Security startup Darktrace wants businesses to rethink how they protect their data from hackers.

The company, founded last year in Cambridge and backed by Mike Lynch’s $1 billion investment fund, Invoke Capital, claims that it’s no longer enough to put walls up around the edge of an organisation’s network. Instead, it argues that firms should concentrate on monitoring what goes on inside the network.

“People are finally accepting that compromises are happening, regardless of how much perimeter security and malware detection software they’ve put in,” said Darktrace CEO Nicole Eagan in London last week. “Now the conversation is starting to change to: ‘There’s definitely compromise but compromise doesn’t always need to turn into a business crisis, meaning that it doesn’t need to take down brand reputation and it doesn’t need to disrupt operation of service'.”

Once a network has been compromised by a hacker or a team of hackers, the individual/group will typically look to steal the credentials from a member of staff, said Eagan.

“Normally they’ll go for someone who has pretty good access around the system,” she said. “Maybe it’s someone in HR, maybe it’s an admin person."

She added: "Once they’ve stolen credentials, they’re now an insider, so you need very sophisticated technology to all of a sudden see if this person that has valid credentials is doing weird things that they normally don’t need to do in their daily job.”

Darktrace claims that its appliance, which sits in the organisation itself and not in the cloud, can help firms detect this unusual behaviour. Unusual behaviour may include trying to transfer large amounts of data to an unknown machine, for example, or sending emails to random addresses at strange times of the day. 

“We use very machine learning technology that we developed in Cambridge," said Eagan. "It learns the network, learns the behaviour, and once it does that it can spot abnormal or strange things that all of a sudden start happening."

Eagan explained that Hackers can sit dormantly inside a network for long periods of time, often over 200 days, before making a move. When they do make their move, she said many of them only give off very subtle or weak signals. 

“You have to use advanced mathematical algorithms based on Bayesian theory that understand these very weak signals of abnormal behaviour because these people are silent and intelligent and patient,” she said. 

Darktrace claims that many of the other security vendors, such as McAfee, Symantec and Kaspersky, are concentrating their efforts on developing “threat intelligence” software, which looks at attacks that have just happened. 

"It [threat intelligence] provides attack information and people love it because it shares data between anyone who’s had an attack. What it doesn’t do is say whether that attack is relevant to your company. Even if you’re in the same industry, it doesn’t mean the attacker is going to use the same attack, and, if they’re sophisticated, they’re not going to. “

Eagan adds that senior managers at large organisations often allocate vast amounts of time and resources to investigate these attacks, ultimately distracting their teams from focusing on hackers that are already inside the network doing a subtle targeted attack. "The sophisticated attacker is using all those bells and whistles to their advantage," she said.

Some of Darktrace’s first customers were from the energy and utilities sector but businesses in financial services, aviation, rail and manufacturing are starting to realise the benefit of this new era of security, according to Eagan. Due to the nature of Darktrace's product, many companies are unwilling to go on record saying they use it. However, last month, Virgin Trains revealed it's using Darktrace to monitor its network traffic on a 24/7, real-time basis.

Darktrace's revenues are currently split 50/50 between the UK and the US but Eagan expects this to change as growth in the US starts to take off following the introduction of Darktrace sales and marketing offices in New York City, Chicago and San Francisco.  

Employing ex-spooks 

The firm currently employs approximately 50 people, including former cyber analysts at GCHQ, MI5, the NSA and the FBI. 

"We hire a lot of people out of the intelligence community," said Eagan. "Our intent is to take all of that hands on practical learning that the intel communities has learned at the highest levels, package it up and deliver it to a corporate market." 

Prior to Egan, Darktrace's CEO was Andrew France, the former deputy director for Cyber Defence Operations at British intelligence agency GCHQ. France was appointed CEO in January 2014 but quit after less than a year to start his own consulting firm.  

Upon leaving, France said the company was growing rapidly and required someone who could oversee international expansion.

“It needs now a different kind of strategic leadership that’s not me,” said France, adding that he would stay on the advisory board and keep a stake in Darktrace. “I know my limitations.”

Headcount at the company is expected to increase sharply as it embarks on a worldwide sales and marketing push. This will be supported by the £10 million - £20 million investment made by Invoke Capital.

When the Invoke Capital investment was announced, Autonomy founder Lynch said: “We are delighted to announce our first investment in a genuinely innovative company, in such a critical area as cyber security.

“Darktrace brings a radically different solution to the challenge of protecting our information in today’s environment of cyber threat. It is an inherently mathematical approach that does not seek to block information flow, but rather understand it, in all its practical complexity and subtlety.”

Eagan added: “We’re fortunate that Invoke has a significant size fund so we have access to capital if necessary."

Darktrace won Techworld's Enterprise Startup of the Year Award last week. 

Find your next job with techworld jobs