Interview: How Deep Learning Can Prevent Cyber Threats

Chuck Everette, Director of Cybersecurity Advocacy at Deep Instinct, discusses the prevalent zero-day threats businesses are facing today, and how deep learning and a preventative approach to security can help businesses combat those threats.

Expert Insights Interview With Charles Everette Of Deep Instinct

Many cybersecurity solutions today categorize themselves as “left of boom” or “right of boom”; they prevent attacks from taking place, or they assume that breaches are inevitable and—instead of trying to stop them—help businesses identify and respond to them. One of the main arguments for detection and response is that it’s impossible to keep every threat out; instead, businesses should focus on minimizing their impact. But some security experts argue that, with the right technology, you can keep out even the most sophisticated zero-day attacks we’re seeing today, such as ransomware.

In the wake of BlackHat 2022, we spoke with Chuck Everette, Director of Cybersecurity Advocacy at Deep Instinct, a cybersecurity company focused on preventing and detecting zero-day threats with deep learning technology. Everette has over 20 years of experience in the cybersecurity space, having held various IT leadership roles within leading technology companies such as Microsoft and HP, as well as several government agencies. Everette is a passionate cybersecurity advocate and often speaks at industry events on how SMBs, enterprises, governments and public sector organizations can protect themselves amid an ever-changing threat landscape.

In this interview, we discussed the most prevalent zero-day threats businesses are facing today, how deep learning and a preventative approach to security can help combat those threats, why—and how—cybersecurity companies should collaborate more effectively, and how adversarial AI may shape the cyber threat landscape in the coming years.

Could you give us an introduction to Deep Instinct and your main use cases?

Sure. Deep Instinct is an Israel-based company that’s been around for eight years. It came about as a means of combatting the newest and latest sophisticated threats targeting endpoints.

It’s not enough to wait for things to execute to be able to know what they are and to blacklist them. And that’s how the older legacy solutions work, and organizations have resigned themselves to the philosophy of: “You can’t prevent it, so you might as well let it in and then see what it’s doing, and then go back and clean up the damage afterward.” That’s not acceptable. Waiting for those attacks to come in and then responding—there has to be a better way.

So, we took some of the top experts in the world in deep learning and cybersecurity and developed a platform—utilizing deep learning but building it from the ground up—to go after some of the latest threats, to basically prevent them from even hitting the system.

Roughly 80-90% of the security companies out there today use machine learning. And they’re basically doing supervised feature extraction, looking for patterns, building their algorithms around that, and then applying that—but you still have to see what the new threats look like in order to build your pattern recognition around it. What we’re doing is taking millions of samples on a quarterly basis, and then training our “brain”, which is our custom-built deep learning algorithm. This algorithm mimics the human brain; there are several layers, and neurons that have to interconnect, to be able to prevent an attack; you can’t have just one algorithm for everything.

So, we have multiple different brains or algorithms to look for PowerShell, for memory code injection, Python, executables, and so on, and they’re all customized and purpose-built. It’s not like going out and taking something off the shelf and applying machine learning to it; that doesn’t work the same way, you’re not going to get the same effective rates as a deep learning solution built from the ground up.

Our brains, our algorithms—now we’re over eight years old—are incredibly intelligent. And they’re able to literally predict the newest and greatest threats that are emerging daily.

Because of this predictive nature, we are running an algorithm in production right now that’s been going for over eight months, with zero updates. Every other security vendor typically updates their solutions almost daily. We don’t have to do that. We are effective for months and only update a few times a year.

Over the past couple of years, we’ve seen huge changes in the way organizations work and engage with digital services. What are the main cybersecurity challenges that your customers are facing today as a result of this?

Cyber gangs are constantly evolving. And one thing we’re seeing is that the lines are blurring more between independent and state-sponsored attacks, which typically have higher budgets. Especially with the breakdown in the Russia and Ukraine region, we’re seeing more of those cyber threat actors going over to the criminal side. And they’re taking that knowledge with them, so the attacks are even getting more sophisticated.

The Ponemon Institute found that 80% of all successful breaches are from zero-days or unknowns. And that’s the way it’s going to continue; there’s a lot of commodity malware out there, but if somebody wants to target you, they’re going to get inside your organization using something new and targeted with which they can bypass your defenses.

So, that’s the biggest thing we’re seeing out there: ransomware attacks and malware attacks aren’t slowing down, they’re just getting more sophisticated. A lot of these gangs have more R&D budget than large corporations do.

And it’s the cat and mouse but, unfortunately, the industry itself isn’t getting much traction. It’s very saturated with a lot of different security products, and some security solutions have some really good tech out there, but that over-saturation is confusing the clients. They don’t know where to start.

Vendors really need to start working together and say, “Our products can mesh extremely well together, if done properly.” Instead, everybody is trying to throw hate and hawk their tools, instead of working together and collaborating. And that’s the problem. The cybercriminals are collaborating, they’re working together, they’re supporting each other—but we’re not.

Do you think we can expect more acquisitions in the next few years to address that, or perhaps more companies expanding their services to offer a more holistic platform, rather than segregated tools?

I don’t see that. However, there are individuals like myself and other industry experts saying that you’ve got to have synergy and communication between platforms. A lot of platforms can talk to each other, like EDR and SIEM platforms; they can take in a lot of information, and they’re doing some of that communication. The problem is, how do you wade through that analysis and eliminate the white noise?

Now organizations are getting to alert fatigue, and that’s where Deep Instinct really tries to make a difference—by eliminating the number of alerts coming in by preventing threats before they are even written to disk or memory. Typically, we see a 40-60% drop in alerts when using our platform because we’re stopping at pre-execution. We call it “high fidelity alerting”, where we work with other platforms, but we basically come to the top of the surface so, if our clients get an alert for Deep Instinct, it means that something is seriously wrong, so they know it needs to be addressed as a priority.

So, us working with other platforms is extremely important, but it’s kind of a hard story to sell. Everybody wants that silver bullet. And unfortunately, there just isn’t one solution; you need multiple layers of protection, and get them to work extremely well together. And that’s security in depth.

You mentioned earlier that Deep Instinct focuses on the prevention side of security. Why is it important for organizations to take a preventative approach to combatting these threats, rather than reacting to incidents as they happen?

Right now, everybody is reactive; they’re waiting for the threat to come in. They can’t prevent it, so they let the threat come in and land, then they start looking for indicators or patterns of compromise.

But the problem is the speed at which these attacks can start encrypting. Once they get inside, the damage they can do is in a matter of minutes. And some of these platforms take anywhere from 15 minutes to hours to days before they identify the threat. At BlackHat, I was watching a demo, and it took almost eight days for them to identify an inside threat actor before they were able to go back and find and fix everything it did. The threat actors had seven days in the system to steal data, put in backdoors, and wreak havoc. Why let them be in the system for seven days, doing damage and extorting data, when you can prevent them before the threat even lands?

You have to prevent it before the threat’s even getting in, make yourself a target that is so hard to get into that the cyber criminals are going to move on to somebody else that’s easier to breach.

How does Deep Instinct apply deep learning technologies to help stop ransomware and other zero-day threats before they take hold within the network?

Our platform is built to look at 100% of the file, compared to only 3-5% of the file like other security solutions using ML solutions. We scan it in less than 20 milliseconds, and we can determine whether it’s malicious or benign. People are often very suspicious of our claims, because we say we can stop 99% of zero-day and unknown threats and that we have a false positive rate of less than 1%. But I’ve been doing this for 25 years, I’ve been with Deep Instinct for five years now, and I’m here at the company because the technology works.

But it’s one thing to take my word for it. So, we hired Lance James, the known adviser to Brian Krebs of KrebsOnSecurity, who validates solutions like ours. Lance James and I got talking, and we asked him to take a look and tell us what he thought of the platform. And he took a look and he said, “Impressive, but I don’t believe it. I need to tear it apart.” So, we hired his company to do just that. Over four weeks, he tore it apart, came back, and said, “Wow, you guys can actually do what you say you can do. I was speculative. I tried everything I could.” He tried to bypass our solution through common attacks and even custom-built attacks, and as soon as he tried to do something malicious, it would see it and stop it. So, he came back with a report of a 99.79% effective rate against common, custom, and even targeted attacks. Lance also validated our false positive rate of less than 1%. He actually had a false positive rate of zero over the month that he was using it.

And that’s where the big difference is. Because of the security staff shortage, your security staff is constantly under pressure, overworked, and turning over, and you need to make their jobs easier. By putting a solution that prevents attacks at the edge before they even get inside your environments, we’re cutting down on the amount of time staff spends reacting and chasing after alerts, in turn reducing alert fatigue. So, they’re able to go back to addressing critical items like patching, looking at actual alerts, and getting to priority items in a timely manner instead of taking seven days.

Some experts predict that cybercrime groups will begin to utilize adversarial AI and machine learning to enhance their attacks in the near future. What could this look like, and how will it affect our current approach to cybersecurity?

Attacks are getting more and more sophisticated. And adversarial AI—using ML and AI—is definitely a concern. It is a direction they’re using. But the main issue out there still is the human factor. And more and more companies are trying to remove that threat by putting in automation, but the more automation you put in, the less eyes on glass you have. So, it’s kind of a chicken and egg issue.

So, absolutely. The gangs are getting more sophisticated, they understand what cybersecurity solutions clients are using today, and they know how to bypass that by using their own ML and their own code. They’re saying, “If I slow down my attacks and, instead of running my script back-to-back, if I put a 15 second pause in between, I now can bypass other solutions.” Or, “If I go over here and dismantle this shadow copy, I’ve now defeated solutions that depend on rollback capabilities.”

Ransomware gangs get people together for one purpose, and that’s to make money. And they’re targeting to get as much money as they can, as fast as possible. And the key thing out there is, you have to make yourself more difficult than what it’s worth to get inside. Because if they get inside, 77% of companies that have been hit will be hit a second, third, or fourth time, because they got in, put the backdoors in, extracted their money, then turn around and sell that access to those backdoors to another group of criminals.

You mentioned the human factor there—how big a part do human-centric solutions, such as security awareness training, play in helping stop these attacks?

It’s huge. I’m doing a talk at GSX, and I’ve done an article on Forbes, on insider threat. With insider threat, you have the conscious and the unconscious threats. The unconscious is your cybersecurity awareness training to help prevent human error. That could be somebody clicking on something malicious, but it’s also misconfiguration when staff make a mistake.

But we’re also seeing that, because of the large turnover and attrition rates of employees, employees are leaving and they’re taking that knowledge with them. That knowledge then can be used maliciously, or it can just leave the organization with a huge knowledge gap. We’ve seen so many times that clients have migrated to Microsoft 365, and then the person who was part of that project leaves. But their old Exchange servers are still up and running and the businesses don’t even know they exist. They’ve forgotten about them so they’re not being patched, they’re exposed, and they end up getting hit with an attack. If the staff leave, or they’re so busy that they’re not doing their checks properly, documentation can easily be left out of date.

Human error is always going to be there. So, what can you do to prevent that? That’s where solutions like Deep Instinct come in. You have to have visibility of what’s going on to be able to prevent these attacks.

What would your final piece of advice be to organizations struggling to prevent ransomware and other zero-day threats we’re seeing today?

Look at prevention; prevention is possible. Stop depending on your EDR or your post-execution tools because, if the attackers get in the system, it’s already too late. Get your shields up and tighten it down more. But do it in a way where you’re not going to overload your staff, you’re actually going to make their job easier; do it smartly.

So many times, companies are waiting for a catalyst; they’re waiting for a breach in order for them to make a change. Cybersecurity is always the last thing changed, but the first thing that gets blamed. They don’t want to go through that, they are lackadaisical, or they’re just lazy—they don’t want to change out the current solution, even though it isn’t working for them.

In some industries, organizations can’t get funding until there’s a breach. So, they let stuff go through until they get a breach, then they can finally put a better solution in place. And that to me is just wrong!

If you know something’s wrong, fight for it and get it out there. Stop waiting for attacks to happen. Make the changes now, before you become a victim.

Thank you to Chuck Everette for taking part in this interview. You can find out more about Deep Instinct’s deep learning threat prevention platform via their website.