We are particularly pleased to see a wide variety of questions being asked of Cyberseer’s Threat Analysts, who are recognised for their expertise in research, monitoring and in-depth investigation. They use insight from Darktrace’s ‘Enterprise Immune System’ approach to provide comprehensive support for our customers and combat targeted threats.
To help you find the answers you are looking for more easily, we have listed the questions here. Just click on the question and it will take you to the answer. If your question isn’t listed, please send it to our Threat Analysts team.
Where can I put Darktrace?
The Darktrace Enterprise Immune System is delivered as a single appliance that takes up 2U of rack space and can be installed, configured and tested in less than three hours. All user interfaces, including the 3D Threat Visualiser and the management portal, are accessed through a web browser.
What data can Darktrace ingest?
Darktrace accepts virtually every data format and typically works with core internal network traffic, collected by one of the following methods:
- Port spanning (port mirroring) on the organisation’s existing network equipment. Check that the span session mirrors both directions of the traffic; a span port can also silently drop packets when it is oversubscribed.
- Inserting, or re-using, an in-line network tap, which does not suffer from the oversubscription problem.
- Accessing any existing repositories of network data.
How much resource do I need to run Darktrace?
The Darktrace platform can easily be integrated into your existing detection and incident response processes as an additional, high integrity source of alerting. Alternatively, we can do it for you. Cyberseer’s threat detection and analysis managed security service turns insight into actionable intelligence.
Cyberseer runs a cyber threat detection and analysis managed security service which leverages expert human analysis to provide real-time, accurate and actionable intelligence about threats identified in the enterprise environment.
Cyberseer’s Analysts are experts in defence and intelligence, in interpreting suspicious activity around probable threats, and in recommending mitigations appropriate and suitable for you. This process includes analysing traffic entering, leaving and moving inside the enterprise network.
Threat analysis of this kind is often like finding a needle in a haystack and requires skills and understanding beyond those of most security professionals. No automated technology alone achieves the accuracy and insight that expert threat analysts bring through their depth of knowledge and understanding.
Our manual threat intelligence service involves analysing the results from behavioural modelling technology and proactively investigating the severity of anomalies that may be indicative of a threat. For every incident detected, our analysts draw on their expertise, external sources of intelligence and the context of the network before presenting an informed and considered explanation of the threats faced.
Investigative work is collated into a comprehensive threat report in which discovered threats are classified and scored by severity and confidence, together with recommended actions.
Is my data sent anywhere else?
All data is processed by Darktrace’s platform and all outputs remain within the organisation’s datacentre. No data is ever sent to the cloud or shared with a wider user community outside of Cyberseer’s Analyst department. A VPN connection to the appliance is recommended so that Darktrace’s Cyber Security Specialists can provide full support; since this gives remote access to the appliance, agree its scope and access controls as part of the deployment.
Should you not wish to progress beyond the Proof of Concept (PoC) stage, all data is securely destroyed and removed from the appliance’s discs on completion of the PoC.
Is the Darktrace Platform easy to scale?
A single Darktrace appliance can take multiple inputs of network traffic and cover up to tens of thousands of individual machines, depending on peak traffic volumes. Multiple Darktrace appliances can cluster to cover geographically distributed networks without the need to move large volumes of data around your network.
The Darktrace appliance is sized on network throughput (gigabits per second of monitored traffic), and it scales linearly.
But what is the Threat Visualiser?
The Darktrace Enterprise Immune System is complemented by the Threat Visualiser, a graphical and interactive 3D interface designed to specifically enable analysts to visualise behaviours and investigate anomalies.
The Threat Visualiser provides a real-time operational indication of the threat level an organisation faces at any given time.
These visual insights give the organisation’s Threat Analysts, or the Cyberseer forensic team, a representation of the data flows across the business network, historically and in real time, both external and internal, between all machines and users. The Threat Visualiser is a high-level interface that Threat Analysts can use with minimal training.
Using Bayesian algorithms, it identifies the top threats that are genuinely anomalous, allowing organisations to focus their attention and expertise proportionately on the areas of greatest risk.
Should an anomaly emerge, the Threat Visualiser will show the events leading up to and during the anomaly and contextually expose the factors that are considered out of the ordinary.
But what benefits do the Darktrace Enterprise Immune System and the Threat Visualiser offer?
- A single worldwide view of the enterprise.
- Flexible dashboard.
- Learns on the job & understands your entire business.
- Designed for Threat Analysts.
- Global threat monitoring in real time using sophisticated self-learning mathematics.
- Signature-free mathematical approaches allow detection of new emerging attacks that have not been seen before.
- Capability to replay historical data and fight back in real time.
- Manually create rules and heuristics.
- Network appliance plugs directly into infrastructure and installs in one hour.
The Darktrace Threat Visualiser allows corporate policy to be enforced and users to be monitored in accordance with defined criteria. The Threat Visualiser is powered by the Darktrace Platform and helps organisations identify key assets and intellectual property. It allows threat levels to be monitored as they evolve and enables preventative action to be taken to protect the organisation and ultimately interrupt the cyber kill chain.
What type of anomalies does Darktrace detect?
The range of anomalies Darktrace detects is very broad because it sits at the heart of the organisation’s network. Darktrace finds anomalies that bypass other security tools thanks to its ability to detect threats without relying on rules, signatures or any prior knowledge of what it is looking for.
The variety of anomalies is very broad because the principle of the software is that it has visibility of all the traffic as it flows inside and outside the organisation.
This allows us to see compliance issues, poor configuration, management/housekeeping problems and malicious attacks, all without signatures. Darktrace is not constrained by pre-defined categories of threat types or malware families: it can detect anything from ransomware to bitcoin mining to Advanced Persistent Threats, and more.
What if I get an infection before we start? What if my network is already compromised?
A clean starting point is not needed. Darktrace uses two different approaches to detecting anomalies: comparing each device’s behaviour to its own history, and comparing each device to its peers. The peer comparison avoids learning existing bad behaviour as normal, because a compromised device will behave differently from its immediate peers. (The one case this does not cover is a whole peer group compromised in the same way; then the peer comparison alone has nothing to contrast against.)
So if your network was compromised before work commenced, the pre-existing intrusion would stand out as anomalous against the normal behaviour of similar devices.
What happens if all network traffic is encrypted and Darktrace is deployed?
Encrypted traffic is very valuable even without being decrypted. The time of day, source, destination, size of the transfer, and even the existence of encrypted data are all available without decryption; this metadata is considered ‘information-rich’.
Encrypted data is a normal part of enterprise networks and Darktrace operates successfully ‘out of the box’ without the customer needing to decrypt TLS/SSL or SSH communications or provide private keys.
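As an added illustration of the two comparisons described above (a device against its own history, and against its peer group) and of how much can be read from encrypted flows without decrypting them, the following Python is example code written for this page; it is not Darktrace’s own algorithm or code. It scores devices from constructed connection metadata only (time, source, destination, bytes sent). The device names, destination labels, the three features, the per-feature floors and the z-score method are all assumptions chosen for the illustration.

```python
import math
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """Connection metadata only: nothing here requires decrypting the payload."""
    day: int        # observation window (day index)
    hour: int       # local hour at which the flow started
    src: str        # internal device that opened the connection
    dst: str        # destination name (hypothetical labels in the sample data)
    bytes_out: int  # bytes the device sent


# Minimum spread per feature (assumed values), so a perfectly uniform baseline still gives a finite score.
FLOORS = {"log_bytes": 0.1, "dests": 1.0, "after_hours": 0.05}
WORKSTATIONS = ("ws1", "ws2", "ws3", "ws4")   # one peer group of similar devices (assumed)


def features(flows):
    """Summarise each (device, day): log10 of bytes sent, distinct destinations,
    and the fraction of flows started outside 07:00-19:00."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[(f.src, f.day)].append(f)
    feats = {}
    for key, fs in buckets.items():
        feats[key] = {
            "log_bytes": math.log10(sum(f.bytes_out for f in fs) + 1),
            "dests": float(len({f.dst for f in fs})),
            "after_hours": sum(1 for f in fs if f.hour < 7 or f.hour >= 19) / len(fs),
        }
    return feats


def zscore(value, population, floor):
    """Standard score of value against population; an empty population is no evidence (0)."""
    if not population:
        return 0.0
    mu = mean(population)
    sd = max(pstdev(population), floor)
    return (value - mu) / sd


def score_device(feats, device, day, peers):
    """Return (self_score, peer_score): the largest upward deviation over the features,
    measured against the device's own earlier days and against its peers on the same day."""
    current = feats[(device, day)]
    history = [v for (d, dd), v in feats.items() if d == device and dd < day]
    peer_now = [feats[(p, day)] for p in peers if p != device and (p, day) in feats]
    self_s = max(zscore(current[k], [h[k] for h in history], FLOORS[k]) for k in current)
    peer_s = max(zscore(current[k], [p[k] for p in peer_now], FLOORS[k]) for k in current)
    return self_s, peer_s


def constructed_flows():
    """Constructed sample data, not a real capture. ws4 is already beaconing when
    monitoring begins on day 0; ws1 starts exfiltrating on day 4."""
    flows = []
    for day in range(5):
        for ws in WORKSTATIONS:
            for hour, dst, size in ((9, "mail", 40_000), (11, "cdn", 60_000), (15, "mail", 50_000)):
                flows.append(Flow(day, hour, ws, dst, size))
        flows.append(Flow(day, 3, "ws4", "c2-host", 2_000_000))      # nightly beacon, every day
    flows.append(Flow(4, 2, "ws1", "paste-site", 50_000_000))        # one-off bulk upload
    return flows


def rank(flows, day, peers=WORKSTATIONS):
    """Score every device in the peer group for one day, most peer-anomalous first."""
    feats = features(flows)
    rows = [(dev, *score_device(feats, dev, day, peers)) for dev in peers if (dev, day) in feats]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for day in (0, 4):
        print(f"day {day}")
        for dev, self_s, peer_s in rank(constructed_flows(), day):
            print(f"  {dev}: vs own history {self_s:6.2f}   vs peers {peer_s:6.2f}")
```

Running it shows the two behaviours the FAQ describes: on day 0, ws4 scores 0 against its own history (the beacon is all it has ever done) but stands out sharply against ws1 to ws3, and on day 4, ws1 is flagged by both comparisons. None of the features looks inside a payload, which is the point about encrypted traffic. If all four workstations beaconed identically, the peer score would also be 0, which is the limitation of peer comparison on its own.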
Can Darktrace support virtualised environments and cloud services?
Yes. Darktrace’s vSensor extends visibility into your virtual environment to include the traffic between virtual devices. The vSensor installs on the hypervisor host as another virtual machine. Once configured with the VM manager and given access to the network traffic, the vSensor spans traffic from a virtual switch and sends the data to the master Darktrace appliance.
The vSensor can only be used in conjunction with a physical Darktrace appliance. If it is not possible to span a virtual switch, the vSensor also supports ingestion of traffic from multiple OS-Sensors. An OS-Sensor is installed on each virtual device to be monitored; it captures all of the network traffic to and from that device and sends it to the vSensor for analysis.
The vSensor plus OS-Sensor setup is suitable for cloud infrastructure such as AWS, where you may not be able to span from a virtual switch. Note that the OS-Sensor only provides network visibility of the devices it is installed on, so instances without one remain blind spots.
What is the difference between Darktrace Enterprise, Darktrace Industrial, Darktrace Cloud and Darktrace Antigena?
– Darktrace Enterprise is Darktrace’s flagship AI cyber defence solution. It combines real-time threat detection, network visualisation and advanced investigation capabilities in a single unified system that is fast and easy to install.
– Darktrace Industrial is a cyber defence AI technology specifically developed to detect cyber-threats and latent vulnerabilities in both OT environments, such as SCADA systems, and IT networks.
– Darktrace Cloud delivers Darktrace’s cyber-threat detection and real-time visibility to the cloud. It is compatible with all major cloud providers, including AWS, Google Cloud Platform and Microsoft Azure, as well as SaaS applications such as Dropbox, Salesforce and Office 365.
– Darktrace Antigena, powered by Darktrace’s multi-award-winning AI, is an autonomous response solution that takes surgical action against in-progress cyber-threats, limiting damage and stopping their spread in real time.