A lot of security books are written. Stuart McClure, CEO of Cylance, is the author of “Hacking Exposed: Network Security Secrets and Solutions”, the best-selling computer security book ever sold.
We spoke with him this week at the annual AISA Conference.
McClure left his role as the global CTO for McAfee and founded Cylance about three years ago. The trigger – when asked what end point security he ran on his own computer he answered honestly, saying he didn’t use any software. The trouble, says McClure, is that the existing end point security applications on the market didn’t work.
“I had this idea that there had to be a better way to determine whether something was an attack or just normal behaviour”.
McClure reasoned that if he was able to use his brain to determine whether an application was acting anomalously or if an email was a phishing attack, the same should be achievable with software.
“I didn’t trust my computer to some random technology. I would just use my brain,” he says. “I’d look for suspiciousness”.
As a technical expert he was well versed in the use of software debuggers and other tools that are usually outside the expertise and experience of most end users. His success rate with this approach was 100% - he never suffered an infection or was subjected to a successful hack or attack.
This led him to a revelation: “If my brain can do it why can’t I train a computer to do it?”.
The problem the computer needed to solve was simple – can software determine if something is good or bad before it’s opened or even reaches the user? Given that all attacks are launched from an end-point, being able to effectively protect the end-point from incursions is critical in negating
Two years after starting Cylance, McClure and his team had their first “math model” ready. Based on pure algorithms, they had a tool that was able to determine whether something was good or bad regardless of whether it had been seen before by the software or, indeed, anyone else ever before.
Given the way malware is mass produced these days, this is a critical point of difference, says McClure. Traditional signature-based end-point protection relies on the security software developer recognising the malware and deploying a signature to the client so the software can recognise the malware. Cylance’s approach is different.
Their software is an artificial intelligence engine that recognises malicious or unauthorised activity regardless of whether the application is new or previously known.
Although traditional anti-virus vendors have tried this in the past, McClure says they never took it far enough.
“They looked at 100,000 samples and 3000 features. We map to seven million features today – that’s one of the key breakthroughs: seven million ways to determine whether a file is malicious or not”.
“It’s sort of like if someone comes up to your house and they look like they shouldn’t be there. You’re not going to let them in the house. You’ve never seen that person before yet your ‘spidey-sense’ has fired off. That’s what the technology does – it blocks anything that looks suspicious”.
The advent of fast processors over recent years has made it possible for this approach to work. Rather than matching the digital fingerprint of a piece of malware with a signature, Cylance uses artificial intelligence. This approach wasn’t possible years ago as the processor power needed wasn’t available.
“It takes about 10-20 milliseconds per file to determine whether something is good or bad,” says McClure.
McClure says Cylance uses Amazon’s cloud to access enough compute power to create the math model. Once the model is created, it’s wrapped into the application which can then be deployed to end-points.
“The learning happens in the cloud and is pushed down to the end-point. There’s no need for any more updates or connectivity,” says McClure.
Updates to the algorithm are under constant development, with updates currently released every nine months or so. Updates to the model were more frequent when Cylance first launched but, as the model matured and was refined, they have been less frequent. McClure expects the model to be refined even less often.
“This is one of the big myths in the industry. Hackers use the same tools, same ideas, same concepts – they just use a different, fancier format”.
This is a key point of difference with traditional antivirus, says McClure. Those vendors push out signature updates weekly or more frequently, with each update sometimes hundreds of megabytes. Administrators then need to push these out to end-points. That operational overhead is substantially reduced by Cylance.
Cylance has relationships with Blue Coat Systems and Raytheon, with its technology integrated into the hardware built by those companies. McClure told us other partnerships were coming.
McClure says the software has been deployed to very large enterprises as well as large SMBs thus far. However, he says a play for consumers is “inevitable”.