To meet these dynamic and evolving security threats, Australian CSOs and their IT security teams are focusing urgently on integrating real-time, machine learning threat analysis at the endpoint for their businesses.
At Com-X we work closely with BlackBerry Cylance to provide our customers with the most advanced malware and threat prevention technology available. CylancePROTECT combats common threats such as malware, ransomware, fileless malware, malicious scripts, weaponized documents, and many other attack vectors. CylancePROTECT also works without signatures and without streaming data to the cloud for AI analysis, no matter where the endpoint resides.
Dynamic Security: How does this compare with traditional AV for Endpoint Threats?
Traditional antivirus (AV) and anti-malware products are now struggling to keep pace with the speed at which cyber threats evolve. In many cases this renders them less and less effective against the likes of fileless malware, which writes nothing to disk and therefore cannot be caught by traditional AV signatures. Modern malware authors even run enterprise-style tooling to test their attacks and payloads, using bootlegged multi-engine scanning sites to check whether a sample is detected before it is released into the wild. If it is detected, they modify the malware code and try again until it passes undetected by traditional AV products.
New methods for dynamic security, preventing the execution of malicious code, have been sorely needed by our customers over the last few years — whether the threat is malware binaries, fileless attacks, script-based, or new malware attacks that are just emerging.
Traditional AV products rely on four key methods for detecting malware:
Pattern Matching and Byte Matching:
Uses signature definitions to detect threats by finding an exact match of the threat’s code. The weakness of this approach is that attackers can easily bypass signatures by mutating, obfuscating, or otherwise changing the code in their malware.
Heuristic Approaches:
Here, a traditional antivirus engine looks at loose properties of a file, such as its size, whether it appears to use a set of dangerous functions, or whether it has abnormal permissions. This approach is limited because it generally relies on a small number of rules (perhaps ten) before classifying a file as malware. An attacker therefore only needs to change one small property of the file, such as inserting arbitrary code to make it appear larger; once the heuristics can no longer match that property as potential malware, the heuristic detection system is fooled.
Behaviour Analysis:
Like heuristics, this approach to dynamic security targets behaviour exhibited by malware. For example, is the file changing the file system or the system registry, or is it spawning additional processes? The obvious problem with this approach is that the malware must execute before it is detected, which may mean that damage is caused before the malware is quarantined.
Hash-Based Approaches:
In this case, the AV calculates hashes over different parts of the file (for example, an MD5 hash), then checks whether that hash matches the hash of a known virus. If it does, the AV determines that the file is a virus. The problem with hashes is that if a single bit changes in any of the code areas used to generate them, the hashes produced are wildly different, so the file may not be detected as a virus at all.
Where does this leave the traditional AntiVirus in dynamic security?
At Com-X, we think this leaves traditional antivirus approaches in a difficult position. More and more IT managers we come across are looking for a less “static” approach that doesn’t rely on signature files and doesn’t wait until the malware has actually activated. The constant scanning of files and signature file updates hampers the performance of endpoint devices and also impacts user experience and productivity.
The demand from IT Managers is for genuine threat prevention instead of the traditional historical and reactive signature-based approach to malware.
Machine learning with traditional AntiVirus
Traditional AV vendors use machine learning for a number of purposes in their anti-malware frameworks, for example:
Pattern Matching and Byte Matching:
A machine learning algorithm is used to analyse and scan known malicious software code in order to derive the detection vector, generally from a trust network in the cloud.
Heuristic Approaches:
A machine learning algorithm is used to generate a signature, heuristic, or hash algorithm as described above.
Despite the fact that machine learning is used in these ways by traditional AV, the problem remains that this approach still relies on static, signature-based threat detection rather than proactive threat prevention.
How does dynamic threat detection with AI and Machine Learning work better for preventing malware threats?
When using BlackBerry Cylance, our Com-X customers gain a signatureless approach to malware prevention that leverages artificial intelligence and machine learning in order to prevent malicious code from executing.
Cylance studies billions of files and measures nearly 1.5 million features, which are used for analysis and then for training of their machine learning models. Examples of these features include the file length, the use of digital certificates (which are often legitimate but can be stolen), whether the file uses a packer, and the complexity or entropy of the file. Instead of looking at five or ten features to decide whether a file is good or bad, the Cylance machine learning algorithm looks at 1.5 million features. Each one of those features can be represented as a layer in the Cylance deep learning network. The presence or absence (and the weight) of a feature determines the path through the layers to reach a decision about a file’s integrity. This analysis creates a deep, branched structure used by the Cylance model that outputs a confidence score. The higher the confidence score, the more certain BlackBerry Cylance is that a sample is malicious, even though the model has never seen it before.
This is the basis for building a predictive model, learning from massive amounts of past data to identify malware and threats that may not even yet exist.
The Cylance machine learning model has been trained to make decisions to identify malware in milliseconds, locally on each endpoint. At Com-X, this dynamic security model allows our customers to eliminate the time-consuming and resource-intensive tasks associated with maintaining signature-based solutions.
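To make the comparison between the four traditional detection methods above and the feature-based scoring just described concrete, here is an added Python example (not Com-X or Cylance code; the sample bytes, the marker string, the three features and their weights are all constructed for the illustration). It runs exact-hash, byte-signature and few-rule heuristic checks next to a toy weighted feature score on a constructed sample, then on the same sample with one bit flipped and with padding appended, the two edits the text says defeat hash and heuristic matching.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed stand-in for a packed executable: an "MZ" header, a run of
# high-entropy bytes (what a packer produces) and a fixed marker string.
# Not real malware; every value here is made up for this illustration.
KNOWN_BAD = b"MZ" + bytes(range(256)) * 4 + b"marker-XYZ"
KNOWN_BAD_MD5 = {hashlib.md5(KNOWN_BAD).hexdigest()}   # hash-based list
SIGNATURES = [re.compile(rb"marker-XYZ")]              # byte-pattern list

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def hash_match(data: bytes) -> bool:
    """Hash-based: only a byte-for-byte copy of a known sample matches."""
    return hashlib.md5(data).hexdigest() in KNOWN_BAD_MD5

def signature_match(data: bytes) -> bool:
    """Pattern/byte matching: survives edits elsewhere, not edits to the marker."""
    return any(sig.search(data) for sig in SIGNATURES)

def heuristic_match(data: bytes) -> bool:
    """Few-rule heuristic: a small MZ file whose contents look packed."""
    return data[:2] == b"MZ" and shannon_entropy(data) > 7.0 and len(data) < 2048

def feature_score(data: bytes) -> float:
    """Toy stand-in for a many-feature model: weighted features give a 0..1 score."""
    feats = {
        "entropy": shannon_entropy(data) / 8.0,                  # packed/obfuscated
        "mz_header": float(data[:2] == b"MZ"),                   # PE-like header
        "high_bytes": sum(b > 0x7F for b in data) / max(len(data), 1),
    }
    weights = {"entropy": 0.5, "mz_header": 0.2, "high_bytes": 0.3}  # made-up weights
    return sum(weights[k] * v for k, v in feats.items())

# The two edits the text describes: one flipped bit, and padding that inflates size.
ONE_BIT_FLIPPED = KNOWN_BAD[:100] + bytes([KNOWN_BAD[100] ^ 0x01]) + KNOWN_BAD[101:]
PADDED = KNOWN_BAD + b"\x00" * 4096
```

The flipped bit defeats only the hash check, while the padding defeats both the hash and the size-bound heuristic; the signature still fires and the feature score moves only gradually, which is the graded, many-feature behaviour the text contrasts with exact matching.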
Why do we recommend BlackBerry Cylance for our customers?
It’s Effective
- Cylance consistently prevents the execution of previously unknown, known, and custom-crafted malware and payloads without the need for signatures.
- It prevents the execution of unauthorised scripts.
- It provides superior malware prevention accuracy whether online or offline.
- BlackBerry Cylance leverages a combination of behavioural rules and AI-based machine learning models for EDR threat detection.
It’s Really Simple
- Cylance replaces, or if necessary, augments, existing anti-malware solutions (augmentation is only recommended for temporary/transition purposes for maximum solution value).
- CylancePROTECT is a Microsoft-approved AV.
- It is simple to deploy globally using GPO, login script, or third-party software management packages.
- Cylance allows the automation of response actions to behavioural threats without human intervention.
- Updates are easy and infrequent (for example, the current model is 14 months old).
Performance
- Cylance is non-disruptive to the environment. No reboot is required on workstations or servers.
- Improved end-user experience – a fully autonomous agent with a reasonable system resource footprint:
  - Eliminates the need for regular hard disk scans.
  - Reduces aggregate CPU and memory usage.
- Cylance lowers network bandwidth usage by eliminating legacy solution DAT file distribution challenges.
- Cylance can return performance to VDI infrastructure while providing a more complete guest OS-based anti-malware solution compared to hypervisor-level malware-only scanning.
- Enterprise-wide attack indicator queries are returned in seconds.