Artificial intelligence to serve threat prevention
PASSION. PERSISTENCE. DRIVE.
Our mission is to protect everyone under the sun.
We’re passionate about securing enterprises from today’s cyberthreats by using
disruptive technologies like artificial intelligence and machine learning to predict
attacks before they cause damage.
Stuart McClure, Ryan Permeh
▪ Malware is used in 90% of cyber incidents
▪ Adversaries create huge numbers of malware variants to avoid detection, or they design one just for you
▪ Unique malware is the norm, rendering traditional AV totally useless
▪ ~6 new malware samples every second
Source: 2016 Verizon DBIR, http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
How traditional AV vendors create a single signature
t0 New malware (last 24 hours)
t1 Collect samples
t2 Triage and classify
t3 Human malware researchers and automation
t4 Signature file
t5 Test signature file
t6 Deploy signature
t7 Security admin updates
Cloud threat DB: all known malware. Zero-day malware is what arrives at t0 and is not covered by a signature until t7.
The Future of
Past: AV; HIPS / Anti-Exploitation (humans needed)
Present: Sandboxing; Isolation; EDR (specialized humans needed, post-execution)
Future: AI (no humans, pre-execution)
CylancePROTECT leverages the power of machines, not humans, to dissect malware's DNA. Artificial intelligence then determines if the code is safe to run.
WHAT WE DO / WHAT WE DO NOT
Oren Harari: "Edison's electric light did not come about from the continuous improvement of the candle..."
THE CASE FOR ARTIFICIAL INTELLIGENCE
AI every day, everywhere
AMAZON – predictive wishlists and product recommendations
NETFLIX – movie and series recommendations
FACEBOOK – face recognition in pictures
SPOTIFY – music recommendations and radio
GOOGLE – AlphaGo, the strongest Go player
APPLE – Siri, voice recognition and speech
SKYPE – real-time language translation
CYLANCE UNLOCKS THE DNA OF MALWARE
ELASTIC CLOUD COMPUTING NOW MAKES IT POSSIBLE
▪ Algorithmic science puts machines to work to separate bad from good
▪ Thousands of cloud nodes
HOW DO WE DO IT? ALGORITHMIC SCIENCE AND MACHINE LEARNING
COLLECT -> EXTRACT -> TRANSFORM, VECTORIZE AND TRAIN -> CLASSIFY AND CLUSTER
Example feature vectors (hex-encoded bytes):
X = [63796c616e6365]
X = [70726576656e74]
X = [70726f74656374]
Supervised Machine Learning (in 1 slide ☺)
hθ(x(i)) is the model's prediction for training example x(i).
Learning is adjusting the weights w_i,j such that the cost function J(θ) is minimized, in practice by gradient descent on J (the slide describes this as a form of Hebbian learning, although Hebbian updates are local and unsupervised rather than driven by a cost function).
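The following is an added toy example, not Cylance's model or code, written to make the COLLECT -> EXTRACT -> VECTORIZE -> TRAIN -> CLASSIFY pipeline and the hθ(x)/J(θ) notation above concrete, and to show the signature-lag point from the earlier "single signature" slide: a hash signature matches only an exact copy, while a feature-based classifier still flags a one-byte variant. Everything here is an assumption chosen for illustration: the features (a 256-bin byte histogram plus entropy; a real product uses far richer features extracted from file structure), the logistic-regression hypothesis, the function names (vectorize, train, classify, make_corpus, signature_match) and the constructed "safe"/"unsafe" corpus. The three hex strings from the slide are decoded as inputs.

```python
"""Toy COLLECT -> EXTRACT -> VECTORIZE -> TRAIN -> CLASSIFY pipeline (added example)."""
import hashlib
import math
import random


def hex_to_bytes(hex_text: str) -> bytes:
    """Decode a hex feature string as printed on the slide (spaces tolerated)."""
    return bytes.fromhex(hex_text.replace(" ", ""))


def vectorize(sample: bytes) -> list:
    """EXTRACT / TRANSFORM: raw bytes -> fixed-length x.
    Features are an assumption for illustration: a normalized 256-bin byte
    histogram plus Shannon entropy scaled to [0, 1]."""
    n = max(len(sample), 1)
    hist = [0.0] * 256
    for b in sample:
        hist[b] += 1.0 / n
    entropy = -sum(p * math.log2(p) for p in hist if p > 0.0)
    return hist + [entropy / 8.0]


def hypothesis(theta: list, x: list) -> float:
    """h_theta(x) = sigmoid(theta_0 + sum_j theta_j * x_j): P(unsafe | x)."""
    z = theta[0] + sum(t * xj for t, xj in zip(theta[1:], x))
    z = max(-500.0, min(500.0, z))  # keep exp() in range
    return 1.0 / (1.0 + math.exp(-z))


def cost(theta: list, X: list, Y: list) -> float:
    """J(theta): mean cross-entropy over the labelled training set."""
    eps, total = 1e-12, 0.0
    for x, y in zip(X, Y):
        h = hypothesis(theta, x)
        total -= y * math.log(h + eps) + (1 - y) * math.log(1.0 - h + eps)
    return total / len(X)


def train(X: list, Y: list, epochs: int = 120, lr: float = 3.0):
    """TRAIN: batch gradient descent on J(theta). Returns theta and the cost per epoch."""
    m, d = len(X), len(X[0])
    theta = [0.0] * (d + 1)
    history = []
    for _ in range(epochs):
        grad = [0.0] * (d + 1)
        for x, y in zip(X, Y):
            err = hypothesis(theta, x) - y  # dJ/dz for this sample
            grad[0] += err
            for j, xj in enumerate(x):
                grad[j + 1] += err * xj
        theta = [t - lr * g / m for t, g in zip(theta, grad)]
        history.append(cost(theta, X, Y))
    return theta, history


def classify(theta: list, sample: bytes, threshold: float = 0.5) -> str:
    """CLASSIFY: the pre-execution verdict an agent would act on."""
    return "unsafe" if hypothesis(theta, vectorize(sample)) >= threshold else "safe"


def sha256_hex(sample: bytes) -> str:
    return hashlib.sha256(sample).hexdigest()


def signature_match(sample: bytes, known_hashes: set) -> bool:
    """Traditional hash signature: hits only on an exact copy of a known sample."""
    return sha256_hex(sample) in known_hashes


def make_corpus(seed: int = 1, n: int = 20):
    """Constructed stand-in for COLLECT: text-like 'safe' blobs versus
    packed/encrypted-looking 'unsafe' blobs (synthetic, not real samples)."""
    rng = random.Random(seed)
    words = [b"cylance", b"prevent", b"protect", b"report", b"config", b"update"]
    safe = [b" ".join(rng.choices(words, k=30)) for _ in range(n)]
    unsafe = [bytes(rng.randrange(256) for _ in range(200)) for _ in range(n)]
    return safe, unsafe


def build_model(seed: int = 1):
    """Run the whole pipeline once; returns theta, cost history and the corpus."""
    safe, unsafe = make_corpus(seed)
    X = [vectorize(s) for s in safe + unsafe]
    Y = [0] * len(safe) + [1] * len(unsafe)
    theta, history = train(X, Y)
    return theta, history, safe, unsafe


if __name__ == "__main__":
    theta, history, safe, unsafe = build_model()
    print("J(theta) first/last epoch:", round(history[0], 4), round(history[-1], 4))
    for h in ("63796c616e6365", "70726576656e74", "70726f 74656374"):  # slide's X vectors
        print(h, hex_to_bytes(h), classify(theta, hex_to_bytes(h)))
    # One flipped byte defeats the hash signature but not the feature-based model.
    variant = bytes([unsafe[0][0] ^ 0x01]) + unsafe[0][1:]
    print("signature hit on variant:", signature_match(variant, {sha256_hex(unsafe[0])}))
    print("model verdict on variant:", classify(theta, variant))
```

The cost history is the J(θ) curve from the slide: it starts near ln 2 (the model knows nothing) and falls as gradient descent adjusts θ. The variant check at the end is the whole argument of the "single signature" slide in two lines: the hash set built at t4 never sees the flipped byte, whereas a model trained on byte-distribution features is indifferent to it. Real deployments add many more feature families and far larger corpora; the mechanism is the same.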
AGENT DETAILS
▪ Approved by Microsoft
▪ Agent stands alone or complements the security stack
▪ <1-2% CPU | 40-60 MB footprint
▪ No cloud, no prior knowledge, no signatures
▪ Minimal updates
▪ Windows XP SP3 – Windows 10
▪ VDI & Terminal Services compatible
▪ Server 2003 SP2 – Server 2016
▪ Mac OS X 10.9 – 10.12
▪ Linux: CentOS / Red Hat
POC AND DEPLOYMENT OVERVIEW
Phase 1 (policy: monitor only): deployment, console navigation, review detections. Staff: SE, Account Manager.
Phase 2 (policy: auto-quarantine, memory + script alert): policy development, zones. Staff: SE, POC threat researcher.
Phase 3 (policy: auto-quarantine, memory + script block): final scenario testing, full protective state. Staff: SE, POC threat researcher.
Phase 4 (outbrief): review findings, outbrief with leadership. Staff: SE, POC threat researcher, Account Manager.
[Chart: threats found and hosts over the four phases]
CUSTOMER USE CASE
CUSTOMER PROFILE
Leader in the watchmaking industry, with branch offices worldwide (~40 countries)
IT INFRASTRUCTURE
~1,300 Windows workstations and servers
~100 Mac systems
POC SCOPE
CylancePROTECT deployed on 200 Windows workstations
1 month (deploy, background scan, triage, protection)
RESULT
~2,500,000 files analyzed
~200 unsafe files detected:
▪ 150 adware, spyware and unwanted programs
▪ 30 PUPs (admin tools, specific tools, security scanners)
▪ 10 false positives (in-house development, tools)
▪ 7 malware (banking Trojan, backdoor)
▪ 3 zero-day (ransomware undetected by the incumbent AV)