How it works

CylancePROTECT sits on the endpoint device and waits for files to arrive. It can then inspect the files as they arrive or when they are executed. The preference is to have both turned on to make sure nothing slips through. Warner claims that the average number of attributes used by CylancePROTECT is around 80,000 per file. As soon as it locates a file with a suspicious attribute, it sandboxes or deletes it based on the user's security preference.

Warner admits that there are times when it is hard to identify files with problems. Packed files and encrypted files are a challenge, especially as some viruses trigger as soon as the unpacking happens. Part of the solution would be to partner with edge device manufacturers such as ExtraHop and deal with files hidden in SSL by decrypting them in real time on the network.

What is really interesting is that the product is also being used by developer teams to extend their internal testing. In one case cited by Warner:

“A Fortune 100 company purchased the forensic version of the product to use as their last step for code verification on internally built software. It identified a number of backdoors in code written by third parties to whom they had outsourced part of the project.”

This is something that should get a lot of CISOs excited, as it means they can raise the security level of internally written code, especially around complex ERP and CRM suites.

As it is running all the time, Cylance has worked to make it small and very lightweight. It currently uses less than 3% of a single core on a machine and requires just 40MB of disk space. This makes it an attractive option for embedded devices such as kiosks, switches and network edge devices, as well as for traditional endpoint security on user devices.

The pricing is currently set at £40 per device per year, which changes based on volume discounts. Unfortunately, there is no SaaS option for small businesses or for when contractors are on site. This is a shame, as a price point of £4 per user per month would not only be extremely accessible but would enable ISPs to consider adding it to the software they supply to customers. This would help Cylance take a big jump forward in market penetration.

Conclusion

Cylance certainly seems to be able to stand up its claim of doing things differently. The small footprint of CylancePROTECT and the fact it uses a wide range of attributes to detect malware means that it can deal with zero-day attacks. Its ability to be used by developer teams will also raise its profile.

There are two big challenges for Cylance. The first will be converting the doubters, which it is confident it can do. The second is that success will inevitably bring suitors such as HP, Symantec, Kaspersky and IBM to the table. How long it can resist offers remains to be seen, especially as the company currently wants to go to IPO rather than sell out.

This is a product that seems to deserve a look by all security teams. So much so that we have taken the step of ordering copies for all of our machines in order to compare it to the existing security systems we run in house.
