In response to the growing interest in our technology partner Darktrace, we have compiled the following list of Frequently Asked Questions (Darktrace FAQs) and their answers, which we hope will broaden your knowledge.
We are particularly pleased to see such a wide variety of questions being asked of Cyberseer's Threat Analysts, who are recognised for their expertise in research, monitoring and in-depth investigation. They use the insight from Darktrace's 'Enterprise Immune System' approach to provide comprehensive support for our customers and to combat targeted threats.
To help you find the answers you are looking for more easily, the questions are listed below. Click on a question to jump to its answer. If your question isn't listed, please send it to our Threat Analyst team or schedule a call.
- Where can I put Darktrace?
- What data can Darktrace ingest?
- How much resource do I need to run Darktrace?
- What is Cyberseer’s SOC Service for Darktrace?
- Is my data sent anywhere else?
- Is the Darktrace Platform easy to scale?
- But what is the Threat Visualiser?
- But what benefits do Darktrace and the Threat Visualiser offer?
- What type of anomalies does Darktrace detect?
- What if I get an infection before we start? What if my network is already compromised?
- What happens if all network traffic is encrypted and Darktrace is deployed?
- Can Darktrace support virtualised environments and cloud services?
- What is the difference between Darktrace Detect, Darktrace Respond, Darktrace Prevent and Darktrace Email?
- What is the Darktrace cSensor (Darktrace DETECT & RESPOND/Endpoint)?
- How do you manage response times with Darktrace?
- How does Darktrace prevent phishing?
- How does Darktrace monitor specific SaaS apps for detection and response?
Have More Questions?
Book a call with Tom Lauder to discuss further.
Where can I put Darktrace?
Darktrace is delivered as a single appliance that takes up 2U of rack space and can be installed, configured and tested in less than three hours. All user interfaces, including the 3D Threat Visualiser and the management portal, are accessed through a web browser.
What data can Darktrace ingest?
Darktrace accepts virtually every data format and typically works with core internal network traffic, collected by one of the following methods:
- Port spanning (SPAN/mirror ports) on the organisation's existing network equipment.
- Inserting, or re-using, an in-line network tap.
- Accessing any existing repositories of captured network data.
How much resource do I need to run Darktrace?
The Darktrace platform can be integrated into your existing detection and incident response processes as an additional, high-integrity source of alerting, so it does not have to be run as a separate function with its own team. Alternatively, Cyberseer can run it for you: our threat detection and analysis managed security service turns Darktrace's insight into actionable intelligence.
What is Cyberseer’s SOC Service for Darktrace?
Cyberseer's SOC Service for Darktrace applies expert human analysis to provide real-time, accurate and actionable intelligence about the threats identified in your enterprise environment.
Cyberseer's Analysts have backgrounds in defence and intelligence and specialise in interpreting suspicious activity, assessing the probable threat behind it and recommending mitigations appropriate to your organisation. This process includes analysing traffic entering, leaving and moving within the enterprise network.
Threat analysis of this kind is often like finding a needle in a haystack and requires skills that go well beyond those of most general security practitioners. Automated technology alone does not achieve the accuracy and insight that an expert threat analyst's depth of knowledge and understanding provides.
Our manual threat intelligence service involves analysing the output of Darktrace's behavioural modelling and proactively investigating the severity of anomalies that may indicate a threat. For every incident detected, our analysts draw on their expertise, external sources of intelligence and the context of your network before presenting an informed and considered explanation of the threat faced.
Investigative work is collated into a comprehensive threat report in which each discovered threat is classified and scored in terms of severity and confidence, together with recommended actions.
Is my data sent anywhere else?
All data is processed on Darktrace's platform and all outputs remain within your organisation's data centre. No data is sent to the cloud or shared with a wider user community; the only party outside your organisation that sees it is Cyberseer's Analyst team. A VPN connection to the appliance is recommended so that Darktrace's cyber security specialists can provide full support. Note that this gives a third party remote access to the appliance, so it should be scoped, logged and reviewed like any other supplier access.
Should you decide not to progress beyond the Proof of Concept (PoC) stage, all data is securely destroyed and removed from the appliance's disks on completion of the PoC.
Is the Darktrace Platform easy to scale?
A single Darktrace appliance can take multiple inputs of network traffic and cover up to tens of thousands of individual machines, depending on peak traffic volumes. Multiple appliances can be clustered to cover geographically distributed networks without moving large volumes of raw traffic around your network.
Appliances are sized on peak network throughput (gigabits per second of monitored traffic), and capacity scales linearly as appliances are added.
But what is the Threat Visualiser?
The Darktrace Enterprise Immune System is complemented by the Threat Visualiser, a graphical, interactive 3D interface designed specifically to let analysts visualise behaviour and investigate anomalies. The Threat Visualiser provides a real-time operational indication of the threat level an organisation faces at any given time.
These visual insights give the organisation's Threat Analysts, or the Cyberseer forensic team, a representation of the data flows across the business network, both historically and in real time, both external and internal, and between all machines and users. The Threat Visualiser is a high-level interface that Threat Analysts can use with minimal training.
Using Bayesian algorithms, it surfaces the top threats that are genuinely anomalous, allowing organisations to focus their attention and expertise proportionately on the areas of greatest risk.
When an anomaly emerges, the Threat Visualiser shows the events leading up to and during the anomaly and exposes, in context, the factors that are considered out of the ordinary.
But what benefits do Darktrace and the Threat Visualiser offer?
- A single worldwide view of the enterprise.
- Flexible dashboard.
- Learns on the job & understands your entire business.
- Designed for Threat Analysts.
- Global threat monitoring in real-time using sophisticated self-learning mathematics.
- Signature-free mathematical approaches allow the detection of new emerging attacks that have not been seen before.
- Capability to replay historical data and fight back in real-time.
- Manually create rules and heuristics.
- Network appliance plugs directly into infrastructure and installs in one hour.
The Darktrace Threat Visualiser allows corporate policy to be enforced and users to be monitored in accordance with defined criteria. Powered by the Darktrace Platform, it helps organisations identify key assets and intellectual property, lets threat levels be monitored as they evolve, and enables preventative action to be taken to protect the organisation and ultimately interrupt the cyber kill chain.
What type of anomalies does Darktrace detect?
The range of anomalies Darktrace detects is very broad, because it sits at the heart of an organisation's network. Darktrace finds anomalies that bypass other security tools because it detects threats without relying on rules, signatures or any prior knowledge of what it is looking for.
The variety of anomalies is vast because the software has visibility of all the traffic as it flows inside and in and out of the organisation.
This lets us see compliance issues, poor configuration, management and housekeeping problems, and malicious attacks, all without signatures. Darktrace is not constrained by pre-defined categories of threat types or malware families: it can detect anything from ransomware to bitcoin mining to Advanced Persistent Threats, and more.
What if I get an infection before we start? What if my network is already compromised?
A clean starting point is not needed. Darktrace uses two different approaches to detecting anomalies: comparing each device's behaviour to its own history, and comparing each device to its peers. The peer comparison is what stops existing bad behaviour being learned as normal, because a compromised device will behave differently from its immediate peers even if it has behaved that way for as long as it has been monitored.
So if your network was compromised before work commenced, the pre-existing intrusion would still be discovered as anomalous in comparison with the normal behaviour of similar devices. The one caveat is that this depends on the compromise being confined to a minority of a peer group: behaviour shared by every device in a group is, by definition, what that group's "normal" looks like, and it then needs to be found by other means.
What happens if all network traffic is encrypted and Darktrace is deployed?
Encrypted traffic provides very valuable information even when it is never decrypted. The time of day, source, destination, size of the transfer, and even the existence of the encrypted session itself are all available without decryption, which is why this traffic is considered 'information-rich'.
Encrypted data is a normal part of enterprise networks and Darktrace operates successfully 'out of the box' without the customer needing to decrypt TLS/SSL or SSH communications or provide private keys.
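The following is an added illustration of the two points above (self-history versus peer comparison, and detection from encrypted-flow metadata alone); it is example code written for this page, not Darktrace's algorithm or product code. All data is constructed: four hypothetical finance workstations (ws-01 to ws-04), a documentation-range SaaS address and a documentation-range "beacon" address stand in for real hosts, and each flow record carries only the metadata a sensor sees on TLS traffic without decrypting it (day, source, destination, port, bytes out). ws-03 uploads 2 MB a day to the beacon host; in one scenario it has done so since before monitoring began, in the other it starts on the last day.

```python
"""Self-history vs. peer-group anomaly baselines over encrypted-flow metadata.

Constructed example for illustration; not Darktrace code. Device names and
addresses are hypothetical. Only flow metadata is used: no payload is inspected.
"""
from collections import defaultdict
from random import Random
from statistics import median

# Hypothetical peer group: four finance workstations.
PEER_GROUP = {"ws-01": "finance", "ws-02": "finance", "ws-03": "finance", "ws-04": "finance"}
SAAS_HOST = "203.0.113.10"     # documentation-range address standing in for a corporate SaaS service
BEACON_HOST = "198.51.100.77"  # documentation-range address standing in for an attacker-controlled host


def make_flows(beacon_from_day, days=7, seed=7):
    """Build constructed flow-metadata records (day, src, dst, dst_port, bytes_out).

    Every device makes five routine HTTPS sessions a day (~36-44 KB each, seeded jitter).
    ws-03 additionally sends one 2 MB upload a day to BEACON_HOST from beacon_from_day on.
    """
    rng = Random(seed)
    flows = []
    for day in range(1, days + 1):
        for dev in PEER_GROUP:
            for _ in range(5):
                flows.append((day, dev, SAAS_HOST, 443, rng.randint(36_000, 44_000)))
        if day >= beacon_from_day:
            flows.append((day, "ws-03", BEACON_HOST, 443, 2_000_000))
    return flows


def daily_bytes(flows):
    """Map (device, day) -> total bytes sent; size is visible without decryption."""
    totals = defaultdict(int)
    for day, src, _dst, _port, nbytes in flows:
        totals[(src, day)] += nbytes
    return totals


def self_history_anomalies(flows, target_day, ratio=3.0):
    """Flag a device whose target_day volume exceeds ratio x the median of its own earlier days.

    If the device was already beaconing before monitoring began, that traffic is part of
    its history and this baseline will learn it as normal.
    """
    totals = daily_bytes(flows)
    flagged = set()
    for dev in PEER_GROUP:
        history = [v for (d, day), v in totals.items() if d == dev and day < target_day]
        if history and totals[(dev, target_day)] > ratio * median(history):
            flagged.add(dev)
    return flagged


def peer_anomalies(flows, target_day, ratio=3.0):
    """Flag a device that sends ratio x more than the median of its peers on target_day,
    or that talks to a destination none of its peers have ever used.

    Using the median means a single compromised peer does not drag the group baseline up.
    """
    totals = daily_bytes(flows)
    dests = defaultdict(set)
    for _day, src, dst, _port, _n in flows:
        dests[src].add(dst)
    flagged = set()
    for dev, group in PEER_GROUP.items():
        peers = [p for p, g in PEER_GROUP.items() if g == group and p != dev]
        peer_volumes = [totals[(p, target_day)] for p in peers]
        peer_dests = set().union(*(dests[p] for p in peers))
        if peer_volumes and totals[(dev, target_day)] > ratio * median(peer_volumes):
            flagged.add(dev)
        if dests[dev] - peer_dests:  # destination unique to this device within its peer group
            flagged.add(dev)
    return flagged


def compare(beacon_from_day, target_day=7):
    """Run both baselines against the constructed data and return what each one flags."""
    flows = make_flows(beacon_from_day)
    return {"self": self_history_anomalies(flows, target_day),
            "peer": peer_anomalies(flows, target_day)}


if __name__ == "__main__":
    print("compromised before monitoring began:", compare(beacon_from_day=1))
    print("compromised on the last day only:   ", compare(beacon_from_day=7))
```

With the beacon present from day 1, the self-history baseline flags nothing: ws-03's daily 2 MB upload is part of the history it is compared against. The peer baseline still flags ws-03, both because it sends roughly ten times the median of its peers and because it talks to a destination no peer uses. When the beacon only starts on day 7, both baselines flag it. Neither needs to decrypt anything; volume, destination and timing are enough.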
Can Darktrace support virtualised environments and cloud services?
Yes. Darktrace's vSensor extends visibility into your virtual environment to include traffic between virtual machines. The vSensor is installed on the hypervisor host as another virtual machine. Once configured with the VM manager and given access to network traffic, it spans traffic from a virtual switch and sends the data to the master Darktrace appliance.
The vSensor can only be used in conjunction with a physical Darktrace appliance. Where spanning a virtual switch is not possible, the vSensor can instead ingest traffic from multiple OS-Sensors. An OS-Sensor is installed on each virtual device to be monitored; it captures all network traffic to and from that device and forwards it to the vSensor for analysis.
The vSensor plus OS-Sensor arrangement suits cloud infrastructure such as AWS, where you typically cannot span a virtual switch. The OS-Sensor provides network visibility only for the devices it is installed on, so coverage there is limited to instrumented hosts.
What is the difference between Darktrace Detect, Darktrace Respond, Darktrace Prevent and Darktrace Email?
Darktrace Detect – formerly the Enterprise Immune System, Darktrace's flagship AI cyber defence solution. It combines real-time threat detection, network visualisation and advanced investigation capabilities in a single unified system that is fast and easy to install. Darktrace Detect provides visibility and detection across on-premises, IaaS, SaaS, IoT and ICS environments.
Darktrace Industrial is part of Darktrace Detect and provides cyber defence AI technology specifically developed to detect cyber threats and latent vulnerabilities in both OT environments, such as SCADA systems, and IT networks.
Darktrace Respond – formerly Antigena, powered by Darktrace's multi-award-winning AI. Darktrace Respond is an autonomous response solution that takes surgical action against in-progress cyber threats, limiting damage and stopping their spread in real time.
Darktrace Prevent – made up of two modules: Attack Surface Management (ASM) and End-2-End.
ASM – uses AI to understand what makes an external asset yours, searching beyond known servers, networks and IPs, and typically surfaces 30% – 50% more assets than an organisation realises it has.
End-2-End – proactively prevents cyber-attacks before they occur. It identifies and prioritises high-value targets and the pathways to them so that vital internal systems and assets can be secured, augmenting your pen-test strategy with real-time attack path modelling.
Darktrace Email – formerly Antigena Email, forms a key component of Darktrace Detect and Respond by integrating into the enterprise inbox. This module uses AI to learn the 'normal' pattern of life for the inbox and so provides an extra layer of defence against email threat vectors.
What is the Darktrace cSensor (Darktrace DETECT & RESPOND/Endpoint)?
Darktrace DETECT & RESPOND/Endpoint extends the visibility of the Darktrace Cyber AI Platform, and the reach of Darktrace RESPOND autonomous response, to remote devices. Coverage is provided by Darktrace Client Sensor ("cSensor") agents installed directly on the endpoint to monitor and control its network activity. Unlike the OS-Sensor, the cSensor requires no connected vSensor and performs its data analysis on the agent itself.
The cSensor is designed to extend coverage, visibility and autonomous response to a dynamic, remote workforce; deployment in virtualised networks is not its primary use case. It is best used in combination with the other Darktrace sensors and deployment options to achieve broader and simpler visibility.
How do you manage response times with Darktrace?
For some use cases, such as ransomware, Darktrace's autonomous response (Darktrace Respond) is ideal because its decision-making acts quickly against disruptive and sophisticated attacks. Other use cases require human expertise and contextual analysis. Context allows our Analysts to understand threats and trends that may not immediately affect your organisation and that do not require an immediate response. Cyberseer's SOC works closely with customers to gain an in-depth understanding of their environment and organisation, and therefore of the true context of a threat within it. View more information on SOC Services for Darktrace.
How does Darktrace prevent phishing?
Darktrace Email is a self-learning AI solution for the inbox that learns the normal 'pattern of life' of every user and correspondent, building an evolving understanding of the people behind email communications. By treating recipients and their correspondents as dynamic individuals and peers, Darktrace Email spots the subtle deviations from the norm that reveal a seemingly benign email to be malicious.
Darktrace Email addresses a full range of email-borne attacks, including social engineering and impersonation, business email compromise, supply chain account takeover, external data loss and novel, previously unseen malware.
How does Darktrace monitor specific SaaS apps for detection and response?
Darktrace protects the hybrid workforce from attacks that evade static, siloed defences, such as insider threats, compromised credentials and accidental data loss. Its self-learning AI adapts to monitor corporate cloud accounts and collaboration tools as the organisation changes. Within minutes of a suspected account breach you can be notified and the attack stopped, while the business continues to operate as usual.