Serious Discussion Deep Instinct | Deep Learning AI Cybersecurity Platform

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
So this is the new flavour of the month cyber security wise? Is it any good? Why is it that good?

Always looking to try new things, I'll read the thread when I have time just not now.
  • It’s good because it’s a light, quick, down-to-business prevention layer. It offers effective deep static analysis applied only locally (machine learning information is saved in ProgramData) and without accessing the cloud all the time (lack of connection does not have a detrimental effect on its capacity).
  • Powerful fileless attacks (targeted attacks) prevention.
  • Provides accurate threat classification so admin would take appropriate measures.
  • Does not require add-ons and additional services.
  • Can be effectively combined with various Microsoft protections such as Smart Screen and Defender.
  • Prevents exploits (to an extent).
Cons:
  • Does not oversee network events (it will have to be combined with Anti-Bot/IPS, especially in a business environment).
  • Does not block malicious websites (this can easily be taken care of).
  • All cons related to static analysis in this case apply (these have been widely discussed, I suggest looking here for more information). For example packers can be identified with signatures very quickly and effectively, whilst static analysis extracts almost no attributes (just noise). Behavioural blocking (runtime analysis) will in most cases kick in but it may be too late. Static analysis works best when combined with dynamic analysis/emulation which in this case is missing.
  • Some competitors provide better forensic analysis.
  • Misconfiguration can cause a lot of headaches. (Home users may be better off with Kaspersky, Avast, Norton).

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,788
So this is the new flavour of the month cyber security wise? Is it any good? Why is it that good?

Always looking to try new things, I'll read the thread when I have time just not now.
I like it. Fast, light, granular tweaking, good documentation, friendly responsive support in the US from reseller Cyberforce, has many layer-flavors so minimal or no other security apps are needed; my first suggestion: put it on a VM first. Why did I deploy... I like AI thingies; according to Microsoft, ESET humptydumpty'ed my Windows firewall, so I had a spot for it on my hardware Win10. Others can better explain its strengths and weaknesses, if any. It does have its nuances. "Awesome and intelligent endpoint. It is also light and resource efficient. It doesn't affect the performance of the host device yet performs effectively. Rolling out and installation were easy and smooth. Silently acts on any threats and applies the most appropriate response." When it does something, it gives you lots of info about what it did.


simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,788
Is all this drama worth it? Does DI provide that much better protection than Kaspersky or Bitdefender, as examples, that you need to go thru all this? Just wondering. Thanks.
Just reportin' my experience in close to real-time, and YES! Good software and I'm learning stuff too. I like it. IMO best on a VM until you get as smart as it is :D

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
@Trident suppose a user wants to run a second opinion scan once a week or once a month, e.g. NPE, KVRT, ESET Online, F-Secure Online. Would you, can you, run those while DI is running, or do you disable DI, or better just don't do it?? :unsure:
Using second opinion scanners is fine but you must add the scanner to behavioural blocking exclusions. Not adding the second opinion scanner under exclusions will subject its behaviour to vigorous monitoring, will increase the size of the forensic database and will cause degradation of performance as both the scanner and DI will be very active. In addition, it may also generate noise.

Once you exclude the second opinion scanner, you are good to go. I personally don’t run such scanners.

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,788
Is all this drama worth it? Does DI provide that much better protection than Kaspersky or Bitdefender, as examples, that you need to go thru all this? Just wondering. Thanks.
PS what was frustrating for me on Monday: I was 99% sure I was following the correct steps to allow a Behavioral analysis exception for software that is known good and that I run regularly. But DI would not let it run. On Monday, support techs assumed that I borked it somehow, and they sent me marginal replies without really taking a look. I "wasted" half a day to get them to take a deeper look (more like 2/3 of a day), and it was only then they realized that their machine was not properly talking to my machine. I think they tweaked something on their end to fix that, which then fixed the problem. End of rant. Except for the first half of today, the support techs have been very good. And finished very good by the end of the day.

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,788
Using second opinion scanners is fine but you must add the scanner to behavioural blocking exclusions. Not adding the second opinion scanner under exclusions will subject its behaviour to vigorous monitoring, will increase the size of the forensic database and will cause degradation of performance as both the scanner and DI will be very active. In addition, it may also generate noise.

Once you exclude the second opinion scanner, you are good to go. I personally don’t run such scanners.
Got it, I will not run any. Makes sense given what I've learned so far about Di.

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
Is all this drama worth it? Does DI provide that much better protection than Kaspersky or Bitdefender, as examples, that you need to go thru all this? Just wondering. Thanks.
Users here like to learn, hence they go through the drama. Home AVs are too automated and boring for many (including myself). The business solutions have a lot going on and provide a lot of details (I personally love them; look at those Check Point reports above, which are now even more detailed). They provide a deep dive into the malicious behaviour, the MITRE ATT&CK matrix and others. Users who don’t care about any of that are fine with home AVs.

Digmor Crusher

Level 25
Verified
Top Poster
Well-known
Jan 27, 2018
1,435
Users here like to learn, hence they go through the drama. Home AVs are too automated and boring for many (including myself). The business solutions have a lot going on and provide a lot of details (I personally love them; look at those Check Point reports above, which are now even more detailed). They provide a deep dive into the malicious behaviour, the MITRE ATT&CK matrix and others. Users who don’t care about any of that are fine with home AVs.
Yes I know, it's a good learning experience trying software like this.

ShenguiTurmi

Level 3
Well-known
Feb 28, 2023
126
  • It’s good because it’s a light, quick, down-to-business prevention layer. It offers effective deep static analysis applied only locally (machine learning information is saved in ProgramData) and without accessing the cloud all the time (lack of connection does not have a detrimental effect on its capacity).
  • Powerful fileless attacks (targeted attacks) prevention.
  • Provides accurate threat classification so admin would take appropriate measures.
  • Does not require add-ons and additional services.
  • Can be effectively combined with various Microsoft protections such as Smart Screen and Defender.
  • Prevents exploits (to an extent).
Cons:
  • Does not oversee network events (it will have to be combined with Anti-Bot/IPS, especially in a business environment).
  • Does not block malicious websites (this can easily be taken care of).
  • All cons related to static analysis in this case apply (these have been widely discussed, I suggest looking here for more information). For example packers can be identified with signatures very quickly and effectively, whilst static analysis extracts almost no attributes (just noise). Behavioural blocking (runtime analysis) will in most cases kick in but it may be too late. Static analysis works best when combined with dynamic analysis/emulation which in this case is missing.
  • Some competitors provide better forensic analysis.
  • Misconfiguration can cause a lot of headaches. (Home users may be better off with Kaspersky, Avast, Norton).
Two more cons:
1. Instead of querying the cloud for reputation as soon as they detect a false alarm, they often quarantine the file, and then it is quickly restored automatically again.
2. They do provide the ability to add your own IoA to implement EDR functionality (which they did in the MITRE test, modifying an extremely large number of settings), but there are no pre-configured rules to fully map behavior to the MITRE ATT&CK framework, so I don't think they can quite be called "EDR".

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
so I don't think they can quite be called "EDR"
No, EDR/XDR there is just no way. Also the protection components are not enough to call it that. If anyone wants EDR they can combine it with Defender for business or another solution.

Btw did you see those Check Point reports I left in one of the previous posts? I love them 😀😀

ShenguiTurmi

Level 3
Well-known
Feb 28, 2023
126
No, EDR/XDR there is just no way. Also the protection components are not enough to call it that. If anyone wants EDR they can combine it with Defender for business or another solution.
They did, but I don't know why they did it. They implemented the mapping index to ATT&CK by modifying the settings and participated in the EDR test of MITRE.

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
They did, but I don't know why they did it. They implemented the mapping index to ATT&CK by modifying the settings and participated in the EDR test of MITRE.
They can participate in this test without being an EDR. There is no requirement that the product should be EDR, it should be a business solution. Check Point also tested there and with very high coverage, isn’t an EDR either.

This test simulates techniques, tactics and procedures used in real attacks and focuses on whether a block was produced or the admin was notified (how many of them are covered).
Blocks can be produced with various components, including but not limited to definitions, behavioural blocking, static analysis and others.
Only for the notification part does it make sense for the product to be an EDR.
Because Deep Instinct is not, it had much lower coverage than, let’s say, Sentinel One, which is.

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,788
If anyone wants EDR they can combine it with Defender for business or another solution.

Btw did you see those Check Point reports I left in one of the previous posts? I love them 😀😀
So the curious question: At first I had Defender (consumer - home) but was urged by Cyberforce to integrate DI, which turned off Defender. Ok. So CyF offers DI but not Defender for Business, or is it called for Enterprise? Is Defender for Business available for us folks? :unsure: If so, how / where? Or skip thinking like that o_O

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
So the curious question: At first I had Defender (consumer - home) but was urged by Cyberforce to integrate DI, which turned off Defender. Ok. So CyF offers DI but not Defender for Business, or is it called for Enterprise? Is Defender for Business available for us folks? :unsure: If so, how / where? Or skip thinking like that o_O
Defender will be required in a true business environment to provide threat hunting (this is where you see a threat on one machine and need to inspect many others too). It will also provide forensic analysis capabilities (this is when you need to recover after a successful attack and need to know the scope: what was accessed, modified, deleted, exfiltrated, encrypted). This is what’s missing from Deep Instinct and what Defender for Business can provide. In addition, Defender for Business will provide a powerful layer of cloud ML and emulation (also known as dynamic analysis and cloud emulation/detonation). So it’s like a puzzle coming together.

If you are not in a business environment, the whole forensic analysis, threat hunting, attack recovery is not in any way useful to you. If you are still interested in Defender for Business, it is available directly from Microsoft at a very low price.

ShenguiTurmi

Level 3
Well-known
Feb 28, 2023
126
They can participate in this test without being an EDR. There is no requirement that the product should be EDR, it should be a business solution. Check Point also tested there and with very high coverage, isn’t an EDR either.

This test simulates techniques, tactics and procedures used in real attacks and focuses on whether a block was produced or the admin was notified (how many of them are covered).
Blocks can be produced with various components, including but not limited to definitions, behavioural blocking, static analysis and others.
Only for the notification part does it make sense for the product to be an EDR.
Because Deep Instinct is not, it had much lower coverage than, let’s say, Sentinel One, which is.
I'm actually curious to try a full EDR solution. Another guy from my company bought Cylance Optics a while back and I watched him test it, but their EPP section left me very unsatisfied (extremely high false positive rate). CrowdStrike's EDR is good, but too expensive.
I don't know how to choose. If separate EDR without EPP, I saw Fidelis, and aml sells it (Taiwan reseller where I bought DI), but I can't decide if I really want to choose one without an EPP plan.
Cybereason? Seems good, they have the Bitdefender engine and it comes with their own machine learning, and the MITRE test score of the EDR is also very good, but I can't find their reseller. If you know their reseller please let me know, thank you very much.

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
EDR is also very good, but I can't find their reseller, if you know their reseller please let me know, thank you very much.

They have a lot of different partners in the UK, but not sure about your region. Cybereason is difficult to purchase as a single license (many won’t be willing to deal) because they are used to EDRs being on demand from large businesses.

I am very interested in Palo Alto, Check Point and Sentinel One. For Check Point I have already contacted a reseller; the rest will be at a later stage. In my opinion, these are the best. CrowdStrike is good, but overrated.
