Skip Navigation
BlackBerry ThreatVector Blog

Don’t Be Fooled: Leveraging the Cloud for Endpoint Security Without Dependencies

There has been a tremendous effort by organizations to leverage the cloud in order to gain the well-known advantages of scalable computing power and storage by relegating hardware and tech refreshing duties to a cloud hosting provider. In fact a recent study noted that 85% of organizations now employ cloud infrastructures either moderately or extensively.

There is also a tremendous effort to leverage any and all data coming from the enterprise in order to understand the business better and know where and how to make both tactical and strategic decisions for a myriad of critical business objectives.

To that effect, some security providers have been focusing on sending event data to the cloud in order to analyze and ultimately derive threat intelligence by replaying security incidents and hot-washing what transpired in order to better identify subsequent incidents.

Here’s where that strategy falls short on delivering better security: while there may be some benefit to be gained in sending security event data to the cloud for analysis, correlation, and enrichment, that intelligence is more often than not derived far too late to be acted upon to actually make any difference in minimizing the damage, let alone actually preventing the attack.

 

Local Endpoint Prevention vs. Latent Cloud-Derived Intelligence

Put another way, many organizations are looking for increased visibility into events by leveraging cloud-based analytic security services, but that desire is in vain to the extent that the visibility gained is always after-the-fact. Even perfect, crystal clear, and omnipotent visibility by way of cloud-based analysis is useless as it comes too late to inform a decision that could actually prevent an intrusion or minimize the impact from one already in progress.

Today’s kill chains need to happen at “the speed of computing” and be fully automated because much of the hard work that an adversary needs to do in an attack - escalate privileges, inject into a process, achieve persistence, move laterally within the target network, etc. - can now be accomplished with “single clicks” or be automated by scripting the attack sequence ahead of time.

 

Security Needs to Keep Pace with Evolution of Attacks

When cloud-based SIEMs and cloud-based threat hunting services were first conceived the better part of a decade ago, the threat landscape was not moving nearly as fast as it is today, and the sheer quantity of alerts for malicious activity was nowhere near the volume we are currently faced with.

Back then static, ephemeral (with expiry triggers) indicators of compromise (IOCs) like hashes, IP addresses, command and control (C2) domains and encoding techniques were still effective in ‘finding badness’ in a network via simple approaches like reputation enrichment, pivoting from one to the next, etc.

Attackers were only just beginning to create Domain Generating Algorithms (DGAs), Twitter Account Generating Algorithms (TAGAs) and other techniques to outpace and evade the signature-based detection offerings of the period, and so the overall approach of relying upon external intelligence in order to have better visibility into what is going on internally worked to a degree.

 

Leverage the Cloud for Efficacy Without Cloud Dependencies

Since its inception in 2012, BlackBerry® Cylance® has taken a different approach altogether, eschewing this external, ephemeral, easily-spoofed, often red-flagged means of signature-based detection in favor of a prevention-first approach grounded in a sophisticated predictive AI platform boasting efficacy that literally surpasses any and all signature-based approaches whether the threat is known or unknown to HI (Human Intelligence).

Furthermore, BlackBerry Cylance reduced this complex predictive model down to an algorithm that can run locally on an endpoint and independently of the cloud (zero tether, zero reliance). This effectively restored time itself as a factor in the defender’s advantage by pushing the intelligence activity down from the cloud to the actual endpoint where the real battle to protect the network is taking place.

This approach allows BlackBerry Cylance’s customers to be able to derive intelligence from within the organization itself rather than relying upon an outside-in, latent, expired, and noisy feed of signature-based intelligence that can only be realized or operationalized in the cloud. This does not mean that BlackBerry Cylance does not leverage the cloud just as much or even more than any another vendor – it means we do it the right way and for the right reasons.

For example, we leverage the cloud for firing up tens of thousands of CPU cores in order to train our fifth-generation AI models to instantly determine if a file is malicious or benign based on many millions of features extracted from billions of test files. This is a task that could only be done in the cloud, and it enables our AI conviction models to block threats pre-emptively instead of long after-the-fact.

Even more impressive is the data science expertise that was required to shrink that massive computing effort down to a tiny, zero-friction algorithm that can be run on an endpoint with maximum efficacy and little resource consumption or reliance upon the cloud for the task of threat detection and prevention.

Lastly, our solution does utilize the cloud for a robust SaaS console experience that allows for single-pane-of-glass management of every protected device, as well as a two-way API architecture that allows cloud-to-cloud (C2C) integrations, automation, and orchestration.

 

Never Send Sensitive Customer Data to the Cloud

It is also important to note something else core to BlackBerry Cylance’s revolutionary design philosophy and architecture that cloud-dependent providers cannot deliver: customer privacy by way of granular controls regarding data collection.

Whether viewed through the lens of data privacy regulations like GDPR, the California Consumer Privacy Act, or just common sense around keeping sensitive customer data and files out of the cloud, BlackBerry Cylance’s AI platform allows for greater client control over what data from the endpoint is collected in the process of analyzing security events, and thus does not introduce additional risk to the organization.

Unlike many competitors, BlackBerry Cylance solutions do not need to ingest massive amounts of customer data and upload it to the cloud for analysis. Event data remains locally on the endpoint, and only salient data required for forensic analysis in the case of a security event is collected for EDR analysis, and the solution is designed to let the client have control over this process.

 

Conclusion

The bad guys aren’t tethered to the cloud for their offense, and that has been their advantage over cloud-dependent endpoint protection, but this is not the case with BlackBerry Cylance’s patented approach to endpoint protection.

BlackBerry Cylance leverages the cloud to do the hard work ahead of time, so you don’t have to do it after-the-fact, and we do it without additional risk to your organization.

By pushing our cloud intelligence down to the endpoint where it can operate independently and autonomously, we take can preventative actions to proactively interject the kill chain at machine-speed, which makes all the difference in terms of real-world reduction of risk in today’s hyper-automated threat landscape. 

Charles Eagan

About Charles Eagan

Appointed in June 2018, Charles Eagan is the Chief Technology Officer for BlackBerry. In this role, Charles is responsible for the advancement of new technologies, driving innovation within emerging markets and advancing security capabilities that leverage AI and Machine Learning. He is also responsible for technology partnerships and overseeing the standardization and integration of all company products with an emphasis on helping drive BlackBerry’s Internet of Things platform.