Why Are We Still Being Breached? Are 1st Generation and NexGen Solutions Working?
Rick Pither, Director of Cybersecurity, SparkCognition
Session Agenda
01 SparkCognition Introduction
02 Why Are We Still Being Breached? EPP, EDR, 1st Gen AV, NexGen?
03 Differences in AI/ML: Tesla vs Legacy Auto Manufacturers
04 DeepArmor Enterprise, Built from AI
SparkCognition Portfolio
Solution areas:
- Security Operations Solutions: patented algorithms for malware prediction; prevent pre-execution; prevent unknown threats.
- Industrial IoT: performance prediction, asset maintenance, failure prediction.
- Platforms or Services: document classification, workflow automation, cognitive query, structuring text into tables, automated model building, best algorithm for the customer data set.
Data sources:
- Structured: SIEM and IT logs, threat intelligence, industrial and operational data, historical and real-time sensor data, JSON/CSV/XML, billions of alerts.
- Unstructured: files, documents, scripts, macros; 1M+ pages/documents; 10-Ks, research reports, contracts, support tickets, incident reports.
Example use cases: client churn, firewall rule sets, malicious bot detection, PII data leakage, threat prioritization, network anomalies, air quality/weather patterns, inventory requirements, employee attrition, home credit default risk, financial/insurance fraud, solar output/weather patterns.
Why are we still being breached? The evolution of tools and tactics
- Hacking as a Service: open source tools and online services that lower the technical barrier to entry for attackers.
- Single Use Malware: highly targeted, single use attacks with no two variants being the same.
- Polymorphism: attacks that automatically mutate to evade signatures and IoCs.
- Trusted Application Attacks: attacks that leverage trusted applications such as documents, macros and scripts to deliver the payload.
- In Memory Attacks: direct injection of code into memory space to evade file monitoring.
- Weaponized AI: leveraging machine learning to generate adversarial malware.
69% of organizations don't believe their antivirus can stop the threats they're seeing. (Ponemon Institute)
Quick History of the Endpoint Market
(Chart: effectiveness of solution over time; time and adversary strength grow.)
- 1st Gen: reverse engineered; FUD marketing.
- 2nd Gen: rush to add AI/ML capabilities; reverse engineered; EDR tilt.
- 85+ vendors.
Chart annotations: broken, not as effective; AI/ML is everywhere; FUD around file-less and in-memory; EDR is now the answer; too many attacks/alerts/data; zero day still a struggle.
Defense in Depth
(Chart: effectiveness and IR cost plotted across the layers.)
Layers: Cloud, Firewall, Email Gateway, Network IDS/IPS, EPP, EDR, IR Forensics.
Why EPP?
Attack origin: outside 73%, insider 27%.
- EPP (Endpoint Protection Platform): pre-execution, static detection; covers file-based and in-memory/file-less attacks.
- EDR (Endpoint Detection and Response): post-execution, the endpoint is already infected; dynamic, behavioral analysis. Related controls: network anomaly detection, file-less advanced malware detection, sandboxing.
Impact of the Evolving Attack Model
Endpoint protection must evolve to keep pace.
- $5M: average cost of a successful endpoint security attack in 2017 [1]
- 42% of organizations reported an endpoint breach in the last year [2]
- 77% of successful cyber attacks include new or unknown threats (malware, exploit, file-less); 350,000 new variants are created each day [1]
- 53% of organizations believe their current endpoint protection solutions do not provide adequate protection against the newest attacks [1]
- 97% of malware infections employ polymorphic techniques [3]
- 35% of cyber attacks were fileless exploits, including macros, scripts and in-memory [1]
- 99% of malware is seen for less than one minute before a new sample takes its place [4]
Security Market Whiteboard
Analogy: CISO = DEA. A 5,000 mile and a 3,000 mile border, and attack vectors of plane, boat, drug mule, sub, catapult, tunnels, drone, disguised, and already here (east/west, state to state).
Threat volume: 244 new threats per minute, up 22% in 2017; 32M samples; 46% malware, 30% zero day, 33% living off the land (LOTL).
Cycle: detect, prevent, watch, remediate.
1. Change the definition of winning.
2. Start really changing methodology.
3. Reduce reliance on products and humans: firewalls, IDS and AV are easily bypassed.
4. Get out of the detection/alert business. Example: SIEMs on average have only 12 YARA rules, yet generate 10,000-50,000 alerts per day. Tripwires along the kill chain are still needed; reduce incident response times; start to reduce the number of security vendors.
SparkCognition recommendations: help IT practice good hygiene (patching, privilege escalation management, two-factor authentication, network segmentation); leverage real AI/ML.
DeepArmor: Endpoint Protection
The Future of Endpoint Protection, Built from AI
- Multi-Vector Protection, Built from AI: DeepArmor leverages groundbreaking algorithms and patented model building tools to predict and prevent across every attack vector, including file-based, file-less and in-memory attacks.
- Pre-Execution Prevention: DeepArmor intercepts and prevents attacks before they can execute, eliminating the need for post-infection behavioral analysis, ineffective system rollbacks and time-intensive reimaging.
- No Heuristics, No Signatures, No Control Features: DeepArmor leverages AI to prevent unknown zero-day attacks with no need for rigid heuristics, out-of-date signatures or rudimentary on/off control features.
Threat Detection Architecture
- Lightweight, cognitive agent: Windows, Mac, Linux; desktops and servers; kernel level, real time.
- Pipeline: file reputation; application control (whitelist, blacklist); machine learning file analysis.
- Blocks known and zero-day/unknown malware and exploits: executable malware, weaponized documents, in-memory, script/macro.
Replace Legacy Antivirus
How DeepArmor Replaces Antivirus with Algorithms
DeepArmor's Endpoint Protection platform delivers the strongest protection against zero-day malware, weaponized scripts, macros and in-memory attacks.
Prevention technique by product class:
- Traditional Antivirus: signatures, heuristics, control features.
- Next-Generation Antivirus: basic ML and behavioral analysis.
- DeepArmor Endpoint Protection: pre-execution machine learning; no out-of-date signatures, no rudimentary control features, no post-infection behavioral analysis, no rigid heuristics (e.g., YARA).
Attack classes compared: known file-based malware, unknown file-based malware, unknown document attacks, unknown script-based attacks, unknown macro attacks, unknown in-memory attacks.
The DeepArmor Efficacy Difference
Commitment to Innovation, Differentiated Protection
(Chart: near zero-day (<24 hrs) malware detection %, pre-execution.)
- BitDefender: 75%
- Cylance: 77%
- CrowdStrike: 83.5%
- Symantec: 88.4%
- DeepArmor: 99.6%
Averages: 1st Generation 64.4%; Next Generation 77.1%; DeepArmor 99.6%.
Near Zero Day Testing (how well does your product correctly prevent something never seen before)
- Download a random sample set daily.
- Data set query: less than 24 hours old; Microsoft executable; malicious, detected by at least 20 vendors.
- No file reputation.
- Static file, pre-execution.
- Compare all AI/ML models.
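The selection rules and scoring above, written out as an added example (this is not SparkCognition's test harness). It applies the slide's filters (under 24 hours old, Windows PE, at least 20 vendor detections) to a constructed sample feed, refuses reputation lookups by design (verdicts are static pre-execution outputs only), and computes the per-model detection rate. The record layout, the model names and every verdict below are hypothetical.

```python
"""Near-zero-day corpus selection and pre-execution efficacy scoring.

Added example, not vendor code. Sample records and model verdicts are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(hours=24)   # "less than 24 hours old"
MIN_VENDOR_HITS = 20            # "malicious: detected by at least 20 vendors"
PE_MAGIC = b"MZ"                # DOS/PE header of a Windows executable


@dataclass
class Sample:
    sha256: str
    first_seen: datetime          # first time the file was seen anywhere
    head: bytes                   # leading bytes of the file, used for the PE check
    vendor_hits: int              # number of AV engines that flagged the file
    # static, pre-execution verdict per model (True = blocked). No reputation data
    # is available to the models, matching the "no file reputation" rule.
    verdicts: dict = field(default_factory=dict)


def is_near_zero_day(s: Sample, now: datetime) -> bool:
    """Selection rule from the slide. Files dated in the future (clock skew in the
    feed) are rejected rather than treated as fresh."""
    age = now - s.first_seen
    return (timedelta(0) <= age < MAX_AGE
            and s.head.startswith(PE_MAGIC)
            and s.vendor_hits >= MIN_VENDOR_HITS)


def select_corpus(samples, now):
    return [s for s in samples if is_near_zero_day(s, now)]


def score_models(corpus):
    """Pre-execution detection rate per model in percent, one decimal place.
    A model with no recorded verdict on a sample is scored as a miss: it had its
    chance before execution and did not block."""
    models = sorted({m for s in corpus for m in s.verdicts})
    rates = {}
    for m in models:
        blocked = sum(1 for s in corpus if s.verdicts.get(m, False))
        rates[m] = round(100.0 * blocked / len(corpus), 1) if corpus else 0.0
    return rates


# Constructed feed: hashes, timestamps, vendor counts and verdicts are made up.
NOW = datetime(2018, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLES = [
    Sample("a" * 64, NOW - timedelta(hours=1), b"MZ\x90\x00", 45,
           {"model_a": True, "model_b": True, "model_c": True}),
    Sample("b" * 64, NOW - timedelta(hours=5), b"MZ\x90\x00", 23,
           {"model_a": True, "model_b": True, "model_c": False}),
    Sample("c" * 64, NOW - timedelta(hours=23), b"MZ\x90\x00", 20,
           {"model_a": True, "model_b": False, "model_c": True}),
    Sample("d" * 64, NOW - timedelta(hours=12), b"MZ\x90\x00", 31,
           {"model_a": True, "model_b": True}),            # model_c gave no verdict
    Sample("e" * 64, NOW - timedelta(hours=30), b"MZ\x90\x00", 50,
           {"model_a": False, "model_b": False, "model_c": False}),  # too old
    Sample("f" * 64, NOW - timedelta(hours=2), b"\x7fELF", 40,
           {"model_a": False, "model_b": False, "model_c": False}),  # not a PE
    Sample("g" * 64, NOW - timedelta(hours=3), b"MZ\x90\x00", 7,
           {"model_a": False, "model_b": False, "model_c": True}),   # weak label
    Sample("h" * 64, NOW + timedelta(hours=1), b"MZ\x90\x00", 33,
           {"model_a": False, "model_b": False, "model_c": False}),  # future date
]


def run_example():
    corpus = select_corpus(SAMPLES, NOW)
    return len(corpus), score_models(corpus)


if __name__ == "__main__":
    n, rates = run_example()
    print(f"{n} samples selected")
    for model, pct in rates.items():
        print(f"{model}: {pct}% blocked pre-execution")
```

Two things to keep in mind when reading numbers produced this way. Labelling by vendor consensus means "never seen before" is relative to the model under test, not to the industry: a file only enters the corpus once at least 20 engines already call it malicious, so the threshold trades label precision against freshness. And the scoring policy for a missing verdict (counted as a miss here) should be stated alongside any published rate, since it moves the result.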