Fighting Malware with AI and Machine Learning

For many years now, artificial intelligence and machine learning have consistently topped the list of areas in which pundits have predicted advances in computing. In some sense, the promise of these technologies is irresistible, offering super-human means for performing computation and reasoning that were previously unthinkable. And if you doubt that such advances are possible, just type a query into Google for instantaneous access to some piece of information that previously would have required months of research to obtain. Now that original promise of AI and machine learning, perhaps dating all the way back to the great Von Neumann, has come to cyber security, and the big question is whether these techniques will give a real advantage to the defense. I recently had the opportunity to sit down with my good friend and industry luminary, Stu McClure, CEO of Cylance, to solicit his views on this important new area of malware protection.

EA: Stu, can we say that traditional anti-virus software with its base of signature patterns is officially dead?

SM: We can certainly say that it’s actively failing customers around the world every minute of every day. The reason that the entire endpoint detection and response market grew up was to try to help security teams find what last-generation anti-virus keeps missing and clean it up as fast as possible. The problem is that these are arson investigation tools, and there’s no time to do an investigation like that when the house is on fire. That’s why prevention is so critical.

EA: How do you explain to a non-expert how artificial intelligence can be applied to problems of cyber security?

SM: Information security today is a numbers game. Artificial intelligence and the mathematical algorithms we’re building are ideal for scaling to meet the number of attempted attacks that organizations are experiencing every day. The headlines will tell you that companies locked into older endpoint security technologies are losing the battle, because the number of threat actors is increasing, the number of malware mutations and attack types is increasing exponentially, and the number of attempted attacks on increasing numbers of devices is also growing. People don’t scale, and budgets will never be infinite. So if you’re relying on either your team of experts or the signature-coding teams inside traditional anti-virus companies to scale to meet the crushing number of attacks, then you can’t win. Machine learning makes it possible for Cylance technology to predict whether something is an attack based on hundreds of thousands of properties learned from earlier attacks. Current industry-standard techniques, such as signatures, heuristics, and behavior monitoring rely on simplistic, easily evaded data points. Best of all, algorithms can convict a file as bad or good in milliseconds, they don’t need coffee breaks, and they never have a bad day as humans sometimes do.

EA: Regarding machine learning, isn’t that really just traditional expert system rule-based construction? Or is there really something new here?

SM: There really is something new, and that’s why our application of artificial intelligence to anti-virus is able to operate disconnected from networks and the cloud, and is even protecting air-gapped networks inside critical infrastructure installations. Traditional anti-virus products – in fact, all other anti-malware products – can allow a zero-day in and gut your road warriors’ laptops within about a day of being disconnected from the cloud or corporate network to get the daily update. In fact, the advancements in the last decade in machine learning, including ours at Cylance by our team of data scientists and mathematicians, have fundamentally changed the way we interact with technology. These genuine breakthroughs that have taken machine learning to new levels are responsible for our 99+% conviction rate when encountering brand-new malware – malware that might have been created only the day before. Our Chief Data Scientist, Matt Wolff, came from the NSA’s TAO unit and often shares our breakthroughs in areas such as deep learning on disassembly data and new applications for data exfiltration at security conferences such as Black Hat. What our team discovers each week gets used for continual evolution of our math model and algorithms for use on the endpoint.

EA: Empirically, are you seeing better results in the enterprise regarding malware in critical systems?

SM: If by “better results” you mean “better malware protection in the enterprise on critical systems,” then yes. But generally, this is only true because they have adopted very heavy-handed operational controls of those systems. The change control process requires multiple layers of approvals and still misses major attack vectors such as stolen private certificates as well as malicious insiders posing as programmers. Our technology at Cylance is designed to help enterprise users truly achieve better results without having to change business processes or adopt heavy controls.

EA: You’ve been in the cyber security industry as a leader for many years. What are the key trends that you see occurring now and into the next few years?

SM: We’re definitely beginning to see the rise of ransomware as a service. It’s a simple matter now for any random threat actor to hire a mercenary hacker to buy some ransomware off the shelf and make a minor modification to turn it into something that can take a business offline for days or weeks. The worst of it is that federal law enforcement is saying these types of attacks can almost become “the perfect crime” – namely, untraceable when the criminals are operating through third parties and being paid in Bitcoin.

EA: Do you ever see the defense catching up to the offense in cyber security?

SM: Yes, I think we will finally see, for the first time ever, the defense catching up. And this can be best achieved by applying AI to the prevention of threats on the endpoint. Leveraging Cylance’s technology, we can foil 99+% of cyber attacks without ever allowing the malware to run. So the defense can catch up and continue to harden their security posture, resting assured that the ultimate mission of nearly every one of the tens of thousands of attempted cyber attacks will be thwarted.