A Star Wars Analogy to Defend Against Non-Malware Attacks and the Dark Side

March 12, 2018 / Richard Li

I like watching movies because I can relate almost anything in my real life to the movies I watched.

Last week, I did a presentation at “Security Days Tokyo 2018,” and I used Star Wars to describe the targeted attacks, non-malware attacks, AI-based, NGAV, etc. The Star Wars analogies were well received.

Nowadays, attackers are becoming smarter; they are very targeted and hide deeply. It’s almost impossible for most security solutions to detect their malicious behavior. Some malware will not operate if the security solution tries to detonate it in a sandbox; it will only function when it lands on a certain endpoint in a certain environment.

Attackers have also learned that if they manipulate known-good applications, such as PowerShell, they have a better chance of achieving their goals without being detected and blocked. These attacks are known as “non-malware attacks,” and they are increasing rapidly.

Now to Star Wars. Let’s first think about Senator Palpatine. After watching all the episodes, we know who he really was; he hid so successfully and so deeply in the system that even the Jedi failed to detect his true character. And Palpatine was very targeted. When he sensed the vulnerability of Anakin Skywalker, he started to manipulate and exploit Skywalker without triggering any alert.

In this case, Anakin is PowerShell, the known-good application. We see the whole process of his fall, and we learn that even the “known-good” can be manipulated and used by the bad, and how much damage it can then cause.

We are hearing more and more about AI in many industries. AI sounds like a magic word, the solution to every problem. Although AI might solve many problems in the future, we know it’s not a cure-all yet, especially when fighting the quickly evolving “dark side.”

C-3PO and R2-D2 in Star Wars are a perfect example of AI. They might be very loyal, smart and helpful, but can you count on them to fight the dark side? I mean, even Master Yoda failed to stop the Sith lords, given how sly the bad guys were.

Carbon Black uses streaming prevention to detect and prevent attacks. The sensor monitors and collects all the data about the processes running on the endpoint. Its big-data analytics engine then correlates and analyzes those processes. Streaming prevention analyzes not only files but also the behavior and relationships of all the processes. That’s how we connect the dots and get a better understanding of what’s happening on the endpoint, and that’s why we can detect and prevent attacks more accurately than other solutions.

After my presentation, a prospect approached me and asked, “Who do you think is doing the streaming prevention in Star Wars, then?” This is indeed a good question!

My answer was that it’s the audience watching the movie, who have visibility into the actions (and even the psychological state) of all the characters in the movie. We get to know who’s good, who’s bad, and what’s about to happen while following the story (which translates into “monitoring and analyzing the stream” in streaming prevention).

TAGS: Carbon Black / Non-Malware Attacks / Star Wars