How deep learning is crafting the next generation of security software

For consumer and enterprise users, viruses and malware are a never-ending cause of trouble. However, in the enterprise market there are bigger things at stake – businesses hold far more sensitive data and run services that can’t afford to be compromised in any way.

Year on year, attacks on enterprise networks have steadily grown, and recently a surge of intelligent malware and ransomware has been crippling networks and systems around the globe. Enterprises do have measures in place to prevent these attacks, but those measures often come from different vendors or don’t provide adequate protection on every front.

“On the operational side of things a lot of customers have different solutions that work well, but there are just too many different consoles and portals to log into when managing them all,” comments John Shier, Senior Security Advisor, Sophos, at GITEX Technology Week earlier this year. “It just creates a lot of confusion and frustration. Customers just want a central solution for their security needs, and that’s where we step in to help out. We help businesses to bring all these different components together in a simple way, so that security isn’t the thing that’s holding a business back, but driving your business forward. Each component should talk to each other so that the security overhead is kept to a minimum – everything is just in one easy to use space.”

“On the threats side we’re still seeing a lot of ransomware and phishing that’s leading to compromise of credentials, and we’re able to help our customers in a couple of different ways. We have anti-exploit and anti-ransomware technologies in place in conjunction with traditional AV mechanics. We’re laying things on top of traditional security protocols to ensure that customers are protected at all costs.”

Malware and ransomware have seen accelerated growth in the past few years, simply because a growing number of affected organizations are willing to pay in order to quickly restore their files and get their systems back online. “Malware and phishing is an ongoing problem in more developed countries, simply because companies in these regions can afford to pay the $400-500 that’s required as ransom for the data,” commented Shier.

When asked if there were any particular trends or system attacks that were unique to the region, Shier said that what the Middle East is experiencing is no different from any other region. “For companies in the Middle East they’re not being exclusively targeted – they’re under attacks as normal as any other company around the world would face. Ransomware was something that a couple of companies here did have problems with specifically, and that’s something we addressed quickly so that future attacks could be stopped.”

Even with security protocols in place, organizations often suffer because there’s some loophole within the system, or some way to circumvent the measures in place. Shier advises that companies instead look at security technologies as layers, which gives the business a broader protection plan.

“The advantage of layering different technologies is that the weaknesses of one technology are covered by the strengths of another,” explains Shier. “In the example of malware, we’re able to cut off its access to the Internet, so effectively it’s unable to connect to a foreign server and begin the encryption process, thus rendering it harmless for easy removal. We look for common exploit patterns and techniques all the time, so we’re able to intercept or flag up certain processes that we think are newer variants of previously detected threats.”

“Even if malware is able to get through and begin encrypting files, we have a component in place that specifically looks for that kind of behavior. If it comes across a process that is encrypting files at a rate that is not normal behavior, then it will convict the process and back up the encrypted files to a secure location before replacing them with decrypted ones. So there’s a complete chain of control in place that protects users, just thanks to the way that everything is layered.”
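The behavioral layer Shier describes can be illustrated with a small rate-based detector. This is an added example, not Sophos code: it scores each file write by byte entropy (encrypted output looks random), keeps a sliding window of high-entropy writes per process, and convicts a process that exceeds a threshold inside that window while retaining the pre-write content it would need to roll back. The window, thresholds and the event sample are assumptions constructed for the demonstration.

```python
import math
from collections import defaultdict, deque


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 for ciphertext, well below that for text."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


class EncryptionRateDetector:
    """Convicts a pid that writes too many high-entropy files in a short window.
    Thresholds are assumptions for this example, not a vendor's tuning."""

    def __init__(self, window_s=10.0, max_writes=5, entropy_threshold=7.0):
        self.window_s, self.max_writes = window_s, max_writes
        self.entropy_threshold = entropy_threshold
        self.recent = defaultdict(deque)   # pid -> timestamps of suspicious writes
        self.backups = defaultdict(dict)   # pid -> {path: content before the write}
        self.convicted = set()

    def observe(self, ts, pid, path, old_content, new_content):
        if shannon_entropy(new_content) < self.entropy_threshold:
            return False                    # ordinary write, nothing to track
        self.backups[pid].setdefault(path, old_content)  # keep original for rollback
        q = self.recent[pid]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()                     # drop writes outside the window
        if len(q) >= self.max_writes:
            self.convicted.add(pid)
            return True
        return False


def run_constructed_sample():
    """Constructed events: pid 4242 bulk-encrypts, 1001 edits text, 2002 writes two archives slowly."""
    cipher, text = bytes(range(256)) * 4, b"quarterly report draft\n" * 40
    events = [(t, 4242, f"/docs/f{t}.docx", text, cipher) for t in range(6)]
    events += [(t, 1001, f"/docs/n{t}.txt", text, text) for t in range(6)]
    events += [(0, 2002, "/bak/a.zip", b"", cipher), (30, 2002, "/bak/b.zip", b"", cipher)]
    det = EncryptionRateDetector()
    for ev in sorted(events):
        det.observe(*ev)
    return det.convicted, len(det.backups[4242])
```

`run_constructed_sample()` convicts only pid 4242 and has retained the six pre-encryption copies needed to restore its files.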

What’s interesting to learn is that Sophos is already looking at more intelligent ways to anticipate malware attacks and to have preventative measures in place before attacks can spread. As with any security provider, Sophos spends a considerable amount of time and effort analyzing incoming email samples and new threats – time that could otherwise be spent on other projects. So the company is adding machine learning to its software, in an ambitious attempt to greatly improve the automatic classification of malware and similar attacks.

“Intercept X that’s coming out shortly is going to introduce machine learning – not only do we want to automatically detect and deal with threats in a system, but we also want to do it as efficiently as possible,” Shier adds. “We see on average over 400,000 new email samples a day, and other security labs will see the same kind of volume as well. Machines are very capable, but they can only deal with threats to a certain limit – there are some attacks that are more complex, and may very well fool machines. So that requires a human analyst to intervene and see what’s going on. What deep learning does is it helps us accelerate the amount of automatic detection that we can do on that vast amount of samples coming in. The analysts are then required less and less for those fringe cases, which accelerates the detection process and frees up our analysts to work on new innovations rather than working on malware.”

“We’re going to continue to take that machine learning to different product lines the more we work on it, so that it can ultimately communicate with our different products and help us better identify unknown threats. So if a malware email comes in and we block it if it’s opened accidentally, we can then ask the system to look at where else that email exists where it hasn’t been opened yet, and deal with it straight away. We want to provide the best threat intelligence that we can, and there’s a lot out there in the market that isn’t doing what it should. We want to make sure that what we offer is relevant to a business, and gives you the best protection from across as many platforms as possible.”
