AI and Big Data Wage the War on Cybercrime

Joe Head is co-founder of INTRUSION, a cybersecurity company that approaches cyber defense from the inside out, leveraging real-time AI to kill cyberattacks before they become breaches. He has served as a director since the company’s inception in September 1983. Prior to co-founding INTRUSION, Joe held the positions of product marketing manager and marketing engineer of Honeywell Optoelectronics from 1980 to 1983. 

Recent metrics report that 95% of today’s compromises are either zero-days or malware-free attacks, meaning that traditional signature behavioral defenses only work with 5% of these attacks. Analyzing this statistic, Head explains how INTRUSION uses large lists of historical data to train their AI to spot and stop malicious activity.

“By going with our inside-out approach, we’re basically saying your machine is making these calls to hinky places. Let’s go ahead and stop those. For that reason, we were able to stop the Microsoft mail breach, the SolarWinds, as well as a lot of the more recent ones. … because we have this embarrassment of riches in terms of inventory of the Internet, and have declared in advance that there are 5.1 billion things that are safe and 3.4 billion that are not safe. And then we add AI on top of that.”

In this episode of Cybersecurity Unplugged, Head discusses:

  • The difference between trying to modify human behavior and implementing robust security;
  • How INTRUSION’s product, Shield, satisfies the principles of zero trust;
  • How big data, historical reputation references and AI will win the war on cybercrime.


Steve King 00:13
Good day everyone. I’m Steve King, the managing director here at CyberTheory, and today’s episode is going to focus on a different way to approach cybersecurity defense. Joining me today is Joe Head, the co-founder and CTO of Intrusion, a cybersecurity company that approaches cyber defense from the inside out, leveraging real-time AI to kill cyberattacks before they become breaches. And we’re going to talk about that with Joe. Prior to co-founding Intrusion, Joe worked in product management and marketing engineering roles for Honeywell Optoelectronics and earned his bachelor’s degree in electrical engineering from Texas A&M University. So welcome, Joe. I’m glad you could join me today.

Joe Head 01:01
Thanks, Steve.

Steve King 01:02
So let’s start with email. The industry has taught us to, you know, not open attachments and not to fall for emails, spear phishing attacks. Intrusion’s inside-out approach, I think, assumes that I’m already infected. Can you explain that difference in terms of human behavior and security?

Joe Head 01:22
Sure, it’s always driven me a little crazy when I go to a seminar and they tell me that I should train all my employees not to open their email. It’s hard to know good from bad. And that’s where the spear phishers live, it’s how do they get you to open a thing by having it come from a close friend and be believable. And you know, all the tests kind of show that with mixed results, in terms of how trainable people are in general. But what we’re finding now is there’s just a whole host of things that you don’t have to open, you know, there’s source links and web pages where you don’t have to click on anything. If you go there, they run, you know, automatically. And I think the statistics are sort of showing that a huge amount of the previously done spear phishing world has moved to paid advertisements. So we know that on a given day, if I just go to Google News and start reading articles, I’m going to see 11 and a half to 12% of the source links on the news pages I visit are going to take me to malicious, known-infectious websites. I think it’s really important to go the direction we have done, which is as if you got your platform already infected when you bought it. We need to be focused on the inside out, you know, assume you’re already hooked. And you’ve got a call home to papa going on, that the adversary then rides in and SSHes in over an outbound connection that your machine maintains. So regardless of how it got there, we think we need to mitigate it in real time, whether it comes from spear phishing or advertisements or pre-infections. So the idea is don’t blame the victim for activities they do, just shelter them from whatever it is that may come their way.

Steve King 03:07
Yeah, well, that’s an interesting approach, certainly. And the downside of that is that I think all of us need to up our game, inasmuch as we now live in a completely digital world that seems like the responsibilities are back on the individual user to make sure they understand the environment in which they operate. A big topic these days, and also supported by the expert on cyber from the president of zero trust. I also know you have a view about how to implement zero trust. How does your product, Shield, satisfy the principles of zero trust in a way that makes it both affordable and effective?

Joe Head 03:47
I mean, our company and myself have been big proponents of the logic of zero trust for a long time. The complication comes in when you decide that you want to implement it, it gets to be very expensive and very tedious. We have a massive database that we’ve maintained, we started the work in 1993 to build a thorough inventory of the internet that was called TraceCop. And so from a history, we’ve got a good head start on understanding the subtle relationships between everybody and everything on the internet. And so we started building a reputational history database so that we know which domains are owned by the same criminal that owns a well-publicized, you know, spear phishing, spamming, port scanning, exploit drop box, you name it. So we’ve started out with just approaching the problem from a massive database standpoint. And so we’ve got 60 to 80 trillion quads of history, so we can understand, you know, what is this machine or this hostname? What’s its whole history, what language, topic, was this history of maliciousness? So we’ve gone at it from an approach of let’s use massive data to understand reputation and inheritance of bad reputation. And so we’ve approached the problem of zero trust by saying, let me fully understand our data centers, on webpages, all hrefs, what is the JavaScript call from a DNS perspective and a hard IP call perspective, and basically assign trust based on all of those. And so we’ve done that in a way that our product is done in the background and takes its action in real time. So the neat thing there is, you inherit a massive amount of work on zero trust that keeps you safe, and then doesn’t increase the load on your staff.

Steve King 05:49
Yeah, that’s a cool way to go about it. I think that those metrics I’ve seen are like 95% of today’s compromises are either zero days or malware-free attacks, meaning that traditional signature behavioral defenses only work with 5% of these. Warren Buffett says this era of cybercrime is more of a threat to business today than nuclear weapons, and I think he’s referring to IP vs. ransomware. Why do you think he has that view?

Joe Head 06:20
I mean, he’s dead on, he owns lots of businesses, and he sees the threats. You know, and in the context of his quote, it was hard to tell whether he was just referring to the intellectual property theft, or if he’s just talking about ransomware. We know from a ransomware perspective, FBI says 60% of the companies that are hit by ransomware are completely out of business within six months, and just don’t come back. I like to think of intellectual property theft versus ransomware as sort of a fast death versus a slow death. You sort of look at ransomware as sort of Ebola, it kills you really quick. And there’s not much you can do about it if you don’t have an offline backup to restore your world from. But intellectual property theft is more of a silent killer, you work for years to come out with a new product. And before you ship it, it’s already shipped from China as a direct clone from them stealing your intellectual property and your plans and your manufacturing techniques and your sources and all that sort of stuff. So either way, it’s fatal to businesses. Probably the bad thing right now from a society behavior, modern perspective, is the slow theft of intellectual property is a silent killer. You’re not really sure why you went bankrupt, you just did. Those are motivations that I think Buffett was talking about. The other thing you mentioned, which is the known signature versus zero day versus malware-free. What we’re finding in our installations in the field is that if you look at the total number of alerts that are generated by legacy IDS, IPS, firewalls, and the rest, if a company was seeing 50,000 alerts from all the stuff they had before, we’re typically seeing and stopping about 2 million. And so our ratio is about the 20 to 1 to represent the 5% that the industry pundits are saying, which leaves 95% as either malware-free or zero days. So the current stats show zero days are about 61% of the successful, which means malware-free is 34%.
So everybody knows zero day, it’s a new exploit that hadn’t been published before. And therefore signature-based defenses don’t work. Malware-free is an interesting category. And it basically includes backdoors installed on your hardware when it was manufactured, or simple backdoors, side doors into your VPN or other accesses for which no malware had to be introduced. So by us going with our inside-out approach, we’re basically saying your machine is making these calls to hinky places. Let’s go ahead and stop those. For that reason we were able to stop the Microsoft mail breach, the SolarWinds, as well as a lot of the more recent ones. So so far, we’ve been batting 1000 on stopping unpublished new breaches. And that’s simply because we have this embarrassment of riches in terms of inventory of the Internet, and have declared in advance that there are 5.1 billion things that are safe and 3.4 billion that are not safe. And then we add AI on top of that.

Steve King 09:38
Yeah, the IP theft has been going on for a long time. It’s surprising to me that we haven’t either awoken to that threat for these many years or have chosen not to do anything about it or don’t know what to do about it. You and I spoke earlier this month and you said that both and big reputation reference lists were essential to winning the war on cybercrime, something about, you know, eight and a half million robots and AI. Tell our listeners how your products, TraceCop and Shield, work together to help win this war.

Joe Head 10:18
Sure. So back in ’93, I caught one of the first large breaches. And the problem back then was it didn’t have an inventory of the internet. So I saw a breach happen. And I saw the exfiltration of secrets from one of the big auto firms to a CompuServe drop box, which they then picked up, and then went to their new employer with all the purchasing contracts from their previous employer. Back then there was no inventory of the internet. So I had to go grab through a bunch of tar.gz files from the old ARPA repositories to find a block of IPs. So what we found is essential to understanding is that this isn’t a game of shortcuts, you can’t use generalizations to find a one-of-a-kind new thing without understanding everything that’s come before. So on the 8.5 billion list, as I was saying a minute ago, we’ve got a massive allow list of 5.1 billion things that we view as safe. And then we likewise have a 3.4 billion list of IP addresses that are historically unsafe. But if you just go with allow list and block list, those are static and cause you to lose again. So what we found very essential is we take our massive amounts of historical reputation, both static and dynamic activity, to train our AI. What we practically see is you can be communicating with a site that’s been good forever. And it’s on everybody’s allow list. But behavior changes. So a big trick the Russians do is they’ll take over a mom-and-pop website, and then use that as exfil and command and control for a new set of breaches. And so they’re basically communicating through a hacked website. And so we use the AI to look in real time at behavior, and then realize that we need to flip the polarity of what was historically good is now turned evil two minutes ago, or one packet ago. And that has to be done in real time by AI, or you just can’t win the war.

Steve King 12:26
Yeah, but how do you determine that if your IP address is on an allow list? You know, I mean, what behaviors are you looking for that are indicators of a switch like that?

Joe Head 12:39
It’s a number of things. And I would say that the tricks number in the thousands in terms of behavioral analytics to know when something has changed from benign to bad. During the plague, I sat and wrote patents for months. And so we’ve got about 190 pages of new patents that cover how we do it. In essence, it’s things like, you know, I’ve gotten DNS call homes out of my machine, that somebody’s SSH-ing in over the DNS outbound. And it’s behavioral changes, to be able to tell, “Hey, this appears to be DNS outbound, but it’s really SSH inbound,” where I’m using the DNS answers as the commands and the DNS questions as the responses. And so we’ve trained our AI to recognize, if you would, polar reversals in the direction of a flow, or, you know, the client server versus remote control. As you see a lot of that in the SIP voice world where you have STUN does outbound call homes to allow an inbound ring to reach you through an app. And so we’ve gone through and looked in fairly excruciating detail about changes in behavior that are actually easy for AI to spot. That’s been a big change over the last five years, is things that you used to try to do in SQL on Hadoop are now done with AI to much greater effectiveness and in real time.

Steve King 14:08
Yeah, so that ability to have those algorithms working in real time is really the differential between your ability to recognize behavioral change or anomalistic behavior, and not. Is that right?

Joe Head 14:23
Yes, correct.

Steve King 14:25
Okay, so what’s the number the average company gets? I don’t know, what, 11,000 or something security alerts per day, which is, you know, maxing out even companies with large SOC, you know, security analyst teams. You have told me that Shield can stop attacks in real time, of course, and then free those folks up for more strategic tasks, which is great. But what are your false positive and false negative rates, and how can you accomplish this when others can’t? Are you the only company in the world that is doing what you do with real-time AI?

Joe Head 15:01
I think so. But anytime you make a claim that you’re the only company, it’s sort of like, no, you can’t buy a hammer without saying they use blockchain in the production of it. And, you know, AI and blockchain and all those things become buzzwords in the industry. But from our perspective of how well are we doing it, there’s a number of folks that use AI to sort through their alerts. And the best of those claim about a 30% false positive rate. We actually have a documented .001 false positive rate. So we’re five nines in terms of accuracy, currently, which means that we falsely stop one out of 100,000 call outs. And so we have put the provision in our product where any user can override our AI when they try to get to a, typically when we install Shield at a customer, there’ll be one or two domain names that they use internal to their company, to do payroll, to do IRS withholding, to do vacation planning. And it’ll be a website that we’ve never heard of before, that we couldn’t reach from outside their company. So we’ll assign it zero trust. And so for those company-specific things, we will shun them, because we have no reason to trust them. So that when we measure those overrides done by our customers, it’s currently measuring .001% false positive, we expect to add two more nines to that. So we’re at five nines now. And we expect to get into more nines this year. In terms of the false negative rate, that’s a strange one in that we, like I said before, when you look at the 5% of successful attacks have known signatures or known behaviors, and 95 don’t, we’re typically stopping 20 times as many things as our customers previously got alerts. So our false negative rate, I’m not sure how you calculate the upside down. So I’d say that competition has a 95% false negative rate, where we have close to 100% accuracy in terms of shutting things. I mean, nobody’s perfect. But so far, we’ve been at, you know, 100%, on stopping new undocumented.
On how can you accomplish this when others can’t? I think, because we’ve focused on building TraceCop since 1993, and it’s the world’s largest inventory of the internet. And we update it every 15 minutes, it gives us, you know, if you’ve worked in the AI field, your AI is only as good as your labeled, tagged training set. And we have by far the largest inventory of the Internet, and the largest passively learned behavioral analytics store. Put those two together, we had an amazing training set for setting up our AI. Plus we have a massive staff of folks that have worked cyber defenses and offensive studies for decades.

Steve King 18:06
Yeah, right. A lot of cybersecurity companies make that claim as well. And, you know, we regularly hear about the CrowdStrikes and FireEyes, and then Pings and Oktas of the world. But I’ve never heard about Shield or you guys. And if these claims that we’re making are true, how come the world doesn’t know about you guys? How come you’re not in the conversation among the top 20 cybersecurity vendors who are trying to solve the great problem here?

Joe Head 18:41
It’s a matter of newness. So we were in stealth mode on beta all of 2020. And we started to publicly announce and ship Shield in January. So I think awareness has taken off, as awareness does, slow at first and then ramps rapidly. The best answer though is, I think, just like the old joke, you know, you’re promised a date with a supermodel and you get a pig with a skirt on. So all brand new things that sound radically better and radically different turn out to more often disappoint than not. So, I think when you come out with something that’s just radically better, there’s a “I don’t believe you until I see it.” And so that’s the reason we offer, you know, free emails, you know, so plugging this in for five minutes, even important error monitor mode, will show you all the things that you never saw before, and will show you 20 times as many things as you ever thought about worrying about, and we’ve already stopped them in real time. So we’re seeing some fairly rapid growth and fairly radical changes in opinion when folks go from “I don’t believe you” to “Dang, you can’t take that with you. I’m leaving it plugged in here.”

Steve King 20:02
Yeah, there’s this kind of positive and negative challenge you have as an early stage company, and I say early stage meaning to market, not in your existence, where, you know, you’ve got a fix somebody DarkTrace, for example, who just, you know, recently went public for gazillion bazillion dollars, and they made their bones, basically, on network threat detection with a lot of, as you characterize it, “AI” thrown in. So you know, they have this amazing sort of market credibility, and you come in and say, “That’s loaded with problems that, you know, it’s got all of these includes whatever threats you’ve had in the landscape on it as its baseline, it’s got the wrong approach. It does deductive reasoning, or Bayesian reasoning versus abductive. And our product does all of these fabulous things. And in five minutes, you’ll see is when we turn this on for you, Mr. Buyer, that this is like the most amazing thing you’ve ever seen.” That’s really hard to get you to wrap your mind around as a buyer. How many customers do you have now, if you can tell us that? And what industries have you been particularly successful in?

Joe Head 21:18
Sure. I mean, being a public company ourselves, we get to talk about customers during the quarterly numbers release. And today is not such a day. But we’ve found the growth has been in lots of industries, manufacturing has had an early lead as has education. Surprisingly, we’ve also had a number of companies that have just gotten hit by ransomware, a number of Riot folks and others that did just either refuse to pay the ransom, or did. And what we find in plugging into those is when they think they’re clean, they’re still calling home to Russian man-in-the-middle control sites. So plugging them in stops a second ransom event. So I guess it’s all over. And we’re seeing pretty good growth internationally, there’s a number of countries that are actually in worse shape than the US. Because one element that I think’s good to talk about is, if you just look at the industry, most of the products are focused outside in. And if you’ve got call homes going on, there’s hardly any product that will show you that. And so there’s this feeling amongst IT professionals that they’ve done things better than others. And the reason they haven’t gotten hit is because they’re more competent than others. But you know, there’s a new compromise every 37 seconds in the US. So we’re really going into a battle without the proper instrumentation. And so one of the things that we’ve had from some of our partners or resale partners around the world, as they plug our product into their own network for demo, then they realized that they were in much worse shape than they could possibly imagine. And so I like to tell people, you know, when Röntgen invented the X-ray, it didn’t make all the doctors incompetent the day before, and that they couldn’t see breaks in bones, they just had a new tool that made visible what had been previously invisible. And so yes, we are doing real-time response and fixing things.
So you don’t have to fix them yourself, and it takes the human out of the response time loop. But it also gathers a bunch of data that lets you proactively look at the health of your network, and where’s your data flowing to. So you can make some more eyes-wide-open decisions about, in the range of allowable, what seems strange. And so that’s what I was talking about freeing up your employees to do more proactive things.

Steve King 23:56
Yeah, well, I mean, based on what you’ve just described here, this is like the Holy Grail. And you probably don’t need a lot of those outside-in solutions if this is operating as you describe it. And in an environment, it seems to me that your product would be a natural sort of remedy for a national program on, like, how do you, you know, what’s the best security posture in terms of technology? Well, if you started with you guys, you know, you wouldn’t have to go very far with the outside-in kind of technologies. I’m conscious of the time here, Joe. What has been your approach to marketing the product, and making sure that folks are aware that you really are offering a kind of a night-and-day alternative approach to traditional cybersecurity defense models?

Joe Head 24:50
We’ve hired a large team of folks and we’re focusing heavily on the channel. And my partner Jack Blount was at Novell in the early days when they actually created the channel that now the world uses. So our goal is to eradicate cybercrime from the world. We’ve talked about the inside out, but we’re not ignoring the outside in either. So our product actually looks at every field in every packet and doesn’t do any sampling. So we’re looking for all the ways that covert signaling can be occurring, both from a remote control standpoint, from an exfiltration standpoint, we’ve tried to take a higher level approach. And we went to Gartner, they told us what a product like this would be worth. And we priced it at maybe 30% of what they thought the market price should be. Because we’re really annoyed at how horribly we’re getting booked by international adversaries as a country. And we wanted to basically lower the threshold for doing it excellently and then lower the price barrier so everybody could do it. Because I really like our country and want it to continue to exist. You know, we’re doing it right now. We’re losing the war on cybercrime horribly. And we believe that changing approaches is radically important to the country and to the survival of businesses and government organizations.

Steve King 26:14
Yeah, indeed. And I love it too. I’m rooting for you guys, for sure. And Jack has an amazing background also. You were at this from kind of the get go, weren’t you?

Joe Head 26:27
Correct, I was co-founder of the company in ’83. So just a couple years out of college for me, and been at cybersecurity for a long time. But you know, we’re at the point now where everybody’s tried shortcuts, and there just really aren’t any shortcuts. You got to have massive data, massive training sets, and then have machines that can run real time with bigger allow and block lists than products do, so we had to do a lot of this from scratch. There was just no way to do it unless you build it yourself.

Steve King 26:57
So you were part of that architectural design. I mean, that was kind of your baby.

Joe Head 27:03
Yes.

Steve King 27:04
That’s truly amazing. So gosh, congratulations, Joe. I’m just amazed at the product. I rarely, we rarely put product companies on this podcast. It’s not the intent here to proselytize on a particular product. But I was just so blown away by the way you guys go about it, and how it makes so much sense. And I think you have a lot of patent protection, as I understand it. So I wish you all the best here in the future. And thank God you guys are doing what you’re doing.

Joe Head 27:39
Appreciate it, Steve, appreciate the time.

Steve King 27:42
Well, sure, it was my pleasure. And I want to thank our listeners for joining us in another episode of CyberTheory’s exploration into the weird world of cybersecurity. And Joe, we’d love to have you back in a bit. I want to track how you guys do. I will do everything I can to promote and assist you guys in getting the kind of visibility that we need for you to have.

Joe Head 28:07
Thanks Steve, look forward to talking some more.

Steve King 28:10
Terrific. Until next time, I’m your host Steve King, signing out.

Category: Podcast