Date: 2020-01-29

Cybersecurity company RiskSense, which has been at the forefront of diagnosing persistent threats for years, announced a dashboard on Tuesday to warn companies of the potential risks of different types of ransomware.

The service, available as an update to the company’s SaaS software, is a visual monitor that displays various data, such as the number of vulnerabilities in a company’s systems. It can be used not only to assess the situation, but also to plan a series of steps to improve it. The dashboard is based on signals from typical corporate security monitors, such as those sold by Rapid7.

CEO and co-founder Dr. Srinivas Mukkamala told ZDNet that at some point the intention is to fold neural network capabilities into the product for additional types of analysis, such as regression analysis. This could allow the company to predict with some degree of usable precision how long it takes for a certain vulnerability to actually be ‘armed’, meaning that it becomes a threat in the wild.

Currently, the dashboard is being rolled out to customers with a focus on detecting and classifying the vulnerabilities that put systems at risk of ransomware, given that ransomware spreads primarily through a lack of attention to vulnerable systems.

“This is not an interesting problem,” Mukkamala commented in a telephone conversation. “It comes down to basic hygiene: most ransomware depends on vulnerabilities” and on exploiting them before they are patched.

The dashboard combines signals from sensors such as Rapid7 about which vulnerabilities exist in a computer system with a variety of data about exploits in the wild. It uses those different pieces of information to reduce the list of around 25,000 known exploits in the world to a short list of 100 ransomware exploits that a chief security officer should check.

“The way we look at it is like an expert system,” said Mukkamala, using a traditional term from the AI literature for software programs with a lot of domain expertise. “What are my signals?” he asked rhetorically. “First, there would be a strong signal that endpoint sellers are detecting and blocking, second is that Microsoft is paying attention and raising criticism, third is that people are chatting in the dark web, and fourth is that pentesters [people who perform professional penetration tests to measure system weaknesses] are interested and are examining it.”

The dashboard had its origins in a RiskSense report in September that organized ransomware by malware family, by supplier and product, and in many other ways. One thing that prompted the report was dissatisfaction with regular reporting on the phenomenon, said John Dasher, the RiskSense vice president responsible for products and marketing, in an interview with ZDNet.

[Image: RiskSense’s dashboard display of system vulnerabilities. Credit: RiskSense]

“We had seen more and more news coverage [of ransomware], and it was usually high coverage, with occasional references to the exploit family, but there was not much detail, especially if you are a practitioner,” Dasher said.

The response to the report was quite positive, Dasher said; however, “people came back and said, ‘Please give it to us in a product.’” Hence the dashboard.

It’s the right time for such a tool, Dasher said, given that the increase in ransomware has made the phenomenon a board-level problem. That means chief security officers must now answer to the company’s directors about risks, where once those CSOs worked in the obscurity of IT.

“We are now seeing CSOs at board meetings and they are getting questions about ransomware,” said Dasher, “so the flip side is the vision of business leadership and how to put your exposure into words.”

As mentioned earlier, however, there is a limit: the deeper analysis still needs to be developed. Today’s classification is carried out by an older machine learning technique called “support vector machines.” SVMs were the popular approach to machine learning in the 1990s, and Mukkamala introduced their use in cyber security in the early years of this century. It was the core of his PhD, and he has a patent on the design of a system built on SVMs to detect threats.

SVMs work reliably for classification. And unlike most deep learning forms of neural networks, they can learn from very few data samples. “One of the fundamental things in favor of them when I first picked up SVMs was that they were very well studied for drug prediction and cancer research and the like,” Mukkamala recalled. “My father was a gastroenterologist and I thought that if it could work for cancer, it should work well for cyber security.”

But SVMs, as good as they are, do not offer the power of regression analysis that is needed to see how a vulnerability turns into a live threat in the wild. Mukkamala realizes that. RiskSense is working hard, he said, to bring neural networks to regression analysis.

“What nobody has done is regression” in terms of security, Mukkamala said. “Many security people still talk about classification, but you very rarely see us talking about something like whether a certain exploit is armed in the next six months.”

“People will say, it will happen in the next 12 months, but I’m sorry, that’s nonsense, everything can happen within 12 months.”

Last year’s BlueKeep vulnerability is a perfect example of the uncertainty, he said. “It was the most talked about [vulnerability], but it had no exploitation for nearly 90 days,” he recalled. In fact, RiskSense was the one that wrote the exploit to prove that it was possible.

How does something like BlueKeep come to be armed? RiskSense is working on a system that calculates three different signals, Mukkamala said. The industry as a whole, he noted, “machine code scanning, we actually pay bugs to find certain types of software vulnerabilities, and then traditional pen tests are also spent on issued software.”

By combining these three signals, the goal is to “train the model to behave like a pentester,” said Mukkamala, “to predict real risk, to do the real regression.” RiskSense hopes to be able to talk about some results within a few months, he said, and the company is likely to apply for a patent on technology to measure individual application risk.

According to him, such techniques are needed to keep up with the evolution of ransomware, which is spreading beyond the operating system level. “They go beyond the operating system to use JBoss and Elastic and Adobe products,” said Mukkamala of malware authors. “If we don’t explore new methods” to follow that evolution, “we look back.”