TIBURON, Calif.—It’s not very often that you see something new in security. Most of the new products that show up in my press release stack are variations of things that have come before. Sometimes there are important enhancements, sometimes there are cool new names, but a lot of it involves incremental change and little else.
That’s why I was pretty skeptical when I watched the CTO of a company called Cylance being grilled by the press in the main session of the Global Cloud Innovation Summit, being held in the tony surroundings of the Corinthian Yacht Club here on April 23. There, Glenn Chisholm was explaining the need for real endpoint security in a cloud environment. Hackers, he explained, can only get to a company’s cloud service through the company’s endpoints—in other words, its computers. Thus, he said, the need to protect the endpoints.
The need for endpoint protection is really nothing new, although most organizations don’t spend a lot of time thinking about it. But perhaps they should.
Still, what makes Cylance’s security product, called Protect, different isn’t that it provides endpoint security, but how it does it. According to Chisholm, what the company does is build a mathematical model of how software should work and then prevents anything else from running. The result is an antivirus/anti-malware program that requires only about 30 megabytes of space and doesn’t need frequent updates. There’s no huge database of virus signatures to check, and nothing to go out of date.
“We provide the ability to decide what the endpoint executes and when it does it,” Chisholm said in a subsequent conversation. “The software makes the decision, and if it isn’t good it doesn’t let it run.”
So how does the Cylance Protect software make such decisions? Partly it’s derived from the mathematical model, and partly it’s because the software uses machine learning to figure out what’s appropriate to run and what’s not. Chisholm said that Cylance does issue updates, but those are when the model is improved to perform better.
Performance, it seems, is a big deal to the Cylance engineers. Instead of situations (we’ve all seen them) in which the antivirus (AV) software soaks up a significant portion of the CPU cycles on a computer, the software from Cylance is designed not to impact the performance of the endpoint. Updates are mostly to make the software work even better than it already does.
At this point, I should add that the Cylance view of an endpoint isn’t exactly the same as it is elsewhere. To Cylance, an endpoint is pretty much any computer on the network including workstations and servers.
The software works by examining anything that tries to run on the computer, whether it is launched directly or loaded from the Web. It analyzes the file's internal structure and checks whether that structure matches what the file presents itself as. This means, according to CMO Greg Fitzgerald, that a Word document shouldn’t contain executable code, code that’s presenting itself as an application should have a user interface, and drivers shouldn’t be executables. “If it has an icon saying it’s a Word file, it should be a Word file,” he said.
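To make that kind of consistency check concrete, here is an added Python example of my own; it is an illustration of the idea, not Cylance’s code and not a description of how Protect is implemented. It compares a file’s declared type (its extension) with the container format identified from well-known magic bytes, and for OOXML Word documents it also looks for an embedded VBA project, which is how Office stores macro code. The file names and byte samples are constructed for the demonstration.

```python
"""Declared-type vs. actual-content check (added illustration, not Cylance's code)."""
import io
import zipfile
from dataclasses import dataclass
from pathlib import PurePath

# Public file-format signatures ("magic bytes") and the container kind they identify.
SIGNATURES = (
    (b"MZ", "pe"),                                   # Windows PE executable / DLL / driver
    (b"\x7fELF", "elf"),                             # Linux ELF binary
    (b"%PDF-", "pdf"),                               # PDF document
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),    # legacy Office (.doc/.xls) container
    (b"PK\x03\x04", "zip"),                          # OOXML (.docx/.docm/.xlsx) and plain zip
)

# Which container a file with this extension is expected to use.
EXPECTED_BY_EXTENSION = {
    ".doc": {"ole"}, ".docx": {"zip"}, ".docm": {"zip"},
    ".xls": {"ole"}, ".xlsx": {"zip"},
    ".pdf": {"pdf"}, ".exe": {"pe"}, ".dll": {"pe"},
}


def sniff_type(data: bytes) -> str:
    """Identify the actual container format from the leading bytes."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def has_macro_project(data: bytes) -> bool:
    """For zip-based Office files, report whether a VBA project is embedded.
    Office keeps macros in word/vbaProject.bin (or xl/vbaProject.bin)."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except (zipfile.BadZipFile, OSError, ValueError):
        return False  # not a readable archive, so no macro project can be found


@dataclass
class Verdict:
    filename: str
    claimed_ext: str
    actual: str
    type_mismatch: bool   # extension says one container, bytes say another
    embedded_code: bool   # a document carrying executable (macro) content

    @property
    def block(self) -> bool:
        return self.type_mismatch or self.embedded_code


def assess(filename: str, data: bytes) -> Verdict:
    ext = PurePath(filename).suffix.lower()
    actual = sniff_type(data)
    expected = EXPECTED_BY_EXTENSION.get(ext)
    mismatch = expected is not None and actual not in expected
    return Verdict(filename, ext, actual, mismatch, has_macro_project(data))


# --- constructed samples for the demonstration (no real malware involved) ---
def _make_zip(names):
    """Build a minimal in-memory zip with the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"placeholder")
    return buf.getvalue()


SAMPLES = {
    "invoice.docx": b"MZ" + b"\x90" * 62 + b"PE\x00\x00",       # PE header wearing a Word name
    "report.docx": _make_zip(["[Content_Types].xml", "word/document.xml"]),
    "macro.docm": _make_zip(["[Content_Types].xml", "word/document.xml", "word/vbaProject.bin"]),
    "manual.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
}


def run_samples() -> dict:
    """Assess every constructed sample; returns a name -> Verdict mapping."""
    return {name: assess(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, v in run_samples().items():
        action = "BLOCK" if v.block else "allow"
        print(f"{name:14} claimed={v.claimed_ext:6} actual={v.actual:8} "
              f"mismatch={v.type_mismatch} macros={v.embedded_code} -> {action}")
```

The point of the exercise is that the verdict rests on what the bytes are and contain, not on a signature database: a PE file renamed to .docx is flagged because its header contradicts its name, and a Word file is flagged because it carries macro code, regardless of whether either has ever been seen before.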
Cylance Delivers the Anti-malware Product of the Future
Fitzgerald also noted that Cylance’s Protect software is fully capable of coexisting with other AV and anti-malware products. In many cases, the other software is required by organizational policy or it’s there under a contract, so removal isn’t an option, even though it’s no longer necessary, according to Fitzgerald. Once Protect is in place, support calls for AV-related problems generally drop to nearly nothing, he added.
Unfortunately, there are problems in this otherwise happy situation. The biggest is that not everyone can buy Cylance Protect. Fitzgerald said in an email that currently only large enterprises can buy the software directly from Cylance, while SMBs can buy it through resellers. It’s currently not being sold to individuals.
The company is in the process of expanding its coverage and the types of hardware it runs on, Fitzgerald said. That hardware presently includes Windows computers and some security appliances, but it will be coming soon to Apple OS X computers and Linux. Support for Android and Windows mobile devices is also planned, he said, but currently there are no plans for an iOS version of the product.
The good news is that for organizations that buy it, implementation is said to be fast and easy. Fitzgerald said that no IT skills are required to install or manage the software. He noted that Protect will prevent execution of the malware that accompanies phishing attacks, and that the software can recognize things like the CryptoLocker malware and prevent execution.
Some of the aspects of Cylance Protect seem similar to those of other anti-malware software such as Malwarebytes, but there are significant differences, notably that Protect does not require updates to its database because it doesn’t use one. This makes it ideal for computers that can’t or don’t receive frequent updates, which includes many machines that contain sensitive information where the risk of loss through an Internet connection is too great.
But is it really the future of endpoint security? That remains to be seen, and I’ve requested a copy of the software so that I can find out. But in the meantime, Cylance has been conducting a series of demos in which engineers intentionally download malware to see if Protect can detect it. So far, it has.