Has anyone out there got any opinions or experience of Darktrace?
Looks like a very clever bit of UI but does it produce the goods?
Any info might be useful!
From what I understand it works OK but has an entry price of no less than 80k for enterprise. Go out and look at these guys; from what I can see it's a better product at half the price: Sandstormtechnology.com ("SOC in a Box", they call it). Let us know what you go with.
Neither; a salesman from Darktrace has contacted my company and the IT boys want to have a look. As I said, the UI is very fancy, but I wondered if it actually produced anything of value in anyone's experience.
AI might be a useful tool, but who knows in this case. If there were members who could say it provided some significant insights, it might be worth a look.
In our experience, we use it to fill the gap in network security monitoring. It showed its value during the PoC and showed us traffic/activities that we were not aware of. With AI it reduces the overhead of constantly tweaking the rules in a traditional network monitoring tool.
Disclaimer: My company is a DarkTrace partner.
That being said, I will not recommend to anyone a solution that is not right for them.
With DarkTrace, besides clever marketing and (personal opinion) an annoying UI, it does bring a lot to the table.
Not sure if they have bragged about it to you already, but the city of Las Vegas is actually using it to protect its infrastructure.
My early experience with ML/AI(ish) products started with LightCyber years ago, before they were gobbled up by PAN. Essentially an anomaly detection and alerting tool integrated with NAC to quarantine the compromised machines.
DarkTrace works on similar principles with advanced and evolving detection algorithms.
It does allow you to playback the incidents' progress, which is a very nice feature.
Things to note: if you are planning to rely on Antigena for dynamic protection, then for UDP traffic you'll have to integrate it with your existing firewalls, as by itself it relies on TCP RST for isolation.
You may also consider splitting your monitored environment into two segments: one that is prone to relatively unpredictable pattern changes and one with the more established workflows.
Doing that will reduce the false positives and you'll be more confident in turning the full auto mode on.
Overall, I think that either this or similar solutions are inevitable if we are to stand a chance of stopping evolving algorithmic exploits.
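The segmentation advice above (keep the unpredictable segment and the established-workflow segment as separate baselines) can be shown numerically. The block below is an added example written for this thread, not Darktrace's code or its actual model: it uses a plain z-score against per-segment history as a stand-in for whatever the product does internally, and the daily volume figures are constructed sample data. It shows that a single pooled baseline either misses a real jump in the quiet segment or, once tightened enough to catch it, fires on the noisy segment's ordinary days.

```python
"""Per-segment vs pooled baselines for network-volume anomaly scoring.

Added example (not vendor code): models the advice of baselining a
segment with unpredictable traffic separately from one with established
workflows. The z-score model is a stand-in for the product's own
algorithms, and all byte counts are constructed sample data.
"""
from statistics import fmean, pstdev

# Constructed daily egress volumes (MB) per segment, six days of history.
STABLE_HISTORY = [100, 102, 98, 101, 99, 100]      # e.g. a payroll VLAN
VOLATILE_HISTORY = [50, 900, 300, 1500, 150, 700]  # e.g. a dev/test lab

DEFAULT_THRESHOLD = 3.0  # flag when |z| >= 3 standard deviations


def zscore(history, value):
    """Standardised deviation of `value` from the mean of `history`."""
    mean = fmean(history)
    sd = pstdev(history)
    if sd == 0:
        return 0.0 if value == mean else float("inf")
    return (value - mean) / sd


def is_anomalous(history, value, threshold=DEFAULT_THRESHOLD):
    """True when `value` deviates from `history` by at least `threshold` sds."""
    return abs(zscore(history, value)) >= threshold


def threshold_needed(history, value):
    """Lowest |z| threshold at which `value` would be flagged."""
    return abs(zscore(history, value))


def evaluate(new_stable, new_volatile):
    """Score one new day per segment under both modelling choices.

    Returns a dict of booleans saying which observations each model flags:
    segmented (one baseline per segment) vs pooled (one shared baseline),
    plus the pooled model with its threshold tightened just enough to
    catch the stable segment's new value.
    """
    pooled = STABLE_HISTORY + VOLATILE_HISTORY
    tight = threshold_needed(pooled, new_stable)
    return {
        "segmented_flags_stable": is_anomalous(STABLE_HISTORY, new_stable),
        "segmented_flags_volatile": is_anomalous(VOLATILE_HISTORY, new_volatile),
        "pooled_flags_stable": is_anomalous(pooled, new_stable),
        "pooled_flags_volatile": is_anomalous(pooled, new_volatile),
        # Tightened pooled model: does a normal busy day on the noisy
        # segment, or a normal quiet day (103 MB) on the stable one, fire?
        "pooled_tightened_flags_volatile": is_anomalous(pooled, new_volatile, tight),
        "pooled_tightened_flags_normal_stable": is_anomalous(pooled, 103, tight),
    }


if __name__ == "__main__":
    # A 4x jump on the quiet segment (a real deviation) and an ordinary
    # busy day on the noisy segment (should stay quiet).
    for name, flagged in evaluate(new_stable=400, new_volatile=1400).items():
        print(f"{name:40s} {flagged}")
```

With these figures the segmented model flags the stable segment's 400 MB day (z well above 100) and leaves the lab's 1400 MB day alone (z about 1.6). The pooled model gives the 400 MB day a z of roughly 0.1 because the lab's spread dominates the variance; lowering the threshold to that value makes the pooled model fire on both the lab's busy day and a perfectly normal 103 MB day on the payroll VLAN. That is the false-positive load the post is talking about, and why a single baseline over mixed segments is hard to put in full auto mode.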
@Andrew I have seen it working as others have stated, to augment the network monitoring via the UI. A lot of people seem to like the UI as an extra screen to determine attack sources. The information is normally sent to the overarching SIEM to be centralised, usually via LEEF.
Others I have seen include Extrahop Reveal (X); SANS have a report on this for detecting stealth attacks.
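For anyone wiring this kind of tool into a SIEM "via LEEF", here is what that feed looks like on the receiving end. The block below is an added example for this thread, not code from Darktrace, ExtraHop or any SIEM vendor: a small parser for LEEF 1.0 and 2.0 headers, with the sample events, vendor/product names and attribute keys (src, dst, score, model and so on) all constructed as placeholders rather than any product's real schema. Treating a hex token such as x09 as a delimiter code is an assumption about how non-printable delimiters are written.

```python
"""Minimal LEEF (Log Event Extended Format) parser for SIEM-bound events.

Added example, not vendor code. Sample events are constructed; the vendor
names and attribute keys in them are placeholders, not the real schema of
any network-monitoring product.
"""
import re

# Constructed sample events: one LEEF 1.0 line behind a syslog prefix,
# one LEEF 2.0 line with a '^' delimiter, one with a hex-coded tab.
SAMPLE_EVENTS = [
    "<13>Jan 14 09:12:01 nsm01 LEEF:1.0|ExampleVendor|NetMonitor|3.2|ModelBreach|"
    "devTime=2021-01-14T09:12:00Z\tsrc=10.20.30.40\tdst=198.51.100.7\tdstPort=445\t"
    "score=0.87\tmodel=Anomalous Connection / SMB to external",
    "LEEF:2.0|ExampleVendor|NetMonitor|3.2|ModelBreach|^|src=10.20.30.41^"
    "dst=203.0.113.9^dstPort=53^proto=udp^score=0.62^model=Possible DNS tunnelling",
    "LEEF:2.0|ExampleVendor|NetMonitor|3.2|Heartbeat|x09|"
    "devTime=2021-01-14T09:13:00Z\tstatus=ok",
]


def _parse_delimiter(token):
    """LEEF 2.0 delimiter field: a single literal character, or (assumed
    here) a hex code such as 'x09' / '0x09' for non-printable ones."""
    if len(token) == 1:
        return token
    m = re.fullmatch(r"0?x([0-9A-Fa-f]{2})", token)
    if m:
        return chr(int(m.group(1), 16))
    raise ValueError(f"unsupported LEEF delimiter: {token!r}")


def _parse_attrs(text, delim):
    attrs = {}
    for token in text.split(delim):
        if not token:
            continue
        key, sep, value = token.partition("=")  # values may contain '='
        if sep:
            attrs[key.strip()] = value
    return attrs


def parse_leef(line):
    """Return header fields and an 'attrs' dict for one LEEF line.

    Accepts an optional syslog prefix (PRI, timestamp, host) before 'LEEF:'.
    Raises ValueError on malformed input so callers can count drops.
    """
    idx = line.find("LEEF:")
    if idx < 0:
        raise ValueError("no LEEF header")
    parts = line[idx + len("LEEF:"):].split("|", 5)
    if len(parts) < 6:
        raise ValueError("truncated LEEF header")
    version, vendor, product, prod_version, event_id, rest = parts
    if version == "1.0":
        delim, attr_text = "\t", rest
    elif version == "2.0":
        head, sep, tail = rest.partition("|")
        if sep and "=" not in head:      # explicit delimiter field present
            delim, attr_text = _parse_delimiter(head), tail
        else:                            # delimiter omitted: defaults to tab
            delim, attr_text = "\t", rest
    else:
        raise ValueError(f"unsupported LEEF version: {version!r}")
    return {
        "version": version, "vendor": vendor, "product": product,
        "product_version": prod_version, "event_id": event_id,
        "attrs": _parse_attrs(attr_text, delim),
    }


def triage(lines, min_score=0.8):
    """Parse a batch, dropping malformed lines, and return the
    (src, dst, model) of ModelBreach events scoring at least min_score,
    together with the count of lines that could not be parsed."""
    hits, dropped = [], 0
    for line in lines:
        try:
            ev = parse_leef(line)
        except ValueError:
            dropped += 1
            continue
        if ev["event_id"] != "ModelBreach":
            continue
        a = ev["attrs"]
        if float(a.get("score", 0)) >= min_score:
            hits.append((a.get("src"), a.get("dst"), a.get("model")))
    return hits, dropped


if __name__ == "__main__":
    hits, dropped = triage(SAMPLE_EVENTS)
    print(f"{len(hits)} high-score breach(es), {dropped} dropped line(s)")
    for src, dst, model in hits:
        print(f"  {src} -> {dst}: {model}")
```

The only structural subtlety is the LEEF 2.0 delimiter field, which is optional when the delimiter is a tab; the parser decides by checking whether the text before the next pipe looks like a key=value attribute. Whatever the upstream tool's real field names turn out to be, the SIEM-side logic is the same: parse the header, pull the attributes, and route on the event ID and a score or severity field.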