Prevention vs Detect & Response: It’s time to Converge
Over the years, the cybersecurity industry has proven and is proving itself to be poor-performing at the prevention or pre-execution phase of the malware. According to Cylance’s Regional Director, Ang Ban Leong, the cybersecurity industry is also beginning to place its bets on ‘detect and respond’ methods when it comes to approaching security.
But, detect and respond methods tend to kick in during the post-execution phase of the malware, when the bad virus has already infiltrated an organisation’s networks.
Ang pointed out, “By the time you’ve detected (the malware) and responded, it may be too late!
“Once your machines are compromised, everything looks normal and you won’t be able to tell you have been breached. So, what’s your strategy?”
Another trend he noted, is that organisations may opt to spend more dollars on prevention technologies, with less on detection and response solutions, or they may have a strategy which is vice versa. Interestingly, research firm Gartner has predicted that endpoint protection platforms (EPP) and endpoint detect and respond (EDR) solutions will merge.
Whether this happens or not, Ang observes that the cybersecurity industry is actually adding more layers of defense solutions, because the antivirus layer was broken and ineffective. It’s pertinent to note that antivirus was built for a time when malware wasn’t coming out hard and fast like they are today.
Needless to say, layers upon layers of defense not only complicates defense strategies with too many solutions, it takes focus away from the assets that need to be protected.
The approach Cylance takes is not to add more layers, but to relook the antivirus layer in a modern context and address its shortcomings in today’s era.
Ang pointed out, “When a malware is discovered, a human has to look at the file, decide how to uniquely define this file (using signatures), then they have to release it to an antivirus engine, after which the customer still has to test it in the lab and deploy it… deployment also has to be fast enough or they risk audit issues.”
With this tedious and time-consuming process in mind, Cylance identified two important things that it wants to do. Ang explained, “We don’t want humans to do it, because it creates a T-plus situation. We want to bring malware prevention time to T-minus, instead.”
That means recognising and detecting malware before they are even released.
We need artificial intelligence (AI)
Using AI, Cylance is able to stop the malware before it exists. Ang explained, “Cylance uses its malware machine learning model built in November 2015, and still we were able to block the Wannacry ransomware which wasn’t even created yet till months later. Our machine learning model to block Wannacry was created 20 months before.”
According to him also, SE Labs has discovered Cylance’s AI engine to be 25 months ahead of malware, on average, a capability that is deployed to over 14 million endpoints globally, today.
What does this Cylance capability or its malware machine learning model look like to its users? It translates into some pretty powerful prediction capability which is put to good use hunting threats.
Ang explained that it looks for things that haven’t run yet in the customer environment. For example, before a payload execution, before command and control connections are established, or before exfiltration. It looks for compromised credentials, for example log ins on machines that are not in the same physical location at the same time.
“Machine learning can look for these things and pop it up for me,” Ang said, adding also that Cylance agents are small enough and can be found embedded in medical devices, effectively bringing Cylance protection technologies into the realm of Internet of Things.
“Customers should give themselves a predictive layer to help them predict malware, instead of being reactive to it,” Ang opined.
When spending strategies come to mind, he also opined that prevention/protection can exist with detect and respond methods. “You can’t just focus on endpoint detect and response (EDR) without a good prevention strategy.”
“If your prevention layer is weak, you just spend too much time on alerts and waste time because you will be faced with a very noisy detection and response environment that your staff has to respond to,” Ang said.
This can be avoided with strong prevention capabilities like Cylance’s.