BlackBerry Blog

Beyond the Behavioral Hype(rbole)

NEWS / 01.30.17 / Josh Linder

Many endpoint tools and security service providers claim to use behavioral techniques to discover vulnerabilities and exploits. While this sounds good in theory, it is a dangerous kind of advertising: it rests on buzzwords currently popular in the industry rather than on software and tools that are adequate on their own to address the root cause of cyberattacks.

Today, it’s not good enough to simply claim to be good enough. Attackers and attack techniques have evolved to the point where it’s a never-ending game of cat and mouse against automated attacks on our companies and organizations. The reality of the matter is that employee machines aren’t connected to the Internet – or corporate networks – 100% of the time, and malicious attackers and malware don’t operate during convenient business hours. To adapt to our current threat landscape, security tools must prevent cyberattacks at all times, and must fully understand the DNA of malware and viruses.

As an industry, we need to focus on prevention, rather than just responding to malware that’s already established a hold on the system. The current startling number of breaches highlights massive gaps in many methods of ‘protection’. Legacy antivirus solutions suffer from flaws in detection, leading to missed malware, yet they continue to push file analysis, user behavior analysis, host rollback, and remediation as the gold standard for malware detection and data breach protection.

Myth 1: Threat Prevention Can Be Accomplished by System Behavior Analysis

If organizations had to secure endpoints using system behavior analysis to identify suspicious activity, they would fail to identify Patient Zero. For system behavior analysis to begin working, malicious files must execute first on the endpoint before they are flagged as dangerous. In this all too frequent scenario, the damage is already done before the legacy antivirus solution even starts working. Instead of waiting for malware to get into your system before reacting, why not block it altogether, before it gets a chance to execute?

Myth 2: Automated Policy-Based Mitigation Is Enough

The foundational premise of endpoint detection and response (EDR) is discovery before protection. When malware is allowed to execute, the threat is not prevented. That’s like allowing an intruder carrying a flaming torch to walk in through your front door, and waiting till they set fire to your house before calling the cops. Endpoint protection software powered by artificial intelligence (AI) and machine learning (ML) will ‘see’ that lighted torch before the intruder even sets foot in your house, and keep the front door shut tight. Killing specific processes, quarantining files, or disconnecting compromised hosts from the network is not the best approach or practice for threat prevention – here, prevention is key. Why focus on detection rather than prevention, if prevention is an option?

Myth 3: Remediation Is a Victimless Crime

Waiting to be compromised and notified, and then having to deal with the financial drain of cleanup and remediation is not a good way to operate. Many so-called next-generation endpoint (NGEP) tools offer an awkward mix of flawed techniques meant to help you fight the good fight. But mashing together system behavior analysis, policy-based prevention, and after-the-fact remediation doesn’t fix the problem. It just creates market confusion through the overuse (and incorrect use) of ‘trendy’ marketing buzzwords, misleading organizations to believe they are protected. Instead, these ‘solutions’ add more burdens on your security and IT teams and hurt your finances, while allowing malware and attackers to gain

Get Out Your Mop - it's Attack Cleanup Time

You’ll often hear the misleading value message of EDR and threat hunting tools: they don’t require any clean up. The reality is not so cut and dried. These tools are predominantly used to fix the mess left behind after behavioral tools fail. In other words, rather than fixing the core of the problem, they add another layer of security solutions to make up for the failure of the first layer. Complexity very quickly leads to an added burden on security and IT teams, adding more and more layers of expensive security to react with and manage. Discovering the unknown is great, but preventing the unknown from destroying your systems and stealing your customers’ data is better.

A Solution for the Modern Age – Focus on PREVENTION

Next-generation AV powered by AI and ML can predict and prevent over 99% of all known and unknown threats, detect anomalies across memory and scripts, and offer complete protection – creating an environment where there is no Patient Zero, no sacrificial lamb, and no need for remediation, because the attackers and malware never gained entry in the first place.

Predictive Intelligence

To truly protect, you must predict. Using our patented artificial intelligence engine, Cylance is able to discern attacks the moment it is deployed. Coupled with continuously improving machine-learning algorithms, the model improves over time to adapt to new threat vectors. Essentially, the product can learn what types of files are likely to be malware based on similarities between known malware and these new files. Attackers aren’t just rebooting old malware files to go after your organization; they’re creating entirely new ones. To get ahead of those attackers and truly play defense, we need to teach our security tools to ‘learn’ as a human would. That’s where Cylance comes in.

Sound too good to be true? If you’re thinking that everything we’re saying about our product is also marketing hype and false promises, we invite you to test for yourself. Security practitioners with a deep background in AV build our products, and they know the importance of relying on real-world tests and seeing the results with their own eyes. We believe that the only security tests that matter are those done in the real world, in real environments.

Learn how to test CylancePROTECT® for yourself, in your own environment, and put us up against your existing AV solution. We’re ready for the battle.

About Josh Linder

Josh Linder is a previous contributor for Cylance®, which is revolutionizing cybersecurity with products and services that proactively prevent, rather than reactively detect, the execution of advanced persistent threats and malware. Our technology is deployed on over ten million endpoints and protects hundreds of enterprise clients worldwide, including Fortune 100 organizations and government institutions.