When you hear cybersecurity firm Darktrace’s customers talk about their experience with the company, they will tell you about ‘the box’ from Darktrace they installed. The idea behind the box is that it allows you to see malicious network traffic and coordinate to the cloud directly so you can react quickly.
The main customer feedback is that the box was pretty and showed them lots of nice graphics—beautiful network maps, gorgeous matrixes, pipe diagrams. There’s no denying that the Darktrace interface is the Mona Lisa of the industry.
But do you know what Darktrace’s customers don’t mention as much as the pretty graphics? They don’t talk about how well the Darktrace box protects them from cyberattacks.
Because it’s unclear how the Darktrace box (which reminds me of another well-known piece of hardware) actually identifies, stops, or blocks attacks in progress in the customer’s systems at critical points like during execution. Oh, Darktrace has white papers talking about how to block ransomware, the problem is, they aren’t stopping ransomware from encrypting files just potentially from being downloaded through networks.
Sure, there’s artistry in beautiful interfaces and snappy visuals. But aren’t they just vain and self-indulgent when you don’t need them to get the job done? And, in the end, isn’t protecting your environment effectively the whole point?
Visibility into the network doesn’t stop attacks at their source
Seeing network traffic is only a tiny part of the way an attack should be discovered and blocked. The box will tell you when things are moving around your network, which is fine, but not very helpful when it comes to stopping ransomware. When ransomware runs, it makes changes to the file system—things you can’t block from the network. The only question that matters is: are you stopping ransomware from running? Killing it at the source is the only solution at that stage, everything before it isn’t ransomware it’s just attack behavior.
Giving IT analysts a box that features widgets and spiderweb-looking graphics to interpret and act on in the middle of an attack is nonsense (or if I’m pulling punches, at least not practically applicable in such a situation). While this kind of visibility may appear valuable during a product demonstration, during an incident it’s distracting and eats up precious response time for your IT team.
Sifting data wastes response time
It’s a truism that the more information you give a responder that they must parse, the more time gets wasted (to avoid this outcome, see my colleague’s post on creating alerts that are actually relevant). How many false positives, for example, are being sent to your IT people to interpret and potentially act on?
While your team is staring at pretty graphics, trying to make sense of them, you remain fundamentally in the dark as to how or whether the machine learning models inside and outside that box are getting better, more specific, and actually blocking an attack. That interface—the Antigena system—doesn’t block new forms of attack at the source, leaving your systems vulnerable. You need to know that the machine is acting on your behalf.
Fighting one-on-one with a hacker
Imagine a real-world scenario: a one-on-one fight with an attacker. How does the box perform?
Time is critical. The more information you force your team to deal with—such as starting with an image or trying to understand a diagram—the more time is wasted.
You need to block the threat, but it isn’t easy to see your assets in the cloud and have a clear picture of what’s going on. And it’s unhelpful to give an analyst visibility without a clear path of action.
The clock is ticking as this adversary tries to burrow into your system, but because you’re not learning how the box’s machine learning models are getting smarter, you don’t know the false-positive rates. How many attacks are coming your way? From which vectors?
Perhaps you can understand how installing a box on a network is no way to stop an actual attack.
Function Over Form
It’s true—we aren’t as flashy as an interface like Darktrace. We might even be a little ‘ugly’ compared to them. Sure, we could provide beautiful graphics. We could give our clients 3D visuals of process trees, network graphics, strike sprocket diagrams, baseball cards of attackers, threat intelligence 3D spinning animations (we have all of this to show), and any other fancy visualization you can think of… We could do that.
But, truth be told, when our customers get hit with ransomware, they’re thankful that we’re too busy being focused on defending them to worry that we’re ugly.
If there is an attack, we’ll block it—our customers don’t need to worry about or participate in that. We’re doing our job when our data scientists and security engineers shield you from the need to do raw data analysis during a time-sensitive situation. Our track record speaks for itself.
We add value by constantly improving machine learning models, lowering false-positive detection rates, and stopping attacks more often. Consider that we have under two false positives across our entire customer base in any given month—an impressive metric in contrast to other tools that emphasize visibility and visualization but which yield far higher false-positive rates. Something competitors can’t say about their products or service.
Where we do need our customers to focus is on hardening their systems against attack. That’s where we are prescriptive and specific about the IT changes that our customers are well-equipped to make. With this combined focus—us on the attacks and customers on the systems—we can ensure higher velocity to improve security and make systems more resilient so you withstand the next cyberattack.
If anything does evade the machine learning or the threat hunter, it can’t get far because of the way we’ve helped you set up your network. When you talk to organizations who’ve been hit by cyberattacks, they know that the IT hygiene advice we give is invaluable to stopping the spread. We know our formula is effective – we can block attacks at the source and in progress, and contain their spread. So don’t waste your time by falling in love with a shiny box with a pretty interface that leaves you vulnerable in the end.
But you don’t have to take our word for it. Check out our white paper on how you can harden your cloud and read case studies from some of our clients to see the proof for yourself.