A new departure in endpoint protection
18 March 2016
Antivirus programmes that rely on signatures struggle to keep pace with the wave of modern, evolving and mutating threats. What was needed was an approach that worked differently, one that could detect not only the current crop of malware and viruses but also their variants and even future developments.
For one vendor, the answer was mathematics.
Cylance was founded by Stuart McClure, formerly of McAfee and Intel, on the premise that algorithms could characterise the behaviour patterns of viruses and malware better than signatures can. Building on that idea, Cylance has created a machine-learning system that scores each instance of suspect code for the likelihood that it is malicious or unwanted.
The approach focuses on preventing code from executing, not merely on detecting it afterwards. This, according to Lloyd Webb, sales engineering director at Cylance, is a key differentiator in the market and offers a higher level of protection.
A consequence of this way of working is that the product does not depend on constant updates to remain effective. According to Webb, the system receives a major update roughly every six months, but even if that did not happen its basic effectiveness would persist, because classification is carried out locally by the model itself rather than by looking up freshly downloaded signatures.
Another key element of the Cylance system is its low resource footprint: it consumes very little in the way of system resources and can detect and block malicious code execution in around 50 ms.
Webb contrasted this with other approaches. Signature-based antivirus, he said, does not scale well to thousands or hundreds of thousands of users. Network-based protections lose ground as encryption becomes widespread, because encrypted traffic reduces overall visibility into what is happening on the network. And since mutation of malicious code is now the norm rather than the exception, an antivirus product that cannot detect such variants automatically offers only weaker protection.
Cylance, by contrast, works by collecting vast numbers of malicious code samples of all kinds from all sources. It then extracts their essential characteristics and expresses them mathematically, producing a ‘fingerprint’ of the behaviours.
Drawing on a database of more than 5 million such characteristics, it tunes its detection algorithms and then clusters the characteristics by threat type, family and variant.
Webb said that data science is used heavily throughout the system to determine exactly what is good and what is bad in the code examined.
The Cylance system is predictive, in that it judges code and intercepts its execution before it runs, and preventative, in that it stops the threat before it can take effect.
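To make the contrast between signature matching and the feature-based approach described above concrete, here is an added example that is not Cylance's code and does not reproduce its model. It extracts three cheap static characteristics from a file (byte entropy, printable fraction and byte concentration), trains a nearest-centroid classifier on a small constructed corpus, and then shows that a trivially mutated variant of a "malicious" sample defeats a SHA-256 signature database but still lands in the malicious cluster. All samples, the feature set and the mutation are constructed for illustration; nothing here is real malware.

```python
"""Signature matching versus feature-based classification on a constructed corpus.

Added example: none of the samples below is real malware, and the three
features plus nearest-centroid classifier are a deliberately simple stand-in
for the kind of model the article describes, not Cylance's own.
"""
import hashlib
import math
import random
from collections import Counter

# Constructed "benign" samples: repetitive text, config and script content.
BENIGN = [
    b"[settings]\nuser=alice\ntheme=dark\nautosave=true\n" * 8,
    b"Quarterly report: revenue grew 4% year on year; see the attached tables.\n" * 6,
    b"#!/bin/sh\nset -e\nfor f in *.log; do gzip \"$f\"; done\n" * 8,
]


def _blob(seed: int, size: int = 512) -> bytes:
    """Deterministic pseudo-random bytes standing in for a packed/encrypted payload."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


# Constructed "malicious" samples: high-entropy blobs, as packed malware tends to be.
MALICIOUS = [_blob(1), _blob(2), _blob(3)]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def features(data: bytes) -> tuple[float, float, float]:
    """Three cheap static characteristics, each scaled to [0, 1]."""
    n = max(len(data), 1)
    counts = Counter(data)
    top16 = sum(c for _, c in counts.most_common(16))
    return (
        shannon_entropy(data) / 8.0,            # near 1.0 for packed/encrypted content
        sum(32 <= b < 127 for b in data) / n,   # printable fraction, high for text
        top16 / n,                              # byte concentration, high for text
    )


def _centroid(vectors):
    k = len(vectors[0])
    return tuple(sum(v[i] for v in vectors) / len(vectors) for i in range(k))


def _distance(a, b) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def train(benign, malicious) -> dict:
    """Nearest-centroid model: one cluster centre per class in feature space."""
    return {
        "benign": _centroid([features(s) for s in benign]),
        "malicious": _centroid([features(s) for s in malicious]),
    }


def classify(model: dict, data: bytes) -> str:
    """Label a file by the closest cluster centre."""
    f = features(data)
    return min(model, key=lambda label: _distance(f, model[label]))


# Signature baseline: exact SHA-256 match against known-bad hashes.
def signature_db(samples) -> set:
    return {hashlib.sha256(s).hexdigest() for s in samples}


def signature_match(db: set, data: bytes) -> bool:
    return hashlib.sha256(data).hexdigest() in db


def mutate(data: bytes, seed: int) -> bytes:
    """Cheap 'variant': XOR with a one-byte key and splice in 16 junk bytes.

    Every byte (and therefore the hash) changes, while the statistical
    profile the classifier looks at barely moves.
    """
    rng = random.Random(seed)
    key = rng.randrange(1, 256)
    xored = bytes(b ^ key for b in data)
    cut = rng.randrange(len(xored))
    junk = bytes(rng.getrandbits(8) for _ in range(16))
    return xored[:cut] + junk + xored[cut:]


def demo() -> dict:
    model = train(BENIGN, MALICIOUS)
    db = signature_db(MALICIOUS)
    variant = mutate(MALICIOUS[0], seed=42)
    unseen_benign = b"Dear team, the meeting has moved to 3pm. Please update your calendars.\n" * 10
    return {
        "signature_catches_known": signature_match(db, MALICIOUS[0]),
        "signature_catches_variant": signature_match(db, variant),
        "model_catches_variant": classify(model, variant) == "malicious",
        "model_clears_unseen_benign": classify(model, unseen_benign) == "benign",
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the module prints the four outcomes: the hash database recognises the known sample but not its variant, while the feature model flags the variant and clears an unseen benign file. The point generalises beyond these toy features: any model that scores statistical or behavioural properties of a file rather than its exact bytes is insensitive to the cheap byte-level rewrites that defeat signatures, which is what the article means by detecting "mutations" without an update. The flip side, worth bearing in mind when evaluating any such product, is that a fixed feature set can also be gamed by an attacker who knows which characteristics it measures.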
“This is understanding malware at the DNA level,” said Webb.
The Cylance product is Microsoft approved and available for Mac OS, with Red Hat support coming soon. Dell has also adopted it as one of its SecureWorks offerings.
Gartner also named Cylance a Visionary in its 2015 Endpoint Magic Quadrant.
Cylance is available in Ireland through Netforce.