The cybersecurity industry has always had a fortress mentality: Firewall the perimeter! Harden the system! But that mindset has failed—miserably, as each new headline-generating hack reminds us. Even if you do patch all your software, the way Equifax didn’t, or you randomize all your passwords, the way most of us don’t, bad actors are going to get past your heavily guarded gate, into your network. And once they do, they’re free to go wild.

Scott Rosenberg is an editor at Backchannel.

That’s why some in the industry are beginning to focus less on sealing borders from outside threats and more on sensing bad behavior inside as it happens—when it can be stopped. They’re shifting from military metaphors to the language of biology; they’re designing immune systems rather than barricades.

Darktrace, founded by Cambridge University mathematicians and ex-British spies, uses machine learning to define what “normal” looks like for any network and all its devices and then report on deviations and anomalies in real time. That’s a big break from the usual security routine of cataloguing prior attacks and guarding against repeat performances. Darktrace CEO Nicole Eagan argues that artificial intelligence is the only way to defend networks against the “unknown unknowns”—the inside jobs and novel exploits your antivirus scan won’t find.
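One way to picture the difference between the "yesterday's attack written in a rule" approach and the learn-what-normal-looks-like approach described above is a small detector that does both over the same traffic. The example below is added here for illustration; it is not Darktrace's code or algorithm, and the connection records, device names and the hypothetical "known bad" port 4444 are constructed for the example rather than taken from any real network.

```python
"""Illustrative 'learn normal, flag deviation' detector (added example).

Contrasts a signature rule, which fires only on a known indicator, with a
per-device behavioural baseline, which fires on what is unusual for that
device. Not Darktrace's code; all data below is constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data. Each record: (day, device, dest_port, bytes_out).
# A quiet training week for a till and a web backend.
BASELINE_LOG = []
for day in range(1, 8):
    BASELINE_LOG += [
        (day, "pos-terminal-1", 443, 40_000 + 500 * day),
        (day, "pos-terminal-1", 53, 2_000),
        (day, "web-backend-1", 5432, 900_000 + 10_000 * day),
        (day, "web-backend-1", 443, 300_000),
    ]

# Constructed "live" day 8: two ordinary records per device plus two oddities.
LIVE_LOG = [
    (8, "pos-terminal-1", 443, 41_000),     # usual volume on a usual port
    (8, "pos-terminal-1", 53, 2_100),       # usual
    (8, "pos-terminal-1", 445, 15_000),     # a till speaking SMB: never seen before
    (8, "web-backend-1", 5432, 920_000),    # usual
    (8, "web-backend-1", 443, 9_000_000),   # 30x its usual egress on a usual port
]

# What a rules-and-signatures tool holds: a known-bad indicator (hypothetical).
SIGNATURE_BAD_PORTS = {4444}


def signature_alerts(records):
    """Flag only records that match a known indicator of compromise."""
    return [r for r in records if r[2] in SIGNATURE_BAD_PORTS]


def build_baseline(records):
    """Per-device model of 'normal': which ports it talks to, and the
    mean/std-dev of bytes sent per (device, port) during training."""
    samples = defaultdict(list)
    for _day, dev, port, nbytes in records:
        samples[(dev, port)].append(nbytes)
    model = {}
    for (dev, port), vals in samples.items():
        model.setdefault(dev, {})[port] = (mean(vals), pstdev(vals))
    return model


def baseline_alerts(model, records, z=3.0, min_sigma_frac=0.1):
    """Flag records that deviate from the learned per-device baseline.

    Two deviations are checked: a destination port the device has never
    used, and an egress volume more than z standard deviations above its
    mean for that port. The std-dev is floored at a fraction of the mean
    so a perfectly constant history (sigma == 0) does not flag every
    trivial fluctuation.
    """
    alerts = []
    for _day, dev, port, nbytes in records:
        ports = model.get(dev)
        if ports is None:
            alerts.append((dev, port, "device not seen during baseline"))
            continue
        if port not in ports:
            alerts.append((dev, port, "new destination port for this device"))
            continue
        mu, sigma = ports[port]
        sigma = max(sigma, min_sigma_frac * mu)
        if nbytes > mu + z * sigma:
            alerts.append((dev, port, f"egress {nbytes} vs usual ~{int(mu)}"))
    return alerts


if __name__ == "__main__":
    print("signature alerts:", signature_alerts(LIVE_LOG))
    for a in baseline_alerts(build_baseline(BASELINE_LOG), LIVE_LOG):
        print("baseline alert:", a)
```

Run as-is, the signature rule raises nothing on the live day because neither oddity touches the one port it knows about, while the baseline flags the till's first-ever SMB connection and the backend's 30x jump in outbound bytes. The caveat a practitioner should keep in mind is that a baseline is only as clean as the period it was learned from: if an attacker was already active during training, their activity becomes part of "normal" and is not flagged afterwards, which matters when dwell times are measured in months.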

Eagan is an Oracle veteran who, like many of her cofounders, also did a stint at Autonomy, the Cambridge-based big-data innovator that was acquired by Hewlett-Packard in 2011 (and sparked a legal battle after HP decided it had paid too much). Darktrace isn’t the only company promising to flag malefactors at work inside networks; other outfits like AlienVault, NetWatcher, and SS8 also say they can offer that kind of deep-field defense. But none of these competitors relies as heavily on AI capabilities as Darktrace, and some are outspokenly skeptical that it can be done at all.

Eagan recently sat down with Backchannel to explain how Darktrace’s approach could help democracies trying to protect their elections and how the hacking of Equifax will change the way businesses connect with one another.

Scott Rosenberg: Say you’re running an online retailer. You’ve already got all the usual network defenses. What do you need AI for?

Nicole Eagan: The big challenge that the whole security industry and the chief security officers have right now is that they're always chasing yesterday’s attack. That is kind of the mindset the whole industry has—that if you analyze yesterday’s attack on someone else, you can help predict and prevent tomorrow’s attack on you. It’s flawed, because the attackers keep changing the attack vector. Yet companies have spent so much money on tools predicated on that false premise. Our approach is fundamentally different: This is just learning in real time what's going on, and using AI to recommend actions to take, even if the attack’s never been seen before. That’s the big transition that Darktrace is trying to get folks like that online retailer to make: to be in the position of planning forward strategically about cyber risk, not reacting to the past.

I know military language gets overused in this industry, but it sounds like you’re taking the defense from the network’s borders to the whole interior. Does Darktrace just replace the old firewalls and virus catchers?


I think there’s been an over-investment at the perimeter, trying to harden it—as well as in things like looking at the dark web to see if your data’s already published out there, or buying third-party threat intelligence feeds about historical attacks on other companies. If they did make any investments inside, they were usually in what’s called rules and signatures [pattern-matching known exploits and viruses], which, again, is just yesterday’s attack written in a rule, and then you try to catch it.

When we start working with companies, it changes their mindset about security. It gives them visibility they've never had before into the goings-on of the pattern of life of every user and device inside their network. It lets them see their network visually in real time, which is an eye opener. They also realize that you can catch these things early. The average attacker is in a network 200 days before real damage is done. You’ve got a lot of time.