On March 30th the SANS Community named CylancePROTECT the Best Endpoint Protection Product of 2016. It’s no surprise, really: the company, led by Stuart McClure and Ryan Permeh, has been shaking up the endpoint protection industry since it took the field in 2012.
Cylance isn’t your run-of-the-mill endpoint protection software. Their singular focus has been to block computer viruses or malware before they affect a user’s computer, and they’ve been wildly successful.
The big companies like McAfee and Symantec use pre-existing definitions and signatures of already detected threats to determine whether or not software one of your end-users downloaded is malicious. Cylance doesn’t do that. CylancePROTECT uses machine learning to protect endpoints.
Math modeling has enabled Cylance to stay ahead of the curve. Their predictive analysis process allows them to quickly and accurately identify what is safe and what is a threat as opposed to using pre-existing signatures to determine what’s blacklisted or whitelisted.
The SANS Community was right to name them the best endpoint protection product of 2016; they deserve it and they definitely earned it. Cylance is the best of the best.
“Being selected the best endpoint security product by the information security community – those using CylancePROTECT to defend their organizations’ information every day – means more to us than any other type of award we receive,” said McClure, co-founder and CEO at Cylance, in a recent press release. “All of us at Cylance grew up in that community and nothing pleases us more greatly than knowing we are helping these skilled specialists fight and win this battle.”
The past month hasn’t all been good news for Cylance, though. They’ve had to defend themselves from attacks and accusations of fraud. Some of their competitors have stated that the files Cylance supplies to partners for testing CylancePROTECT, and the testing methodology itself (outlined on Cylance’s Test for Yourself page, https://www.cylance.com/knowthetruth), are flawed, and that the company has been cheating its way to good reviews and high praise.
We won’t get into the nitty-gritty of what’s being said. We’ll leave that up to the articles in ArsTechnica [https://arstechnica.com/information-technology/2017/04/the-mystery-of-the-malware-that-wasnt/] and Forbes [https://www.forbes.com/sites/tonybradley/2017/04/21/dont-shoot-the-messenger-cylance-didnt-break-av-testing/#78970b077f26].
However, we did reach out to Chad Skipper, Cylance’s VP of Industry Relations and Product Testing, to get a better grasp on what exactly Cylance sends out to its partners and what’s going on with these accusations.
Skipper said that, in order to learn rapidly, the company has an internal process in which it downloads malware samples via an API from a well-known virus aggregation site and feeds them to CylancePROTECT.
The samples are sent through an automated packing system that alters the malware and creates new, mutated versions. He said this was done so Cylance could test the efficacy of its own product, as well as others’, against unknown threats.
“In other words, while the industry standard is to compare anti-malware products by detecting and blocking a library of known threats, the files from Cylance are actually a more authentic reflection of what an organization will be faced with in the real world,” Skipper said. “The reality is that attackers are constantly adapting and mutating threats, so being able to detect and block a threat that is already known is almost useless. It’s like shutting the barn door after the horses have already escaped.”
These files were then sent out to partners and third-party sources to use while testing CylancePROTECT. Unfortunately, some of these files (the ones being critiqued by their competitors) were broken, and Skipper fully admits to that.
“We distributed samples that were broken, yes, but only by accident, and any testing or analysis would show they are broken; if the sample doesn’t run, you can’t use it to test efficacy,” Skipper said. “Once the samples were shared externally we realized that there were issues where broken pieces of malware were getting distributed. Automatically UPX packing or MPRESS packing a potentially already packed piece of malware sometimes caused an issue where the malware would not execute, or the packing process would corrupt the sample in a way that prevented execution.”
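The failure mode Skipper describes, a second packer applied to an already packed file, is something a test lab can screen for before a sample ever leaves the building. The script below is an added example written for this article and is not Cylance’s pipeline code: it parses the PE section table of a Windows executable, checks that every section actually lies inside the file (a truncated or corrupted sample fails here), and flags a sample as “already packed” if it carries the section names UPX and MPRESS are known to leave behind or if a section’s byte entropy is near that of compressed data. The 7.0 bits-per-byte threshold is an assumption chosen for illustration, and the sample PE images are constructed in the script itself (they contain no real code and cannot run).

```python
"""Pre-distribution sanity check for a PE sample (added example, not Cylance code):
is the file structurally intact, and is it already packed, so that repacking
it with UPX or MPRESS would likely leave a sample that never executes?"""
import hashlib
import math
import struct
from collections import Counter

# Section names that UPX and MPRESS leave behind in the files they produce.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".MPRESS1", ".MPRESS2"}
HIGH_ENTROPY = 7.0  # assumed threshold in bits/byte; compressed data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe_sections(blob: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table.
    Raises ValueError when a header is missing or a section runs past EOF."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    if len(blob) < coff + 20:
        raise ValueError("truncated COFF header")
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + 40 * i  # each IMAGE_SECTION_HEADER is 40 bytes
        if len(blob) < off + 40:
            raise ValueError("truncated section table")
        name, _vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", blob, off)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        if rptr + rsize > len(blob):
            raise ValueError(f"section {name!r} runs past end of file (corrupt or truncated)")
        raw = blob[rptr:rptr + rsize]
        sections.append({"name": name, "raw_size": rsize, "entropy": shannon_entropy(raw)})
    return sections


def triage(blob: bytes) -> dict:
    """Report whether the sample is intact and whether it already looks packed."""
    try:
        sections = parse_pe_sections(blob)
    except ValueError as err:
        return {"intact": False, "already_packed": None, "reasons": [str(err)]}
    reasons = []
    for s in sections:
        if s["name"] in PACKER_SECTION_NAMES:
            reasons.append(f"packer section name {s['name']}")
        if s["raw_size"] and s["entropy"] >= HIGH_ENTROPY:
            reasons.append(f"high entropy ({s['entropy']:.2f}) in {s['name']}")
    return {"intact": True, "already_packed": bool(reasons), "reasons": reasons}


def build_sample_pe(sections: list) -> bytes:
    """Construct a minimal, non-executable PE image for testing: DOS header,
    PE signature, COFF header, zeroed 224-byte optional header, section table,
    then each section's raw bytes aligned to 512-byte file boundaries."""
    opt_size, e_lfanew = 224, 0x40
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    table, payload = b"", b""
    for name, data in sections:
        size = (len(data) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data),
                             0x1000, size, raw_ptr + len(payload), 0, 0, 0, 0, 0x60000020)
        payload += data.ljust(size, b"\0")
    image = dos + b"PE\0\0" + coff + b"\0" * opt_size + table
    return image.ljust(raw_ptr, b"\0") + payload


# Constructed section bodies (not real malware): readable text vs. pseudo-random bytes.
LOW_ENTROPY_BODY = b"ordinary code and strings of an unpacked section. " * 80
HIGH_ENTROPY_BODY = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

if __name__ == "__main__":
    cases = [("unpacked", [(".text", LOW_ENTROPY_BODY)]),
             ("upx-like", [("UPX0", b""), ("UPX1", HIGH_ENTROPY_BODY)]),
             ("unknown packer", [(".text", HIGH_ENTROPY_BODY)])]
    for label, secs in cases:
        print(label, triage(build_sample_pe(secs)))
    print("truncated", triage(build_sample_pe([(".text", LOW_ENTROPY_BODY)])[:-200]))
```

A sample that comes back with `intact` false should be pulled from the distribution set, and one flagged `already_packed` should be mutated some other way rather than fed to the packer again; either check is cheap enough to run on every file in an automated batch.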
Skipper said Cylance isn’t trying to sweep anything under the rug and it’s why he took the time to talk to Integris as well as Forbes and ArsTechnica.
“We aren’t trying to hide anything, but we are disrupting the industry in a major way… antivirus companies have never distributed samples before to allow customers to test for themselves and that’s all we are trying to do,” he said.
When it comes to the negativity being spread by their competitors, Skipper has a clearly defined stance.
“Don’t believe a report that was written or paid for by a marketing department,” he said. “You are a technical decision maker; make your own decision, don’t let someone else do it for you.”
Skipper also encouraged people to sign up for Cylance’s upcoming Underworld Tour Demo. People in attendance will be able to see a live test and ask questions about the product directly.
“We do a live demo right in front of you,” Skipper said. “And if you bring a flash drive we’ll even let the malware go home with you for your own analysis.”