Episode Summary: The upsurge of malware and sophisticated attacks continue to keep cybersecurity in the spotlight, but new developments in AI and deep learning offer more advanced solutions to combat security threats. This week, we catch up with Eli David, CTO of Deep Instinct—a company founded in Israel with US headquarters in San Francisco—that applies deep learning in malware defense and information security. David spoke with us about why and how the deep-learning approach to AI is relevant to the future of cybersecurity.
Companies that are actively building their own security infrastructure, or are in growth mode and know they will eventually need to, should find this interview particularly relevant. David shares his perspective on how and where potential cyberthreats focus their attacks and the resulting ramifications for industries as they look for best ways to respond to and prevent attacks.
Expertise: Deep learning and cybersecurity
Brief Recognition: Eli David has researched and delved deeply into neural networks, genetic algorithms, and security. As CTO and co-founder of Deep Instinct, his team includes former members of the Israeli Defense Force’s special cyber units. He holds a doctorate, an MS, and a BS in Computer Science from Bar-Ilan University. He also developed a grandmaster-level chess playing program called Falcon, which learns by processing datasets of chess games.
Current Affiliations: Chief Technology Officer at Deep Instinct
1 – Companies Require Advanced Threat Protection (APT) to Prevent Sophisticated Attacks
Focused, sophisticated attacks on major companies are on the rise, and oftentimes the intrusions successfully extract data. It is all too common to see headlines about records at large enterprises being compromised, and even more of these attacks go unreported to the public. Traditional security measures (for example, signature-based protections) are no longer sufficient defenses against malware attacks. Ransomware, for instance, is a more recent example of a threat that historically targeted homes but that in the past few months has expanded to large companies. These threats, usually a combination of malware, often target company backups as well, to make it more difficult to defend or close the loop. David sees this as a trend that will become worse in the next few years.
Turning Insight Into Action:
While most attackers are targeting big companies to reap potentially bigger rewards, medium and even smaller companies may be at risk, simply because they often have fewer resources to invest in security defense. Regardless of size, David suggests a two-step process for implementing APT solutions:
- Understanding the paradigm shift in cybersecurity is an essential first step. Companies that want maximum security can no longer depend on antivirus software, which only provides protection against currently existing malware; they need different, more advanced solutions that detect new and unknown malware threats.
- Companies should do their research on the most recent advanced APT solutions. If resources are available, David suggests designing proprietary programmable logic controllers (PLC), testing different APT solutions for detection rates, and reaching an educated decision as to which solution best suits their needs.
The following is a condensed version of the full audio interview, which is available in the above links on Emerj’s SoundCloud and iTunes stations.
(3:42) Why does deep learning work in the security space? How can we get folks to understand why multiple layers of neural networks are necessary?
Eli David: Let’s look at this problem that we’re trying to solve and deal with in cybersecurity. There are huge amounts of new malwares created every single day; actually the conservative estimate is about one million new malwares every single day and it is probably much more than that, but when we look at these new malwares we see the vast majority of them are simple and small mutations over previously existing malware and that then those brand families, nation state APT, are far from being brand new. On average, a so-called completely brand new family of malware is between 10, 20, at most 30 percent different from previously existing code and malicious content.
(4:47) Nation states, just to clarify the terms, what do we mean by that? Do we mean malware created by government agencies to tap information? Is this what nation state implies?
ED: That’s the correct definition. During the past few years, several extremely sophisticated malware satellites have been uncovered. They have been attributed to various nation states, but these are considered again by attribution, some of the most sophisticated malware families. But after they are detected, usually stumbled upon, and they’re manually analyzed, we do see that they are far from being brand new—10 percent different, 20 percent different. So everything is a mutation of one another. And if you look at this whole cybersecurity world, we see a gradual evolution. There are no jumps, no revolutions, just a gradual evolution…it should sound like detection should be easy, they’re all mutations. However, even the simplest mutations, most of them go undetected by currently existing detection methods…
(11:40) Do you think that in the future—let’s say two, three, five years—do you think that more wholehearted overhauls of malware, real innovation from the ground up in malware, will be required to get past systems that are leveraging deep learning?
ED: What we see in the world of malware creation and new malwares, again, is a gradual evolution. It’s a gradual evolution when you look at the day-to-day or week-to-week progress, but if you look at it from the point of view of what happens several years from now, or what has changed now from several years ago, you do see a big leap. Even though it’s evolution, it’s quite a measurable magnitude. We’ve already seen that the attacks will be more sophisticated, not in the sense that there are more new vectors of attack or new components, but we already have millions of different vulnerabilities and exploits and ways to use them. We see that the more advanced malware, they combine them together; they take one building block from here, and another building block from there, and they create more sophisticated malware that is much more difficult to detect.
(15:23) What do you see as trends in the next half decade on the threat side…that you consider to be the most serious for businesses that take their security seriously, in the coming five years?
ED: We see a good comparison by the way of comparing North America to Europe—Europe being more conservative, more slow to change. We do see that, just now, they are changing and understanding that made for more fast APT protection solutions. Until a few years ago, most of them did not understand the need for much more advanced protection. In North America, we see that the trend started much earlier. All of the western world needs to quickly move to more and more advanced protection solutions, and we see that at different paces in different areas.
Regarding the kind of threats that emerge, we see many more focused attacks on large companies. We see very focused, sophisticated attacks on Fortune 500 companies. Some kinds of attacks that we were used to seeing were just attacking many companies and hoping that they could get what they wanted from one or two of them. If you attack too many people then you exponentially increase the risk of your malicious component being detected. What we see nowadays is completely targeted attacks, they’re tailor-made for a certain victim and most of the time they do manage to get inside.
(20:11) It sounds like, for the most part, the people who need to be concerned about dealing with new targeted mutations here, variations, would likely be companies of a substantial enough size or monetary value.
ED: You’re correct. It’s a function of the incentive of the attack. Of course the trophy is bigger in bigger companies, that’s why they are the targets of more sophisticated attacks. But we do see, also, attacks against medium-size companies because usually they are much less protected. So many times the attackers decide, “Well, I don’t want to attack this company which has 100,000 endpoints because they probably have many more layers of defense, so instead I’ll attack this other company with just 2,000 endpoints because they probably just have antivirus and a firewall, and in a matter of a day I will be inside and do whatever I want to do,” so they are easy prey.