Published on August 1st, 2017 | by Tony Thompson
Darktrace vs. SS8 Part 2: Simplicity/Ease of Use
Simplicity. Quite possibly one of the most controversial topics in cyber security. One camp argues the shortage of cyber security expertise demands we need tools that limit the amount of time users spend looking at screens. The other side says too much ease-of-use leaves us potentially exposed by not having enough forensic visibility and control.
I would argue it needs to strike a balance, and offer the user both. Alert on only what’s important as soon as possible without having to sift through mounds of data, and secondarily, provide a means for deeper forensic investigation capabilities that enable the user to understand all the nuances of threat activity and network behavior.
This leads us back into the network traffic analysis (NTA) space and my four-part competitive blog series on Darktrace versus SS8. I’m looking at Darktrace versus SS8 Networks based on four key criteria: Detection Methodology, Simplicity (or ease of use), Deployment Considerations, and Cost. In part 1, I covered detection methodologies and if you haven’t had the chance, please read Darktrace vs. SS8 Part 1: Detection Methodology as a starting point.
Keep it Simple
In this second edition, I’m examining the simplicity of using Darktrace versus SS8 BreachDetect. To set context on this, I’m making an assumption you have some knowledge about Darktrace by speaking with a sales person, watching a demo, or maybe you’re an existing customer wondering about the value for your investment. This blog series also assumes you understand the value of network-based visibility and threat detection at some level.
So, let’s jump right in.
If you’ve seen a demo of Darktrace, you know they didn’t cut corners on the user interface (UI). The 3-dimensional globe and PC images spitting out multiple lines of information flying at you seem like a lot of important events are happening. Window frames can be opened that highlight lines and lines of device event logs, connection history, network subnet information, protocols, and more.
Visually, okay on the eyes with the “dark” layout. But as a busy user that must quickly decipher what’s bad, what’s an attack and what’s compromised, you have to ask yourself “what am I supposed to look at?”
In contrast, SS8 BreachDetect is all about helping you identify the device-of-interest, without having to install software on the device itself. Our approach is about scoring the network behaviors tied to specific devices (laptops, servers, IoT, etc.) and alerting you to those devices with forensic detail about the device, including OS fingerprinting that, for example, tells you if the device is running Windows 7 Service Pack 2, a Firefox or Chrome browser, and whether any software agents are running on the device.
The best way to understand these differences is to look at both user interfaces side-by-side.
Above on the left you have the Darktrace UI. On the right, SS8. At first glance, you can immediately see a radical difference in the approach to alerting.
The Darktrace system alerts on many different atomic events happening on the network. Does this help, or just take you back to the future with alert-fatigue and trying to decode every network anomaly or logged event?
SS8 BreachDetect: Clean, Easy-to-Use Interface
In contrast, SS8 BreachDetect has taken a page out of the engineering workflow and developed a color-coded Kanban-style threat board, where each tile on the board represents a device-of-interest. This model exposes devices on the network that require investigation, and scores each tile (or device) with a “High,” “Medium,” or “Low” risk designation, based on the combination of network behaviors the device is exhibiting.
Even more powerful, user and threat behavior information is displayed in each tile to qualify the severity of the threat and help you quickly identify if a device is tied to a user identity. This circumvents the need to sift through massive amounts of log data and threat intelligence to identify a device-of-interest.
When you decide on a solution for network-based threat detection, you also need to think about how the advanced attacks behave today. It centers around the concept of time. We’ve all seen the stats about breaches going undetected for more than 200 days, or 240 days, or in the case of Yahoo!, two years. With this in mind, it has become essential to understand the full lifecycle of an attack when investigating a threat – from reconnaissance to exfiltration.
View the Cyber Kill Chain At A Glance
By clicking on a threat tile within SS8 BreachDetect, users gain an end-to-end, timeline-based view of the entire cyber kill chain for each device-of-interest. Activity is displayed on the timeline according to the stage of the cyber kill chain, including reconnaissance, delivery, exploitation, command and control, actions, and any other activity associated with the threat. Here you can see each behavior in the kill chain on a per-device basis.
Rather than atomically alerting and simply providing network-specific detail, we took it a step further by presenting, in simplified terms, how an attack detected took place, what subsequent exfiltration activity has occurred, and where to look to find the source and remediate the threat. From each event on the timeline, easy-to-understand explanations enable users that are not cyber security experts to chase down and mitigate breaches like a forensic investigator would.
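As an added illustration of the per-device scoring and kill-chain timeline described above (example code written for this post, not SS8's or Darktrace's own software): constructed behaviors for hypothetical devices are grouped per device, ordered in time, and given a High/Medium/Low tier from the combination of kill-chain stages reached rather than from any single event. The device names, timestamps and tier thresholds are assumptions for the example.

```python
# Kill-chain stages in the order the post lists them; later stages are more serious.
STAGES = ["reconnaissance", "delivery", "exploitation", "command and control", "actions"]
TIER_ORDER = {"High": 0, "Medium": 1, "Low": 2}

# Constructed sample behaviors (hypothetical devices and times), one per observation:
# (timestamp, device, kill-chain stage, short description)
EVENTS = [
    ("2017-07-01T09:00", "laptop-17", "reconnaissance", "scanned 10.0.1.0/24 for open ports"),
    ("2017-07-01T09:30", "laptop-17", "delivery", "downloaded an unknown executable"),
    ("2017-07-01T10:05", "laptop-17", "command and control", "beaconed every 60 s to a rare external host"),
    ("2017-07-01T11:00", "laptop-17", "actions", "uploaded 2 GB to the same external host"),
    ("2017-07-01T09:10", "printer-3", "reconnaissance", "scanned 10.0.1.0/24 for open ports"),
    ("2017-07-01T09:40", "printer-3", "delivery", "downloaded an unknown executable"),
    ("2017-07-01T12:00", "server-db1", "delivery", "downloaded an unknown executable"),
]

def risk_tier(stages_seen):
    """Score a device from the combination of stages observed, not from one event.
    High: the chain reached command and control or actions (assumed thresholds).
    Medium: two or more earlier stages chained together.
    Low: a single isolated stage."""
    if "command and control" in stages_seen or "actions" in stages_seen:
        return "High"
    if len(stages_seen) >= 2:
        return "Medium"
    return "Low"

def device_timeline(events, device):
    """Time-ordered (timestamp, stage, description) tuples for one device."""
    own = [(ts, stage, desc) for ts, dev, stage, desc in events if dev == device]
    return sorted(own)

def threat_board(events):
    """One tile per device: (tier, stages reached in kill-chain order, timeline), highest risk first."""
    tiles = {}
    for device in {dev for _, dev, _, _ in events}:
        tl = device_timeline(events, device)
        stages = sorted({stage for _, stage, _ in tl}, key=STAGES.index)
        tiles[device] = (risk_tier(stages), stages, tl)
    return dict(sorted(tiles.items(), key=lambda kv: TIER_ORDER[kv[1][0]]))

if __name__ == "__main__":
    for device, (tier, stages, tl) in threat_board(EVENTS).items():
        print(f"[{tier}] {device}: {' -> '.join(stages)}")
        for ts, stage, desc in tl:
            print(f"    {ts}  {stage:<20} {desc}")
```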
Finally, we continually hear from prospective buyers and existing Darktrace customers that they simply don’t log into the Darktrace system. Some don’t have the time and are content waiting for their weekly, or monthly report from Darktrace, which then prompts the security leader to send members of their team out to investigate. It’s a managed services model, at a pretty high price (more on price in an upcoming blog post).
Shifting Power to the End-User
At SS8, we want to put the power of the technology in the hands of the user, because it was designed to simplify the workflow of both proactive threat detection and deeper network forensic investigations. We learned this from more than 15 years working with some of the world's largest intelligence and law enforcement agencies to hunt suspects and terrorists.
In the terrorist hunting world, law enforcement needs to act swiftly based on information available, without having to lose time navigating the data. The same holds true for security leaders in today’s enterprise. Time is money, and it’s about accepting that your preventative security measures won’t stop everything.
In summary, you’ve got choices out there when it comes to network traffic analysis solutions, and the simplicity or ease of use of the technology plays a critical role in your fight against malicious actors. Preferences may vary on user experience, and it’s important to understand the many differences between an offering like Darktrace and SS8 Networks for threat detection. While you may prefer one approach over the other, keep an open mind and be sure to evaluate one against the other before deciding.
In my next blog, I’ll cover deployment considerations and options with each solution.
Tony Thompson is vice president and general manager of threat detection for SS8 Networks.
Note: SS8 is a registered trademark of SS8 Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.