Vendor: Cylance
This new type of test examine’s a product’s ability to use its abilities to detect threats that were found after the product was created. We call it the Predictive Malware Response Test because it tests a product’s ability to predict future malware.
A common criticism of computer security products is that they can only protect against known threats. When new attacks are detected and analysed, security companies produce updates based on this new knowledge. They apply these to endpoint, network and cloud security software and services.
But in the time between detection of the attack and application of the corresponding updates, systems are vulnerable to compromise. Almost by definition at least one victim, the so-called ‘patient zero’, has to experience the threat before new protection systems can be deployed. While the rest of us benefit from patient zero’s misfortune, patient zero has potentially suffered catastrophic damage to its operations.
Minority report
Security companies have, for some years, developed advanced detection systems. These are often labelled as using ‘AI’, ‘machine learning’ or some other technical-sounding term. The basic idea is that past threats are analysed in deep ways to identify what future threats might look like. Ideally the result will be a product that can detect potentially bad files or behaviour before the attack is successful.
It is possible to test claims of this type of predictive capability by taking an old version of a product and denying it the ability to query cloud services. You then expose it to threats that were created, detected and analysed months or even years after its own creation. It’s the equivalent of sending an old product forward in time and seeing how well it works with future threats.
Predictive Malware Response: CylancePROTECT
This is exactly what we did in this test. Using CylancePROTECT’s AI model from May 2015 we collected serious threats dating from February 2016 through to November 2017.
Such threats included WannaCry, a mid-2017 ransomware-based attack that was spread using the NSA’s EternalBlue exploit; Petya, a ransomware attack from early 2016; and GhostAdmin, malware from 2017 capable of taking remote control of victim systems and exfiltrating data.
These results demonstrate that CylancePROTECT users would have been safe from the zero-day attack types used in the test, even if they had not updated their software for two years and nine months.
Tested product from: