Start-ups often begin in an effort to transition a technology or a service into the market by way of a new business. We talked with Champion Technology, who’s had the experience of taking their Darklight product from its development inside a US Department of Energy National Laboratory and moving it to market. Ryan Hohimer (Champion’s Chief Technology Officer), John Shearer (Chief Executive Officer), and Jess Richter (Chief Revenue Officer) described how the process worked for them. It’s worth noting that Darklight seeks to address the shortage of cyber security experts.
After 9/11, Hohimer spent considerable time at a National Laboratory working on large graph analytics with a view to studying the motivations and intentions of terrorists and other bad actors. The challenge was how to represent and reason about insights derived from the “soft sciences” like sociology and psychology. That study led naturally to investigation into and understanding of user behavior in other environments, and especially in cyberspace. Darklight’s technology emerged from that work.
“We had a group that looked into the national labs for breakthrough technologies, and whether that underlying technology could be used in the commercial sector, and sold back into the government,” Shearer said. “Ryan had invented an incredible tool with his team that didn't seem to have a commercial application, but we saw that it was patented. It was unique in that no one else had applied this advanced AI reasoning in the areas they did. Where you have either a massive amount of information or not enough information, and you have a scarcity of experts to make sense of it and turn it into something actionable.” This kind of capability can be applied in many fields.
There are a million cyber analyst jobs open. This inevitably means not only a shortage of labor, but it also means that there’s considerable churn within that constrained labor pool. It typically takes eighteen months for an analyst to learn the context of the enterprise they’re protecting. “That's tribal knowledge.” Darklight captures that knowledge without requiring analysts to write lots of code. An analyst’s tribal knowledge, preserved in Darklight, becomes another asset of the company. If an analyst leaves, the company retains his knowledge. “The knowledge that needs to come forward is the domain expertise of human analysts,” they said. “Knowing network traffic, packets, protocols, the bad guys--if they know these, and their business processes, anomalous behavior stands out like a sore thumb. We capture that expertise. An AI tightly coupled to the real intelligence of those cyber security analysts is what we bring to the table.”
The underlying system was architected primarily as a sharing method. “Analysts would rather do higher level thinking. A good analyst is a highly creative problem solver.” Problems divide into ones for which an answer can be programmed, and ones for which an answer cannot. There may be no one right answer, they noted, and they stressed that Darklight doesn’t force one. Its goal is to serve as a virtual analyst that enables highly skilled analysts to do a better job, concentrating on becoming creative problem solvers.
Darklight’s technology was enabled by the semantic web movement. It can pull in content, theory, and logic from thought leaders, as well as give them an operational and computational form to do it. A typical security operations center (SOC) might have between two and ten analysts. They probably need five hundred, but that’s an impossibility given the realities of the labor market. Darklight thus enables one analyst to do the work of perhaps twenty.
This is one company’s experience in adapting technology in a way that reduces the fatal dependence on scarce expert labor.