Invincea Purchase, is it Possible to use Machine Learning on a UTM? Request for a future feature?

I am very excited to hear that Sophos purchased Invincea, as it complements Sophos' use of Sandstorm and Intercept X. The positive for all Sophos UTM users is that Sophos should be able to more readily detect new, zero-day malware threats on the endpoint, allowing heuristics and signatures on the Sophos UTM to be updated quickly as samples are submitted to Sophos, much the same way Sophos uses Sandstorm and Intercept X samples from users to improve traditional signature detection.

My question is, is it possible for Sophos to add the Invincea machine learning to the Sophos UTM? They already announced they plan to integrate it with Heartbeat for the XG boxes, which would seem to be a given.

My question is, is it possible for Sophos to integrate these machine learning capabilities into the Sophos UTM?

When I submit samples to VirusTotal, I sometimes see detection results like "CrowdStrike: 99% chance malicious." To me, this would be an awesome asset for the Sophos UTM and would set it apart from its competitors. If the UTM could quarantine all malware detected above a certain probability threshold, e.g., 95%, and have the UTM upload the file to Sophos for further inspection, to me it seems like a win-win for everyone.

I mention all this now, as Sophos just announced the purchase of Invincea, and to me it seems like a fantastic time to make a feature request.

  • I've used Invincea for a few years now, and for me their real strength is in their sandboxing. It doesn't really matter if it detects the malware or not, it's not going anywhere. I have our employees configured for 24 hour resets, so every morning they get "fresh" new installs of their Internet Explorer / Excel / Word / Reader (their bookmarks & settings remain intact). Any malware gets deleted along with the previous day's sandbox. No muss, no fuss.

    I can't say I share your enthusiasm on Invincea being acquired. They have been my secret weapon and I hope they are able to remain as lean and mean as they have in the past.

    You can try their free little brother (at least for now)... Sandboxie. It takes some learning, and it's not as polished or user friendly as Invincea X, but it is essentially the same product.

     “Stay paranoid, my friends.”

  • The reason for my enthusiasm about the Invincea purchase is not because of their sandboxing tech; I am excited that Sophos bought a vendor who is a leader in the field of deep learning artificial intelligence.

    I am 99% sure Sophos bought Invincea because of the Machine Learning, not the sandboxing, just based off the press release, "Sophos Adds Advanced Machine Learning to Its Next-Generation Endpoint Protection Portfolio with Acquisition of Invincea."

    https://www.sophos.com/en-us/press-office/press-releases/2017/02/sophos-adds-advanced-machine-learning-to-its-next-generation-endpoint-protection-portfolio.aspx


    Invincea is doing the same thing that Cylance and CrowdStrike are doing. They use previous malware samples to help their machine learning system score new files to determine if they are malicious before they run. The entire AV industry is headed in this direction, and I honestly believe every major anti-malware vendor will use a combination of both traditional signature/heuristic detections and AI deep learning within five years.

    If Sophos incorporates this tech into the UTM, it could stop and quarantine files above a certain probability threshold for further analysis, merging both old and new detection methods together, which should significantly decrease the effectiveness of zero-day malware attacks and malware that Sandstorm fails to detect.

    My hope is that Sophos struck gold here. Invincea is a rising star in the field of machine learning. Cylance is clearly the market leader, but with the purchase of Invincea, I believe Sophos is doing what Symantec has failed to do on the endpoint: merge traditional signature/heuristics, behavior-based detection (the SurfRight purchase), and next-gen machine learning AV detection into one product.


    This machine learning/deep learning/AI is some really cool stuff and is the same tech that is used in spam filters. I am hoping that Sophos adds it to the UTM. More info about Invincea's machine learning can be found here:

    https://www.invincea.com/wp-content/uploads/2016/12/X_by_Invincea_Datasheet.pdf
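The score-threshold quarantine gate proposed in the original post and again above, as an added example that is not part of the thread and not code from Sophos, Invincea or the UTM. It assumes a classifier that emits a probability of maliciousness per file and a separate signature match, merges the two the way the post describes (signature hit OR score at or above the cut-off quarantines the file, with ML-only quarantines queued for upload to the vendor), and then evaluates several cut-offs against a small labelled set so the cost of a 95% threshold is visible alongside its catch rate. The file names, scores and labels are constructed for illustration.

```python
"""Score-threshold quarantine gate with a signature/ML merge.

Added example; not Sophos, Invincea or UTM code. The evaluation set
below is constructed: hypothetical file names, scores and labels.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    name: str
    ml_score: float      # classifier's estimated P(malicious), 0..1
    sig_hit: bool        # traditional signature / heuristic match
    is_malicious: bool   # ground truth, known only for an evaluation set


# Constructed evaluation set (hypothetical names and scores).
EVAL_SET = [
    Sample("setup.exe",        0.02, False, False),
    Sample("quarterly.xlsx",   0.10, False, False),
    Sample("driver_pack.exe",  0.97, False, False),  # benign but packed: scores high
    Sample("invoice.doc",      0.55, False, True),   # new dropper the model under-scores
    Sample("loader.exe",       0.99, False, True),
    Sample("known_worm.exe",   0.40, True,  True),   # old family, signature-only hit
    Sample("ransom.exe",       0.96, False, True),
    Sample("updater.exe",      0.93, False, False),
]


def verdict(sample, threshold):
    """Merged decision: a signature hit or an ML score at/above the
    threshold quarantines the file. Returns (action, reason)."""
    if sample.sig_hit:
        return "quarantine", "signature"
    if sample.ml_score >= threshold:
        return "quarantine", "ml"
    return "allow", None


def evaluate(samples, threshold):
    """Apply the gate to a labelled set and report what it catches and costs.

    'submitted' lists ML-only quarantines, i.e. the files the thread
    suggests uploading to the vendor for further inspection.
    """
    tp = fp = fn = tn = 0
    submitted = []
    for s in samples:
        action, reason = verdict(s, threshold)
        if action == "quarantine":
            if reason == "ml":
                submitted.append(s.name)
            if s.is_malicious:
                tp += 1
            else:
                fp += 1
        elif s.is_malicious:
            fn += 1
        else:
            tn += 1
    return {
        "threshold": threshold,
        "detection_rate": tp / (tp + fn),
        "false_positive_rate": fp / (fp + tn),
        "missed": [s.name for s in samples
                   if s.is_malicious and verdict(s, threshold)[0] == "allow"],
        "submitted": submitted,
    }


def sweep(samples, thresholds=(0.50, 0.90, 0.95, 0.99)):
    """Show the trade-off each candidate cut-off implies on the same set."""
    return [evaluate(samples, t) for t in thresholds]


if __name__ == "__main__":
    for r in sweep(EVAL_SET):
        print(f"threshold {r['threshold']:.2f}: detect {r['detection_rate']:.2f}, "
              f"FPR {r['false_positive_rate']:.2f}, missed {r['missed']}, "
              f"submit {r['submitted']}")
```

Run as-is, the sweep shows why the cut-off is a policy decision rather than a constant: at 0.95 the gate catches three of the four malicious files but quarantines a packed benign installer and still allows the 0.55-scored dropper, at 0.50 it catches everything at the price of half the clean files, and at 0.99 it has no false positives but misses half the malware. The signature branch is what keeps the old worm family quarantined regardless of its low ML score, which is the point of merging the two detection methods rather than replacing one with the other.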

  • You need not hope Sophos struck gold, I can assure you they absolutely did. That assurance is coming from real world experience using Invincea's product. My concern is what Sophos does with this precious metal. Hopefully they don't transmute it into lead.

    I agree the AI aspect is much more interesting than the sandboxing. But sometimes boring is what actually gets the job done. Running employees strictly as limited users and sandboxing them may not be nearly as exciting, but it's what has worked for me. I already had Symantec Enterprise Endpoint in place along with the limited user policy and was still seeing occasional infections. The day I rolled out Invincea was the day infections stopped cold and haven't had one since. Invincea is the real deal.

    I have other layers in my goodie bag as well, but each layer was staged individually and many moons apart, so there was no doubt that it was Invincea that stopped the madness.

    Although I've had a long-running distaste for Symantec, in their defense, I don't run Endpoint to its full potential (whitelisting, locking down limited user install points, etc.). I just don't have the time to manage it like it is intended to be run. It is quite powerful in its own right.

    As far as the AI vs. sandbox aspect, watch any presentation from any security pro / researcher / company and what you will see 100% of the time is them running an infection demo in a virtual machine. Why? Because it's a sandbox. What you will never see is them running an infection demo of their "deep learning" on their own live machine. Why not?

    Security philosophy now rests in two camps, those who still think we can block, and those who know we can't. I'm firmly in the latter and since joining the contrarians my life is much simpler.

     “Stay paranoid, my friends.”
