AI + Si Level Telemetry - An Emerging Frontier in Cybersecurity | InTechnology | Intel
(rhythmic chiming music) - [Announcer] Welcome to "What That Means" with Camille, where we take the confusion out of tech jargon and encourage more meaningful conversation about cybersecurity. Here is your host, Camille Morhardt. - Hi, and welcome to this episode of "Cybersecurity Inside," "What That Means: Threat Detection" Today, we have with us Ram Chary. He is Senior Director of Engineering in the Product Assurance and Security Group at Intel which is part of the Security Center of Excellence.
Now Ram has a background in computer science and also physics, and he's kind of done a whole bunch over his career in engineering, but what might be interesting, or particularly interesting, to people now, is he and his team actually invented threat detection technology. Now, we typically don't talk about product in this "What That Means" podcast, and true to form, we're going to open with, really, Ram's definition of threat detection. We'll also talk a little bit about platform security and authentication, which he also works on.
We really want to talk about it, and kind of understand the broader scope. Welcome to the show, Ram. - Thank you, Camille, good to be here to talk about the technology. - Ransomware is generally this notion of you get some kind of a cyber attack that basically locks up your system, or makes it inaccessible, or your data inaccessible, - Correct. - and then you have to pay, usually in a cryptocurrency, - Yes.
- but it wouldn't have to be, - That's right. - You have to pay somebody to re-access it. - Yep. So how, actually, does it work technically? Like, what's happening and how does it get onto the system in the first place, or into the network? - One of the things that happens quite often is you may get an email from... it looks very legitimate... that's maybe coming from your bank or e-commerce vendor, and you click on it; that's what we call the phishing emails, and you click on it, and you click on the link, and unbeknownst to the end user, there is this malware that actually gets loaded onto their system, and oftentimes, that malware is dormant, and its main goal, of course, is, particularly in an organization, a large company, you know, it's goal is to spread to as many of the systems as possible, so it gets onto email and other mechanisms to spread around, and to avoid, to kind of evade the detection barriers that I've put in. Many of them will stay dormant for a while and then they activate themselves.
And as you noted, one of the things they do is go around and encrypt the whole drive, or, you know, partially encrypt files. Some of them even exfiltrate the data, you know, they move the data to the cloud. So at the end of the day, it's primarily to get a ransom but things, as you know, recently, have gotten beyond that. As we get to just those in it for the few Bitcoins, it can be a state-sponsored attack, in which case, the goal is to bring down, and more than. It's not just money at that point, there are other agendas, but the entry point is always, as I said; it's something innocuous that comes into your system that then launches it, unbeknownst to the user.
- Malware is a piece of software, correct? - Yes. - So how does a piece of software or an application find its way into the hardware to encrypt something? - The first thing that they do is they will usually connect to a backend server somewhere, you know, which is to get those encryption keys, and one thing they may do is sometimes they may copy files over, but oftentimes, they'll start the encryption process. It just runs like any other program, any legitimate program that'll be going around... let's say you're using a program to encrypt some file or to compress some files to send them over as part of an attachment; so it just goes through the process and starts running, and it starts from directory A, and kind of chunks its way through the entire system and it can happen quite quickly. In a few minutes, that entire system may be corrupted, and the problem there is if you can't detect it right away, imagine a company like ours where, you know, you may have 100,000 employees, and let's say, wouldn't it be great if a ransomware, you know, somewhere, I accidentally clicked on one of these emails, and something is launching on my machine, won't it be nice if within a few seconds the AV on that machine that's running one of our partner solutions can detect that attack right away, and not just remediate my machine, but can help protect the 100,000 other machines in the enterprise? That's what we are trying to achieve is to catch it right as soon as that problem occurs. - How does it catch it? - In our CPUs, in our case, Intel® CPUs, there is something called a performance monitoring unit, which is way down in the CPU, and it's tracking exactly, you know, microarchitectural details of what is actually happening.
For instance, you know, example would be you had a level three cache miss, or something like that, right, which, for most people, it doesn't matter, that it actually helps is... let's say I'm a developer and I'm actually writing my program, and I want to see what is it doing in order for me to optimize it? In those cases, I can use a tool, like VTune™ is one of Intel's own tools, and it's in fact using, under the hood; it's using this PMU to get that data so that I can see, okay, this is what my program is doing, and I'm going to optimize it. We are kind of flipping this on its head. As I said earlier, you know, malware is, at the end of the day, software, it's going to, you know, whatever it's doing, when it's encrypting files, it has to run on the CPU, and it's doing some strange behavior, right? Unlike most regular programs, it's going through entire directories and it's chunking through, and it's actually compressing or encrypting a lot of these files, and we use that capability in the PMU to now look for that pattern that encryption is going through, and we kind of program that, and as I said, there is some machine learning models that we built, based on that.
We can then detect, anytime in the future, there is a variant that's something like that, right, and we can, this is, this is, machine learning is no different than you teaching it to recognize a dog while showing, you know, pictures of 50 dogs, and it's going to detect another 50 dogs without you telling it. That's exactly what we're doing, except we are training it to the various types of attacks we know of, and then eventually, it detects any new variant that might come in. And the crux of your question, Camille, is, the reason we are able to do that is at the end of the day, those encryption algorithms, they don't change all that much, right? They use AES or, you know, Salsa20. I mean, there are these few types of encryption algorithms that they use, but those malwares just reuse the same thing over and over, right? They look different, but ultimately, when they start executing, they have this commonality, and that's what we are trying to catch.
- So how do you know that it's not encryption that you're doing on purpose on your own system? - One of the things, when we talk to our partners, you know, they kind of have three requirements, you know. One is it has to be proactive, it has to catch something as quickly as possible. The second important thing is it has to have low false positives, because if it's crying wolf all the time, it's actually sometimes worse than it not logging anything, and what you're asking is the crux of this whole solution, is any machine learning model is only as good as the data that you train it on, right? At least initially, that's what we are trying to train before we let it loose in the world, and this is where working with our partners has been critical, right? The first set of data that we have to train on is the malware itself. There are publicly available databases of, you know, take ransomware; there are so many variants of it.
We take all of them; we are a subscriber to it, as a lot of other AV companies are, and we train the models with it, right? The second thing we have to do, which is... That is just to catch any new variants, but the more important part, as we brought up, is how do we train for all the... make sure it it discards the good applications from that. So we actually do a lot of that in-house, You know, we run it, for instance, in our case, it's very closely tied to our commercial platforms, right, to vPro® Platforms, in particular, so we train it on a whole ton of commercial applications that are out there that you and I would be using, or other companies, in general, use, so that it knows how to differentiate between the good apps and the malware. And the other important part, and this is why a partnership with our key AV vendors and EDR vendors is critical, is because they then deploy it on hundreds of millions of systems out there, and different geography running in a small company set up, running an app that we would never see in our labs.
But we get that data, right? We get that data working with our partners, and we can then train our models to say hey, you know, ignore these types of... new types of attacks. So it's kind of a, you know, it's a cyclic, you know, it's something that we work together with our partners so that it very quickly gets to the point where it's able to tell the good apps from the bad ones, and we have trained it so that when we detect that app and it's fairly certain, you know, it knows which process actually is running it, and it gives that handle to our partners so they can remediate. - So as fast as you're kind of training and designing training, I assume that there's bad actors out there adjusting the ransomware so that you think it's good, versus bad, so how do you kind of keep track of that, or keep up with it, or keep ahead of it? - Good point as well, the two aspects to it, right? The first part is, that's why machine learning is critical, right? We cannot be programming this, you know, as opposed to the standard case where you're telling it to look for a particular pattern, here, we want it to go beyond that. We're going to train it on all the samples that we know of. That's why machine learning is critical, because we are now telling it, "Look for other things you haven't seen yet," and over time, it kind of learns; it kind of detects these new samples, and every once in a while, we have to go and retrain it, because there may be a new variant, but oftentimes, we find that there may be a new variant that uses the same encryption algorithm that we've already trained it on.
Ultimately, when that encryption algorithm gets triggered, we are able to detect it, and we can flag it. And the advantage of doing it in the CPU is, you know, the typical bypass mechanism that many malware would have is it can back off, so rather than running continuously, it can run, and then stop, and run. The granularity of the CPU at which we are monitoring is so fine that it doesn't matter, I mean, we can detect them even if they do that. Of course, if they do it at the point where they are not encrypting at all for a long time, we have succeeded, because that's the whole goal of the malware is to encrypt the system, so we can stop it that way, too.
So that's one thing. The second part, as I said, is we do work with our partners so that when there are new variants, and we kind of monitor them, too, but we work very closely with our partners so that when there's a new variant, we can very quickly train it in case it's something that's, let's say it's using a new encryption algorithm, we can update our models and we share it with our partners, and it's an over-the-air update, so they can update it in minutes if they choose to. - Is this a technology that goes across computers and servers? - Oh, the performance monitoring unit that I was referring to, that's across Intel. The same thing is true on our endpoint or PCs. It's also, you know, a lot of our PC chips are also used by our Edge products, like our Internet of Things groups, and it's applicable there.
It's also applicable to the servers, absolutely. - I know you probably can't get into the architecture of it, - Right. - specifically, but is it a different; is each architecture sort of unique across each one of these with the same kind of end benefit, or is it actually the same architecture, regardless of the endpoint? - There are commonalities. For instance, the fact that there is a performance monitoring unit across all our systems is definitely a commonality, but there are differences too, because the performance that we have to train, as your earlier question was alluding to, is we have to train it for the bad actors, but we also have to train it for the good applications, and that means it's a combination of the applications and the operating system that is actually running underneath, so a lot of what I talked about, for instance, the deployed components have been very much focused on our PC side of the fence, so these are running either Windows 10 or 11, and they're primarily our core PCs. As we go to, say, servers, and servers, even though the Zion™ PCs have the same underlying capabilities, you have a very different model.
You have phenomenally high levels of cash; there is a lot of threading that is happening in those environments, and it's usually running Linux, in many cases, and it's running, you know, virtualized containers on top of that, so the payloads are very different. Some of the events that we are monitoring at the PMU, sometimes they're the same across the clients and servers, but usually, we have to fine-tune it to make sure for that particular environment, say servers in a CSP environment, it's optimized for the kind of operating system environment and the workloads that run there. - So it can end up being pretty custom, depending on, like, the industry or the use case that the- - That's absolutely correct, yeah, yeah. - Okay That's very interesting.
I guess let me just ask you kind of a high-level question. I actually just recently read the World Economic Forum Cybersecurity Report published in January 2022, and, you know, they mentioned that ransomware is kind of still on the rise. I remember, last year, kind of looking at trends and seeing that ransomware was sort of all over all the security conferences. Why is it suddenly such a big deal and continuing to trend up? - It's an easy way, for those who are interested in making money, it's a very easy way to do that, because it's one of those things where, these days, ransomware is almost as a service. As I was saying, there is an underlying architecture which may be using the same encryption algorithms, a lot of commonality.
Somebody can very quickly put a wrapper on it, and come up with a different variant very quickly. They can deploy it, and, you know, until this technology like ours gets very broadly deployed, they can work around just enough of the systems out there. Maybe those systems don't have the latest software; there are always gaps in those systems out there, and they're able to hold it for ransom, because one thing that all of us need, especially in a corporate environment, it's true for us outside of work, too, is, you know, our data that we have is the most precious thing we can have, right? It could be our photographs or emails in our home environment; at work, it could be business data. It's software.
It's an area where they can attack and they know that they will... You know, no company wants to be held ransom, but at the same time, their business is at stake, so they are very aggressively targeting it, but as we have seen, it sometimes goes beyond just a corporate environment. There are attacks that are going after a national infrastructure, so their motivations there are different and they'll probably continue, so that's the case.
- I guess, what do you think the future of ransomware is going to be? Is it going to be the same kind of thing? Is it going to expand to... Heavens, you mentioned personal photos. Like, - Yes. - I never really thought about the fact that somebody might lock up my photos and say, "Hey, five bucks, you can have your photos back." It's like, well, that's a pretty mass scale. I mean, - Yes.
- Where are you seeing it head? - Yeah, I think all of those places because of the fact that they can very easily spin up new variants, and there isn't yet a definitive way to stop all of them. I mean, our partners are doing a heroic job in catching most of these attacks, but they just have to get through sometimes, and just for enough time, to be able to catch some of those corporations. There are some, you know, best known methods and techniques that people can use, but, you know, everybody knows, you know, the software has to be always updated, but doesn't always happen that way. I think given the ease with which, you know, you can just make a claim for a Bitcoin payment, it can be done.
So that's what, when we talk to our partners who are in the front lines of this, that's what they're telling us, that they don't see this abating in the near future. - Is anybody arguing over, like, how best to detect threats? Are there other approaches in industry? I mean, is looking for encryption kind of the holy grail and the only way it's done? Are there other methods? - There are quite a variation of these partners. They're all trying their best to detect these attacks using all kinds of techniques. I mean, they're using behavior analysis just based on software techniques today, and that's why they have been successful at detecting many of these attacks. The challenge in that approach is sometimes, it ends up being reactive. You know, you may have a scenario where, you know, that particular day when that attack happens, you know, a particular AV may not necessarily have caught it.
They're having techniques to detect it. What we're adding to the mix is, because the hardware we believe has... because, from an execution perspective, we have some great signals that we can give them, so our goal is to augment the great work our partners are already doing it so that we can make ours a little bit more proactive.
It's always about that edge. - That's pretty cool. Like, if you start to go, okay, something's starting to encrypt, - Yes. - Like you're looking at that
down at the processor levels. That's pretty interesting. - And the fact we can eliminate the fact it's not a a good application that's actually doing it, and based on the machine learning models, we can tell it's the bad guy. That's the information we give to them. And there are other aspects to the technology itself, which I can mention, right, which is...
The one question we may get from our audience is, you know, machine learning sometimes is CPU intensive, right? That's one of the reasons people don't like to run it all the time, but the great thing, for instance, in our endpoints and the CPUs on our PCs which is where our technology is currently deploying on ransomware and so on, is there is this fantastic integrated graphics that for instance, Intel has, you know. What we find is a lot of these machine learning algorithms that you're developing, you can run it on the CPU, and it can take, you know, 5, 6, 7% of your CPU, but we can offload it to this integrated graphics that's just there and you can drop the CPU consumption to almost, you know, less than 1%, so it's not perceptible. And that's another, by the way, that's another important requirement from our partners is how do I leave this running all the time without necessarily being a CPU hog, right? So it's that third leg of that solution, which is also important, but the primary goal at the end of the day is to make sure we are being proactive; that we eliminate the false positives using machine learning, and the third point is do that in a performance way, so that's kind of the aspects of threat detection. - So one other final question for you is, another thing, since I just read this World Economic Forum report, it's kind of top of mind for me... another thing that they brought up is this kind of shift from just talking about cybersecurity to talking about cyber resilience. The first thing that I kind of note with that is okay, now we're saying it's inevitable to some degree.
No matter what you do, you will not be able to protect 100% 100% of the time - Right. - So you have to have a way to, you know, mitigate, you have to have a way to triage, you have to have a way to bounce back, or, you know, have a fail-safe, alternative plan, whatever it is. I want to kind of get your opinion of what is really important in that resilience space.
I mean, you're working on detecting threats, - Right. - so from your perspective, what is really the key thing people should be looking at from, I guess maybe it's the other side, the resilience side? - The whole idea of detection is we can give this immediate notification to our partners to do remediation, right? So the first thing to do is to make sure that your software is up to date and you have... and oftentimes, when you work with these partners, particularly, like, at home, for instance, you know, our AV is probably getting pushed and updated by default, but it's always good to verify that it is. The second thing, of course, to always... there needs to be a plan B for these cases, which I think people do very well in a commercial environment, but not as much, sometimes, at home, back up all your data. This is what I tell anybody I know is make sure you're backing it up and you're not having that connected to your PC, because, you know, it shouldn't be an extensible system, and that at least takes care of the fact that you're...
the recovery part of it, right? And the first part, of course... of course, they make these attacks so innocuous and enticing. It's very...
nobody knowingly will click on the email, but, you know, use as much as possible, as you touched on earlier, you know, use biometrics in your platform if it's available. The authentication becomes more reliable. You can authenticate it's you when you log into, could be any website or, you know, at work or outside, and likewise, the website can actually trust you. So I think there are other attributes to this whole thing.
And by the way, the larger security ecosystem is working diligently on that. Those are other aspects that I don't also need to pursue, correct? - So let me ask you a personal question, because you're sure such a techie... what do you do in computing that you know you shouldn't, or what do you not do that you know you should? - I've been in the security space for some years, so I should know this, but out of the blue, sometime, maybe three years ago, I got a call from someone saying, "Okay, I'm calling you from from this bank," which is a legitimate bank that I have a an account in, and they said, "We have a compromise, you know, we need to know your account number," right? And I was running from one building to another, from meeting to meeting; I didn't think about it, and I just gave the account number, and then they started saying Social Security number, and I've been in this space enough to say, "Wait a minute, this doesn't make sense."
I was just not in the moment when I was doing that. So I tell, you know, everybody I know, just, you know, there are, just don't give away your personal information, because that's the easiest way to compromise your system. But that's something we have to be...
It's like driving, you know, you can't... You know, every day you have to be focused, and likewise, I think, with security, we have to be deliberate in what we do, and use the tools that are available. You know, use the biometrics. If it's second factor authentication, use it. And that's what I try to do. I try to do those as much as I can.
- Thank you very much, Ram Chary, joining us from Intel, where he and his team invented threat detection technology, and he's Senior Director of Engineering in the Product Assurance and Security group within the Security Center of Excellence. Thanks so much for your time today. - Great! Thank you Camille. It was a great pleasure talking to you.
- [Announcer] Never miss an episode of "What That Means" with Camille by following us here on YouTube. You can also find episodes wherever you get your podcasts. - [Announcer] The views and opinions expressed are those of the guests and author, and do not necessarily reflect the official policy or position of Intel Corporation. (chiming music)
2024-08-10 11:13