Cylance vs. Future Threats: The Predictive Advantage

Intro

Cylance can protect your organization from threats which will not exist for years to come. This is the conclusive result of testing performed by SE Labs (download the report here) which evaluated Cylance’s claims that CylancePROTECT® predicts and protects against future threats. SE Labs runs an innovative testing facility that analyzes how security software performs against the entire cyber kill chain.

As outlined by SE Labs in the test report, the Predictive Advantage (PA) unit of measure is defined as “the time difference between the creation of the model and the first time a threat is seen by victims and security companies protecting those victims.”

The results of the SE Labs test demonstrate that CylancePROTECT’s PA ranged from 11 to 33 months, with an average PA of 25 months. In other words, CylancePROTECT users could neglect updating their security client for over two years and still be protected from all the tested attack families.

The Process

The SE Labs test was performed under strict controls to ensure the integrity of the results. The test machines were confined in an offline environment, preventing security products from updating or accessing Internet-hosted services.

This isolation ensures they remain unmodified from their original state at release. The threat samples were pulled from nine prominent malware families and mixed with legitimate applications to assess the rate of false positives. Results were assessed by following a strict framework of retrospective analysis.

Threats selected by SE Labs are first verified as active malware through exposure to vulnerable (internal) systems. Once confirmed as live, the threats are sent to the test environment. The selected malware families are divided between two common methods of introduction: email attachments and threats downloaded from the web. Each threat is then classified as either public or private.

A public threat is one obtained from public malware repositories, recognized threat websites, and organizations which collect malware from the wild. Private threats consist of unique lab-generated variations of public malware. Cylance played no role in the selection or analysis of threats.

Security solutions are judged on the following performance measures:

  • Pre-execution prevention
  • Detection categorisation
  • Threat detailing (name, attack type)
  • Failed detections
  • False positives
  • Legitimate executions allowed without false positives
  • User alerts
  • Secondary payload prevention
  • Anomalous behaviour (unexpected or confusing reactions to malware)
  • Earliest predicted date (aka “Predictive Advantage”)

Predictive Advantage

When a threat is prevented successfully it is then tested against earlier versions of the same security solution. This process continues until the solution fails or there are no editions of the antivirus (AV) software left to test. The PA is determined by subtracting the creation date of the security solution from the creation date of the prevented malware. For example, products created in April of 2016 which prevent malware created in April of 2018 score a PA of 24 months.
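The walk-back procedure above is simple enough to script. The following is an added example, not code from SE Labs or Cylance: it models the retrospective analysis as a loop over releases from newest to oldest that stops at the first release which fails to prevent a sample, then computes PA as the whole-month difference between the earliest still-preventing release and the sample's creation date (April 2016 to April 2018 gives 24, as in the post). The release names, sample families and the recorded prevent/miss outcomes are all constructed for illustration; in a real run the `prevents` callback would be the result of detonating the sample on the isolated test machine.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Callable, Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ModelRelease:
    """One shipped version of the security solution (hypothetical names)."""
    name: str
    created: date


@dataclass(frozen=True)
class Sample:
    """One verified-live malware sample, tagged with its family."""
    sample_id: str
    family: str
    created: date  # creation date of the malware, as the post defines PA


def months_between(earlier: date, later: date) -> int:
    """Whole months from `earlier` to `later` (April 2016 -> April 2018 = 24)."""
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)


def predictive_advantage(
    sample: Sample,
    releases: Iterable[ModelRelease],
    prevents: Callable[[ModelRelease, Sample], bool],
) -> Optional[int]:
    """Retrospective analysis: walk from the newest release backwards and stop at
    the first release that fails to prevent the sample (or when none are left).
    PA = months from the earliest still-preventing release to the sample's
    creation date. None means even the newest release missed the sample."""
    earliest: Optional[ModelRelease] = None
    for release in sorted(releases, key=lambda r: r.created, reverse=True):
        if not prevents(release, sample):
            break  # an older release that happens to catch it does not count
        earliest = release
    if earliest is None:
        return None
    return months_between(earliest.created, sample.created)


def family_averages(
    samples: Iterable[Sample],
    releases: Iterable[ModelRelease],
    prevents: Callable[[ModelRelease, Sample], bool],
) -> Dict[str, float]:
    """Average PA per family over the samples that were prevented at all."""
    releases = list(releases)
    per_family: Dict[str, List[int]] = {}
    for s in samples:
        pa = predictive_advantage(s, releases, prevents)
        if pa is not None:
            per_family.setdefault(s.family, []).append(pa)
    return {fam: mean(v) for fam, v in per_family.items()}


# --- Constructed demo data (hypothetical, not SE Labs' data) ---
RELEASES = [
    ModelRelease("agent-A", date(2015, 5, 1)),
    ModelRelease("agent-B", date(2016, 4, 1)),
    ModelRelease("agent-C", date(2017, 1, 1)),
    ModelRelease("agent-D", date(2018, 4, 1)),
]

SAMPLES = [
    Sample("s1", "cerber", date(2017, 12, 1)),
    Sample("s2", "locky", date(2017, 2, 1)),
    Sample("s3", "locky", date(2018, 1, 1)),
    Sample("s4", "newfam", date(2018, 3, 1)),
]

# Recorded outcome of each isolated run: (release, sample) -> prevented?
# Constructed so that s3 shows the stop-at-first-failure rule: agent-A
# prevents it, but agent-B does not, so agent-C is the earliest that counts.
LAB_OUTCOMES: Dict[Tuple[str, str], bool] = {
    ("agent-D", "s1"): True, ("agent-C", "s1"): True, ("agent-B", "s1"): True, ("agent-A", "s1"): True,
    ("agent-D", "s2"): True, ("agent-C", "s2"): True, ("agent-B", "s2"): True, ("agent-A", "s2"): False,
    ("agent-D", "s3"): True, ("agent-C", "s3"): True, ("agent-B", "s3"): False, ("agent-A", "s3"): True,
    ("agent-D", "s4"): False,
}


def lab_outcome(release: ModelRelease, sample: Sample) -> bool:
    """Stand-in for the detonation result; unrecorded pairs count as a miss."""
    return LAB_OUTCOMES.get((release.name, sample.sample_id), False)


if __name__ == "__main__":
    for s in SAMPLES:
        print(s.sample_id, s.family, predictive_advantage(s, RELEASES, lab_outcome))
    print(family_averages(SAMPLES, RELEASES, lab_outcome))
```

Two design points worth noting: releases are sorted by date inside the function so the caller need not order them, and a sample missed by the newest release yields `None` rather than zero, so a failed detection is not silently averaged in as a zero-month advantage.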

The Results

CylancePROTECT’s PA scores against all nine families of malware were extraordinary. Our Agent 1300, released in May of 2015, predicted and protected against all nine families, with an average lead time of 25 months.

Our best performance was a two-year, seven-month prediction advantage over the Cerber family of malware. The Locky malware family, with multiple campaigns and variants launched over time, was predicted and prevented by Cylance an average of a year and eight months before appearing.

Conclusion

Simon Edwards, founder of SE Labs, said the following about our test results:

“It's really interesting to see some independent test data that highlights, in a clear and easy-to-understand way, how machine learning models can detect and thwart malware that did not exist at the time of the models' creation.

Everyone in the industry has heard that AI, machine learning or what-have-you is going to save us all. And everyone has heard of the attacks that we used in this test – they are all famous ones. So to see that the technology we've seen so heavily marketed over the years is truly capable of stopping tomorrow's threats is reassuring and also exciting.”

The SE Labs results echo a message that Cylance has championed since 2012 – AI-driven security solutions can protect organizations from threats years before they are created. Cylance has documented the predictive advantage of our AI/ML approach to security against WannaCry, Petya-Like, Olympic Destroyer, and countless others.

By testing software against the entire cyber kill chain, SE Labs highlights the enormous benefits of using AI-driven security products. Their results emphasize the urgency of switching from traditional, reactive, AV defense strategies to predictive solutions like CylancePROTECT.

For the full details on the Cylance Predictive Advantage, read the SE Labs report.