Blackhawk Network, a $1.9 billion multinational in the prepaid-card industry, was consolidating its security architecture into one that would give better visibility into threats as they unfolded and that would also adapt to the threat environment as attackers changed their strategies.
That included hiring a new head of cyber defense, Vari Bindra, in December of 2015, who wanted to create a central security operations center and consolidate the company’s varied data centers down to just two.
As he set out on that mission, he came across the Enterprise Immune System made by Darktrace that uses machine learning to detect threats, including those it has never seen before.
The platform, now deployed in Blackhawk’s two data centers, has yielded two big benefits. First, it has allowed the company to retire other security platforms, a savings that more than pays for Enterprise Immune System. Second, it has reduced the mean time to detect intrusions by 40%, Bindra says.
When he came into the job, he wanted to have a single view of the company’s security posture, but he found he was dealing with too many different defensive tools - 28 to be exact. He wanted to trim that back as much as he could without sacrificing security.
Among those Darktrace has replaced: packet capture, deep packet analysis technologies, some reporting tools and two different versions of IDS and IPS on the network layer.
He was also looking for technology that was adaptive in that it could keep up with new threats over time as attackers changed techniques and strategies.
He had been interested in behavioral analytics as a way to find suspicious activities among users and devices. “I had a fairly decent idea of what I wanted this technology to do, which was learn and tell me the anomalies that are happening and present it to me in an easy to digest format.”
Bindra had never heard of unsupervised machine learning, which is part of what Darktrace uses. It digests data about network and endpoint activity and learns what is normal and what is anomalous, but without focusing on predefined areas such as user behavior. “It was attractive to me in that aspect because it did not come in with any set of baggage or learning that it already had,” he says. “It was a new technology that stood there in the middle of all the action and just learned.”
He became interested enough to try it out during last summer, and in August, entirely separate from the Darktrace proof of concept, he ran a penetration test on a data center. He didn’t let the pen testers know about Enterprise Immune System and he didn’t let Darktrace know about the pen test. The results were convincing.
“Within an hour of the test starting, Darktrace lit up,” he says. “It showed me there were external actors interested in my firewall, they had breached certain areas and now they were doing some lateral movement in some of my environments. Once I had this information I was able to take immediate action and get those guys out of our system. It showed Darktrace was more than just snake oil.”
In December as he was bringing on a new data center he ran another penetration test, again with Darktrace deployed. He wanted to see if it would work in a Unified Compute Services environment, the Cisco-based integrated data center technology. “Within a few hours of the testing launch it was able to give me the insights, the metrics of what needed to be done to further reinforce the perimeter of the data center,” he says.
His main concern was east-west traffic within the data center where attackers might pivot and do reconnaissance. “That’s one thing I was not able to trace in the other data centers,” he says. “Other data centers had a mix of virtual machine and non-virtual machine – it was about 60-40%. A lot of physical systems did not really provide me an opportunity to test east-west threats.” But Darktrace was able to detect this activity.
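The two ideas in the passages above, an unsupervised baseline of what each host normally does and a check for east-west fan-out of the kind a pivoting attacker produces, can be shown with a small, self-contained script. This is an added illustration, not Darktrace's code and not Blackhawk's environment: the flow records are constructed, 10.0.0.0/8 is assumed to be the data center's internal range, and the novelty and z-score rules and the threshold of 3.0 are choices made for the example.

```python
"""Baseline-and-deviate anomaly detection over constructed east-west flow records.

Added example, not Darktrace's or Blackhawk's code. Nothing is labelled or
signature-based: "normal" is whatever the learning window contained, and a
detection window is scored only by how far it departs from that.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = ip_network("10.0.0.0/8")  # assumption: the data center's internal range

# Constructed learning-period flows: (src, dst, dport)
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.2.20", 443), ("10.0.1.10", "10.0.2.20", 443),
    ("10.0.1.10", "10.0.2.21", 5432), ("10.0.1.11", "10.0.2.20", 443),
    ("10.0.1.11", "10.0.2.22", 3306), ("10.0.1.12", "10.0.2.20", 443),
    ("10.0.1.12", "10.0.2.30", 22),   ("10.0.1.10", "8.8.8.8", 53),
]

# Constructed detection-window flows: 10.0.1.11 suddenly reaches many new
# internal peers on 445/22, the pattern of lateral reconnaissance.
WINDOW_FLOWS = [
    ("10.0.1.10", "10.0.2.20", 443),
    ("10.0.1.11", "10.0.2.20", 443),
    ("10.0.1.11", "10.0.2.40", 445), ("10.0.1.11", "10.0.2.41", 445),
    ("10.0.1.11", "10.0.2.42", 22),  ("10.0.1.11", "10.0.2.43", 445),
    ("10.0.1.11", "10.0.2.44", 445),
    ("10.0.1.12", "10.0.2.30", 22),
]


def is_east_west(src, dst):
    """True when both endpoints are inside the internal range."""
    return ip_address(src) in INTERNAL and ip_address(dst) in INTERNAL


def learn_baseline(flows):
    """Per source host: the (dst, dport) pairs seen and the distinct internal
    peer count. No predefined notion of user or device behaviour is used."""
    pairs = defaultdict(set)
    peers = defaultdict(set)
    for src, dst, dport in flows:
        if not is_east_west(src, dst):
            continue
        pairs[src].add((dst, dport))
        peers[src].add(dst)
    fanout = {src: len(p) for src, p in peers.items()}
    return {"pairs": dict(pairs), "fanout": fanout}


def score_window(baseline, flows, z_threshold=3.0):
    """Return two kinds of findings for a detection window:
    - novel_pairs: east-west (src, dst, dport) never seen for that source
    - fanout_spikes: sources whose distinct internal peer count is more than
      z_threshold population standard deviations above the learned fleet mean
      (std is floored at 1.0 so a perfectly flat baseline is not over-sensitive)
    """
    novel = []
    peers = defaultdict(set)
    for src, dst, dport in flows:
        if not is_east_west(src, dst):
            continue
        peers[src].add(dst)
        if (dst, dport) not in baseline["pairs"].get(src, set()):
            novel.append((src, dst, dport))

    learned = list(baseline["fanout"].values())
    if learned:
        mu, sigma = mean(learned), max(pstdev(learned), 1.0)
    else:
        mu, sigma = 0.0, 1.0  # empty baseline: treat every peer as a deviation

    spikes = {}
    for src, dsts in peers.items():
        z = (len(dsts) - mu) / sigma
        if z > z_threshold:
            spikes[src] = z
    return {"novel_pairs": novel, "fanout_spikes": spikes}


if __name__ == "__main__":
    base = learn_baseline(BASELINE_FLOWS)
    findings = score_window(base, WINDOW_FLOWS)
    for src, dst, dport in findings["novel_pairs"]:
        print(f"novel east-west pair: {src} -> {dst}:{dport}")
    for src, z in findings["fanout_spikes"].items():
        print(f"fan-out spike: {src} z={z:.1f}")
```

Run stand-alone, the script reports five novel pairs and one fan-out spike, all attributed to 10.0.1.11, while the unchanged hosts produce nothing; the learning window's external DNS flow is ignored because the check is scoped to east-west traffic. The same two counters, fed from real flow logs or VPC/vSwitch telemetry, are what give a team visibility into the virtual-machine-to-virtual-machine traffic the quoted passage says physical data centers did not expose.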
He says that with Darktrace in place, Blackhawk is catching more cases of users accidentally sending sensitive data out of the network. Before, “We would not know about it,” undermining the company’s data loss prevention rules.
The platform is catching a greater variety of threats, as well, including file-less malware attacks, use of Java extensions for compromise and VPN tunneling through browsers. “Or here you could set up a reverse proxy - somebody’s talking to their home computer - and traditional technologies are letting them do it, but Darktrace is lighting them up,” he says.
Darktrace gives him metrics on what he calls the velocity of attacks. For example, it could show that during the holiday season reconnaissance attempts by outside attackers against public-facing Web sites go up 300%. With that knowledge, the company can take measures to deal with stepped-up attack attempts.
He says his analysts are able to handle about 40% more incident investigations per day without suffering burnout. “Their engagement levels haven’t gone down because they don’t have to run around to two or three different tools just to cross-check, cross-verify and confirm the event has happened or not,” he says. “They can do it all from one pane of glass.”
That’s because the tool organizes threats the way an analyst would: hit the high priority threats first and work your way down the list. “It works, I would say, at a pace an analyst would like to work. It was created with an analyst in mind, not just a slap-on technology on top of an analyst’s already busy world,” he says.
He says he hasn’t turned on Darktrace enforcement features, but would like to when he gains confidence in them. It would further reduce the mean time to respond to incidents by eliminating the time it takes for an analyst to receive an alert, decide what to do about it, then access the appropriate device management platforms to make defensive changes. “There’s about 15 or 20 minutes in between. That’s the time when you still left the risk on the table,” he says.