New technology approaches to today’s threat environment
Date: Thu, 08/04/2016 - 12:52
Too often the bad guys are winning. Every day we learn about more cyber attacks – that is to say, more successful examples where hackers manage to penetrate vital business or government systems, steal data, steal money, steal intellectual property, and insert secret back doors for continuous surveillance, espionage, and sabotage.
Greg Fitzgerald, Chief Marketing Officer, Cylance, at NetEvents EMEA Press and Analyst Summit, Rome, Italy
Essential industries are compromised. Servers, networks and platforms are weakened. We are exposed. Cybersecurity’s foundation is broken. The good news is that there’s a fundamental shift taking place, driven by both vendor innovation and by demand from the corporate community to do better.
No longer is cyber security simply an IT challenge: CEOs are losing their jobs, insurance premiums are skyrocketing, and regulators are worried. Cybersecurity is front and center from the boardroom, to the back room IT shop.
We’ll follow the presentation with a Q&A to see if these new approaches will result in fewer successful cyberattacks – and if it’s time for the good guys to start winning again.
My name is Greg Fitzgerald. One of the reasons I’m brought up here is because the whole conference is around innovation in the cloud. Given my age, I have been blessed honestly to be highly active in the banking community in the early 1990s but then transitioned to actually be part of the innovation boom and bubble in Silicon Valley in the 1990s where I was part of Compaq Computer creating the disruption of the old kind of Sun Microsystem servers to low cost Windows servers supplying the Internet Service Providers with a way for people and companies to access the Internet, the cloud equivalent at that time. I moved to BMC Software to use technology to manage the servers, the Internet cloud and help IT management. I came to Europe, spent a couple of years expanding BMC Software and got enlightened with how people actually use technology and I moved back to the States with that premise and then started to focus on security.
So I think where we start today is interesting because I’m going to talk from an industry perspective over the past 15 years where I’ve been a part of how security has transformed itself. Everything we’ve talked about today culminates in security being a concern in three ways. One, cyberattacks. I’m worried about data loss, business disruption, and damage.
I’m also worried about privacy - personal information, who has it, where it resides, and where it goes.
We can also think of one more level of security which is regulation and that particular area is a serious concern because, like I mentioned on the panel, regulation of being compliant with PCI or in America HIPAA, or any other compliance means nothing if you’re not actually protecting yourself properly. This ends up just being check boxes to make someone happy.
So what I want to show you today is going to be interesting because I’m going to take a chance, I’m going to take a risk. I’m going to show you a live cyberattack in front of your eyes. I’ve never done it before in front of the press or analysts. I typically have done this in front of a customer or prospect. I do know it works hopefully. We will all pray to the demo gods. The objective that I want to show you is that the security foundation is fundamentally broken.
Cyberattacks that we hear about, and that’s the piece I’m going to focus on cyberattacks, doesn’t really matter how it occurs. I love hearing the conversation about, “Oh it was a phishing attack” like an email attack. “Oh no it was malware placed over here by this cyber attacker. Oh, they had hacked our website and got in”. It’s irrelevant, to be totally honest. How they get in means nothing. What’s meaningful is what did they do, meaning everything, and I do mean everything, within a device of any sort - tablet, mobile device, phone, IOT, server - is that an attack must execute to be successful. So I’m going to use that as the key term - execution. A cyber attack, to be successful in some part of the attack chain, must run. As an example, if I have a bunch of malware, which I do on this machine, but it’s meant to attack a specific application that I don’t have on the machine, do I care? The answer to that is no. Why? Because it will never execute because the application it is targeting is not there.
I often use that example with Macintosh computers. There are tons of Microsoft attacks, exploits, vulnerabilities, whatever you want to call them, holes in the Microsoft operating system, but on a Mac they will not execute.
Now, take a step to the various types of attacks. What we typically see are email and web browser based attacks. Those are primary attacker methods. Why? Because attackers are inherently lazy. They want the least path of resistance to get onto and access the device. Why do they want to go on the device? Because it’s the easiest way to ride into the corporation. Whether that’s to get inside the organisation’s datacentre itself or through to their cloud. So as the 25% to 40% of you that raised your hands that you have a VPN access to your organization and you think you are safe, I would say think again because I’m going to show you. The VPN is just a secure tunnel. It does nothing to prevent an attack or keeping your organization safe if your device has already been compromised.
So I’m going to take a risk here and I’m also going to tell you what I’m doing. This is really important because I want it to be totally transparent. This is not a gamed system. This is not something that I’m trying to embarrass other vendors, but it’s going to happen.
You can go to any one of these publicly available websites and download free malware. What is malware? Malicious software. It is software designed to do something with a bad intention. Not all malware is a virus or a Trojan. It can be a legitimate application like in the IT management world, admins often use a product called PSExec, or another tool that’s called Go To My PC. Those are totally legitimate applications to do the IT jobs better, faster.
Now, if that tool is on an IT person’s device, that’s legitimate. If that’s on my device and I didn’t place it there, then that’s an illegal programme. It should not be there. That means someone has access to my machine, is completely controlling my machine unbeknownst to me.
So, in our particular test I’ve got a Microsoft based system here. I’m going to download malware. So let me show you what I’m doing. The demo gods do work. So what I’m going to show you here are the main anti-virus competitors. On almost every corporate device is an anti-virus programme. 80% of the market on a global scale, which is about $5b total available market, is Symantec, McAfee, and TrendMicro. There are more than 60 other antivirus/antimalware vendors. Kaspersky, Sophos, etc. there are many common names. I’m going to use the big three because that’s what most corporations have. In most cases, the individual as well. What you can see here, is that Symantec is updated. Before the coffee break I wanted to show you that I have updated their antivirus signatures up to the latest couple of hours. You can see the same thing with McAfee as well. Just for transparency, completely updated today successfully, everything is there.
Here’s the challenge. I actually had to go over the wireless network here. It took me about an hour to update the signatures for just three products. Now, the one that I happen to be a part of, Cylance, is up in the right-hand corner and I’ll describe why this is different and innovative relative to our conversations today. I’m going to hit a button that is going to download from those publicly available websites a random sample of malware of 100 pieces, then I’m going to automatically run against these devices when it is ready. So let’s do this.
So it is now downloading and preparing. You’re going to see little black boxes which are command line interfaces on each one of these devices. That is going to execute each one of the pieces of malware serially and we’re just going to see what happens. I have no idea if ours is going to have mistakes or issues either, but I can guarantee that the other guys probably will.
Now I have one disclaimer. When we do this, because it is malware, remember these are bad people, I don’t know what could happen. We could have a naked picture. We could have a system shutdown. We get crypto locker every once in a while and ransomware and we’ll see what happens. So I’m going to hit the button here. Go.
So what is happening? Now any item that pops up means that it missed a cyber attack. But since I just updated the signatures, these products should know the malware, right?
Initially, antivirus was fully designed to identify and stop known attacks. It was designed pre-execution and the early days of cyber attacks had a low volume of attacks and the attacks were not very sophisticated. Also the people and the process associated with them were simple. Let me give an example.
A signature is based on the concept that an attack has been found somewhere because someone has already been compromised. Some very intelligent threat researchers investigate, they find the files that seem to have the indicators of compromise, they take the files, they give them an autopsy, they look inside to see if there is something there that shouldn’t be, or if there is something that is missing that should be. Cyber attackers are trying to manipulate the system to get access to your computer. What they want to do with that access can be of various means. Like I said on the panel, user name and access are usually the main objectives but it also could be to steal data. It could be to key log your keystrokes for any number of reasons. It could be to send data out. All of it is designed to be totally invisible to you, the compromised person.
So what we’re seeing here on the screen, oh, this is not good. McAfee finally triggered. What I’m going to show you now is Symantec. This is not good. I’ll show you why it’s not good. If you don’t know what this means, first of all, they let a lot of malware execute. Second of all, what this particular piece of malware means is they have gotten CryptoLocked. Are you familiar with what CryptoLocker is?
Okay, let’s look at this notepad. If I read what it is saying, it says, “What’s the matter with your files?” It says, “Your data was secured using a strong encryption” which means I’ve locked down your data. What it also says is “what should you do next?” They’re kind of being funny, but it basically says, “You can wait for a while until the price of a private key will raise. So you will have to pay twice as much to access your files, or you can start collecting bit coins right now and get access to your data quite fast. In case you have valuable files, we advise you to act fast as there is no other option than paying in order to get back your data.” That is a very typical ransomware cyberattack.
So does anybody have Symantec in here right now? You should be worried because this is malware from the last 24 hours. Now does it mean you got hit? No. There are hundreds of thousands of bits of malicious software collected to these data sites every single day. It doesn’t mean that you’re particularly going to get attacked, but it does mean that if you had protection the way you have it today, you’re totally vulnerable. So the confidence of whether you are safe or not is shaken.
Let’s just go back to show what might have happened to the other guys. Let’s see here. TrendMicro, who happens to have TrendMicro? Okay, TrendMicro, oh, I’m sorry. Mark you’ve got TrendMicro too? I’m sorry. This particular case has a different type of interface for the CryptoLocker that was part of the 100 samples. So, if we look at that, what you’re seeing here is that the files were encrypted as well. You can try to follow the instructions, but for the most part my data is encrypted and taken. So I would have to follow some sort of process to either pay for the hostage, which is my data, to be remedied, or give it to my IT guy because now, as an end user I am completely useless. I can do nothing with my computer. These particular systems are now owned, so we have to remediate, meaning to fix it.
I of course want to show you our product which is Cylance Protect. What it is showing, which is out of the 100 files - you can’t see it. It’s still processing. I think it says 98 - we found two abnormal and then everything else we found. This computer is not locked up. So the point here is that it did stop the malware. You can see all these unsafe items that were found.
Now, let’s get back to the presentation and why that’s important. If we look at what is happening in the industry today, we have run this test across the United States and Australia 75 times which is why in this cyber attack demo I was relatively confident I knew what was going to happen. The reason is we’ve shown that a new approach to a massive problem through innovation is changing and disrupting the market significantly. We’re based in Southern California with about 350 employees and we’re about $100m revenue, growing incredibly fast. We’re only three and one half years old. We’re growing faster than Palo Alto Networks and FireEye as a small little antivirus company.
What you see in this slide is the variability that a signature foundation, the baseline for all security that exists today, except for a couple of innovative vendors, is flawed. It’s based on people who have to find the problem first, then they have to create a remedy and then they have to have something that exactly matches the problem they saw the first time. But what are hackers doing? They’re mixing it up. They’re changing the attacks. They’re taking what was a known piece of malware, because I said they are lazy, and they’re changing a couple of the bits and bytes, the zeros and ones. It’s not a hard thing to do. And then sending it through the security systems and this is what you get – compromised machines.
The researchers at these competitor companies are working really hard and you can see that on a daily basis the signature files vary in their ability to detect malware. We did this test in Boston, Sydney, San Francisco, Denver, Dallas, Washington DC, etc. and they varied every single day we did this. Sometimes the signatures are written with quality and they’re good. Sometimes they send a download update to their customers that night. It’s all variable.
Now why is this important? For Europe it is massive, in my opinion. In America we don’t have fines for lack of protection today. But now with the new privacy laws and data protection that is so incumbent upon European nations you’ve got a massive regulation that says you can get fines as a percentage of sales for poor protection, poor notification process and poor record keeping. Think about that. A percentage of sales can go as a fine. So that means there can be significant financial hits to you as an organisation if you don’t follow these rules. We just talked about why cloud security is getting so popular and why people are getting more confidence to let cloud handle security. It’s because the liability changes from the corporation to the cloud provider.
The second rule’s about not notifying the supervising authority or the subject. That would be a notification to you that says, “Hey, guess what, data was stolen. We’re very sorry. Here’s how we’re going to fix it”. That’s all fine and dandy to say, but that’s really bad for the individual. Think about this. My bank calls me up. They said, “You know what, your credit card data information has been stolen. I’m really sorry”. I’m like, “Well, great because my credit card now has $20,000 maxed out. When are you going to fix it?” Well, of course, they’re a big company. Days, weeks, months. What happens? The problem is mine. I’m an individual. I can’t use the card and I’m travelling through Europe. My credit is already getting hit because I got $20,000 and can’t pay it all back immediately. Third, my bank is slowing me down and then fourth, I can’t go get more credit because I’ve maxed out my credit when they do the credit history check. So as an individual I have a serious problem. I need to always care now about what is happening with my particular access and data.
And the other rule - not conducting impact assessments, meaning just not being prudent in what the company does to take precautions can lead to more serious infringements that can merit a 4% penalty on top of that.
So what’s the challenge? We actually have two battlefields. One is the cyber actors. I mentioned earlier there is starting to be a very significant stratification between who is attacking you and how they’re doing it and what they want to do with it. For example, we have nation state attacks. I mentioned China, North Korea, Iran, Russia. Those are the obvious anti-ally countries. But realistically, location, or attribution only provides anecdotal information about the attack.
Cylance has a research group. We put out two reports in the past two years, one in particular on Iranian associated actors. 15 industries across 16 countries with over 50 companies had been compromised. You might go, “Okay, what’s the big deal?” The fact is that all it takes is one cyberattack on one of those industries in one of the oil and gas fields to bring down the entire global economy. If you think about America, we had that global oil spill with BP a couple of years ago. That was one oil spill disrupting the entire world. Imagine if you could do 100 oil rigs with one push of a button. Those compromised systems exist. Do we know what they’re going to do? No. But the fact that they can is dangerous. We’ve been in a kind of “Cold War”. It’s not the fact whether they can, is whether will they do it or not.
The attack surface, on the other hand, is exorbitant, so it’s made my job easier as the hacker. I want the least path of resistance. So I can go after your laptop. I can go after your mobile phone. I can go after your home computer. I can go after your edge server. I can go after the retail store that you visit. I can go after this Wi-Fi network.
Another report we put out identified one of the major suppliers of Wi-Fi networking equipment has vulnerabilities and has been hacked. So if you’re in a Mandarin Oriental in Hong Kong, if you’re in a Marriott in New York, it doesn’t matter to the hacker. They can put a piece of malware on the equipment and get access to every person staying in that hotel.
Now, do they often care about certain people, like my grandma, my sister, my daughter? Not necessarily. But what if they’re actually looking for someone like me who travels 90% of the time that has access to a very sensitive organisation that also has access to very sensitive data at very large organisations. They’re looking for Greg Fitzgerald. It’s not that hard to figure out where I am.
You’ve also got organised groups. Everybody knows Anonymous here in Europe. Big issue. They typically do political and socially oriented attacks. You’ve also got rogue independents. Those hackers work for money or various motives, in the case of our Iranian attack, you have those hackers that we could never say was actually the nation of Iran. What we had to say was associated with Iran. We had the names of the individuals, we had the locations of the servers they were using, the domain names of the websites, all of which were in Iranian either properties or languages, Arabic that was particular to that particular region that we were looking at and was able to take a look at how they attack.
So what we also have on the other side is internal organizational challenges. Like bureaucracy. We just talked about it. IT department has control issues. We’re trying to sell to other control freaks and it is a very difficult proposition because they think they can dictate the behaviour of their employees. But as we just heard in the panel previously, that has shifted 180º and now the IT, if they think that, are totally in denial and place the organization in a weak position.
You’ve also got budgets that are always very sensitive and yes, a large piece of the IT budget, but security is still somewhere between 5% and 8%. That’s it of your total IT budget.
The last piece is human behaviours and I think we all agree it’s tough to change human behaviour. That is a major issue. So behaviour is a problem that we deal with internally.
Then when we look at how do we protect on both fronts, we’ve got people, process and product. So we never say a technology only can solve the problem. There is no silver bullet. It is a combination of having individuals that are conscious of what they are doing and conscious of the fact that it actually impacts themselves even if they don’t necessarily care about the organisation upon which they are a part of, which would be bad too, but that’s a human behaviour.
Then you’ve process. What’s the process? Process is if you’re attacked what happens if someone is violating a policy. It was interesting, we talk about policies, but nobody even pays attention to them anymore. The convenience factor of technology has bypassed the process of policy management.
The other thing is frankly, there is just not enough people to hire that are good. So if you have a good employee that’s relatively fair and honest and they don’t follow policy, are you going to fire them? No, probably not. Are you going to discipline them? Probably not. Most people are conflict averse. So policy has changed over the past 50 years to where it used to be draconian you do this or you don’t have a job to now, I’m going to look the other way because I really need you because there is just not enough quality talent out there at all. Big change in today’s dynamics.
And then finally the product.
So I take a disruptive and a different turn than what the industry has changed. So people go, “You know what, we’re just going to get attacked”. To me that is a losing proposition. That’s just a bad attitude. That’s like someone is going to punch me in the face so just go ahead and do it now.
The idea is we should punch back because the attackers are just bad people. They’re like bullies. That’s really what they are. Do you succumb to a bully? No. You have to stand up at some point in your life or else you’ll always be run over. So the idea is really good security people get aggressive in prevention. Instead of detecting and responding, they get proactive in stopping the attacks on the exposed devices before they start. That is prevention.
The second thing is they have a process. They just don’t go, “Hey, when we get attacked I will figure out what we do next”. There is always a process and they follow the process. If they can do that, they can actually stop the attack quickly and prevent the damage that’s going on.
When we look at security products, and I’m going to transition here because it’s talking about innovation, you always talk about next move. What’s next gen? That word is annoying, but we use it frankly. Why? Because people simply understand it. What is Cylance? We’re a next generation antivirus. Wow, to me as a marketer that’s very limiting to what we actually do. We are much broader than that. But it’s basically to lower your security risk over time with a very poignant pain point right now.
Security is a risk game. It’s insurance, to be honest. That’s all it is. It’s a matter of what am I going to lose by someone gaining access and that is where the companies start to figure out how much did they spend, how much effort do they put forth, how much imposition on the end users they put relative to the risk to the organisation. So a good product needs to be able to reduce risk significantly with a low impact to the organization.
Great products need to be cost effective. You’ve got to reduce risk but you’ve got to be cost effective. But if you’re free, what’s the perceived value? There are lots of companies, especially the big incumbents who are recognising that their innovation or lack thereof is causing them to lose market share to a bunch of innovative start-up companies. What we’re seeing is that the cost of ownership for them is not going down. They’re actually burdening the system itself.
Now, amazing security products improve the user experience. Everybody has talked about BYOD and your devices, but in the end, if security is impeding your productivity and the progress that you have with an employee it’s just not going to be worthwhile because people will find a way around security. So if you can improve the user experience, then these organisations that are providing the security will provide huge value. So we always talk how “hero” products actually do it all.
So what are we doing today to prevent threats? We often talk about protection versus prevention. Protection, as an analogy, is where I can protect your house with a house alarm and video cameras, but it does not stop the thief from getting in the door or the window, taking my jewellery and leaving. All it does is tell me someone broke in and maybe give me a video recording that they left. I have no idea where they went, what else they took, what they’re doing. That’s protection.
Prevention is actually the ability to stop the activity. As an example when the thief tries to open the door lock or open the window you shock them and arrest them so they can’t succeed. That’s prevention. It also works for deterrence, obviously. If they know that they cannot get in they will put their efforts elsewhere. So they’ll go to companies that don’t necessarily have proper prevention, processes, or people.
Now, the last piece here to look at the security vendor companies and the various protection approaches. So the reason I bring this up is look at all the vendors that are here providing some sort of solution and as we were talking this morning at our table, there are over 1,500 start-up security companies trying to solve the problem of a successful cyber attack. The enormity of the problem is matching the enormity of the venture capital investments there to go after that 6% security budget. Why? Because the foundation of the security by the major players, the oligopoly of those players, is broken and they are not innovating to keep their leadership. There are a lot of different approaches and what we like to say at Cylance is look at the various solutions to see what fits your organization.
For example isolation. It doesn’t matter if you’re going to try to isolate everybody and put them in a container if they are still getting successfully attacked. That’s one model of protection, but it’s not going to work for everybody.
Whitelisting is the concept around what you can and can’t install. I used this earlier. This is great, but unless you’re a draconian IT shop, it is useless to dictate what people can and can’t do, that’s a very difficult policy management approach to security.
Exploit prevention. Exploit is the concept that there is a hole in a Word doc or a PDF or some sort of application and that I can get through that hole to then put that malware on the system. So that’s a nice attempt at protection, but that’s only a piece of an attack or a style of attack.
And then you’ve got antivirus vendors who are just trying to keep up. What’s fascinating, if you look at every single one of these vendors here is that they do security the exact same way.
What’s a little unknown secret is that the antivirus industry shares protection signatures. We all have little research groups, but the reality is after we get a little advantage, maybe a week or two weeks, we share that information for the goodness of the industry. So the reality is it kind of doesn’t matter what vendor you have. I just showed you that the signature variability is different for every single vendor in the industry unless you look at a new approach to identifying and preventing malware. This is the only little advertising I have - There is a new artificial intelligence approach which is actually using the modernisation of cloud and large data analytics that has literally only become possible in the past five years, thanks to Amazon Web Services. We’re using the compilation of 10,000 simultaneous machines to do computational analysis of the features of malicious software.
So think about this, just like I experience when I walk into the airport, if I’m fidgety and I’m kind of sweating it out, what do the security people do? They’re probably going to pull me aside and at least have a conversation to see if there is anything else I may be hiding or up to. That’s even before I go through the metal detector and all the other security detection elements. Stopping me before I get in - that’s prevention. It’s a very hard thing to do in the cyber world, but it’s one where innovation and cloud capabilities are being used to enable new technology approaches.
So, as I summarise the past 20 years, we’ve got the past, which was pre-execution. Like I said, stop it before it executes, but at a time where there were humans involved. Because that efficacy has degraded over time, there has been about 15 years of technology that were created to “find attacks faster”. That’s great. You have to.
Nothing is perfect. There is no silver bullet. But you need to get to a point where you can actually prevent it from the very beginning and not introduce human error. It’s getting too complex because the volume of attacks is very high. The moderation of attack mutations and variability of them is very high and physically, no human can keep up with it all.
There are two primary choices in life. To accept the conditions as they are or accept the responsibility for changing them. What I think you’re going to see over the next couple of years here is a massive transformation in the style of protection, the policies associated for protection, and the implementation of true prevention.
So, thank you very much.
Thank you, Greg. I’m going to ask just a couple of questions, throw it open to the floor.
First of all, you kind of mentioned the user convenience element of it, but we didn’t see any of that. I know you are conscious of the fact, as we all are, that essentially in the real world convenience trumps security every time. How do you fix that?
I totally agree. I think the impetus and the challenge for the market is that if, as was stated before, if security imposes any sort of disruption to the business it’s useless security. It may be good security but as the employees or the personnel that are trying to implement it will soon get around it or they’ll disable it. We see that all the time and it goes back to the processes and the people issue. Are they educated enough to recognise they truly need security and that they can work within the systems that they have. There has to be open communication realistically because we recognise that an IT department may be very siloed and very almost self-centred in a way for what makes their jobs easier, faster, stronger without truly being conscious of their purpose in the organisation which is to empower the employee and the people while reducing risk to the business.
I’d like to know a bit more about the business model behind this and how that works for you because this all sounds very expensive to do what you’re doing with AWS. So you talk about making it cost effective. It sounds like what you’re doing is expensive, so how do you marry those two things?
Well, the way we look at things is that frankly, our technology and how we’ve created it is actually much more efficient than any other vendor. For example, what we do and the protection that we’re able to provide, what you saw live here, is done with literally less than 100 people in terms of threat researchers because it is powered by the machine intelligence in the cloud. So what we’ve done is we’ve basically in our laboratory we’ve been sucking in hundreds of millions of bits of good information (a Word doc, PowerPoints, Excel files, applications) and we’ve extracted the features of what good is. So now we know inherently what good looks like.
We’ve also done the same thing with just millions of bits of bad (worms, viruses, Trojans, advanced threat attacks, you name it) and we’ve analysed those. What we as researchers did three and a half years ago was we were able to look at the identifiers for what makes it ‘bad’. Kind of like cancer. If you’re looking at human cells, which ones have the potential to create certain types of cancer? We apply the same logic in a mathematical form in terms of features so that now we’ve taught a machine to look at anything that comes in the door, or anything I see scanned on my computer, extract its features, apply values, and then put it one of those two camps – safe or threat. So that’s the efficiency because now literally all there is, is a very small 40-megabyte autonomous intelligent agent that’s now replacing your antivirus. There are no files to update. There is nothing in the cloud I need to download to keep it current. There is no connectivity requirements. So I’m now 100% safe on my local host. Now, that’s how we do our business.
For companies looking at switching AV, this is interesting. They spent 20 years implementing endpoint security on every new device they give to a new employee. So first thought is hey, switching costs are high. The reality is when we ask them to please add up the impact if one person gets compromised. They literally pull out a spreadsheet of a long list and they say look, first of all, the employee that is trying to do productivity is offline. Second, he or she calls a help desk. That costs $35 every time they just pick up the phone. Third, I’ve got help desk that is now pointing fingers at the network people to identify what’s going on and if there is damage. Application people say it’s not my problem. The systems people that are saying the same. I’ve also now got to get third parties involved, if we need to identify malicious files. True threat researchers that are second or third tier sophistication, which costs a lot of money, are usually outsourced consultants. My lawyers and now my executives have to be notified. If I’m giving you the European new laws, I now have notifications that have to start going out to my people so now my brand is going to get crushed, the confidence in my customer base is going to get shaken and I’ve got fines that I’m probably liable for.
So, when we ask them about that one time compromise, one miss, they start to realise that the technological costs are minor compared to the operational impacts.
So it’s expensive. Okay. The other final question I have for you is really around the actual comparison you made which is it’s easy to have a go at the signature based stuff, but that’s not been cutting edge for a long time. There has been a lot of pretty good zero day prevention technology that I’ve seen over the years here at NetEvents, some of it presented by some of the people in the room who now have different hats on. So, if you were to do a comparison between a good modern zero day prevention technology and what you showed us, what would that show?
There are two parts. One is we’re in a technological evolution. If you look back 20 years ago McAfee, Symantec and Trend, the antivirus signature model, that was it. That was fantastic. That was the best of the best. Technology is needing to look at the fundamentals of what I’ve done in the past and know there is going to be something new and better. So when we look at what’s happening today, the context of the attack surface like we talked about and the sophistication of the attackers creates a model where we need to simplify the solutions we have. I do believe in the defence in depth approach. But again, let’s go from throwing in the white towel and getting hit in the face to let’s take off the gloves and let’s start proactively preventing the attack in the first place. The idea behind that is, of course, let’s prevent as much as we can. Let’s put in place technologies that are really good at identifying finding it faster and that you allow the network to start to breathe a little bit more in terms of the monitoring and management that has been implemented.
Yes, but with respect, that’s not hitting back. That’s still reactive.
Yes. The last part is very much reactive. I think that if we can see the entire industry for the most part is 90% reactive. Our proposition is let’s get 90% proactive and allow the 10% to be chasing what you know is going to get in inevitably.
Okay, thoughts, comments, questions.
Camille Mendler, Lead Analyst - Enterprise Services, Ovum
Yes, hi. Great presentation. Thanks very much oh and happy St. Patrick’s Day. I’m guessing with your name there will be some blood there.
So, I love the model of using this automated approach predicting, but the computers can’t tell us much about the fragmentation of attack and by that I mean what’s interesting to me is that we’ve got different types of attackers out there, many more than we used to. There is industrial espionage type of attacks. There is political attacks. There is the terrorists. Then there is the hobbyist in their bedroom because they’ve got nothing better to do. I don’t think that machines can predict that fragmentation where it’s all going to come from. I note you had done some analysis on what was it Japanese industrial attacks. I don’t know if we can predict that with machines. Can you comment on that?
Thank you for bringing it up because the premise upon which someone does something is totally unpredictable. Why does China want to attack Japan? I don’t know. In the end we truly believe, you can almost look at it as a waterfall, you can come in from various directions and various styles of attacks. Let’s use an analogy of your home again. I can come through your window. I can come through your front door. I can come through your back door. I can be in your car and go into your garage as another method. I can follow your wife right behind her as she walks through the front door. There are a lot of ways to get in.
Where our research and frankly 20 years of doing this shows is in the end, the “how” and “why” of the attack is kind of irrelevant. It’s the “what” is on your device or server and what it looks like and what’s the intention of that particular software that’s important.
99% of all cyberattacks, regardless of laptop, desktop, server, whatever, are malware, meaning malicious software. So let’s think about this for a minute. There is an attack process. There is typically what they call reconnaissance and you’re trying to analyse how am I going to get inside that house. Then there is, well, I’ve got a strategy of how I’m going to get in and now I’m going to formulate the tool or the technology to do that. It’s that tool/technology that can be predicted and can be identified because every bit of software has a fingerprint, it has DNA.
So you can look at the DNA of every piece of software on a laptop or a desktop or whatever the device is and you can make a definitive decision of whether it’s safe or threat. Only math and only machines are able to look at the code deep enough to create a calculation that is accurate enough. So again, in the human world, the threat analysis is done by humans. I’m going to use another analogy. I don’t mean to belabour. But a Word document is roughly 15,000 features. It’s how big the size is, what’s the metadata, the calls it makes to your operating system, where it resides, the structure of the file itself. That has nothing to do with what’s written inside. It’s literally that’s just what Microsoft built – inherently good.
So a hacker can only do two things with that. They can either attach onto it and make it a transport mechanism so when I send it to you and when you open it, it drops that other piece of malicious software. Boom. We can identify that other piece of software as that piece doesn’t belong.
The second one is what’s called scripting and they can stuff inside that particular document specific scripts that basically take another action, usually the callout to a command and control server, to pull down more software. We can identify that. Again, only a machine is able to look at that kind of a level in real time and not impact the end user.
We like to call it the last line of defence. Everything on a device has to run. If it’s physically there but doesn’t run, it doesn’t cause harm. If it runs and executes, you’ve got a problem.
Hector Pizarro, Editor in Chief, DiarioTi
Given the big resources that malware actors have, how likely is it that they will also hire computing power from Amazon, for instance, and fight you with artificial intelligence as well?
Yes, that’s a very good question.
That’s great right. Fight fire with fire. There are two answers to that. Even within the vendor industry people go, “Oh, Greg, Cylance is really unique but if Microsoft decide they want to get in this game they’ve got lots of money, lots of people, a lot of stuff.” The answer is they can. We can’t prevent anybody from doing this and frankly, what we’re doing is a blend between art and science. So let’s go back. The principles of artificial in science came out of MIT, Stanford, etc and are relatively new concepts. There are many companies that have tried to use AI but they have not figured out how to solve a couple of problems with this approach. One is false positives, meaning calling something bad when it’s actually good, or scale. How to do this across hundreds of thousands to millions of endpoints which Cylance has about six million endpoints that we’re protecting today.
The key about a machine learning is that it’s like a child. You teach it something to learn and it has to go at a certain pace. So no matter how much computing resources or how much information you give it, it still has to chew it up. So, for example, we look at ourselves as we have got a two or three year advantage of any competitor like any Microsoft, anybody else at McAfee, Trend, etc. If they want to get into this we’ve got a two or three year advantage on them because we’ve taught the machine that big round wheels and a yellow square is a school bus. We also taught him that big round wheels and a big double decker bus in the UK is also a bus but it’s a city bus. They have to learn the same process.
From the floor
Great question. False positive, ours is 0.0002.
Good. Good answer. Nice and short.
Comparatively, the industry is a 0.05. So again, a machine is just incredibly accurate and a lot of that honestly goes, when we started it was a high false positive. Like in the percentage like single percentages. Just the learning curve has just come down to where we’re more accurate.
Great. Thank you.
Thank you. I’ll talk to anyone afterwards.