For decades, the security profession has relied on the best technology we had at the time to deflect the onslaught of what we faced daily in the way of virus and malware attacks. Now, as predicted by Thomas Kuhn in his book “The Structure of Scientific Revolutions,” we’re seeing the dawn of a new day where AI’s machine learning and advanced mathematical algorithms now offer validated deflection rates, pre-execution, in the realm of 99%. This session will explore this new paradigm and how it will impact our future.
Main points covered:
• How did our profession change in the world of reactive detection?
• How to escape the inertia that held us prisoners?
• What is the power of AI and machine learning?
• What are the risks of this new technology?
Presenter:
Our presenter for this webinar, John McClurg serves as Vice President and Ambassador-At-Large of Cylance, where he is responsible for building Security and Trust programs & operational excellence efforts. Prior to Cylance, he served as the CSO of Dell, Honeywell, and Lucent and in the U.S. Intelligence Community, as a twice-decorated member of the Federal Bureau of Investigation (FBI). He also served as a Deputy Branch Chief of CIA where he helped to establish the new Counterespionage Group and was responsible for the management of complex counterespionage investigations. McClurg was voted one of America’s 25 most influential security professionals.
Organizer: Ardian Berisha
Date: October 25th, 2018
Recorded webinar link:
3. The World is Flat
• Cyber / Physical
• Domestic / International
• Public / Private
• Church / State
• Business / Security
Traditional boundaries of interest grow ever more porous
4. With increasing connectivity comes an increase in the number of Threat Vectors, Avenues of Attack, open to an adversary.
• Internet of Things
• Household appliances
• Driverless cars
• Cameras
• Human organs (Brains)
• SCADA Systems (Supervisory Control And Data Acquisition): monitors and controls critical processes
8. Counterterrorism – Lockerbie, Oklahoma City, Unabomber
Phreakers & Hackers – Dark Dante
Counterespionage – Harold “Jim” Nicholson
Corporate Life – “Not If But When”
Elaborate “Defense In Depth” Structures – Complex, Costly, Reactive: Post-execution
Reaping the Reactive Life
A call for new paradigms
9. Emergence of the Proactively Predictive:
Snowden
US Government Requirement – Viable Trusted Insider Program
Big Data Analytics – AI’s Machine Learning & Mathematical Algorithms
We Had To Do Better
11. Reactive Detection Versus Prevention
Reactive Detection
• “Big Data” problem: early indicators too numerous and distributed, across too many repositories
Algorithms
• Software that allows us to pull data into algorithms that could be fed from numerous repositories across diverse environments
Prevention
12. Security
No longer just the guns, gates, guards, and geeks of yesterday; now a duty owned by all.
No longer a distasteful cost of doing business; now an indispensable and inextricable aspect of advancing it.
13. Wetware: Individual Users
• Spear-phishing draped in “Beguiling Specificity”
“Here’s a picture of your daughter kicking the winning goal at last Saturday’s soccer game!”
CLICK
Malware embedded
14. Preventing Compromise
Not if, but when…
1. How well are critical assets identified
2. Enclaved those assets
3. Detected the compromise
4. Contained it
5. Expelled it
6. Leverage new insights gained
Only 19% Detected
15. Preventing Compromise
Not if, but when…
90% of all breaches tied to malware
Detection, Incident Response, Triage, Damage Mitigation and Remediation
16. Thomas Kuhn, American physicist, historian and philosopher of science, “The Structure of Scientific Revolutions”
“Periods of normal science are interrupted by revolutionary science.”
New paradigms to change the rules of the game, our standards and our best practices.
17. No more sacrificing at least one endpoint or employee’s computer for the greater good, for the creation of a signature.
NO MORE SACRIFICIAL LAMBS.
20. How it Works
Determine if a file is good or bad purely on the information contained in the file, replicated on a sustainable massive scale.
Prediction based on properties learned from earlier data to differentiate malicious files from safe ones.
Patterns have emerged of how specific files are constructed.
Humans are simply incapable.
99.7% Effective
21. Proactively Predictive: AI’s Machine Learning
ML is a type of artificial intelligence (AI) that provides computers with the ability to learn, without being explicitly programmed, without the assistance or intervention of humans.
AI provides the opportunity to develop pre-execution malware prevention, more disruptive than anything I’ve seen in the last two decades.
ACCELERATION
22. Security as a Science: The Future of Malware Prevention
Industries such as healthcare, insurance, and high-frequency trading have applied the principles of AI and machine learning to analyze enormous quantities of business data and drive autonomous decision making.
The core of the AI-based security approach is capable of applying highly-tuned algorithmic models to enormous amounts of data.
An AI or machine learning approach to security will fundamentally change the way we understand and control risks, not only those posed by malicious code but other challenges such as passwords, access, and authentication.
23. PROACTIVELY PREDICTIVE
Having mapped the genomic structure of the files making up the internet, we make software that predicts, then blocks cyberattacks, on the endpoint, in real time, using pre-execution artificial intelligence algorithms.
25. How Traditional AV Vendors Create a Single Signature
Sample sets: All Known Malware; New Malware (Last 24 Hours); Zero-Day Malware
t0: Collect Samples
t1: Triage and Classify
t2: Human Malware Researchers and Automation
t3: Cloud Threat DB
t4: Signature File
t5: Security Admin Updates
t6: Test Signature File
t7: Deploy Signature
28. Proactively Predictive: AI’s Machine Learning
Infused new life into the profession.
Artificial intelligence redefines and strengthens the cyber security community.
Machine learning will not lose efficacy over time even as attackers alter strategies.
29. Minority Report: From Fiction To Reality
• Test threw the worst of 2016, 2017, & 2018 malware at a 2015 version of the Cylance Math Model.
• Result: An end-user would have been protected even if they hadn’t updated their math model for over two years.
• As much as 33 months, but on average a predictive advantage (PA) of 25 months.
30. The dawn of a new age!
A Paradigm Shift…Galileo Lives Again!
“Prove for one’s self.”
32. May you Live in Interesting Times
- A New Paradigm Benediction
33. ISO/IEC 27032 Training Courses
• ISO/IEC 27001 Introduction: 1-Day Course
• ISO/IEC 27001 Foundation: 2-Day Course
• ISO/IEC 27001 Lead Implementer: 5-Day Course
• ISO/IEC 27001 Lead Auditor: 5-Day Course
Exam and certification fees are included in the training price.
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001
www.pecb.com/events
Good Afternoon! It’s great to be back here in Brazil. This is actually my 8th visit, spread out over the last 40 years, since as a young man I actually lived here in Sao Paulo. Those intervening years remind me of the old saying:
Over a decade ago, Tom Friedman, in his iconic book “The World is Flat,” opined that this age, in large part due to the advance of cyber, would be characterized as one in which “traditional boundaries of interest…would grow ever more porous” click --whether that was the traditional distinction we drew between the cyber and physical, domestic and international, public and private, church and state…security and business.
That porosity has been exacerbated by the emergence of the Internet of Things, or what some of us are now calling the Internet of Everything, where even our appliances, not to mention driverless cars, cameras, human organs, and SCADA systems are now connected to the internet. click SCADA is an acronym for Supervisory Control and Data Acquisition and refers to an industrial computer system, that monitors and controls critical processes. In the case of utilities, SCADA devices monitor and control substations, transformers, and other electrical assets…even nuclear centrifuges. click With this porosity or increasing connectivity comes an expansion of “Threat Vectors” or passages through which adversaries may attack interests tied to these devices. In such a world cyber vulnerabilities can undermine physical interests and physical vulnerabilities can undermine cyber interests.
Although the Security Profession has always aspired to prevent adverse actions coming through those vectors, we have found ourselves stymied in the world of Reactive Detection. Whether it’s terrorism, hackers, or espionage, the best we’ve generally been able to do is react after the fact--the proverbial “ambulance at the bottom of the cliff, rather than guardrail at the top.”
Our past is replete with instances of such efforts and the results that they produce… those results aren’t always something we want to remember. Unfortunately, as the philosopher George Santayana reminded us:
One of the more dramatic lessons from the past of the importance of remembering was chronicled during World War II. The Nazis had developed a new threat…the V1 rocket, or flying bomb. At the end of the day the reactive detection efforts of the Allies, post-execution, proved costly, resource intensive and ultimately ineffective. That deficiency was only exacerbated when the Nazis moved to the next generation of threats, the V2 rocket. It wasn’t until the Allies turned to Proactive Prevention, pre-execution, striking at the sites where the rockets were made or from which they were launched, that the tide was turned.
I personally was introduced into the world of the reactive early in my professional life.
George Washington, in the depths of the American Revolution, was asked what, amongst all that was then churning around him, most kept him up at night. It wasn’t the Continental Congress, who even then seemed challenged when it came to productive action. Nor was it his men, freezing and starving to death at Valley Forge. The answer he gave was--- click “Their spies.” Since then, over 240 years, we have been amassing what are considered early “data points” indicative of trusted insiders who were considering, or who had actually turned, toward the dark side. Unfortunately, it is not just malicious insiders that can hurt us, but also those who act unthinkingly or carelessly with regard to the trust given them.
Notwithstanding the insights garnered over time, we find ourselves reacting to these betrayals. Our inability to proactively predict and then prevent such violations of trust, Click was the result of a “Big Data” problem. Those early indicators were too numerous and distributed, across too many repositories, to allow us to wrap our cognitively-limited minds around them, at least given the technology then available. Click But the times are changing. Click Technology strides have produced software that allows us to begin looking at both structured data, like Excel files, and unstructured data, like that which reflects internet activity, pulling the data into algorithms that could be fed from numerous repositories across diverse environments. We developed just such a program at Dell.
As a result of those efforts, Security has transformed from a “distasteful cost of doing business” to an inextricable and “indispensable aspect of advancing it.” Inextricable because of compliance, indispensable because we delivered the service at a price point that made us competitive. No longer just the “guns, gates, guards, and geeks” of yesterday, but now--a duty owned by all—because of the connections that now exist between the physical and cyber worlds within which each of us now stands.
When I say “All” I mean what I call the “wetware,” the humans whose brain is 76% water. Although in Cyber War a nation may be ultimately targeted or engaged, the starting point very likely will remain that of an individual user, click the victim of an initial attack advanced via what is called “spear-phishing”--the use of an email, draped in beguiling specificity, harvested from information someone unthinkingly posted on social media, which is then used against them as an inducement to click on an infected attachment— click “Here’s a picture of your daughter kicking the winning goal at last Saturday’s soccer game.” What self-respecting and guilt-ridden father, who happened to miss the game, could resist? click Once clicked, the malware embedded in the attachment launches and proceeds to do any one of many insidious things such as credential harvesting or keystroke logging. Although he may have been trained and knows better, he is first and foremost still a vulnerable human being.
Given that anemic historical performance, the industry found it prudent to manage the expectations of organizational leaders. Usually that means “under promising, over delivering”. To that end, a mantra now dominates the security profession: “It’s not if, but when” one will be compromised ---“Not If but When.” It’s galling professionally to admit. But it seemed imprudent not to establish that expectation. With that understanding in place, when a compromise does occur, rather than being summarily fired, the discussion with one’s leadership can more productively turn to such questions as how well have we click (1) identified critical assets, click (2) enclaved those assets, click (3) detected the compromise, click (4) contained it, click (5) expelled it, click and (6) leveraged the new insights gained, in raising the bar, so that the next compromise will be harder for an adversary to accomplish. The likelihood of such compromises is augmented by the historical deficiencies of our Anti-virus partners. Remember: On a good day, click those traditional partners captured only 19% of the evil that was coming at us, a deficiency exacerbated by the fact that our adversaries have now automated the rate at which they alter the signatures of their viruses.
Consequently, what evolved were elaborate defense-in-depth structures, which carried with them, as their unspoken, supporting assumption, the fact that “it’s not if but when” one would eventually be compromised. click When one layer of protection failed, the deeper ones would hold…or at least that was the hope. That assumption, over time, gave way to downstream activities, the effective execution of which required incredible amounts of time, money, energy, and resources-- click --Detection, Incident Response, Triage, Damage Mitigation and Remediation. The Security Industry has profited nicely, over the years, as a result of that complexity and growing insecurity. That conflict of interest works to undermine the enthusiasm with which the industry embraces solutions that might proactively prevent. We knew, however, when it came to viruses that we could do better… click we had to do better, given that 90% of all breaches are tied to malware. The time for a new paradigm has arrived.
Thomas Kuhn described, in his seminal book the Structure of Scientific Revolutions, a model in which periods of “normal science” are interrupted by periods of “revolutionary science.” It challenged us as a society to consider new paradigms, to change the rules of the game, our standards, and our best practices.
That fact led many in our industry to reach a point of frustration. The historical failings of our Anti-Virus partners pushed them to the point of declaring: “No more sacrificial lambs! No more sacrificing at least one end-point, one computer, in order to obtain a signature or instance of the latest virus.”
A survey of the entire, global Security Community was conducted and identified over 60 different companies, all of which claimed to offer something new in the way of what is called “Advanced Endpoint Protection.”
The goal of the pre-execution approach is to analyze suspect code and determine if a file is good or bad based purely on the information contained in the file itself, and then repeat that at a sustainable massive scale. Over the past few decades, click patterns have emerged that dictate how specific types of files are constructed. There is variability in these patterns as well as anomalies, but as a whole, consistency has arisen as statistical sample sizes increased. click
Given the magnitude of the data involved, humans are simply incapable of making a determination as to whether the file is good or bad – yet legacy AV vendors still rely heavily on human decision-making in their processes. click Alternatively, machine learning focuses on prediction, based on properties learned from earlier data, to differentiate malicious files from safe ones. The ability to do this across a huge number of samples is important because, as I mentioned, modern malware creation is largely automated, enabling it to elude legacy Anti-virus solutions.
Applied AI uses complex algorithms that can predict if a program is malicious based on millions of features. click This approach to prevention has proven extremely effective, 99.7% effective, at stopping malware before it gains a hold on a system, and without the need for a “sacrificial lamb” or initial victim to become infected.
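To make the contrast between the per-sample signature pipeline of slide 25 and the property-based prediction described above concrete, here is an added Python example; it is not Cylance’s code or the presenter’s, and the toy corpus (low-entropy text-like blobs standing in for benign files, high-entropy random bytes standing in for packed payloads), the two hand-picked features and the tiny logistic model trained from scratch are all assumptions. It shows that a one-byte variant of a sample no longer matches its exact-hash signature, while a model that learned from the properties of earlier samples still flags it.

```python
import hashlib
import math
import random

# Constructed corpus, not real malware: "benign" samples are low-entropy,
# mostly printable text-like payloads; "packed" samples are high-entropy
# pseudo-random bytes standing in for a packed or encrypted payload.
random.seed(7)

def make_benign(size):
    words = b"config user path log value true false data "
    return (words * (size // len(words) + 1))[:size]

def make_packed(size):
    return bytes(random.getrandbits(8) for _ in range(size))

def shannon_entropy(blob):
    """Bits per byte: 0.0 for a constant blob, 8.0 for uniformly random bytes."""
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def extract_features(blob):
    # Structural properties of the bytes themselves; nothing is executed.
    printable = sum(32 <= b < 127 for b in blob) / len(blob)
    return [shannon_entropy(blob) / 8.0, printable]

def train_logistic(samples, epochs=300, lr=0.5):
    """Learn weights from (features, label) pairs by plain gradient descent."""
    w, bias = [0.0, 0.0], 0.0
    for _ in range(epochs):
        for feats, label in samples:
            z = bias + sum(wi * xi for wi, xi in zip(w, feats))
            err = 1 / (1 + math.exp(-z)) - label
            w = [wi - lr * err * xi for wi, xi in zip(w, feats)]
            bias -= lr * err
    return w, bias

def predict_malicious(model, blob):
    w, bias = model
    z = bias + sum(wi * xi for wi, xi in zip(w, extract_features(blob)))
    return 1 / (1 + math.exp(-z)) > 0.5

def signature_match(blob, known_hashes):
    # Traditional approach: an exact hash of a sample already collected.
    return hashlib.sha256(blob).hexdigest() in known_hashes

def run_demo():
    # "Earlier data": a handful of labelled samples of varying sizes.
    training = [(extract_features(make_benign(s)), 0) for s in (300, 450, 600)]
    training += [(extract_features(make_packed(s)), 1) for s in (300, 450, 600)]
    model = train_logistic(training)

    # A never-before-seen packed sample and a one-byte variant of it, the way
    # automated malware generation alters a sample so its signature changes.
    new_malware = make_packed(512)
    variant = bytes([new_malware[0] ^ 0xFF]) + new_malware[1:]
    known = {hashlib.sha256(new_malware).hexdigest()}
    return {
        "signature_hits_original": signature_match(new_malware, known),
        "signature_hits_variant": signature_match(variant, known),
        "model_flags_original": predict_malicious(model, new_malware),
        "model_flags_variant": predict_malicious(model, variant),
        "model_flags_benign": predict_malicious(model, make_benign(512)),
    }

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Two features are enough to separate this constructed corpus; a real pre-execution engine draws on far more properties of a file, but the principle of predicting from learned properties rather than matching an exact sample is the same.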
The advent of applied Artificial Intelligence (AI), also known as machine learning, liberatingly delivers this new paradigm--that “better way” when it comes to malware prevention. click Machine learning is a type of artificial intelligence (AI) that provides computers with the ability to learn when exposed to new data without being explicitly programmed and without the assistance or intervention of humans.
While legacy antivirus (AV) vendors had hoped that post-execution analysis solutions would give them an edge against the malware onslaught, it’s clear that relying on products that only detect malware after it has executed is no longer viable. click AI now provides us the opportunity to develop pre-execution malware prevention engines in a manner that’s truly disruptive—unlike anything I’ve seen in the last two decades.
In order to keep up with modern attackers, security technologies need to evolve alongside them–without relying on human intervention. That’s where Artificial Intelligence and machine learning have the advantage. click For years, industries such as healthcare, insurance, and high-frequency trading have applied the principles of AI and machine learning to analyze enormous quantities of business data and drive autonomous decision making.
Click Similarly, at the core--of an AI-based security approach--is a massively scalable, data-processing ‘brain’ capable of applying highly-tuned algorithmic models to enormous amounts of data in near real-time—fractions of a millisecond. click An AI or machine learning approach to security will fundamentally change the way we understand and control risks not only posed by malicious code but other challenges such as passwords, access, and authentication.
Just as Kuhn’s model predicted, the security paradigm is shifting from regular, click outmoded reactive strategies to one in which security is pursued as a science, where AI stands forth as the primary agent for that revolutionary change.
The OPM/Cylance Timeline
2014: Cylance was called in to OPM by a reseller partner, Assurance Data, and OPM evaluated CylancePROTECT
2014: OPM’s Director of IT Security Operations recommended deploying CylancePROTECT
2014-2015: “Internal politics and bureaucracy” delayed the adoption of the product
April 16, 2015: OPM discovered suspicious activity on its networks
April 16, 2015: OPM called Cylance consultants in “to help with the forensics” because “it was their tool that found the malware”
April 17, 2015: OPM IT Security Officer Jeff Wagner said in an email that Cylance was able to find things that other tools could not “because of the unique way that Cylance functions and operates. It doesn’t utilize a standard signature or heuristics or indicators, like normal signatures in the past have been done. It utilizes a unique proprietary method.”
April 18-19, 2015: Cylance Consulting used CylancePROTECT to identify and remove all instances of malware from the network
Traditional Signature-based Anti-Virus is predicated on backend operations that are completely reactionary. Typically, in order to write a sig, you have to get your hands on the physical sample.
There are half a million new samples that need to be processed in any given day.
Example: we had a customer of 100k endpoints and they would consider it to be a good thing to roll out a DAT (signature) file in 5 days.
For years, one of my favorite movies has been Groundhog Day, which chronicles the tale of a narcissistic weatherman forced to live the same day repeatedly. This maddening process makes him feel like many security professionals who, over the years, have found themselves battling the same threats and vulnerabilities, as though stuck in a cycle from which they could never escape.
The predictive capabilities of mathematical modeling and continuous machine learning offer an end to those groundhog days and have infused new life into the profession. Given our limited cognitive and physical capabilities, and our general inability to keep up with the cadence, volume, and sophistication of modern threats, many wondered how much longer they could have persisted in the ever-repeating world of the reactive--characterized by ever-growing inter-connectivity and resource constraints. click Artificial Intelligence changes and redefines all that, strengthening the community with the knowledge that there is one version of the “ever-repeating” that we can welcome--that of continuous learning, based on new data and new techniques. To that end, click I believe machine learning will not lose its efficacy over time—even as attackers alter their strategies, as we know they will.
We are definitely seeing the dawn of a new age, a new paradigm. The old paradigm of signature based, post-execution anti-virus, however, will not go quietly into the night. We’re already seeing a cloud of confusion and counterclaims emerging…not unlike that faced by poor Galileo when he championed a new paradigm. click In that environment, all are encouraged not to be beguiled by that passion either side might exude, but to “Prove for one’s self”--which is the superior solution. Ultimately the strength and truth of this new approach speaks for itself.
Bill Gates, Stephen Hawking, and Elon Musk
AI can be intimidating and is, of course, being utilized in fields other than just Security. Stephen Hawking, Elon Musk, Bill Gates, and other very bright individuals have recently issued clarion calls of caution and concern, even ominous warnings. Like any new technology, AI can be a two-edged sword, and thus, careful and considerate reflection in its deployment is, as it has always been--the order of the day.