

Dell: Signature-based detection must give way to machine learning

Dell's Brett Hansen discusses his company's new approach to advanced threat protection, which leaves behind signature-based detection and embraces machine learning.

Dell is hoping to close the book once and for all on signature-based detection and usher in a new approach to advanced threat protection that utilizes machine learning.

While signature-based detection is commonly used in many antivirus and antimalware products, the technology giant this year has rolled out two new offerings -- Dell Data Protection | Endpoint Security Suite Enterprise and Dell Data Protection | Threat Defense for small businesses -- that incorporate machine learning and artificial intelligence technology from advanced threat protection startup Cylance. With its renewed focus on endpoint security, Dell seeks to leave behind the signature-based antivirus/antimalware model of old and embrace machine learning and artificial intelligence.

Brett Hansen, executive director of data security solutions at Dell, spoke with SearchSecurity about the Cylance partnership and the potential of machine learning security technologies. He also discussed the shortcomings of signature-based detection and how the proliferation of endpoint agents is causing headaches for enterprises. Here are excerpts of the conversation with Hansen:

Dell seems to be taking a new approach to endpoint security. How did this come about?

Brett Hansen: We entered into a relationship with Cylance last year. They've developed an advanced threat protection solution using machine learning and artificial intelligence. Basically, the difference between what Cylance does and what signature-based detection does is that they take a snapshot [of a threat] and try to match that snapshot exactly with the next signature. Cylance looks at the underlying code -- the DNA, if you will -- and based upon up to 2.5 million different factors, it can then diagnose if it's a known good or a known bad in a matter of a few milliseconds. So we've increased efficacy of endpoint security dramatically. In February of this year, we launched an endpoint security suite with Cylance; the decision for us to launch a suite was based upon feedback from our customers and from many, many research studies that tell us that the majority of customers, especially those in the midmarket, prefer to purchase a suite of offerings versus standalone offerings.

Why is that?

Hansen: It's simpler to administer. You have one point of contact. If you're loading multiple security agents on endpoints, it's not uncommon that those endpoint agents will try to secure one another, resulting in all kinds of challenges. I can tell you a week does not go by when I don't see some sort of flash around multiple endpoint agents on a Dell device, and everyone's pointing fingers at everyone else, including Dell. And we say, 'Wait a second, you've got McAfee here, you've got Trend Micro there, that's what is causing the problem, not us.' And I mentioned the midmarket, but I think even larger enterprises are starting to become encumbered by how many endpoint agents they have. I was with a Fortune 25 company recently, one of the largest companies in the world, and their CSO's opening concern was not stopping the latest threats or protecting data. He said 'I've got 10 or 12 endpoint agents per device.' He was a recent hire as CSO, and the organization had previously been very decentralized, and each department in his purview was grabbing what they could and loading it on their devices. So he had a proliferation of agents. And larger companies are saying they don't want a dozen agents -- they want three or four, and if at all possible, just one.


How does Cylance combine with Dell's own security offerings?

Hansen: It's a combination of Cylance's advanced threat protection and our data-centric encryption solution and our homegrown authentication technology. The authentication is a local device authentication that can tie back into broader IAM strategy, but it's focused on authenticating that particular device and not applications. Since the launch, we've seen really excellent traction. I'm tracking about 25% of my revenue from that new suite, and that's being driven by both traditional volume sales as well as our 'on the box' sales motion where we're selling our software as part of a client solution package. And that continues to play well with customers who are looking to simplify their lives by buying the endpoint and the endpoint security all together from one company.

How does this tie into Dell's other suites like the enterprise mobile management suite?

Hansen: Great question. Today it does not tie into the EMM suite. However, I am actively working on expanding the assets that the endpoint security suite can manage. Our intention will continue to be to have a core set of offerings, which will be encryption, authentication and advanced threat protection, but then also offer customers additional capabilities that they can purchase a la carte. If you make those purchases a la carte, then we are going to maintain those as a single console, a single workflow and a single agent. We don't want to have what people call suites and basically have them be a marketing bundle. We're going to hold true to this. If we're going to call it part of our suite, then it's going to be a single console, single agent and a single workflow. And we'll be expanding with capabilities starting in the 2017 calendar year. We have a high degree of confidence that in early 2017 we'll have the first new assets for the suite, and we'll expand those out further going forward. At Dell World [in October] we'll probably have a lot more information.

Endpoint security seems to have come back into focus these days. A few years ago we didn't have any endpoint agents, and now we have too many. Why do you think endpoint security has become a priority again?

Hansen: That's where all the threats are coming from -- 95% of all data breaches originate at the endpoint now. If you think about security, the weakest link in your chain is people. And it's difficult to protect employees because they are often their own worst enemies. It's based off of a few thousand years of wanting to collaborate, being curious and wanting to explore. The assailants have devised strategies exploiting those weaknesses. And even a well-trained individual will likely succumb to a well-engineered attack. For me or you to actually differentiate between a legitimate email and a well-organized social engineering attack is pretty unlikely. The good news is that's a minority of the attacks we see today. But what CISOs are seeing today is the sheer volume of attacks growing. So getting back to your question about why the pendulum has swung back to endpoint security, for years I was relying on my signature-based AV/AM [antivirus/antimalware]. And it was doing a comparable job. And in the last few years, we're finding that it is now failing consistently. The sheer proliferation of malware variants -- and how easy it is to manipulate an existing piece of code to create a new signature -- makes signature-based detection not completely worthless, but pretty close to it.

We would contend that there's still a need for defense in depth -- no one is arguing against that. But we need to do a better job of stopping the attacks at the endpoint prior to the execution. And that's what makes this Endpoint Security Suite so strong; because I'm looking at an executable and I am able, in real time, to make a differentiation between good and bad, I can stop a compromise before it happens. And we've seen that this is well over 99% efficacy with both your known malware and your zero-day threats. And I always stress this to customers. It's 99% efficacy. There are absolutely zero offerings in the world that are 100% foolproof. But what you are able to do is dramatically reduce your risk profile because you're now able to stop far more attacks at the endpoint.

Besides failing to detect new malware variants that have no known signatures, are there other drawbacks that signature-based detection causes?

Hansen: A number of customers have told me recently the biggest challenge they have is because of the growth of malware -- which is really not that sophisticated -- and because there are so many new pieces out there and it's become so prolific, they're spending more and more of their time remediating malware attacks. And that is expensive, but it also takes their eye off the ball of the next social engineering attack, which is what they need to be focusing on. Instead of looking for what could be a highly sophisticated attack to steal IP from my organization, I'm spending all my time remediating malware attacks because the AV/AM solution is ineffective against these new malware variations.

What we can offer in an artificial intelligence, machine learning approach is a higher degree of efficacy, a reduced overhead from having to maintain signature-based AV/AM with all the frequent updates it requires, and most importantly, we can start to dramatically reduce the number of compromises at the endpoint and take a posture of prevention versus detection and response, which is a far more cost-efficient approach.

Stay tuned for part 2 of this interview with Dell's Brett Hansen.
