Darktrace delivers NDR advances
Image courtesy Darktrace
These updates help organisations address the challenges of the modern enterprise network, including managing distributed infrastructure and a hybrid workforce, detecting an increasing volume of novel, unknown and AI-driven threats and streamlining the time-intensive burden of investigation and response for security analysts.
Jack Stockdale, Chief Technology Officer, Darktrace, said: “For over a decade, Darktrace has pioneered the use of AI in network detection and response, achieving one-fifth of the global NDR market share and supporting nearly 10,000 organisations. Darktrace is proven to meet the needs of the increasingly complex modern enterprise IT network and currently supports customers in industries including critical infrastructure like healthcare and energy, financial services, telecommunications, retail, manufacturing and many more.
"We regularly deliver new innovations to meet the core challenges in the NDR market and advance beyond traditional requirements to help our customers secure their environments from a wide range of evolving threats.”
Darktrace / NETWORK uses a unique Self-Learning AI engine that learns what is normal behaviour for an organisation’s entire network, continuously analysing, mapping and modelling every connection to create a full picture of an organisation's devices, identities, connections and potential attack paths. With its ability to uncover previously unknown threats as well as detect known threats via signatures and threat intelligence, it adds a layer to the security stack that augments existing preventative measures.
Darktrace has helped secure customers against attacks including Log4j (Log4Shell) exploitation, the SolarWinds supply-chain compromise, novel phishing scams during COVID-19 and more.
An evaluation conducted in November 2024 of actionable detections across the global Darktrace / NETWORK customer base found that most threats detected were novel or highly anomalous. Those threats were not blocked by the organisations' other security tools, such as next-generation firewalls, security service edge (SSE) and zero trust network access (ZTNA) products, or intrusion prevention systems, because those controls depend on pre-existing indicators of compromise, rules and signatures, and on those being kept up to date.
- 30% of detections in this period were of known threats: half matched indicators of compromise from external threat intelligence and the other half were rule- or signature-based detections (with machine learning automatically managing their detection-engineering properties).
- 70% were detections of highly anomalous activity, including insider threats, compliance risks and novel or unknown external threat activity.
To further enhance these capabilities, Darktrace introduced new detection features over the last year including:
- Threat intelligence ingestion: Darktrace can ingest and manage secondary threat intelligence in STIX format delivered over TAXII, to proactively detect and autonomously respond to known threats based on indicators of compromise and to support additional threat hunting and the creation of custom detections. Cyber AI Analyst can now automatically investigate, correlate and raise a critical incident for each intelligence-based detection it deems important enough for the human investigation team.
- Decryption and encrypted traffic analysis: Darktrace supports decrypting TLS traffic and analysing both encrypted and decrypted forms together, including Deep Packet Inspection for protocols inside encrypted connections such as HTTP/2.
- Support for NetFlow v9: Darktrace ingests NetFlow v9 records of traffic activity which enhances visibility over areas of networks that might otherwise go unmonitored.
- Tunnelling detection improvements: Specialised scrutiny of commonly used tunnelling services, which can easily be repurposed for remote access to and control of devices and saw increasing use globally throughout 2024.
- Detection of generative AI misuse: Dedicated risk and compliance detection models help prevent data loss by allowing customers to monitor and, when necessary, respond to activity and connections to generative AI and large language model (LLM) tools such as AutoGPT, ChatGPT, Stable Diffusion, Claude and more.
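The split the November 2024 figures draw between known-threat detections (indicator or signature matches) and anomaly detections, and the STIX/TAXII ingestion feature above, can be illustrated with a small triage script. The following is an added example written for this page, not Darktrace code and not a description of how Darktrace / NETWORK works internally. It loads a constructed STIX 2.1 bundle (the kind of object a TAXII collection would return), extracts simple single-comparison indicator patterns for `ipv4-addr` and `domain-name`, and then classifies constructed connection records: an indicator match is a "known" detection, a destination the source device has never used in its learned baseline is an "anomalous" detection, and everything else is normal. The baseline dictionary, the connection record fields (`src`, `dst`, `dport`, `sni`) and all addresses (RFC 5737 and RFC 6761 ranges) are assumptions made for the illustration; the pattern parser deliberately handles only the simplest STIX pattern form and reports, rather than silently drops, anything else.

```python
"""Known-IoC vs baseline-anomaly triage over constructed connection records.

Added illustration for this page; not Darktrace's code. The STIX bundle,
baseline and connections below are all constructed sample data.
"""
import json
import re
from collections import defaultdict

# Constructed STIX 2.1 bundle, shaped like what a TAXII collection returns.
# The third indicator uses a compound pattern that this minimal parser does
# not support, to show how unsupported patterns are surfaced rather than lost.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--1b6e2f3a-5c1d-4a8e-9f0b-0c3d2e1f4a5b",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--2a7f3b4c-6d2e-4b9f-8a1c-1d4e3f2a5b6c",
         "created": "2024-11-01T00:00:00.000Z", "modified": "2024-11-01T00:00:00.000Z",
         "name": "C2 server (constructed)", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.45']",
         "valid_from": "2024-11-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--3b8a4c5d-7e3f-4c0a-9b2d-2e5f4a3b6c7d",
         "created": "2024-11-01T00:00:00.000Z", "modified": "2024-11-01T00:00:00.000Z",
         "name": "Malicious update domain (constructed)", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update.invalid']",
         "valid_from": "2024-11-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--4c9b5d6e-8f4a-4d1b-8c3e-3f6a5b4c7d8e",
         "created": "2024-11-01T00:00:00.000Z", "modified": "2024-11-01T00:00:00.000Z",
         "name": "Compound pattern (constructed)", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.9'] AND [network-traffic:dst_port = 4444]",
         "valid_from": "2024-11-01T00:00:00Z"},
    ],
})

# Only the simplest STIX pattern form: a single [type:value = '...'] comparison.
SIMPLE_PATTERN = re.compile(r"^\[(ipv4-addr|domain-name):value\s*=\s*'([^']+)'\]$")


def load_iocs(bundle_json):
    """Return ({'ipv4-addr': set, 'domain-name': set}, [ids of skipped indicators])."""
    iocs = {"ipv4-addr": set(), "domain-name": set()}
    skipped = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            skipped.append(obj["id"])        # e.g. sigma/snort patterns: not handled here
            continue
        m = SIMPLE_PATTERN.match(obj["pattern"].strip())
        if not m:
            skipped.append(obj["id"])        # compound/other patterns need a real parser
            continue
        iocs[m.group(1)].add(m.group(2).lower())
    return iocs, skipped


# Constructed baseline: "dst:port" pairs each internal device has been seen using.
# A learned model of normal is far richer than this; a set suffices to show the idea.
BASELINE = {
    "10.0.0.5": {"192.0.2.10:443", "192.0.2.11:443", "10.0.0.1:53"},
    "10.0.0.6": {"192.0.2.10:443", "10.0.0.1:53"},
}

# Constructed connection records (sni = TLS server name, None if absent).
CONNECTIONS = [
    {"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 443, "sni": "intranet.example"},
    {"src": "10.0.0.5", "dst": "203.0.113.45", "dport": 443, "sni": None},
    {"src": "10.0.0.6", "dst": "192.0.2.77", "dport": 443, "sni": "update.invalid"},
    {"src": "10.0.0.6", "dst": "198.51.100.9", "dport": 4444, "sni": None},
    {"src": "10.0.0.6", "dst": "10.0.0.1", "dport": 53, "sni": None},
]


def classify(conn, iocs, baseline):
    """'known' on an IoC match, 'anomalous' if outside the device's baseline, else 'normal'."""
    if conn["dst"] in iocs["ipv4-addr"]:
        return "known", "ipv4-addr " + conn["dst"]
    if conn.get("sni") and conn["sni"].lower() in iocs["domain-name"]:
        return "known", "domain-name " + conn["sni"]
    key = f"{conn['dst']}:{conn['dport']}"
    if key not in baseline.get(conn["src"], set()):
        return "anomalous", f"{conn['src']} has never contacted {key}"
    return "normal", ""


def triage(conns, iocs, baseline):
    """Return (verdict counts, [(verdict, src, dst, dport, reason)] for non-normal)."""
    counts, findings = defaultdict(int), []
    for c in conns:
        verdict, why = classify(c, iocs, baseline)
        counts[verdict] += 1
        if verdict != "normal":
            findings.append((verdict, c["src"], c["dst"], c["dport"], why))
    return dict(counts), findings


if __name__ == "__main__":
    iocs, skipped = load_iocs(STIX_BUNDLE)
    print("IoCs loaded:", iocs, "| unsupported indicators:", skipped)
    counts, findings = triage(CONNECTIONS, iocs, BASELINE)
    print("verdicts:", counts)
    for f in findings:
        print(*f)
```

On the constructed data, two connections are caught by indicators and one (the 10.0.0.6 to 198.51.100.9:4444 session) only by the baseline check, because its compound indicator could not be loaded by the simple parser. That is the practical point behind the known/anomalous split: indicator matching is only as good as the feed, its freshness and the parser in front of it, which is why the skipped list is returned to the caller rather than discarded.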
Recent updates to further support large, global deployments include:
- Centralised, enterprise-wide network detection, investigation and response: Customers can extend visibility and control across the modern perimeter-less network, with support for Microsoft Azure and Amazon Web Services (AWS) environments with Darktrace / CLOUD; remote or hybrid workers with integrations for leading Zero Trust Network Access providers or with Darktrace / ENDPOINT; cyber-physical systems and operational technology with Darktrace / OT; and a wide variety of enterprise SaaS applications and identities, including Microsoft 365 and Salesforce, with Darktrace / IDENTITY.
- Proactive network performance monitoring: Detailed status alerts for significant changes in bulk network activity, with proactive recommendations to identify and resolve potential security threats and network performance issues.
- Additional customisation for distributed deployments: Darktrace offers a unified view to streamline the management of large deployments, which can now be used to centrally define a wider range of unique local settings. This increases flexibility and simplifies ongoing management for large, distributed, global deployments where different configurations are required across different locations with multiple physical, virtual and cloud deployment types.
Innovations to streamline security workflows
Darktrace / NETWORK can be used by security teams as the central place to manage and respond to threats and it is designed to help streamline and improve SOC efficiency. Innovations including Darktrace’s industry-first Cyber AI Analyst provide a patented approach to automate the investigation of alerts and understand incidents at scale. Cyber AI Analyst performed 1.5 million investigations per week on average during 2023 and generally completes an investigation within just five minutes of an initial alert being raised.
Darktrace has continued to prioritise user experience, efficiency and scale, with enhancements including:
- Automated detection engineering: External threat intelligence feeds and custom signatures are automatically investigated and an incident raised if there is a material impact. This helps minimise the amount of time and effort required by a security analyst to manage rules or continually assess incorrect or outdated intelligence and indicators of compromise.
- Explainable and automated AI-led triage and investigations for alerts: Cyber AI Analyst automatically investigates all relevant alerts to completion, including third-party alerts, reducing alert fatigue by replacing the existing manual triage process with AI. It now provides detailed explanations of an investigation, its reasoning behind search queries and the significance of findings, even for those alerts that are not escalated to incidents. This frees up teams to focus on response actions, threat hunting and proactive hardening.
- Increased customisation of investigations: Customers can now specify how Cyber AI Analyst investigates alerts, providing increased flexibility for custom alerts.
- Upgraded incident interface: A new interface centralises all components of an investigation and gathers all capabilities needed to follow up on incidents, including incident structure, key investigation details, Autonomous Response action summaries, third party alerts and more.
- MITRE ATT&CK mapping: Darktrace maps any relevant model alert to MITRE ATT&CK techniques and displays the mapping in any related Cyber AI Analyst investigations and reports.
- Autonomous Response enhancements: Cyber AI Analyst can initiate and further leverage Autonomous Response actions when it discovers a high importance or large-scale incident, even if the initial alerts were not threatening enough to justify immediate automated actions. The duration of Autonomous Response actions can also be adjusted at a global level, giving security teams the flexibility to enforce a minimum containment time aligned with their known or target time to follow up.
Darktrace was recently named a leader in the 2024 IDC MarketScape for Worldwide Network Detection and Response and the KuppingerCole Leadership Compass: Network Detection and Response (2024).