
In response to a tide of interest in our technology solution Darktrace, we have compiled the following list of “Frequently Asked Questions” (Darktrace FAQs) and their answers, which we hope will help broaden your knowledge.

We are particularly pleased to see a wide variety of questions being asked of Cyberseer’s Threat Analysts who are recognised for their expert capabilities in research, monitoring and in-depth investigations. They use insight from Darktrace’s ‘Enterprise Immune System’ approach to provide comprehensive support for our customers and combat targeted threats.

To help you find the answers you are looking for more easily, we have listed the questions here. Just click on the question and it will take you to the answer. If your question isn’t listed, please send it to our Threat Analysts team.

Where can I put Darktrace?
What data can Darktrace ingest?
How much resource do I need to run Darktrace?
What is Cyberseer’s Managed Service?
Is my data sent anywhere else?
Is the Darktrace Platform easy to scale?
But, what is the threat visualiser?
How comprehensive are the algorithms?
What benefits do the Darktrace Enterprise Immune System and the Threat Visualiser offer?
What type of anomalies does Darktrace detect?
What if I get an infection before we start? What if my network is already compromised?
What happens if all network traffic is encrypted and Darktrace is deployed?
Can Darktrace support virtualised environments and cloud services?

Where can I put Darktrace?

Darktrace Cyber Intelligence Platform - https://www.cyberseer.net/cyber-security-solutions/technology/darktrace-cyber-intelligence-platform/

The Darktrace Enterprise Immune System is delivered as a single appliance that takes up 2U of rack space and can be installed, configured and tested in less than three hours. All user interfaces are accessed by web browser, including the 3D Threat Visualizer and a management portal.

What data can Darktrace ingest?

Darktrace accepts virtually every data format and typically works with core internal network traffic, collected by one of the following methods:

  • Port spanning the organisation’s existing network equipment.
  • Inserting or re-using an in-line network tap.
  • Accessing any existing repositories of network data.

How much resource do I need to run Darktrace?

The Darktrace platform can easily be integrated into your existing detection and incident response processes as an additional, high integrity source of alerting. Alternatively we can do it for you. Cyberseer’s threat detection and analysis service turns insight into actionable intelligence.

What is Cyberseer’s Managed Service?

Cyberseer runs a cyber threat detection and analysis service which leverages expert human analysis to provide real-time, accurate and actionable intelligence about threats identified in the enterprise environment.

Cyberseer’s Analysts are experts in defence, intelligence and interpreting suspicious activities around probable threats, and in recommending mitigations appropriate and suitable for you. This process includes analysing traffic entering, leaving and inside the enterprise network. Threat analysis of this kind is often like finding a needle in a haystack and requires skills and understanding far beyond the normal abilities of most security professionals. No automated technology can achieve the accuracy and insight achieved by expert threat analysts’ depth of knowledge and understanding.

Our manual threat intelligence service involves analysing the results from behavioural modelling technology and proactively investigating the severity of anomalies that may be indicative of a threat. For every incident detected, our analysts draw on their expertise, external sources of intelligence and the context of the network before presenting an informed and considered explanation of the threats faced. Investigative work is collated into a comprehensive threat report of discovered threats, classified and scored in terms of severity and confidence, together with recommended actions.

Is my data sent anywhere else?

All data is processed by Darktrace’s Cyber Intelligence Platform (DCIP) and all outputs remain within an organisation’s datacentre. No data is ever sent to the cloud or shared with a wider user community outside of Cyberseer’s Analyst department. A VPN connection installation is recommended to enable full support from Darktrace’s Cyber Security Specialists.

Should you wish to not progress beyond the Proof of Concept (PoC) stage, all data is securely destroyed and removed from discs on completion of the PoC.

Is the Darktrace Platform easy to scale?

A single DCIP appliance can take multiple inputs of network traffic and cover up to tens of thousands of individual machines, depending on peak traffic volumes. Multiple DCIP appliances can cluster to cover geographically distributed networks, without the need to move large volumes of data around your network.

The Darktrace appliance is sized on throughput in gigabytes, and it scales linearly.

But, what is the threat visualiser?

The Darktrace Enterprise Immune System is complemented by the Threat Visualiser, a graphical and interactive 3D interface designed specifically to enable analysts to visualise behaviours and investigate anomalies.

The Threat Visualiser provides a real time operational indication of the threat level an organisation faces at any given time.

These visual insights provide the organisation’s Threat Analysts or the Cyberseer forensic team with a representation of the data flows across the business network, historically and in real time, both external and internal and between all machines and users. The Threat Visualiser is a high level interface that can be used by Threat Analysts with minimal training. Using Bayesian algorithms, it identifies top threats that are genuinely anomalous, allowing organisations to focus their attention and expertise proportionately on areas of considerable risk.

Should an anomaly emerge, the Threat Visualiser will show the events leading up to and during the anomaly and contextually expose the factors that are, according to Darktrace, out of the ordinary.

How comprehensive are the algorithms?

Darktrace ingests raw network traffic and then extracts over 300 sources of information (metrics) from it, modelling every device, user and the enterprise. Its algorithms were developed at Cambridge University, the world’s premier centre for machine learning.

But what benefits do the Darktrace Enterprise Immune System and the Threat Visualiser offer?

  • Single world-wide view of the enterprise.
  • Flexible dashboard.
  • Designed for Threat Analysts.
  • Global threat monitoring in real time using sophisticated self-learning mathematics.
  • Signature-free mathematical approaches allow detection of new emerging attacks that have not been seen before.
  • Capability to replay historical data.
  • Manually create rules and heuristics.
  • Network appliance plugs directly into infrastructure.

The Darktrace Threat Visualiser allows corporate policy to be enforced, and users can be monitored in accordance with defined criteria. The Threat Visualiser is powered by the Darktrace Platform and helps organisations to identify key assets and intellectual property. It allows threat levels to be monitored as they evolve and enables preventative actions to be taken to protect an organisation and ultimately interrupt the cyber kill chain.

What type of anomalies does Darktrace detect?

The range of anomalies Darktrace detects is very broad, because it sits at the heart of an organisation’s network. Darktrace finds anomalies that bypass other security tools, due to the Enterprise Immune System’s unique ability to detect threats without reliance on rules, signatures or any prior knowledge of what it is looking for. The variety of anomalies is very broad because the principle of our software is that it has visibility of all the traffic as it flows inside and outside the organisation. This allows us to see compliance issues, poor configuration, management/housekeeping issues and malicious attacks without signatures. Darktrace also detects threats from targeted and non-targeted campaigns, and we have detected the unusual behaviours of privileged and super-users within an organisation.

What if I get an infection before we start?
What if my network is already compromised?

Perfect data is not needed. Darktrace leverages two different approaches to detecting anomalies: comparing each device’s behaviour to its own history, and comparing devices to their peers. This peer comparison allows us to avoid learning existing bad behaviour as normal because compromised devices will exhibit behaviour different to their immediate peers.

So if your network was compromised before work commenced, a pre-existing intrusion would be discovered as anomalous in comparison to the normal behaviour of similar devices.
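The following is an added illustration of the two-baseline idea described above; it is not Darktrace code or Cyberseer material, and the device names, the daily outbound volumes and the median/MAD scoring are all constructed assumptions. It shows why a device that was already compromised when monitoring began looks normal against its own history but stands out against its peers.

```python
"""Added example: own-history baseline vs peer baseline on constructed data.
Scoring uses a robust z-score (median / median absolute deviation), an
assumption of this example, not a description of any vendor's algorithm."""
from statistics import median

# Constructed: daily outbound volume in MB per device over 7 days, all four
# devices being the same role (peers). host-c was already exfiltrating before
# day 1, so its own history is uniformly high while its peers stay low.
DAILY_OUTBOUND_MB = {
    "host-a": [12, 15, 11, 14, 13, 12, 14],
    "host-b": [10, 13, 12, 11, 14, 12, 13],
    "host-c": [480, 510, 495, 505, 490, 500, 498],  # compromised from day 1
    "host-d": [14, 12, 13, 15, 11, 13, 12],
}

def robust_z(value, reference):
    """(value - median) / MAD; a flat reference set gives 0 (no divide by zero)."""
    med = median(reference)
    mad = median(abs(x - med) for x in reference)
    return 0.0 if mad == 0 else (value - med) / mad

def history_score(device, data):
    """Today's value (last entry) against the device's own earlier days."""
    series = data[device]
    return robust_z(series[-1], series[:-1])

def peer_score(device, data):
    """Today's value against today's values of every other device in the group."""
    today = data[device][-1]
    peers = [s[-1] for d, s in data.items() if d != device]
    return robust_z(today, peers)

def flag_anomalies(data, threshold=3.0):
    """Devices that either baseline flags, with both scores kept for context."""
    flagged = {}
    for device in data:
        h, p = history_score(device, data), peer_score(device, data)
        if abs(h) >= threshold or abs(p) >= threshold:
            flagged[device] = {"history": round(h, 2), "peer": round(p, 2)}
    return flagged

if __name__ == "__main__":
    # host-c: history score ~0.07 (learned as normal), peer score 485 (flagged)
    for dev, scores in flag_anomalies(DAILY_OUTBOUND_MB).items():
        print(dev, scores)
```

The median/MAD choice also keeps the compromised device from inflating its peers' baseline, which a plain mean/standard deviation would do with a group this small.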

What happens if all network traffic is encrypted and Darktrace is deployed?

Encrypted traffic, regardless of whether it is decrypted within Darktrace, provides very valuable information. The time of day, source, destination, size of transfer, and even the existence of encrypted data is all available without decryption. This traffic is considered ‘information-rich’. Encrypted data is a normal part of enterprise networks and Darktrace will operate successfully ‘out of the box’ without the customer needing to decrypt SSL/SSH communications or provide private keys.

Can Darktrace support virtualised environments and cloud services?

Yes, Darktrace’s vSensor allows you to extend visibility into your virtual environment to include this traffic between virtual devices. The vSensor installs into the hardware server as another virtual machine. Once configured with the VM manager and provided with network traffic, the vSensor spans traffic from a virtual switch and will send data to the master Darktrace appliance. The vSensor can only be used in conjunction with a physical Darktrace appliance. If it is not possible to span a virtual switch, the vSensor also supports the ingestion of traffic from multiple OS-Sensors. The OS-Sensor is installed on each virtual device that is to be monitored, and it captures all of the network traffic to/from that device, sending it to the vSensor for analysis. The vSensor plus OS-Sensor setup is suitable for cloud infrastructure like AWS, where you may not be able to span from a virtual switch. The OS-Sensor provides network visibility of devices it is installed on.
