Art Hathaway - Artificial Intelligence - Real Threat Prevention

Artificial Intelligence. Real Threat Prevention.
Art Hathaway, Regional Sales Director, Ohio Valley
Steve Richards, Sales Engineer, Ohio Valley

Upload: centralohioissa

Post on 13-Apr-2017


Page 1: Art Hathaway - Artificial Intelligence - Real Threat Prevention

Artificial Intelligence. Real Threat Prevention.

Art Hathaway, Regional Sales Director, Ohio Valley

Steve Richards, Sales Engineer, Ohio Valley

Page 2
Page 3

3 | © 2015 Cylance, Inc.

The Future of Security

[Figure: timeline from Past through Present to Future. Labels: Pre-Execution, Humans Needed; Post-Execution; Pre-Execution, No Humans. Technologies shown: AV, HIPS / Anti-Exploitation, Sandboxing, Isolation, EDR, AI.]

Page 4

Required Solution

Reduce risk by preventing malware before it executes.

Cylance prevents malware by using Artificial Intelligence to unlock the DNA of advanced threats.

Page 5

Algorithmic Science
• Machine Learning
• Cluster & Classify
• Pandora ML

Confidence Scoring

Threat Indicators
• Anomalies
• Collection
• Data Loss
• Deception
• Destruction

Collect / Classify / Context

Page 6

How It Works

[Figure: processing pipeline. Stages shown: Collect; Extract; Transform, Vectorize & Train; Classify & Cluster. Output labels: Good, Bad.]

Page 7

What is a Feature / Attribute

Page 8

Extract ~15,000,000 features

RosAsm Base3.exe PE File Structure
• DosMZ Header
• DOS Stub
• PE File Header: PE Signature, Image_Optional_Header
• Section Table: Array of Image_Section Headers
• Sections: .idata, .rsrc, .data, .text, .src
• Directories

Disassembly shown on the slide:

    lea rcx,[rdi+20h]
    mov qword ptr [rdi+8],r13
    mov qword ptr [rdi+10h],r13
    mov qword ptr [rdi+18h],r13
    mov qword ptr [rcx+20h],r12
    mov qword ptr [rcx+18h],r13
    lea rdx,[rsp+258h]
    or r9,0FFFFFFFFFFFFFFFFh
    xor r8d,r8d
    mov word ptr [rcx+8],r13w
    mov ebx,r14d

Feature sources listed on the slide:
• DOS Header
• NT Header
• File Header
• Section Headers
• Export Directory
• Import Directory
• Resource Directory
• Relocation Directory
• Debug Directory
• Packer Used
• Compiler Type
• Compiler Language
• File size
• PE size
• Image section headers
• Image imports
• Functions called
• Kernel hooks
• Image Paths
• Image Resource Directory
• Bitmaps
• Icons
• Strings
• RCData
• Icon Groups
• Version Info

Page 9

Transformation: Normalization and Vectorization

Meta-data that creates new features

[Figure: per-file feature vectors x = [...] assembled into a matrix X and separated into two groups labelled Unsafe and Safe.]

Page 10

Deep Discussion

• First Order Feature – information you can extract directly from the binary or its structure

• Second Order Feature – e.g., the entropy value of a binary or of a section of a binary.

• Third Order Feature
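
An added illustration of the first- and second-order features listed above (not part of the original slides and not Cylance's code): Python that reads section names and sizes from the PE headers, then computes Shannon entropy per section. The function names and the sample buffer are constructed for this example.

```python
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Second-order feature: bits per byte, 0.0 (one repeated byte) to 8.0 (all values equally likely)."""
    n = len(data)
    return sum(c / n * math.log2(n / c) for c in Counter(data).values()) if n else 0.0

def extract_features(pe: bytes) -> dict:
    """First-order features read from the PE structure, plus entropy per section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing DOS 'MZ' header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)      # offset of the PE signature
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: Machine, NumberOfSections, ..., SizeOfOptionalHeader, Characteristics
    machine, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size                  # section table follows the optional header
    sections = {}
    for i in range(n_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        body = pe[raw_ptr:raw_ptr + raw_size]
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = {
            "raw_size": raw_size, "entropy": round(shannon_entropy(body), 3)}
    return {"file_size": len(pe), "machine": machine, "sections": sections,
            "file_entropy": round(shannon_entropy(pe), 3)}

def build_sample() -> bytes:
    """Constructed PE-like buffer for the demo (headers and two sections, not loadable)."""
    text = b"\x90" * 256                  # one repeated byte: entropy 0
    data = bytes(range(256))              # every byte value once: entropy 8
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)      # e_lfanew stored at 0x3C
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0, 0)
    raw0 = 64 + 4 + 20 + 2 * 40           # section bodies start right after the table
    def sec(name, size, ptr):
        return struct.pack("<8sIIIIIIHHI", name, size, 0, size, ptr, 0, 0, 0, 0, 0)
    table = sec(b".text", 256, raw0) + sec(b".data", 256, raw0 + 256)
    return dos + b"PE\0\0" + coff + table + text + data

if __name__ == "__main__":
    for name, feats in extract_features(build_sample())["sections"].items():
        print(name, feats)
```

Section entropy close to 8 bits per byte is typical of compressed or encrypted content, which is why it is a common input to classifiers of this kind.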

Page 11

Page 12
Page 13

The world is growing more

VOLATILE AMBIGUOUS COMPLEX

And it is all speeding up …

Page 14

The Escalating Battle for Control in Cyberspace

Increase in sophistication and number of cyber attacks
Government concerns are driving new regulation
Increasing tensions between privacy and security

Growing debate about the Roles of Government and Industry in Privacy and Security

Page 15

Threats & Impacts – A Simple Summary

IP Loss (technology leadership)

Shut Down Your Business (materiality impact)

Compromise you to Compromise others (trust, brand, reputation)

Product Vulnerability (trust, brand and reputation)

An Adversary

Page 16

The idea is to assess soil and landscape types, weather and pest issues to boost crop yields and profits.

All the farmer needs is a smartphone and a GPS-enabled tractor connected to the cloud, with data and analytics.

Page 17

All a government needs is access to the data

The idea is to facilitate a precision bombing.

Page 18

The idea is to cure blindness.

Doctors on June 19th 2015 insert a retinal implant into a patient’s eye that is connected to high-tech glasses with a camera and a video processing unit

Page 19

The idea is to extort money.

All a bad person needs is poorly developed or managed technology and the ability to execute malicious code

Page 20

The idea is to improve road maintenance and safety

All a municipality needs is sensors in the cement, sensors in cars, sensors with people, connected to the cloud, with data and analytics

Page 21

The idea is to profit from or to harm others

All a bad person needs is poorly developed or managed technology and the ability to execute malicious code

Page 22

The idea is to improve food safety and reduce cost

All a food and beverage organization needs is real time information flow from the slaughter house to the point of sale

Page 23

The idea is to save cows

All a bad person needs is poorly developed or managed technology and the ability to execute malicious code

Page 24

Digital Evolution
In the next few years the attack landscape will dramatically change:

• Adoption of smart grid devices water/power
• Tech inside more than phones, tablets, laptops
• IP enabled home appliances
• Centralized home information flow (bundled services via internet)
• Proliferation of devices & app markets
• “Virtual assets” - content with emotional attachment in digital world
• Pervasive wearables updating social computing
• Open source Intelligence refining targets

Expanding attack surface - greater technology integration with society well being
Cyber has been IS characterized as the 5th domain of warfare

Page 25

$2M in funding for the attack came from cyber crime

In November 2008, 10 Pakistani members of an Islamic militant organization carried out a series of 12 coordinated shooting and bombing attacks lasting four days across Mumbai. The attacks began on Wednesday, 26 November and lasted until Saturday, 29 November 2008, killing 164 people and wounding at least 308.

Page 26

The idea is to terrorize

All a bad person needs is poorly developed or managed technology and the ability to execute malicious code

Page 27

A growing digital economy relies on Trust

“We saw air let out of the balloon, an evaporation of trust”

“the reputation of the Tech industry went backwards”

“By a margin of 2 to 1 people don’t believe that governments or businesses are thinking enough about the broad negative societal impacts that technology can have”

Richard Edelman – Feb 2015

Page 28

Breaking someone’s trust is like crumpling up a perfect piece of paper

Page 29

Breaking someone’s trust is like crumpling up a perfect piece of paper

You can work to smooth it over, but it’s never going to be the same again

Page 30

9-Box of Controls

[Figure: 3x3 grid. Control Types: Prevent, Detect, Respond. Control Approaches: Automated, Semi-Automated, Manual.]

Page 31

[Figure: 9-box of controls (Control Types: Prevent, Detect, Respond; Control Approaches: Automated, Semi-Automated, Manual) with Risk and Cost axes.]

Focus is on Minimizing damage – only variables are time to detect and time to contain

Focus is on Minimizing vulnerability and potential for harm

Page 32

[Figure: 9-box of controls (Control Types: Prevent, Detect, Respond; Control Approaches: Automated, Semi-Automated, Manual) with Risk and Cost axes.]

Where most of the industry is focused

Page 33

[Figure: 9-box of controls (Control Types: Prevent, Detect, Respond; Control Approaches: Automated, Semi-Automated, Manual) with Risk and Cost axes.]

Highest Risk, Highest Cost, Most Liability

Lowest Risk, Lowest Cost, Limited Liability

Where most of the industry is focused

Shift Down and Left

Page 34

[Figure: 9-box of controls (Control Types: Prevent, Detect, Respond; Control Approaches: Automated, Semi-Automated, Manual) with Risk and Cost axes. Label: MOTION.]

Page 35

[Figure: 9-box of controls (Control Types: Prevent, Detect, Respond; Control Approaches: Automated, Semi-Automated, Manual) with Risk and Cost axes. Labels: MOTION, PROGRESS.]

Page 36

[Figure: 9-box of controls (Control Types: Prevent, Detect, Respond; Control Approaches: Automated, Semi-Automated, Manual) with Risk and Cost axes. Labels: MOTION, PROGRESS, HIGH CONTROL FRICTION.]

Page 37

[Figure: 9-box of controls (Control Types: Prevent, Detect, Respond; Control Approaches: Automated, Semi-Automated, Manual) with Risk and Cost axes. Labels: SUSTAINED PROGRESS, LOW CONTROL FRICTION.]

Page 38

WE NEED SOLUTIONS THAT …

To Enhance Trust in Technology

LOWER RISK LOWER COST LOWER FRICTION

Page 39

so we can make sure tomorrow is better than today

Page 40

Total Cost of Controls

Obvious Direct Cash Buckets
• AV replacement
• Security Operations
• Hunting team
• Investigations
• Legal
• Help Desk Calls
• Performance complaints
• Infection related issues
• IT operations costs
• IT emergency response
• Infrastructure costs
• Rebuild/re-image costs

Less Obvious Direct Cash Buckets
• De-clutter other controls
• Other end point products (CyberArk, client proxy, DLP, etc.)
• Other control products
• Extending PC lifecycle
• Headroom back due to performance
• Other IT operations costs
• EOL’d systems – delayed upgrades
• Change patching windows
• Servers can be protected – normally cannot complete disk scan with AV
• Reduce infrastructure costs due to less “chattiness” with cloud

Page 41

Total Cost of Controls

Hero
• Value of IP
• Maintain market leadership
• Cost of a privacy breach
• Litigation
• FTC, class actions, etc.
• ediscovery
• PR & Comms
• Credit monitoring
• Mgmt Distraction

Zero
• Spent on the “insurance” and no proof that you “saved the world”

All about probability of bad things occurring and a wide range of outcomes/impacts financially

Page 42

Control Friction
• Controls are a “drag coefficient” on business velocity
• Slow the user
• Slow a business process
• Too much control friction
• Business and users go around security and IT
• Adds cost – IT isn’t managing IT anymore
• Data and business silos are created
• Loss of purchasing power
• Adds risk
• Risk and Security team becomes blind – can’t prevent, hard to detect, and everything ends up being an after the fact response
• Business adheres to the controls – generates systemic Business Risk
• Lose time to market
• Lose ability to innovate
• Lose long term market leadership