cyber-threats as they emerge.
Darktrace Antigena modules
Darktrace Antigena modules are deployed as physical appliances, complementing the core Darktrace appliance. They can also interface with Software Defined Networks (SDNs) and Active Directory, and are fully configurable.
- Antigena Internet – Regulates user and machine access to the internet and beyond
- Antigena Network – Regulates machine and network connectivity and user access permissions
- Antigena Email – Regulates email, chat and other messaging protocols
- Directly inoculates against a full range of threats
- Prevents, slows, or disrupts activity in real time
- Self-defends and self-improves
- Stops threats before they spread
Darktrace vSensors are lightweight software components that extend Darktrace’s visibility in virtualized environments. It provides the Enterprise Immune System with comprehensive visibility of today’s distributed infrastructures.
vSensor software is installed as a ‘virtual appliance’ configured to receive a SPAN from the virtual network switch. This allows it to capture all inter-VM traffic, without a single packet being lost or dropped by the system. It stores the packet captures on a rolling basis, optimizing the disk space and I/O performance and ensuring that there is minimal impact on the performance of the server. Only one vSensor needs to be installed on each hardware server, allowing for scalability.
A vSensor is installed as a virtual appliance configured to receive a SPAN from the virtual network switch.
The vSensor will extract only the relevant metadata using the Darkflow system, sending 1% of the original raw network traffic ingested onto the master appliance efficiently and securely, wherever it is located on the physical network.
Darktrace vSensors are distributed in industry-standard formats, representing a virtual (software) appliance. They have been developed for VMWare, ESXi and any other virtualized environment that supports Open Virtualization Formats (OVF).
- Ingests virtual traffic from a limited set of IPs
- Sends data efficiently and securely to the Darktrace master appliance
- Sends approximately 1% of the original raw network data ingested to the master appliance
- Works with third-party clouds
Darktrace OS-Sensors are lightweight, host-based server agents that extend Darktrace’s visibility into third-party cloud environments, including Amazon AWS, Rackspace, and Microsoft Azure.
OS-Sensors intelligently extract single copies of network traffic for analysis by the master Darktrace appliance. They are easily installed onto virtual machines in the cloud and capable of dynamically configuring themselves to avoid data duplication and streamline bandwidth use. Working in conjunction with vSensors, data is aggregated and fed back to the master appliance, via a secure connection.
Darktrace OS-Sensors are fully configurable, allowing organizations to see all or selected cloud traffic, without requiring access to the hypervisor and with minimal performance impact.
Available for Linux and Windows, Darktrace OS-Sensors are robust and resilient, allowing organizations to enhance visibility and deliver Enterprise Immune System monitoring to cloud environments, wherever they are hosted.
- Complete visibility of third-party clouds
- Fully configurable – you choose cloud traffic that you want to monitor
- Lightweight and non-intrusive – easily installed onto virtual machines, without requiring access to the physical server
- Dynamic configuration – creates only single copies of network traffic, no data duplication
As organizations embrace cloud applications, significant blind spots have developed beyond the traditional enterprise network. Valuable enterprise data and rich user interactions within SaaS applications contain critical security insights, but are not always accessible to IT security teams.
Darktrace SaaS Connectors provide coverage of these rich datasets, extending the power of Enterprise Immune System technology into previously-unseen areas of your infrastructure, including:
- User logins
- Data transfers
- Download data
- Software updates
Anomalous behaviors pertaining to activity within SaaS applications, irrespective of user login location – may be detected, therefore allowing security operators to integrate their insights and threat detection capability across the multiple parts of their infrastructure.
Darktrace SaaS Connectors are available for major SaaS providers, including Salesforce.com, Box.com, G Suite, Dropbox and Microsoft Office 365.
- Complete visibility of user interactions within SaaS applications
- Easy install — less than an hour
- Early-stage threat detection