Prevention is possible with the right people, processes, and technology. Your security stack is swamping you in alerts, it’s time to think beyond today’s security approach and get out of the endless loop of chasing attackers. There is a better approach!
As you may have heard, the Federal Government is requiring the removal of all Kaspersky software. Federal departments and agencies are required to identify any use or presence of Kaspersky products on their information systems and discontinue present and future use of the products by November 13 and remove the products by December 13. https://www.dhs.gov/news/2017/09/13/dhs-statement-issuance-binding-operational-directive-17-01
The reason?
This action is based on the information security risks presented by the use of Kaspersky products on federal information systems. Kaspersky anti-virus products and solutions provide broad access to files and elevated privileges on the computers on which the software is installed, which can be exploited by malicious cyber actors to compromise those information systems. The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks. The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.
Any organizations (including contractors, universities, etc.) that receive federal funding should consider removing Kaspersky since your funding could be at risk. Consider our alternative approach because there is a better way.
Alternative Approach
Traditional antivirus software only detects around 40% of all malware, which means 60% of malware goes undetected. With CylancePROTECT, it’s possible to prevent over 99% of malware before it can execute. Cylance isn’t a “detect and respond” antivirus solution that will leave your systems open to continual attacks.
Cybriant offers Cylance as an endpoint security solution or as a managed service. Cybriant can assist you in the migration from your old anti-virus product and in the implementation, tuning, and management of your Cylance deployment.
Why Cylance?
Cybersecurity firm Cylance uses lightweight artificial intelligence (instead of heavy signatures) to provide customers with security that “predicts, prevents, and protects.” They have recently caught Gartner’s attention by being considered a Visionary in the Endpoint Security realm.
According to Gartner’s 2017 report, Cylance is “by far the fastest-growing EPP vendor” in the market. This is due in great part to its 2016 implementation of CylanceProtect with OPTICS, an endpoint detection and response solution that enables users to “see” the root cause of attacks. With the new OPTICS system, Cylance also released a powerful cocktail of updated support for scripted control, memory protection, and application and device control features.
Gartner also praises OPTICS as a highly versatile system that can seamlessly operate on-premise or can be cloud-enabled. As reported by Gartner, Cylance customers related that OPTICS had “easy deployment and management, low-performance impact, and high-execution detection rates against new threat variants.”
Learn more about artificial intelligence for threat detection.
The threat landscape is as dangerous as ever. Machine learning, and endpoint security will help improve the security of the most vulnerable devices, endpoints. Learn more about how Machine learning tools can help improve your endpoint security.
Endpoint Security is the approach that organizations take to protect their network when accessed by endpoint devices. Endpoints can be laptops, desktops, and even smartphones. Today’s digital resources combined with the increase of remote workers open a multitude of entry points for hackers to be able to access your corporate network. This is why endpoint security is a vital piece of network security in your security strategy.
Machine learning endpoint security is a software tool that organizations use to monitor their endpoints. Managed detection and response is the outsourced service where security analysts monitor your endpoints on a 24/7 basis.
Traditional antivirus programs are more simplistic and limited in scope compared to machine learning endpoint security, like Managed Detection and Response. Antivirus can be perceived as a part of an MDR system.
Antivirus is generally a single program that serves basic purposes like scanning, detecting, and removing viruses and different types of malware.
Endpoint security systems, on the other hand, serve a much larger role. Endpoint Security contains many security tools like firewalls, whitelisting tools, monitoring tools, etc. to provide comprehensive protection against digital threats. It usually runs on the client-server model and protects the various endpoints of an enterprise’s digital network and keeps the endpoints secure.
Hence, Machine learning endpoint security solutions are more suited for the modern-day enterprise as the traditional antivirus has become an obsolete security tool to provide total security.
Read more at Traditional Antivirus vs. EDR (Endpoint Detection and Response)
Machine learning is the use of statistics to find patterns in large amounts of data. Many platforms are using machine learning and artificial intelligence to improve their algorithms which will improve the overall user experience. Machine learning endpoint security helps find unusual patterns in user behavior to detect potential malware attacks.
According to SentinelOne, there are two main approaches for AI-based malware detection on the endpoint right now: looking at files and monitoring behaviors. The former approach uses static features — the actual bytes of the file and information collected by parsing file structures. Static features are things like PE section count, file entropy, opcode histograms, function imports and exports, and so on. These features are similar to what an analyst might look at to see what a file is capable of.
With enough data, the learning algorithm can generalize or “learn” how to distinguish between good and bad files. This means a well-built model can detect malware that wasn’t in the training set. This makes sense because you’re “teaching” software to do the job of a malware analyst. Traditional, signature-based detection, by contrast, generally requires getting a copy of the malware file and creating signatures, which users would then need to download, sometimes several times a day, to be protected.
The other type of AI-based approach is training a model on how programs behave. The real trick here is how you define and capture behavior. Monitoring behavior is a tricky, complex problem, and you want to feed your algorithm robust, informative, context-rich data which captures the essence of a program’s execution. To do this, you need to monitor the operating system at a very low level and, most importantly, link individual behaviors together to create full “storylines”. For example, if a program executes another program, or uses the operating system to schedule itself to execute on boot up, you don’t want to consider these different, isolated executions, but a single story.
Training AI models on behavioral data are similar to training static models, but with the added complexity of the time dimension. In other words, instead of evaluating all features at once, you need to consider cumulative behaviors up to various points in time. Interestingly, if you have good enough data, you don’t need an AI model to convict an execution as malicious. For example, if the program starts executing but has no user interaction, then it tries to register itself to start when the machine is booted, then it starts listening to keystrokes, you could say it’s very likely a keylogger and should be stopped. These types of expressive “heuristics” are only possible with a robust behavioral engine.
This question comes up a lot, and understandably so. I’ve written about this before in What Matters with Machine Learning. Essentially, since AI is so new, people don’t know the right questions to ask, and there’s a lot of marketing hype distorting what’s truly important.
The important thing to remember is that AI is essentially teaching a machine, so you shouldn’t care how it was taught. Instead, you should only care how well it has learned. For example, instead of asking what training algorithm was used (e.g. neural network, SVM, etc), ask how the performance was tested and how well it did. They should probably be using k-fold cross-validation to know if they’re overfitting the model and generalizing well, and they should optimize for precision to avoid false positives. Of course, raw model performance won’t be an indicator of how well the product works because the model is probably just one component in a suite of detection mechanisms.
Another important consideration is training data quality. Consider for example two people trying to learn advanced calculus. The first person practices by solving 1,000,000 highly similar problems from the first chapter of the book. The second person practices by only solving 100 problems, but made sure that those 100 problems were similar to and more difficult than questions on practice tests. Which person do you think will learn calculus better? Likewise for AI, you shouldn’t bother asking how many features or training samples are used. Instead, ask how data quality is measured and how informative the features are. With machine learning, it’s garbage in, garbage out, and it’s important to ensure training data are highly varied, unbiased, and similar to what’s seen in the wild.
Since static and dynamic AI are both very different, adversaries must use different evasion techniques for each one. However, it should be noted that since AI is still fairly new, many attackers have not fully adapted and are not actively seeking to evade AI solutions specifically. They still rely heavily on traditional evasion techniques such as packing, obfuscation, droppers & payloads, process injection, and tampering with the detection products directly.
If attackers want to avoid static AI detection, they essentially must change how their compiled binary looks, and since it’s impossible to know how they should change it a priori, they’ll have to try a bunch of variations of source code modification, compilation options, and obfuscation techniques until they find one that isn’t detected. This is a lot of work, and it scales up with the number of products they’re trying to avoid.
It was once believed that antivirus was enough to protect your endpoints. Endpoint security has taken over as the better technology to protect your endpoints. Endpoint Detection and Response (EDR) was formerly known as Endpoint Threat Detection and Response (ETDR) and is sometimes referred to as Next-Generation Anti-Virus (NG AV). Source
The industry vernacular then moved to Managed Detection and Response or MDR. At Cybriant, we call our MDR service Managed Detection and Remediation because our team will walk you through the remediation process, which is a valuable step in prevention. The next step in endpoint security is XDR. The X in XDR stands for multiple data sources that will help prevention and detection.
Data Loss Prevention DLP Solutions: Everything You Need to Know
