The program coordinator at the Catholic Charities of Santa Clara County in California never suspected that an email she received earlier this year contained anything more than the corporate invoice it claimed. But as soon as she opened the attachment, malware began to encrypt data on her computer. The breach threatened to expose far more than just her personal files: In order to provide its customers with health care, immigration assistance, and other social services, Catholic Charities handles the medical and financial records of more than 54,000 people each year. Of all the cybersecurity systems—including firewalls and antivirus software—that the nonprofit had in place to shield those sensitive documents, only one flagged the intrusion.
The security breach was detected by the flagship product created by Darktrace, a U.K.-based cybersecurity company founded in 2013. Just days before the malware attack, Catholic Charities had begun testing Darktrace’s pioneering new technology, the enterprise immune system (EIS).
Modeled after the human body’s immune system, the EIS embeds in a computer network and learns what behavior is considered normal for that system. It can then spot suspicious activity and even work to slow an attack, just as the human immune system releases antibodies at the first sign of invasive cells.
Darktrace’s immunity approach represents a compelling new take on cybersecurity. The $75 billion industry is under mounting pressure to evolve beyond traditional methods as dated systems have failed to prevent high-profile hacks on major businesses. With attackers increasingly relying on fast-moving algorithms to carry out highly sophisticated security breaches—such as those that have recently compromised major universities and hospitals—Darktrace is responding in kind, creating complex formulas that allow machines to continuously scan entire networks and register anomalies that other advanced systems may overlook. Its technology, built in part by former members of the British intelligence agencies MI5 and GCHQ, is intended to support—and enhance—existing systems.
Where most cybersecurity companies focus on teaching their technology to recognize the digital footprints of malware (which can quickly become outdated as new attacks emerge) or building firewalls to block intruders, Darktrace takes a more hands-off approach. Rather than rely on humans to feed them specific examples of suspicious behavior, its algorithms train themselves to find abnormalities—a technique that’s known as unsupervised machine learning.
“The concept of Darktrace says that [as attacks become more sophisticated], you’re not going to be able to keep the bad stuff out,” says Vanessa Colomar, a member of Darktrace’s board of directors. It’s far more effective to figure out how to stop attackers once they’re in. CEO Nicole Eagan says the EIS has been deployed in more than 1,000 networks worldwide, with clients ranging from a two-person hedge fund to a global bank. Once the hour-long installation is complete, the EIS searches for new threats while also examining the network for existing breaches. “Within the first and second weeks, we find things out of the ordinary in about 80% of the Fortune 500s we’re deployed in,” says Eagan. “It’s things their legacy tools totally missed.”
That success has helped accelerate the three-year-old company’s growth. Of the companies that have registered for its 30-day free trial, about two-thirds have become paying customers. The company, valued at $400 million, now has 20 offices, including outposts in New York; Hong Kong; Warsaw, Poland; and Milan.
Darktrace’s use of unsupervised machine learning comes with certain benefits: Since there are no assumed rules about what a hack looks like, attackers can’t simply tweak their code to dupe the system. And since the EIS operates as an observer, there’s no barrier that hackers could try to disable.
“What we’re really passionate about is that there’s no one algorithm that rules them all,” says Dave Palmer, Darktrace’s director of technology. “We’ve got a dozen different machine-learning techniques, all fighting to be the best representation for your specific setup.”
Not everyone agrees that unsupervised machine learning is the best approach to cybersecurity. Supervised learning—the technique used by anti-spam filters, in which algorithms are taught to discern between junk mail and the real thing—can help eliminate false positives that sometimes result when an unsupervised system reacts to a routine change within a network. (For example, an algorithm might notice that data is suddenly being transferred to Dropbox and flag it as a security violation, when in fact the company just added Dropbox as an official storage tool.)
Avoiding such confusion is why some security companies take a hybrid approach of supervised and unsupervised machine learning. PatternEx, which launched in February, uses unsupervised learning to scan for abnormalities, then presents its data to a human analyst to distinguish true attacks from false positives. In a recent study, researchers from PatternEx and MIT found the system caught 85% of attacks, while delivering fewer false alarms than unsupervised learning alone. There hasn’t been a similar lab study completed on Darktrace, though Eagan says her system—despite being totally unsupervised—typically generates five to 10 alerts per client per week.
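The learn-what-is-normal approach described above, the Dropbox false positive, and the analyst feedback step of the hybrid approach, as an added Python example (constructed flow records, not Darktrace’s or PatternEx’s code; the host names, domains and the three-standard-deviation volume threshold are assumptions):

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed learning-period flows (host, destination, bytes sent); sample data, not real traffic.
BASELINE_FLOWS = [
    ("wksta-1", "mail.example.org", 1200), ("wksta-1", "crm.example.org", 3400),
    ("wksta-1", "mail.example.org", 1500), ("wksta-1", "crm.example.org", 2900),
    ("wksta-2", "mail.example.org", 1100), ("wksta-2", "files.example.org", 8000),
    ("wksta-2", "files.example.org", 7600), ("wksta-2", "mail.example.org", 1300),
]
# Constructed later traffic: a newly sanctioned tool, routine flows, and one genuinely odd upload.
NEW_FLOWS = [
    ("wksta-1", "dropbox.com", 2000),              # company just adopted Dropbox
    ("wksta-1", "crm.example.org", 3000),          # routine
    ("wksta-2", "files.example.org", 8100),        # routine
    ("wksta-1", "upload.example.invalid", 90000),  # never-seen host, far above normal volume
]

def learn_baseline(flows):
    """Unsupervised step: per-host profile of normal destinations and volumes, no attack labels needed."""
    dests, sizes = defaultdict(set), defaultdict(list)
    for host, dest, nbytes in flows:
        dests[host].add(dest)
        sizes[host].append(nbytes)
    return {h: {"dests": dests[h], "mean": mean(sizes[h]), "std": pstdev(sizes[h])} for h in dests}

def score_flow(baseline, flow, sanctioned=frozenset(), k=3.0):
    """Reasons a flow deviates from its host's baseline; `sanctioned` holds analyst-confirmed benign destinations."""
    host, dest, nbytes = flow
    profile = baseline.get(host)
    if profile is None:
        return ["unknown host"]
    reasons = []
    if dest not in profile["dests"] and dest not in sanctioned:
        reasons.append("new destination")
    if nbytes > profile["mean"] + k * profile["std"]:  # assumed 3-sigma volume threshold
        reasons.append("unusual upload volume")
    return reasons

def detect(baseline, flows, sanctioned=frozenset()):
    """Alert on every flow with at least one deviation; returns [(flow, reasons), ...]."""
    alerts = []
    for flow in flows:
        reasons = score_flow(baseline, flow, sanctioned)
        if reasons:
            alerts.append((flow, reasons))
    return alerts
```

Running `detect` over `NEW_FLOWS` with the learned baseline raises two alerts, one of them the Dropbox false positive; passing `sanctioned={"dropbox.com"}` after an analyst reviews that alert leaves only the anomalous upload.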
Eric Ogren, a senior analyst at IT advisory firm 451 Research, says that most businesses will likely opt for the headache of false positives if it means a more secure network. “What’s the bigger risk, that you chase down a false positive, or that someone makes off with your customer data?” he asks. “I think that within five years, unsupervised machine learning is going to be driving security architecture.”