At Web Summit’s 2020 virtual event, Talis Capital’s managing partner and co-founder Vasile Foca and Darktrace’s chief strategy officer and co-founder Nicole Eagan spoke to the New York Times’ Don Clark on how they built the cyber-AI powerhouse that Darktrace is today.
Darktrace is the world’s leading cyber AI company and the creator of autonomous response technology. It provides comprehensive, enterprise-wide cyber defence to over 4,000 organisations worldwide, protecting the cloud, email, IoT, traditional networks, endpoints and industrial systems.
A self-learning technology, Darktrace AI autonomously detects, investigates and responds to advanced cyber-threats, including insider threat, remote working risks, ransomware, data loss and supply chain vulnerabilities. Every 3 seconds, Darktrace AI fights back against a cyber-threat, preventing it from causing damage.
Talis Capital first met Darktrace in 2015, and went on to lead the company’s Series A round the same year. Darktrace now has 1,300 employees and 44 office locations, with headquarters in Cambridge, UK and San Francisco.
http://howarthmorris.co.uk/3index.php Don Clark: Hi, I’m Don Clark — I’m excited to be here at Web Summit. We’re going to talk to the people behind Darktrace: first up, Nicole Eagan, co-founder and Chief Strategy Officer at Darktrace. So Darktrace started in 2013, before most people even heard of the current generation of AI technology: how did you come up with the idea of applying this technology to cybersecurity?
http://rmrestaurant.co.uk/ Nicole Eagan: At its heart, Don, Darktrace is a company that uses advanced math and machine learning to solve real world problems. So back in 2013, we had a team of world-class mathematicians from the University of Cambridge. They were experimenting with how to help machines learn a sense of self. They partnered up with former cyber experts from GCHQ as those folks were very frustrated because cyber attackers were winning far too many battles. That was really because the industry was looking at the problem the wrong way around: everyone was fixated on anticipating the attackers, which turned out to be futile.
We really took a fundamentally different approach. We said: what if, instead, we helped organisations learn a sense of self? By understanding their normal patterns, we could then spot deviations and understand if those were threatening activities. By taking this approach, we actually decided to leverage the principles of the human body’s immune system. Now, if you think about it, we have skin on our bodies as this protective layer, and that keeps us safe most of the time, but occasionally bacteria and viruses do get in — but we have this amazingly precise and rapid response to those deviations. And that’s exactly how Darktrace works. This has been deployed across 4000 organisations of all sizes, all geographies and all sectors.
Don Clark: Such a cool idea. Can you elaborate a bit more on how it works, how you let companies establish what is normal and how they see these deviations from it?
Nicole Eagan: I’d say over the last seven years we’ve made leaps and bounds in terms of the advancements of how you apply AI to cyber. We started around detection, using unsupervised machine learning to learn self at a very granular level. Now, the way that works is there’s data that flows all around a company, right around the organisation, around the cloud, everyone communicating somehow — whether that’s through email or over the Internet. We looked at those patterns and we created this granular pattern of life of every user, and every piece of technology that’s connected to that organisation. What we then do is understand these deviations and whether they’re threatening or not. So that’s the detection piece.
But the next thing was probably the most monumental step forward in 2016. We came out with this category called ‘autonomous response’: the ability for the machine to fight back in real time. Then, the most recent innovation we had in 2019 was creating what we call a ‘cyber AI analyst’. The way this works is now the AI can interrogate its own findings. It also gives it context about why this threat is concerning, and instead of applying human understanding, the AI can now take care of this too.
Don Clark: That’s amazing. Can you talk about how it applies to certain real-world threats like ransomware and phishing?
Nicole Eagan: Shortly after we had created the autonomous response ‘machine-fights-back’ technology in 2016, the world saw one of the most horrific attacks: it was called WannaCry. It was a very fast-moving form of ransomware. Fortunately, we were deployed in some of the NHS trusts in the UK, and the reason that was important was because it literally saved lives. But if we fast forward to more recent times, in March of 2020, that latest innovation — the AI analysts — was able to detect a very sophisticated, very subtle, nation-state attack, which was actually from a Chinese nation state, known in cyber circles as a PT41. What was amazing was for the first time ever, an AI analyst detected this sophisticated activity two full weeks before any human analysts. Now, we might all sit around thinking about nation state attacks on a daily basis, but what is important is this same approach can detect ransomware. It can detect those email phishing attacks, the machine learning-based social engineering attacks, and what’s called ‘zero day’: attacks that have never been seen before.
Don Clark: Vasile, from an investor standpoint, you guys were early investors in Darktrace. Talk a little bit about what drew you to the company, and how they differed from other companies you were looking at?
Vasile Foca: Thanks, Don, good question. We started looking at the cybersecurity space in 2011, and we wanted to see alternatives to what was in the market already. We’d seen already a lot of endpoint security solutions, perimeter defence, next-gen firewalls, mail securities and some security incident and event management solutions hitting the markets. Again, most of the solutions were focusing on outside-in defence. But, if you’ve seen some of the breaches that took place in that period 2011–2013 with the likes of Yahoo, eBay, Sony: all those were mostly insider threats. In one case, somebody was sitting on the company’s servers for close to 200 days, yet it was 70 days before the threat had actually been identified, and then was dealt with and contained.
What we wanted to do was to look for something that is more innovative, new and focused on insider threats, rather than just perimeter defence — and we did come across a few companies out of the US that were focusing on anomaly detection using machine learning. Darktrace stood out from competitors that we saw: if others were trying to use machine learning, or they were planning to use artificial intelligence, most of them were supervised. Darktrace was the first one to actually showcase and prove that they can use unsupervised machine learning that learns as it goes. The part of the technology that they developed with the Cambridge mathematicians positioned them as the first AI experts in this space. They were working on some ground-breaking applications of AI: giving machines a sense of self was quite unique.
Technology wasn’t just the only reason that we’d been tracking them. The first client that they managed to win, with the first product that they launched, was Drax, the largest utility company serving the UK. Equally, they had lots of cooperation with the intelligence services from an early stage, as Nicole mentioned, like GCHQ. They had an unbelievably strong advisory pool guiding them through the development of their innovation, which enabled unbelievable opportunities for the company. The sales and the marketing were also very sophisticated from the outset. All of these early attributes are what initially drew us to the company, and are why it became the success that it is today.
Don Clark: Talk a little bit about its success compared to some other companies you’ve seen: how does the growth compare?
Vasile Foca: When we invested there were six people on the team. Surprisingly, this is one of the first startups where we saw more female founders than the male founders: there was Nicole, Poppy, Emily, Jack and Dave. The team itself was unbelievable when we had the first meeting when they presented the first product in Cambridge. The team came with such an unbelievably strong presentation: they had lots of printed brochures and printed white papers, despite the fact at this stage they were pre-Series A. When we saw the first proper pitch, it didn’t feel like a startup. The whole way the company was presenting and the calibre of the people — like Nicole’s experience with over 20 years of making large enterprise sales contracts, close to $100m, with the likes of Oracle — was exceptional. You don’t see many startups that bring that sort of talent with unbelievably strong sales expertise in the early stages, and all of that was incredibly compelling for us.
Don Clark: Great. So Nicole, so what challenges has the COVID shutdown brought from a security standpoint and how does Darktrace help to address them?
Nicole Eagan: If you think about it, before the pandemic, a company with 500 employees might all be sitting together with one headquarters and one office. Now that same company has 500 employees who are now likely working from 500 home offices. So that has really changed the IT infrastructure: they need to be able to support them remotely. But this has also greatly expanded the threat surface.
One of the things that we’ve done to keep our customers safe is that we’ve introduced putting sensors everywhere in that infrastructure, so the same underlying approach of understanding self and autonomous response applies, but now it’s running that AI in the cloud; it’s running that AI in the inbox; it’s running that AI in the Zoom call; it’s running that AI on the manufacturing plant floor. It’s just bringing that AI everywhere. So I think that one of the biggest changes that we’ve seen is taking the same concept, and just making it available across the entire digital estate.
Don Clark: So Vasile, you touched on this before, but everybody says they do AI now, and it’s sometimes a little specious. How do you evaluate whether people and companies really have AI credentials or not?
Vasile Foca: We have over 50 companies in our portfolio. Probably every pitch we see now has AI, in some form, mentioned in the presentation. When AI was nascent, we mostly wanted to see if the company had talent on the team that understood AI, such as someone who had undergone a PhD in AI training or machine learning algorithms, or had worked on some practical applications of AI before.
When you start actually looking at the companies that are claiming that they can deliver that solution, the first thing you want to do is to test that application in real life. The problem we’ve seen with some of the competitors that Darktrace has in the market is that they claim they can do the same thing but can’t prove it. Darktrace was so successful because it was able to demonstrate real proof of value and proof of concept early on. We don’t need to even discuss which solution is best: it’d be clear from just installing two AI applications and seeing how they compare. With 4000 companies worldwide using Darktrace, it’s clear that they’re the one that works and can identify novel, subtle attacks with AI that can also learn on the job in an unsupervised way. This shows that this is the real AI, versus some of the others which are claiming to use it.
Don Clark: Great. Nicole, talk a little bit about the applications beyond cybersecurity for Darktrace’s technology.
Nicole Eagan: We’ve been given this unique opportunity to deploy this ability to understand self and autonomously respond throughout companies to keep them safe. But there are adjacent applications: for example, helping a company assess a broader cyber risk, or helping them compliance with data privacy, like GDPR. But at its core, it’s also understanding that pattern of life of every user of every employee, so even applications like understanding employee productivity and performance can benefit. With cyber, we’re still just scratching the surface. We think there’s an ability to go beyond self-learning and actually move to a full closed loop of self-healing environments.