
Overview
The Darktrace ActiveAI Security Platform provides a full-lifecycle approach to cyber resilience that can autonomously spot and respond to known and unknown in-progress threats within seconds across the entire organization, including cloud, apps, email, endpoint, network, and operational technology (OT). With its Self-Learning AI, Darktrace continuously learns and updates its knowledge of your business data and applies that understanding to help transform security operations and improve cyber resilience.
Highlights
- Darktrace protects over 9,400 organizations globally from known, unknown and novel cyber-threats.
- Darktrace ActiveAI Security Platform delivers a proactive approach to cyber resilience in a single cybersecurity platform, providing preemptive visibility into security posture, real-time detection, and autonomous response to known and unknown threats without disrupting business operations.
Pricing
| Dimension | Description | Cost/12 months |
|---|---|---|
| 30-day Trial | Free Proof of Value (POV) | $0.00 |
| Legacy Model | Up to 300 Mbps average bandwidth, 200 hosts | $30,000.00 |
| Legacy Model | Up to 2 Gbps average bandwidth, 1,000 hosts | $60,000.00 |
| Legacy Model | Up to 5 Gbps average bandwidth, 10,000 hosts | $100,000.00 |
Vendor refund policy
Per Section 7.1 of the Darktrace Master Services Agreement: https://darktrace.com/legal/master-services-agreement
Delivery details
Software as a Service (SaaS)
SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.
Support
Vendor support
Customer Portal support tickets and Phone support +44 (0)8081 893465
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
FedRAMP
GDPR
HIPAA
ISO/IEC 27001
PCI DSS
SOC 2 Type 2
Standard contract
Customer reviews
Monitoring has improved data loss detection and now spots abnormal internal file transfers quickly
What is our primary use case?
My main use case for Darktrace is to identify remote connections and abnormal connections such as FTP or any kind of RDP happening inside our LAN network or company network, where we want to verify the data transfers and check if any abnormal user is transferring data through the network to the outside, or any kind of suspicious activity.
One specific example of a situation where Darktrace helped me spot something unusual is when one of the employees tried to copy some of his data to the outside. He is a developer trying to implement an application in a cloud environment, and while he was copying his file from inside our network to a cloud network, we got an alert, which we considered significant because he had not done it earlier, as it was an initial step in his developing environment. Because of that alert from Darktrace, when we checked with him, it was actually a legitimate activity.
How has it helped my organization?
Darktrace impacts my organization positively by providing us with a better understanding of abnormal activities detected among users.
The positive impact includes helping us identify a lot of transfers and abnormal activities, as some users try to perform RDPs inside our network, using LAN for different desktops or laptops, making it quite useful to identify users, especially those from a non-technical background.
What is most valuable?
In my understanding, the best feature Darktrace offers is the identification of copying files, which acts as a DLP, and it is a main concern for companies because users sometimes copy data outside without knowing, especially those without a technical background.
When I mention the DLP-like feature and file copying detection, the alerts have been very timely, as we get an alert within a couple of minutes, which is excellent. Even if some developers are working after hours and copying files, our SOC team detects this, and most of the time they call us so we can identify the users. The alerts are quite accurate and proactive.
What needs improvement?
As of now, I feel Darktrace can be improved to better detect end device activities, such as laptops or desktops, to bind it with our network.
For how long have I used the solution?
I have been using Darktrace for around two years.
What do I think about the scalability of the solution?
Regarding scaling, we initially planned for 2,000 to 4,000 devices, but we did not add any additional licenses for more devices after implementing Darktrace.
How are customer service and support?
The customer support from Darktrace is good. We reached out to them a couple of times to check on some features, and they helped us very effectively.
How would you rate customer service and support?
Negative
How was the initial setup?
Integrating Darktrace with our existing security tools was not difficult at all. We simply SPAN our core network port into the Darktrace side, and we did not face any difficulties at that time.
Which other solutions did I evaluate?
In terms of the interface and reporting, I believe Darktrace is good. I have also worked with ExtraHop, and compared to them, I feel Darktrace is way ahead, so I do not have any improvement suggestions for reporting views.
What other advice do I have?
Darktrace is a very good tool, and we introduced it after we had an incident in a previous company, where we faced an attack and that is when we introduced this tool, which helped us identify a lot of abnormal activities, mainly from our developing team. My company is quite large with around 8,000 employees and they are developing a lot of things without our knowledge.
Although I do not have exact numbers, I can say that our security posture has improved a lot since implementing Darktrace, especially as our SOC team monitors the activities and we communicate with users about the need to stop certain activities.
During my time at the company, we did not find any zero-day threats or unusual attacks, but we noticed certain abnormal activities done by users.
My advice for others looking into using Darktrace is that for large-scale companies with huge teams, especially developers working separately from the system teams, it is crucial to implement security measures, as sometimes the most vulnerable positions come from those in technical backgrounds who can create security loopholes. In such environments, having tools like Darktrace is essential to improve the organization's security posture without compromising their reputation. I would rate this product a 9 out of 10.
Intelligent threat response has improved incident handling and provides clear attack path visibility
What is most valuable?
Regarding the autonomous response feature, I appreciate how it functions within the platform.
What needs improvement?
Based on my experience, I believe the solution could be improved in some areas, and there are certain drawbacks that I have encountered.
For how long have I used the solution?
I have been working with Darktrace for approximately one to one and a half years or longer.
What do I think about the stability of the solution?
In general, I would say that the interface of Darktrace is intuitive enough, and it aids in understanding threat landscapes and attack paths.
What do I think about the scalability of the solution?
Regarding scalability, I would rate it eight points.
How are customer service and support?
If asked to rate Darktrace support on a scale from zero to ten where ten is the best, I would give them five points.
How would you rate customer service and support?
Neutral
How was the initial setup?
Regarding the installation and initial setup, I found it to be straightforward rather than complex.
What's my experience with pricing, setup cost, and licensing?
Concerning pricing for the product, I would say it is somewhat expensive.
What other advice do I have?
I have rich experience with many tools including Vectra, Cisco firewall, and Check Point.
Great product, protects manufacturing environments
Consistent threat hunting and anomaly detection deliver valuable insights for network security management
What is our primary use case?
The typical use case for Darktrace is for threat vector scanning, detecting any unusual activity, and anomaly detection. Apart from that, it is very helpful in incident response.
What is most valuable?
The features I find most effective in Darktrace include anomaly detection. The machine learning model provides accurate alerts after the learning period of 1 or 2 weeks, especially for network anomalies or something that the user is trying to access, which can include trying to visit unknown sites or botnets, and those things get detected and represented in a very good dashboard.
Darktrace positively impacts my organization by enhancing threat hunting, particularly in east-west traffic within the same subnet. Previously, we only used traditional firewalls that cannot catch this lateral traffic. After deploying Darktrace, we gain insights into machine-to-machine communication, which adds more value to the organization and is especially beneficial for the SOC team.
What needs improvement?
In terms of improvement for Darktrace, pricing is the main concern. Pricing bothers me, and this is one of the major factors when choosing a solution. When we get feedback from customers, that's the only felt need. When we factor in Darktrace, we do it only in a limited way. We put it where the perimeters and connections are, but still, some gray areas are left out, especially if we have multiple branches. We need Darktrace on each branch to get the data out, and I suggest having some kind of centralized product that gets data from multiple sources to aggregate and provide the data.
For how long have I used the solution?
I have been familiar with Darktrace for the last 5 to 6 years.
What was my experience with deployment of the solution?
In terms of the speed and effectiveness of Darktrace's automatic response, it gives clear alerts whenever anomalies happen on the network, enabling us to catch them on the fly. However, some of the rules generate false positives, especially with system calls, which get incorrectly marked as anomalies. These are actually system call integrations that need fine-tuning based on our environment integrations.
Regarding Darktrace's capability to adapt and recognize abnormal activities through machine learning and AI, sometimes a password expiration prompts the user to connect to different sources to get the new password changed. During that time, it picks this up as abnormal activity when connecting to LDAP during off-business hours. This is an example of how it detects what it considers an anomaly, since user authentication typically happens during business hours.
What do I think about the stability of the solution?
Regarding overall stability, Darktrace is a stable product, and I have no complaints from customers wherever it is deployed.
What do I think about the scalability of the solution?
While considering if Darktrace is scalable, I note that there are storage limitations, where the planned capacity can sometimes be overutilized. There is still a gap in terms of storage, and we are trying to figure out how to increase that capacity for regulated environments, which require data retention for 5 to 6 years.
How are customer service and support?
I can rate Darktrace's technical support as one of the best products in the world. We have seen satisfaction reflected on our customers' faces after deployment when they start seeing the data and the dashboard, and they often express surprise at the network traffic visibility that Darktrace provides.
I would rate the technical support of Darktrace between 6 to 8, as the support is good and we receive timely assistance whenever we raise an issue.
Which solution did I use previously and why did I switch?
Before working with Darktrace, I did not use any similar solution in the same category. Earlier, I was using something called decepters, and my organization may have explored different products, but I learned about network detection and response through Darktrace about 5 to 6 years ago.
How was the initial setup?
Deploying Darktrace is quite easy and plug and play, wherein all we need is to put it in a data center, rack it up, and do some switch configuration. The learning would take a week's time, and once the data gets populated, we get a very good dashboard.
What about the implementation team?
For deploying Darktrace, I would require 3 to 4 people. We would require a data center person to assist in racking and mounting this, and some network engineers would make the configuration to span the data ports.
What was our ROI?
When considering return on investment for organizations using Darktrace, the disadvantage lies in having to use a physical appliance. Running a quick POC is not possible since the hardware has to be shipped from the UK or elsewhere, but other NDR solutions provide virtual appliances that can be deployed on virtualization servers to get up and running quickly.
What's my experience with pricing, setup cost, and licensing?
In terms of setup and licensing costs, Darktrace is on the pricier side compared to similar solutions in the NDR market. Other NDR solutions are also on the higher side, but Darktrace stands out as a bit higher. Competitive pricing would certainly help me as a system integrator to convince customers.
Which other solutions did I evaluate?
I did not evaluate other options when looking into Darktrace, but some customer preferences led us to consider other NDR solutions, such as FortiNDR. Our customers had a Fortinet setup with various products, and they preferred FortiNDR for proprietary visibility when collecting logs from Fortinet devices.
What other advice do I have?
We are using the latest version of Darktrace. I have not used Darktrace's Enterprise Immune System. Antigena is the feature of Darktrace that we have recently experienced. At the moment, I have not encountered a situation where Darktrace's self-learning capabilities reduced the risk of data breaches, but it performs very effectively overall. It requires some time to adapt; initially, when we deploy, it takes weeks. On a scale of 1-10, I rate Darktrace a 9.
Provides effective email protection but support could improve
What is most valuable?
Regarding the ROI, we have experienced a significant reduction in phishing emails and have utilized our time efficiently, resulting in approximately 70% ROI.
What needs improvement?
The support is the main problem, though there are some other issues as.
How would you rate customer service and support?
Neutral
What other advice do I have?
In terms of AI functionality, I have seen some AI integrations overall. Darktrace is completely designed based on AI and machine learning, making it very efficient in identifying suspicious behavior and suspicious emails.
We are using the Securonix SIEM solution, and from ManageEngine, I use Help Desk and the Patch Manager.
On a scale from 1 to 10, I would rate Darktrace as six points.