This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Invincea Purchase, is it Possible to use Machine Learning on a UTM? Request for a future feature?

I am very excited to hear that Sophos purchased Invincea, as it complements Sophos use of Sandstorm and Intercept X. The positive for all Sophos UTM users is that Sophos should be able to more readily detect new, zero-day malware threats on the endpoint, allowing heuristics and signatures on the Sophos UTM to be updated quickly as samples are submitted to Sophos. Much the same way Sophos uses Sandstorm and Intercept X samples from users to improve traditional signature detection.

My question is, is it possible for Sophos to add the Invincea machine learning to the Sophos UTM? They already announced they plan to integrate it with Heartbeat for the XG boxes, which would seem to be a given.

My question is, is it possible for Sophos to integrate these machine learning capabilities to the Sophos UTM?

When I submit samples to Virustotal, I sometimes see detection results like, "crowdstrike: 99% chance malicious." To me, this would be an awesome asset for the Sophos UTM and would set it apart from its competitors. If the UTM could quarantine all malware detected above a certain probability threshold, i.e., 95% and have the UTM upload the file to Sophos for further inspection, to me, it seems like a win-win for everyone.

I mention all this now, as Sophos just announced the purchase Invincea and to me, it seems like a fantastic time to make a feature request.



This thread was automatically locked due to age.
Parents
  • I've used Invincea for a few years now, and for me their real strength is in their sandboxing. It doesn't really matter if it detects the malware or not, it's not going anywhere. I have our employees configured for 24 hour resets, so every morning they get "fresh" new installs of their Internet Explorer / Excel / Word / Reader (their bookmarks & settings remain intact). Any malware gets deleted along with the previous day's sandbox. No muss, no fuss.

    I can't say I share your enthusiasm on Invincea being acquired. They have been my secret weapon and I hope they are able to remain as lean and mean as they have in the past.

    You can try their free little brother (at least for now)... SandBoxie. It takes some learning, it's not as polished or user friendly as Invincea X but it is essentially the same product.

     “Stay paranoid, my friends.”

Reply
  • I've used Invincea for a few years now, and for me their real strength is in their sandboxing. It doesn't really matter if it detects the malware or not, it's not going anywhere. I have our employees configured for 24 hour resets, so every morning they get "fresh" new installs of their Internet Explorer / Excel / Word / Reader (their bookmarks & settings remain intact). Any malware gets deleted along with the previous day's sandbox. No muss, no fuss.

    I can't say I share your enthusiasm on Invincea being acquired. They have been my secret weapon and I hope they are able to remain as lean and mean as they have in the past.

    You can try their free little brother (at least for now)... SandBoxie. It takes some learning, it's not as polished or user friendly as Invincea X but it is essentially the same product.

     “Stay paranoid, my friends.”

Children
  • The reason for my enthusiasm about the Invincea purchase is not because of their sandboxing tech; I am excited that Sophos bought a vendor who is a leader in the field of deep learning artificial intelligence.

    I am 99% sure Sophos bought Invincea because of the Machine Learning, not the sandboxing, just based off the press release, "Sophos Adds Advanced Machine Learning to Its Next-Generation Endpoint Protection Portfolio with Acquisition of Invincea."

    https://www.sophos.com/en-us/press-office/press-releases/2017/02/sophos-adds-advanced-machine-learning-to-its-next-generation-endpoint-protection-portfolio.aspx

     

    Invincea is doing the same thing that Cylance and Crowdstrike are doing. They use previous malware samples to help their Machine Learning system score new files to determine if they are malicious before they run. The entire AV industry is headed in this direction, and I honestly believe every major anti-malware vendor will use a combination of both traditional signature/heuristics detections and AI deep learning within five years.

    If Sophos incorporates this tech into the UTM, it could stop and quarantine files above a certain probability threshold, for further analysis. Merging both old and new detection methods together, which should significantly decrease the effectiveness of zero-day malware attacks and malware that Sandstorm fails to detect.

    My hope is that Sophos struck gold here. Invincea is a rising star in the field of machine learning. Cylance is clearly the market leader, but with the purchase of Invincea, I believe Sophos is doing what Symantec has failed to do on the endpoint. Merge traditional signature/heuristics, with behavior based (the Surfright purchase), and Next-gen machine learning AV detection, into one product.

     

    This Machine Learning/Deep Learning/AI is some really cool stuff and is the same tech that is used in SPAM filters. I am hoping that Sophos adds it to the UTM. More info about Invincea's Machine Learning can be found here:

    https://www.invincea.com/wp-content/uploads/2016/12/X_by_Invincea_Datasheet.pdf

  • You need not hope Sophos struck gold, I can assure you they absolutely did. That assurance is coming from real world experience using Invincea's product. My concern is what Sophos does with this precious metal. Hopefully they don't transmute it into lead.

    I agree the AI aspect is much more interesting than the sandboxing. But sometimes boring is what actually gets the job done. Running employees strictly as limited users and sandboxing them may not be nearly as exciting, but it's what has worked for me. I already had Symantec Enterprise Endpoint in place along with the limited user policy and was still seeing occasional infections. The day I rolled out Invincea was the day infections stopped cold and haven't had one since. Invincea is the real deal.

    I have other layers in my goodie bag as well, but each layer was staged individually and many moons apart, so there was no doubt that it was Invincea that stopped the madness.

    Although I've had a long running distaste for Symantec, in their defense, I don't run Endpoint to it's full potential (whitelisting, locking down limited user install points, etc). I just don't have the time to manage it like it is intended to be run. It is quite powerful in it's own right.

    As far as the AI vs Sandbox aspect, watch any presentation from any security pro / researcher / company and what you will see 100% of the time is them running infection demo in a virtual machine? Why? Because it's a sandbox. What you will never see is them running an infection demo of their "deep learning" on their own live machine, why not?

    Security philosophy now rests in two camps, those who still think we can block, and those who know we can't. I'm firmly in the latter and since joining the contrarians my life is much simpler.

     “Stay paranoid, my friends.”

  • Agreed with you both.  I've just assumed that the AI runs in a sandbox, but I don't know that for a fact.  GP takes this a step further in creating new sandboxes every day.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I would think also that AI is within. As far as creating new sandboxes every day, that's set and forget automated. You can dial up frequency or time of day.

    For those unfamiliar with Dell Protected Work Space, this is a branded version of Invincea and is how I had the good fortune of stumbling across Invincea, I had ordered a slew of Dell Optiplexes and a free year of it came preloaded on each of them. I remember thinking "Oh great, more bloatware to peel off", then I started playing with it and realized this was actually amazing stuff. If you're in a small corporate setting and you are a Dell shop, this is an excellent way to stealth it into your company when you're doing hardware refresh. Free and clear for a year. I didn't like the red tape with Dell on the annual renewals, so after a couple of years I switched to Invincea proper.

    IMHO Sophos stole this company for the price they paid. Sister company Invincea Labs does DARPA projects for the military and in the past some of their research was shared with Invincea. Now that they are being separated I fear they will lose this symbiosis.

     “Stay paranoid, my friends.”

  • I believe we are all right on this one. I think that Invincea is using an approach similar to Crowdstrike's and using a "deep learning algorithm" to stop malicious file execution before the file executes and at the same time, using machine learning/AI to look for malicious behavior after execution.

    Microsoft has now started including AI in their ATP client to stop malicious behaviors, after execution. Their client does not give a probability that a file is malicious before execution, but looks for malicious behaviors after the file has executed:

    "The system also strives to understand malicious behavior, too. More than 1 million suspicious files are automatically executed and examined within sandboxed environments in the cloud to build a better picture of the abnormal activities that malware and hacks can cause. All this data is crunched and analyzed using machine learning techniques to build models of normal and abnormal system activity. This means that not only can unusual PC behavior be identified, it can also be cross referenced against particular malware."

    https://arstechnica.com/information-technology/2016/03/windows-defender-advanced-threat-protection-uses-cloud-power-to-figure-out-youve-been-pwned/

     

    To compare and contrast, Cylance does not look at behaviors at all and instead uses deep machine learning to determine a probability that a file is malicious pre-execution. This information comes from a Cylance vendor who corrected me on Spiceworks about Cylance's use of AI:

    "Windows Defender ATP is a great advancement in Microsofts' endpoint technology with it finally bringing in some aditional layers, utilizing Microsoft's strong computing power and cloud tech. The product is utilizing a heavy layer of behavioral analysis and cloud-based lookups and analytics. There is also a layer of machine learning, but from what I have heard and read, this layer is built on integrations from other companies and not in-house. The unknowns/0-Days are being handeled in a post-execution model as well, meaning the potential malware needs to execute before the determination is made.

    For a similarity, it's closer to Webroot's product than anything else, especially Cylance Protect.

    Cylance is not behavioral, and the machine learning portion of our technology is not connected at the endpoint detecting threats. We use ML and AI to produce a mathematical understanding of a file (algorithm) which then becomes the basis of the endpoint product. That algorithm allows Cylance Protect to make determinations pre-execution."

    https://community.spiceworks.com/topic/1961618-windows-defender-advanced-threat-protection

     

    Lastly, if I understand this excerpt from Invincea's sales information correctly, they are also following Cylance's example and doing malware detection pre-execution:

    "Moving Beyond Traditional Antivirus

    Attackers have been easily evading traditional antivirus solutions for years, which is why almost every breach originates at the endpoint. Invincea realized that a new way of detecting malware was critical. Created by data scientists, X by Invincea leverages deep learning, an advanced form of machine learning, as part of the industry’s most advanced next-generation anti-virus solution. This gives X by Invincea the ability to detect and stop malware – even previously unknown variants - without relying on signatures. Deep learning mimics the way the human brain thinks. Recent advances in deep learning have allowed breakthrough results, including advancements in facial recognition and natural language processing. Invincea uses similar deep learning technology to differentiate malware from benign programs. This means Invincea can detect previously unknown malware and polymorphic variants that evade signature-based solutions. In essence, X by Invincea stops malware before it can impact an endpoint, without affecting performance. This includes ransomware, weaponized Office documents, and other prominent endpoint threats

    Preventing Known and Unknown Malware without Signatures

    X by Invincea leverages machine learning to identify and block suspicious files before they execute. Every program found on the endpoint is automatically analyzed. First, Invincea extracts unique file features about the program and its capabilities. Second, the extracted features are then run through Invincea’s multi-stage deep learning algorithm to determine how similar the file is to other malware families. X by Invincea then returns a similarity score for the suspicious program. The higher the score, the greater the likelihood that it is malware. If a file exceeds the risk threshold, it is automatically quarantined or deleted. X by Invincea will even identify the malware family the file belongs to. The entire process, from feature extraction to quarantine, takes only 20 milliseconds."

    https://www.invincea.com/wp-content/uploads/2016/12/X_by_Invincea_Datasheet.pdf

     

    If I am reading this all correctly, Invincea does the same thing as Cylance and can determine if the file is malicious before it even executes. The only potential issue I see with including Invincea's malware detection on the UTM is if Invincea does not currently have a Linux engine. If Sophos does include Invincea's detection on the UTM, it would set it apart in a way that no other vendor can currently match. Real, next-gen detection on the UTM.

  • That would be nice if they incorporate it into the UTM. I just hope Sophos sticks to the strategy they made in their public announcement and leaves Invincea intact along with continuing sales of their existing endpoint product. Then we would have the best of both worlds.

     “Stay paranoid, my friends.”

  • I hope so too. Sophos has handled the SurfRight acquisition well, and I hope they follow that model. They left Surfright/HitmanPro.Alert so intact, that the service that InterceptX runs under is listed as "HitmanPro.Alert"

    My hope is that they do the same with Invincea, with the addition of adding the pre-execution machine learning engine to the UTM, just as you mentioned, GetParanoid.

    BTW, I added the feature request and would love the additional votes!

    ideas.sophos.com/.../18583828-include-invincea-s-deep-learning-engine-machine-l