BACKGROUND & DEVELOPMENT
In 2013, Roke Manor Research, the research and development arm of the Chemring Group, was tasked with creating a commercial cyber
security product that reflected the immense level of expertise held within the research organisation in order to bring defence grade network security to any organisation. Roke at this time were only engaging in cyber security research for national security organisations. Chemring Group, however, wanted commercial organisations to benefit from the same level of protection afforded to these government agencies. To enable this to happen, a team was formed comprising software engineers and network analysts from three departments within Roke; State-Level Cyber Research, Lawful Intercept Probe Development, and Machine Learning Research.
The team members first defined key requirements for the new product, these were identified by reviewing current cyber protection solutions used by organisations at the time, as well as the common beliefs all members of the team shared. By the end of this exercise, the team had agreed that whatever product they developed it needed to follow a military approach to protection, by allowing the user to prepare and act before any attack had actually occurred, and in the event of an attack, be able to monitor and contain the attack before it created significant damage.
During early prototyping the product was called RIO, and was simply a lawful intercept probe collecting all network data partnered with a neural network designed to detect network based anomalies. Since the technology developed by Roke was class leading (the data capture systems for lawful interception, and the ground-breaking neural networks for anomaly detection) the system performed extraordinarily well. This system was sent out for initial testing in 2013 with military networks, and won a competition run by DSTL (part of the UK MoD) aiming to find novel ways of discovering zero-day threats. Since the system analysed network data behaviourally, rather than based on rules or signatures, no matter how many new threats were thrown at it, or how many times existing threats were modified to beat signature systems, the network behaviours remained the same and were detected successfully.
The platform was eventually rebranded Perception and pushed out to early-access customers within high threat industries in the UK. The prototype was effective but later deployments uncovered some areas that required some further attention. When deployed in more realistic networks in early customer evaluations with major banks and financial institutions, the false positive rate was too high. This tends to be a side effect of anomalous behavioural analysis when used as a sole means of detection. The temporary response to this was to select a higher bar to what was anomalous before alerting. The team carried out research into this concept and discovered that once over a relatively low ‘anomaly rating’ there is no correlation between how unusual something is, and how likely it is to be malicious, rendering anomaly detection on its own impractical in real- world deployments. An alternative approach was needed.
An easy approach potentially was to add reputation feeds into the product to detect known malicious IPs and domains, however, threat intelligence feeds can also have a high false positive rate and almost all of the test customers were already utilising threat intelligence feeds to some extent so the system was duplicating effort. In the end a more robust set of systems needed to be developed. The decision was made to add in two more behavioural identification systems, firstly a data store of forensic information that gave the system historical context to identify behaviours, and secondly an advanced deep packet inspection (DPI) engine to identify behaviours based on packet and reconstructed session contents. The Cyber Security Research Department at Roke were tasked with throwing every type of conceivable threat at this new architecture, and Perception identified everything with outstanding accuracy. Any drawback or blind spot of each of the three approaches was more than covered by a combination of the other two. This version of the product was designated version 1.0 and customer sales commenced in 2014.
DESKILLING THE PRODUCT
Although the product at this stage was able to identify all manner of system misconfigurations, potential vulnerabilities, active malware, and poor user behaviour, Perception still required a skilled analyst to understand and filter the behaviours it produced. It became clear that the product needed to be made more accessible and user friendly to use for analysts that didn’t necessarily have state-level threat hunting experience or a
huge amount of experience in Network Behavioural Analysis. To do this, the software team collected use cases for every stage of the threat investigation process carried out by the analysts. By carefully understanding how the analysts discovered threats using behavioural data, they developed ‘ForensicAI,’ a fully automated AI analyst built into the product. ForensicAI uses artificial intelligence to mimic analyst behaviour to automatically and instantaneously identify threats and vulnerabilities that can take an analyst hours to uncover by correlating multiple behaviours together manually. At this point Perception was identifying massive amounts of useful information and saving the analysts hundreds of hours. ForensicAI debuted in version 2.0 of Perception in 2015.
The Perception team has remained committed to developing the product throughout its life. The product is constantly evolving to introduce novel and interesting ways to address the challenges faced by analysts when protecting their networks. An easy to understand UI based on analyst’s existing toolset has continued to improve over the years so the system feels familiar to analysts of any skill level, allowing them to easily start to use Perception’s powerful threat identification capabilities.
Perception keeps a record of all connections made on a network, and this database was made available to the user in the ‘KnowledgeBase’ feature added to version 2.5 in 2017. KnowledgeBase allows the user to filter connections made by any device inside or outside of the network, helping them build up chronological incident reports and manually investigate incidents using a complete datastore of all network activity. Today Perception is one of the most advanced weapons in the cyber security arsenal. Whether you’re trying to detect previously unknown threats, identify unwanted user behaviour, or close network vulnerabilities before they are exploited by an attacker, Perception gives you a significant advantage in this fight. Perception has been designed specifically to give you unique insight into the behaviours of the devices on your network that will give you an edge against even the most determined adversaries.