SOCFortress Integrations — Darktrace ActiveAI Security Platform

SOCFortress · 4 min read · Jul 9, 2024


Intro

SOCFortress integration and visualization tools allow security analysts to visualize and triage Darktrace ActiveAI (network sensor) security events from a single pane of glass.

About Darktrace ActiveAI Security Platform

Darktrace is a cybersecurity company that specializes in using artificial intelligence (AI) and machine learning to detect and respond to cyber threats. Here are some key points about Darktrace:

Darktrace uses machine learning and AI algorithms to identify unusual patterns and behaviors in network traffic. This helps in detecting potential threats that might go unnoticed by traditional security measures.

Darktrace’s AI continuously learns from the data it processes, improving its understanding of what constitutes normal behavior within the network and thus enhancing its ability to detect anomalies.

Darktrace’s Antigena technology provides autonomous response capabilities. When a threat is detected, Antigena can take immediate action to neutralize the threat, such as quarantining affected devices or blocking malicious connections, without requiring human intervention. It’s designed to provide real-time threat detection and response, enabling organizations to react quickly to potential security incidents.

Darktrace typically does not require installing agents on endpoints. Instead, it uses a different approach for monitoring and protecting a network. Here’s how Darktrace works:

  • Network Traffic Analysis: Darktrace deploys sensors (often called “appliances” or “probes”) at strategic points within the network. These sensors can be physical or virtual and are usually placed at network chokepoints, such as at the internet gateway or core network switches, to monitor traffic flows.
  • Data Collection: The sensors collect network traffic data, including metadata, which is then sent to Darktrace’s central AI engine for analysis. The AI engine can reside on-premises or in the cloud, depending on the deployment model chosen by the organization.
  • Machine Learning and AI Analysis: The AI engine uses unsupervised machine learning to build a baseline of what is considered normal behavior for the network and its users. It continuously monitors network traffic, looking for deviations from this baseline that might indicate a potential threat.
  • Anomaly Detection: When an anomaly is detected, Darktrace analyzes it to determine if it is a benign deviation or a potential security threat. This analysis considers various factors, such as the type of anomaly, its context, and its potential impact.
  • Autonomous Response with Antigena: If a threat is confirmed, Darktrace’s Antigena module can take automated actions to mitigate the threat. These actions can include isolating compromised devices, terminating suspicious connections, or throttling bandwidth to certain areas of the network. This response is designed to be immediate, reducing the window of opportunity for attackers.
  • Integration with Existing Security Tools: Darktrace can integrate with other security tools and systems within the organization, such as SIEM (Security Information and Event Management) systems, to provide a more comprehensive security posture.

Darktrace sensors are essential for monitoring network traffic and collecting data for analysis.

The sensors are strategically placed at key points within the network where they can monitor traffic effectively. Common locations include:
— Network Perimeter: At the internet gateway to monitor incoming and outgoing traffic.
— Core Network Switches: To capture internal network traffic between different segments.
— Data Centers and Cloud Environments: To monitor traffic in and out of critical infrastructure.

The collected data is sent to Darktrace’s central AI engine for analysis. This AI engine can be deployed on-premises or in the cloud, depending on the organization’s preference and infrastructure.

By deploying these sensors, Darktrace provides comprehensive visibility into the network, allowing it to detect and respond to threats in real-time without the need for endpoint agents.

Ingesting Darktrace events

Darktrace events and alerts are ingested through Darktrace's API.

Visualizations

Total alerts, events and detected devices:

Detected devices by OS:

Registered alerts by name/category:

Events table:
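The ingestion step above and the four visualization panels share one pipeline: sign an API request, pull model breaches, flatten them into event rows, and count alerts, devices by OS and alerts by name/category. The example below is added here to illustrate that pipeline; it is not SOCFortress's or Darktrace's own code. It assumes the Threat Visualizer API signing scheme (HMAC-SHA1 keyed with the private token over "path\npublic token\nDTAPI-Date", sent in DTAPI-Token/DTAPI-Date/DTAPI-Signature headers), the `/modelbreaches` endpoint with a `starttime` parameter in epoch milliseconds, and response field names (`pbid`, `time`, `score`, `model.then.name`, `device.did/hostname/ip/os`) that approximate the real response; the sample records are constructed, and the "Category / Name" split of model names is a convention assumed here. Verify all of these against the API documentation of your own appliance.

```python
import hashlib
import hmac
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlencode


def sign_request(path_with_query, public_token, private_token, date_header=None):
    """Return the DTAPI-* headers for one API request.

    Assumed scheme: HMAC-SHA1 keyed with the private token over
    "<path incl. query>\n<public token>\n<DTAPI-Date>", with DTAPI-Date
    formatted as %Y%m%dT%H%M%S (UTC). The date header is part of the signed
    string, so a captured request cannot simply be replayed later.
    """
    if date_header is None:
        date_header = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S")
    message = f"{path_with_query}\n{public_token}\n{date_header}"
    signature = hmac.new(private_token.encode(), message.encode(), hashlib.sha1).hexdigest()
    return {"DTAPI-Token": public_token, "DTAPI-Date": date_header, "DTAPI-Signature": signature}


def fetch_model_breaches(base_url, public_token, private_token, since_epoch_ms):
    """Poll /modelbreaches for breaches newer than since_epoch_ms (network call, assumed endpoint)."""
    import requests  # imported here so the rest of the module runs offline

    path = "/modelbreaches?" + urlencode({"starttime": since_epoch_ms})
    headers = sign_request(path, public_token, private_token)
    # TLS verification stays on; point REQUESTS_CA_BUNDLE at the appliance CA if it is self-signed.
    response = requests.get(base_url + path, headers=headers, timeout=30)
    response.raise_for_status()
    return response.json()


def normalise(breaches):
    """Flatten raw model-breach records into the rows an events table shows."""
    rows = []
    for breach in breaches:
        model_name = breach.get("model", {}).get("then", {}).get("name", "unknown")
        category = model_name.split(" / ", 1)[0]  # assumed "Category / Name" convention
        device = breach.get("device", {})
        rows.append({
            "breach_id": breach.get("pbid"),
            "timestamp": datetime.fromtimestamp(breach["time"] / 1000, tz=timezone.utc).isoformat(),
            "device_id": device.get("did"),
            "hostname": device.get("hostname") or device.get("ip") or "unknown",  # fall back to IP
            "ip": device.get("ip"),
            "os": device.get("os") or "unknown",  # sensors often cannot fingerprint every host
            "model": model_name,
            "category": category,
            "score": breach.get("score"),
        })
    return rows


def summarise(rows):
    """Produce the counts behind the dashboard panels (totals, devices by OS, alerts by name/category)."""
    devices = {}
    for row in rows:
        devices.setdefault(row["device_id"], row["os"])  # one OS per distinct device
    return {
        "total_alerts": len(rows),
        "total_devices": len(devices),
        "devices_by_os": dict(Counter(devices.values())),
        "alerts_by_name": dict(Counter(r["model"] for r in rows)),
        "alerts_by_category": dict(Counter(r["category"] for r in rows)),
    }


# Constructed sample records; field names approximate a /modelbreaches response.
SAMPLE_BREACHES = [
    {"pbid": 101, "time": 1720000000000, "score": 0.61,
     "model": {"then": {"name": "Anomalous Connection / Data Sent to Rare Domain"}},
     "device": {"did": 7, "hostname": "ws-finance-02", "ip": "10.1.4.20", "os": "Windows 10"}},
    {"pbid": 102, "time": 1720000300000, "score": 0.32,
     "model": {"then": {"name": "Device / New User Agent"}},
     "device": {"did": 7, "hostname": "ws-finance-02", "ip": "10.1.4.20", "os": "Windows 10"}},
    {"pbid": 103, "time": 1720000600000, "score": 0.74,
     "model": {"then": {"name": "Anomalous Connection / Data Sent to Rare Domain"}},
     "device": {"did": 12, "hostname": "srv-db-01", "ip": "10.1.9.5", "os": "Linux"}},
    {"pbid": 104, "time": 1720000900000, "score": 0.45,
     "model": {"then": {"name": "Compliance / Remote Management Tool On Server"}},
     "device": {"did": 12, "hostname": "srv-db-01", "ip": "10.1.9.5", "os": "Linux"}},
    {"pbid": 105, "time": 1720001200000, "score": 0.28,
     "model": {"then": {"name": "Device / Anomalous SMB Followed By Multiple Model Breaches"}},
     "device": {"did": 31, "ip": "10.1.2.77"}},  # no hostname and no OS fingerprint
]

if __name__ == "__main__":
    print(summarise(normalise(SAMPLE_BREACHES)))
```

Keep the public/private token pair in a secrets store rather than in the script, and persist the last `time` value seen so each poll asks only for newer breaches; the summary counts are what feed the total, per-OS and per-name/category panels, and the flattened rows feed the events table.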

Need Help?

The functionality discussed in this post, and much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html


SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).