Darktrace's Nicole Eagan on How AI Predicts, Prevents HacksChief Strategy Officer Shares How the Cybersprint Buy Extended AI to Attack Surface
Security perimeters, remote working and complex hybrid IT environments are expanding - making attack surface management top of mind at many organizations. Darktrace recognizes that demand, and through its purchase of Cybersprint in early 2022, the cybersecurity artificial intelligence vendor is moving from focusing solely on internal threats to also defending the external attack surface.
The company historically just applied AI to detection, using it to analyze existing data features and augment human teams with machine-speed response, says Chief Strategy and AI Officer Nicole Eagan. But with Cybersprint, she says, the AI is looking into incidents that haven't happened yet, forcing it to simulate how an attacker would behave based on an outside-in view of the victim (see: Black Hat: Incident Recovery, Threat Hunts & Blockchain Woes).
"Everyone's been firefighting in cyberspace, and it's been very reactionary," Eagan says. "You get attacked, and you try to spot it and stop it as fast as you can. We really felt that this whole industry is shifting quite radically to being more about true cyber risk management. What if we could actually use AI to predict and prevent attacks? Cybersprint is a big part of that for Darktrace."
In this video interview with Information Security Media Group, Eagan also discusses:
- How clients benefit from applying AI to external attack surface management;
- What customers are saying about Darktrace's new prevention offering;
- What spurning Thoma Bravo and remaining public means for the company.
Eagan identifies and shapes Darktrace's strategic plan, leads the company's AI vision together with Darktrace's CTO, and provides product strategy and direction. She served as Darktrace's sole CEO from September 2014 to October 2016 and co-CEO with current leader Poppy Gustafsson from October 2016 to May 2020. Eagan's extensive career spans 30 years working for Oracle and early- to late-stage growth companies. Prior to Darktrace, she was chief marketing officer at HP Autonomy from 2005 to 2012. Before that, she spent seven months as senior vice president of marketing at Quest Software, two years as CMO of Peregrine Systems and five years as Oracle's senior director of strategic marketing.
Michael Novinson: Hello, this is Michael Novinson with Information Security Media Group. I'm joined today by Nicole Eagan. She is the chief strategy and AI officer at Darktrace. Good afternoon, Nicole. How are you?
Nicole Eagan: I'm doing great. Thanks so much for having me.
Novinson: Thank you for making the time. I wanted to start off by talking about the first acquisition in Darktrace's history, you acquired Cybersprint back in February for 54.7 million. What does the integration process around the Cybersprint acquisition looks like? What does that allow you to do?
Eagan: I think what was really interesting is if you look at Darktrace and our mission and evolution, we've always been focused on applying artificial intelligence to the existential threat of cyber. We did that in a very unique way, we created our own proprietary machine learning kind of approach, we help, we call it self learning AI. And what that did was actually learn about an organization from the inside-out. And that really helped because it meant that it could detect novel threats, it can detect insider threats and things that were going missed by other approaches. So then talk about Cybersprint. And where this fits in. We were always focused on this inside-out data, kind of the internal threats and attack surface. And what we found was really interesting about Cybersprint is they were looking at everything we weren't, the external attack service. And so really being able to combine the internal with the external, but while using this very bespoke and unique AI approach we had is really was all about, we couldn't be more thrilled with the integration efforts. In fact, we've already combined the Cybersprint acquisition into a research project that we had been working on for a couple of years at our AI labs called Darktrace Prevent. And this really shifts everything. You probably will know, Michael, that everyone's been kind of fighting and firefighting in the cyberspace, and it's been a very reactionary - you get attacked and you try to spot it and stop it as fast as you can. And we really felt that this whole industry is shifting quite radically to be more about true cyber risk management, and moving to what people often call the left of the attack. So what if we could actually use AI to predict and prevent attacks, and Cybersprint is a big part of that for Darktrace.
Novinson: What's different about trying to apply AI to the prevention phase, as opposed to the detection and response phases, where Darktrace has played historically?
Eagan: It's a great question, because when you look at applying AI to detection, for example, your AI is actually analyzing existing data features and being able to move as quickly as it can, and kind of augment those human teams with machine speed response. But when you actually start to look at Prevent, it's a bit about asking the AI to look into things that haven't happened yet. And that's a different data set entirely. So I think what's interesting with the whole Prevent space is you're actually doing things like looking at, if the AI were to pretend it was an attacker, first, how would it look at you from the outside world? And what can it see? And how might it leverage that visibility to spin into the inside and do a targeted attack, and then you get into new areas of applying AI. Basically, we had to work for quite a long time to figure out how to get an AI algorithm to understand the crown jewels or key assets of any given organization bespoken specific to that organization. So, for example, who are the most vulnerable people combined with the most vulnerable targets? And most importantly, do you have countermeasures in place? So can you actually have AI emulate the attacks and say, "This attack, even if somebody would have found this vulnerability, you already have three layers of countermeasures in place. You're okay, there." But over here, if we look at what happens in this attack path simulation, you did not have anything in place. And so what can we do to actually harden your systems? And that gets really interesting because now it means you can have the kind of insights that you get from the Prevent into your existing detect and response, hardening the whole environment. And I think that's a game changer from what we can say.
Novinson: What's different from the customer standpoint. What's different about the view they get from external attack surface management versus the inside-out view that are traces provided historically?
Eagan: I think, but when I speak a lot to Darktrace customers about this, and I've been able to actually see it live running in a number of their environments. I think it comes down to the use cases. What are the use cases now that you can do so in the other way in detecting respond, it was usually talking about what kind of threats are responding - insider threats, we're seeing zero days novel attacks. And I find when you're talking about tax service management, it's much more use-case driven. So for instance, third-party risk and supply chain, there's a great new capability that we've added into Darktrace attack surface management called Newsroom. So what happens when you actually see breaking news stories about threats? And the first thing, actually, everyone seems to ask is, "How bad is it? Does it apply to me?" so being able to actually go to the attack service management console, see these real-time news feeds, and then actually see if it's green, in other words, you're okay, this isn't in your environment, or it's red, and you've got 55 instances of it. And let's pinpoint those for you immediately. So I think those use cases, we also see a lot of shadow IT use cases. And another one that is quite interesting is actually cloud environments. Somebody who spins up a cloud environment, and maybe they were just testing out some new systems, or maybe it was a project that then spun down and they forgot to close down the cloud, we see a lot of that type of cloud instances, one use case I never had thought of, that was an eye opener for me being my passion in AI was actually being able to see when one of your AI systems is training off of third-party data. I don't think a lot of people think, "Oh! That's something that's visible from the internet, and actually can be used as a brand new attack surface." So I think that breadth of an almost endless feeling, use cases that you can get with attack surface management. But again, the most important thing, I think, is being able to feed that knowledge into your internal security systems to harden in an environment and really, kind of in the background, just keep that whole ecosystem working in its optimal state.
Novinson: In terms of Darktrace Protectors, it's a relatively new offering for you. Is it the same profile of customer using protectors is using detect and respond and heal? Are you seeing some different customer types or different customer profiles using the Protect feature?
Eagan: So it's Prevent and one of the things you see in it is that what ends up happening is this a lot of our existing customers who already kind of are passionate about what we're able to do with Darktrace Detect and Respond. But now they are just, they're shifting their attention to being more proactive to be more preventative. But also we start to see some new people, even from the existing customers come into the equation. So for instance, we're seeing chief risk officers join more of the meetings together with the chief information security officer. We're seeing even compliance angles where people are interested with how does this maybe help me make sure that I'm staying in compliance, and that people in the outside world can't see some of my sensitive data that might be protected by different compliance acts and things like GDPR? I think what we also are seeing is if a company has red team, red team in place, whether that be internal red teaming, whether it be a combination of internal and external, whether it be actually even third-party pen testers, we're starting to see the people who have not versus when I think about Detect and Respond, we're normally talking to the blue team. So in larger organizations, where they have these teams split up, you'll start to see some of that pen testing and red teaming type of activity kind of filter in. But we also are seeing new customers who want to start with Prevent, who kind of say, "Well, isn't this the logical place to start? Let me start by understanding where I might be vulnerable, but most importantly, what my highest priority cyber risks are?" And that's the stuff quite frankly, oftentimes, the CISO wants to be able to communicate to the board of directors. We're really trying to uplift a lot of this communication, not to just be about digging in the weeds, so to speak, but really being talking about here are the five or 10 top cyber risks that are facing us today bespoke to our organization. And here's where we already have countermeasures. And here's where we're going to make some investments and shore things up.
Novinson: Very interesting. Want to talk a little bit about the work you're doing as chief strategy and AI officer, and particularly around the AI labs that Darktrace runs. What have been some of the key areas of focus or investment for you in terms of the AI labs?
Eagan: Yeah, so in terms of the Darktrace AI research center, I feel it's absolutely fundamental and foundational to how we operate as a company. Rather than operate on pure kind of what many vendors call product roadmaps. We actually start by looking at breakthrough research. And we actually allow our researchers which we have 150 members, 80 with master's degrees, 30 doctorates in there, very broad, everything from astrophysics to linguistics to data science. And they've actually produced numerous award-winning breakthroughs from the center that later make its way into actual products. I'll highlight maybe some of those top-level breakthroughs. One is, and this was the foundation of when we founded Darktrace, it was using epidemiology theory to identify the most infectious devices inside an organization. We also had some real breakthroughs around autonomous response back and actually about the 2015 timeframe. And this was - our approach to autonomous response was that it should work seamlessly across all your environments, it should work, it doesn't matter where the attacker is coming from, because they're going to pivot. So we have this view that it needed to work seamlessly across your email, your SaaS applications, your cloud, your endpoint, and, if necessary, your OT and IoT devices. So that very broad thing. In Darktrace Prevent, we had a whole research project about using graph theory to map out risk assessment paths across the enterprise and do that risk prioritization. I think one of our most interesting breakthroughs is what we call cyber AI analysts. And it's the ability to have the AI. In this, AI was quite different for us. It learned off of human threat analysis, and it learns how to hypothesize about what is this I'm looking at? What are the theories or hypotheses that I need to disprove or prove to validate that this is actually a threat? And that AI analysts say it saves teams time, about 92% time savings on threat investigation, which is, we know, with the skill shortage with headcount shortages, AI analysts just makes all the difference in the world. So literally, we've filed well over 100 patents out of the research center. So I've just listed a handful. But the exciting thing to me is that we actually publish all this research on our website, and people can just peruse it and kind of, we hope through this effort as well as through productizing, we're kind of giving back overall to the broader cyber community.
Novinson: Darktrace announced earlier this month that it was unable to come to terms on a take private offer from Thoma Bravo and would instead continue forward as a publicly traded company. Two part question for you. First, why did Dynatrace decide to move forward as a public company rather than going private under Thoma Bravo? And then secondly, what does that decision mean for your customers?
Eagan: I think it has always been our path. I think when you you started out a company, you envision building a successful business, expanding to over 7400 customers, as we've done, we just completed our first full year as a public company. So we're fairly newly public. And we just announced really strong stellar results that were right on target, and exceeding expectations. So I feel like in many ways, we're at the start of our journey as a public company, not at the end. And I think it just, we need to follow the path, business is growing tremendously well, the customer satisfaction is very high. And I think especially if I look at the recent acquisition of Cybersprint, the general availability and the quick uptake of the Prevent offering, and we also last year announced what we call our technology vision of a continuous cyber AI loop. And we're working on these really neat areas about self-healing technology. And so, as I said, for our executive team, our leadership, we feel like we're still at the beginning of our journey as a public company, and we just have so much more we want to accomplish, and that we want to provide to our customers and give back to the greater community.
Novinson: As you referenced in your answer, it's been a little over a year since Darktrace went public on the London Stock Exchange. What does that mean for your organization, both in terms of customer visibility and awareness, as well as from a financial standpoint in terms of money for R&D, technology, etc.?
Eagan: Well, I think some of the reasons you do go public is actually to be able to increase your investment in R&D. It also helped us obviously fund things like the Cybersprint acquisition, and really to fulfill this greater vision we have around our Darktrace cyber AI loop. That is why you kind of go public. So you get access to that type of funds to make those increases in R&D and technology investment and really be able to deliver to your customers on this bigger vision that we have.
Novinson: Very interesting. Let me ask you here, finally, our readership at ISMG are primarily chief information security officers, what do you feel is the biggest area that CISOs are overlooking when it comes to their security strategy today?
Eagan: It's difficult, but very good question. I think elevating the conversation to one that's much more about cyber risks to the company. And really understanding the impacts of a particular attack and how could you get out there in front of it? How could you strengthen and harden your environment? And how can you articulate this in the language of the business? If this particular instance were to happen, there's this kind of probability that it would result in a business outage, and it could take us X amount of time to recover from that. So I think looking at this bigger picture of cyber risk. And as we get into the next area, this area I alluded to, that's coming out of a research center now around Heal, which is not a product yet. It's still in the research phases. But I think that gets into really the area of cyber resilience. And I think overall, and I do think CISOs do a great job of this, really looking at where all the places that you can automate and augment your human teams and lift them up to deal with the future of your business and working with other departments and making sure that security is built into your next product offering. And let's try to lift them out of having to kind of live in this ongoing environment that we've seen for the past decades of firefighting. So I think that's the transition that I actually proactively see a lot of CISOs making, lifting up into cyber risks, planning for cyber resilience, and then figuring out how to automate and augment to help out their human teams.
Novinson: Interesting stuff. Nicole, thank you so much for the time. Thank you. We've been speaking with Nicole Egan. She is the chief strategy and AI officer Darktrace. For Information Security Media Group, this is Michael Nathanson. Have a nice day.