In the world of enterprise computing, there is perhaps no greater disruptive force than the onslaught of new cyber threats that form a cyber defense challenge. AI offers the possibility of keeping pace with an ever-evolving threat landscape that is simply not possible for traditional cyber security and human intervention.
On this episode of The Disruptive Enterprise Podcast, host Gregory J. Turner, CRO/CIO at MTM Technologies, and guest with Justin Fier, Director of Cyber Intelligence and Analytics at Darktrace, discuss how artificial intelligence is changing the landscape of cyber security.
Who’s ready to talk about cybersecurity?
Cybersecurity: Creating a Stronger Enterprise Security Posture
By Gregory J. Turner, CRO/CIO for MTM Technologies, with Justin Fier, Director of Cyber Intelligence and Analytics at Darktrace
Gregory Turner: Welcome to our continuing podcast series at The Disruptive Enterprise. In the world of enterprise computing, there are any number of disruptive Technologies and business models, from cloud computing to XaaS (Anything-as-a-Service.) However, there is perhaps no greater disruptive force than the onslaught of cyber threats that form a cyber defense challenge. Today on The Disruptive Enterprise podcast, we will discuss the nature of both the threats and some of the innovative defenses.
Gregory Turner: I’m pleased to have with me for this discussion our partner, Darktrace. Darktrace is recognized as the world’s leading AI company for cyber security and is the creator of autonomous response technology. Darktrace’s pioneering technology, the Enterprise Immune System, applies AI to the cyber defense challenge and has proven itself successful in detecting cyber threats that existing legacy systems cannot.
Gregory Turner: Joining me today on The Disruptive Enterprise podcast is Justin Fier. Justin is the Director of Cyber Intelligence and Analytics at Darktrace. He’s one of the US’s leading cyber intelligence experts with over 10 years of experience in cyber defense. Justin has supported various elements in the US intelligence community holding mission critical security roles with Lockheed Martin, Northrop Grumman mission systems, and Abraxas. Justin is also a highly skilled technical specialist and works with Darktrace’s strategic global customers on threat analysis, defensive cyber operations, protecting IoT, and machine learning. Welcome to The Disruptive Enterprise, Justin.
Justin Fier: Thanks, Greg.
Gregory Turner: It’s great to have you here. So, we’re going to talk a lot about how artificial intelligence is really changing the landscape of cyber security. Applying artificial intelligence to the challenge of cyber security has marked a fundamental shift in the enterprises organization’s ability to protect their critical data systems and digital infrastructure. AI offers the possibility to keep pace with an ever-evolving threat landscape that is simply not possible for traditional cyber security and human intervention. Justin, could you maybe outline the Darktrace cyber AI platform and how its engineered to provide that protection?
Justin Fier: Yeah, absolutely. So, the cyber AI platform is made up of two main parts. And the first part is what we call the Enterprise Immune System. And it’s just that. It’s an immune system for your network. It’s utilizing various forms of machine learning to watch every device and user on the network and spot anomalies, unusual patterns in the device’s behavior or the user’s behavior. So, that’s the Enterprise Immune System.
Justin Fier: That’s the detection piece. And after having a lot of success in the industry, we realized detection is not enough. And so, what we added was the second piece, which is Antigena. And that is the automated response piece. Still utilizing various forms of machine learning and working in conjunction with the Enterprise Immune System, it’s able to take very surgical responses to anomalies that might occur on the network.
Gregory Turner: That’s very neat. So, maybe you could describe kind of the components of the AI model is. And I’m assuming they’re machine learning, but are there other methods within AI that are being used by Darktrace?
Justin Fier: Yeah. And I think especially right now where AI is really becoming a force multiplier in many different industries outside of cybersecurity, it’s important to define what it is when we say AI. We’re talking about narrow AI. AI used to solve a very specific problem. But ultimately, what all of us that are doing narrow AI in the industry are doing is using various forms of machine learning. And that’s exactly what Darktrace is doing. We’re using a combination of unsupervised machine learning, supervised machine learning, and even some deep learning back in our AI labs for very specific problem sets.
Gregory Turner: That’s awesome. And when you’re doing the learning, so this will create a recipe, if you will, for the remediation process or quarantine process?
Justin Fier: Yeah. Absolutely. I think the best way to describe it is contextualizing the action. It’s not just a black or white shut the node down or kick the device off the subnet. It’s contextualizing the data that it’s seeing, the anomaly that it’s seeing, and it’s taking an appropriate action based on what it’s seeing. So, think a smart surgical IPS with context.
Gregory Turner: Yes. Yeah. What’s interesting to me and there are a lot of great tools out there, a lot of great monitoring and detection tools that maybe more traditional programming models that have been created. And the CSOs and the CSO organizations will have human analysts that are looking at those screens and monitoring things and responding to alerts or breach detections, or incident alert notifications.
Gregory Turner: And I always think of the example of, I’ve got my computer screen, I’ve got multiple monitors, maybe two or three monitors going, and I’m looking, and I’m seeing something, and all of a sudden, my mobile phone goes off, and it’s my daughter. And she’s just been in a car accident. She’s safe, but she’s all upset. I’m going to take my eyes off that monitor and I’m going to deal with a very family emergency. And I’m going to help my daughter through that situation.
Gregory Turner: In the meantime, threats don’t care and they’re going to create a breach in the system and probably remain undetected because it was only a human that was tracking it. So, one of the things that I heard that you guys have done is you’ve launched the Cyber AI Analyst, a new technology that emulates the human thought process to continually investigate cyber threats, but at machine speed. How has that helped your clients?
Justin Fier: Yeah, absolutely. So, a little bit of background about the project. It’s been in the makings for the last four years. We have some of the best analysts in the industry, I’m proud to say, spread out across the globe, across our three different operation centers, and all have varying degrees of skill sets and experience in the industry. And what we do is we studied them for the last four years.
Justin Fier: And we found that regardless of where you are as an analyst, all analysts do similar things. And analysts in my professional opinion is really nothing more than a storyteller. They look at the data. They ask questions of the data they’re presented with. Those answers form decision trees. And eventually, they’ve got this massive decision tree that gets them to the hypothesis of what they think actually happened. A good analyst can get very close to what happened based off the data that’s presented. So, we were able to take this data and train our system to think as a human analyst would.
Justin Fier: Now, I will be very quick to say we are not trying to replace the human sock. This is meant to work alongside and in parallel to the human team. So, the AI Analyst is running 24 hours a day looking at all of the Enterprise Immune System and cyber AI platform alerts, and it’s picking out the most interesting ones. And then, based off of the data that it’s seeing, it’s asking the questions, it’s building decision trees, and it’s actually writing out a full report, a triage of the series of events that it researched. And in some cases, it’ll actually make remediation recommendations. And all of this is done with zero human intervention at all.
Gregory Turner: Wow, that’s pretty impressive. And now, I can go back to the phone call with my daughter. That sounds great.
Justin Fier: Yeah.
Gregory Turner: So, you’re saying it doesn’t eliminate the need for the traditional human analysis, but it’s providing recommendations and with the human ultimately making the decision on how to proceed. Is that correct?
Justin Fier: Yes and no. I mean, teamed up with Antigena, the human might not need to do anything. Antigena can actually stop parts of that process throughout the way. So, the AI Analyst could also do a post-mortem investigation. And part of that report might even say, “I spotted this unusual activity. I took the following action against it for this period of time and this is what happened after that.” So, it really is a full life cycle report.
Gregory Turner: And is there a process for this Cyber AI analyst to learn from its mistakes and improve on its investigation?
Justin Fier: We’re working on that right now. We are continuing to collect data from our human analysts. And this is of course our first generation and really the first in the industry to contextualize the automation process. It’s not just a black or white playbook, but it’s more of a multi-dimensional dynamic automation process. So, I think we will definitely get there, and I can’t give away too much about what we’re already working on for next generations of it.
Gregory Turner: Yeah. No, that’s fine. I totally understand. What types of threats might be detected by the AI Analyst, Darktrace Antigena solution that a traditional cyber security, say, a Trend Micro or some sort of malware protection routine would miss?
Justin Fier: Sure. So, first and foremost, we have to keep telling ourselves, Darktrace is not here to tell you the difference between good or bad, or malicious or non-malicious. Tools that do that are typically using legacy rules and signatures approaches to the problem. Darktrace is doing anomaly detection and really what that is in its simplest form is telling you the difference between unusual and usual. So, when you’re doing anomaly detection, you’re casting a much wider net throughout your digital ecosystem.
Justin Fier: You’re catching insider threats, you’re catching misconfigurations, whether it’s at the server level or the application Level, you’re catching rogue shadow IT, rogue devices. And then, of course, because Darktrace is agentless, the rule of thumb is anything with an IP address gets mauled. So, right now, I’m going to give you visibility into all of your IoT infrastructure and tell you when a thermostat is operating differently than the other thermostats it’s being compared to. So, it really does cast a much wider net to the more binary good or bad scenario.
Gregory Turner: That’s very interesting. But then, wouldn’t the AI Analyst of Darktrace then really take a look at, “This is an unusual activity, but is it a threat?”.
Justin Fier: Yeah. And so, of course, Darktrace doesn’t have context into the business workings and the actual business processes of our customers. However, that being said, the AI analyst is stringing together a series of weak indicators. And chances are if it’s past enough of the tests and been determined by AI Analyst to be unusual enough to warrant investigation, at a minimum, you’d want to put human eyes on. That’s not to say that it actually was a malicious event or bad event. In our industry, there isn’t really any such thing as a false positive. There’s only positive positives and unknown unknowns.
Gregory Turner: Got it. So, one of our other partners, Cisco often says that there are two kinds of organizations. Those that have been breached and those who don’t know they’ve been breached. A, do you believe that? And B, how can Darktrace help to reduce the uncertainty of knowing whether or not you’ve been breached?
Justin Fier: So, I think first and foremost, we need to change our thought process. Let’s stop focusing so much on the perimeter. I mean, to be honest with you, I don’t even know where the perimeter is anymore. It seems like the goal post keeps moving further and further out. I think we just need to start adopting new types of security, such as utilization of AI and machine learning. I think utilizing things like AI Analyst are going to be an absolute force multiplier in any organizations considering the fact that we just have an absolute lack of human resources in our industry.
Gregory Turner: Yeah. No. And I should fully disclose to our listeners, MTM is a partner with Darktrace, but we’re also a customer. And we use Darktrace to help in our environment to detect these anomalies. And I can honestly say that the solution does allow us to keep a lean workforce within the security area because it does really provide that level of protection of helping us to identify those things that we should be interested in and we should be doing more work on, instead of every alert that comes across our desk. And so, I think there’s a lot of merit to what you’re saying. And I really appreciate the information that you’ve been sharing with us today, Justin.
Justin Fier: Sure. Absolutely.
Gregory Turner: Is there any other major points that you’d like to raise in terms of the way Darktrace works or how it can be very easily put in place at a client?
Justin Fier: Yeah. Absolutely. So, the Cyber AI platform, in my professional opinion, one of the most fascinating parts about it is not even the highly advanced math being run on the background or the AI Analyst, but it’s the fact that it covers your entire digital ecosystem. We are not just looking at your network traffic. We’re looking at your network traffic plus your cloud and SAS traffic, your IoT and operational technology traffic, such as your SCADAs and industrial equipment. And then, of course, we can also apply these same core concepts to your email ecosystem. So, we truly are watching over your entire digital environment, especially during this time of digital transformation where data is quickly being moved to various different places in the organization and be reorganized.
Gregory Turner: Yeah. So, it doesn’t really matter to you whether your data is hosted in a cloud, say AWS or Azure or whether you’ve created some kind of virtual private cloud on-prem, your solution can cover that entire ecosystem.
Justin Fier: Yeah. We are agnostic. It’s not enough to just focus on one piece to the puzzle. We need to focus on all the different moving parts. And I’m sure most of our listeners will agree, our networks are getting highly complex with new protocols, new devices, new architectures changing every few weeks at this point. So, Darktrace can either deploy in one hour as an on-prem solution or deploy in five minutes in any of the various cloud environments that you mentioned. And like I said before, it doesn’t stop with just that, SAS is a big part of our business life these days. And Darktrace has various SAS connectors to actually look over some of your different SAS offerings that you’re working with. So, we really do have to start looking at the entire puzzle and that’s why we’re here.
Gregory Turner: Yeah. That’s awesome. And I think one of the things we started out this conversation, talking about the world of enterprise computing and how there are a number of disruptive technologies and business models from cloud computing to platform-as-a-service, software-as-a-service, security-as-a-service, and it creates this very nebulous diagram of trying to create what is your ecosystem and what is your network diagram. And having a solution like Darktrace in place with MTM to help provide the services around that really is a great comfort, I think, to our CIOs in the world today.
Justin Fier: Absolutely.
Gregory Turner: Justin, this has been an amazing conversation and I have learned a lot. And even being a customer, I’m going to be asking about the AI Analyst to see if I have that released for my product. And I really do want to thank you so much for spending time with us today.
Justin Fier: Absolutely. Thank you.
Gregory Turner: And thank you to our audience for listening. I hope you found this as helpful as I did. For any questions, comments or feedback, please feel free to send an email to email@example.com. For more about The Disruptive Enterprise, visit mtm.com. At The Disruptive Enterprise, this is Greg Turner. Thank you and have a great day.
Outro: The Disruptive Enterprise is brought to you by MTM Technologies, a disruption solutions provider operating in the US with technical expertise and IT experience working with clients as a trusted advisor for over 30 years.