Skip Navigation
BlackBerry Blog

Raising the Bar For Endpoint Protection

NEWS / 10.21.16 / Robert Friend

Before joining the company, I led the panel for the Orange County Technology Alliance that gave the 2015 Cybersecurity Innovation Award to Cylance. Our panel judged that their endpoint protection product CylancePROTECT® demonstrated clear benefits to end users with solid technology advancements that made the world a better place, above and beyond all other nominees.

During the judging process I witnessed a product demo of CylancePROTECT preventing malware execution in real time, stopping a huge batch of live malware samples dead, pre-execution. I was so impressed that I decided to join the company.

When Hackers Attack

From my previous network security experience, I knew that our customers use network security for defense to help obstruct attackers from getting to corporate data. However, these days, endpoints are no longer kept safely behind the traditional corporate security perimeter.

Today, many endpoints are remote - or “on the road” - connecting to unknown wireless hotspots on the fly with all the risks that entails. In the meantime, an increasing number of employers are relaxing internal rules to allow employees to “bring your own device” (BYOD), meaning that each and every employee now subjects corporate networks to a vast influx of potential security hazards, for instance downloading unofficial apps and programs or playing insecure games such as Pokémon Go in sensitive office areas.

We all know that many successful cyberattack campaigns socially engineer employees in order to gain access to their corporate-connected endpoints. However, while recently reviewing the 2016 Verizon Report, I was surprised to learn that even these security-conscious days, 30% of phishing messages were opened by the target, and 12% went on to open the weaponized attachment or clicked the malicious link, thus enabling the cyberattack to succeed.

With these worrying facts in mind, it makes sense for CIOs and IT teams to proactively protect their company by installing a shield on all corporate endpoints that will counteract any unwise decisions made by employees.



Help, I’m Drowning in Zero-Day Malware!

It’s official – traditional signature-based, heuristic, and behavioral antivirus (AV) products are no longer effective against today’s tidal wave of sophisticated attacks that utilize multiple variants of malware. One key reason for this is that attackers can easily and effectively disguise (“mutate”) malware using ubiquitous packer software which modifies attributes and changes the cryptographic hash, allowing complete circumvention of traditional AV tools. While this sounds complex, for most adversaries, this is just as easy as changing the license plate of a stolen car.

The 2016 Verizon Report analysis also shows that 99% of malware hashes are seen in the wild for only 58 seconds or less, and most malware was seen only once, reflecting how quickly hackers are modifying their code to avoid detection, usually by way of automated means.

Since the vast majority of legacy AV vendors rely heavily on outmoded, post-execution strategies, it makes sense for attackers to utilize mutated malware to leverage the same attack vector and breeze past traditional AV with a new, undetectable attack. For example, the Cerber Hash Factory variant of ransomware uses automated assembly code to generate unique file names and hashes every 15 seconds - far faster than any legacy AV vendor can churn out signatures to counteract the attack.

Unfortunately, this problem is further amplified by the fact that traditional AV may only have a fraction of their available signatures available on the endpoint at any point in time. Effectively, AV vendors face the impossible task of deciding who gets protected against what on any given day. Thus, a more intelligent AV solution is required to prevent execution of even previously unknown and shut the flood gates on polymorphic malware and zero-day exploits.

What if Antivirus Protection Actually Worked?

So how can we faithfully protect all endpoints from malware, whether or not they have a network connection? How can we eliminate the constant cycle of remediation and rollback conducted by IT teams cleaning up yet another cyberattack, with the associated loss of in-house productivity, not to mention the daily operational overhead expense of traditional AV products?

Any solution requires a product that can not only prevent mutated and zero-day malware execution in real time, but must also include two key technological elements:

    Prediction: The ability to predict malware advancing beyond 99% efficacy
    Prevention: The ability to prevent malware execution at the endpoint in real time


Figure 1: Next Gen AV Uses Machine Learning and Artificial Intelligence to Detect Malware

The use of artificial intelligence (AI) technology is on the rise, and has been used by Google to anticipate searches, by Netflix to suggest movies, and by Amazon to predict customer buying preferences.

In endpoint security, AI identifies previously undetectable advanced threats, including ransomware, by treating all files like they have never been seen before. With its dynamic adaptability, AI conviction efficacy has been shown to be significantly higher than that of traditional AV, and unlike those archaic tools which have an extremely short shelf-life, AI continually improves over time by learning and maturing in much the same way that the human brain does.

Malware Prevention, Not Just Detection

Imagine a world where there is no such thing as out of date signatures or signature downloads, thus unleashing SecOps resources to be more productive and proactive with their time. Because AI-trained mathematical models function just as well when untethered from the Internet, algorithm updates can be downloaded to the endpoint every 6 months, or even not at all. This means that a network connection is not required to prevent malware execution, which enables highly effective protection for air-gapped environments such as Industrial Control Systems (ICS).

Meanwhile, this innovative malware prevention technology relies solely on AI prediction to terminate malware before it has an opportunity to execute. Furthermore, this does not require any additional technology layers, such as signature-based scanning, behavioral analysis, sandboxing, or cloud-based look-ups for industry confirmation. The bottom line is if malware does not execute, there is no remediation mess to clean up, and there is no loss of intellectual property, confidentiality, trust, brand, or reputation.

In all my years of experience in this industry, I've only ever encountered one next-generation antivirus (NGAV) product that fulfils the above requirements and provides predictive, pre-execution prevention in real-time, doing what all other AV vendors currently on the market cannot. It prevents execution of significantly more threats than any other AV product currently on the market, providing effectiveness, efficiency, and increasing productivity in the workforce. It eliminates the need to ever execute malware in-system for behavioral analysis. And it enables greater SecOps productivity by eliminating the need for continuous updates and endless scheduled AV scans, while minimizing endpoint resources.

CylancePROTECT features greater than 99% efficacy using artificial intelligence mathematics (not signatures) while preventing threats before they execute, typically in less than 50ms. It treats all files as zero-days and convicts malware that is old, new, or never seen before; it does not matter how the malware gets to the endpoint: through the network, drive-by URL, phishing email, “candy” USB, etc.; and it provides full protection without a network connection or frequent updates.

I respect Cylance’s mission to protect every endpoint under the sun. Since awarding Cylance the innovation excellence award and learning the difference between prevention vs. detection, I truly believe that Cylance is in the best position to make the world of endpoint security a better place.

A Final Word: Don’t Trust Anyone

Rather than trusting any vendor’s words, including ours, I recommend you evaluate any AV product side-by-side in your own environment. Cylance encourages and simplifies testing for yourself here: Know The Truth.

Robert Friend
Technical Marketing Manager, Cylance

Robert Friend

About Robert Friend

Robert Friend is a previous contributor for Cylance®, who are revolutionizing cybersecurity with products and services that proactively prevent, rather than reactively detect the execution of advanced persistent threats and malware. Our technology is deployed on over ten million endpoints and protects hundreds of enterprise clients worldwide including Fortune 100 organizations and government institutions.