How AI-Driven Anti-Virus Tools Add Power to Cybersecurity Methods
Traditional anti-virus tools rely on signature-based solutions to help agencies defend against cyberthreats. During a typical workday, the tools scan disks multiple times for signs of possible compromise and regularly connect with update servers to download new signatures of emerging threats.
The challenge? With IT environments rapidly expanding and ransomware methods constantly evolving, signatures can’t be developed quickly enough to keep pace at scale. In addition, Cameron notes, “some solutions allow the execution to occur to determine if it’s good or bad, but this can modify the operating system, and bad things can happen.”
Cylance AI, which BlackBerry acquired, takes a different approach. “We don’t allow ransomware to execute,” says Cameron. “Instead, AI intercepts that call at the kernel level. We don’t use signatures because they’re reactive.
“What we do is analyze potentially malicious resource calls using a math model that we’ve trained by feeding it billions of files. This allows the AI to extract the features of a file at a DNA level,” he adds.
If the tool detects a problem, no execution occurs. Instead, the issue is reported, and IT teams can investigate it while the file is quarantined on the machine.
Teams can dig further to determine which threat indicators were recorded and examine why the file attempted, for example, to stop specific services or inject into them. Cylance AI offers more than 100 human-readable threat indicators to streamline this process.
Humans Are Smart, but AI Makes Them Smarter
Cameron puts it succinctly: “The math is smarter than humans. A phenomenal human analyst can know between 150 and 200 features in a file. We have the ability to look at 2.7 million features in 100 milliseconds or less to determine if something is good or bad.”
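As an added illustration (this is not Cylance’s code or model), the Python below contrasts the hash-based signature lookup described at the top of the article with a feature-based score of the kind the quoted passages describe. The three static features, the linear weights and the threshold are hand-picked assumptions for the demo, and both the “packed” executable and the config text are constructed inputs. The point it makes: flipping a single byte defeats the signature, but leaves entropy and printable ratio, and therefore the verdict, unchanged.

```python
"""Signature lookup versus static feature scoring.

Added illustration for this article; it is not BlackBerry/Cylance code, and the
features and hand-set weights below are assumptions chosen for the demo, not a
trained model.
"""
import hashlib
import math
import random
from collections import Counter


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signature_match(data: bytes, known_bad: set[str]) -> bool:
    """Signature-style check: exact hash lookup against samples already seen."""
    return sha256_hex(data) in known_bad


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def extract_features(data: bytes) -> dict:
    """A small set of static features (toy subset of what a real model would use)."""
    n = max(len(data), 1)
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return {
        "entropy": shannon_entropy(data),
        "printable_ratio": printable / n,
        "has_mz_header": data[:2] == b"MZ",
    }


def feature_score(features: dict) -> float:
    """Hand-set linear scorer (demo assumption). Higher means more suspicious."""
    score = 0.6 * (features["entropy"] / 8.0)      # packed/encrypted payloads run hot
    score -= 0.4 * features["printable_ratio"]     # text, configs and scripts are mostly printable
    if features["has_mz_header"] and features["entropy"] > 7.0:
        score += 0.2                               # executable header over a near-random body
    return score


def classify(data: bytes, threshold: float = 0.35) -> str:
    return "suspicious" if feature_score(extract_features(data)) >= threshold else "benign"


def make_samples() -> tuple[bytes, bytes, bytes]:
    """Constructed inputs: benign text, a 'packed' executable, and a one-byte variant of it."""
    benign = b"# service config (constructed sample)\nlisten = 8080\nlog_level = info\n" * 60
    rng = random.Random(7)                          # fixed seed keeps the demo deterministic
    packed = b"MZ" + rng.randbytes(4094)           # PE-style header over a high-entropy body
    variant = bytearray(packed)
    variant[100] ^= 0xFF                            # attacker flips one byte to dodge the hash
    return benign, packed, bytes(variant)


def run_demo() -> dict:
    benign, packed, variant = make_samples()
    known_bad = {sha256_hex(packed)}               # the only sample the 'signature DB' has seen
    return {
        "signature_hits_original": signature_match(packed, known_bad),
        "signature_hits_variant": signature_match(variant, known_bad),
        "verdict_benign": classify(benign),
        "verdict_original": classify(packed),
        "verdict_variant": classify(variant),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Running it shows the signature hitting only the exact sample it was built from, while both the original and the mutated executable score as suspicious and the plain-text config scores as benign. A production model differs in scale (millions of features, billions of training files, as the article states) rather than in kind.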
The Cylance AI model is currently in its seventh generation, and Cameron notes that new models are only deployed when exhaustive testing proves they’re more accurate than the current version.
“It takes a lot of files to achieve this level of machine learning,” he says. “It’s a huge training phase, but it allows the solution to make intelligent inferences about unknown files, which in turn protects against everything from traditional ransomware to emerging zero-day attacks.”
This inferential approach also makes it possible to protect against fileless attacks.
“It’s important to cover not just malicious binaries, but also fileless attacks,” says Cameron. “These could be a Word doc or Excel spreadsheet trying to trick users into executing something in the background, which could then go out, and execute and pull down ransomware.”
Cylance AI offers protection for both memory space attacks and techniques that exploit legitimate network and system services. “We have script control,” he says. “This includes active scripts, PowerShell and macros, along with two new scripts for .NET and Python. We’re constantly adding support for new scripting languages.”
Cylance AI Is Cloud-Based, but Not Cloud-Dependent
Cameron also notes that while Cylance AI is cloud-based, it’s not cloud-dependent.
“The AI model and its endpoint agent run locally on every system under protection,” he says. “So we don’t need a connection to the cloud to detect malware and prevent it from executing.”
Once a cloud connection is re-established, the agent checks in with the BlackBerry dashboard to report its status and pull down any changes to security policies.
In addition, agencies can configure the solution however it best suits their needs. “You have the ability to group your machines by servers, laptops, etc.” says Cameron. “It’s completely flexible. All admin functions and analytics are centrally managed in the cloud-based console.”
“This includes analytics about malware detection, threat indicators, how machines were affected and much more,” he adds. “You can quickly pull up whatever data you need for root cause analysis.”
Bottom line? Ransomware risks are rising. AI-driven tools make it possible to outpace and outsmart attackers with proactive, prevention-first endpoint protection.