Machine Learning CrowdStrike Joins VirusTotal

On May 4, VirusTotal (VT) made two specific changes to its policies that were at the time seen as particularly aimed at the next-gen (machine-learning, signature-less) endpoint security vendors. The first required that all companies wishing to make full use of the VT API register their detection engines with the public-facing VT interface; the second effectively insisted on membership of the Anti-Malware Testing Standards Organization (AMTSO). CrowdStrike has now become the first next-gen vendor to comply with both requirements.

The move by Google-owned VT was welcomed by the original signature-based anti-malware industry, who felt they were being unfairly treated by aggressive next-gen marketing — often based on public VT results and wrongly claiming that the traditional vendors are simply blacklist signature detection systems.

There are some signs that this aggressive marketing by the next-gen vendors is toning down, but it is still continuing today. Nevertheless, this move by CrowdStrike is a positive sign that at least one next-gen vendor is willing to integrate into the overall anti-malware market for the benefit of all users.

By ‘joining’ VirusTotal, CrowdStrike has committed to the VT policies, which include, “VirusTotal should not be used to generate comparative metrics between different antivirus products;” and “VirusTotal should not be used as deceptive means to discredit or to validate claims for or against a legitimate participant in the anti-malware industry.”

“We are the only machine learning signature-less vendor right now. We expect and encourage others to join,” CrowdStrike’s chief scientist Dr. Sven Krasser told SecurityWeek. “We want to work with the community to contribute to community standards. As a vendor offering next-gen AV solutions and advanced threat prevention, we should (and we are) also granting access to our data.”

A second criticism from the traditional anti-malware vendors is that next-gen vendors have been reluctant to submit their products to independent third-party testing. CrowdStrike is also leading a change in attitude over testing.

Simon Edwards, director of third-party testing company SELabs, told SecurityWeek, “Since the beginning of the year I’ve noticed a much greater interest in testing coming from these companies.” Indeed, CrowdStrike is an example of this, submitting itself for testing by SELabs under AMTSO guidelines in July 2016. It did rather well, achieving 100% malware detection for both known and unknown samples, with a 0% false positive rate.

All of this raises a major question: if a next-gen endpoint security vendor can integrate its machine learning detection system into VT, why can’t the traditional vendors do the same? After all, every traditional anti-malware company has employed machine learning techniques for many years.

The answer would seem to be that traditional vendors employ machine learning to train logic bundles that are used on the client system, designed, said F-Secure’s Andrew Patel, “to detect suspiciousness based on the structure of a file or its behavior.” The logic bundles are then delivered to the client by regular updates — and it is this process that cannot easily be replicated on VirusTotal. It’s “not only super-resource intensive,” said Patel, “it’s hell to maintain; especially when you consider that VT’s systems already contain over 50 products. Even if VT had the infrastructure available to do this for 300,000 samples times 50 vendors per day, they’d still need to hire people to maintain the environment and products.”

So the big difference between the two models is that next-gen vendors design the algorithms and turn them loose on the customer, while the traditional vendors keep the machine learning at the back end; largely, said one vendor, “because we believe that machine learning still requires a degree of human oversight.”
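The back-end model described above, in which machine learning trains a “logic bundle” that is then shipped to the client, is easiest to see with the release step made explicit. The following is an added illustration, not code from VirusTotal, CrowdStrike, F-Secure or any other vendor: it trains a tiny Bernoulli naive Bayes classifier on constructed file features, gates the resulting bundle on a held-out corpus of known-clean files, and lets an analyst choose the decision threshold. The feature names, samples, bundle format and the gate policy are all assumptions made for the example.

```python
import math

# Static features the toy model looks at (assumed names, not a real product's).
FEATURES = ["packed", "high_entropy", "imports_crypto", "writes_run_key", "signed"]

# Constructed labelled training set: (sample name, feature vector, label).
# label 1 = malicious, 0 = benign.
TRAIN = [
    ("mal-1", [1, 1, 1, 1, 0], 1),
    ("mal-2", [1, 1, 0, 1, 0], 1),
    ("mal-3", [0, 1, 1, 1, 0], 1),
    ("mal-4", [1, 0, 1, 0, 0], 1),
    ("ben-1", [0, 0, 0, 0, 1], 0),
    ("ben-2", [0, 0, 1, 0, 1], 0),
    ("ben-3", [1, 1, 0, 0, 1], 0),
    ("ben-4", [0, 0, 0, 1, 1], 0),
]

# Constructed held-out corpus of known-clean files used as the release gate.
CLEAN_CORPUS = [
    ("clean-office-doc", [0, 0, 0, 0, 1]),
    ("clean-installer", [1, 1, 0, 0, 1]),
    ("clean-oss-build", [1, 1, 1, 0, 0]),  # unsigned, packed, links a crypto lib
    ("clean-vpn-client", [0, 0, 1, 0, 1]),
]


def train_naive_bayes(rows):
    """Back-end training step: Bernoulli naive Bayes with Laplace smoothing.
    Returns per-feature log-likelihood-ratio weights (present/absent) and the
    log prior odds; together these are the 'logic bundle' the client receives."""
    mal = [x for _, x, y in rows if y == 1]
    ben = [x for _, x, y in rows if y == 0]
    weights = {}
    for i, name in enumerate(FEATURES):
        p_mal = (sum(x[i] for x in mal) + 1) / (len(mal) + 2)
        p_ben = (sum(x[i] for x in ben) + 1) / (len(ben) + 2)
        weights[name] = {
            "present": math.log(p_mal / p_ben),
            "absent": math.log((1 - p_mal) / (1 - p_ben)),
        }
    prior = math.log(len(mal) / len(ben))
    return weights, prior


def score(bundle, features):
    """Client-side step: apply the shipped bundle to one file's feature vector.
    No training happens here; the client only sums pre-computed weights."""
    total = bundle["prior"]
    for name, present in zip(FEATURES, features):
        total += bundle["weights"][name]["present" if present else "absent"]
    return total


def classify(bundle, features):
    return "malicious" if score(bundle, features) > bundle["threshold"] else "benign"


def build_bundle(version, threshold, max_fp_rate):
    """Train, then gate release on the clean corpus.
    threshold and max_fp_rate are the analyst's decisions: this is the human
    oversight the article's vendors describe. A bundle whose false-positive
    rate on known-clean files exceeds the policy is not published."""
    weights, prior = train_naive_bayes(TRAIN)
    bundle = {"version": version, "weights": weights,
              "prior": prior, "threshold": threshold}
    fps = [name for name, x in CLEAN_CORPUS if classify(bundle, x) == "malicious"]
    bundle["false_positives"] = fps
    bundle["fp_rate"] = len(fps) / len(CLEAN_CORPUS)
    bundle["published"] = bundle["fp_rate"] <= max_fp_rate
    return bundle


if __name__ == "__main__":
    for thr in (0.0, 3.5):
        b = build_bundle(f"toy-{thr}", threshold=thr, max_fp_rate=0.0)
        print(b["version"], "published:", b["published"],
              "fp_rate:", b["fp_rate"], "fps:", b["false_positives"])
        # An unseen sample that looks like mal-2: caught at the low threshold,
        # missed once the threshold is raised to satisfy the clean-corpus gate.
        print("  mal-2-like ->", classify(b, [1, 1, 0, 1, 0]))
```

Run as written, the first candidate (threshold 0) flags the unsigned open-source build as malicious and is held back; raising the threshold to 3.5 clears the gate but also stops catching a sample that resembles one of the training malware. That trade, decided by a person rather than by the model, is the “degree of human oversight” the quoted vendor is referring to, and it is the step that has no natural home inside VirusTotal’s scanning pipeline.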

Early machine learning generated a large number of false positives — but it has improved dramatically over recent years (as proven by CrowdStrike’s 0% false positive certificate from SELabs). It might be time for the traditional vendors to overhaul their marketing philosophy. CrowdStrike has agreed not to use VT results to promote its own ‘scores’ above other VT results (because that is misleading). But consumers have always done this, and they will continue to do this. CrowdStrike is effectively playing by the traditional vendors’ rules to its own advantage.

CrowdStrike was involved in the incident response effort following the DNC hack, and discovered evidence of two separate Russian intelligence gathering actors: CozyDuke and Fancy Bear.

Related: What Machine Learning Can Bring to IT Security

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
