Increasing automation, based on big data analytics, is the future of security, claims Darktrace

In future, organisations will have no choice but to tear down their perimeters - and keep a watchful eye on network traffic instead, argues Darktrace's Sam Alderman-Miller

Organisations need to take down their perimeter defences and take a different approach to security based on intelligent, real-time analytics if they want to prosper in the future.

That's the message of Sam Alderman-Miller, an account manager at security company Darktrace, speaking at Computing's Big Data Summit 2016 in London this week. "The perimeter is no longer this well-defined entity. Borders are a lot more fluid these days," said Alderman-Miller.

"We believe that the future of security is very much in self-learning behavioural analysis."

Instead of trying to keep attackers out, Alderman-Miller claims that, increasingly, organisations will have to be more open, profiling users and traffic in order to identify potentially threatening activity. And this process can only be performed based on real-time analytics, rather than security staff poring through log files.

"We can't easily and adequately entertain the nature of their [attackers] outlook, be it hacktivist, nation state or simply because they don't like your company. Organisations don't have the time to do the leg work, or the resources, to adequately manage that risk. We just need to know exactly what threat they pose and what activity they are trying to perform on our corporate networks," he said. "We feel that the future is looking at behaviours."

What technology such as Darktrace does, he said, is use big data technologies to analyse network traffic in order to build a picture of normal behaviour, alerting the organisation's security function when behaviour deviates from the norm.

"Darktrace gets really good at understanding and learning what is normal across the environment and is able to spot subtle deviations and movements away from that learned normal - deviations that are indicative of threat," said Alderman-Miller.

At the core of the technology - unsurprisingly for a company in which Autonomy founder Mike Lynch has invested - is "unsupervised machine learning".

He added: "We were able to make these advances due to developments in probability theory, machine learning and digital signal processing."

He continued: "The first element [of the technology] is the unsupervised machine learning. What that enabled us to do is to create a 'pattern of life' or mathematical model for every IP address, user, subnet on the network. We estimated that we are able to pull something like 350-odd parameters out of any given IP address, which is an incredibly rich dataset upon which to be making inferences.

"Darktrace is very good at spotting those weak indicators. So we can pull all those data points together, look at what we know about a particular device and its learned behaviours and make that heuristic judgement and inference about how threatening or anomalous it may be.

"The second element is mathematics. We use a mathematical technique called 'recursive Bayesian estimation'. This is the means by which we consistently re-assess probabilities, based on probabilities of things that we have already analysed. Essentially, it sits over those machine learning models. It's like having an army of analysts overseeing and analysing all of this data.

"Once we've learnt all these behaviours and have these patterns of life up and running and constantly evolving, there'll obviously be a lot of anomalous behaviour there - networks are very messy places - there needs to be an intuitive and quick way for users to interact with all of that and sort the wheat from the chaff.

"And that's what Darktrace does. It analyses all that anomalous behaviour and asks: What's the most weird and unusual behaviour? What's most indicative of threat? It takes that and puts it into a user interface, including a threat visualiser that was originally designed at GCHQ. Designed by gamers, it was a design choice from the start that it shouldn't require a PhD in mathematics in order to be able to use it - you need to be able to use it with your existing resources," said Alderman-Miller.
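As an added illustration (not code from Darktrace or from this article), here is a toy version of the pipeline Alderman-Miller describes, using constructed flow records and assumed likelihood ratios: a per-IP "pattern of life" is learned from a training window, then recursive Bayesian estimation multiplies the prior odds by each new observation's likelihood ratio, so that several weak indicators accumulate into a ranked anomaly score per host.

```python
# Added illustration (not Darktrace's code): a per-IP "pattern of life" learned
# from a training window, then recursive Bayesian estimation folds each new
# flow's evidence into the posterior that the host is behaving anomalously.
from collections import defaultdict
from math import sqrt

def learn_baseline(flows):
    """Per-IP baseline: destination ports seen, mean and std of bytes per flow."""
    ports, sizes = defaultdict(set), defaultdict(list)
    for ip, port, nbytes in flows:
        ports[ip].add(port)
        sizes[ip].append(nbytes)
    baseline = {}
    for ip, vals in sizes.items():
        mean = sum(vals) / len(vals)
        std = sqrt(sum((v - mean) ** 2 for v in vals) / len(vals)) or 1.0
        baseline[ip] = {"ports": ports[ip], "mean": mean, "std": std}
    return baseline

def likelihood_ratio(obs, base):
    """P(obs | anomalous) / P(obs | normal) from two weak indicators (assumed LRs)."""
    _, port, nbytes = obs
    lr = 5.0 if port not in base["ports"] else 1.0   # never-seen destination port
    z = abs(nbytes - base["mean"]) / base["std"]
    if z > 3:
        lr *= 4.0   # volume far outside the learned range
    elif z < 1:
        lr *= 0.8   # typical volume is weak evidence of normality
    return lr

def score_hosts(baseline, new_flows, prior=0.01):
    """Recursive update: posterior odds = prior odds x product of likelihood ratios."""
    odds = {ip: prior / (1 - prior) for ip in baseline}   # prior is an assumed base rate
    for obs in new_flows:
        if obs[0] in baseline:              # hosts with no pattern of life are skipped
            odds[obs[0]] *= likelihood_ratio(obs, baseline[obs[0]])
    posterior = {ip: o / (1 + o) for ip, o in odds.items()}
    return sorted(posterior.items(), key=lambda kv: kv[1], reverse=True)  # weirdest first

# Constructed sample traffic: (src_ip, dst_port, bytes)
TRAINING = [("10.0.0.5", 443, 1000), ("10.0.0.5", 443, 1200), ("10.0.0.5", 443, 1400),
            ("10.0.0.5", 443, 1200), ("10.0.0.9", 443, 800), ("10.0.0.9", 443, 900),
            ("10.0.0.9", 443, 1000), ("10.0.0.9", 443, 900)]
NEW = [("10.0.0.5", 443, 1250), ("10.0.0.5", 443, 1150), ("10.0.0.9", 4444, 900),
       ("10.0.0.9", 4444, 50000), ("10.0.0.9", 4444, 60000), ("10.0.0.9", 443, 50000)]

if __name__ == "__main__":
    for ip, p in score_hosts(learn_baseline(TRAINING), NEW):
        print(f"{ip}: P(anomalous) = {p:.3f}")
```

Because the update is multiplicative, a single unusual port or a single large transfer barely moves a host, while a run of them drives its posterior close to 1, which is the "weak indicators pulled together" behaviour described above.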

Not surprisingly, customers are typically reluctant to talk about their investment in Darktrace, but they tend to be organisations with good reason to fear security incursions. One of the company's most recent new customers, said Alderman-Miller, is a nuclear power plant operator.

The approach expounded by Alderman-Miller and Darktrace is similar to that taken at the Met Office, which is developing its own NoSQL-based security analytics system.

Darktrace's Sam Alderman-Miller was speaking at Computing's Big Data Summit 2016.
