From defending states to defending enterprises: a new approach for cyber security
“So, here’s a crazy idea...”
Looking back now I realise that ideas that begin with this statement often go one of two ways. They either A) go nowhere because they are immediately shot down by those around us and we give up, or B) might initially be dismissed as crazy, but something keeps us going and sharing it with enough people, and eventually we find others who are equally crazy and who have the talent to actually pull it off. Then things get interesting.
In short, my crazy idea was this…
“…In the same way that GPS systems become more accurate by using multiple satellites to pinpoint the most accurate location, why don’t we build a system for detecting cyber-attacks that applies the same principle?”
I’d always been a bit of a geek. From an early age, my Mum had taught me how to touch type on a Vtech computer, but it was my Dad who really hit it out of the park when he came home one day with an Amiga 500 computer – it was an amazing machine, and I was hooked. Despite my interest in computers I chased another boyhood dream, and my love and passion for soldiering that I discovered during my time in the Army cadets would eventually lead to me joining the UK's specialist military units. I’ve now spent the best part of the last 15 years jumping out of planes, diving out of submarines, helping to rescue hostages abroad and conducting surveillance and reconnaissance in far and distant places.
Despite how cool this sounds I could never fully escape my boyhood passion for technology, and actually it was during my time within the UK's specialist military units that I fell into the world of hacking. Combining my two main interests was a dream come true, and I ended up becoming the first cyber specialist within these military units.
Learning more and more about this world was eye-opening, and I became fascinated by how technology could help us to achieve our missions more safely and more efficiently.
One of the underpinning principles of successfully deploying highly trained specialist military units in any operation is to ensure they have “access to the highest forms of intelligence” – makes sense right...? We worked on very complex intelligence problems and trained relentlessly to be ready to apply ingenious thinking, surprise and positive action to achieve our missions. So, in these situations (that often had very slim chances of success) the least we could ask for was to be given the best information available to help us improve our odds.
This environment instilled within me a sense of mission that drove all of us to perform in extreme situations. When I left in 2015 I was concerned that I would never find the same passion and drive again.
However, I ended up throwing myself into the cyber security industry, which pretty quickly became a comfortable fit. I spent my time conducting penetration tests, performing incident response and working with some great cyber technology companies. In some ways it felt like being back at the start, but the quality of people who inspired and mentored me was second to none.
The more I worked with a wider range of security operations teams, the more I began to realise that there were common problems across the industry. I sympathised with the individuals who were under extreme pressure to achieve great things in very difficult circumstances. I could see that there were significant improvements that could be made, and as I began to discuss these ideas within the community I had an increasing sense that there were lessons learned from my military background that could be directly applied to helping security operations teams better protect businesses.
It was with that idea that I began to develop Senseon: an idea that could become enormously helpful for the cyber defence community, but which represented a mountain to climb in terms of development effort. My mission was to take a different direction, and to humbly suggest to the industry that maybe, just maybe, there might be another way to approach the problem.
Perhaps rather than applying lots of traditional single point solutions (something that organisations across the globe currently rely on) we should be building an entirely different system that gathers increasing levels of relevant information and then analyses this data from multiple points within a business.
Crucially, for this approach to work, each of these points would have to be able to have autonomous conversations with one another – to work together natively, as one, to better detect and autonomously investigate cyber threats.
Humble beginnings, big ambitions
It seemed a simplistic idea on the one hand: a brain interprets the information it receives from multiple senses, and it is good at correlating this information to aid perception and decision making. But building a cyber defence product based on the same principles would require long development cycles, cross-domain knowledge, immensely talented people and, well, money. Looking around my small London flat, these were not things I had in ready supply.
I don’t think I had ever worked as hard in my life as in those early days. This may sound like a strange thing to say because I wasn’t exactly being shot at anymore, yet by contrast, the challenges in those early days seemed overwhelming. Fuelled by caffeine and (too much) pizza, I began working on the design and a proof of concept of the technology.
Not only was I developing this new idea, but I also had a full-time job and did cyber security consultancy separately, to pay the bills. It was during this time, as I was performing a penetration test for a client through one of my businesses, that I was afforded the opportunity to install version 0.1 of Senseon.
I now had data – and a customer!
A green light
All of a sudden, things began to get just a little bit easier. The development began to speed up, but finding the right level of talent to achieve the mission was tough, and it took time. Eventually, one-by-one and slowly at first, we built a team who would turn this idea into reality. Importantly, it was those people who shared my passion for the Infosec industry and who realised that Senseon had a genuine opportunity to move the needle in cyber defence who began to gravitate towards us.
In fact, I now think that if we hadn’t been so ambitious about our mission and the motivation behind it, we wouldn’t have been able to attract such amazing people in those crucial days of early development.
Fitting in and standing out
It is Senseon’s first mission to solve a perennial problem in the industry: there are too many false positive alerts and not enough people to deal with them. The implication of this tactical problem is that those charged with defending organisational networks and data struggle to spot the attackers’ signals amongst all of the noise.
This really is the foundation of our mission at Senseon. We believe in solving difficult problems well, and in helping the overburdened security professional sleep at night. Each individual within the Senseon team at this point had direct experience in developing cyber defence technology, or working within or even establishing security operations centres. We understood the pains and challenges faced by those working in security operations and wanted to help address the issues that we ourselves had struggled with.
The first problem we identified was that the industry is full of single point security solutions, and these tools often rely on only one source of intelligence to make decisions. This limitation means they must err on the side of caution, and the result is that when they see something unusual they must produce an alert - despite not having any degree of certainty that it is indeed malicious.
Small organisations often don’t have the resource, cash or expertise to manually investigate this flood of alerts. At the other end of the spectrum, it very quickly becomes unscalable for larger enterprises: they may have dedicated security teams and larger security budgets, but they are running dozens of these single point solutions. Fundamentally, solutions don’t have the ability to talk to one another, or if they do the burden is placed on the end user to figure it out. The result is often a manual, almost duct-taped together system at the back end or in the SIEM.
Senseon’s aim is to help organisations of all sizes cut through the noise, discount what is merely unusual, and bring focus to investigating genuine threats.
The birth of AI
We had laid the foundations of the technology. The system architecture was in place – including everything from the process of gathering and enriching data across its various senses, to how we would visualise threats. It was now time to work on the next challenge: building meaningful AI.
Before I go on to explain more about how our AI functions, I feel it important to classify what I mean when I talk about AI. Artificial intelligence (AI) is a concept we are all aware of from science fiction, but in reality, its current applications and abilities are very different.
Machine learning is considered a branch of AI. It comes in different forms: AGI, or ‘artificial general intelligence’ refers to a level of intelligence that is comparable to the human brain, capable of understanding or solving any challenge put to it – a goal that has not yet been achieved, but represents an ambitious project being developed by the likes of Google DeepMind. ANI, or ‘artificial narrow intelligence’ is a simpler and more targeted version of AI that has specific goals and an understanding that is only relevant to its intended application. This is a much more practical solution, and this form of AI has been applied and proven in many real-world situations.
Senseon utilises sub-branches of the narrow and targeted form of AI, including machine learning, natural language processing and knowledge management, that best suit cyber security. Applying aspects of AI to cyber security has multiple challenges, including the modality, periodicity and interpretation of the data - we will expand more on these topics in future posts, describing how we have integrated various approaches and overcome these latent challenges to produce an overarching intelligent system.
In short, machine learning and AI help us to perform tasks at a scale we would not otherwise be able to achieve. They can process large quantities of data with great speed and accuracy to find patterns within that data which would take a human analyst far longer to spot. Perhaps more importantly, they are also often able to find things that a human analyst might not be able to see at all. You will probably have heard discussions about machines replacing humans, but this is not Senseon’s aim.
Given the skills and resource gap within the global cyber security industry, we see AI as a way to augment the analysts. AI should be used to enhance our capabilities and to help us bring focus to what we do.
The art of automation
In its infancy, basic machine learning was able to spot anomalous activity - understanding when irregular events occurred within an organisation’s environment. Anomaly detection is useful at surfacing unusual behaviours that could potentially be cyber threats, but it doesn’t address the fundamental problems I mentioned earlier, regarding the high volume of false positive alerts. Indeed, if you deploy pure anomaly detection at enterprise scale, you really run the risk of creating an additional layer of noise for attackers to hide in.
To overcome the issues of false positives, I knew that our technology and approach needed to go further. With the help and support from our advisors, such as Dr Ken Urquhart, a former Senior Director for Innovation at Microsoft and early Applied A.I. researcher at CERN, and by bringing AI specialists, such as Dr. Neil and Dr. Ivan into the team, we were able to do something that no other system was able to do.
To achieve our ambition of going beyond anomaly detection and separating the benign from the genuine, we would have to build a complex technology involving many components. This process would later be known as ‘AI Triangulation’ – the system at the heart of Senseon.
We enabled our intelligent system to gather context to improve accuracy, we built multiple senses to observe behaviour across the entire organisation, we developed bots to automatically gather specific ‘just-in-time’ intelligence from beyond the organisation’s perimeter, and importantly we gave the AI the ability to have a conversation-like approach that allowed each of the components to talk to one another, pause for thought, and learn from experience rather than making rash decisions and snap judgements.
Perhaps not such a crazy idea
Often unfairly, cyber security professionals can be perceived as being hugely cynical. Something we have found very humbling is the overwhelmingly positive response from the Infosec community as we have been on this journey. We are hugely grateful to all of the security teams in the beginning who went above and beyond to help us develop Senseon into what it is now. Their belief in our technology and our approach drives us forward every day.
I can’t express how satisfying it has been to see the ideas and passion of the team drive the company to this stage, and how rewarding it is to put our tech into the hands of those who need it most. We are successfully challenging the perceptions of how cyber security should be done – and it’s great.
I’m proud of what we’ve created at Senseon, not just as a technology but also culturally. It’s a great place of energy, innovation and possibility, with a fantastic level of comradery across the team. I’d like to think that I have a very good understanding of what it means to have a strong community and culture from my time in the military, and that we have achieved that at Senseon.
Of course, we didn’t get here alone. It is the joint wisdom and support from friends, family, colleagues, investors and advisors who have helped to build the Senseon story and who have supported us to get the business to where it is now – one of the best-resourced tech companies in the world at our stage of growth. We continue to develop business in the Americas under our brilliant US CEO, Kate Kuehn @KateKuehn and look forward to even more exciting times ahead.
Looking back now, I’m glad that Option B paid off. Sometimes, even the crazy ideas are worth listening to.
About the author
David Atkinson, Founder and CEO, Senseon
Before moving into the cyber security industry, David spent over 15 years working within the UK’s specialist military units where he was the first cyber operative. His combined experience and technical abilities gained from his background in military, government and the private sector have led him to challenge the current approaches to cyber security and to create Senseon.