There is an old saying: An ounce of prevention is worth a pound of cure. That could be the motto of the entire cybersecurity industry.
Cumulative global spending on cybersecurity is projected to exceed $1 trillion between now and 2021 – but cybercrime damages will cost $6 trillion annually by then.
PricewaterhouseCoopers “says that corporate espionage costs the world’s thousand largest companies in excess of $445 billion a year,” said John McClurg, vice president and Ambassador-at-Large for Cylance Inc., a cybersecurity company based in Irvine, Calif.
Those estimates don’t capture the impact of hacking in the government space, which can’t be measured in dollars alone – consider the impact of the attack on the control systems of Iran’s uranium-enrichment centrifuges to impede its nuclear program, or, closer to home, the effect of hacking into the Democratic National Committee’s email servers last year.
In other words, cybersecurity is a growth industry.
Its premise, after all, is to defend computers and networks against attack. One way to do that is to patch known software vulnerabilities. Another is to scan files and traffic and try to match “signatures” of known malware (hash values or characteristic byte patterns) against reference libraries maintained by the top cybersecurity companies.
Both approaches are resource intensive, and both hurt user productivity and drive help desk calls. Patching is a time-consuming process that never ends, and by definition it cannot address zero-day weaknesses: vulnerabilities that haven’t yet been identified. Signature scanning, for its part, can introduce latency into networks and endpoints, and its efficacy depends on both the completeness of the malware library and how frequently the references are updated.
One weakness they have in common is that they are reactive: patching requires that a vulnerability has already been discovered, often because it was exploited, and the same is true of building malware libraries. Sometimes the cost of that discovery is a single infected machine, which is then quarantined from its network. Far more often, though, the malware isn’t detected until well after the fact, when it has spread and the attackers have already extracted information or otherwise compromised the network.
“The ability to create malware is so low-cost,” said Chris Quinn, director of federal sales engineering for Cylance Inc. “To create a new signature via hash [changes] takes only seconds.” The company estimates that at least 400,000 new pieces of malware are created every day.
At an introductory presentation of Cylance’s new approach to cybersecurity McClurg said the problem with reactive detection is one of big data – there’s too much information, distributed across too many repositories.
So the holy grail of cybersecurity is predictive prevention, being able to identify and block malware that has never been seen before.
Cylance’s approach aims to do just that at the endpoints, and claims a remarkable 99+ percent success rate.
Using computing power and big data analytics, the company applies machine learning and artificial intelligence to hundreds of millions of known-good files and hundreds of millions of known-bad files to derive a model; Cylance’s software uses that model to predict which of the two groups a new, unknown file arriving at an endpoint belongs in.
“The huge amounts of malware now out there mean there’s enough data to apply AI and big data analytics to,” Quinn said. “This is a data science-derived approach. We take those examples and do a feature extraction, which allows us to get millions of features associated with a file. The algorithm derived … allows us to identify something as malware or not by inspecting the features.”
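The pipeline Quinn describes (extract features from labelled good and bad files, fit a model, then classify a file the model has never seen) and the hash-signature weakness from the earlier section can be shown side by side. The following is an added example, not Cylance’s code or model: the feature set (entropy, printable-byte fraction, zero-byte fraction, a capped count of suspicious API strings) is a hypothetical stand-in for the “millions of features” a real product extracts, the classifier is plain logistic regression, and the “files” are constructed byte blobs, not real executables.

```python
import hashlib
import math
import random
from collections import Counter

# Hypothetical feature vocabulary. A real product would use far more (imports,
# section layout, opcode n-grams, ...); these are enough to show the idea.
SUSPICIOUS_STRINGS = [b"VirtualAlloc", b"CreateRemoteThread", b"WriteProcessMemory",
                      b"cmd.exe /c", b"powershell -enc"]


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extract_features(data: bytes) -> list:
    """Static features that survive a hash change (unlike a signature match)."""
    n = max(len(data), 1)
    printable = sum(1 for b in data if 32 <= b < 127) / n
    zero_frac = data.count(0) / n
    susp = sum(data.count(s) for s in SUSPICIOUS_STRINGS)
    return [1.0, entropy(data) / 8.0, printable, zero_frac, min(susp, 5) / 5.0]


def train_logistic(samples, labels, epochs=2000, lr=0.5):
    """Batch gradient-descent logistic regression; stands in for the derived algorithm."""
    w = [0.0] * len(samples[0])
    for _ in range(epochs):
        grad = [0.0] * len(w)
        for x, y in zip(samples, labels):
            p = 1.0 / (1.0 + math.exp(-sum(wi * xi for wi, xi in zip(w, x))))
            for i, xi in enumerate(x):
                grad[i] += (p - y) * xi
        w = [wi - lr * g / len(samples) for wi, g in zip(w, grad)]
    return w


def score(w, data: bytes) -> float:
    """Model probability that `data` is malicious (0.0 = benign, 1.0 = malicious)."""
    x = extract_features(data)
    return 1.0 / (1.0 + math.exp(-sum(wi * xi for wi, xi in zip(w, x))))


def hash_signature_match(data: bytes, known_hashes: set) -> bool:
    """The classic approach: exact SHA-256 lookup against a library of known malware."""
    return hashlib.sha256(data).hexdigest() in known_hashes


# --- Constructed sample "files" (deterministic per seed; no real malware involved) ---
def make_benign(seed: int) -> bytes:
    rng = random.Random(seed)
    words = [b"hello", b"config", b"report", b"user", b"value", b"\n"]
    body = b" ".join(rng.choice(words) for _ in range(300))
    return b"MZ" + body + b"\x00" * rng.randint(200, 400)


def make_malicious(seed: int) -> bytes:
    rng = random.Random(seed)
    payload = bytes(rng.randrange(256) for _ in range(800))  # packed-looking, high entropy
    apis = rng.sample(SUSPICIOUS_STRINGS, 3)
    return b"MZ" + payload + b"\x00".join(apis) + b"\x00"


def demo() -> dict:
    train = [make_benign(i) for i in range(10)] + [make_malicious(100 + i) for i in range(10)]
    labels = [0] * 10 + [1] * 10
    w = train_logistic([extract_features(d) for d in train], labels)
    known = {hashlib.sha256(d).hexdigest() for d in train[10:]}  # signature library

    original = make_malicious(105)            # in the library
    variant = original[:-1] + b"\x01"         # one byte changed: new hash, same features
    return {
        "sig_original": hash_signature_match(original, known),
        "sig_variant": hash_signature_match(variant, known),
        "model_variant": score(w, variant),
        "model_unseen_malicious": score(w, make_malicious(600)),
        "model_unseen_benign": score(w, make_benign(500)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The single-byte variant defeats the hash lookup but scores essentially the same as the original under the feature model, and files built from seeds the model never saw are still separated. Two caveats a practitioner would keep in mind: a detection rate on its own says nothing about false positives, which matter just as much for a product that quarantines files on the endpoint, and the decision threshold on `score` is a tunable trade-off between the two.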
“Having mapped the genomic structure of the files making up the Internet, we make software that predicts and prevents cyber attacks on the endpoint, in real time, using pre-execution [artificial intelligence] algorithms,” is how McClurg described it.
Since the algorithm is mathematically predicting whether a file is benign or malicious, the Cylance software doesn’t require frequent updating. “Malware continues to evolve in the wild, so the algorithm’s decay is very slow,” Quinn said. “Over six months, approximately, our 99+ percent goes down maybe 0.1, or 0.2 percent.”
That small decay is what prompts a retraining: the company reruns its analytics on the most recent hundreds of millions of good and bad files and updates its algorithm accordingly. “We continue to just grow our sample set – we include everything we had before, plus every additional example we’ve acquired over the past six months,” he said.
The Cylance software checks files when they arrive on the endpoint or when they are accessed, Quinn said. It’s a “very lightweight” process that runs in the background, with little to no impact on the computer’s performance. If a file is classified as malware it is quarantined; the user can choose to be notified, the software also notifies the console or management platform, and the file can optionally be sent to Cylance’s own library.
There are federal customers using Cylance now. “The National Institute of Standards and Technology historically has endorsed a signature-based approach because that’s all that was available,” Quinn said. “They’ve definitely been very open and willing to listen to our approach [and] potentially adapt their recommendation to emerging capabilities like this. They want to understand it, and they want to see proof that it’s valid and functional.”
Quinn warned that just as Cylance has harnessed artificial intelligence to begin predicting and preventing cyber attacks, that capability can be used by adversaries.
“The use of AI or machine learning by the adversary to overcome what we do” will develop, he said. “When we’re talking about the use of AI or machine learning for adversarial purposes, we’re generally talking about nation-states; they’re better resourced, better able to get their hands on the technology.”