CylanceINFINITYENGINE: Applying Data Science to Advanced Threats



Similar documents
SECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION

EXTENDING NETWORK SECURITY: TAKING A THREAT CENTRIC APPROACH TO SECURITY

The Hillstone and Trend Micro Joint Solution

REVOLUTIONIZING ADVANCED THREAT PROTECTION

Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection

ENABLING FAST RESPONSES THREAT MONITORING

The Dirty Secret Behind the UTM: What Security Vendors Don t Want You to Know

Endpoint Security Management

Technology Blueprint. Protect Your Servers. Guard the data and availability that enable business-critical communications

McAfee Server Security

Top five strategies for combating modern threats Is anti-virus dead?

Requirements When Considering a Next- Generation Firewall

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

End-user Security Analytics Strengthens Protection with ArcSight

The Advanced Attack Challenge. Creating a Government Private Threat Intelligence Cloud

Top 10 Reasons Enterprises are Moving Security to the Cloud

The Cyber Threat Profiler

Cisco Security Intelligence Operations

Machine-to-Machine Exchange of Cyber Threat Information: a Key to Mature Cyber Defense

Fighting Advanced Threats

Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data

THE BLIND SPOT IN THREAT INTELLIGENCE THE BLIND SPOT IN THREAT INTELLIGENCE

The Growing Need for Real-time and Actionable Security Intelligence Date: February 2014 Author: Jon Oltsik, Senior Principal Analyst

WHITE PAPER SPLUNK SOFTWARE AS A SIEM

WildFire. Preparing for Modern Network Attacks

Host-based Intrusion Prevention System (HIPS)

SANS Top 20 Critical Controls for Effective Cyber Defense

Endpoint Threat Detection without the Pain

What Do You Mean My Cloud Data Isn t Secure?

Analyzing HTTP/HTTPS Traffic Logs

Next-Generation Firewalls: Critical to SMB Network Security

White. Paper. Rethinking Endpoint Security. February 2015

WHITE PAPER Cloud-Based, Automated Breach Detection. The Seculert Platform

Unified Security, ATP and more

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

Threat Intelligence: What is it, and How Can it Protect You from Today s Advanced Cyber-Attacks A Webroot publication featuring analyst research

SOLUTION BRIEF. Next Generation APT Defense for Healthcare

The SIEM Evaluator s Guide

WHITE PAPER: Cyber Crime and the Critical Need for Endpoint Security

Netsweeper Whitepaper

Cisco Advanced Malware Protection

Commtouch RPD Technology. Network Based Protection Against -Borne Threats

The Symantec Approach to Defeating Advanced Threats

CA Host-Based Intrusion Prevention System r8.1

Stuart McClure Ryan Permeh Glenn Chisholm Malcolm Harkins. Chief Technology. Global Chief Information Co-Founder. Officer

Utilizing Pervasive Application Monitoring and File Origin Tracking in IT Security

McAfee Global Threat Intelligence File Reputation Service. Best Practices Guide for McAfee VirusScan Enterprise Software

Carbon Black and Palo Alto Networks

The Next Generation Security Operations Center

A New Era of Cybersecurity Neil Mohammed, Sales Engineer

Staying Secure After Microsoft Windows Server 2003 Reaches End of Life. Trevor Richmond, Sales Engineer Trend Micro

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

White Paper. Why Next-Generation Firewalls Don t Stop Advanced Malware and Targeted APT Attacks

Cisco Advanced Malware Protection Sandboxing Capabilities

Content Security: Protect Your Network with Five Must-Haves

Recurrent Patterns Detection Technology. White Paper

Endpoint Security and the Case For Automated Sandboxing

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

Cisco Advanced Malware Protection for Endpoints

ADVANCED THREATS IN THE ENTERPRISE. Finding an Evil in the Haystack with RSA ECAT. White Paper

A Case for Managed Security

Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform

ProtectWise: Shifting Network Security to the Cloud Date: March 2015 Author: Tony Palmer, Senior Lab Analyst and Aviv Kaufmann, Lab Analyst

Endpoint Security for DeltaV Systems

WAN security threat landscape and best mitigation practices. Rex Stover Vice President, Americas, Enterprise & ICP Sales

Addressing the Full Attack Continuum: Before, During, and After an Attack. It s Time for a New Security Model

Top 10 Anti-fraud Tips: The Cybersecurity Breach Aftermath

Enterprise-Grade Security from the Cloud

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

Q1 Labs Corporate Overview

IBM Security IBM Corporation IBM Corporation

I D C A N A L Y S T C O N N E C T I O N

McAfee Security Architectures for the Public Sector

Critical Security Controls

Persistence Mechanisms as Indicators of Compromise

End to End Security do Endpoint ao Datacenter

IBM Security QRadar Vulnerability Manager

5 Steps to Advanced Threat Protection

Evolution Of Cyber Threats & Defense Approaches

QUARTERLY REPORT 2015 INFOBLOX DNS THREAT INDEX POWERED BY

Addressing the blind spots in your security strategy. BT, Venafi & Blue Coat

I D C T E C H N O L O G Y S P O T L I G H T. S e r ve r S e c u rity: N o t W h a t It U s e d t o Be!

Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness

IBM QRadar Security Intelligence April 2013

Securing Cloud-Based

ESG Brief. Overview by The Enterprise Strategy Group, Inc. All Rights Reserved.

Anti-exploit tools: The next wave of enterprise security

White Paper. Time for Integrated vs. Bolted-on IT Security. Cyphort Platform Architecture: Modular, Open and Flexible

Securing the endpoint and your data

You ll learn about our roadmap across the Symantec and gateway security offerings.

Transcription:

CylanceINFINITYENGINE: Applying Data Science to Advanced Threats The Problem An Overview of the Cylance INFINITYENGINE Platform The cybersecurity industry is now over 30 years old. And just like people, with each passing decade, we realize that what worked for us in our 20 s, simply won t work for us now or going forward. In fact, carrying forward the mindset and behaviors of those first 20 years exposes us to countless problems in health and long-term solvency. We learn that to survive in the world, we must adapt and evolve to a higher form of existence. The antiquated and archaic practices of our past limit our visibility into the future in detecting, and thereby avoiding, maliciousness. Consequently, they have given rise to a freight train-sized hole of opportunity for the cybercriminals and nation states that wish to exploit our blindspots in the cyberworld. Blacklisting (and Signatures) Can Be Compromised Blacklisting technologies rely almost 100% on signature-based techniques for detecting bad files and have been at the heart of our industry since the beginning when we had only rare outbreaks like Michelangelo, Stoned and the Morris Worm. The grossly unfortunate fact is that blacklisting remains the predominant form of detection (and thereby prevention) in the market today. Signature-based approaches to security served us well when the number of bad objects (files, network traffic, and vulnerabilities) was small and the techniques to alter those files to bypass detection were non-existent. Today, however, countless techniques exist to avoid these once stalwart protection technologies, including packers, mutation engines, obfuscators, encryption and virtualization bypass techniques. Within milliseconds, a once easily-detected malicious file can be altered to be completely invisible to even today s best traditional detection technologies while remaining functionally identical to its original maliciousness. This allows the bad guys to easily bypass security infrastructure that once detected them with ease. The sheer number of files submitted to security vendors today for analysis (over 100k daily) is so overwhelming that most vendors simply cannot handle the volume. Their methods and manpower become easily overwhelmed. The scale of the problem outpaces the industry s capacity for maintenance. As a result, most blacklisting products have rampant miss rates. Whitelisting Can Be Compromised Whitelisting technologies were developed in response to what the blacklisting world falls victim to - low detection rates. In other words, blacklisting alone detects only 5-10% of malicious files out there. The Copyright 2015 Page 1

reason whitelisting was so promising for so long was that it effectively did the opposite of blacklisting. Rather than stopping every known bad file, which is difficult and can involve a large list, whitelisting only allows files to run which are known to be good. Only allowing good files to run is presumably an easier task to manage because it involves maintaining a much shorter list. This technique has been applied to security through identification of permissible URL s and files that are known, or perceived, to be clean and safe. But these solutions have some fundamental problems as well. The first challenge with solutions that rely heavily on whitelisting is that one must simply trust what the vendor or your operations staff has designated as good. We have seen this model fail time and again with security and software vendors who have their development environments compromised and their private signing certificates stolen (e.g. Adobe, Bit9 and Opera Software). When these attacks occur, it allows the thief to sign their own malicious files as if they came from the trusted vendor. And because whitelisting solutions rely so heavily on this trust model, it allows the bad guys to easily bypass the technology. Trust Can Be Compromised As a consequence to the identified gaps of blacklisting and whitelisting, numerous technologies have crept up to fill in the gaps of signature technology including host intrusion protection systems (HIPS), heuristics, behavioral, and both hardware and software sandboxing. But all of these techniques have two core weaknesses - foundational signature elements and reliance on trust. Technologies such as HIPS, heuristics and behavioral engines remain at their core, signature-based. They rely on knowing what is bad and creating a signature for each threat. Even sandboxing technologies which claim to not use signatures auto-detonate captured files and binaries and still rely on signatures to enable alerting and blocking the next time it sees the threat. For these technologies to know if something is good or bad, they must map them to a list of known good or bad behaviors which can take minutes, hours, or days using manual verification. Even then, the attack has already happened and the detonation may not discern the maliciousness of the malware. Security Must Evolve Bad guys have the advantage with more resources and time to outwit the various detection schemes of security vendors. Additionally, many security models, like signatures, require the engagement of a human. Human involvement is fallible and limited in scale to the speed and sophistication of advanced threats. We as an industry must evolve from this outlived model to a new and ever-evolving technique; one that abandons signatures and blind trust; one that relies on a mathematical, algorithmic and scientific approach to better effectiveness and measurable accuracy. In short, we must evolve to trust math and science. Copyright 2015 Page 2

Introducing CylanceINFINITYENGINE INFINITYENGINE is a fundamental and epic shift from traditional security methods of detecting good and bad. It is a highly intelligent, machine-learning, data analysis platform. As battle-tested security industry veterans, we know previous approaches can never cope with the volume and variety of advanced threats. In response, Cylance designed INFINITYENGINE to make intelligent decisions without relying on signatures. It does this by taking a predictive and actuarial approach to data on a network to determine good from bad. This model exists in many other industries. Insurance companies use actuarial science to determine the likelihood of a risk event for the insured person at a surprisingly high rate of accuracy. This concept relies on advanced models of likely outcomes based on a variety of factors. For a standard insurance policy, they may consider twenty to thirty facts to determine the most likely outcome and charge appropriately. INFINITYENGINE uses tens of thousands of measured facts harnessed across millions of objects to make its decisions, in near real time. INFINITYENGINE, at its heart, is a massively scalable data processing system capable of generating highly efficient mathematical models for any number of problems. Cylance applies these models to big data to solve very difficult security problems with highly accurate results at exceptionally rapid rates. This is done by applying data science and machine learning on a massive scale. Coupled with world-class subject matter experts, Cylance cybersecurity is able to leap ahead of threats. While INFINITYENGINE is problem agnostic, correctly designing solutions to difficult problems takes time, knowledge and effort. The Cylance team has focused all of their efforts on detecting advanced threats, in near real-time, correctly, without signatures. This problem is one that has long plagued the entire Internet. The existing solutions involving humans, trust models or signatures have proven vastly incapable of solving this problem, resulting in massive infections, data loss, and a hostile environment for business, consumers and the Internet at large. What Is Machine Learning? Machine learning is a formal branch of artificial intelligence and computational learning theory that focuses on building computer systems that can learn from data and make decisions about subsequent data. In 1950, Alan Turing first proposed the question, Can computers think? However, rather than teaching a computer to think in a general sense, the science of machine learning is about creating a system to computationally do what humans do, as thinking entities, in specific contexts. Machine learning and big data analytics go hand-in-hand. Machine learning focuses on prediction based on properties learned from earlier data. This is how INFINITYENGINE identifies malicious versus legitimate files. Data mining focuses on the discovery of previously unknown properties of data, so those properties can be used in future machine-learning decisions. This means INFINITYENGINE learns on a continual basis, even as attacker methodologies change over time! Copyright 2015 Page 3

How It Works INFINITYENGINE collects data, trains and learns from the data, and calculates likely outcomes based on what it sees. It s constantly getting smarter from environmental feedback and a constant stream of new data from all around the world. To achieve its magic, INFINITYENGINE first collects vast amounts of data from every conceivable source. Next, it extracts features that we have defined to be uniquely atomic characteristics of the file depending on its type (.exe,.dll,.com,.pdf,.java,.doc,.xls,.ppt, etc.). Then, it constantly adjusts to the real-time threatscape and trains the machine learning system to make better decisions. Finally, for each query to INFINITYENGINE, we classify the data as good or bad. INFINITYENGINE - The Rubber Meets the Road INFINITYENGINE can be used to supercharge decision making at endpoints and woven tightly into existing security systems via a variety of integration options. It is cloud-enabled, but not cloud dependent, to support advanced detection on a global scale in limited form factor environments, or can operate autonomously while still achieving a stunning rate of protection. The breadth of deployment options helps to solve several fundamental problem points on a modern network. CylanceV CylanceV is a REST SSL application programing interface integration to INFINITYENGINE s intelligent cybersecurity decision making. Through the API and specially developed utilities, IT departments executing incident response and forensics can take the tedium out of tracking down malware and determining what is truly bad. CylanceV enables a starting point for forensic analysis and timely remediation through an automated and highly efficient approach. Tying other security tools like SIEM, log analysis, host and network monitoring, HIPS/NIDS and investigation tools including antivirus, anti-malware and forensics, into CylanceV provides contextual intelligence for more accurate and effective malware identification. The CylanceV API allows utilities to be developed in most popular frameworks (.NET, Python, etc.) and invoked through HTTPS using tools such as CURL or WGET in order to make the data segmentation easier and more efficient. Integrating third party functionality, like Python scripts, Splunk, C# to INFINITYENGINE quickly determines what is safe and what is a threat, making smart security smarter. Together, they reduce the total number of prospective compromised machines to something manageable. Copyright 2015 Page 4

CylancePROTECT CylancePROTECT is our host-based security solution built on INFINITYENGINE technology. It leverages algorithmic science to greatly increase the speed and accuracy of host protection without reliance on signatures, heuristics or behavior modeling. It offers a real-time protection layer on the endpoint that can make decisions about the nature of malware independent of connecting to INFINITYENGINE and has a stunningly low impact on endpoint performance. PROTECT offers a powerful front line of defense, whether your assets are behind your corporate firewall or in a coffee shop. Its extensive management capabilities easily blend INFINITYENGINE s pervasive protection into your existing security workflow. Summary With INFINITYENGINE, enterprises can definitively determine which files are good or bad in milliseconds with extraordinarily high detection accuracy and extremely low false positive rates. Because the system is self-collecting, self-training, and self-learning, it always stays ahead of the changes and unknowns. With such a strong mathematical approach, Cylance is changing the game of security infinitely. About Cylance: Cylance is the first company to apply artificial intelligence, algorithmic science and machine learning to cybersecurity and improve the way companies, governments and end-users proactively solve the world s most difficult security problems. Using a breakthrough predictive analysis process, Cylance quickly and accurately identifies what is safe and what is a threat, not just what is in a blacklist or whitelist. By coupling sophisticated machine learning and artificial intelligence with a unique understanding of a hacker s mentality, Cylance provides the technology and services to be truly predictive and preventive against advanced threats. For more information, visit cylance.com +1 (877) 973-3336 sales@cylance.com www.cylance.com 18201 Von Karman, Ste. 700, Irvine, CA 92612

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information