Cylance, Predictive Advantage

Burrito

May 16, 2018
Cylance Report Reveals Malware and Tactics of OceanLotus Group and Weakness of Traditional AV

We also talked about the power of machine learning and the impact of predictive advantage. While many of the household names in antimalware and traditional security tools may struggle to identify and block these threats until or unless vendors capture a sample to reverse engineer and develop the appropriate signatures, Cylance has been able to detect all of the variants for more than two years. For some variants, the predictive advantage for Cylance is as much as three years. In other words, if you installed Cylance two years ago and never updated it again, it would still be able to protect you from these OceanLotus Group attacks.


Inner Circle Podcast: Episode 009 - Scott Scheferman Explains Predictive Advantage

Traditional antivirus / antimalware solutions rely on giving the attacker the first move. There has to be a “patient zero” that gets infected, or some other means of detecting a threat in the wild before there can be a defense against that threat. The antimalware companies capture and reverse engineer the threat to develop a signature that recognizes and blocks it…once the signature is available and deployed on your system. Before that point, you’re still vulnerable. During the lag time between the threat being detected and you applying the appropriate signature, you’re still vulnerable.

I think Cylance actually provides a predictive advantage in some cases. It has been tested now multiple times... years-old Cylance would have caught zero-day malware (and ransomware) of today.

But... isn't this somewhat a matter of security through obscurity? Malware developers test malware against products and systems until it can penetrate. So when Cylance develops enough market share, won't some malware developers just test it against Cylance until it works? Machine learning is great. But I think there are definitive limits.

But right now... in the unlikely event that you are hit with a certain type of zero-day, Cylance could be great.

I run Cylance on several systems. It's super-light and totally unobtrusive. And for certain malware types, it is a great line of defense.

But... I believe that Cylance -- for me -- will never actually catch anything, as my other security measures would catch it first. I'll never actually get hit with a zero-day that penetrates everything else.

In the meantime, I have my exotic insurance policy (Cylance), which I get for free, which might stop that very unlikely zero-day in the future.

Cylance -- great, effective and innovative online security that you will probably never need.

Eddie Morra

Cylance have a very nice R&D - one of the employees actually helped me figure some things out recently (related to AMSI), and I'd have been lost for a lot longer if it hadn't been for them.

I think that the market Cylance is in is very competitive... and I am not referring to the security software market as a whole here. I'm referring to security solutions which are marketed as being Artificial Intelligence/Machine Learning based.

There are other solutions which are marketed as being AI/ML based which have huge potential, like CrowdStrike and SentinelOne. Both of them also have brilliant engineers (e.g. CrowdStrike has Alex Ionescu and SentinelOne has Yarden Shafir).

While many of the household names in antimalware and traditional security tools may struggle to identify and block these threats until or unless vendors capture a sample to reverse engineer and develop the appropriate signatures, Cylance has been able to detect all of the variants for more than two years.
They do make a valid argument because Cylance is capable of detecting threats which were not detected by other AV vendors through their technology, but other AV vendors can make the same argument about Cylance, because Cylance does not detect 100% of all malicious software and other AVs have detected threats that Cylance could not.

While I like the technology behind it, I personally feel that "true" Artificial Intelligence has not been achieved yet - and won't be for an incredibly long time - but it goes without saying that AI-based detection through training data is still beneficial and will improve over time as it is adapted and experimented with more. Over time, false positive detection rates will decline as well, as the technology becomes more accurate with its trained data.

I am not so much a fan of the Cylance home version because it has some limitations which other main AV products do not have (e.g. scripts and allegedly WOW64 processes for on-execution - do correct me if this is incorrect), but I do like their endpoint version a lot more and I can tell that they've been maturing over time. One thing I do really like about Cylance is that it tends to be quite lightweight - I've never heard of a heavyweight complaint - and it is allegedly good on privacy.

It could be a smart move if Cylance were to offer an SDK to license out their technology to other AV vendors who do not have the resources/want to implement their own "Ai" based detection systems (or would like to enhance their own existing ones) in terms of company and revenue growth.

Eddie Morra

So when Cylance develops enough market share, won't some malware developers just test it against Cylance until it works?
Malware authors who can get their hands on Cylance properly and have the necessary skill-set will be capable of doing what you are saying, but it is going to be a whole lot harder than it would normally be. The reason for this is that... they do not know how Cylance's AI system is trained (e.g. the data which is being put in to train it) and thus they have to spend an extreme amount of time performing trial and error, and they may never actually succeed.

An easier solution would be to develop the threat from scratch whilst checking with Cylance for each individual component as it is being implemented, so they can start to pinpoint which part of the attack is causing the detection. This can be done without restarting the threat from scratch, but it might be tricky if the organisation was bad, and from what I've seen... malware authors usually have bad organisation skills.

There's another issue even if you can get the detection to disappear based on the AI system: the endpoint version of Cylance (at least) does have dynamic mitigations for various behavior which can be enabled in the configuration, and thus it can catch out certain behavior from unknown/untrusted processes in real-time. You'll need a specific skill-set to start getting your way around this... which means you're going to need to be experienced in Windows internals, or have someone who is - and they need to be better than those working at Cylance to find a way to evade the detection scope of the dynamic mitigations (e.g. an alternate way that may have been missed by Cylance) or be capable of finding an exploitable vulnerability/other work-around.

Anyway, unless the attack is specifically crafted and targeted at people using Cylance, it is going to be tricky business, because what works for bypassing Cylance (excluding dynamic mitigations for the endpoint version) likely will not work for other, unlike-Cylance vendors, and vice-versa.