New AI based solution seeking design partners

Discussion in 'AI Technologies' started by Rmuffler, Sep 14, 2023.

  1. Rmuffler

    Rmuffler Former Eset Moderator

    Joined:
    Jun 26, 2008
    Posts:
    1,000
    Location:
    Bismarck, ND USA
    It has been a long time since last posting on the Wilders Security Forums. I am sharing this thread with the community because of a new and exciting cybersecurity venture. We are looking for interested security professionals and organizations who would like to collaborate with us as design partners.

    We are UpSight Security and our product analyzes an attacker's techniques like a language. By looking at an attack like a language, it predicts the next attack word (technique of the attack) to then interdict, preventing execution, and it fully evicts all of the attack's techniques by quarantining anything malicious, removing persistence, and any other steps that took place. Sanitation like this typically requires diligence and a lot of interaction from security teams.

    Our goal is to fight AI with AI. Threat actors are now leveraging generative AI and GPT type of tools to make their attacks more articulate, error-free, in the native language, and life-like with understanding of conversational context. These attacks don't just target email, they also go after Teams, Slack, Zoom, and many other collaboration tools. Here is a really interesting read about how ChatGPT can be used for offensive security, and it is a motivator to help create a technology that doesn't put all the pressure on the user to outsmart an AI assisted attack.
    https://www.linkedin.com/posts/dail...la?utm_source=share&utm_medium=member_desktop

    For anyone who is interested, we would like to share an early preview of what we are working on and we are recruiting design partners to collaborate with us as we refine the product. We are excited to invite you to a live preview of what the team has been working on this Friday, September 15th @ 11:30 am Eastern (8:30 am Pacific). We also are giving a live threat demo to show a glimpse of the product's capabilities.

    Fill out the form to request your invite.
    https://forms.gle/KbNn7rRdHxzGU8yi9
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,635
    Location:
    The Netherlands
    I must say it sounds interesting, but I'm also a bit skeptical. I remember that Cylance also claimed that it was better than existing solutions years ago, but it turned out to be pretty bad at blocking malware. And everyone is trying to jump aboard of this AI train nowadays.

    That being said, can you explain why this will work better than current EDR systems, or is it perhaps meant to augment this stuff? And why does it have to be cloud based, if it's such a smart AI system, it should be able to block attacks on the endpoint without the cloud.

    But I must say the website looks nice and simple, let's keep it this way. However, when you search for UpSight Security, you will get to see your old website on top of the Google search results, which is offline. So you guys need to fix this. And will you guys also release this tool for home user PC's? :thumb:
     
  3. Rmuffler

    Rmuffler Former Eset Moderator

    Joined:
    Jun 26, 2008
    Posts:
    1,000
    Location:
    Bismarck, ND USA
    I appreciate your reply Rasheed187 and your comment on the website. I'll look into how we can get the search results re-indexed to show the new upsight.ai domain as the result.

    Regarding your questions:

    EDR topic - We are different from an EDR in the sense that we are avoiding alert fatigue and the need for more human interaction to work those alerts. The industry is already hurting for resources and managed services are an attempt towards filling that gap. Instead, UpSight performs the heavy lifting and actionability. As it is reading the attack and predicting the next technique or stage, it is building what we internally call our attack sentences. Since we are using NLP, the product reads the techniques like an attack sentence. You can picture MITRE converted into a dictionary, with the words forming a sentence being the techniques and tactics that are used. The UpSight client streams what's happening to the cloud so that it can be visualized as an attack graph with the details about each event in the attack. The client also locally prevents the malicious execution of the attack, then unwinds the sentence (steps) that the attack took on the system. Those are things that an EDR would be used to detect and then correlate so that a SOC analyst could manually clean them up or create rules to watch for and clean up, while the AV is preventing execution and malicious content. With the burden and challenges that security already places on the teams and people in those roles, we really want to deliver a product that works for them and will reduce pain in the industry. We aren't an EDR or AV replacement because our first iterations focus on high organizational impact attacks like phishing, credential theft, and ransomware.

    Cloud topic - Our product intelligence is at the endpoint in our client's NLP model. When using the term 'cloud based', we really just mean that we are a multi-tenant capable SaaS solution that the security users (team) can log into through a web portal to manage the client and access the attack events/graphs. During my time at multiple security vendors, I have seen the positives and the negatives of having the intelligence on the endpoint, in the cloud, or both. I agree that local is a preferred approach and we don't want to be reliant upon an available web connection to ensure prediction, interdiction, and eviction.

    Home user topic - UpSight first began as a home user product with our two founders. As they began sharing what they have been working on, the initial direction for the company has been adjusted to a B2B focus. We have internally discussed ways that we can also share this with consumers, but our first goal is to ensure value that secures organizations.

    Happy to chat more with you and others here who are interested in this new approach and we're excited to work with anyone who would like to have influence on where we go with the product roadmap.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,635
    Location:
    The Netherlands
    Thanks for the info, but to be honest it's still not clear to me. So here are a couple of more comments.

    But how will you block the malware attacks? It's still with an app running on the endpoint right? And I assume it's still using the exact same techniques as AV's and behavior blockers do? With that I mean, it doesn't use signatures but looks at suspicious behaviors and then blocks malware either post or pre execution?

    Yes, I understand that especially AV's rely heavily on the cloud, but when it comes to behavior blocking I think it makes more sense to do this locally.

    OK cool, perhaps I'm still misunderstanding what this product is about, and how it's different to other already existing solutions. But if you ever release it as home user product, you can perhaps copy the model that Sophos is using. Basically, Sophos Intercept X is based on HitmanPro.Alert which is meant to protect home user PC's. And they get quite a lot of feedback on this forum which they can use to improve their enterprise product.
     
    Last edited: Sep 28, 2023
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,635
    Location:
    The Netherlands
    BTW, I wonder if you can perhaps explain how your product is different from Deep Instinct, which also uses AI in order to protect endpoints. I think this might help me to understand it all better.

    https://www.deepinstinct.com/endpoint-security
    https://www.tomshardware.com/news/deep-instinct-deep-learning-malware-detection,31079.html
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,635
    Location:
    The Netherlands
    Are you still there? I haven't been able to find any technical information about your product, except for a couple of videos on your YouTube channel. Has the product been improved since then?

    https://www.youtube.com/channel/UCy2CJcecqre-XMuePAB9jVw
     
  7. Rmuffler

    Rmuffler Former Eset Moderator

    Joined:
    Jun 26, 2008
    Posts:
    1,000
    Location:
    Bismarck, ND USA
    Hi @Rasheed187, I appreciate your patience and interest in our solution. We are working on a new demo video to show our solution in action, I expect it to be posted on our YouTube channel in a couple of weeks. I am also working on some content to share from our website.

    In a previous post you asked how we differ from Deep Instinct. My understanding of Deep Instinct is that they are leveraging AI to perform static analysis. When we look at the evolution of solutions, the method for analyzing threats has adapted and evolved over time so that we can better protect ourselves. As an example, we as an industry have progressed from signature based AV, to application control, to sandboxing, to NGAV (static analysis using AI), and are now at the point of EDR. Yet, with this continued evolution the scale of threats is also growing larger by creating products that consume more data from devices to protect them. This in turn also causes more alerts and more people power to work through the big data problem. I have seen the benefits of static analysis using AI models during my time as the product manager for CylancePROTECT; the industry definitely needed to evolve. EDR has been brought front and center though because it isn't enough to run only static analysis using whatever NGAV AI solution we pick. EDR gives detection visibility, and with that comes the big data as well as the noise issue. Our proposal is that Predictive AI is the answer to evolving the security approach. If we can use Predictive AI at the core of consumer tools like Amazon, Google, Tesla, Netflix, and others, we are proving that it is also extremely valuable to use as an AI to predict attack behaviors. A friend recently gave me the following analogy:

    Similar to how we as humans read, the old method was to memorize the dictionary and form signatures. The current method is to run as many words in a dictionary as possible through a machine learning model, then use that output to help identify the relation of newly created words. This is still challenging though because the models are regularly updated to ensure they don't false on a new word. At UpSight, we predict the meaning from our understanding of context. Even if a word (attack) is unfamiliar, if it is in the spot of a verb and from context we can deduce it is good or bad, we then protect from new attacks at scale. We then don't need a solution that is at the scale of every attack permutation.

    Regarding your earlier questions about where the product and intelligence operates, you are correct, the UpSight client runs on the device and the local AI protects the device without needing cloud interaction or massive amounts of events pushed to the cloud for intervention. Our goal is to remove pain, time, and data costs with this new era approach to protection. We are able to run alongside any endpoint prevention and EDR solution that is in place and we do not collide or conflict with those solutions. This is a context-based approach to security using a Predictive AI model. MITRE did a good job of showing the world that attacks are techniques and it is like a periodic table; from that we literally look at attacks like a sentence. We predict, based upon the context of what is happening, the next step of an attack so that we can then block malicious execution. But UpSight's extremely unique super power is that, because of that context, we can also unwind the attack techniques from the machine like a CTRL+Z. Imagine the attack modified a registry entry to create persistence, then a malicious file was executed. We prevent the malicious file and then remove the persistence by fixing the registry modification, and it is all done automatically in real-time as the attack chain is trying to take malicious steps on the device.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,635
    Location:
    The Netherlands
    Thanks for taking the time to provide this information and can't wait for the demo. I will not pretend I fully understood everything, for example you say there is indeed a difference between Deep Instinct and your product when it comes to the way AI is being used, so it sounds interesting.

    And good to know that your product will be able to run alongside AV's and EDR's, and does not depend on the cloud. I think this is a smart move. Because competing directly with the bigger companies is quite hard, unless you can differentiate yourself, so that's why I wondered about this aspect.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,635
    Location:
    The Netherlands
    BTW, here is another product that claims to rely heavily on AI. Is this also a bit comparable to UpSight? To clarify, if you say there is no difference, that's fine with me. As long as your product is indeed able to block most malware/phishing attacks, that's all I care about.

    https://darktrace.com/pducts/detect
     
  10. Rmuffler

    Rmuffler Former Eset Moderator

    Joined:
    Jun 26, 2008
    Posts:
    1,000
    Location:
    Bismarck, ND USA
    Hi @Rasheed187, my limited understanding of Darktrace is that they have some machine learning that performs some anomaly detection, analyzing if something does not look normal on your organization's network. They also pair that with a predefined set of rules to trigger alerts on suspicious network activity. From looking further at what their product does, it also looks like tuning is required to ensure you don't get false positive alerts. The positive aspect of potential noise though is that their customers are able to see detail on what is happening in their network. I could see it as something a large enterprise would be able to assign resources and time to using in their organization. Small and medium-sized organizations likely don't have those specialized resources to monitor or tune a security product, and would benefit from an MDR provider if they wanted to leverage such a tool.

    We are also different from Darktrace in our approach. UpSight's predictive intelligence lives directly on devices in a customer's organization through the use of our Natural Language Processing built into our thin client that is installed on and runs on devices. We have taken this approach for a number of reasons.
    • Attacks happen at the device level and we want our predictive capability to perform the analysis locally without needing to rely on intelligence in the "cloud".
    • Following that, we also don't want to tax our customers' environments by gathering tons of events that may be benign or hinder budgets by sending a ton of data upstream to a cloud application to correlate, use for detections, and store. This allows us to focus on the attack and send only the attack behaviors (events) to the cloud for display in our attack graph.
    • This enables our client to perform the automatic correlation locally, reducing data sent to the cloud and any further work needed to perform an investigation. Imagine if an attack modifies the registry to create a scheduled task that executes a credential stealer a few days or weeks later. In many cases, an EDR or XDR tool collects this data but cannot correlate the events due to how the behaviors occur and the time between them.
    • From an actionability perspective, it is also important that the attack is addressed in real-time locally. We correctly correlate these behaviors, predict that it will execute a credential stealer at some point as the next possible behavior so that we can block it, and then our local client also sanitizes the malicious registry edit so that the attack is fully remediated. An EDR and XDR tool would require manual work on an investigation to remediate this attack or the creation of an automated response rule that specifically looks for the scenario. The UpSight customer instead looks at their portal to see what has already been actioned upon (prevented and remediated).
    • Importantly, these savings benefit the local device because event capture and transfer is heavy and expensive.

    UpSight was founded on the motto that we deliver "security that works for people." We see this as a differentiator as well for the reasons mentioned above. Attacks continue to increase and take malicious action more rapidly (at an attacker's AI scale), lowering dwell time which equates to less time to respond. The industry is in need of more security professionals. Yet, all of the latest and greatest tools require time, energy, and a lot of data to secure an organization. It is honestly a giant mountain for many organizations to climb.

    We are taking a completely different approach by using UpSight's predictive AI locally to detect, prevent, and evict attacks in their entirety. Customers can continue to leverage their existing tools and intelligence in the cloud that analyzes their large sums of data, and meanwhile we will act in real-time locally to only "alert" on attacks that were stopped. We see those detection tools as useful; there is no such thing as perfection in security and the benefit is that a customer can leverage those conventional tools for uncovering possible threats. This is better than using the tools as a primary means to respond to any or all attacks after their harmful actions.
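The predict / interdict / evict loop that the two Rmuffler posts above describe (attack techniques treated as the words of a sentence, the next word predicted from context, and the chain's host changes unwound like a CTRL+Z, for example a Run-key persistence entry written before a scheduled credential stealer fires) can be sketched in a few dozen lines. The Python below is an added illustrative example; it is not UpSight's code and not anything a poster in this thread wrote. The technique IDs are MITRE ATT&CK identifiers used only as vocabulary tokens, and the training chains, the block policy, the 0.6 confidence threshold and the in-memory host model are all constructed assumptions standing in for real telemetry and OS hooks.

```python
"""Toy 'attack sentence' model: added example, not UpSight's or any poster's code.
Observed ATT&CK technique IDs are treated as words; an n-gram model trained on
constructed chains predicts the next word, a policy interdicts it, and a journal
of reversible host changes is unwound so the chain's footprint is removed."""
from collections import Counter, defaultdict

# Constructed training corpus: ordered ATT&CK technique IDs per hypothetical chain
# (T1566 phishing, T1204 user execution, T1059 scripting interpreter, T1105 ingress
# tool transfer, T1547 autostart persistence, T1053 scheduled task, T1555
# credentials from password stores, T1003 credential dumping, T1486 encryption).
TRAINING_CHAINS = [
    ["T1566", "T1204", "T1059", "T1547", "T1555"],
    ["T1566", "T1204", "T1059", "T1053", "T1555"],
    ["T1566", "T1204", "T1105", "T1547", "T1003"],
    ["T1566", "T1204", "T1059", "T1053", "T1486"],
    ["T1204", "T1059", "T1547", "T1555"],
]
BLOCK_ON_PREDICTION = {"T1555", "T1003", "T1486"}  # constructed interdiction policy


class TechniqueNgramModel:
    """Transition counts for context lengths 1..order-1, longest-context backoff."""

    def __init__(self, chains, order=3):
        self.order = order
        self.tables = {k: defaultdict(Counter) for k in range(1, order)}
        for chain in chains:
            for i in range(1, len(chain)):
                for k in range(1, min(order, i + 1)):  # k <= i so the slice is valid
                    self.tables[k][tuple(chain[i - k:i])][chain[i]] += 1

    def predict_next(self, sentence):
        """Return (technique, probability) of the most likely next word, or None."""
        for k in range(min(self.order - 1, len(sentence)), 0, -1):
            counts = self.tables[k].get(tuple(sentence[-k:]))
            if counts:
                technique, n = counts.most_common(1)[0]
                return technique, n / sum(counts.values())
        return None


def new_host():
    """Simulated host state; a constructed stand-in for registry/task/file APIs."""
    return {"registry": {}, "tasks": set(), "files": set()}


def apply_change(host, change):
    """Apply one host change and return (description, undo callable)."""
    kind, *args = change
    if kind == "registry":
        key, value = args
        old = host["registry"].get(key)
        host["registry"][key] = value

        def undo():
            if old is None:
                host["registry"].pop(key, None)
            else:
                host["registry"][key] = old
        return f"registry {key}", undo
    store = host["tasks"] if kind == "task" else host["files"]
    store.add(args[0])
    return f"{kind} {args[0]}", lambda: store.discard(args[0])


class ChangeJournal:
    """Ordered record of reversible changes made by a suspected chain."""

    def __init__(self):
        self.entries = []

    def record(self, technique, description, undo):
        self.entries.append((technique, description, undo))

    def unwind(self):
        """Undo every recorded change newest-first (the CTRL+Z the thread describes)."""
        undone = []
        for technique, description, undo in reversed(self.entries):
            undo()
            undone.append(f"{technique}: {description}")
        self.entries.clear()
        return undone


def process_events(events, model, host, threshold=0.6):
    """Stream (technique, change) events: apply, journal, predict, arm, interdict."""
    journal, sentence, armed = ChangeJournal(), [], None
    for technique, change in events:
        if technique == armed:  # the predicted malicious step arrived: block and evict
            return {"blocked": technique, "sentence": sentence, "undone": journal.unwind()}
        if change is not None:
            journal.record(technique, *apply_change(host, change))
        sentence.append(technique)
        prediction = model.predict_next(sentence)
        armed = None
        if prediction and prediction[0] in BLOCK_ON_PREDICTION and prediction[1] >= threshold:
            armed = prediction[0]
    return {"blocked": None, "sentence": sentence, "undone": []}


def demo():
    """Constructed chain: phishing lure, dropped stager, script, Run-key
    persistence, then an attempt to read browser credential stores."""
    host = new_host()
    stager = r"C:\Users\alice\AppData\Local\Temp\stage.exe"
    events = [
        ("T1566", ("file", r"C:\Users\alice\Downloads\invoice.docm")),
        ("T1204", ("file", stager)),
        ("T1059", None),
        ("T1547", ("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater", stager)),
        ("T1555", ("file", r"C:\Users\alice\AppData\Local\Temp\creds.txt")),
    ]
    return host, process_events(events, TechniqueNgramModel(TRAINING_CHAINS), host)


if __name__ == "__main__":
    host, result = demo()
    print("blocked:", result["blocked"], "after sentence", " ".join(result["sentence"]))
    for line in result["undone"]:
        print("undone:", line)
```

Two design points worth noticing: the interdiction decision is taken at prediction time (after the persistence write, the model assigns probability 1.0 to a credential-store technique, so the client is "armed" before that step executes), and the journal is what makes eviction cheap, because every change applied while the sentence is being read already carries its own inverse. A real client would have to populate that journal from kernel or ETW hooks and quarantine rather than delete files; the sketch keeps both in memory so it runs offline.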
     
  11. Rmuffler

    Rmuffler Former Eset Moderator

    Joined:
    Jun 26, 2008
    Posts:
    1,000
    Location:
    Bismarck, ND USA
    We are excited to host another upcoming UpSight Demo Day on December 7th and look forward to having the Wilders Security community join us. Here is a link to more information and our signup form. You can also message me directly if you would like to be included on the meeting invite.

    https://www.linkedin.com/feed/update/urn:li:activity:7132772051274113024

    Details
    When: Thursday, December 7th @ 11 am Eastern (8 am Pacific)
    Where: online remote Zoom meeting
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,635
    Location:
    The Netherlands
    Thanks for all of the info, so basically if I understood correctly, the major difference between UpSight and others is that it's not depending on the cloud and signatures in order to protect the endpoint? So it's basically a smart behavior blocker, cool. Too bad that you guys are not planning to release it for home user PC's, but I'm not sure what the hardware requirements will be. I look forward to the demo. :thumb:
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,635
    Location:
    The Netherlands
    I saw the demo, but to be honest it still wasn't completely clear to me how AI is being used in a new way. So let's say someone downloads some infostealer that is able to bypass AV. I assume UpSight will monitor for all kinds of malicious behaviors that are mentioned in MITRE. And let's say this infostealer tries to access cookies and passwords and then tries to inject code into the browser in order to bypass the firewall. I assume UpSight will block these possibly malicious behaviors just like any other behavior blocker. So where does AI come into play?
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,635
    Location:
    The Netherlands
    I see you guys will be on RSA2024, let me know how it goes. Do you guys already have any customers or do you guys hope for a takeover? I mean AI is a pretty hot buzzword nowadays. Did you see that Darktrace got bought by investment company Thoma Bravo, who also bought Sophos 4 years ago? BTW, I still need to look at your latest video. :)

    https://www.thisismoney.co.uk/money...ace-agrees-4-3bn-private-equity-takeover.html
    https://www.linkedin.com/posts/upsi...omware-with-activity-7192267834624770048-ch7R
     