
Invincea Purchase, is it Possible to use Machine Learning on a UTM? Request for a future feature?

I am very excited to hear that Sophos purchased Invincea, as it complements Sophos' use of Sandstorm and Intercept X. The positive for all Sophos UTM users is that Sophos should be able to more readily detect new, zero-day malware threats on the endpoint, allowing heuristics and signatures on the Sophos UTM to be updated quickly as samples are submitted to Sophos, much the same way Sophos uses Sandstorm and Intercept X samples from users to improve traditional signature detection.

My question is, is it possible for Sophos to add the Invincea machine learning to the Sophos UTM? They already announced they plan to integrate it with Heartbeat for the XG boxes, which would seem to be a given.

My question is, is it possible for Sophos to integrate these machine learning capabilities to the Sophos UTM?

When I submit samples to VirusTotal, I sometimes see detection results like "CrowdStrike: 99% chance malicious." To me, this would be an awesome asset for the Sophos UTM and would set it apart from its competitors. If the UTM could quarantine all malware detected above a certain probability threshold, e.g., 95%, and have the UTM upload the file to Sophos for further inspection, to me it seems like a win-win for everyone.

I mention all this now, as Sophos just announced the purchase of Invincea, and to me it seems like a fantastic time to make a feature request.



  • You should place your idea/request on the feature request list.

    ideas.sophos.com/.../17359-utm-formerly-asg-feature-requests


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • I've used Invincea for a few years now, and for me their real strength is in their sandboxing. It doesn't really matter if it detects the malware or not; it's not going anywhere. I have our employees configured for 24-hour resets, so every morning they get "fresh" new installs of their Internet Explorer / Excel / Word / Reader (their bookmarks & settings remain intact). Any malware gets deleted along with the previous day's sandbox. No muss, no fuss.

    I can't say I share your enthusiasm on Invincea being acquired. They have been my secret weapon and I hope they are able to remain as lean and mean as they have in the past.

    You can try their free little brother (at least for now)... Sandboxie. It takes some learning, and it's not as polished or user-friendly as Invincea X, but it is essentially the same product.

     “Stay paranoid, my friends.”

  • The reason for my enthusiasm about the Invincea purchase is not because of their sandboxing tech; I am excited that Sophos bought a vendor who is a leader in the field of deep learning artificial intelligence.

    I am 99% sure Sophos bought Invincea because of the machine learning, not the sandboxing, just based on the press release, "Sophos Adds Advanced Machine Learning to Its Next-Generation Endpoint Protection Portfolio with Acquisition of Invincea."

    https://www.sophos.com/en-us/press-office/press-releases/2017/02/sophos-adds-advanced-machine-learning-to-its-next-generation-endpoint-protection-portfolio.aspx

     

    Invincea is doing the same thing that Cylance and Crowdstrike are doing. They use previous malware samples to help their Machine Learning system score new files to determine if they are malicious before they run. The entire AV industry is headed in this direction, and I honestly believe every major anti-malware vendor will use a combination of both traditional signature/heuristics detections and AI deep learning within five years.

    If Sophos incorporates this tech into the UTM, it could stop and quarantine files above a certain probability threshold for further analysis. Merging old and new detection methods should significantly decrease the effectiveness of zero-day malware attacks and of malware that Sandstorm fails to detect.

    My hope is that Sophos struck gold here. Invincea is a rising star in the field of machine learning. Cylance is clearly the market leader, but with the purchase of Invincea, I believe Sophos is doing what Symantec has failed to do on the endpoint: merge traditional signature/heuristic detection, behavior-based detection (the SurfRight purchase), and next-gen machine learning AV detection into one product.

     

    This machine learning/deep learning/AI is some really cool stuff and is the same tech that is used in spam filters. I am hoping that Sophos adds it to the UTM. More info about Invincea's machine learning can be found here:

    https://www.invincea.com/wp-content/uploads/2016/12/X_by_Invincea_Datasheet.pdf

  • You need not hope Sophos struck gold, I can assure you they absolutely did. That assurance is coming from real world experience using Invincea's product. My concern is what Sophos does with this precious metal. Hopefully they don't transmute it into lead.

    I agree the AI aspect is much more interesting than the sandboxing. But sometimes boring is what actually gets the job done. Running employees strictly as limited users and sandboxing them may not be nearly as exciting, but it's what has worked for me. I already had Symantec Enterprise Endpoint in place along with the limited user policy and was still seeing occasional infections. The day I rolled out Invincea was the day infections stopped cold, and I haven't had one since. Invincea is the real deal.

    I have other layers in my goodie bag as well, but each layer was staged individually and many moons apart, so there was no doubt that it was Invincea that stopped the madness.

    Although I've had a long-running distaste for Symantec, in their defense, I don't run Endpoint to its full potential (whitelisting, locking down limited user install points, etc.). I just don't have the time to manage it like it is intended to be run. It is quite powerful in its own right.

    As far as the AI vs. sandbox aspect, watch any presentation from any security pro / researcher / company and what you will see 100% of the time is them running an infection demo in a virtual machine. Why? Because it's a sandbox. What you will never see is them running an infection demo of their "deep learning" on their own live machine. Why not?

    Security philosophy now rests in two camps, those who still think we can block, and those who know we can't. I'm firmly in the latter and since joining the contrarians my life is much simpler.

     “Stay paranoid, my friends.”

  • Agreed with you both.  I've just assumed that the AI runs in a sandbox, but I don't know that for a fact.  GP takes this a step further in creating new sandboxes every day.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I would think also that AI is within. As far as creating new sandboxes every day, that's set and forget automated. You can dial up frequency or time of day.

    For those unfamiliar with Dell Protected Work Space, this is a branded version of Invincea and is how I had the good fortune of stumbling across Invincea, I had ordered a slew of Dell Optiplexes and a free year of it came preloaded on each of them. I remember thinking "Oh great, more bloatware to peel off", then I started playing with it and realized this was actually amazing stuff. If you're in a small corporate setting and you are a Dell shop, this is an excellent way to stealth it into your company when you're doing hardware refresh. Free and clear for a year. I didn't like the red tape with Dell on the annual renewals, so after a couple of years I switched to Invincea proper.

    IMHO Sophos stole this company for the price they paid. Sister company Invincea Labs does DARPA projects for the military and in the past some of their research was shared with Invincea. Now that they are being separated I fear they will lose this symbiosis.

     “Stay paranoid, my friends.”

  • I believe we are all right on this one. I think that Invincea is using an approach similar to Crowdstrike's and using a "deep learning algorithm" to stop malicious file execution before the file executes and at the same time, using machine learning/AI to look for malicious behavior after execution.

    Microsoft has now started including AI in their ATP client to stop malicious behaviors, after execution. Their client does not give a probability that a file is malicious before execution, but looks for malicious behaviors after the file has executed:

    "The system also strives to understand malicious behavior, too. More than 1 million suspicious files are automatically executed and examined within sandboxed environments in the cloud to build a better picture of the abnormal activities that malware and hacks can cause. All this data is crunched and analyzed using machine learning techniques to build models of normal and abnormal system activity. This means that not only can unusual PC behavior be identified, it can also be cross referenced against particular malware."

    https://arstechnica.com/information-technology/2016/03/windows-defender-advanced-threat-protection-uses-cloud-power-to-figure-out-youve-been-pwned/

     

    To compare and contrast, Cylance does not look at behaviors at all and instead uses deep machine learning to determine a probability that a file is malicious pre-execution. This information comes from a Cylance vendor who corrected me on Spiceworks about Cylance's use of AI:

    "Windows Defender ATP is a great advancement in Microsoft's endpoint technology, with it finally bringing in some additional layers, utilizing Microsoft's strong computing power and cloud tech. The product is utilizing a heavy layer of behavioral analysis and cloud-based lookups and analytics. There is also a layer of machine learning, but from what I have heard and read, this layer is built on integrations from other companies and not in-house. The unknowns/0-days are being handled in a post-execution model as well, meaning the potential malware needs to execute before the determination is made.

    For a similarity, it's closer to Webroot's product than anything else, especially Cylance Protect.

    Cylance is not behavioral, and the machine learning portion of our technology is not connected at the endpoint detecting threats. We use ML and AI to produce a mathematical understanding of a file (algorithm) which then becomes the basis of the endpoint product. That algorithm allows Cylance Protect to make determinations pre-execution."

    https://community.spiceworks.com/topic/1961618-windows-defender-advanced-threat-protection

     

    Lastly, if I understand this excerpt from Invincea's sales information correctly, they are also following Cylance's example and doing malware detection pre-execution:

    "Moving Beyond Traditional Antivirus

    Attackers have been easily evading traditional antivirus solutions for years, which is why almost every breach originates at the endpoint. Invincea realized that a new way of detecting malware was critical. Created by data scientists, X by Invincea leverages deep learning, an advanced form of machine learning, as part of the industry's most advanced next-generation anti-virus solution. This gives X by Invincea the ability to detect and stop malware – even previously unknown variants – without relying on signatures. Deep learning mimics the way the human brain thinks. Recent advances in deep learning have allowed breakthrough results, including advancements in facial recognition and natural language processing. Invincea uses similar deep learning technology to differentiate malware from benign programs. This means Invincea can detect previously unknown malware and polymorphic variants that evade signature-based solutions. In essence, X by Invincea stops malware before it can impact an endpoint, without affecting performance. This includes ransomware, weaponized Office documents, and other prominent endpoint threats.

    Preventing Known and Unknown Malware without Signatures

    X by Invincea leverages machine learning to identify and block suspicious files before they execute. Every program found on the endpoint is automatically analyzed. First, Invincea extracts unique file features about the program and its capabilities. Second, the extracted features are then run through Invincea’s multi-stage deep learning algorithm to determine how similar the file is to other malware families. X by Invincea then returns a similarity score for the suspicious program. The higher the score, the greater the likelihood that it is malware. If a file exceeds the risk threshold, it is automatically quarantined or deleted. X by Invincea will even identify the malware family the file belongs to. The entire process, from feature extraction to quarantine, takes only 20 milliseconds."

    https://www.invincea.com/wp-content/uploads/2016/12/X_by_Invincea_Datasheet.pdf

     

    If I am reading this all correctly, Invincea does the same thing as Cylance and can determine if the file is malicious before it even executes. The only potential issue I see with including Invincea's malware detection on the UTM is if Invincea does not currently have a Linux engine. If Sophos does include Invincea's detection on the UTM, it would set it apart in a way that no other vendor can currently match. Real, next-gen detection on the UTM.
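
The datasheet excerpt above describes a four-stage pre-execution pipeline (feature extraction, a model that scores similarity to known malware, a risk threshold that triggers quarantine, and a family label), and the original post asks for a UTM-side policy that quarantines above a probability threshold such as 95% and forwards the file for deeper inspection. The following is an added example written for this page; it is not Invincea's, Sophos', or any vendor's code. The scoring model is a hand-set logistic scorer over seven static file features (an assumption standing in for the trained deep-learning model the datasheet describes), the family centroids are hand-written rather than learned, and every sample byte string is constructed here. It adds one thing the post only hints at: a "submit" band below the quarantine threshold, where the file is held for further analysis instead of being blocked outright.

```python
"""Pre-execution scoring pipeline in the shape the datasheet describes:
static feature extraction -> model score -> threshold policy -> family label.

ASSUMPTIONS (illustrative stand-in, not any vendor's engine):
- WEIGHTS/BIAS form a hand-set logistic scorer; a real product runs a trained model.
- FAMILIES are hand-written centroids over the string-indicator features.
- All sample bytes in SAMPLES are constructed for this example.
"""
import math
import re
from typing import Dict, List

FEATURES = ["entropy", "printable_ratio", "has_mz", "url_strings",
            "injection_apis", "crypto_apis", "macro_markers"]

INJECTION_APIS = (b"VirtualAllocEx", b"WriteProcessMemory", b"CreateRemoteThread")
CRYPTO_APIS = (b"CryptGenKey", b"CryptEncrypt", b"BCryptEncrypt")
MACRO_MARKERS = (b"AutoOpen", b"Document_Open", b"WScript.Shell", b"Shell(")
URL_RE = re.compile(rb"https?://[\w./-]+")

# Hand-set weights (assumption): positive pushes toward "malicious".
WEIGHTS = {"entropy": 1.0, "printable_ratio": -1.0, "has_mz": 0.5, "url_strings": 1.5,
           "injection_apis": 6.0, "crypto_apis": 4.0, "macro_markers": 6.0}
BIAS = -3.0

# Hand-written family centroids over [url_strings, injection_apis, crypto_apis, macro_markers].
FAMILIES = {
    "injector":   [0.5, 1.0, 0.0, 0.0],
    "ransomware": [0.25, 0.3, 1.0, 0.0],
    "maldoc":     [0.5, 0.0, 0.3, 1.0],
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0 (packed/encrypted payloads sit near 8)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extract_features(data: bytes) -> List[float]:
    """Stage 1: static features only, each scaled to 0..1. The sample is never executed."""
    n = max(len(data), 1)

    def present(markers) -> float:
        return sum(1 for m in markers if m in data) / len(markers)

    return [
        shannon_entropy(data) / 8.0,
        sum(1 for b in data if 32 <= b < 127) / n,
        1.0 if data[:2] == b"MZ" else 0.0,
        min(len(URL_RE.findall(data)), 4) / 4.0,
        present(INJECTION_APIS),
        present(CRYPTO_APIS),
        present(MACRO_MARKERS),
    ]


def malicious_score(feats: List[float]) -> float:
    """Stage 2: probability-like score in (0, 1) from the (hand-set) logistic model."""
    z = BIAS + sum(WEIGHTS[name] * value for name, value in zip(FEATURES, feats))
    return 1.0 / (1.0 + math.exp(-z))


def cosine(a: List[float], b: List[float]) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = math.sqrt(sum(x * x for x in a)), math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def nearest_family(feats: List[float]) -> str:
    """Stage 4: family label = most similar centroid over the indicator features."""
    indicators = feats[3:]
    if not any(indicators):
        return "none"
    return max(FAMILIES, key=lambda fam: cosine(indicators, FAMILIES[fam]))


def classify(data: bytes, quarantine_at: float = 0.95, submit_at: float = 0.5) -> Dict[str, object]:
    """Stage 3: threshold policy. quarantine_at mirrors the 95% suggested in the post;
    submit_at is an added gray band: hold a copy for deeper analysis, do not block."""
    feats = extract_features(data)
    score = malicious_score(feats)
    if score >= quarantine_at:
        verdict = "quarantine"
    elif score >= submit_at:
        verdict = "submit"
    else:
        verdict = "allow"
    return {"score": round(score, 3), "family": nearest_family(feats), "verdict": verdict}


# Constructed samples (not real malware): enough strings to light up the indicators.
SAMPLES = {
    "benign_tool": b"MZ\x90\x00\x03\x00\x00\x00This program cannot be run in DOS mode.\r\n$"
                   b"KERNEL32.dll\x00CreateFileW\x00ReadFile\x00GetProcAddress\x00Usage: tool <file>\x00",
    "injector": b"MZ\x90\x00VirtualAllocEx\x00WriteProcessMemory\x00CreateRemoteThread\x00"
                b"http://203.0.113.7/stage2.bin\x00https://example.net/c2\x00",
    "ransomware": b"MZ\x90\x00CryptGenKey\x00CryptEncrypt\x00BCryptEncrypt\x00WriteProcessMemory\x00"
                  b"http://192.0.2.44/key\x00https://192.0.2.44/notify\x00",
    "dropper_stub": b"MZ\x90\x00VirtualAllocEx\x00WriteProcessMemory\x00no network strings here\x00",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:13s} -> {classify(blob)}")
```

Two design points worth noting. The score is computed before anything runs, which is what makes it usable on a gateway that only ever sees the file in transit; the model cannot see behaviour, so the "submit" band is where a sandbox such as Sandstorm would pick the file up. And the family label is reported even for a gray-band verdict, because "looks like an injector but below threshold" is more useful to an analyst than a bare score.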

  • That would be nice if they incorporate it into the UTM. I just hope Sophos sticks to the strategy they made in their public announcement and leaves Invincea intact along with continuing sales of their existing endpoint product. Then we would have the best of both worlds.

     “Stay paranoid, my friends.”

  • I hope so too. Sophos has handled the SurfRight acquisition well, and I hope they follow that model. They left SurfRight/HitmanPro.Alert so intact that the service Intercept X runs under is listed as "HitmanPro.Alert".

    My hope is that they do the same with Invincea, with the addition of adding the pre-execution machine learning engine to the UTM, just as you mentioned, GetParanoid.

    BTW, I added the feature request and would love the additional votes!

    ideas.sophos.com/.../18583828-include-invincea-s-deep-learning-engine-machine-l

  • More about the Invincea purchase. Facebook live video from the RSA conference. They did mention that Sophos is open to using the machine learning tech, outside of just the endpoint, so there is hope they might eventually add it to the UTM.

    https://www.facebook.com/securitybysophos/videos/1269348986489362/

    Also, the initial announcement with additional audio commentary:

    https://www.facebook.com/securitybysophos/videos/1263930303697897/