Blog

Cloud

Keep the car running: Why AAA Washington turned to Autonomous Response

Keep the car running: Why AAA Washington turned to Autonomous ResponseDefault blog imageDefault blog image
03
Feb 2022
03
Feb 2022

AAA Washington is best known for its emergency road service, but operates in a broader range of areas including insurance and travel. Our priorities from a security side are two-fold: making sure we are adequately prepared to defend against advanced and pertinent threats like ransomware, and protecting the sensitive data of our employees and our members.

About two years ago, we hit a fork in the road. Our information security team was conscious that we had a gap in real-time monitoring, and in particular, 24/7 response. It wasn’t that we didn’t already have tools in place, or that we weren’t shipping logs, we just didn’t have a 24/7 protocol. So if an attack were to come in at 3am, for example, we weren’t confident enough in our ability to take immediate action to contain the threat.

So we looked at two options. It was our Matrix ‘red pill or blue pill’ moment: a choice between the willingness to learn a life-changing truth by taking the red pill, or taking the blue pill and opting for the more traditional path.

For us, that blue pill – and what many recommended at the time – was the option of consulting an external 24/7 Security Operations Center. We knew this would solve our problem, but it also had a lot of drawbacks, mainly around time consumption: you have to get a service-level agreement (SLA) in place, set up SNMP traps, ship logs over to the SOC, who are then tasked with untangling those logs. You know that the SOC is then looking at AAA Washington’s environment along with hundreds of others. You’ve got to develop a relationship with the SOC technician who doesn’t know the nuances of your environment or your business logic…

So understandably there was a level of reluctance there.

And then we had the red pill, which for us, was Darktrace, offering AI technology that could learn our environment all by itself, and respond autonomously to emerging attacks. No steep learning curve, no ongoing maintenance.

We had to try it. Cloud deployments are available but even for our on-prem arrangement, the trial process was a no-brainer: we got the box, plugged it in, and we were off and going. If we didn’t like it, all we had to do was unplug it and ship it back.

The visibility Darktrace gave us was immediately apparent, and in that first week it alerted us to the fact that every other night, 1GB of outbound traffic was going to an East Coast data center from our back-up appliance. We thought we knew what was going on in our digital enterprise, but we had no idea – Darktrace providing that knowledge and filling those gaps showed us that this was heading exactly in the direction we wanted.

Autonomous Response

So full marks for visibility and anomaly detection, but what about that response capability that led us to consider Darktrace in the first place? We were keen to see what actions Antigena would recommend and assess their accuracy and severity.

Being naturally risk-averse at AAA Washington, we initially set Antigena up in human confirmation mode, meaning an operator had to give the green light before it took action. It took about two weeks for it to learn the nuances of our digital environment, and it wasn’t long before we found its actions were extremely accurate, and minimally disruptive.

It never took drastic action like quarantining a device, it simply stopped what we needed it to. It played a significant role in protecting us in the wake of some high-profile attacks, including the SUNBURST attacks and the more recent Log4shell vulnerability.

Adapting to a hybrid cloud strategy

In the two years since deploying Darktrace, we have made significant changes to our digital infrastructure – including, like so many others, migrating to the cloud. I wondered whether we would lose the visibility and protection we got from Darktrace when this happened.

But with its dedicated SaaS Modules for Microsoft 365 and others, Darktrace had this covered. It’s been able to shed a light on malicious activity occurring across our full Microsoft 365 product suite.

We can see things like unusual email forwarding rules that indicate an account takeover. With other tools, it takes six to eight clicks to find that information. The information is available, but accessing that data is a complex and convoluted process. Darktrace delivers that holy grail of having a single pane of glass view in a security tool. Having that detailed one stop view means reducing mean time to understanding, and mean time to response.

Self-Learning AI on the endpoint

And when large-scale remote working came about, Darktrace again brought visibility and Autonomous Response to cover our endpoint devices, protecting them from threats like ransomware that would go undetected from network coverage alone. The ability to stop these threats at the first hurdle, before they spread and infected other devices, was crucial for us.

It was another case of Darktrace adapting, and another reason I’m confident about working with Darktrace as a long-term partner: every time I think Darktrace is going to not be as relevant, these new developments bring us up to speed.

Keeping the show on the road

Darktrace has done exactly what we wanted to do by filling that gap we had in 24/7 response. But it has gone further by proving that time and time again, it can adapt as our digital infrastructure changes and grows, and can cover our employees wherever they work.

The technology presents us with all the information we need in a single pane of glass with the Threat Visualizer. With the Mobile App, I can get notifications of high-priority alerts and Darktrace’s autonomous actions, wherever I am. And when there’s a serious incident, there is always someone available to offer support and get me what I need to know, fast.

Taking that red pill all those months ago was one of the best decisions I’ve made as an IT security professional. Whatever challenges are down the road, I’m confident Darktrace will be there to meet them.

Hear from more Darktrace customers

More in this series:

No items found.

Like this and want more?

Receive the latest blog in your inbox
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Ron Nichols
Senior Information Security Analyst at AAA Washington (Guest Contributor)
USE CASES
No items found.
PRODUCT SPOTLIGHT
No items found.
COre coverage
No items found.
This Article
Keep the car running: Why AAA Washington turned to Autonomous Response
Share
Twitter logoLinkedIn logo

Related Articles

No items found.

Good news for your business.
Bad news for the bad guys.

Start your free trial

Start your free trial

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Get a demo

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.