Andrew France, who was until last year deputy director for cyber defense operations at GCHQ, the U.K.’s equivalent to the NSA, has taken the top job at Darktrace, an interesting new security outfit that opened its doors late last year.
Last September, Darktrace became the first company to win funding from Invoke Capital, the investment vehicle of controversial former Autonomy boss Mike Lynch. As with subsequent Invoke investments, Darktrace is based in Cambridge, the U.K.’s real hardcore technology hub (sorry, east London).
Darktrace is interesting because of its back-to-front approach to security. The problem with profiling attacks, as pretty much every security firm does, is that attackers constantly modify their methods – and while network defenders have to try to seal every possible vulnerability, all the attackers have to do is get lucky once.
So Darktrace provides an appliance that sits in the network and profiles not possible attack vectors, but the network itself, as well as the devices that connect to the network and the network’s users. It uses Bayesian algorithms to learn the expected behavior in these three layers, and spot when something isn’t quite right — this might be unusual activity showing an attacker probing the network, or a rogue employee trying to steal files.
The appliance then alerts administrators to the unusual behavior and asks them what they want to do next. As such, it’s not a replacement for traditional firewalls and so on, but rather a new, complementary system.
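As an added illustration of the learn-the-baseline, flag-the-deviation approach described above (example code written for this page, not Darktrace's, whose algorithms the article does not detail): a small Gamma-Poisson model that learns each entity's typical event rate from observed intervals and scores a new count by how improbable it is under the learned posterior predictive. The class, the entity names and the hourly connection counts are all constructed for the example.

```python
import math
from collections import defaultdict

class RateBaseline:
    """Gamma-Poisson baseline of an event rate per entity (a device, a user,
    a subnet): learn what is normal, then measure how far a new count
    departs from it. Hypothetical code, not a vendor implementation."""

    def __init__(self, prior_shape=1.0, prior_rate=1.0):
        # Weak Gamma(shape, rate) prior on events per interval; an entity never
        # seen before is scored against this prior alone.
        self.prior = (prior_shape, prior_rate)
        self.posterior = defaultdict(lambda: list(self.prior))

    def learn(self, entity, count):
        # Conjugate update for one observed interval containing `count` events.
        post = self.posterior[entity]
        post[0] += count   # shape accumulates observed events
        post[1] += 1       # rate accumulates observed intervals

    @staticmethod
    def _nb_pmf(k, r, p):
        # Posterior predictive of a Gamma-Poisson model is NegBin(r, p); P(X = k).
        return math.exp(math.lgamma(k + r) - math.lgamma(k + 1) - math.lgamma(r)
                        + r * math.log(p) + k * math.log1p(-p))

    def surprise(self, entity, count):
        # Upper-tail probability P(X >= count) under the learned predictive;
        # a small value means the count is far above anything the baseline explains.
        shape, rate = self.posterior[entity]
        p = rate / (rate + 1.0)
        tail = 1.0 - sum(self._nb_pmf(j, shape, p) for j in range(count))
        return max(0.0, tail)   # clamp floating-point rounding below zero

    def is_anomalous(self, entity, count, threshold=1e-4):
        return self.surprise(entity, count) < threshold

# Constructed sample: hourly outbound connection counts for one workstation
# during a quiet baseline period.
BASELINE_HOURS = [31, 35, 28, 40, 33, 37, 30, 36, 34, 29, 38, 32]

def score_workstation(new_count):
    """Learn the baseline above for a hypothetical host, then score a new hour."""
    model = RateBaseline()
    for c in BASELINE_HOURS:
        model.learn("ws-17", c)
    return model.surprise("ws-17", new_count)
```

An hour with 38 connections scores as unremarkable, while an hour with 400 (the kind of spike a scan or bulk exfiltration would produce) falls below the threshold, and an entity with no learned history is scored against the prior alone.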
“Other firms talk about analytic behavioral detection, but they’re doing that around a script of things that they’ve seen before that they can check against,” he said. “We don’t do that, we have no prior knowledge. Our device sits there, completely passive.”
Making the leap
France said he had become very frustrated with the vendors that had been trying to sell his department systems that were all about locking everything down.
“It’s unsolvable,” he said. “The approach of trying to secure yourself into an absolutely secure network means you couldn’t connect to anything. You may have the cleanest network in the world, but you may want to talk to other people who don’t. As soon as you do, you put yourself at risk.”
“You can’t just build big walls around networks and not let anything out. [Attackers] can just buy a bigger ladder. The internet is full of people building bigger ladders. Nowadays you can rent a ladder; you can download a ladder… the cost of entry into that market for people who want to do damage is now extremely low.”
The academic algorithmic research behind Darktrace’s system has been quietly underway for years, but commercialization only began late last year.
France said he was introduced to the technology a year ago by his colleague Stephen Huxter, who became Darktrace’s managing director, but of course France was still employed by GCHQ, so he had to embark on a 6-month “cooling off” period before being able to jump across to the private sector. He began there at the start of January, and his involvement is only now public.
Darktrace is now trying to sell its system to enterprise customers and also companies that are at the larger end of the “small-to-medium” scale. “To be honest it’s SMEs that have potential [intellectual property] that’s world-beating, but they haven’t the capital to [protect it],” he said.