Published on July 25th, 2017 | by Tony Thompson
Darktrace vs. SS8 Part 1: Detection Methodologies
Perception is everything in building a brand, and nothing helps build perception more than money. Enter our competitor Darktrace in the network traffic analysis (NTA) category, which for many, would appear to be dumping cash on the campfire to acquire new customers and build a brand for network-based threat detection.
And for good reason: the company just raised another $75 million on a post-money valuation of $825 million. Hats off to the Darktrace team and CEO Nicole Eagan for ramping the company, and more importantly helping educate the market about network-based detection technology.
This brings us to you, the reader or potential buyer who may have learned about Darktrace from one of their many sales people, watched a demo, or maybe you’re an existing customer wondering about the value for your investment.
The good news is you understand the importance of network traffic analysis and network visibility for advanced threat detection. Now, it’s important to understand the competitive landscape, and that there is more than one way to skin a cat.
SS8 vs. Darktrace
In this four-part blog series, I’m going to cover Darktrace versus SS8 Networks based on four key criteria: Detection Methodology, Simplicity (or ease of use), Deployment Considerations, and of course, Cost. For this edition, we’ll start with detection.
(Full disclosure: The information here is based on our own independent research and feedback from current and prospective Darktrace customers.)
Mathematics vs. Recursion
If you’ve been to a security event where Darktrace is a sponsor, or spoken with a Darktrace sales person, you’ve no doubt heard them speak about the importance of machine learning, or AI, for detecting threats. This is, of course, a revolutionary way of thinking about threat detection on the network.
But this heavy reliance on mathematics raises the question of how you can trust a machine to do security thinking on a dynamic network that is constantly changing. The challenge is baselining the environment and having a granular understanding of what “normal” is.
While Darktrace speaks about “self-learning” as a means for overcoming the steep learning curve of identifying normalcy, the reality is that network traffic is constantly changing. In today’s agile work environment, new applications are constantly being adopted and the behaviors inside the applications are constantly changing, making it almost impossible to baseline the normal vs. the anomalous.
With a heavy reliance on mathematics can come a heavy dose of false positives.
The SS8 BreachDetect approach is different. It starts by subscribing to the idea that every day in security you get smarter. New threats are identified, researched, dissected, and new signatures and patterns are created. And while those new learnings are great for protecting you going forward, a “blind spot” persists in the network because of the unknown attacks that infiltrated your network weeks or months ago without any signature or pattern to detect them.
To solve this blind spot problem and shrink, or eliminate, the dwell time that exists, SS8 applies recursion to a recorded history of the network, continuously applying the latest threat intelligence to that history to uncover the threats that were missed by the firewall and signature-based anti-malware technologies.
This is where SS8 has taken a page out of our 15+ year history in hunting down suspects or terrorists as part of law enforcement investigations. In the terrorist world, the suspects hide, encrypt and are very careful about the methods and frequency of communications. The same holds true for hackers attempting to siphon out sensitive or proprietary data from your organization.
Only by constantly rewinding the network, scoring the behaviors of devices communicating over the network, and summarizing the information in a simplified format, can you get to the heart of a compromise in your environment, be it ransomware, phishing, beaconing, exfiltration and more.
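As an added illustration of the rewind-and-score idea described above (example code written for this page, not SS8's software; the record layout, device names, indicator values and weights are constructed stand-ins and not the HDR format), the snippet replays recorded session metadata against intelligence that arrived after the sessions were captured, aggregates hits per device rather than per event, and reports how long each flagged device had been communicating with the indicator before the intelligence existed:

```python
"""Retrospective ("rewind") hunt over recorded network metadata.

Constructed example: each record is a simplified, hypothetical per-session
summary (timestamp, device, destination host, destination IP, application,
bytes sent). Intelligence received on 2017-07-25 is applied to history
recorded in June, so activity that predates the intelligence still surfaces.
"""
from collections import defaultdict
from datetime import datetime

# Constructed session records; none of these hosts or addresses are real indicators.
RECORDS = [
    ("2017-06-01T09:12:00", "laptop-17", "cdn.example.net",    "203.0.113.5",  "http",  2_400),
    ("2017-06-03T02:15:00", "laptop-17", "upd-svc.example",    "198.51.100.9", "http",  900),
    ("2017-06-10T02:15:00", "laptop-17", "upd-svc.example",    "198.51.100.9", "http",  900),
    ("2017-06-17T02:15:00", "laptop-17", "upd-svc.example",    "198.51.100.9", "http",  900),
    ("2017-06-20T11:40:00", "laptop-17", "files.example.org",  "192.0.2.77",   "https", 48_000_000),
    ("2017-06-05T14:00:00", "srv-db-2",  "mirror.example.com", "203.0.113.9",  "https", 12_000),
]

# Constructed intelligence feed: when it was received and how much weight each indicator carries.
INTEL = {
    "received": "2017-07-25T00:00:00",
    "domains": {"upd-svc.example": 40},
    "ips": {"192.0.2.77": 60},
}


def rewind(records, intel):
    """Re-score every recorded session against intel that did not exist when it was captured.

    Returns {device: {"score": total indicator weight, "dwell_days": days between the
    device's first matching session and the day the intelligence arrived}}.
    Devices with no matching sessions are omitted, so the output is a device list,
    not a stream of per-event alerts.
    """
    scores = defaultdict(int)
    first_seen = {}
    for ts, dev, host, ip, _app, _nbytes in records:
        hit = intel["domains"].get(host, 0) + intel["ips"].get(ip, 0)
        if not hit:
            continue
        scores[dev] += hit
        # ISO-8601 strings of identical layout compare correctly as text.
        first_seen[dev] = min(first_seen.get(dev, ts), ts)
    received = datetime.fromisoformat(intel["received"]).date()
    return {
        dev: {"score": scores[dev],
              "dwell_days": (received - datetime.fromisoformat(first_seen[dev]).date()).days}
        for dev in scores
    }
```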
High-Definition Network Records
When it comes to analyzing the network in any form, you need to start with the quality of data extracted from the network. In this industry, the impulse is typically to grab a NetFlow record, record the full packet, or capture some combination of the two. With SS8, it’s about generating High-Definition Records, or HDRs.
In short, SS8 HDRs are detailed, application-level metadata summaries generated from all communications on the network. HDRs were developed from SS8’s years of network and protocol extraction expertise working with the world’s top law enforcement and intelligence agencies, and powering eight of the world’s largest telecommunications providers for compliance. This means we know networks well.
HDRs deliver unprecedented detail about network sessions because they represent what is happening on the network at the transaction level, the flow level and the session level. An HDR contains more than 140 fields of forensic detail all the way up to layer 7. With HDRs, there’s no need to worry about limited fidelity from NetFlow, or the high cost and overhead of retaining and analyzing full packets.
More about Devices, not just Network Alerts
This leads us to the “alerting” differences between Darktrace and SS8 (which I’ll also cover in the Simplicity post of this series). If you’ve had the pleasure of seeing a demo of Darktrace, you know they didn’t cut corners on user interface (UI) sizzle. The globe spitting out multiple lines of information flying at you seems like a lot of important stuff is happening, right?
Well, maybe. The Darktrace system will alert on many different atomic events happening on the network. Does this help, or just take you back to the future with alert-fatigue and trying to decode every network anomaly or logged event?
In contrast, SS8 BreachDetect is all about identifying the device-of-interest, without having to install software on the device itself. Our approach is about scoring the network behaviors tied to specific devices (laptops, servers, IoT, etc.) and alerting you to those devices with forensic detail about the device, including OS fingerprinting that tells you if the device is running Windows 7 Service Pack 2, a Firefox or Chrome browser, and if there are any software agents running on the device.
In summary, network traffic analysis tools are critical for detecting today’s more advanced attacks. It’s important to understand the many differences between an offering like Darktrace and SS8 Networks for threat detection. While you may prefer one approach over the other, I hope you’ll go into your journey of selecting a vendor with eyes wide open to help you make the correct decision for your business.
In my next blog, I’ll cover simplicity, or ease of use, with each respective solution.
Tony Thompson is vice president and general manager of threat detection for SS8 Networks.
Note: SS8 is a registered trademark of SS8 Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.