Xiologix Blog

Protection From the Unknown

In the ongoing arms race of network security, threats can be broken down into three broad categories: the things you know, the things you know you don’t know, and the things you don’t know that you don’t know.

We know about things like ransomware, trojans, botnets, phishing emails, cryptomining hijacking, etc., and we have a pretty good idea of how to protect our networks against these threats – although we also know that no protection scheme is perfect, and we’re always vulnerable to a user clicking on the wrong thing.

We also know that we don’t know when the next ransomware variant will emerge, or what its primary delivery vector will be. Likewise, we know that there will be another zero-day vulnerability, but we don’t know when, or what it will look like. Still, we have some idea of what kind of protection measures to put in place.

Arguably, the most difficult threats to protect against are the things you don’t know you don’t know – those things that you don’t even know you should be concerned about: the personal laptop that someone brought in and connected to your network; the unauthorized – and unsecured – wireless access point that someone plugged in under their desk; and the rapidly proliferating Internet of Things. All kinds of IoT devices are being connected to our networks: security cameras, HVAC control systems, building entry systems, lighting systems, medical devices in healthcare institutions, and things that may have never even crossed your mind as potential threats. For many – if not most – of these devices, there is no way to install endpoint protection software, or even a SIEM monitoring agent, on the device.

Case in point #1: A water park, which will remain anonymous, installed some lockers for their guests to use to store their valuables while enjoying the park. These lockers were connected to the corporate network. They were also configured to “phone home” to the manufacturer via the public Internet to obtain software updates. This update function, by default, was unsecured and unencrypted. An attacker was able to use this update function to gain control of one of the lockers and use it to launch a “low and slow” attack on the network.

Case in point #2: A casino had a large fish tank, with automated sensors to monitor water temperature, salinity, oxygen content, feeding schedules, etc. These sensors connected to the network via Wi-Fi. Even though they attempted to isolate the tank on a separate VPN, an attacker was able to gain control of the fish tank and begin using it to exfiltrate data.

How are you supposed to protect against threats like these, when you probably had no idea such attacks were even possible?

The answer is Darktrace – and, fortunately, both the water park and the casino were Darktrace customers.

Last week, Darktrace and Xiologix held seminars in Seattle and Portland. Attendees from the local business communities learned how Darktrace was able to protect against these threats and many more.

Darktrace was founded in 2013 by mathematicians from the University of Cambridge and government cyber intelligence experts in the U.S. and the U.K. Today, it has grown to more than 30 offices globally, with more than 700 employees and more than 7,000 deployments in businesses of all sizes, including some of the largest and most prestigious companies in the world.

In it’s simplest configuration, Darktrace is a cloud-based service that uses an appliance – provided as part of the service – that is connected to your core network switch. Using the port mirroring function of the switch, the Darktrace appliance is able to see all of the traffic on your network. Over a period of a couple of weeks, using autonomous machine learning, Darktrace learns what normal behavior looks like for every single device and user on your network. Then, when abnormal behavior is detected, it can respond within seconds to surgically block the suspect traffic and isolate the threat, while still allowing normal traffic on your network to be unimpeded, thus buying precious time for your security team to respond to the detected threat.

In case #1, Darktrace detected the attempt of one locker to access server data that it had never tried to access before and that no other locker had tried to access. Darktrace blocked the connection attempt, and alerted IT staff to the threat…and probably saved the water park from joining the long list of companies who have made front-page news by losing large amounts of sensitive customer data. In case #2, it was not unusual for the fish tank to occasionally communicate with other computers on the corporate network, but it *was* unusual for it to be transferring data to an external location that turned out to be somewhere in Finland. Again, Darktrace was able to alert IT staff to the threat in time to prevent the potential loss of a large amount of data.

Darktrace can also protect against more typical threats, such as a user who suddenly tries to access or download an unusual amount of data that the user has not typically accessed in the past, or a workstation that unexpectedly begins transferring data to an external location, or the characteristic pattern of malware trying to move laterally across the network from an infected machine to infect other systems or encrypt network shares.

Darktrace’s protection can be extended to your cloud and SaaS applications as well, giving you unprecedented visibility of what’s happening across your enterprise. As one customer put it, “When we activated Darktrace Cloud, it was like flipping on a switch in a dark room.”

If this sounds interesting to you, we would be happy to set up a Proof of Value at no cost or obligation to you. We’ll arrange for a Darktrace appliance to be brought out and connected to your network. It takes about an hour to set it up, and a couple of weeks for it to learn enough about your environment to produce a report so you can see for yourself the value that Darktrace can bring to your organization. Just give us a call or send us an email, and we’ll take care of it.