In 2012, Stuart McClure founded Cylance, a company which applies artificial intelligence to predictively identify and stop cyber attacks prior to execution. He gave us some of his top tips for what to expect in 2015.
He was visiting Australia for the Australian Information Security Association (AISA) national conference held in Melbourne, where he shared his "13 deadly sins of security: separating myth from truth", and to launch Cylance into the Australian marketplace.
Prior to starting up Cylance, McClure launched security consulting services provider, Foundstone, which was purchased by McAfee in 2004 for $US86 million. He has also published a book, Hacking Exposed: Network Security Secrets and Solutions.
What are you doing in Australia?
I was in Melbourne for a talk I gave at AISA, which was all about the top myths of cyber security.
All of us have been brainwashed to believe that certain things exist and they really don’t. My goal is to try and highlight which are myths and not truths.
One of the things that I brought up, and I got a bit of push back when I spoke about it, was independent testing agencies. I didn’t name them in my talk, but they just don’t test products, they don’t test efficacy.
They’ll tell the public that these products will protect you against 100 per cent of security threats, but it’s not true - not by any stretch of the imagination and I can prove it a thousand times - live and all.
The problem is, the public doesn’t know the truth. The public just follows what these testing agencies tell them is true and they are lying. I don’t think they mean to lie, but the problem is they get their money from antivirus vendors, not from the public, so their interests are aligned with antivirus companies and they’re going to pass them because there’s no such thing as a 98 or 99 per cent score as acceptable.
My big push is to challenge these vendors, don’t accept these 100 per cent scores because they’re fallacy, myth, a fantasy, and I can prove to you all day long, in any form.
What drove you to start up Cylance?
I’ve been embarrassed with previous companies that I’ve worked with and trying to pitch technologies that really didn’t help anyone. I used to joke and call myself the chief apology officer. I would just travel around the place and say “sorry we couldn’t protect you here and had problems there, etc, etc” - that’s all I really did. It was very disheartening, especially when you knew how to solve this problem, but we just couldn’t do it.
I used to do all these talks and would always get one question “Stuart, you’re the Hacking Exposed guy and I’m sure everyone targets you - what software do you use to protect your own computer?” I don’t say anything, because I never used any technology. But here I was working for the number one antivirus vendor globally, and I was their Chief Technology Officer, and I have to stand there and say I don’t use any of our own products. It’s embarrassing, but it’s the truth, because they just don’t work.
I always explain it away because I know what to not click on or open and not execute and I know where the threat factors are. As I left, I thought 'why couldn’t I get a computer to think like me?' and that was the impetus behind Cylance. I’m a programmer by education and I think about solving problems with software, this was one of them.
We use advanced algorithms to allow a computer to learn on its own and because of that, it allows us to do pre-execution prevention. We never have to run or open or start anything that isn’t safe.
There is a brand new way to think about the problem and there’s a revolutionary way of doing this, and don’t listen to the masses, just trust yourself.
Technologically, Cylance is at least a couple of years ahead of the market.
The security market is huge with lots of players, what makes Cylance any different to anyone else?
Everyone keeps telling everyone they have a better solution, but ultimately what they’re doing is taking a different slice of the problem and saying we do this the best, whereas no one is really taking a look at the core of the problem and hitting it at the core. That’s what we’re doing, we look at everything that tries to execute on a computer system and we can tell you if it’s going to be malicious or not.
What our technology does is silence the hackers and cyber attacks. Our technology is blocking these known attacks and unknown attacks that haven’t been seen before.
We’re also internationally expanding our US-based company into Sydney, Melbourne, Singapore and Japan and a few other APAC and EMEA countries in the next three to six months.
We challenge the world to test us out, run any virus, worm, attack, advanced threat, anything - adware, spyware - and let’s see if we catch them. It’s that simple - a throw down challenge.
What are some of those top security myths?
There’s a myth that all of these attacks are so sophisticated, advanced, you just can’t understand how they work because they’re just so brilliant, all these hackers are just brilliant. And that’s just not true. 99.9 per cent of people just use the same things that everyone else has been using all day long. There’s no uniqueness, creativity, individuality or sophistication, all the techniques that are being used today, are well known in the industry and have been well known for decades.
There’s nothing new. It’s just unfortunate that the whole industry has perpetuated this myth because their technologies don’t prevent it. “I’m so sorry that we couldn’t get that attack, it’s just these guys are so sophisticated and it’s so hard to keep up, but we have people working around the clock for you and all you need to do is just install this new update and we’ll get you protected.”
It’s just ridiculous and not true. So I’ve been a big proponent of trying to defuse that myth and it was the main driving myth behind writing my book, Hacking Exposed. I would get so sick and tired of seeing all these newspaper articles where a 13 year-old in a basement, a brilliant hacker, hacked the ABC. Then when I looked into it, they used a free tool that anyone can download - there’s no brilliance in that. I wanted to expose the hacking.
Another myth that’s interesting and we keep hearing about is ‘antivirus is dead.’ I wanted to clarify this - AV as we know it is dead, the need for AV on an endpoint, is always going to be there. But AV as we know it, just doesn’t work anymore.
'Attribution matters' is another big myth, but really the only people that need it are law enforcement. A lot of companies want to know who did it, who hacked into my banking website. Not that they’re going to go after them legally or try and hack back or punish them - it’s psychological comfort. You will never really know who the real source is because you can be so anonymous. You end up losing countless hours, days and weeks - it’s counterproductive.
My other frustration is 60 per cent of attacks or more never use malware of any sort.
Malware is defined as malicious software, it can be used maliciously in any way shape or form and the only people that are perpetuating that myth are the ones that don’t look at malware because it just doesn’t happen that way. 99 plus percent of all the incidents that we look at as a company, there is some form of malware in those attacks.
What are your expectations for the Australian market?
I have short and long term expectations. Our long term expectation marries up to our goal as a company to protect every computer globally. Our short term goal is to stand up a regional team out of Sydney to not just represent the country, but to also run our APAC operations out of here.
We’ve been hiring frantically and we’ve got some big customer names that are already testing our product here. We have three or four Australian customers and now that we’re picking up steam, we have about two dozen evaluations going on in very large companies. We’re well on our way to having some major deployments here. Government will take longer, but the goal is to get them to see what we have.
We have a premier partnership with Aquion.
We’re at 175 employees at the moment. We’ve got operations here, we’re starting up in Sweden, EMEA and then heading to London. That will all happen in the next couple of months.
What are the markets that you’re targeting?
The short term is enterprise, mid-market and a bit of SMB. Long term, it will be all markets - consumer, SMB, federal and so on.
Typically most security companies sell into the ‘Chief Security Officer’, but we usually sell to the CIO. The way our technology works dramatically reduces operational overhead. What it takes to maintain technologies in current environments can be adjusted based on our technology, because you just don’t need that many people any more.