
Next generation anti virus uses artificial intelligence to identify malware.  

Gary Glover, CISSP, SecurityMetrics
By: Gary Glover
Anti virus has become increasingly less effective for detecting and protecting organizations from zero-day attacks and ransomware. Yes, some anti virus suites have new features that advertise the detection and blockage of new malware strains, but traditional software still requires malware to successfully infect a computer before it can be blocked.

The traditional anti virus software I’m talking about is signature-based. Signature-based anti virus is very reactive. It only flags and quarantines files already known to be malware. If the software hasn’t seen that exact variant of malware down to every bit, it tends to let the program run.

In a nutshell, anti virus doesn’t protect; it cleans up malware infections after the fact. Needless to say, signature-based software is extremely ineffective. Some organizations (e.g., Netflix) are even abandoning anti virus entirely because it’s deemed so ineffective.

Wait a second . . . isn’t having and maintaining anti virus in your environment a Payment Card Industry Data Security Standard (PCI DSS) requirement? Yes, it is.

The problem is the anti virus software most companies use is so dated in its signature-based methodology that it might not fully protect your sensitive systems.

Traditional anti virus may not cut it for future PCI DSS compliance

Let’s look in depth at the specific anti virus requirements in the newest version of the PCI DSS and consider where malware protection requirements may be heading.
  • PCI Requirement 5.1.1: Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.
  • PCI Requirement 5.2: Ensure that all anti-virus mechanisms are…kept current, perform periodic scans, and generate audit logs.
Knowing what you know now about signature-based anti virus, you can probably see that truly complying with PCI DSS requirement 5 might have to go beyond traditional anti virus at some point. After all, signature-based software doesn’t protect against all known types of malicious software (PCI requirement 5.1.1) such as ransomware.

In addition, new variants of malware that modify into new strains are found daily. This means even if the original malware is picked up by signature-based software, the software won’t recognize a new strain until malware analysts find and update the signature.

With the rate of newly created malware strains, it’s essentially impossible to keep current anti-virus software up to date (PCI requirement 5.2). Software would have to be updated by the manufacturer every few minutes in order to sustain current status.

Anti virus must evolve to survive

Cybersecurity defenses are evolving with attackers, and that means anti virus must too. What if there was another way to intelligently detect malware before it ran on a system?

A company called Cylance created a new high tech approach to push the anti virus envelope.

Cylance doesn’t use signatures to identify malware. Instead, they use an algorithm that analyzes millions of file and program characteristics and scores those elements on the likelihood of them being malicious. The coolest part? It does this through artificial intelligence.

I spoke with Jon Miller, VP of Strategy at Cylance, who said the company is the only security company in the endpoint space focused on not running malware in the first place.

“Everyone else in anti virus is focused on dynamic analysis, which means letting software run unless you know for a fact it’s bad. Well that’s just not good enough anymore.”

Here’s how their product works. Their machine-learning model does a static analysis on the suspected file. It examines the attributes of the file by analyzing every piece of data that’s extractable without running the file.

Miller says, “Using artificial neural networks, we train the model on what a good and bad file looks like with millions and millions of data points. If the file has more suspicious factors than non-suspicious factors, it blocks it. If the file looks good, the machine lets it run. The more data you give it, the more it learns, and the more accurate it makes itself.”
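To make the contrast between the two approaches concrete, here is an added toy example (not Cylance’s model or code, and not from the original post). It extracts a few static attributes from constructed byte blobs standing in for files, trains a tiny logistic-regression scorer on labelled benign and "packed" samples, and compares its verdict with an exact-hash signature lookup on a one-byte variant of a known-bad sample. The blobs, the four features, the 0.5 threshold and the training corpus are all assumptions constructed for illustration; nothing in it is real malware.

```python
"""Toy static-analysis classifier vs. an exact-hash signature check.

Added illustration, not Cylance's model: the file blobs, the four features
and the tiny logistic-regression model are all constructed for this example.
"""
import hashlib
import math
from collections import Counter


# --- Constructed "files": nothing here is a real program or real malware ----
def pseudo_random_bytes(n, seed):
    """Deterministic high-entropy filler standing in for a packed section."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


TEXT = b"Invoice total, customer name, shipping address, order notes\n"


def benign_file(tag, header=b"MZ"):
    # Mostly readable strings with a small opaque tail (e.g. resources).
    return header + TEXT * 13 + pseudo_random_bytes(48, b"benign%d" % tag)


def packed_file(tag):
    # A stub header followed by a large opaque body: the shape of a packed binary.
    return b"MZ" + b"stub loader\n" + pseudo_random_bytes(1024, b"packed%d" % tag)


# --- Static features: everything is read from the bytes, nothing is executed ---
def shannon_entropy(data):
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extract_features(data):
    """Four attributes a static analyser can read without running the file."""
    chunks = [data[i:i + 256] for i in range(0, len(data), 256)]
    chunks = [c for c in chunks if len(c) >= 128]          # ignore tiny tail chunks
    high = sum(1 for c in chunks if shannon_entropy(c) >= 6.0)
    printable = sum(1 for b in data if 0x20 <= b <= 0x7E)
    return [
        shannon_entropy(data) / 8.0,                       # overall entropy, 0..1
        printable / len(data),                             # share of printable bytes
        high / len(chunks) if chunks else 0.0,             # share of high-entropy chunks
        1.0 if data.startswith(b"MZ") else 0.0,            # executable-header flag
    ]


# --- A minimal learned scorer: logistic regression trained by SGD -----------
def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def train(samples, labels, epochs=1000, lr=0.5):
    w, b = [0.0] * len(samples[0]), 0.0
    for _ in range(epochs):
        for x, y in zip(samples, labels):
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            w = [wi - lr * err * xi for wi, xi in zip(w, x)]
            b -= lr * err
    return w, b


def score(model, data):
    w, b = model
    return sigmoid(sum(wi * xi for wi, xi in zip(w, extract_features(data))) + b)


def classify(model, data, threshold=0.5):
    """Block when the learned malicious score outweighs the benign evidence."""
    p = score(model, data)
    return {"score": round(p, 4), "verdict": "block" if p >= threshold else "allow"}


# --- The signature-based baseline: an exact SHA-256 match -------------------
def signature_match(data, known_bad_hashes):
    return hashlib.sha256(data).hexdigest() in known_bad_hashes


# --- Constructed corpus and a worked run ------------------------------------
TRAIN = ([benign_file(i) for i in range(3)] + [benign_file(9, header=b"%PDF")]
         + [packed_file(i) for i in range(4)])
LABELS = [0.0] * 4 + [1.0] * 4
MODEL = train([extract_features(f) for f in TRAIN], LABELS)

KNOWN_BAD = {hashlib.sha256(packed_file(0)).hexdigest()}   # the "signature database"
_variant = bytearray(packed_file(0))
_variant[200] ^= 0x01                                      # a one-byte "new strain"
VARIANT = bytes(_variant)
UNSEEN_BENIGN = benign_file(42)                            # never seen during training

if __name__ == "__main__":
    print("signature on original:", signature_match(packed_file(0), KNOWN_BAD))  # True
    print("signature on 1-byte variant:", signature_match(VARIANT, KNOWN_BAD))   # False
    print("model on 1-byte variant:", classify(MODEL, VARIANT))                  # block
    print("model on unseen benign file:", classify(MODEL, UNSEEN_BENIGN))        # allow
```

Run it directly to see the four verdicts: the hash lookup fails the moment a single byte changes, while the feature-based score barely moves because the file’s static attributes are unchanged. The "more suspicious than non-suspicious factors" rule from the quote above is just the 0.5 threshold on the logistic output here; real products use far richer feature sets and models.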

Out of all the companies creating anti-malware products that don’t mimic traditional anti virus, Cylance is the only one to obtain PCI DSS certification for Requirement 5. They’re also HIPAA certified.

Benefits of machine-learning anti virus

Although I’m very impressed with the work Cylance has done, this isn’t a sales pitch. I am simply stating that all businesses, large and small, should move away from the retroactive nature of today’s anti virus software.
Here are the benefits that machine-learning anti virus/malware detection products have over traditional anti virus products.
Superior data security: Traditional anti virus could allow new strains of malware to run on your systems. Machine-learning anti virus never allows suspicious files to run. In addition, an artificial intelligence system can keep up with new hacker methods. When hackers get smarter, so does the system.

No follow-up: Machine learning significantly decreases the IT effort that goes into anti virus. According to Miller, “Unlike traditional security products that send an alert and require a person to investigate, the Cylance anti virus program is purely informational. It alerts you that a piece of malware tried to run, but was identified and not allowed to run. You have no follow-up and don’t need an incident response team to drill down on every anti virus alert.”

No constant updates: Traditional anti virus companies have thousands of threat researchers analyzing new malware. Each time researchers find and categorize new malware, you have to update your software. But because machine learning is intelligent, it doesn’t need researchers to analyze data for it, and doesn’t need constant updates.

Extremely low false-positive rate: Cylance is “scary effective” at positively identifying malware, and its false-positive rate is tiny. “Last time I looked it was 0.000005%,” says Miller.

System performance boosts: Because the machine-learning model isn’t a drag on performance, it doesn’t consume many system resources. This means a computer using machine-learning anti virus will run faster than one using traditional anti virus. Not only that, but the Cylance program itself is sized at only 40 MB.

Plays well with others: You can use machine-learning systems with or without your old anti virus program. Over 80% of Cylance customers are ripping and replacing their old anti virus products with Cylance’s machine-learning model. But Miller says you don’t have to throw out your old solution, “You can configure our product to run along traditional solutions like McAfee or Sophos.” The system integrates well in both small and large companies, and delivers the same type of protection.

The future of anti virus

You don’t have to look far to see that traditional anti virus isn’t delivering the protection that businesses need. It’s essentially 25-year-old technology. Do you really want 25-year-old technology protecting your business?

The PCI DSS is getting smarter and more agile as attackers think of new ways to steal payment card data. I wouldn’t be surprised if, within the next five years, the requirements no longer treat signature-based anti virus alone as compliant with Requirement 5.

But perhaps the industry will fix itself. Miller believes in the next five years, every anti virus product on the market will go the way of artificial intelligence.

“Machine-learning is the absolute future of information security. Using the power of computers to accurately identify millions of attributes and then make a determination can drive levels of efficiency higher than you can get with humans.”

This isn’t to say that machine learning is without its flaws. After all, there are always ways to trick the system. The nice thing about artificial intelligence is the second someone tricks it, it will learn and won’t get tricked again.

Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.


1 comment:

  1. I agree completely. Traditional AV just does not cut it anymore. I'm glad to hear that AI is starting to emerge in this sector of business.
