SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
And then there was Cylance: In discussion about machine learning & cybersecurity
Tue, 6th Sep 2016

Cylance is an innovator, and they realise one thing most cybersecurity providers don't - most new malware is just a variant of everything currently on the scene. With that in mind, and with so many different combinations of the same thing, the question becomes: how do you manage this massive amount of data?

Andy Solterbeck, Cylance regional director, talks to TechDay about how the system works, and why organisations should not rely purely on traditional anti-malware approaches.

Cylance is well established globally and has been in Australia for just over five months. In that time it has already gained forty customers. So what does the company do, and how does it do it? Cylance runs a substantial database in which predictive engines actively analyse threats in the Cylance labs, looking for common attributes. Machine learning then takes over, sorting files into those that are malicious and those that aren't.

Solterbeck says this disruptive way of thinking works for Cylance and has made it the "fastest-growing company in the world. In the Fast 5000 that they have in the US, we're number 26".

It is a grand achievement for a company which now has more than 1100 customers globally in the space of just two years.

"What we've done is actually apply approaches and techniques that are really common in other industries, but haven't been applied in security. So concepts of big data, large datasets, massive cloud compute, algorithmic mathematics to drive insight out of large amounts of data," he says.

Cylance was a very early adopter of those techniques. The company has 11 petabytes of storage in the cloud that holds billions of files. The files are classified as 'good' and 'bad'.

The company uses supervised machine learning: the system is first told which files are malware. The machine then uses feature extraction to analyse the files.

The features and combinations of features of any one file can amount to 30 million. Through a filtering process, the machine narrows these down to the 5 million that determine whether a file is good or bad, and what type of bad, he explains.

"This stuff is all done in the cloud. Then what we do is create mathematic algorithms that can allow you to interrogate that file for those features. It's basically a scoring algorithm. With what level of confidence do you believe this is a bad file or not and also what kind of bad or good it is."

"The big so-what in all of this is traditional signature and heuristics-based approaches we know are not effective anymore. We're 99% effective in terms of detection and hence prevention of the execution of malware," he explains.
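The pipeline described above (a labelled corpus, feature extraction, a filtering step that keeps the most discriminative features, then a scoring algorithm that returns a class and a confidence) as an added illustration; this is example code written for this page, not Cylance's model. The training files, the strings-style features and the naive Bayes scorer are all constructed stand-ins for whatever the vendor actually uses.

```python
import math
import re
from collections import Counter

# Constructed stand-in for a labelled training corpus: each entry is the raw bytes of
# a file plus the label a human or sandbox assigned to it (the supervised signal).
TRAINING = [
    (b"MZ\x90\x00 report.docx quarterly summary plain text", "good"),
    (b"MZ\x90\x00 invoice.pdf monthly summary plain text", "good"),
    (b"MZ\x90\x00 CreateRemoteThread VirtualAllocEx WriteProcessMemory \xff\xfe", "injector"),
    (b"MZ\x90\x00 OpenProcess VirtualAllocEx WriteProcessMemory \xff\xfe", "injector"),
    (b"MZ\x90\x00 encrypt files ransom.note CryptEncrypt \xff\xfe", "ransomware"),
    (b"MZ\x90\x00 encrypt volumes ransom.note bitcoin \xff\xfe", "ransomware"),
]

def extract_features(data: bytes) -> set:
    """Candidate features: every printable string of 4+ bytes (a 'strings'-style view).
    Real extractors emit far more feature kinds; this keeps the example readable."""
    return set(re.findall(rb"[!-~]{4,}", data))

def select_features(corpus, keep: int) -> list:
    """Filtering step: keep the `keep` features whose presence rate differs most
    across classes (a simple discriminative filter, not the vendor's method)."""
    per_class = Counter(label for _, label in corpus)
    rate = {}  # feature -> {label: fraction of that class's files containing it}
    for data, label in corpus:
        for f in extract_features(data):
            rate.setdefault(f, Counter())[label] += 1 / per_class[label]
    spread = {f: max(r.values()) - min(r.get(c, 0.0) for c in per_class) for f, r in rate.items()}
    return sorted(spread, key=lambda f: (-spread[f], f))[:keep]

def train(corpus, keep: int = 7):
    """Bernoulli naive Bayes over the selected features with Laplace smoothing."""
    features = select_features(corpus, keep)
    classes = Counter(label for _, label in corpus)
    present = {c: Counter() for c in classes}
    for data, label in corpus:
        present[label].update(extract_features(data) & set(features))
    model = {c: {f: (present[c][f] + 1) / (classes[c] + 2) for f in features} for c in classes}
    prior = {c: n / len(corpus) for c, n in classes.items()}
    return features, model, prior

def score(file_bytes: bytes, trained) -> tuple:
    """Return (label, confidence): the most likely class and its posterior probability."""
    features, model, prior = trained
    found = extract_features(file_bytes)
    logp = {}
    for c in model:
        logp[c] = math.log(prior[c]) + sum(
            math.log(model[c][f] if f in found else 1 - model[c][f]) for f in features)
    best = max(logp, key=logp.get)
    total = sum(math.exp(v - logp[best]) for v in logp.values())  # stable normalisation
    return best, 1 / total
```

The confidence is what an operator would threshold on: a file that shares only one selected feature with a class still gets a label, but with a visibly lower score than one that matches several.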

This approach works well in virtual systems because it is so lightweight. The company also uses proof-of-concept selling to show enterprises just how vulnerable they are.

"We know you're running something and we say 'put us over the top of it' and we'll see what we can find. And we always find something, and usually some pretty bad stuff."

The intent is that end users need not worry about their own actions: Cylance blocks malicious files from ever running in the first place.

While Australians might be just starting to adopt this disruptive approach to cybersecurity, there is something of a contradiction afoot. Australians were very early adopters of cloud security, and it was the banks that went first.

"For whatever reason in the security space, we've been pretty conservative in terms of adoption of new tech. I think our market is probably the most significantly two-tiered."

These tiers are the top few very large organisations, which need to be conservative in technology adoption, and a second tier comprising the large incumbents that have been on the scene for a long time.

He believes that it's a timing issue - disruption in the industry is only happening now in Australia. While customers may be just experiencing the disruption, Cylance has decided to use the channel as its selling avenue.

Solterbeck says that Cylance is 100% pure channel. "Right now we're building a channel of solution partners which are evaluative resellers, but also I'm a huge fan of the MSSP model for Australia. So we're going to aggressively push towards that MSSP model - because in the end they're the ones that are going to be able to provide solution sets for organisations," he explains.

He explains that from a skills, budgetary and visibility perspective, it is difficult for SMBs in particular to maintain a risk profile. This means that MSSP models will be a growth area both in Australia and internationally.

As for ransomware, Solterbeck says that organisations should accept that it's a higher-risk environment than it used to be.

"Take appropriate mitigation. That to me means either directly applying new tools or getting those tools from somebody who can provide them."

Cylance is well positioned to cover all classes of malware in a rapidly changing landscape, one in which cybersecurity should be predictive in nature, driven by machine learning.