
Cylance SWOT published! How important is Machine Learning to Endpoint Security?

By Avivah Litan | June 05, 2017 | 1 Comment

We just published a SWOT on Cylance, (see SWOT: Cylance, Endpoint Protection Platforms, Worldwide ) a firm best known for bringing machine learning to endpoint security by developing self-contained supervised models that analyze and block file-based malware before it executes.

Cylance’s innovation earned the company stellar growth and market mind-share as discussed in our SWOT. See Figure 1 for a comparison of endpoint security company growth rates – the notable orange line represents Cylance’s 2016 revenue growth rate.

Figure 1: EPP platform growth rates 2015/2016


Nonetheless, advanced attacks are more frequently using file-less techniques (in-memory and script-based). Cylance and other endpoint security vendors are challenged to deploy machine learning (ML) models that address these newer forms of attacks, where voluminous training data to support the models is harder to gather, manage, and synthesize properly. (Some startup vendors, such as Ensilo and Barkly, say they already use ML models to detect and block fileless attacks, although these capabilities have not yet been vetted.)

Just how important is machine learning anyway when it comes to stopping attacks that start on endpoints?

It’s really only one tool in what needs to be a layered arsenal.

Case Study: Malware-based Attack Launched against U.S. Restaurant Chains

A partially successful attack on U.S. restaurant chains hammers this point home. Hackers recently launched a five-part attack against these establishments that started with a malicious .rtf file attached to a phishing email. The execution of that file enabled the hackers to gain persistence on targeted hosts and to plant artifacts in target host registries. The hackers used legitimate software to create scheduled tasks that ran their scripts in order to maintain persistence.

One restaurant chain had Cylance software deployed on its endpoints, and it reportedly detected one file-based portion of the attack. (Reportedly, none of the various deployed EPP agents at the restaurant chains were able to detect the initial .rtf file.) But unfortunately, the target did not have Cylance running in ‘block’ mode, so the detection failed to stop the attack. That was a configuration issue, not an issue with Cylance’s software.

A second restaurant chain did manage to block the attack, but not because it had the latest anti-malware software running on the host. Instead, it blocked the attack because the security manager at the restaurant had previously disabled admin privileges on all hosts that did not require them, including the one that the malware landed on. The net result: the malware was unable to write the initial file to disk at that restaurant chain, and the attack was thwarted.

Lessons Learned

What can we learn from these real-world events:

  • Start with basic hygiene and sound security practices on your endpoints, for example:
    • Stay current with patch management
    • Disable privileges and programs (like PowerShell) that are not needed on most end-user endpoints.
  • Use a layered endpoint security approach that includes application whitelisting and blacklisting, and other controls that come bundled with most EPP platforms.
  • Keep your current endpoint protection platforms up to date – many incumbent vendors have useful features in their most current platforms that enterprises have not yet turned on or deployed.
  • Make sure next generation controls are configured properly so that they can do their thing. For example, if you do deploy software like Cylance, put it in BLOCK mode rather than just Detect mode (obviously after you have tested and are comfortable with it).
  • Likewise be sure to configure all your security layers correctly. For example, when limiting admin privileges, be sure to log any attempt to override the limits.
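The three hygiene points above (unneeded admin rights, script-driven scheduled tasks, and logging of attempts to override the limits) can be checked on a single Windows host. The following read-only script is an added example, not code from the original post or from any vendor named in it; it assumes Windows PowerShell 5.1 or later run elevated, and `$ApprovedAdmins` is a placeholder list to replace with your own standard.

```powershell
# Added example, not from the original post: a read-only hygiene check for the
# lessons above on one Windows host (Windows PowerShell 5.1+, run elevated).
# $ApprovedAdmins is a placeholder list; replace it with your own standard.
$ApprovedAdmins = @("$env:COMPUTERNAME\Administrator", 'CORP\Workstation Admins')

function Get-UnexpectedLocalAdmins {
    # Lesson: remove admin rights where they are not needed. Report every
    # member of the local Administrators group outside the approved list.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $ApprovedAdmins -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-ScriptHostScheduledTasks {
    # Case study: persistence via scheduled tasks that run scripts. List
    # non-Microsoft tasks whose action launches a script host or shell.
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
        ForEach-Object {
            $task = $_
            foreach ($action in $task.Actions) {
                if ($action.Execute -match '(?i)(powershell|pwsh|wscript|cscript|mshta|cmd)') {
                    [pscustomobject]@{
                        TaskName  = $task.TaskName
                        Author    = $task.Author
                        RunAs     = $task.Principal.UserId
                        Execute   = $action.Execute
                        Arguments = $action.Arguments
                    }
                }
            }
        }
}

function Get-AuditPolicyGaps {
    # Lesson: log attempts to override the limits. Event 4732 (member added to a
    # local group) and 4698 (scheduled task created) need these subcategories
    # audited for both success and failure.
    foreach ($sub in 'Security Group Management', 'Other Object Access Events') {
        $row = auditpol /get /subcategory:"$sub" /r |
            Where-Object { $_ -ne '' } | ConvertFrom-Csv
        if ($row.'Inclusion Setting' -ne 'Success and Failure') {
            [pscustomobject]@{ Subcategory = $sub; Current = $row.'Inclusion Setting' }
        }
    }
}

Get-UnexpectedLocalAdmins    | Format-Table -AutoSize
Get-ScriptHostScheduledTasks | Format-Table -AutoSize
Get-AuditPolicyGaps          | Format-Table -AutoSize
```

Each function only reports; remediation (removing group members, deleting tasks, changing audit policy) is a separate, deliberate step after the findings are reviewed.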

The bad guys will inevitably get through any single layer of endpoint security controls. But they are much less likely to get through multiple layers, and their chances of success decrease proportionately to the number of layers that an organization deploys. Security layers need to extend beyond the endpoint into other attack surfaces, such as networks and databases, and into central analytics engines that can contextualize and correlate suspect events across different attack vectors.

Cylance gets lots of credit for bringing effective self-contained machine learning to endpoint security – our SWOT explores this, along with the increasing threats Cylance faces in the market as it tries to maintain favorable growth rates.

One thing is a given – there is no silver bullet for fighting attackers. A layered approach is essential.


1 Comment

  • Naveen Palavalli says:

    Avivah, this is great practical advice for enterprises to better protect their environments and also identify the right endpoint security solution!