Sophos' Project Darwin embraces AI to combat evolving threats

Cyber security vendor Sophos is invoking the spirit of famed English evolutionary scientist Charles Darwin to rally the security industry around its vision for connected cyber defence, opening the company up to working with APIs and other third parties to tackle sophisticated threats.

By Tamlin Magee May 18th 2018

Former Sophos product SVP Dan Schiappa, who is now the company's chief innovation officer, said the industry should take a joined-up approach to applying artificial intelligence to security decisions.

Speaking with Computerworld UK, Schiappa explained how the company's internally named 'Darwin Project' evolved from its previous work.

"About four years ago we introduced the concept of 'synchronised security' and this is where security products speak directly to one another, and share information," he said during a telephone interview. "The simplest example was, if we saw a compromise at an endpoint, it would share that information to the firewall and then the firewall would eliminate that endpoint from being able to talk to the outside world."

The company later extended that model to block lateral movement, adding the ability for the endpoint to report back to the firewall, for example telling it which applications were running on the machine.

In other words, applications that had previously been invisible to the firewall became visible to it, so the firewall could set and enforce a policy for each one.

Sophos now wants to combine that approach with its deep learning work on neural networks, which it uses to classify and predict malicious files before a 'patient zero' infection happens.

It will draw on data from a range of sensors, which can double as 'enforcement points': IoT devices, access points and firewalls, for example, along with events such as failed authentications. The idea is that devices and events alike feed into one another.

Survival of the fittest

"The reason we call it Darwin is because survival of the fittest didn't mean the strongest or the smartest, it meant those that could adapt to change the best," Schiappa said. "So as your IT environment is constantly changing – new devices, new cloud services, new employees – it's the ability to have insight into that overall ecosystem through a variety of sensors.

"It's being able to use that deep learning AI to analyse the information we're pulling off those sensors, then asking a variety of enforcement points to respond in real time to what we're seeing, is where the security industry really needs to move."

Sophos has a sizeable ecosystem of products that it can connect on its own, but there are plenty of areas the firm does not work in, so according to Schiappa this is a wider 'call to action' for the industry: opening up APIs to third parties.

"We think this is something the whole ecosystem should embrace because there's no customer that we have that will be 100 percent Sophos for everything," he said. "As much as we would love that... it's not terribly common.

"While we will certainly embrace this within our own technology we want to expose APIs to others – like Darktrace, for example, or a company that does vulnerability assessment technology we don't have, could participate, could interconnect with the ecosystem, to the API, to provide us both sensor information, or in some cases be an enforcement point."

Skills gap

Ultimately Schiappa hopes this could intelligently reduce risk by combining data from a number of different parties.

For example if a business traveller in a high-risk geography is trying to remotely access their work on a server that is known to be unpatched, they might have their access restricted until they got into an internal office that was ranked as a safer environment.

In that case it might be Sophos working with another security vendor plus a travel and expense management solution such as Concur, all informing each other.
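The two scenarios described in this article, an endpoint reporting a compromise so that the firewall isolates it, and a remote traveller in a high-risk location being kept away from an unpatched server until they are back on an office network, both reduce to the same pattern: sensors emit signals, a correlation layer maintains state, and enforcement points act on the result. The following is an added illustration of that pattern written for this page; it is not Sophos code, and every product name, signal field, host name and country code in it is invented for the example.

```python
"""Toy sensor -> correlation -> enforcement engine (added example, not Sophos code).

All signal kinds, host/user/server names and the HIGH_RISK country set are
invented for the illustration; a real deployment would map them onto the
products actually emitting the telemetry.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Signal:
    """One observation from any sensor (hypothetical schema)."""
    source: str   # emitting product, e.g. "endpoint-agent", "vuln-scanner", "travel-system"
    kind: str     # "health", "app-inventory", "patch-state" or "user-location"
    subject: str  # the host, server or user the observation is about
    data: dict = field(default_factory=dict)


class Firewall:
    """Enforcement point: isolates hosts and keeps a per-host application policy."""

    def __init__(self) -> None:
        self.isolated: Set[str] = set()
        self.app_policy: Dict[str, Set[str]] = {}

    def isolate(self, host: str) -> None:
        self.isolated.add(host)

    def release(self, host: str) -> None:
        self.isolated.discard(host)

    def allows(self, host: str) -> bool:
        return host not in self.isolated


class PolicyEngine:
    """Correlates signals from disparate sensors and drives the enforcement point."""

    HIGH_RISK = {"XX", "YY"}  # invented high-risk country codes

    def __init__(self, firewall: Firewall) -> None:
        self.fw = firewall
        self.unpatched: Set[str] = set()          # servers a scanner flagged as unpatched
        self.user_ctx: Dict[str, dict] = {}       # latest location/network per user

    def ingest(self, sig: Signal) -> List[str]:
        """Update state from one signal; return the enforcement actions taken."""
        actions: List[str] = []
        if sig.kind == "health":
            status = sig.data.get("status")
            if status == "compromised":
                self.fw.isolate(sig.subject)          # endpoint -> firewall, as in the article
                actions.append(f"isolate {sig.subject}")
            elif status == "clean":
                self.fw.release(sig.subject)
                actions.append(f"release {sig.subject}")
        elif sig.kind == "app-inventory":
            apps = set(sig.data.get("apps", []))
            self.fw.app_policy[sig.subject] = apps    # firewall now sees the host's apps
            actions.append(f"policy {sig.subject}: {sorted(apps)}")
        elif sig.kind == "patch-state":
            if sig.data.get("unpatched"):
                self.unpatched.add(sig.subject)
            else:
                self.unpatched.discard(sig.subject)
        elif sig.kind == "user-location":
            self.user_ctx[sig.subject] = dict(sig.data)
        return actions

    def access_decision(self, user: str, server: str) -> str:
        """'restrict' when a remote user in a high-risk geography targets an unpatched server."""
        ctx = self.user_ctx.get(user, {})
        remote = ctx.get("network") != "office"
        risky_geo = ctx.get("country") in self.HIGH_RISK
        if server in self.unpatched and remote and risky_geo:
            return "restrict"
        return "allow"


def run_demo() -> List[str]:
    """Replay constructed signals for both article scenarios; return the outcomes."""
    fw = Firewall()
    engine = PolicyEngine(fw)
    out: List[str] = []
    # Scenario 1: compromised endpoint is cut off, and its app inventory becomes firewall policy.
    out += engine.ingest(Signal("endpoint-agent", "app-inventory", "laptop-7", {"apps": ["ssh", "browser"]}))
    out += engine.ingest(Signal("endpoint-agent", "health", "laptop-7", {"status": "compromised"}))
    out.append(f"laptop-7 egress allowed: {fw.allows('laptop-7')}")
    # Scenario 2: traveller in a high-risk geography vs. an unpatched server.
    engine.ingest(Signal("vuln-scanner", "patch-state", "fileserver-1", {"unpatched": True}))
    engine.ingest(Signal("travel-system", "user-location", "alice", {"country": "XX", "network": "hotel-wifi"}))
    out.append(f"alice->fileserver-1 from hotel: {engine.access_decision('alice', 'fileserver-1')}")
    engine.ingest(Signal("travel-system", "user-location", "alice", {"country": "GB", "network": "office"}))
    out.append(f"alice->fileserver-1 from office: {engine.access_decision('alice', 'fileserver-1')}")
    return out


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The point of the toy is the shape, not the rules: each sensor contributes only what it knows (health, inventory, patch state, location), no single sensor can make the access decision on its own, and the decision is re-evaluated as new signals arrive rather than waiting for an analyst to correlate them by hand.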

"I think one of the biggest problems we have today is we have a bunch of resources and assets to protect, so we have created a bunch of security controls for a bunch of completely disparate products," Schiappa said. "Then we pull a bunch of information in and show it to a security analyst, and hope that analyst is skilled enough to make a mental correlation of that data and do something about it.

"At best you're going to get responses in minutes to hours. What we see in some of these security reports is up to 60-plus percent of active attacks had been on the network for over a month. They get in and sit there and do lots of reconnaissance. Of course there is also the basic smash and grab ransomware attacks.

"But the combination of more sophisticated stuff – you are trusting a very skilled security analyst to do that. The problem is we are throwing so much information there's so many things for that analyst to investigate, they're either not going to get to everything they need to get to, or you don't have enough security analysts to do it."

That problem is made worse by the cyber security skills gap, which one analyst house has said could reach 1.8 million unfilled positions by 2022 unless there is a radical new approach to recruiting and training. As a result, the largest enterprises attract much of the best talent, leaving smaller businesses struggling. And it only takes one weak link in a supply chain to compromise the lot.

One radical approach would be taking the analyst out of the equation altogether in the SMB tier, although it could be argued this is more Thomas Malthus than Charles Darwin.

"What we want to do with Darwin is take a lot of work off that analyst, or in some cases, in the mid market, replace the analyst with artificial intelligence," Schiappa said. "Let the deep learning do that for you, and not have to trust the human to do it.

"We are building a world where we will be trusting AI to drive our cars, so we need to apply that same type of technology to make security decisions."