It really comes down to beer (endpoint security redux)

Update: SentinelOne responds in the comments. Additionally, they claim (and I have no reason to doubt this claim) that the report I referenced was an older version that had incorrect information on the part of Tevanos.

As a follow-on to my recent post about endpoint security (see “A bomb just dropped in endpoint security…“), I thought I’d share some additional thoughts, conclusions and opinions.

It really comes down to beer. But more on that later.

First off, Joe Menn at Reuters wrote a story this morning. It’s a good story, fair and balanced. Worth reading. There will likely be more stories as well.

Beating up vendors isn’t really my thing
In the recent blog post, there were a lot of slings and arrows thrown at a few endpoint security players. My blog got trolled quite a bit. I cleaned it up.

Cylance certainly came under heavy attack by some commenters, and I removed those comments.

I’m not interested in beating the crap out of some company; I’m really just interested in writing about stuff that I find is interesting.

On Cylance
There was a possible confusion that got propagated that Cylance was using VirusTotal directly in their product. I now have information that this may be incorrect.

Cylance was using VirusTotal, as they said in the Reuters article. It’s possible they were using the service to download samples to train their engine, not directly from inside their product. It’s also possible that they used VirusTotal to help detect malware.

I don’t know for sure, and that’s why I expect to be talking to them in the next several days.

Note that Cylance is not a bad group of people. There are many very good people working there, and they run a good business. I’ve challenged them to get more public tests, and I hope they do so. So far, there have been two tests that I know of — a condoned test by Av Test, and another test, where AV Comparatives/Effitas had to basically break the rules to try and get a copy of Cylance (one can’t just download Cylance and test it, as Cylance keeps its trials very closely monitored).

So testing more, and being more public, would be a good thing.

At any rate, peace, people.

Other endpoint players
I don’t know about other endpoint players. I know SentinelOne, for example, has been open about using VirusTotal.

Specifically, this report (PDF) on SentinelOne’s capabilities in healthcare highlights this point:

SentinelOne ensures that it is always up to date, checking file hashes against reputable sources such as Virus Total. Using this method, SentinelOne’s platform does not suffer the traditional time lapse in needing to push out new definitions…

[Edit – As mentioned earlier in this blog, SentinelOne tells me this quote is from a PDF of an older document that incorrectly noted VirusTotal as a source and has since been corrected.]

Regarding Palo Alto Networks and CrowdStrike, I really don’t know the involvement of these players. But as the Reuters article mentions, they have been users of VirusTotal (and have not been participating with the community). That’s not to say they’re bad people or have bad products (CrowdStrike and Palo Alto both make excellent products). It’s just something that has been addressed.

Endpoint security
My knowledge of the endpoint security market comes from the fact that I’ve been there in the trenches.

I’ve presented at conferences like VirusBulletin and submitted papers, etc., but that’s the fun stuff. Actually being in the day-to-day sweating bullets to try to keep your customers protected is a very difficult task.

You see, we created a full-stack antivirus product at my last company (Sunbelt Software’s VIPRE) and I personally ran the antivirus lab for some time.

When we released the product, it was probably mediocre, and we avoided tests. It got better when we started opening up to tests, and in fact, it got quite good (and then I sold the company and, well, I don’t recommend the product anymore).

We were on VirusTotal, and it was painful to see us miss detections. But at least we saw ourselves for what we were, and made our product better as a result.

Is there a “next-generation?”
The truth is there are only so many ways to skin a cat. The former Eastern Bloc countries were famous for producing some of the world’s most brilliant mathematicians and now we have companies like Kaspersky and BitDefender with just those same type of people. Yet even they have a tough time of it (no matter what they say publicly). It’s not an easy business, trust me.

I don’t entirely buy a lot of the “next-gen” security arguments. I think that there is room for innovation, but I’ve seen companies like Malwarebytes (of which I’m a board member and incredibly biased toward) and (recently) Symantec do some very impressive work in detections, without resorting to anything of the next-generation type. It really comes down to a lot of hard work, block-and-tackling type of stuff.

So, it’s no surprise that people do whatever it takes to get the best result possible. If this means using VirusTotal to do a hash lookup (which IMHO is fairly silly, since polymorphism makes hash lookups far less useful than people might think), or good old fashioned PR to paint lipstick on a pig, well, so be it.
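To make the polymorphism point concrete, here is an added, constructed illustration (not code from the post or from any vendor named in it): a family of samples that share one invariant code section but get fresh junk bytes on every build, checked first against an exact-hash reputation feed that has only ever seen the first build, then against a hash of the invariant section alone. The sample layout, the seed-derived junk and the feed contents are all assumptions made up for the demo.

```python
import hashlib

# Invariant part of the constructed sample (stand-in bytes, not real malware).
CODE_SECTION = b"\x55\x48\x89\xe5" + b"drop-and-run"
JUNK_LEN = 32  # bytes a polymorphic packer would re-randomize per build


def build_variant(seed: int) -> bytes:
    """Emulate polymorphism: same code section, junk bytes derived from the build seed."""
    junk = hashlib.sha256(seed.to_bytes(4, "big")).digest()[:JUNK_LEN]
    return b"MZ" + junk + CODE_SECTION


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def section_hash(data: bytes) -> str:
    """Hash only the invariant section, skipping the 2-byte header and the junk region."""
    return sha256(data[2 + JUNK_LEN:])


def coverage(known: set, samples: list, digest) -> float:
    """Fraction of samples flagged when `digest(sample)` appears in the reputation set."""
    hits = sum(1 for s in samples if digest(s) in known)
    return hits / len(samples)


def demo(wave_size: int = 100) -> tuple:
    """Return (exact-hash coverage, section-hash coverage) over a wave of fresh builds."""
    first_seen = build_variant(0)          # the one build that was ever submitted
    feed_exact = {sha256(first_seen)}       # constructed VirusTotal-style hash feed
    feed_section = {section_hash(first_seen)}
    wave = [build_variant(i) for i in range(wave_size)]
    return coverage(feed_exact, wave, sha256), coverage(feed_section, wave, section_hash)


if __name__ == "__main__":
    exact, section = demo()
    print(f"exact-hash lookup catches {exact:.0%} of the wave")
    print(f"invariant-section hash catches {section:.0%} of the wave")
```

The section hash is a deliberate simplification; real polymorphic and metamorphic engines also rewrite the code itself, which is the gap behavior-based detection is meant to close.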

The key is openness. If you have something special, open it up to the world for them to look at, to test, to validate. Be a part of the community and give back to it. It will make your product much better.

Which comes to the beer
Information sharing in security happens around conferences and beer. (When I brought in a new lab manager for my research team years ago, I urged him to spend as much time as possible going to conferences and drinking beer with other experts. He didn’t object).

Perhaps that is a bit tongue-in-cheek, and it’s not that we’re a bunch of alcoholics (well, mostly not), it’s simply that a lot of information sharing happens at conferences, when experts talk to each other freely. The swords of competition are put down briefly, people open up, and you hear a lot of interesting things.

And what I hear around the tables is what is reflected in some of my blog posts. There is good data, but it can’t be substantiated and it won’t ever be confirmed. So, I’m sorry I can’t be specific, despite many of you emailing me for much more detail than I am prepared to give. Trust is everything in security.

But beer? Yes, we can all share that freely. So, here’s to beer (in my case, the ever excellent Buckler Non-Alcoholic).

You can see who VirusTotal credits here. 

4 replies on “It really comes down to beer (endpoint security redux)”

Hi Mr. Eckelberry,

I thought it might be worthwhile to quickly write up what SentinelOne is doing, how it works and how it takes advantage of VirusTotal.

SentinelOne uses Dynamic Behavioral Tracking, which runs in real time on the endpoint and utilizes advanced machine learning to detect behavioral patterns as applications and code are executing on the device. We do this across Windows, Mac and Linux with our own proprietary, patent-pending technology. This is our core detection engine. It works on the device – even completely OFFLINE – and is an autonomous module that can detect, mitigate and remediate threats in real time. No connection to the cloud needed, no hashes, no signatures.

We also have something we call “Cloud Intelligence”, which is in essence our way of crowdsourcing information between all of the intelligence we gather, either from our client base (if they opt-in), and/or from third party reputation feeds, VT included. It is NOT part of our detection engine, and its entire purpose is to validate hashes, out of band, regardless of our Dynamic Behavioral Tracking engine.

VirusTotal approached us a few weeks ago to let us know of the policy change coming, and at first we didn’t even think it was applicable to us since it stated “scan engines”. SentinelOne is NOT a scan engine. We don’t scan files or check for signatures. We monitor code execution on a live system – VERY different from a scan engine, and obviously not something VirusTotal can integrate right now – as it is equipped to deal with command-line scan engines and static signatures.

We are all for better security and improving the overall state of security in the world. We were willing to work with VT to integrate our engine into their engine list, but it seems like someone was really hot to “drop bombs” rather than to actually work with the vendors so everyone could enjoy better detection. We have stopped usage of all VirusTotal intelligence (which was 1 out of 7 different services we were using), until we figure out whether there’s a true intent on VirusTotal’s part to include next-generation technologies (aka – not “scan” engines).

As an AV consumer I found the whole Virus Total issue irrelevant because the two products that we have focused on are SentinelOne and Cylance. Both products use a similar approach to malware detection and have similar levels of success. I like them both, especially after suffering for years with old school, signature based, solutions. As a CISO I’m looking for a product that’s effective against all attacks, especially zero-day attacks, regardless.

After our bake-off we ended up going with Cylance. I preferred SentinelOne for their built-in, one-button or automatic, isolation and remediation along with their visual kill chain capability. But they got outmaneuvered by Cylance, who worked out a deal with Dell to get their product integrated with the Dell Data Protect platform which we had already deployed. So the operations support issue ended up carrying the day, as it does in so many cases.

I would recommend either product to those interested in implementing an effective solution that does not have AV signatures as their core component and which will work in a disconnected mode. What do signatures get you in the long run anyway? I don’t want to just rely on someone else’s infection report to have protection against zero day attacks. I could very well be that business who has to suck up that 1st hit. I want something that works right away, all the time.

That is why the NextGen crowd is doing so well.

They're already begging Christie to run for president. If he can manage to be a little more overbearing and freewheeling with ridiculously false statements, he could be a contender. Next to Romney and Pawlenty, he's Mr. Excitement.
