Don’t Test a Bomb With a Hammer

It has become abundantly clear of late that legacy signature-based antivirus (AV) solutions cannot cope with, and scale to, the sheer volume of malware we see in today's threat landscape.

In part one of this blog, we took a behind-the-scenes tour of the labor-intensive signature creation process used by legacy AV security software. In part two, we’ll explain how Cylance's revolutionary use of artificial intelligence (AI) and machine learning (ML) effectively detects malware both predictively and pre-execution.

Cylance has been on the road for many years now, taking our Unbelievable Tour throughout the world where we have demonstrated how Cylance’s predictive technology works. Our demonstration involves a live malware test, where we pit 15,000+ pieces of malware (many of them less than 24 hours old) against our endpoint protection product CylancePROTECT®, and a number of the leading legacy AV vendors.

The cumulative UBT results from the last few years show that Cylance typically detects and blocks over 99% of malware, while Symantec detects 52%, Trend Micro 41%, and McAfee 21%. 

Most people who witness our ‘unbelievable’ detection results often have one or more of the following reactions:

The ‘Too Good To Be True!’ Reaction

For those who think our results are too good to be true, well, this is exactly why it's called the Unbelievable Tour. We named it after the reaction of one of our very first customers.

We completely understand this reaction, especially after 30+ years of being told by AV vendors that they can only detect zero-day malware after one of their customers first becomes the sacrificial lamb and gets infected. Unfortunately for that first customer, this is the only way for legacy AV companies to obtain a sample and create a signature to guard against it.

Sacrificing one person for the good of the many is a popular idea that has played out throughout history. However, since nearly 1 million new malware threats are released each and every day, 365 days a year… we’ll let you do the math on that one.

The ‘Anchoring and Adjustment’ Reaction

Another reaction we often see is for a user to try to anchor onto something familiar. People will typically run through the list of old techniques other security vendors use, in an attempt to understand how our new technology works. The conversation usually goes something like this:

Q: "So you don't use signatures or hashes. Does that mean you use heuristics?"
A: No. Heuristics are a type of signature.

Q: "Do you do behavioral analysis?"
A: No. Behavioral analysis requires allowing the malware to execute in order to determine what it does. Cylance determines that a file is malicious pre-execution. We never want it to run because if it runs then it's game over. You wouldn’t test a bomb by hitting it with a hammer, would you?

Q: "Do you use emulation?"
A: No. Emulation is static and behavioral analysis in an artificial environment - which means allowing the malware to run.

Q: "Do you use sandboxing?"
A: No. A sandbox is still behavioral analysis in a virtual or segregated environment.

The reason why Cylance's technology is so effective, so predictive, and performs so well is because our approach is a complete departure from the reactionary signature-based and behavioral-based technologies of yesteryear. 

The Facts: How Our Technology Works

1. Instead of reacting to individual pieces or families of malware piecemeal, Cylance takes our entire collection of over one billion samples of known malware and known trusted binaries, and allows the artificially intelligent ‘brain’ of our software to train on the entire corpus.

2. Every file analyzed is parsed into 15 million static features that are extrapolated for analysis. Some examples of these features are the file length, the use of digital certificates (which are often legitimate but can be stolen), whether the file is using a packer, and the complexity or entropy of the file. When you are dealing with 15 million unique features multiplied by billions of files, the math quickly starts to add up and it soon becomes obvious why human malware researchers cannot scale to our level of processing.

3. Our proprietary machine learning algorithm trains on all that data and automatically chooses the features that are statistically significant and that represent the entire body of known malware.

4. The output of all this learning is the artificially intelligent model in Cylance's agent, which resides on every device on which our product is deployed.

5. When a never-before-seen file appears on the user’s device and attempts to execute, the AI model compares the millions of features within the new file to all the features of all the files it trained on during the machine learning process.

How Our Technology Differs from Legacy AV Technology

There are many significant advantages to this approach over legacy signature-based technologies:

 •  Our AI model is predictive. No more reacting to zero-day malware after the fact with a better-late-than-never signature update. 

 •  The malware is blocked pre-execution. The malware NEVER runs, loads, deploys or executes. If the malware loads as a process, then you're spending all of your energy and effort stopping the bleeding and investigating what happened. We don’t let it come to that.

 •  No signature updates. Many enterprise companies have full-time security employees dedicated to testing and updating the signature files they download from their AV vendor every single day. Cylance saves their time and your company’s money by eliminating that part of their daily workload.

 •  Nominal impact to system performance. With less than 3% CPU utilization and ~40MB of RAM, there's a deliberate reason why our company name is pronounced "Silence." If your security product has bogged down your systems and all your devices are yelling at you each day to update your antivirus signatures, that’s a huge operational headache. Cylance brings you a far quieter way to enjoy protection.

 •  Elimination of human error. The computational power of ML exponentially surpasses the ability of humans – even really smart humans who have spent their entire careers learning and acquiring experience on malware analysis.

 •  No false positives due to human error. The AV industry has a long history of producing an embarrassing amount of false positives over the decades, due in large part to human error. Using AI eliminates the risk of false positives stemming from human error. In fact, our AI model has been able to identify commercial software that uses similar techniques as malware (such as anti-debugging techniques, injecting into memory, and polymorphic tendencies, which are all ‘red flag’ traits of malware). This gives security admins additional insight into the risks of using such software so they can make decisions in the best interest of protecting their enterprise. This also allows them to focus their time and attention on improving their company’s security posture rather than reacting to mistakes made by traditional signature-based antivirus.

Would You Trust 1990s Technology Today?

That legacy signature-based AV technology you’re probably using on your home and work computer endpoints was created in the 1990s – that’s over 25 years ago. In the 1990s, the World Wide Web had only just been invented. We were all playing Super Mario on our 16-bit Super Nintendo consoles, logging into AOL email accounts via dial-up modems, and trying to figure out how to record voice messages on our tape-deck answering machines. Your computer had a Pentium 1 processor and your cellphone was the size and shape of a brick.

The technological and threat landscape has evolved significantly since then. You wouldn't use 1990s technologies in business today, so why would you trust 1990s antivirus technologies to protect you against today's complex threats? A security product that relies on waiting for the malware to run to determine that it's malicious reminds me of this Bugs Bunny episode: 

In fact, I’m here today to tell you that you shouldn't trust any AV legacy vendor when they tell you that you are 100% protected against all the nasties out there today. You’re not, because there is no such thing as 100% efficacy, despite what popular AV brands may tell you.

You shouldn't trust third-party testers either, due to the unfortunate prevalence of Pay to Play’ testing methodologies. Don’t even trust us! We encourage you to test for yourselfbecause your testing results are the only results you can trust.

Hiep Dang
Director of Product Management, Cylance