AI and Machine Learning in Endpoint Cyber Attack
Jared Phipps
Vice President Worldwide Sales Engineering
[Chart: "Breaches And Malware Use In Breaches Continues Trending Up", three paired bars for FY2016, FY2017 and FY2018 (80%/20%, 71%/29%, 65%/35%). Source: Ponemon Institute]

What tactics do they use?
• 62% of breaches featured hacking
• 51% of breaches included malware
• 81% of hacking-related breaches leveraged stolen and/or weak passwords
(Source: Verizon DBIR 2017)
Hope is not a strategy
Threat Landscape

Malware
• Ransomware, Trojans, worms, backdoors
• File-less / memory-based malware

Exploits
• Document-based exploits
• Browser-based exploits
• Application-based exploits

Live Attacks
• Script-based: PowerShell, WMI, VBS
• Credentials: credential scraping, Mimikatz
Q: Can we rely on signatures and reputation data for endpoint protection?
A: How hard is it to change a file hash?
(It's never too early for XKCD)
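The answer above is easy to make concrete. The following is an added example, not code from the deck or from SentinelOne: a constructed byte string stands in for a malicious executable (it is not a real PE), a SHA-256 blocklist plays the role of the signature/reputation feed, and a toy byte n-gram similarity stands in for a content feature. Appending a single byte to the file's overlay defeats the hash lookup while leaving the content feature essentially unchanged.

```python
import hashlib

# Constructed stand-in for a malicious executable: just bytes with a recognisable
# "payload" region, not real malware and not a valid PE image.
ORIGINAL_SAMPLE = b"MZ" + b"\x90" * 64 + b"PAYLOAD:DOWNLOAD_AND_EXECUTE" + b"\x00" * 32


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The "reputation feed": a set of known-bad file hashes.
BLOCKLIST = {sha256_hex(ORIGINAL_SAMPLE)}


def hash_blocklisted(data: bytes) -> bool:
    """Signature-style verdict: exact hash match or nothing."""
    return sha256_hex(data) in BLOCKLIST


def repack(data: bytes, padding: bytes = b"\x00") -> bytes:
    """Trivial attacker-side change: append one byte to the overlay.
    The executable content is untouched, but the file hash is entirely new."""
    return data + padding


def byte_ngrams(data: bytes, n: int = 4) -> set:
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def content_similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity over byte n-grams: a crude content feature that,
    unlike a hash, degrades gradually with edits instead of flipping to zero."""
    ga, gb = byte_ngrams(a, n), byte_ngrams(b, n)
    return len(ga & gb) / len(ga | gb)


def feature_flagged(data: bytes, known_bad=(ORIGINAL_SAMPLE,), threshold: float = 0.9) -> bool:
    """Feature-style verdict: close enough to a known-bad sample."""
    return any(content_similarity(data, bad) >= threshold for bad in known_bad)


if __name__ == "__main__":
    modified = repack(ORIGINAL_SAMPLE)
    print("original  blocklisted:", hash_blocklisted(ORIGINAL_SAMPLE))
    print("repacked  blocklisted:", hash_blocklisted(modified))
    print("repacked  similarity :", content_similarity(ORIGINAL_SAMPLE, modified))
    print("repacked  flagged    :", feature_flagged(modified))
```

The n-gram Jaccard score is only there to show the shape of a feature-based check; a real static engine extracts many more features and learns the threshold rather than hard-coding it, and an attacker who packs or encrypts the whole file defeats raw byte n-grams just as easily as they defeat a hash.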
© 2018 SentinelOne All Rights Reserved. Confidential
Secret Sauce
What is it?
Data.
Static Engine Model Creation
"The first visualization you look at will always reveal a data quality error, and if it doesn't reveal a data quality error, that just means you haven't found one yet." — Hadley Wickham
Data Exploration
t-Distributed Stochastic Neighbor Embedding (t-SNE) Visualization
Machine Learning
• Easy to get 99.9% accuracy
• Hard to get 99.99999% accuracy
• The last ~0.01% is:
  • good training data and features
  • super important: 1 FP every 10k files is bad, because a fleet scans millions of benign files and every FP is a quarantined legitimate file
  • more skill = less "stirring"
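Why the headline accuracy number says so little is easiest to see on a constructed validation set with realistic class imbalance. This is an added example and not SentinelOne's evaluation code: 10,000 files of which 0.1% are malicious, scored by two hypothetical classifiers, one that never alerts and one that catches everything but misjudges one benign file in ten thousand. The numbers below are computed from that constructed data.

```python
from collections import Counter


def confusion(labels, predictions):
    """TP/FP/TN/FN counts for a binary task where 1 = malicious, 0 = benign."""
    c = Counter(zip(labels, predictions))
    return {"tp": c[(1, 1)], "fp": c[(0, 1)], "tn": c[(0, 0)], "fn": c[(1, 0)]}


def metrics(labels, predictions):
    """Accuracy next to the two numbers an endpoint vendor actually lives by:
    detection rate (recall on malicious) and false-positive rate on benign."""
    m = confusion(labels, predictions)
    benign = m["tn"] + m["fp"]
    malicious = m["tp"] + m["fn"]
    return {
        "accuracy": (m["tp"] + m["tn"]) / (benign + malicious),
        "detection_rate": m["tp"] / malicious if malicious else 0.0,
        "false_positive_rate": m["fp"] / benign if benign else 0.0,
    }


def expected_false_positives(fpr, endpoints, files_per_endpoint):
    """Benign files a whole fleet will quarantine at a given per-file FPR."""
    return fpr * endpoints * files_per_endpoint


# Constructed validation set: 10,000 files, 0.1% malicious (realistic imbalance).
LABELS = [0] * 9990 + [1] * 10


def always_benign(labels):
    """Degenerate classifier that never alerts; scores 99.9% accuracy here."""
    return [0] * len(labels)


def one_fp_per_10k(labels):
    """Hypothetical classifier: catches every malicious sample but misjudges
    one benign file in ten thousand (the case the bullet above calls 'bad')."""
    preds = list(labels)
    preds[0] = 1  # the single false positive
    return preds


if __name__ == "__main__":
    for name, clf in (("always benign", always_benign), ("1 FP / 10k", one_fp_per_10k)):
        m = metrics(LABELS, clf(LABELS))
        print(f"{name:14s} accuracy={m['accuracy']:.5f} "
              f"detection={m['detection_rate']:.2f} fpr={m['false_positive_rate']:.6f}")
    fpr = metrics(LABELS, one_fp_per_10k(LABELS))["false_positive_rate"]
    # Assumed fleet size for illustration: 50,000 endpoints, 20,000 scanned files each.
    print("expected fleet FPs at that rate:", round(expected_false_positives(fpr, 50_000, 20_000)))
```

The point the two rows make: the classifier that detects nothing still posts 99.9% accuracy because 99.9% of the files are benign, and the one that looks excellent at 99.99% accuracy turns its 1-in-10k FPR into roughly a hundred thousand quarantined benign files across the assumed fleet. Accuracy on an imbalanced set hides both failure modes; report detection rate and FPR separately.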
What is learning? A learned function, aka a decision boundary, aka a model.
Learning / Training / Fitting a Model
APT > Malware
(enter Behavioral models)
The S1 Platform: The Right Technology at the Right Time
• BEFORE: Static AI. Prevent attacks pre-execution.
• DURING: Behavioral AI. Constantly monitor and map each running process for incongruous behaviors.
• AFTER: Automated EDR. Automate remediation and response... even rollback.
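What "map each running process for incongruous behaviors" looks like in code, as an added example that is not SentinelOne's engine: a handful of constructed process-creation events (not real telemetry) are assembled into a process tree, each process is scored on its ancestor chain rather than in isolation, and the remediation step returns the whole subtree under the first link that crossed the threshold. The rule weights and the threshold of 4 are assumed values chosen for the illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process-creation telemetry (not real logs). A user opens a document,
# the Office process spawns PowerShell with an encoded, hidden command, which runs
# cmd.exe. The last two events are legitimate admin use of the same interpreter.
EVENTS = [
    ProcEvent(400, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(1200, 400, "winword.exe", 'winword.exe "Invoice.docx"'),
    ProcEvent(1340, 1200, "powershell.exe",
              "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand SQBFAFgA"),  # payload truncated, constructed
    ProcEvent(1400, 1340, "cmd.exe", "cmd.exe /c whoami"),
    ProcEvent(500, 400, "powershell.exe", r"powershell.exe -File C:\scripts\backup.ps1"),
    ProcEvent(510, 500, "cmd.exe", r"cmd.exe /c robocopy D:\data E:\backup"),
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SUSPICIOUS_FLAGS = re.compile(
    r"-(enc|encodedcommand|nop|noprofile|w\s+hidden|windowstyle\s+hidden)\b", re.I)


def build_tree(events):
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e.pid)
    return by_pid, children


def storyline(pid, by_pid):
    """Ancestor chain from the root down to pid: the context a static verdict lacks."""
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def score_storyline(chain):
    """Sum of per-link indicators. A single link rarely scores; the chain does."""
    score, reasons = 0, []
    for parent, child in zip(chain, chain[1:]):
        if parent.image in OFFICE and child.image in INTERPRETERS:
            score += 3
            reasons.append(f"{parent.image} spawned {child.image}")
        if child.image in INTERPRETERS and SUSPICIOUS_FLAGS.search(child.cmdline):
            score += 2
            reasons.append(f"{child.image} launched with evasive flags")
        if parent.image in INTERPRETERS and child.image == "cmd.exe":
            score += 1
            reasons.append(f"{parent.image} chained into cmd.exe")
    return score, reasons


def flagged(events, threshold=4):
    """pid -> (score, reasons) for every process whose storyline crosses the threshold."""
    by_pid, _ = build_tree(events)
    verdicts = {}
    for e in events:
        score, reasons = score_storyline(storyline(e.pid, by_pid))
        if score >= threshold:
            verdicts[e.pid] = (score, reasons)
    return verdicts


def remediation_set(events, threshold=4):
    """Processes to terminate: the subtree under the earliest flagged link,
    not just the leaf that happened to trip the threshold."""
    by_pid, children = build_tree(events)
    roots = set()
    for pid in flagged(events, threshold):
        for e in storyline(pid, by_pid):
            if score_storyline(storyline(e.pid, by_pid))[0] >= threshold:
                roots.add(e.pid)
                break
    kill, stack = set(), list(roots)
    while stack:
        pid = stack.pop()
        if pid not in kill:
            kill.add(pid)
            stack.extend(children.get(pid, []))
    return kill


if __name__ == "__main__":
    for pid, (score, reasons) in flagged(EVENTS).items():
        print(pid, score, "; ".join(reasons))
    print("terminate:", sorted(remediation_set(EVENTS)))
```

Note what the scoring does and does not do: the admin's `powershell.exe -File backup.ps1` chain scores 1 and stays below the threshold even though it uses the same interpreter and also spawns cmd.exe, while the Office-spawned chain scores 5 and 6. The remediation set stops at the PowerShell process and leaves winword.exe running; whether to also kill the host Office process is a product decision, since it is the victim of the document rather than the attacker's code.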
Live Scenarios
Where is the EPP market going?

Pre-Execution
• Cloud Intelligence + Whitelisting / Blacklisting
• Advanced Static Prevention

On Execution
• Dynamic Malware Detection
• Dynamic Exploit Detection

Post-Execution
• Mitigation, Remediation, Forensics

All of this in a single agent.
Must Haves in Your Legacy AV Replacement
• Be autonomous. It must have the built-in logic to be just as effective offline as it is online. In other words, NOT cloud reliant.
• Be protective by reliably mitigating file-based & fileless attacks
• Provide visibility for SecOps (storyline, raw data & hunting)
• Not be a pain for SysOps (deployment, operation, remediation)
• Not be a pain for end users