When the Church of England fully upgraded its legacy IT it was running barely any security at all, so it was quite a leap when Grant Jennings, security manager at the COE, picked the AI security vendor Darktrace to combat a rising ransomware threat.
About two years ago, when Jennings joined the organisation, the entire infrastructure was running on a 20-year-old legacy platform.
"They had no security whatsoever so I started adding security in," Jennings says, speaking with Computerworld UK. "It was a big job. My approach was that we had to have a multi-layered, multi-vendor approach – and you've got to take the stance that someone's going to get in. You need to know what's happened."
Attackers certainly were getting in: up until Jennings bumped into Darktrace at a trade show, the Church was being hit with ransomware attacks, as many as three or four in the space of six to eight weeks. In all instances the problem was internal – Jennings admits that IT literacy is not particularly high in the organisation – usually through a malicious email.
"We had to restore from backup," Jennings says. "By the time we knew about it, it had encrypted large amounts of our networks. It took days."
Darktrace is a machine learning cybersecurity company that studies behaviour across the entire network and flags up unusual activity – this could be an insider threat, for instance, or an external hacker. It monitors all network types, including physical, virtualised, cloud, IoT and industrial systems. See also: Machine learning in cybersecurity: what is it and what do you need to know?
The Church of England invited Darktrace in to run a proof-of-value trial. A technical engineer and an account manager came to the office to install the box, where it would sit silently to learn typical behaviour on the network for two weeks before it had useful intelligence.
According to Jennings, the installation took between 30 minutes and an hour. For his part, Jennings only had to make a copy of the Church's pre-existing data and give this information to Darktrace.
"Apart from that there's no configuration work, except for adding user accounts so people can log in and have a look at the interface," Jennings says. "Other than that, it takes care of itself."
A member of staff at the Church logged into their AOL account during this testing period. She was expecting a parcel from FedEx and opened a scam email that looked legitimate – but a hidden payload ran on her computer and began to encrypt data on the network.
"Immediately I had a phonecall from one of the Darktrace employees to tell me this was happening," says Jennings. "We were able to shut it down before it did any major damage. So as a proof of value that really sold it – that it could do this straight away."
This detection was one of the driving reasons the Church signed off on a contract with Darktrace. According to Jennings, the Church doesn't have a cybersecurity team and the product from Darktrace effectively acts as an automated replacement. It flags up threats and prioritises these, along with generating a weekly report that executives can look over. And unlike other security products, Jennings notes that this is particularly user-friendly.
Threat data visualisations
"The visualisation is one of the key selling points for the product," Jennings says. "With other systems, it doesn't matter what they are, the thing you see when you look at the logs is text-based lines you have to look at, go through, and determine as a security specialist, does that look normal? Then take a copy of it, reverse engineer it, try to work it out ourselves. With the visualisation of Darktrace you don't have to do that. You can replay what happened with each device involved in the attack or the treat."
He says the biggest benefits are the ability to see the breaches and what users are doing before anything becomes a problem.
"Those ransomware attacks where data was encrypted ate up about three to four weeks of IT's time to get all the files back, sort the users out, sort the applications out, whatever it encrypted," Jennings explains. "That's a huge amount of time when we're a small team. The ability to shut it down before it causes damage and we'd have to spend all that time on it has saved us on numerous occasions – on time alone it's beneficial."
Machine learning - a replacement for pen-testing?
It was useful, he says, that the learning curve is also low – especially when compared to other products where a cybersecurity professional will need to understand how to put workflows into a product and other layers of configuration.
And he is sold on the machine learning element, too: "The threat landscape has changed – I don't think you can go down that pen-testing route. Pen testing secures me against known vulnerabilities now, then I put all my rules into my firewall, and I'm safe today. But what happens next month?
"There's a whole new set of weaknesses that I don't know about but I'm not going to pay for a pen test again because usually you pay for them once a year. The model just doesn't work – you need to have something that's real-time, adapting and changing, to allow us to see and then deal with the threats that keep us secure.
"These old methods – I think that's a dying set of technologies, they'll be used for certain things but not in the world of securing a network. Pen testing a network which is live and that all your users are on, and you've got 600 staff, where security is changing every day?
"Pen testing only secures me on the day I get my report and implement it. After that I'm not secure. I need to see the vulnerabilities in real time as they change and adapt."