Darktrace's "digital antibodies" have stopped one Brexit-themed data protection threat: while trialling the machine-learning anti-hacking system's latest security automation tool, one company was alerted to an insider threat.
A previously well-behaved employee reacted angrily to their employers' strategy for dealing with Brexit by digging out confidential documents with the aim of leaking them, but the would-be Julian Assange was spotted by Darktrace's Antigena, which not only uses machine learning to hunt for threats but also automates the response.
"It's an interesting example, not because of Brexit, but because this staffer never leaked anything in the past," Dave Palmer, DarkTrace's director of technology tells WIRED – making such a threat hard for human colleagues to spot. "The documents were blocked from leaving the organisation."
The British cybersecurity startup uses machine learning to hunt for odd behaviour on corporate systems, meaning its Enterprise Immune System can spot zero-days and other hard to find attacks. Antigena is the latest effort, extending the automation to the response. After a period of testing with a number of companies, the firm is making Antigena available for all.
"Antigena is a further set of AI-type components all about making smart or autonomous decisions to stop the unexpected in businesses in a way that has lots of context, so we can buy security teams time to respond," Palmer says. "The system helps to have your back on things that you weren't expecting to happen."
The system appears to be genuinely learning. Palmer advises customers not to even look at it for the first week, saying it gets up to 80 per cent of its intelligence after a month, peaking at a year of learning on a system.
Some attacks are easier to spot than others — it requires subtlety to notice a careful insider attack, while a ransomware attack, for example, looks like a "bomb going off in the environment". But noticing an attack isn't enough, as by the time humans take action it may already be too late. For a ransomware attack, Antigena may respond by automatically preventing files from being encrypted. "We start interrupting those types of attacks," Palmer explains.
That assumes that companies are willing to hand over their decision making to a machine. Some aren't.
Darktrace has offered Antigena on a limited basis for companies to trial since last year, and what it's learned from early testers hasn't changed the mathematics or algorithms at the core of the system, instead it's led to tweaks in how it communicates to users.
That includes a "human confidence mode" that forces the system to get approval before taking action, as well as animations that tell the story of how the attack was spotted, to show how the algorithm came to its conclusion — we humans want to know the why, not just the what.
Palmer notes that hackers could make use of such unwillingness to automate responses, with attackers learning which spots corporates leave to humans to defend - and therefore have slower response times, making them weak spots to target.
While security teams can leave Antigena as the automated first line of defense against cyber attacks, it's easy to see why they in particular would like to be the ones to tap the button giving it approval first — after all, we've all heard AI will be stealing our jobs. Palmer argues Antigena will make it easier for security staff, meaning they can move along from firefighting to more strategic planning.
Palmer doesn't expect smart automated systems will mean companies cutting back on security staff. "Are we going to be saying, 'there's just too many cyber people, when was the last time we got hacked, why are we employing these people?' That's never going to happen, not anytime soon," he says. In reality, we've got to start doing different things just so we can keep up."
In the future, Palmer suggested Darktrace could become a digital mentor for security staff, gathering up the skills of the best people in the industry to help support and train new team members, like a learning, evolving textbook. "They could be guided in how other people would react to the same information they're being presented with," Palmer says. "Alongside that, the companion would be pre-emptively bringing in all the data that the security team member could be wanting at different points."
While Palmer doesn't see AI-based antivirus taking off on the desktop, it could extend out of offices to the IoT, smart homes and even smart cars, preventing attacks without needing constant updates to malware lists, he says.
"Our phones are getting pretty bullet proof, but all of the cheap IoT and smart home stuff is shown over and over again to be enormously vulnerable," he says. "If someone can't start their car in the morning or can't unlock their door, that's going to be more impactful [than desktops]... so we're moving more in that direction."