British security vendor Darktrace has launched a virtual appliance capable of monitoring 100 percent of traffic between virtual machines, in order to detect hidden security issues like Advanced Persistent Threats (APTs) and insider attacks.
The ‘vSensor’ can be deployed alongside virtualized switches with minimal impact on hardware performance. It is part of the platform Darktrace calls the ‘Enterprise Immune System’, which is based on machine learning and inspired by the way living organisms fight infection.
Unknown unknowns
Darktrace was founded in 2013 to commercialize machine learning technology and mathematical algorithms developed at the University of Cambridge. The company is backed by Mike Lynch, co-founder of Autonomy, billionaire and Cambridge graduate.
Unlike traditional security solutions, the Enterprise Immune System does not rely on policies or threat signatures – instead it uses Recursive Bayesian Estimation (RBE) theory to learn the ‘normal’ state of the network and identify outliers that do not fit that pattern.
Darktrace says this approach can help detect attackers that have already breached the network perimeter, and do so in real time.
The vSensor expands the reach of the system to include virtualized environments. Each virtual appliance is configured to serve as a SPAN (Switched Port Analyzer) or ‘mirror port’ for the virtual network switch, enabling the software to capture every single packet transferred between separate VMs.
About one percent of raw network traffic is then sent to the master Darktrace appliance for further investigation.
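The recursive Bayesian baseline described above, and the mirrored VM-to-VM traffic the vSensor feeds it, are illustrated by the following added example. It is not Darktrace's code and not a description of the product's algorithm: it assumes a deliberately simple Normal-Gamma conjugate model, updated one observation at a time, over constructed per-interval byte counts for each pair of VMs seen on a mirror port. Flagged intervals are treated as the ones worth escalating for further investigation; that escalation rule, the VM names, the volumes and the thresholds are all assumptions made for the example.

```python
"""Per-conversation recursive Bayesian baseline with outlier flagging.

Illustrative simplification only (not Darktrace's algorithm): a Normal-Gamma
conjugate model over constructed per-interval kilobyte counts of traffic
mirrored from a virtual switch. Each (src VM, dst VM) pair gets its own model.
"""
from dataclasses import dataclass
from math import sqrt

# Constructed sample: (interval, src VM, dst VM, kilobytes transferred in that interval).
MIRRORED_FLOWS = [
    (t, "vm-web-01", "vm-db-01", kb)
    for t, kb in enumerate([190, 205, 198, 210, 195, 202, 208, 199, 203, 197])
] + [
    (t, "vm-web-01", "vm-backup-01", kb) for t, kb in enumerate([50, 55, 48])
] + [
    (10, "vm-web-01", "vm-db-01", 9000),  # constructed burst far outside the learned baseline
]


@dataclass
class NormalGamma:
    """Conjugate posterior over the mean and precision of one conversation's volume."""
    m: float = 0.0        # posterior mean of the per-interval volume
    kappa: float = 1e-3   # pseudo-count behind m (tiny: the prior is weak)
    alpha: float = 1.0    # shape of the precision posterior
    beta: float = 1.0     # rate of the precision posterior
    n: int = 0            # observations absorbed so far

    def predictive_scale(self) -> float:
        # Posterior predictive is Student-t with df=2*alpha, location m and this scale.
        return sqrt(self.beta * (self.kappa + 1) / (self.alpha * self.kappa))

    def score(self, x: float) -> float:
        # How many predictive scales the observation sits from the learned mean.
        return (x - self.m) / self.predictive_scale()

    def update(self, x: float) -> None:
        # Standard one-step Normal-Gamma update; beta uses the pre-update m and kappa.
        k1 = self.kappa + 1
        self.beta += self.kappa * (x - self.m) ** 2 / (2 * k1)
        self.m = (self.kappa * self.m + x) / k1
        self.kappa = k1
        self.alpha += 0.5
        self.n += 1


def detect(flows, threshold: float = 4.0, warmup: int = 5):
    """Stream mirrored flow records through per-pair models.

    An observation is an alert when its (src, dst) model has absorbed at least
    `warmup` samples and the observation lies more than `threshold` predictive
    scales from the mean. Alerted observations are NOT folded into the baseline,
    so a burst cannot pull the model toward itself (assumed policy, see note).
    Returns (alerts, models).
    """
    models = {}
    alerts = []
    for t, src, dst, kb in flows:
        model = models.setdefault((src, dst), NormalGamma())
        if model.n >= warmup and abs(model.score(kb)) > threshold:
            alerts.append({
                "interval": t, "src": src, "dst": dst, "kb": kb,
                "score": round(model.score(kb), 1),
            })
            continue
        model.update(kb)
    return alerts, models


if __name__ == "__main__":
    alerts, models = detect(MIRRORED_FLOWS)
    for a in alerts:
        print(f"interval {a['interval']}: {a['src']} -> {a['dst']} "
              f"{a['kb']} KB, score {a['score']} (escalate)")
    for pair, model in models.items():
        print(f"{pair}: mean {model.m:.1f} KB over {model.n} intervals")
```

Two points a practitioner would check here: the warm-up rule matters, because with a weak prior the very first observation scores as an outlier against an almost uninformative predictive distribution, and the choice not to update on alerted samples protects the baseline from being poisoned by a burst but also means a genuine, sustained change in behaviour is never learned; a real deployment would age or decay the baseline so that it eventually follows a persistent new normal, which this toy does not do.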