The art and science of detecting emerging threats

In this interview, Stephen Huxter, COO at Darktrace, talks about the challenges involved in detecting emerging threats, Recursive Bayesian Estimation, the evolution of AI, and more.

What are the most substantial stumbling blocks when it comes to detecting emerging threats?
Detecting threats as they develop is not easy, because you are dealing with uncertainty. In today’s threat landscape, we face the risk of extremely sophisticated intruders, who constantly change and refine their methods in order to perpetrate their mission, as well as insiders who abuse legitimate access rights to manipulate data.

These kinds of attacks are very difficult to spot because there is no rulebook that tells us how they will behave. A clever intruder may lie low within an organization for weeks or months, and conceal their movements within the noise of a busy network. An insider is extremely difficult to spot because a lot of what they do may be legitimate, while a small but significant part of their activity is threatening.

The information security industry does a decent job of finding the threats that have already been identified and classified, but struggles with detecting unprecedented threats. We have seen example after example of damaging cyber-attacks against large, ostensibly well-defended companies, carried out by sophisticated threat actors that successfully bypass traditional security defences. The question is, how do you find something when you don’t know what you are looking for?

We are seeing a transition in the industry now, where we are abandoning the illusion of 100% network security – the perimeter has almost become a notional concept in today’s large, complex and global networks. Instead, the challenge is to understand what is happening within the firewall, evaluate the degree of risk that we face at any one time and prioritize top-level threats over low-level incidents, in order to protect our information networks in a proportionate, intelligence-led manner.

How can Recursive Bayesian Estimation help strengthen IT security?
By embracing the probability-based approach that Recursive Bayesian Estimation mathematics enables, organisations can enhance their ability to detect threats that are in progress within their internal systems and operate in a dynamic and covert manner.

This branch of mathematics has been developed by world-class mathematicians at the University of Cambridge, and applied to the cyber security challenge to deliver the first Enterprise Immune System. The math uses an unsupervised learning approach, which means that it statistically works out patterns of activity and classifies its learnings without any prior knowledge or assumptions. Within a corporate network, it monitors and analyzes information, continually calculating probabilities of anomalous behaviours based on changing evidence.

The key word is probability – we are not talking about certainties, but about establishing the best possible, evidence-based understanding of ever-changing threats within complex information environments. Ultimately, this innovation lets IT security focus on mitigating threats in a proactive way and respond to top-level incidents, instead of getting stuck in a reactive mode and dealing with floods of false positives. Without prior knowledge of how a threat may manifest itself, Recursive Bayesian Estimation powers an immune system that constantly refines its understanding of normality and abnormality in real time. It therefore evolves in step with the organisation to find only relevant and highly anomalous behaviours that require timely intervention of some kind.
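To make the "probability, not certainty" idea concrete, here is an added worked example of recursive Bayesian estimation applied to host behaviour. It is illustrative code written for this page, not Darktrace's or the University of Cambridge's method, and it assumes a deliberately simple model: each host is in one of two hidden states (normal or anomalous), the observation per time window is the number of distinct external destinations the host contacted, the normal rate is learned from the host's own history with a Gamma-Poisson conjugate update, and the anomalous hypothesis is "the same host at an inflated rate". The posterior from one window becomes the prior for the next, with a small transition probability so the belief can both rise on evidence and decay afterwards. The destination counts are constructed sample data.

```python
"""Recursive Bayesian estimation of P(host is anomalous) from a stream
of per-window observations.  Added illustrative example; the model
(Poisson counts, Gamma-learned baseline, fixed inflation factor) is an
assumption made for this demo, not a vendor's algorithm."""
from dataclasses import dataclass
from math import exp, lgamma, log
from typing import List, Optional


def poisson_logpmf(k: int, rate: float) -> float:
    """log P(K = k) for a Poisson distribution with the given rate."""
    return k * log(rate) - rate - lgamma(k + 1)


@dataclass
class HostBelief:
    # Gamma prior on the host's *normal* event rate (shape alpha, rate beta).
    # Mean rate = alpha / beta; it is refined recursively as windows arrive.
    alpha: float = 2.0
    beta: float = 1.0
    # Posterior probability that the host is currently in the anomalous state.
    p_anom: float = 0.01
    # Hypothesised multiplier on the normal rate while anomalous (assumed).
    inflation: float = 5.0
    # Per-window transition probabilities: normal->anomalous, anomalous->normal.
    p_enter: float = 0.01
    p_exit: float = 0.10

    def normal_rate(self) -> float:
        return self.alpha / self.beta

    def update(self, count: int) -> float:
        """One recursive step: predict, weigh evidence, normalise, refine."""
        # 1. Predict: carry yesterday's posterior forward through the
        #    transition model, so it becomes today's prior.
        prior = self.p_anom * (1 - self.p_exit) + (1 - self.p_anom) * self.p_enter

        # 2. Likelihood of the observation under each hypothesis.
        rate = self.normal_rate()
        ll_norm = poisson_logpmf(count, rate)
        ll_anom = poisson_logpmf(count, rate * self.inflation)

        # 3. Bayes' rule in log space (avoids underflow on large counts).
        la = log(prior) + ll_anom
        ln = log(1 - prior) + ll_norm
        m = max(la, ln)
        self.p_anom = exp(la - m) / (exp(la - m) + exp(ln - m))

        # 4. Refine the model of "normal" with this window, weighted by how
        #    confident we are that it *was* normal, so a burst we believe is
        #    an attack is not absorbed into the baseline.
        w = 1 - self.p_anom
        self.alpha += w * count
        self.beta += w
        return self.p_anom


def score_series(counts: List[int], belief: Optional[HostBelief] = None) -> List[float]:
    """Run the estimator over a sequence of windows and return P(anomalous)
    after each one."""
    belief = belief or HostBelief()
    return [belief.update(c) for c in counts]


if __name__ == "__main__":
    # Constructed sample: ten quiet windows, a five-window burst of new
    # external destinations, then five quiet windows again.
    windows = [3, 2, 4, 3, 3, 2, 3, 4, 3, 2] + [20, 25, 22, 24, 21] + [3, 2, 3, 4, 3]
    host = HostBelief()
    for i, p in enumerate(score_series(windows, host)):
        flag = "ALERT" if p > 0.9 else ""
        print(f"window {i:2d}  count={windows[i]:2d}  "
              f"P(anomalous)={p:.4f}  learned rate={host.normal_rate():.2f} {flag}")
```

Two things the run shows that the prose only asserts: the alert threshold is crossed on the first burst window even though the baseline was learned from the host itself with no prior signature, and because the burst windows carry almost no weight in step 4, the learned rate stays near 3 rather than drifting up to "normalise" the attack, so the belief decays back below noise once the host is quiet again.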

Are we still many years away from a radical evolution of AI that will bring information security to a new level?
New advances in machine learning and mathematics are now transforming our ability to defend against very complex, fast-moving threats, but we are only at the beginning of that transition. We are starting to see the Enterprise Immune System become a core component of today’s security strategies, whereby the machine understands what is going on in the network and spots threats, and the human does the high-value work of responding to top-level threats.

It is important to remember that cyber security is a very difficult problem to solve – and may be unsolvable. However, in the future, we will undoubtedly see further development and application of machine learning methods that will bring information security to ever new levels of sophistication and enhance our ability to defend our core information assets.

What are the essential features of a powerful threat detection solution?
As we make the transition to a new phase of cyber defense that takes into account the de facto vulnerability of our networks and inevitability of intrusions, threat detection tools have been forced to evolve too. The most serious and dangerous attackers do not use the same methodology twice – they use the full force of their resources and intelligence to maneuver themselves around their target’s environments without triggering concern.

For this reason, threat detection tools need to be able to spot more than just known threats, based on threat intelligence garnered from previous attack methodologies. If we want to do more than just react to cyber-attacks, these solutions must also detect threatening behaviours that have not been seen before.

Essential features of this immune system-style approach include the ability to self-learn, to operate in real time and to constantly adapt to an evolving business context and environment. Furthermore, they need a sufficient level of visibility into the network that allows them to spot very weak indicators which, when combined, may paint a compelling and dangerous picture.

The core value in next-generation cyber solutions lies in this ability to understand and calculate different likelihoods – or probabilities – to work out when a certain behavior constitutes abnormal and potentially threatening activity. Only by embracing uncertainty can IT security departments regain the advantage against their adversaries and manage risk in an effective and pragmatic way.