Deep Learning Framework

Episode 279

6/2/2022


How do state-sponsored cyber-attacks impact the techniques of the common cyber-criminal? On this week’s State of Identity Podcast, host Cameron D’Ambrosi welcomes Chuck Everette, Director of Cybersecurity Advocacy at Deep Instinct to discuss today’s evolving cyber threat landscape and why current defenses are light years behind.

Host:

Cameron D'Ambrosi, Managing Director at Liminal

Guest:

Chuck Everette, Director of Cybersecurity Advocacy at Deep Instinct


Cameron D’Ambrosi [00:00:04] Welcome everyone to State of Identity. I’m your host, Cameron D’Ambrosi. Joining me this week is Chuck Everette, Director of Cybersecurity Advocacy at Deep Instinct. Chuck, welcome to State of Identity.

 

Chuck Everette [00:00:15] Well, thanks for having me. This is great.

 

Cameron D’Ambrosi [00:00:17] It’s my pleasure. You know, you are sitting at the intersectionality of, you know, one of I think the most relevant areas across the economy today, which is cybersecurity. I don’t think there is a C-suite executive that isn’t losing some amount of sleep on a weekly or monthly basis, thinking about cyber risks and threats to their business from this side of things. So very timely. A lot of hacks in the news as always, and really excited to get your perspective on kind of the state of affairs and how folks should be thinking about these challenges. But before we do that, you have quite the distinguished resume, if you don’t mind me saying, over 25 years in the broader I.T. industry. Would you mind walking us through a little bit of that background, kind of how you came to become the Director of Cybersecurity Advocacy at Deep Instinct and what that career path that got you here looks like?

 

Chuck Everette [00:01:20] Absolutely. Yeah, I know. I started back in pre-college and during college running networks at the local college, and I worked for manufacturer Kraft Foods, Philip Morris. I worked on the automation side there. Then I got involved with the security of the networks, of separation between manufacturing productivity and office, corporate networks, those type of things. And it just naturally evolved more to a security role with firewalls evolving from there. And then I moved into the financial space. So I worked with two of the largest financial companies that handle banking traffic in the world. That’s us and Pfizer. I manage a 60 person SOC. They’re managing about 80% of United States banking traffic. And with that, I got exposure into money laundering, cyber espionage, working with a lot of three letter agencies, tracking money where things are going on when there’s major breaches happening, because typically those transactions would have gone across my networks working with them. And with that I got involved a little bit further into security in the roles of incident response and threats, really digging into it that really got my catalyst going, and then I jumped into the vendor space. I helped stand up Carbon Black, which was purchased by VMware, and then I was approached by Deep Instinct when they basically came out and said they had this technology that nobody else had, and kind of called them out on it. And I went toe to toe with the CEO for a couple-hour chat and got my hands on the software, tore it apart. And I’ve actually been here for five years now, which in the cybersecurity industry being five years at one company is extremely rare. But I’m here because of the technology and what it can do, you know, what we’re doing for the future of cybersecurity.

 

Cameron D’Ambrosi [00:03:15] So I love it. Yeah, five years is practically, you know, gold watch and lifetime achievement award territory, especially these days. Very excited to kind of continue unpacking some of your broader perspectives on the space and what you have learned more holistically throughout your time in touching on all these different facets of this, you know, cybersecurity challenge that all enterprises are, quite frankly, facing, or if they’re not facing them, they’re facing the consequences of having a poor security posture. But before we do that, would you mind sharing just a little bit about Deep Instinct? You know, you mentioned the platform, this really unique approach that they’re taking to cybersecurity. What’s a 15,000 foot overview of what you’re building at Deep Instinct?

 

Chuck Everette [00:03:59] Absolutely. Best way to put it is. It’s using a new form of advanced AI that we built from the ground up, which is recognized as a new framework called Deep Learning. And it’s a deep learning framework specifically built for cybersecurity. There’s a lot of deep learning used out there. Always use the analogy of, Hey, everybody’s got an iPhone. Five years ago, were you using Siri? And most answers are no is because it really wasn’t relevant and people didn’t start using it until deep learning was adapted into it and it became usable. It was productive. Deep learning is the same way when it’s applied to cybersecurity, but it’s got to be built the proper way and built from the ground up. There’s a lot of different avenues, you know, using TensorFlow and building your own. There’s language recognition, image recognition, self-driving. But for cybersecurity, you can’t take any of these existing models. And so we had to build it from the ground up. So we got one of the top experts in the world, along with some cyber research, our cofounders out of Israel, and they developed this product that utilizes deep learning and it literally can predict because it trains, it actually mimics the human brain. That’s the caveat with deep learning. It’s not machine learning. It doesn’t work off of basically like a flow chart. It literally thinks like the human brain, you know, neuron connectors between them, different layers. And because of that complexity, it can actually identify malicious files when others would only be looking for patterns. And so it’s it’s really changing the landscape out there. And it’s been evolving and growing for the past eight years.

 

Cameron D’Ambrosi [00:05:44] That’s super fascinating. So I guess to unpack a little bit about that, maybe it would be helpful to get some more context from you as to the evolving threat landscape. And maybe I’ll take a stab at this as a, you know, an advanced layman, if you will, and you feel free to jump in and tell me, Cameron, you have no idea what we’re talking about here. But it seems to me that these cybersecurity technologies are becoming necessary specifically because of how this threat landscape has evolved. Threat actors are becoming that much more skilled at making sure that their payloads are not detectable through the standard mechanisms. Legacy antivirus, which really is about, you know, almost, right, having a dictionary of here are the signatures of these malicious files, and if I see one of these files, that’s bad, we’re going to keep it out. The problem is they’re getting really good at obfuscating the signatures on an evolving basis to keep, you know, even known payloads from being detected. And beyond that, a slight tweak to make that signature completely different means that you are vulnerable to this attack unless someone else has fallen prey to it first, and then Microsoft or Norton or whoever else propagates that threat signature across their network, which, you know.

 

Chuck Everette [00:07:03] For.

 

Cameron D’Ambrosi [00:07:04] Major companies, that’s too late. That’s not enough. That’s not enough protection. You can’t rely on someone else having been compromised first in order to defend yourself. And then the second element is this ever expanding set of endpoints, you know, with whether it’s remote work, whether it’s IoT sensors, whether it’s mobile channels, whether it’s BYOD. You cannot draw a hard perimeter around your network in the ways that you used to be able to. There’s too many endpoints, and assuming that you’re going to build an impenetrable wall around them and only keep the bad guys out and only let the good guys in is a paradigm that seems untenable, and that goal is unachievable. And so correct me if I’m wrong, but, you know, the approach that Deep Instinct is taking is we are going to apply this advanced machine learning to these challenges to, say, the brains of a human analyst that can detect patterns and suspicious behaviors proactively before something happens, before the signature of this malware is propagated out and before. Or because you’re unable to seal off the endpoint. This is the only way that you’re really going to counter these next level threats, whether it’s nation states or kind of advanced, well-funded criminal gangs, for lack of a better word. Am I over the target here?

 

Chuck Everette [00:08:30] Yeah, you’re absolutely. And, you know, as you had multiple points there, the issue is literally like an onion and it’s just getting thicker and thicker and building up. And you kind of have to kind of dig down to there’s not just one problem, there’s multiple, but they’re all kind of leading to the same thing. And how do you solve these multiple issues? Because as you put it, the threat landscape is changing. It’s evolving. The digital transformation, the cloud migrations, the, you know, the pandemic and the knee jerk reaction to get everybody to work from home changed the landscape. And that’s, you know, it had like a three, was it 600% increase in phishing attacks because of that. Clients’ and organizations’ assets are no longer within the four walls of their data center or within their organizations. They don’t have the same security controls that they did now that they moved to the cloud or their data. Now the data at rest is sitting on laptops in places. You know, we have, you know, digital nomads, basically meaning employees can work anywhere in the world they want. So they’re sitting on these other dirty networks, cross-contamination, things popping through. So, you know, that’s the whole threat landscape. But on top of that, you have the evolving threats and the sophistication and the frequency that they’re increasing coming in, but also to the level of what we’re calling adversarial AI that these cybercriminals now are employing to get around the more sophisticated tools. As you kind of start off with the history of antivirus and endpoint protection was the legacy of what we call it, and that’s typically signature based, some little bit of machine learning. Heuristics looking for minor patterns. But it was all about, hey, we know this is bad, we’re going to blacklist it. And then basically we come across the come from there. Problem is, there’s like 2.5 million different variants coming out on a weekly basis, new variants. 
And a lot of those are polymorphic, meaning that they change themselves every 15 minutes, 5 minutes. They’ll flip when they go someplace else. So you can no longer track them. So that whole analogy of, you know, blacklisting at the door and not letting on, not letting the bad people in from which you can’t tell who the bad people are anymore. And so how do you defend against this as well then, as the threats are getting more sophisticated? Because we’re having nation states developing techniques and tactics just, you know, two or three years ago we saw with some of those techniques, it would take about two weeks to a month before some of these criminal gangs would pick those up and start utilizing that. Now we’re seeing like when the Log4j came out in November, December, we saw within 2 hours. Two of the well-known cyber gangs out there had actually already picked up, put it in their code within 2 hours and already infected two additional hospitals within the first 6 hours of that vulnerability exploit coming out. So how do organizations keep up with that when a vulnerability is just detected? It comes through and they’re picking up on it even faster because, you know, there’s chains, controllers, other things. You have to identify where you need to patch. How can you protect against that? And that’s the challenge where, why Deep Instinct kind of evolved or what it does because of the threats are coming in. You need to be able to identify them not in a delayed because traditional machine learning that a lot of the next gen endpoint products or EDR products uses machine learning which has to go to the cloud, make a decision or look for multiple different types of triggers before then it will react. And the problem is that takes time and what we call dwell time, it allows basically the malicious actors to be on your network, doing other things, putting backdoors in. It’s expanding, sending out crypto worms, looking for other places. 
And a lot of times it’s cat and mouse where they’ll do something over in the left hand side, but they’re actually doing something else over here on the side that you’re not noticing because they’re trying to distract you or they start blasting on so many different, you know, living-off-the-land attacks which basically normal operation but it’s hard to tell is this malicious or not for it out there and then they’ll sneak in a couple other little commands. I mean, I just was talking to an organization last week that, you know, they get 500,000 alerts a week and they can’t tell good from bad. They’re just 100% reactive. And it takes them sometimes days to react to an alert or by then it’s too late. So you need something that can make that decision almost immediately. But it has to be done in a way that doesn’t create false positives because false positive you block something that’s actually legitimate, you’re interfering with production, you’re interfering with some of these job. In some cases, this critical stuff for even hospitals, it’s life and death. So it has to be a decision that is made firmly and correctly. Hey, this is benign or malicious, and that’s where deep learning comes in. When it’s done right and done from the ground up. It is absolutely phenomenal. As I said, I’ve been doing this for 25 years. I’ve never seen anything else like it.

 

Cameron D’Ambrosi [00:13:32] So from that deployment perspective, I mean, I think that’s what’s most interesting to me about using deep learning is, and correct me again if I’m wrong here, this is, it’s unstructured learning in the sense that you are not training, like when you go to deploy the solution, you do not have to train it up on a defined set of good and bad example cases. Do you just kind of let it loose on the network and it sniffs normal operations for a set period of time and then that’s what it’s using, excuse me, moving forward to make these decisions, or how do you get this platform up to speed to make sure that it is, you know, detecting ransomware deployment, but not, you know, shutting off Mimi’s ventilator in the COVID ward?

 

Chuck Everette [00:14:20] Exactly. We do not do any training in clients’ environments. Everything we’ve done is in the lab. And so what we’re doing there is that we have a large team of some of the world class threat hunters out there. They’re collecting new threats from the dark web, from other, you know, threat actors, things like that. We’re getting those and we’re testing against our solution. Our solution has been training now for over eight years. And just like a human brain, it’s getting smarter and smarter to the point where we feed in hundreds of millions of samples and it’s able to determine this is benign or this is malicious without any training or supervision from ourselves. We’ve regularly been training this, as I said, and we put out an update typically 1 to 4 times a year. We don’t have to put out daily updates for, you know, signature updates like other vendors. We don’t have to put up, you know, daily or weekly machine learning algorithm model changes, our deep learning learns and is able to sit there and be just as effective today that it would be in six months from now. And that’s the magic of deep learning. And these algorithms that we use, we call them our brains. And our brains have just this capability of knowing this is malicious or this is benign by scanning the entire file. But they do it so fast and they can detect and prevent something pre-execution. And that’s the key here is that. All the other products out in the market right now. The file has to be downloaded and then executed and then it watches what it does looking for these triggers. We actually look at the entire file and say, you know what? We can tell that there’s some malicious code in here. We can tell and we’ll let you break it down and we’ll actually classify and say, hey, you know what, this is a very high threat here is 50% spyware, 25% ransomware, and, you know, another 25% crypto worm. We actually break it down and tell you what it is. 
So you’re not getting these random blocks and preventions. We’re actually breaking it down, telling you, hey, this is what it is and this is why it’s malicious. We stop it. I’ve been personally tracking for the past 18 months, since January of 2021, every major IOC. That’s indicator of compromise that’s been released to the press. All the big ones you hear out there, you know, every week you’re hearing about somebody new coming out there. We get our hands on it and then we test it. And when we test it, say, hey, would we have prevented this? We test it with a brain or algorithm that’s six months to a year old. And I can tell you that we would have prevented those major attacks out there from Conti and Hive and LockBit 2.0. Last year, you know, dark matter. All those attacks, all those major ones out there. These are all attack patterns. You know, they modify and they change them. Some of them they put out weekly updates on cyber criminals, have, you know, subscriptions to them. They can get, you know, weekly updates on the ransomware attacks. We stay in front of that and we have that predictive model. So we’re making clients and environments now instead of being 100% reactive and counting, chasing after these alerts, these are out there. We’re stopping initial attacks within 20 milliseconds before it’s executed. And then as a result, all of the white noise and the other traffic, the East-West lateral movements going on, the spreading out, all the other triggers are on there are dropping down. And so not only do our customers get the protection of this hyper advanced deep learning to prevent threats, but also they’re getting back valuable time because of their IVR systems, their SIEMs are not being inundated with all of this white noise and all these other alerts. Some of our customers are reporting 25 to 60% drop in alerts coming in, allowing them basically to get Deep Instinct’s high fidelity alerts. 
And then from there, they can figure out, okay, I just blocked something. Where is this coming from? And so, you know, Vulnerabilities is a big one right now. Well, we don’t patch the vulnerabilities, but what we do is that those are entry points. And as soon as a cybercriminal goes to utilize or exploit one of those vulnerabilities, we can see as they’re writing to memory, as they’re writing to disk before they do an executed, that some type of malicious activity is going on. We stop it and prevent it. We then give the security teams a high fidelity alert saying, hey, this just happened. Go find out what happened. Okay. Did an employee misconfigured server leave something open or do we have a new vulnerability? Where is this coming from? And it really allows them to hone in and find out where it came from, what’s going on. Regardless of the entry point, it could be somebody clicking on a phishing email. It could be a vulnerability. It could be somebody misconfigured, a server because you know, most, you know, 90% of successful cyber attacks either get their start in some type of human error.

 

Cameron D’Ambrosi [00:19:14] On that human piece. I think one of the more interesting elements where this type of technology has a tremendous amount of applicability is insider threats. You know, where, again, traditional, whether it’s rule based or even identity based systems, cannot necessarily defend against an internal threat. It sounds like the Deep Instinct platform excels at identifying folks who are, you know, Breaking Bad, you might say, in the parlance of our times. And that’s because malicious behavior looks malicious, no matter who is perpetrating it or what login or credentials they might be attempting to use to initiate the attack. Is that safe to say?

 

Chuck Everette [00:20:01] Absolutely. And there’s actually been a rise on that because of these ransomware gangs, they’re operating as a ransomware as a service or ransomware as a company. They actually have marketing teams, they have weekly meetings, R&D meetings, those type of things. But they also have an affiliation program, meaning basically if you can come in and help get their foot in the door, meaning that basically you allow an attack to take place, you help perpetrate that, or you do a misconfiguration or you click on something to allow them to come in. They’ll give you a percentage of the ransom that they get. And just two years ago, that was 20, 30%. It’s up to 80, 90% in some cases now that we’re seeing. And so, hey, you come in, you know, they’re going to help you. You know, the insider threat is going to help you get to the keys to the city, asset your domain controllers, your production servers, your Web servers, things that are going to make the most pain for you. Therefore, you’re going to go do a knee jerk reaction and pay that ransom as fast as possible, cause that’s all they want. They’re all about making money, literally. It’s on their English facing marketing websites. It says right there, they bring together people for one purpose, and that is to making money. And so the sooner they get the money, they can do that. So, you know, you get somebody that’s, you know, making minimum wage or not happy. They’re disgruntled, hey, they get passed up for something. They then go to execute something because they have the right to do so. Or they open the doors. Once that malicious payload gets inside there and we start seeing it, bingo, we prevent it, we stop it, and then we identify that threat before it can be taken advantage of. And that’s a key thing with defense. 
Doesn’t make a difference where the entry point is, as I said, phishing, insider threat, misconfiguration, vulnerability, Deep Instinct knows it’s a malicious activity and stops it in those malicious files. One thing to know out there is like 80% of all successful breaches are from zero or unknown attacks, zero day, which basically means a vulnerability, or unknown attacks, or basically means that 80% of them that nothing’s been seen before. And that’s where a lot of the current next generation security solutions are failing because they work off of machine learning. These cybercriminals have their own machine learning algorithms, and they’ve learned how to trick the systems and saying, hey, you know what, this is benign. They know how to get around and evolve the system first. When they give you the system actually looks at, Hey, they’re Slavic keyboard, yes or no. If there is one, they drop it. They typically come out of a Russian. They don’t attack from the second ones. They look for Microsoft. Shadow copy basically means your backups. They’re going to corrupt those. They still look that they’re happening, but they’re not. It’s going to prevent rollback features, those type of things. So other security solutions, 76% of ransomware has that built in. So you can’t even depend on your backups and they’ll sit there for X amount of days until they get past that point of, okay, you can’t rollback. It’s going to be extremely painful for you to roll back two weeks now to do that. And then, you know, they’re continuously evolving. But these attacks that are coming in are that 80%, 60% of those are on the endpoint. Endpoint is where it comes from, either be workstation, laptop or server, even mobile devices now or has a huge uptick on it is where they’re attacking. And so you need to be able to identify that and stop that. 
Well, the problem is, as work from home has gone out, spread out, a lot of the things are out there and the problem is delayed reporting coming in and by the time it gets reported is that it’s already too late. As I said, a lot of the solutions I’m seeing five, six, seven minute delay. But a tablet, if it’s a newer zero day, they’re going to bypass it. They’re going to get full access to the system and it’s going to be out of luck. Machine learning takes weeks to program out a new model that can pick it up. Yeah, the blacklisted. But the problem is, as soon as you change, one little change, like you said earlier, they’re able to get around it. So having something like our deep learning that is predictive allows the owner of the enterprises and the environments out there to be proactive instead of reactive is the next generation because you had to get in front of it. Because that’s one thing you got to realize, too, is that these successful attacks coming in, over 50% of them are ransomware attacks. And then once you get that ransomware attack, 77% of the time they’re hit again more than once. There’s been some large, let’s just say, cruise ship companies out there. They’ve been hit four or five times now. They originally got in a year and a half ago. They’ve been hit multiple times because once they got inside there, the cybercriminals ran rampant. They put backdoors in, they extracted other data, they’ve gone back and your double extorted triple. Now they’re going after some passengers because they got medical and financial data. It just, it gets from there and then the reputation damage that these companies and organizations suffer, sometimes they can’t recover from it. There was a number in CNN Money a couple of years back of 22% of businesses, small businesses that are hit by ransomware, go under. They’re gone. They can’t recover from it. So why not prevent it instead of, you know, waiting for it to happen or responding after the fact? 
It’s a fundamental mind shift out there. I myself as a deputy CISO, I was out there. If you would have told me I could have prevented stuff. I would have laughed you out and said, absolutely has been beaten into us over the years. That you can’t prevent the unknown. You can’t do it. It’s not possible. That’s why everybody’s gone to EDR and that’s basically, you know, endpoint detection and response. It’s not working. We’re seeing that over and over again that 80% of successful breaches really show us it is that the cybercriminals have moved on by that they know how to bypass it. The attacks are going up every year and we had to come up with a new solution. And that’s where deep learning and Deep Instinct fills that role.

 

Cameron D’Ambrosi [00:25:52] So what’s next? You know, I think you are very well positioned to make some prognostications. I love asking my guests to pull their magic crystal ball out and make some calls on what we can expect to see. You know, looking at the cybersecurity space, what do you see coming down the pike, either from the defensive angle as well as from the offensive cybercriminal angle? Do we expect all of these trends that we’re already seeing to accelerate? Are we about to hit an inflection point where finally platforms like Deep Instinct are going to be on the front foot? Or is this surge and continuing pressure from cybercriminals set to push forward unabated now and into the future?

 

Chuck Everette [00:26:37] I’ll address the evolving threats coming out there. They’re increasing and it’s a cat and mouse game. And remember what I said. Their main goal out there typically is make as much money as possible until there is an adaptation and a consensus of everybody getting together, putting up the defenses. They’re always going to be going after the weakest link, the easier targets. So other organizations that are adapting Deep Instinct that they’re elevating up, they’re getting out there. They’re getting the defenses built up because, you know, we have false positive guarantees. We actually offer, you know, $3 million ransomware warranty that we’ve had that backed by Munich Re now for 18 months. And no customers have to take advantage of it because we’ve had no customers breached by ransomware. Bold statements, but at the same time, not everybody is adapting a solution like ours. Therefore, they’re always gonna be going after the weakest link and one of the major weakest links I’m seeing right now. And that is the industrial control space. And the OT space. And we’re seeing a huge, huge uptick on that in the past six months. It’s growing because those environments typically are set up and kind of forgotten about it in a sense, because they’re production lines, they’re running, they do the maintenance on it. But now with Industry 4.0, which is basically the automation of manufacturing plants, critical infrastructure, water, oil, energy, those type of things, they’re being, these devices now are being connected to networks, to the web. And because of that, it’s putting them at risk. And the problem is there’s cross-contamination between the corporate and other environments, networks being combined with what they’re being exposed to, the World Wide Web, to local LANs. That’s just giving that attack footprint. And because of that, we’ve seen a huge, huge uptick. 
I think right now the numbers when I ran them just earlier this week, it was like 70% of the attacks in the industrial control space is on the manufacturing side because they know these manufacturers, they have to, you know, the recovering from the pandemic. They have to keep up with production, any interruption they’re going to pay or, you know, that’s what they’re hoping. Or even take the automotive industry. Automotive industry. There are contracts built in for their suppliers that if there’s any interruption of the automotive companies getting these critical suppliers to build the vehicles, they can actually go into the supplier’s plant, take it over, or remove their dies and infrastructure and take it to another supplier to continue it on. Cybercriminals know this. And so they’re attacking automotive suppliers at a higher rate right now in the past three months because they know those guys are critical and any interruption. They know the automotive industry will come down on them. Those type of things. We’re seeing critical infrastructure. We’ve seen tools utilized by Russia in the war against Ukraine. We’ve seen that over and over again. We’ve seen applied both directions. And now we’re seeing those attacks being adopted by these cyber elements and being used throughout the world, including the United States, as a huge target for that has been coming up. So attacks on our critical infrastructure utilizing these industrial controls is absolutely huge growing risk that we really need to shore up and get in front of because it’s not going to get better. And it’s an easy target right now. From the deep learning side and Deep Instinct side, let’s just say what I can say here, and deep learning as applied to cybersecurity, it can be applied beyond the endpoint. It can be applied to the cloud, it can be applied on the wire network side. It can be used multiple different spaces that is being explored and looked at. And I can definitely see where deep learning, because of its sophistication and its ability to, in a sense, predict the threats and stay in front of them, is absolutely critical to cybersecurity as a whole moving into the future. And it is the future.

 

Cameron D’Ambrosi [00:31:01] I love it. Couldn’t agree more. And look, this is only going to become more critical, like everything is tied together, whether it’s ransomware, whether it’s data breaches, whether it’s just good old fashioned nation state espionage or industrial espionage. It’s all tied together now in this realm. Gone are the days in which the notion of security through obscurity was something you could count on as an enterprise to keep yourself protected. If you have a poor security posture, you will be found out. Someone will exploit it, and you will have want to say you have no one to blame. Obviously the criminals are to blame, but can’t just sit back and assume that you can skate by without having a more aggressive posture on your end. So, Chuck, for folks who are listening, who want to learn more about Deep Instinct, where to go, how to deploy it, you know, should they get in touch with you? Should they go to the Deep Instinct website? What’s the best place for them to go?

 

Chuck Everette [00:32:05] Absolutely. Deep Instinct website, deepinstinct.com. It’s out there. I’m on LinkedIn, guys. Feel free to look me up. I put out content on a weekly, daily basis quite a bit, talking about threats, talking about new stuff. I typically, as I said, I don’t come across salesy. I am, you know, my hands rolled up, threat researcher slash advocate, educator, collaborator. We are all in this together because they’re going to be going after the weakest link. And the problem is that weakest link is still connected to us and we need to defend that. So we’re here to help.

 

Cameron D’Ambrosi [00:32:36] Amazing. We’ll be sure to include those links in the show notes below. Chuck, thank you so much for your time. Greatly appreciate it. And looking forward to talking again soon.

 

Chuck Everette [00:32:45] Great. Thank you very much for having me.

Cameron D’Ambrosi [00:00:04] Welcome everyone to State of Identity. I’m your host, Cameron D’Ambrosi. Joining me this week is Chuck Everette, Director of Cybersecurity Advocacy at Deep Instinct. Chuck, welcome to State of Identity.

 

Chuck Everette [00:00:15] Well, thanks for having me. This is great.

 

Cameron D’Ambrosi [00:00:17] It’s my pleasure. You know, you are are sitting at the intersectionality of, you know, one of I think the most relevant areas across the economy today, which is cybersecurity. I don’t think there is a a C-suite executive that isn’t losing some amount of sleep on a weekly or monthly basis, thinking about cyber risks and threats to their business from this side of things. So very timely. A lot of hacks in the news as always, and really excited to get your perspective on kind of the state of affairs in and how folks should be thinking about these challenges. But before we do that, you have quite the distinguished resume, if you don’t mind me saying over 25 years in the broader I.T. industry, would you mind walking us through a little bit of that background, kind of how you came to become the director of cybersecurity advocacy at Deep Instinct and what that career path that got you here looks like?

 

Chuck Everette [00:01:20] Absolutely. Yeah, I know. I started back in pre college and during college running networks at the local college and I worked for manufacturer Kraft Foods, Philip morris, I worked on the automation side there. Then I got involved with the security of the networks of separation between manufacturing productivity and office, corporate networks, those type of things. And it just naturally evolved more to a security role with firewalls evolving from there. And then I moved into the financial space. So I worked with two of the largest financial companies that handle banking traffic in the world. That’s us and Pfizer. I manage a 60 person SOC. They’re managing about 80% United States banking traffic. And with that, I got exposure into money laundering, laundering, cyber espionage, working with a lot of three letter agencies, tracking money where things are going on when there’s major breaches happening, because typically those transactions would have gone across my networks working with them. And with that I got involved a little bit further into security in the roles of incident response and threats, really digging into it that really got my catalyst going and then I jumped into the vendor space. I help stand up Carbon Black, which was purchased by VMware and then I was approached by Deep Instinct when they basically came out and said they had this technology that nobody else had and kind of called them out on it. And I went toe to toe with the. CEO for a couple of our chat and get my hands on the software toward a apart. And I’ve actually been here for five years now, which in the cybersecurity industry being five years of one company is extremely rare. But I’m here because of the technology and what it can do, you know, what we’re what we’re doing for the future of cybersecurity.

 

Cameron D’Ambrosi [00:03:15] So I love it. Yeah, five years is practically, you know, gold watch and and lifetime achievement award territory especially these days a very excited to kind of continue unpacking some of your broader perspectives on the space and and what you have learned more holistically throughout your time and in touching on all these different facets of this, you know, cybersecurity challenge that that all enterprises are, quite frankly, facing, or if they’re not facing them, they’re facing the consequences of of having a poor security posture. But before we do that, would you mind sharing just a little bit about deep instinct? You know, you mentioned the platform, this really unique approach that they’re taking to cybersecurity. What’s a 15,000 foot overview of of what you’re building if deep instinct?

 

Chuck Everette [00:03:59] Absolutely. Best way to put it is. It’s using a new form of advanced AI that we built from the ground up, which is recognized as a new framework called Deep Learning. And it’s a deep learning framework specifically built for cybersecurity. There’s a lot of deep learning used out there. Always use the analogy of, Hey, everybody’s got an iPhone. Five years ago, were you using Siri? And most answers are no is because it really wasn’t relevant and people didn’t start using it until deep learning was adapted into it and it became usable. It was productive. Deep learning is the same way when it’s applied to cybersecurity, but it’s got to be built the proper way and built from the ground up. There’s a lot of different avenues, you know, using TensorFlow and building your own. There’s language recognition, image recognition, self-driving. But for cybersecurity, you can’t take any of these existing models. And so we had to build it from the ground up. So we got one of the top experts in the world, along with some cyber research, our cofounders out of Israel, and they developed this product that utilizes deep learning and it literally can predict because it trains, it actually mimics the human brain. That’s the caveat with deep learning. It’s not machine learning. It doesn’t work off of basically like a flow chart. It literally thinks like the human brain, you know, neuron connectors between them, different layers. And because of that complexity, it can actually identify malicious files when others would only be looking for patterns. And so it’s it’s really changing the landscape out there. And it’s been evolving and growing for the past eight years.

 

Cameron D’Ambrosi [00:05:44] That’s super fascinating. So I guess to to unpack a little bit about that, maybe it would be helpful to get some more context from you as to the evolving threat landscape. And maybe I’ll take a stab at this as a, you know, an advanced layman, if you will, and and you feel free to jump in and tell me, Cameron, you have no idea what we’re talking about here. But it seems to me that that these cybersecurity technologies are becoming necessary specifically because of how this threat landscape has evolved. Threat actors are becoming that much more skilled at making sure that their payloads are not detectable through the standard mechanisms. Legacy antivirus, which really is is about, you know, almost right having a dictionary of here are the signatures of these malicious files in. If I see one of these files, that’s bad, we’re going to keep it out. The problem is they’re getting really good at obfuscating the signatures on an evolving basis to keep, you know, even known payloads from being detected. And beyond that, a slight tweak to make that signature completely different means that you are vulnerable to to this attack unless someone else has fallen prey to it first, and then Microsoft or Norton or whoever else propagates that threat signature across their network, which, you know.

 

Chuck Everette [00:07:03] For.

 

Cameron D’Ambrosi [00:07:04] Major companies, that’s that’s too late. That’s that’s not enough. That’s not enough protection. You can’t rely on someone else having been compromised first in order to defend yourself. And then the second element is this ever expanding set of endpoints, you know, with whether it’s remote work, whether it’s Iot sensors, whether it’s mobile channels, whether it’s BYOD. You cannot draw a hard perimeter around your network in the ways that you used to be able to. There’s too many end points in assuming that you’re going to build an impenetrable wall around them and only keep the bad guys out and only let the good guys in is a is a paradigm that seems untenable and that goal is is unachievable. And so correct me if I’m wrong, but, you know, the approach that deep instinct is taking is we are going to apply this advanced machine learning to these challenges to, say, the brains of a human analyst that can detect patterns and suspicious behaviors proactively before something happens, before the signature of this malware is propagated out and before. Or because you’re unable to seal off the endpoint. This is the only way that you’re really going to counter these next level threats, whether it’s nation states or kind of advanced, well-funded criminal gangs, for lack of a better word. Is that my over the target here?

 

Chuck Everette [00:08:30] Yeah, you’re absolutely. And, you know, as you had multiple points there, the issue is literally like an onion and it’s just getting thicker and thicker and building up. And you kind of have to kind of dig down to there’s not just one problem, there’s multiple, but they’re all kind of leading to the same thing. And how do you solve these multiple issues? Because as you put it, the threat landscape is changing. It’s evolving. The digital transformation, the the cloud migrations, the you know, the pandemic and the knee jerk reaction to get everybody to work from home changed the landscape. And that’s you know, it had like a three was it 600% increase in phishing attacks because of that, clients and organizations? Assets are no longer within the four walls of their data center or within their organizations. They don’t have the same security controls that they did now that they moved to the cloud or their data. Now the data arrest is sitting on laptops in places. You know, we have, you know, digital nomads, basically meaning employees can work anywhere in the world they want. So they’re sitting on these other dirty networks, cross-contamination, things popping through. So, you know, that’s the whole threat landscape. But on top of that, you have the evolving threats and the sophistication and the frequency that they’re increasing coming in, but also to the level of what we’re calling every A.I. that these cybercriminals now are employing to get around the more sophisticated tools. As you kind of start off with the history of antivirus and endpoint protection was the legacy of what we call it, and that’s typically signature based, some little bit of machine learning. Harris sticks looking for minor patterns. But it was it was all about, hey, we know this is bad, we’re going to blacklist it. And then basically we come across the come from there. Problem is, there’s like 2.5 million different variants coming out on a weekly basis, new variants. 
And a lot of those are polymorphic meaning that they change they change themselves every 15 minutes, 5 minutes. They’ll flip when they go someplace else. So you can no longer track them. So that whole analogy of, you know, blacklisting at the door and not letting on, not letting the bad people in from which you can’t tell who the bad people are anymore. And so how do you defend against this as well then, as the threats are getting more sophisticated? Because we’re having nation states developing techniques and tactics just, you know, two or three years ago we saw with some of those techniques, it would take about two weeks to a month before some of these criminal gangs would pick those up and start utilizing that. Now we’re seeing like when the log for GE came out in November, December, we saw within 2 hours. Two of the well-known cyber gangs out there had actually already picked up, put it in their code within 2 hours and already infected two additional hospitals within the first 6 hours of that vulnerability exploit coming out. So how do organizations keep up with that when a vulnerability is just detected? It comes through and they’re picking up on it even faster because, you know, there’s chains, controllers, other things. You have to identify where you need to patch. How can you protect against that? And that’s the challenge where y deep instinct kind of evolved or what it does because of the threats are coming in. You need to be able to identify them not in a delayed because traditional machine learning that a lot of the next gen endpoint products or EDR products uses machine learning which has to go to the cloud, make a decision or look for multiple different types of triggers before then it will react. And the problem is that takes time and what we call dual time, it allows basically the malicious actors to be on your network, doing other things, putting backdoors in. It’s expanding, sending out crypto worms, looking for other places. 
And a lot of times it’s cat and mouse where they’ll do something over in the left hand side, but they’re actually doing something else over here on the side that you’re not noticing because they’re trying to distract you or they start blasting on so many different, you know, lay of the land attacks which basically normal operation but it’s hard to tell is this malicious or not for it out there and then they’ll sleep they’ll sneak in a couple other little commands. I mean, I just was talking to organization last week that, you know, they get 500,000 alerts a week and they can’t tell good from bad. They’re just 100% reactive. And it takes them sometimes days to react to an alert or by then it’s too late. So you need something that can make that decision almost immediately. But it has to be done in a way that doesn’t create false positives because false positive you block something that’s actually legitimate, you’re interfering with production, you’re interfering with some of these job. In some cases, this critical stuff for even and hospitals, it’s life and death. So it has to be a decision that is made firmly, incorrectly. Hey, this is benign or malicious, and that’s where deep learning comes in. When it’s done right and done from the ground up. It is absolutely phenomenal. As I said, I’ve been doing this for 25 years. I’ve never seen anything else like it.

 

Cameron D’Ambrosi [00:13:32] So from that deployment perspective, I mean, I think that’s what’s most interesting to me about using deep learning is and correct me again if I’m wrong here, this is it’s unstructured learning in the sense that you are not training like when you go to deploy the solution, you do not have to train it up on a defined set of good and bad example cases. Do you just kind of let it loose on the network and it sniffs normal operations for a set period of time and then that’s what it’s using, excuse me, moving forward to to make these decisions or or how do you how do you get this, this platform up to speed to make sure that it is, you know, detecting ransomware deployment, but not, you know, shutting off Mimi’s ventilator on the in the COVID ward?

 

Chuck Everette [00:14:20] Exactly. We do not do any training in clients environments. Everything we’ve done is in the lab. And so what we’re doing there is that we have a large team of some of the world class threat hunters out there. They’re collecting new threats from the dark web, from other, you know, threat actors, things like that. We’re getting those and we’re testing against our solution. Our solution has been training now for over eight years. And just like a human brain, it’s getting smarter and smarter to the point where we feed in hundreds of millions of samples and it’s able to determine this is benign or this is malicious without any training or supervision from our self. We’ve regularly been training this, as I said, and we put out an update typically 1 to 4 times a year. We don’t have to put out daily updates for, you know, signature updates like other vendors. We don’t have to put up, you know, daily or weekly machine learning algorithm model changes, our deep learning learns and is able to sit there and be just as effective today that it would be in six months from now. And that’s the magic of deep learning. And these algorithms that we use, we call them our brains. And our brains have just this capability of knowing this is malicious or this is benign by scanning entire file. But they do it so fast and they can detect and prevent something pre execution. And that’s the key here is that. All the other products out in the market right now. The file has to be downloaded and then executed and then it watches what it does looking for these triggers. We actually look at the entire file and say, you know what? We can tell that there’s some watches code in here. We can tell and we’ll let you break it down and we’ll actually classify and say, hey, you know what, this is a very high threat here is 50% spyware, 25% ransomware, and, you know, another 25% crypto worm. We actually break it down and tell you what it is. 
So you’re not getting these random blocks and preventions. We’re actually breaking it down, telling you, hey, this is what it is and this is why it’s malicious. We stop it. I’ve been personally tracking for the past 18 months, since January of 2021, every major IOC. That’s indicator of compromise that’s been released to the press. All the big ones you hear out there, you know, every week you’re hearing about somebody new coming out there. We begin your hands and then we test it. And when we test it, say, hey, would we have prevented this? We test it with a brain or algorithm that six months. To a year old. And I can tell you that we would have prevented those those major attacks out there from conti and hive and loc bit 2.0. Last year, you know, dark matter. All those attacks, all those major ones out there. These are all attack patterns. You know, they modify and they change them. Some of them they put out weekly updates on cyber criminals, have, you know, subscriptions to them. They can get, you know, weekly updates on the ransomware attacks. We stay in front of that and we have that predictive model. So we’re making clients and environments now instead of being 100% reactive and counting, chasing after these alerts, these are out there. We’re stopping initial attacks within 20 milliseconds before it’s executed. And then as a result, all of the white noise and the other traffic, the East-West lateral movements going on, the spreading out, all the other triggers are on there are dropping down. And so not only do our customers get the protection of this hyper advanced deep learning to prevent threats, but also they’re getting back valuable time because of their IVR systems their sims are not being inundated with. All of this white noise and all these other alerts. Some of our customers are reporting 25 to 60% drop in alerts coming in, allowing them basically to get deep instincts, high fidelity alerts. 
And then from there, they can figure out, okay, I just blocked something. Where is this coming from? And so, you know, Vulnerabilities is a big one right now. Well, we don’t patch the vulnerabilities, but what we do is that those are entry points. And as soon as a cybercriminal goes to utilize or exploit one of those vulnerabilities, we can see as they’re writing to memory, as they’re writing to disk before they do an executed, that some type of malicious activity is going on. We stop it and prevent it. We then give the security teams a high fidelity alert saying, hey, this just happened. Go find out what happened. Okay. Did an employee misconfigured server leave something open or do we have a new vulnerability? Where is this coming from? And it really allows them to hone in and find out where it came from, what’s going on. Regardless of the entry point, it could be somebody clicking on a phishing email. It could be a vulnerability. It could be somebody misconfigured, a server because you know, most, you know, 90% of successful cyber attacks either get their start in some type of human error.

 

Cameron D’Ambrosi [00:19:14] On that human piece. I think one of the more interesting elements where this type of technology has a tremendous amount of applicability is insider threats. You know, where, again, traditional, whether it’s rule based or even identity based systems, cannot necessarily defend against an internal threat. It sounds like this the deep instinct platform excels at identifying folks who are, you know, Breaking Bad, you might say, in the parlance of our times. And that’s because malicious behavior looks malicious, no matter who is is perpetrating it or what log in or credentials they might be attempting to use to initiate the attack. Is that safe to say?

 

Chuck Everette [00:20:01] Absolutely. And there’s actually been a rise on that because of these ransomware gangs, the operating as a ransomware, as a service or ransomware as a company. They actually have marketing teams, they have weekly meetings, R&D meetings, those type of things. But they also have an affiliation program, meaning basically if you can come in and help get their foot in the door, meaning that basically you allow an attack take place, you help perpetrate that, or you do a misconfiguration or you click on something to allow them come in. They’ll give you a percentage of the ransom that they get. And just two years ago, that was 20, 30%. It’s up to 80, 90% in some cases now that we’re seeing. And so, hey, you come in, you know, they’re going to help you. You know, the insider threat is going to help you get to the keys in the city, asset your domain controllers, your production servers, your Web servers, things that are going to make the most pain for you. Therefore, you’re going to go do a knee jerk reaction and pay that ransom as fast as possible, cause that’s all they want. They’re all about making money, literally. It’s on their English facing marketing websites. It says right there, they bring together people for one purpose, and that is to making money. And so the sooner they get the money, they can do that. So, you know, you get somebody that’s, you know, making minimum wage or not happy. They’re disgruntled, hey, they get passed up for something. They then go to execute something because they have the right to do so. Or they open the doors. Once that malicious payload gets inside there and we start seeing it, bingo, we prevent it, we stop it, and then we identify that threat before it can be taken advantage of. And that’s a key thing with defense. 
Does it make a difference where the entry point is, as I said, phishing, insider threat, misconfiguration vulnerability, deep instinct knows it’s a malicious activity and stops it in those malicious files. One thing to know out there is like 80% of all successful breaches. Are from zero or unknown attacks, zero day, which basically means a vulnerability or unknown attacks or basically means that 80% of them that nothing’s been seen before. And that’s where a lot of the current next generation security solutions are failing because they work off of machine learning. These cybercriminals have their own machine learning algorithms, and they’ve learned how to trick the systems and saying, hey, you know what, this is benign. They know how to get around and evolve the system first. When they give you the system actually looks at, Hey, they’re Slavic keyboard, yes or no. If there is one, they drop it. They typically come out of a Russian. They don’t attack from the second ones. They look for Microsoft. Shadow copy basically means your backups. They’re going to corrupt those. They still look that they’re happening, but they’re not. It’s going to prevent rollback features, those type of things. So other security solutions, 76% of ransomware has that built in. So you can’t even depend on your backups and they’ll sit there for X amount of days until they get past that point of, okay, you can’t rollback. It’s going to be extremely painful you to roll back two weeks now to do that. And then, you know, they’re continuously evolving. But these attacks that are coming in are that 80%, 60% of those are on the endpoint. Endpoint is where it comes from, either be workstation, laptop or server, even mobile devices now or has a huge uptick on it is where they’re attacking. And so you need to be able to identify that and stop that. 
Well, the problem is, as work from home has gone out, spread out, a lot of the things are out there and the problem is delayed reporting coming in and by the time it gets reported is that it’s already too late. As I said, a lot of the solutions I’m seeing five, six, seven minute delay. But a tablet, if it’s a newer zero day, they’re going to bypass it. They’re going to get full access to the system and it’s going to be out of luck. Machine learning takes weeks to program out a new model that can pick it up. Yeah, the blacklisted. But the problem is, as soon as you change, one little change, like you said earlier, they’re able to get around it. So having something like our deep learning that is predictive allows the owner of the enterprises and the environments out there to be proactive instead of reactive is the next generation because you had to get in front of it. Because that’s one thing you got to realize, too, is that these successful attacks coming in, over 50% of them are ransomware attacks. And then once you get that ransomware attack, 77% of the time they’re hit again more than once. There’s been some large, let’s just say, cruise ship companies out there. They’ve been hit four or five times now. They originally got in a year and a half ago. They’ve been hit multiple times because once they got inside there, the cybercriminals ran rapid. They put backdoors in, they extracted other data, they’ve gone back and your double extorted triple. Now they’re going after some passengers because they got medical and financial data. It just it gets from there and then the reputation damage that these. Companies and organizations suffer, sometimes they can’t recover from it. There was a a number in CNN Money a couple of years back of 22% of businesses. Small businesses that are hit by ransomware go under. They’re gone. They can’t recover from it. So why not prevent it instead of, you know, waiting for it to happen or responding after the fact? 
It’s it’s a fundamental mind shift out there. I myself as a deputy C, so I was out there. If you would have told me I could have prevented stuff. I would have laughed you out and said, absolutely has been beaten into us over the years. That you can’t prevent the unknown. You can’t do it. It’s not possible. That’s why everybody’s gone to EDR and that’s basically know endpoint detection and response. It’s not working. We’re seeing that over and over again that 80% of successful breaches really show us it is that the cybercriminals have moved on by that they know how to bypass it. The attacks are going up every year and we had to come up with a new solution. And that’s where deep learning and deep instinct fills that role.

 

Cameron D’Ambrosi [00:25:52] So what’s next? You know, I think you are very well positioned to to make some prognostications. I love asking my guests to pull their magic crystal ball out and make some calls on on what we can expect to see. You know, looking at the cybersecurity space, what do you see coming down the pike, either from the defensive angle as well as from the offensive cybercriminal angle? Do we expect all of these trends that we’re already seeing to accelerate? Are we about to hit an inflection point where finally platforms like Deep Instinct are going to be on the front foot? Or is this surge and continuing pressure from cybercriminals set to push forward unabated now and into the future?

 

Chuck Everette [00:26:37] I’ll address the evolving threats coming out there. They’re increasing and it’s a cat and mouse game. And remember what I said. Their main goal out there typically is make as much money as possible until there is an adaptation and a consensus of everybody getting together, putting up the defenses. They’re always going to be going after the weakest link, the easier targets. So other organizations that are adapting deep instinct that they’re elevating up, they’re getting out there. They’re. Getting the defenses built up because, you know, we have false positive guarantees. We actually offer, you know, $3 million ransomware warranty that we’ve had that backed by Munich Re now for 18 months. And no customers have to take advantage of it because we’ve had no customers breached by ransomware. Bold statements, but at the same time, not everybody is adapting a solution like ours. Therefore, they’re always gonna be going after the weakest link and one of the major weakest links I’m seeing right now. And that is the industrial control space. And the OTT space. And we’re seeing a huge, huge uptick on that in the past six months. It’s growing because those environments. Typically are set up and kind of forgotten about it in a sense, because their production lines, the running, they do the maintenance on it. But now with Industry 4.0, which is basically the automation of manufacturing plants, critical infrastructure, water, oil, energy, those type of things, they’re being these devices now are being connected to networks, to the weapons. And because of that, it’s putting them at risk. And the problem is there’s cross-contamination between the corporate and other environments, networks being combined with what they’re being exposed to, the World Wide Web, two local lands. That’s just given that a tech footprint. And because of that, we’ve seen a huge, huge uptick. 
I think right now the numbers when I ran them just earlier this week, it was like 70% of the attacks in the industrial control space is on the manufacturing side because they know these manufacturers, they have to, you know, they’re recovering from the pandemic. They have to keep up with production, any interruption they’re going to pay or, you know, that’s what they’re hoping. Or even take the automotive industry. Automotive industry, there are contracts built in for their suppliers that if there’s any interruption of the automotive companies getting these critical suppliers to build the vehicles, they can actually go into the supplier’s plant, take it over, or remove their dies and infrastructure and take it to another supplier to continue it on. Cybercriminals know this. And so they’re attacking automotive suppliers at a higher rate right now in the past three months because they know those guys are critical and any interruption, they know the automotive industry will come down on them. Those type of things. We’re seeing critical infrastructure. We’ve seen tools utilized by Russia in the war against Ukraine. We’ve seen that over and over again. We’ve seen it applied both directions. And now we’re seeing those attacks being adopted by these cyber elements and being used throughout the world, including the United States, as a huge target for that has been coming up. So attacks on our critical infrastructure utilizing these industrial controls is an absolutely huge growing risk that we really need to shore up and get in front of because it’s not going to get better. And it’s an easy target right now. From the deep learning side and Deep Instinct side, let’s just say what I can say here: deep learning as applied to cybersecurity, it can be applied beyond the endpoint. It can be applied to the cloud, it can be applied on the wire network side. It can be used in multiple different spaces that is being explored and looked at. And I can definitely see where deep learning, because of its sophistication and its ability to, in a sense, predict the threats and stay in front of them, is absolutely critical to cybersecurity as a whole moving into the future. And it is the future.

 

Cameron D’Ambrosi [00:31:01] I love it. Couldn’t agree more. And look, this is only going to become more critical, like everything is tied together, whether it’s ransomware, whether it’s data breaches, whether it’s just good old fashioned nation state espionage or industrial espionage. It’s all tied together now in this realm. Gone are the days in which the notion of security through obscurity was something you could count on as an enterprise to keep yourself protected. If you have a poor security posture, you will be found out. Someone will exploit it, and you will have want to say you have no one to blame. Obviously the criminals are to blame, but can’t just sit back and assume that you can skate by without having a more aggressive posture on your end. So, Chuck, for folks who are listening, who want to learn more about Deep Instinct, where to go, how to deploy it, you know, should they get in touch with you? Should they go to the Deep Instinct website? What’s the best place for them to go?

 

Chuck Everette [00:32:05] Absolutely. Deep Instinct website, deepinstinct.com. It’s out there. I’m on LinkedIn, guys. Feel free to look me up. I put out content on a weekly, daily basis quite a bit, talking about threats, talking about new stuff. I typically, as I said, I don’t come across salesy. I am, you know, my hands rolled up, threat researcher slash advocate, educator, collaborator. We are all in this together because they’re going to be going after the weakest link. And the problem is that weakest link is still connected to us and we need to defend that. So we’re here to help.

 

Cameron D’Ambrosi [00:32:36] Amazing. We’ll be sure to include those links in the show notes below. Chuck, thank you so much for your time. Greatly appreciate it. And looking forward to talking again soon.

 

Chuck Everette [00:32:45] Great. Thank you very much for having me.

 

