Deviation Detection

Show Notes

In this episode, Robby is joined by Maximilian Heinemeyer, Chief Product Officer at Darktrace.

The conversation focuses on Max's perspective on detection engineering and the use of machine learning. He shares his opinion on the limitations of traditional, signature/behaviour-based detection methods and the challenges organisations face when building complex detection engineering systems.

Max contrasts these traditional approaches with the unsupervised machine learning techniques used by Darktrace, and describes the "aha moments" he experienced when seeing this technology work in its early days.

Chapters

• 0:03: Revolutionizing Cybersecurity With AI
• 6:35: AI in Cybersecurity
• 16:34: Enhancing Cybersecurity Detection Accuracy
• 23:21: Responding to Novel Threats With AI
• 35:17: AI vs Best Cybersecurity Platforms

Transcript

Speaker 1: 0:03

From our headquarters in Oslo, norway, and on behalf of our host, robbie Perelta, welcome to the Mnemonic Security Podcast. I've grown up in a world where detection engineering means identifying bad behavior, collecting relevant security data and creating detection rules Think CM, edr, ids, ips, etc. And I see that approach work every single day. But I've also heard of it failing, as using that approach can make it hard to detect something that you've never seen before. Along comes a concept and application of so-called unsupervised self-learning AI no reliance on historical data or signatures, no scrambling when the next zero day comes out, just another day at the office, and, as you'll hear for yourself, they learn the threat, we learn the business. And today's guest makes a damn good case for it Max Heinemeyer. Welcome to the podcast.

Speaker 2: 1:15

Rob, thanks for having me.

Speaker 1: 1:16

I was going to ask you how Black Hat was. Then I remembered the golden rule about that place.

Speaker 2: 1:22

I think you mean the golden rule about Vegas, right? Yeah, exactly, it was good as every year.

Speaker 1: 1:26

Let's keep it at that. What happens in Vegas stays in Vegas, unless you're on a podcast, right?

Speaker 2: 1:31

Exactly.

Speaker 1: 1:31

Speaking of Black Hat, they had a very nice intro of you. So Max is a cybersecurity expert with over a decade of experience in the field, specializing in a wide range of areas such as penetration testing, red teaming, CM and SOC consulting and, last but not least, hunting advanced persistent threats. He works in the R&D team at R-Trace, shaping research into new AI innovations and their various defensive and offensive applications, and Max's insights are regularly featured in international media outlets such as the BBC, Forbes and Wired, and I'm sure next year they will have to add the mnemonic security podcast right.

Speaker 1: 2:05

And they have both a bachelor and a master's degree from two different colleges, neither of which I will try to pronounce, but they sound german that is correct. They do sound german, they are true, cool so my first question to you how did you go from pen tester to a chief product officer? Because that's pretty, that's a big jump, it's a journal journey when I was a pen tester.

Speaker 2: 2:25

I really enjoyed my work. Anybody who's done hacking in pentest knows that flush of power and that feeling of wow, I can achieve this with my team and that's amazing. But I noticed then when I came back six months later, maybe a year later, to the same customers the vulnerabilities were still there. They didn't manage to fix or mitigate them or sometimes we want similar vulnerabilities that got missed the first time and new tools got developed or new experts got developed and I really scratch my head and think well, I came into this industry being taught that this type of manual penetration testing and this type of red teaming is necessary and a very important step to secure business. But what I felt like is that it didn't have an impact, that what we did was feeling good and you know it's a well-paid job and everybody says this is the way but it didn't really move the needle is what I felt. So I started to question some of these best practices. I'm not saying pentesting is bad, but I think cyber security is an industry evolving so quickly and is such a young field that we haven't settled in what best practice looks like. So long story short, I got frustrated with not feeling an impact, being a pen tester, of really moving the needle for the industry. So I looked around what other interesting solutions are out there? What other interesting technologies out there? Who's going against the stream? Who's got novel ideas? Who's tackling the problem of cyber from a different angle? And while everybody back in the day said, well, this is the way to create security monitoring, if you want to find hackers, you have to create this big CM system, you have to hire 20 experts in the field, you have to spend three years of tuning. And then you got a chance to do it and I used to be a consultant in that field and, like pen testing, I scratched my head. I thought, well, maybe if you're a big bank or insurance company, you can have an attempt at this. Even there, it's very difficult, just between us and our listeners. But how can a medium or small size company ever aspire to do that right? That's never going to work. So I knew how easy it is to attack and I know how difficult it is to defend. So I looked around found Dark. Found dark trace. Who was back then? That was 2014, 2015.

Speaker 2: 4:27

I joined in 2016 myself this company who were looking at applying machine learning back in the day already to cyber security problems, where they said well, let's not try to define every rule and every threat and every signature and try to anticipate every possible attack. Let's instead learn the business and as soon as a deviation occurs, we can flag that, detect the anomaly, do something with it. So that really intrigued me as a hacker. I thought how would I beat that system? And I looked around and I was interacting a lot with the vendor scape at the time and this struck me as a very unique and different approach, and it still is. I mean, everybody and their grandmother now speaks about ai and is having ai chatbots. But this was revolutionary at the time and it's still very different to many other ai approaches.

Speaker 2: 5:10

So how did I become the cpo? I started there as a senior analyst, so I literally sat in the trench and looked at threats through dark trace. I looked at networks and all kinds of probably what 2 000 organizations, hands on myself and time. I was very invested in this. You can hear me speak full of passion, right? I think this is genuinely something good we do to push for boundaries of technology here. So I got very enthusiastic and wanted to speak about it more and well, work with the big customers and naturally people kept elevating me higher and higher to speak to more people, until eventually, after eight and a half years now, I to speak to more people. Until eventually, after eight and a half years now, I'm the CPO, but I've been in this role for two-ish years now.

Speaker 1: 5:47

I love it. Max, that's an awesome story. Did you have like an aha moment at some point in your career when you were like, okay, this, this, you know that's. One of the things I want to talk about today is just untangling the AI term. I'm not sure if that helps Dark Trace or if it actually has hurt you, because it makes it more confusing about what you're actually doing. But, like when, if you can think back in time like what was the moment where you're like, wow, this is actually a novel, smart way of going about security monitoring.

Speaker 2: 6:15

Did you remember that moment in time? Yes, so there's a bunch of questions in your question, so I'm going to deconstruct that, if that's okay, rob, that's how I speak for something. Sorry, it's perfect. I love it so much. So there were several aha moments. I would say I want to talk about one or two of them in a second and then also touch on that AI washing. Almost that's happening in the industry.

Speaker 2: 6:35

I think about the machine learning applications in cybersecurity in particular, in three big buckets. The first one being, which everybody knows about, the natural language assistance that are popping up everywhere, which is implementing similar LLM slash language models to ChatGPT, and everybody's just voting that on the applications. We're very dubious of how much of benefits this actually brings and how much it's still hype. I think that still has to be proven in the industry. The second big thing is supervised machine learning, which mostly refers to threat detections. When we speak about monitoring, it refers to looking across your customer base, taking threat examples bad phishing layouts, sql injection examples, malware examples could be anything really exploits pushing them into your big cloud system with supervised algorithms and training your system on these historic attacks so in the future your defensive system can find similar attacks. It has that body of knowledge, but it always needs to have retraining. It needs to collect the data. That approach, that supervised threat-based detection, is better than what we had five years ago, which was very manual, static routes and signatures-based. Those two things are not really what we do. We don't have an AI chatbot deductories. We don't use a big cloud system to train all customer threats. We use a third, much more niche application in the industry which is predominantly based on unsupervised machine learning, but also various other components. We call it self-learning, but we do not train on big national leverage data. We do not train on historical tech data. We train on customers business data.

Speaker 2: 8:05

And this comes now, finally, to your question about why aha more. In the first one. What we do actually is we look at a customer's environment. This could be their network environment, could be their cloud, could be their email, be their identity, could be their factory, could be any kind of data dark trace sits in the environment. We do not take the data to a cloud.

Speaker 2: 8:23

The learning happens on-site from scratch. It's like a child that learns to walk and understands for the first time. So the system is not pre-trained to know what one bank looks like to then understand the other bank. It is literally learning from scratch what the groups look like, what normal communications patterns mean, who's interacting with whom, what language is being used, what data is being shifted, what external services are being used, how rare is what? Who behaves singularly? All of these things all of the time, continuously.

Speaker 2: 8:49

And that is what called me, like I explained earlier, to come to Darktrace, and my first aha moments were when I was a senior analyst at Darktrace, when I started seeing my first nation state attackers through our system where we deployed in some random companies sometimes government, sometimes defense, sometimes energy and we plug dark trace in, let it sit there for a week to learn, and then you start seeing this with one desktop that is scanning the network the whole time. It's writing powershare files with a local admin credential that is also used on the domain controller to the domain controller and the malware being used was never seen before. The command and control domains that were used had never been used before in legitimate, compromised websites when they used living off the land was. It's literally the worst case. That is extremely difficult. You, as a practitioner, know how would you predict that? How would you write a rule or malware signature or an edr detection that is not constantly overfiring but pinpoints this.

Speaker 2: 9:44

So my first big aha moments were when I worked as an analyst and I saw these environments and I literally saw nation state level attacks flashing up as anomaly chains, not predefined, not you know, having seen other customers as the most obvious thing that even a junior analyst pick up, understand and action immediately. It's not a silver bullet, right, I speak very passionately about this. No single solution is in the industry, but that approach to turn this on its head is super powerful for reducing alert fatigue because the system keeps learning, for not having to predefine everything, so finding new threats, and also for getting internal context. But I stopped here because I could ramble on for hours, but you asked me about my aha moment and these first ones where I saw this work in practice hands on myself. That just blew my mind completely.

Speaker 1: 10:26

So basically, you saw the anomalies popping up and yeah, and at that time did it like, piece it all together for you, or is that your job as an analyst, still at that time, to sort of okay, that's weird, that's weird.

Speaker 2: 10:41

Yeah, back in the day when I joined, our system was flagging up those anomalies and sometimes combining them. I would see rob's laptop and I could say as well, first thing rob did was, you know, download these weird files from gitlab and then two hours later rob did some weird psx movement to another device. And then rob did some weird beaconing to this german website. So me as an analyst, I would then read that within seconds I know that looks pretty bad and I know the story I dig in and I write a report. Then, actually, we thought about how can we push for boundaries, because what we just discussed, what I explained, is mainly tackling the problem of threat detection. Right, how do I find a novel targeted attack, an insider threat, a supply chain attack, an end day, a zero day, something like this, without pre-defining it? And then we well, we have human analysts who write this up and you know flag it and identify it, and it was rather straightforward, but you still needed some level of human interaction. So we thought about how can we make this easier? How can we replicate what we do as human analysts here in a machine learning system? So when I started, that was literally my job. What I explained, you know, looking at these details and stitching the narrative together, and then we thought could we create an ai analyst? Could we replicate these human intuition, workflows, cognitive efforts, in some level of automated system, using machine learning or other techniques? And what we did is we literally observed our internal analyst team, with their consent, anonymized by using various techniques but also Chrome plugin, that actually looked at how is Max using the system. When Max sees a network scan that is conducted by Rob, does Max first look at the source device and understand what the source device does? Or does Max first look at the ports that are being touched? Or does Max first look at the data transfers? Or does Max look at what happened before this network scan happened? Right, that's the hypothesis for cognitive work that we observed quantitatively for several months around across dozens and dozens of experienced analysts to understand how they actually conduct their workflows. And then we took these learnings and rebuilt that in a system we didn't stop by saying here's an interesting chain of anomalies and go on, figure it out.

Speaker 2: 12:46

We now have a system that is triggered every time an anomaly pops up. That AI analyst that's running locally as well, in real time, and says, like Max would great. That looks like a network scan. What could this be? It builds hypotheses could this be data exfiltration, part of a kill chain, natural movement, legitimate admin activity Then it gathers data based on context and it evaluates that data based on various previous training data and machine learning systems, to come to a conclusion. So we really try to replicate a lot of the level one and two human SOC team workflows.

Speaker 2: 13:16

We do not have to sift through anomalies and triage and put a story together Now, instead of looking at 17 anomalies, in two weeks weeks you might have a single incident which is fully narrated, which tells you exactly what happened, what kill phases were, what the local reasons were and the next steps you should be taking.

Speaker 2: 13:33

Again, nothing is a silver bullet, but this is meant to help you hire different types of people. Right now you don't need to max high nine mile with 15 years of network security forensic analysis, but you could use maybe one or two junior analysts who come out of uni and understand your environment better. So that's the whole goal, right? The whole goal is make this more accessible, lower the barrier to entry, make this more affordable and let's not try to widen the scale gap. But yeah, again, sorry, sort of taking the boomerang back all the way to your question. I guess that was my job, but I think we pushed the boundaries of trying to recreate a lot of that human workflow in machine learning systems GANs you have so many things going on underneath the hood.

Speaker 1: 14:09

So, like one of the things I noticed this week, I was with your colleagues here and also love the team. You have Awesome, awesome time and I realized that there was lots of different definitions and just like there's not like a common understanding of all these different things. So I'm not going to ask you to explain, you know, like all all these different methods, but like what, what? What conversations do you usually have with people that are trying to understand? What do you think are the most useful analogies for them to place this in their head?

Speaker 2: 14:55

Yeah, I love your question there, because I speak about how tech works every single day to big audiences or on a podcast, or to practitioners or machine learning data scientists or CISOs and, honestly, I think one of the tricks is to make it very simple to use, even if you're not a data scientist, right? So while there are sometimes people who need to understand the intricate details like how is this specific beaconing detector working and how can we test it, can we adjust it somehow and is it prone to any model fatigue or any data poisoning A lot of that although it's getting a lot of attention in our industry, like the security of AI systems, it is, in practice, often not relevant for 99% of organizations. So, right, I mean I can go in a second into some of the deep machine learning details, but what's more important often is the outcomes and the applicability and how we can use it in your environment of unsupervised machine learning or a phasometer classifier. They sometimes ask if they have tried to build something like Darktrace themselves and failed after several years with a big team of data scientists, because it's a very, very hard problem, and then they want to see how we tackle the problem. But for most organizations, they need to know can I tool it somehow? Can I apply it? Is it real-time? How precise is it? What does the analyst do? Do I need to be aware of any major tech mappings? It's a small combination of the main knowledge and output and efficiency than knowing exactly how the machine learning works.

Speaker 2: 16:34

The important bit is and the interesting bit, if I think to the supervised machine learning systems that train on historic tech data and say this looks like local privilege escalation, because we have seen a million privilege escalations in other customers and we think this is one in your environment that is a very different story because that is quite prone to misfiring for its positives, because that big model often doesn't quite fit for a specific environment because everybody's different. And then you really need to understand if you want to tune that model. Why did it fire exactly? What parameters went sideways? How can we adjust this? Can we trust it? Can we red team it to test for detection or detection engineer? Whereas we say, right, we turned it around, we don't say we've seen this attack 20 times before. Therefore, we alert your environment. We say, well, rob is using sound communication and data transfer to mega upload, which he normally doesn't do. We can show exactly your normal behavior, your normal data flows, which protocols you use, which cloud systems you use, because that's all in your environment.

Speaker 2: 17:32

So to your question do people need to know? Do they want to know or do they go? It depends on their job and if it impacts their work and it does impact their work actually, as detection engineers, because they need sometimes to adjust the detections, they need to turn some off, they need to create new ones and luckily, because you know we built the system to also use it internally. We live on dark trace and a few other things within our company. In security, everything can be adjusted. So there's no black box ai model that just gives you a score and you have to live or die with it. So I think, um, most people don't need to know a lot of the details, but more the value. But if your job really requires you to do some intricate work, we can usually go down to better detail, I assume.

Speaker 1: 18:11

So One thing I just wanted to touch on there. You said, like those that have failed, I know that big banks out there will have, you know, huge detection engineering teams that will be like looking at individual log sources and making baselines. My question to you is what do they usually fail at? Like where do they usually quit.

Speaker 2: 18:29

They have data richness, real-timeness and also the amount of different machine learning methods they use. And what I mean by that is you often see an existing SecOps team that is struggling with too many alerts or they want to add some anomaly detection afterwards. And there's a lot of systems that naturally cater for that, like Splunk has built-in anomaly detectors for specific metadata or specific net flows and you have to tune it a bit and you have to feed certain things in. But if you want to get to the point where you are extremely precise and you're not false-p all the time, you need to look really at the depth of detail, so you can't just look at metadata or experience.

Speaker 2: 19:09

We want to see the depict and inspect data down towards ila7. If we look at emails, we need to see the content to understand, analyze the language, for example, to understand syntax and grammar and specific intonations and stuff like that. So one reason why many people fail is because they say, okay, I'm going to set up this project where I want to detect beacon anomalies in HTTPS and they only look at net flow data and don't look at lower level data, don't look at, maybe, the types of encryption, because the other problem is the power sits in the chaining of anomalies together. A single anomaly itself might not be very interesting, but a neutral would combine them. So if the project in a company, in a detection team, is just find me an anomaly for beaconing, that is almost doomed to fail, either on the level of data quality and data depth they use, or because they only bolted on on top and don't have all of the surrounding tiny anomalies, because a specific weird beac beacon indicator might be not interesting if that's all that happens. But if there's 15 other anomalies, your data transfer was different. There were two weird admin logins 20 minutes before. There was an unusual websoft defender alert an hour before.

Speaker 2: 20:16

All of a sudden that one beacon anomaly becomes extremely interesting and you need that rituals of context and the level of ability to use meta level classifiers to balance these ones out without overfiring, to make sure you don't swamp your tool with false positives or non-interesting alerts. And then, of course, you often have a dedicated data engineering or data science team that builds these classifiers and engineering systems. But your consumers are soft people, level one to three analysts that need visual tools to pivot around the data, that need this in context of the existing tooling, that don't want yet another screen. So it's not just the data science problem, it's also the applicability and usability of the system. So I would say that's the main reasons why these projects tend to fail, and it's not for lack of, you know, trying a resource. It's just a very hard problem. Yeah.

Speaker 1: 21:03

I'm just thinking like one thing you said. You said you don't use, you don't send the customer data up to the big cloud and does analysis and send it back down. Right, it's all happening in their environment. How do you push all that smartness from the big cloud and like the know-how of these attacks and like things that have been that are known to be weird, because I'm assuming you still kind of have to have that to make, you have to have some understanding of what bad is Not on a level to redetect that.

Speaker 2: 21:31

So that is one of the clever bits right to make all of the things I just described. Do this anomaly chaining that retime detection, that retime learning and understanding of an environment, even if we've never seen it before happen locally, if we need to. Because if you send all of this into the cloud all of the network traffic, all of the emails, do analysis there and send it back down, you create a big supply risk problem, possibly because who wants all of the network traffic going to a third party these days? You might create time bottlenecks in case of ransomware, encryption, data infiltration If that takes even a minute to set all of the data up, do analysis come back down. That's unacceptable, we think, and a few other problems.

Speaker 2: 22:08

So we managed to engineer that down to a level where it does work locally and we do not feed our system with consequent updates of you know this is a new threat, this is a new anomaly. It literally learns from scratch and then puts together these anomalies and, of course, when we go over which MITRE techniques might apply to this or that, this looks like potential DNS tunneling, because it's a significant anomaly in outbound DNS traffic that really strongly deviates. So there is the main context around this, but it's not specifically matching a specific threat, if that makes sense. So we do not need that constant cloud connection. That's why we also run in offline environments on cruise ships, sometimes in government facilities with 100% efficacy, not losing any of our capabilities.

Speaker 1: 22:51

Interesting. So, in regards to use cases, are there certain use cases that are just better suited for your way of doing things compared to others? Like, is signature-based detection better in some things? If you understand the question, I don't even understand the question that. I'm asking anymore. I'm in deep water here, but I'm hoping you can untangle them for me.

Speaker 2: 23:12

As long as your audience takes something away and has it for fun. They listen to you. Hopefully. I'm not saying that. So what's, I guess, benefits or where's the traditional approach better? Should you take one or the other? I don't think there's a specific answer. This is not, you know, binary, where one is always better in this situation, the other is always worse. What I would say is that most companies have quite mature what we call known threat detection stuff that's based on signatures and null threats your antivirus, your Microsoft Defender, your firewall, so you're pretty well covered. But the thing that is causing the disruption is the 1% which is unpredictable, the targeted spear phishing living off the land attack, the stuff that is very, very hard to pinpoint. So we always say you want to have a combination of both approaches. We are Microsoft partner of the year in the UK this year actually, I saw that, yeah, technology partner, you and I. We talk mostly about detecting novel threats, and you said what other use cases are there. I touched on using different machine learning to automate level 1 and 2 analyst roads with an AI analyst.

Speaker 2: 24:14

There's another element which has a lot of impact for our customers, which is not detecting or investigating threats, but responding to threats and there's a trick here that we can do because of the deep understanding of an environment, by not just responding in saying we have to pre-define the response quality in the device or we have to pre-define the response, just let it go because it's a critical business server. We can't. We actually can do context and behavior based reactions and that is a significant, very useful benefit when you want to contain a threat but not drop the missiles. As an example, when LOB4J happened the big vulnerability that everybody knows about we saw a lot of export campaigns a few hours after the news dropped, hitting internet-facing devices of some of our customers. What we did not do is we did not start to scramble to analyze these attacks and, you know, create routes and signatures to stop these attacks.

Speaker 2: 25:10

It was just another day in the office what we saw for Darktrace doing. We saw, as an example, an internet-facing VPN server of one of our customers. Love4j hit it. He wanted to start downloading malware and wanted to scan the network and do Bitcoin mining or whatever Darktrace said. Well, all of a sudden, we've learned that your VPN server is normally receiving SSL connections from a lot of different people and it's downloading updates from, let's say Cisco, and it's getting administered over SSH and port 22. That's kind of what it normally does, based on your environment, based on your device. Now, all of a sudden, it's connecting back to this weird Chinese server all the time and it's trying to reach out to your finance server and it's trying to Bitcoin mine, download files from GitLab.

Speaker 2: 25:51

So Darktrace 8 pointed all of this out. The analyst put it all together in a single incident in real time, saying something is really bad and wrong with your VPN server. It doesn't make any business sense. We didn't say careful with slot4j because nobody knew and had given a name yet right At that point it was an end day.

Speaker 2: 26:06

And now comes the trick. Darkface, in those customers where it's enabled, responded autonomously, not by saying haha, I've seen this 10,000 times. Therefore, I know exactly what to do. It said well, I know your VPN server normally gets a lot of incoming SSL on these ports and is reaching out to Cisco and getting connected into over SSH, but it's never beaking out to this Chinese IP over port 88, which is normally Kerberos internal, not using HTTPS to go to the internet, and it's never trying to upload data to mega upload and it's never trying to Bitcoin mine.

Speaker 2: 26:36

So what Darktrace did is in real time, which means sub-seconds, sub-miniseconds understand the context and the behavior and stop the beaconing of a port 88 because that's super unusual by interrupting via firewall, integration or other means, stopping that potential upload in bitcoin mining via integrations as well, but let and this is the very crucial part the normal business continue right. So it did not shut down the server and nobody could connect back in and you know the whole business grinded to a halt. So you were asking what's, what's the use case for this type of approach? I think for sure it's a threat detection, but many people say, well, anomaly detection, so what? But it's much more the deep understanding of an environment where we can also respond surgically by understanding normal behavior and enforcing that in context in real time, without the human having to pre-define every playbook so that. So that's super powerful.

Speaker 1: 27:25

Yeah, really good use case. But there's one thing you said that I really wanted to touch upon, like living off land techniques. What other unknown sort of things besides living off the land and spearfishing are actually good use cases for your way of approaching it?

Speaker 2: 27:38

Yeah, I like to think Difficult to predict attacks. When I say unknown attacks, it's those that are very hard to predefine. So that could be things like permutations of malware where we don't have signatures or routes for novel type of exploits where there's no idea of IPS signatures. Supply chain attacks so anything that's abusing trust. Supply chain attacks like SolarWinds or Okta, for example, or Okta, for example, it could be very targeted things like spear phishing, zero days or N days, in particular, certain types of linging off the land. So anything that's abusing legitimate identities is extremely difficult to find for traditional approaches. But I would say it's absolutely those difficult to predefine, pre-describe or yeah.

Speaker 1: 28:21

Am I correct under or like kind of assume, that those sort of attacks you just mentioned, those really can't be pinpointed and highlighted in any other way besides the way that you're doing it?

Speaker 2: 28:33

I wouldn't know how. How do you predefine Log4j in specific without describing the behavior around it? How do you know and that's the interesting bit, right how do you know how you and that's the interesting bit, right? I know that other vendors are trying to find things like insider threats or lateral movement, abusing identities by again summarizing other lateral movement insider threats from their big database of customers and then generalizing that and pushing it down to the individual customers to find similar attacks again. But that is crazy to me and I've had many conversations where that approach failed with organizations because when it says, well, this connection, this RDP connection, that's an insider threat and A it comes from a big cloud model, data model, so you don't have any details why that is. It's been summarized across 10,000 customers, so you can't tune it and it's very prone to false positivity.

Speaker 2: 29:25

And if you say no, no, no, it's just a novel admin that has changed from finance into an administrator role very rare, but it happens. You know they gain some new skills and they discover their love for RIT, hate finance. Now that is legitimate, that's okay. But every time that happens you as a human team have to go in there and tune it out. If Darktrace says well, rob all of a sudden goes from being a smart, charismatic podcast host to being a sysadmin, which is also fine, but he starts to log into many devices over SSH.

Speaker 2: 29:53

Darktrace might say whoa, that is very unusual. Take a look, there was nothing seen before, there was no further kill chain, so it's just weird. But if you keep doing this, the first time Darktrace might say it's 100% weird and really unusual. But as you and your peers continue to behave in this way, the next time it happens Darktrace might say well, actually now just 70% unusual and if that comes in new normal, it will go away by itself as an alert. And that is significant, because what breaks most backs in a big sock is not the use case creation but actually the use case during the sorting out of false positives. And again, this is not a silver bullet I'm describing, but that level, that plateau of false positive sorting that you only have to do is significantly squashed because the system keeps learning with your business change yeah.

Speaker 1: 30:39

Very interesting and I know that you've answered this question a million times. But just before I move on, when it comes to detection engineering, how are you like the system is just doing all the detection engineering itself, or do you have anybody in Darktrace that's actually influencing detection engineering from the outside? Or is it all happening on the box? I know, I've asked this before and I haven't answered it, but just in the.

Speaker 2: 30:59

No, no, no, you didn't ask it in that way, so I gave a different answer. You said are you looking for threats, sharing these threats? We're not doing that. What we do do we look across our customers that allow us to from a model performance perspective. So if we do create a new behavior detection, which might happen once a month or so right, it's quite rare actually these days. But we keep an eye across our customers how these models work and how they perform. So when we push something like this and we see, well, the DNS tunneling model that we adjusted a bit is now firing a lot, a lot across customers and especially in the finance sector, then we might take a look at those performance indicators and see if there's any way to improve that. But it's not to push down new detections to cover emerging threats. Prove that. But it's not to push down new detections to cover emerging threats, it's more to enhance the performance and the performance of the resources on the local departments, for example.

Speaker 1: 31:51

Cool. So your detection engineers are how would you describe them? Like hardcore mathematicians.

Speaker 2: 31:58

Not even that. That's a beautiful thing. What my detection engineers do, any customer could do. We just do it across our customer base to make sure the fleet fleet is healthy. But actually it's saying things like well, the dns tunneling model because I mentioned a few times is looking for an unusual amount of dns requests in a unusual amount of time from a device that never does it, going to a rare destination on the internet and then, if that's firing too much, you might be able to say, well, maybe also stop it from firing from proxy servers. Right, because proxies might do that a lot. So every customer could do the same thing. And the beauty is you don't have to be a data scientist to do that Right, it's any analyst can do it. So there's still a level of detection engineering that customers might want to do Right.

Speaker 2: 32:39

Like I said a few times, nothing is a silver bullet. While, like I said a few times, nothing is a silver bullet. While our system is very efficient, you still might want to add more local context. You still might want to disable some detections. You still might want to create some of your own. You still might want to sharpen some. So customers can absolutely do this and the bigger ones and more mature ones do it, but I would say the level of effort required to have a functioning dark trace is significantly reduced compared to a traditional detection engine approach.

Speaker 1: 33:05

When it comes to the market. When you were at Black Hat and you're looking around the floor there, what comes to your mind? Are your peers in the space? I'm not sure who you would call yourself comparable. Is it like Vectra? Or what an extra hop? I have no idea. But what do you think? Is the market catching up? How do you look at the market?

Speaker 2: 33:30

On the very, very broadest, you know perspective and zooming out. I am quite happy to see that so many people are now looking at machine learning, although it's mostly AI chatbots. But what we needed was more innovation to help with a lot of the pressing problems we have in security operations. So, in generally speaking, I think it's a good thing that more people try to push boundaries and automation. But if you double click on just this space, just from the network, you have to unfold the machine learning because the devil is in the details, and I described to you in intricate detail in your audience how we work, how we do not pre-train, we learn purely based on the customer's environment.

Speaker 2: 34:00

I like to say we learn the business, they learn the breach. So they might be looking at the same traffic. There might be something popping out at the end that looks like detections, but everything else is very different, like the amount of durability, the level of noise, with precision, the context, given the real timeness, what's done with these things. So I wouldn't say they are a competitor. And if you look at other spaces, other point areas, like email, you might see AppNormal Security again a great company. But they also use that approach of supervised learning, trying to get every bad thing from their customers that they see and then generalize it or push it down. That means you have to tread a lot of water to stay still, which we don't have to, because our system self-learns. We think it's good if there's healthy competition, but, honestly speaking, I still think we're the only ones with a core AI platform that has taken all of this data and truly self-learns in an environment self-tuning itself.

Speaker 1: 34:54

Have you patented these ways of doing it, like, why haven't the others sort of caught on and just copied you?

Speaker 2: 35:00

Yeah, well, there's patents, of course, but that's always a tedious legal process. You really have to create this from the ground up. You have to really think about it's nothing you can vote on. You could also ask me why doesn't google just recreate this? Or why doesn't microsoft just spend five billion and recreate a dark trace? Now there's.

Speaker 2: 35:17

You really have to af the ai knowledge and the researchers and I said earlier that it's a niche area that's self-learned. Probably 90% of machine learning globally in tech is supervised machine learning like LLMs or transformers or stuff like that. The stuff we're doing is quite niche, so you don't just find these people growing on trees and knowledge around that. But it's not just about the R&D advantage. You really have to architect your data pipelines, your business model, right. We don't want to summarize a lot of things in our big cloud and pump in more logs and get more license cost of those logs. We don't want to drive more intelligence insights from a big data cloud. We just want to protect customers locally with our cool stuff.

Speaker 2: 35:57

So you would have to have a very different approach to your business model. How you want to scale your business with data pipelines. You have to do some significant engineering fee to get it so performed that it runs locally, physically or virtually. And that would only be to recreate the detection part. Right, right, not even the autonomous response, not even the AI analyst, not even things we didn't even speak about, which is with understanding a business so intricately as we do.

Speaker 2: 36:21

We can also predict attack paths by saying we know your identities, your social communications, emails and your networks, your vulnerabilities via integrations. Now we can predict what local attack paths have the biggest impact on your business. So it's for us, not just about detection response anymore, it's also what else can you do with that self-learn of the business, which could be predicting attacks, attack path modeling and vulnerability prioritization, or even, after an attack, helping a business to get back on their feet, instead of getting an incident response team in that is writing big playbooks, our machine learning system can tell you what the best steps are to recover after an incident, because it knows your business so intimately. So to your question again why haven't others recreated this? They will need to start from scratch, not bolt it on anywhere, and really architect it the same way we did in the machine learning architecture, data pipelines and business level, and then they would only catch up on all heels. I mean, let's be careful, because I work for Darktrace right.

Speaker 2: 37:15

Of course I'm very biased, but yeah, I think that's how I think.

Speaker 1: 37:19

So just to wrap this up like your. So just to wrap this up like your take on platform versus best of breed and what's the future of this space.

Speaker 2: 37:27

Yeah. So what's my take on platform versus best of breed? I think both are legitimate approaches that should be options for companies. Some companies, especially medium to smaller sized ones, might want a platform approach when it comes to their SOC tooling. This could be an XDR-esque approach, it could be a Darktrace-esque approach, it could be a SeemSource approach whatever suits them they have to know. But it's certainly easier to have consolidation and having to deal with less vendors and less hassle and less integrations.

Speaker 2: 37:57

I would say in general, we probably have too many niche solutions in cybersecurity for very specific problems. So almost every CISO I talk to says I've got too many vendors, I've got too many point solutions. I don't want to consolidate to a single platform, but I want to get from 85 to 50 or so. That is the trend I'm hearing and observing. Of course we cater to that right. I said earlier, I think we've got several best of breed solutions that actually are part of a bigger platform that works together in synergy. So I think driving towards a platform-esque approach is great.

Speaker 2: 38:28

I always think you want to have a layered vendor approach. You want to maybe have Microsoft for the non-threat defense and inspect into your E3 and E5. Anyway, they're doing pretty well these days and you might want to have a dark trace for the stuff you cannot predefine. Working in conjunction and maybe you want to have one or two other solutions for more edge case problems. But having 80 or so vendors, I don't think that's manageable. So I welcome the consolidation in the space.

Speaker 2: 38:54

There's some interesting financing on that. If you think back to 2021 times, VC money was very cheap and we saw such an influx of Israeli and Silicon Valley security companies that often solved a specific, very tiny problem but were competing for budget and mind space and there were so many of them. That was really difficult. It still is for c source of thing, but back then it was even more difficult because there were so many zombie companies but were never becoming profitable anyway or never had a reason to exist, but were inflated by vc money keeping them alive over the lifetime of thing. Yeah, so I think there's there's them alive over the lifetime of thing. So I think there's more complexities in the space of too many vendors and stuff like that. But I think if best of breed is more applicable to you as a big business because you have a big in-house engineering team that wants to integrate themselves, that's also absolutely fair game. So I think both work. It depends on the circumstances, Cool.

Speaker 1: 39:43

Well, mr Heinemeier, you are a very smart man. I can tell that I gave you a very what I thought were complicated questions, but you made it sound very simple. I really appreciate you explaining Dark Trace to me and to our listeners. Do you have any?

Speaker 2: 39:58

closing thoughts. I just want to say thank you. I'm genuinely grateful for having the chance to speak to you and hopefully contribute to something for your listeners. Anybody wants to connect and have a chat? I'm on LinkedIn, as Maximilian Heinemeyer Just hit me up and we can have a talk.

Speaker 1: 40:12

Thank you so much, sir. Enjoy your weekend when that time comes.

Speaker 2: 40:15

Thank you.

Speaker 1: 40:17

Well, that's all for today, folks. Thank you for tuning in to the Mnemonic Security Podcast. If you have any concepts or ideas that you'd like us to discuss on future episodes, please feel free to hit me up on LinkedIn or to send us a mail to podcast at mnemonicno. Thank you for listening and we'll see you next time.