Art Hathaway - Artificial Intelligence - Real Threat Prevention
TRANSCRIPT
Artificial Intelligence. Real Threat Prevention.
Art Hathaway, Regional Sales Director, Ohio Valley
Steve Richards, Sales Engineer, Ohio Valley
3 | © 2015 Cylance, Inc.
The Future of Security
[Slide diagram: a timeline from Past to Present to Future. Past: pre-execution, humans needed (AV). Present: post-execution (sandboxing, isolation, EDR). Future: pre-execution, no humans (AI). HIPS / anti-exploitation is also shown on the timeline.]
Required Solution
Reduce risk by preventing malware before it executes.
Cylance prevents malware by using Artificial Intelligence to unlock the DNA of advanced threats.
Algorithmic Science
• Machine Learning
• Cluster & Classify
• Pandora ML
Confidence Scoring
Threat Indicators
• Anomalies
• Collection
• Data Loss
• Deception
• Destruction
Collect / Classify / Context
How It Works
[Slide diagram: pipeline COLLECT → EXTRACT → TRANSFORM, VECTORIZE & TRAIN → CLASSIFY & CLUSTER, with samples ending up labelled BAD or GOOD.]
What is a Feature / Attribute
Extract ~15,000,000 features
[Slide diagram: PE file structure of RosAsm Base3.exe, from the headers down to the sections and directories.]
DOS MZ Header
DOS Stub
PE File Header: PE Signature, Image_Optional_Header
Section Table: array of Image_Section_Headers
Sections: .idata, .rsrc, .data, .text, .src
Directories
Disassembly shown from the code section:
lea rcx,[rdi+20h]
mov qword ptr [rdi+8],r13
mov qword ptr [rdi+10h],r13
mov qword ptr [rdi+18h],r13
mov qword ptr [rcx+20h],r12
mov qword ptr [rcx+18h],r13
lea rdx,[rsp+258h]
or r9,0FFFFFFFFFFFFFFFFh
xor r8d,r8d
mov word ptr [rcx+8],r13w
mov ebx,r14d
Feature sources listed on the slide: DOS Header, NT Header, File Header, Section Headers, Export Directory, Import Directory, Resource Directory, Relocation Directory, Debug Directory, Packer Used, Compiler Type, Compiler Language, File size, PE size, Image section headers, Image imports, Functions called, Kernel hooks, Image Paths, Image Resource Directory, Bitmaps, Icons, Strings, RCData, Icon Groups, Version Info
Transformation: Normalization and Vectorization
Meta-data that creates new features
Each sample becomes a feature vector x, for example:
x=[1007013456]
x=[1602111430]
x=[2819209111]
x=[3220101036]
x=[9910192839]
x=[2201920391]
x=[8819102999]
x=[5778492200]
x=[0001928311]
x=[7564778203]
x=[9928183918]
x=[9929192839]
x=[0019376471]
x=[0093810292]
x=[0019102922]
x=[6657749100]
The vectors are stacked into the matrix X; each row is labelled Unsafe or Safe.
Deep Discussion
• First Order Feature – information you can extract directly from the binary or its structure
• Second Order Feature – e.g. the entropy value of a binary or of a section of the binary
• Third Order Feature
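The slides describe the pipeline (collect, extract, transform/vectorize, classify) and the two feature orders in prose only. The script below is an added example, not Cylance's code or pipeline, showing the mechanics in miniature: first-order features read straight from the PE headers (section count, SizeOfCode, AddressOfEntryPoint, presence of a .rsrc section), a second-order feature computed from the bytes (per-section Shannon entropy), vectorization into a fixed column order, min-max normalization, and the resulting X matrix with Safe/Unsafe labels. The PE images are constructed inside the script by a labelled helper (not real programs or real malware); the feature names, the 7.0 entropy threshold used to flag packed-looking code sections, and the sample labels are my own assumptions for illustration.

```python
import math
import struct
from typing import Dict, List, Tuple

# Fixed column order so every sample vectorizes to the same positions in X.
# The feature names are my own choice for illustration.
FEATURE_ORDER = ["num_sections", "size_of_code", "entry_point", "has_rsrc",
                 "text_entropy", "max_section_entropy"]


def build_sample_pe(sections: List[Tuple[bytes, bytes]]) -> bytes:
    """Constructed, minimal PE32+ image (not a real program): DOS header with
    e_lfanew, PE signature, COFF file header, optional header, section table, raw data."""
    e_lfanew, opt_size = 64, 240
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)   # e_lfanew lives at 0x3C
    size_of_code = sum(len(d) for n, d in sections if n.startswith(b".text"))
    # Magic 0x20B, linker version, SizeOfCode, SizeOfInitializedData,
    # SizeOfUninitializedData, AddressOfEntryPoint, BaseOfCode, ImageBase
    opt = struct.pack("<HBBIIIIIQ", 0x20B, 14, 0, size_of_code, 0, 0,
                      0x1000, 0x1000, 0x140000000)
    opt += b"\x00" * (opt_size - len(opt))
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    table, raw, rva = b"", b"", 0x1000
    for name, data in sections:
        # IMAGE_SECTION_HEADER: name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, relocs/linenums (unused here), Characteristics
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"), len(data),
                             rva, len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw += data
        raw_ptr += len(data)
        rva += 0x1000
    return dos + b"PE\x00\x00" + coff + opt + table + raw


def shannon_entropy(data: bytes) -> float:
    """Second-order feature: bits of entropy per byte, 0.0 (constant) .. 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """First-order features come straight from the headers: walk DOS -> PE -> COFF ->
    optional header -> section table and return (SizeOfCode, entry point, sections)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    coff_off = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff_off + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff_off + 16)[0]
    opt_off = coff_off + 20
    size_of_code = struct.unpack_from("<I", pe, opt_off + 4)[0]
    entry_point = struct.unpack_from("<I", pe, opt_off + 16)[0]
    sec_off = opt_off + opt_size
    sections = []
    for i in range(num_sections):
        name, _vsize, _rva, rsize, rptr = struct.unpack_from("<8sIIII", pe, sec_off + 40 * i)
        sections.append((name.rstrip(b"\x00").decode("ascii", "replace"), pe[rptr:rptr + rsize]))
    return size_of_code, entry_point, sections


def extract_features(pe: bytes) -> Dict[str, float]:
    size_of_code, entry_point, sections = parse_sections(pe)
    entropies = {name: shannon_entropy(data) for name, data in sections}
    return {
        "num_sections": len(sections),                 # first order
        "size_of_code": size_of_code,                  # first order
        "entry_point": entry_point,                    # first order
        "has_rsrc": 1.0 if ".rsrc" in entropies else 0.0,
        "text_entropy": entropies.get(".text", 0.0),   # second order
        "max_section_entropy": max(entropies.values(), default=0.0),
    }


def flag_high_entropy_code(feats: Dict[str, float], threshold: float = 7.0) -> bool:
    """Defender-side use of one second-order feature: a code section near 8 bits/byte
    looks packed or encrypted (threshold is an assumption for this example)."""
    return feats["text_entropy"] >= threshold


def vectorize(feats: Dict[str, float]) -> List[float]:
    return [float(feats[k]) for k in FEATURE_ORDER]


def normalize(X: List[List[float]]) -> List[List[float]]:
    """Min-max scale each column to [0, 1] so byte counts and RVAs do not swamp flags and entropies."""
    cols = list(zip(*X))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return [[(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(row, lo, hi)] for row in X]


def build_matrix(samples):
    """Stack one vector per sample into the matrix X; y carries the Safe/Unsafe labels."""
    X = [vectorize(extract_features(pe)) for pe, _ in samples]
    y = [label for _, label in samples]
    return normalize(X), y


# Constructed sample images with assumed labels (not real software, not real malware).
LOW_ENTROPY_TEXT = b"\x48\x89\x5c\x24\x08" * 64   # repeated 5-byte pattern, ~2.32 bits/byte
HIGH_ENTROPY_TEXT = bytes(range(256))             # every byte value once, exactly 8 bits/byte
SAMPLES = [
    (build_sample_pe([(b".text", LOW_ENTROPY_TEXT), (b".data", b"\x00" * 128), (b".rsrc", b"ICON" * 16)]), "Safe"),
    (build_sample_pe([(b".text", HIGH_ENTROPY_TEXT), (b".data", b"\x00" * 64)]), "Unsafe"),
    (build_sample_pe([(b".text", LOW_ENTROPY_TEXT[:160]), (b".rsrc", b"STR\x00" * 8)]), "Safe"),
]

if __name__ == "__main__":
    X, y = build_matrix(SAMPLES)
    for row, label in zip(X, y):
        print(label, [round(v, 3) for v in row])
```

The point of the min-max step is visible in the printout: without it, SizeOfCode and the entry-point RVA are in the hundreds or thousands while entropy is bounded by 8 and the .rsrc flag by 1, so any distance-based clustering would be dominated by the size columns.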
The world is growing more VOLATILE, AMBIGUOUS, COMPLEX
And it is all speeding up …
The Escalating Battle for Control in Cyberspace
• Increase in sophistication and number of cyber attacks
• Government concerns are driving new regulation
• Increasing tensions between privacy and security
Growing debate about the Roles of Government and Industry in Privacy and Security
Threats & Impacts – A Simple Summary
• IP Loss (technology leadership)
• Shut Down Your Business (materiality impact)
• Compromise you to Compromise others (trust, brand, reputation)
• Product Vulnerability (trust, brand and reputation)
An Adversary
• The idea is to assess soil and landscape types, weather and pest issues to boost crop yields and profits. All the farmer needs is a smartphone, a GPS-enabled tractor connected to the cloud, with the data & analytics.
  The idea is to facilitate a precision bombing. All a government needs is access to the data.
• The idea is to cure blindness. Doctors on June 19th 2015 insert a retinal implant into a patient's eye that is connected to high-tech glasses with a camera and a video processing unit.
  The idea is to extort money. All a bad person needs is poorly developed or managed technology and the ability to execute malicious code.
• The idea is to improve road maintenance and safety. All a municipality needs is sensors in the cement, sensors in cars, sensors with people, connected to the cloud, with data and analytics.
  The idea is to profit from or to harm others. All a bad person needs is poorly developed or managed technology and the ability to execute malicious code.
• The idea is to improve food safety and reduce cost. All a food and beverage organization needs is real-time information flow from the slaughterhouse to the point of sale.
  The idea is to save cows. All a bad person needs is poorly developed or managed technology and the ability to execute malicious code.
Digital Evolution
In the next few years the attack landscape will dramatically change:
• Adoption of smart grid devices (water/power)
• Tech inside more than phones, tablets, laptops
• IP enabled home appliances
• Centralized home information flow (bundled services via internet)
• Proliferation of devices & app markets
• "Virtual assets" – content with emotional attachment in the digital world
• Pervasive wearables updating social computing
• Open source intelligence refining targets
• Expanding attack surface – greater technology integration with society's well-being
Cyber has been characterized as the 5th domain of warfare
In November 2008, 10 Pakistani members of an Islamic militant organization carried out a series of 12 coordinated shooting and bombing attacks lasting four days across Mumbai. The attacks began on Wednesday, 26 November and lasted until Saturday, 29 November 2008, killing 164 people and wounding at least 308.
$2M in funding for the attack came from cyber crime
The idea is to terrorize
All a bad person needs is poorly developed or managed technology and the ability to execute malicious code
A growing digital economy relies on Trust
"We saw air let out of the balloon, an evaporation of trust"
"the reputation of the Tech industry went backwards"
"By a margin of 2 to 1 people don't believe that governments or businesses are thinking enough about the broad negative societal impacts that technology can have"
– Richard Edelman, Feb 2015
Breaking someone's trust is like crumpling up a perfect piece of paper. You can work to smooth it over, but it's never going to be the same again.
9 – Box of Controls
[Slide series: the same 3x3 grid is repeated over several slides with labels added on each build.]
Control Types (rows): RESPOND, DETECT, PREVENT
Control Approaches (columns): Automated, Semi-Automated, Manual
Axes: Risk and Cost
• Detect / Respond: focus is on minimizing damage – the only variables are time to detect and time to contain
• Prevent: focus is on minimizing vulnerability and potential for harm
• Annotation: "Where most of the industry is focused"
• Corner labels: Highest Risk, Highest Cost, Most Liability; and Lowest Risk, Lowest Cost, Limited Liability
• Recommended direction: Shift Down and Left
• Labels added on the later builds: MOTION; PROGRESS; HIGH CONTROL FRICTION; then SUSTAINED PROGRESS with LOW CONTROL FRICTION
WE NEED SOLUTIONS THAT … LOWER RISK, LOWER COST, LOWER FRICTION
To Enhance Trust in Technology, so we can make sure tomorrow is better than today
Total Cost of Controls
Obvious Direct Cash Buckets
• AV replacement
• Security Operations
• Hunting team
• Investigations
• Legal
• Help Desk Calls
• Performance complaints
• Infection related issues
• IT operations costs
• IT emergency response
• Infrastructure costs
• Rebuild/re-image costs
Less Obvious Direct Cash Buckets
• De-clutter other controls
• Other end point products (CyberArk, client proxy, DLP, etc.)
• Other control products
• Extending PC lifecycle
• Headroom back due to performance
• Other IT operations costs
• EOL'd systems – delayed upgrades
• Change patching windows
• Servers can be protected – normally cannot complete a disk scan with AV
• Reduce infrastructure costs due to less "chattiness" with cloud
Total Cost of Controls
Hero
• Value of IP
• Maintain market leadership
• Cost of a privacy breach
• Litigation
• FTC, class actions, etc.
• ediscovery
• PR & Comms
• Credit monitoring
• Mgmt Distraction
Zero
• Spent on the "insurance" and no proof that you "saved the world"
All about probability of bad things occurring and a wide range of outcomes/impacts financially
Control Friction
• Controls are a "drag coefficient" on business velocity
• Slow the user
• Slow a business process
• Too much control friction
• Business and users go around security and IT
• Adds cost – IT isn't managing IT anymore
• Data and business silos are created
• Loss of purchasing power
• Adds risk
• Risk and Security team becomes blind – can't prevent, hard to detect, and everything ends up being an after-the-fact response
• Business adheres to the controls – generates systemic Business Risk
• Lose time to market
• Lose ability to innovate
• Lose long term market leadership