Cylance Delivers the Anti-malware Product of the Future

NEWS ANALYSIS: With its Protect software, the security company shows at the Global Cloud Innovation Summit that not everything needs to be in the cloud, and some things are better if they're not.

TIBURON, Calif.—It's not very often that you see something new in security. Most of the new products that show up in my press release stack are variations of things that have come before. Sometimes there are important enhancements, sometimes there are cool new names, but a lot of it involves incremental change and little else.

That's why I was pretty skeptical when I watched the CTO of a company called Cylance being grilled by the press in the main session of the Global Cloud Innovation Summit, being held in the tony surroundings of the Corinthian Yacht Club here on April 23. There, Glenn Chisholm was explaining the need for real endpoint security in a cloud environment. Hackers, he explained, can only get to a company's cloud service through the company's endpoints—in other words, its computers. Thus, he said, the need to protect the endpoints.

The need for endpoint protection is really nothing new, although most organizations don't spend a lot of time thinking about it. But perhaps they should.

Still, what makes Cylance's security product, called Protect, different isn't that it provides endpoint security, but how it does it. According to Chisholm, what the company does is build a mathematical model of how software should work and then prevents anything else from running. The result is an antivirus/anti-malware program that requires only about 30 megabytes of space and doesn't need frequent updates. There's no huge database of virus signatures to check, and nothing to go out of date.

"We provide the ability to decide what the endpoint executes and when it does it," Chisholm said in a subsequent conversation. "The software makes the decision, and if it isn't good it doesn't let it run."

So how does the Cylance Protect software make such decisions? Partly it's derived from the mathematical model, and partly it's because the software uses machine learning to figure out what's appropriate to run and what's not. Chisholm said that Cylance does issue updates, but those are when the model is improved to perform better.

Performance, it seems, is a big deal to the Cylance engineers. Instead of situations (we've all seen them) in which the antivirus (AV) software soaks up a significant portion of the CPU cycles on a computer, the software from Cylance is designed not to impact the performance of the endpoint. Updates are mostly to make the software work even better than it already does.

At this point, I should add that the Cylance view of an endpoint isn't exactly the same as it is elsewhere. To Cylance, an endpoint is pretty much any computer on the network including workstations and servers.

The software works by examining anything that tries to run on the computer, regardless of whether it's running directly or being loaded from the Web. The software analyzes the internal workings and checks to see what it's presenting itself as. This means, according to CMO Greg Fitzgerald, that a Word document shouldn't contain executable code, code that's presenting itself as an application should have a user interface, and drivers shouldn't be executables. "If it has an icon saying it's a Word file, it should be a Word file," he said.