- Good morning, everyone;
thank you for surviving
the Ritz presentation, my
presentation is going to talk
about how we integrate AI
technologies into cyber security,
at Check Point, intelligently,
and let me start off
with a few quotes from
individuals that we've all
learned to respect, starting
with Stephen Hawking;
he believed that the
development of full artificial
intelligence could spell
the end of the human race,
here's another quote from
Steve Wozniak, he believes
that computers are definitely
going to take over humans,
there's no question about it.
Elon Musk, he believes that
AI is the most likely cause
of World War III, and even
Vladimir Putin has noted
that the country that will
lead AI is the most likely
ruler of the world, so
clearly, we're doomed,
we're all going to succumb
to some evil computer,
sooner or later, and
whether you believe in this
bleak future or not,
one thing is undeniable,
and that is that everywhere
you go, everybody is talking
about artificial intelligence.
In fact, we're not just talking
about it, we're actually
putting our money where
our mouth is, with billions
of dollars that are
being invested currently
in AI technologies, and into
the companies that drive them,
and this is because when
we think of AI, we think
of the next industrial
revolution; if we look back
at the original industrial
revolution, it was all about
replacing muscles with machines,
machines that were stronger,
machines that were more
accurate, machines that do not get tired.
When we look at the AI
revolution, we're trying to do
something similar by replacing
human brains with machines,
machines that are smarter,
machines that are capable
of a much larger scale and are
faster, machines that do not
get bored, they do not
take a weekend break,
and while AI may seem like
a very futuristic concept,
the reality is that AI
is already around us,
everywhere we look, starting
with things like shopping
predictions; every online
retailer today offers
shopping predictions that
are based on AI technologies,
and when I go into my image
repository, in order to brag
about the cakes that I baked
for my girls over the years,
I no longer have to tag
each and every image,
I can just type cakes, and
all of the images that contain
a cake will show up immediately,
even this one, there
at the bottom that's shaped like a dog.
Speech recognition; personal
helpers such as Siri
and Cortana, and Alexa, we all
know they're still, somewhat
at their infancy, but
they are actually capable
of human like conversation, already today,
and this is just the tip
of the iceberg; really, AI
technologies are around us,
everywhere we look, touching
on every facet of our human existence;
with autonomous cars that
protect themselves using AI
technologies, and with the
entire financial sector
moving to AI based calculation
of your insurance risk,
and your loan eligibility,
and with robot lawyers
that are driven by AI algorithms
and offering legal advice,
and robot doctors that offer
AI based medical diagnostics.
Everywhere you look, AI is
there to take us to the next
level, and you have to ask yourself,
all of these technologies didn't use
to exist just a few, short
years ago, so why now?
That's the big question that
we need to ask ourselves,
why now?
And the reason is, much
like with many technological
breakthroughs, is that we
needed several technologies
to finally mature together,
and in the case of AI,
we're talking about three,
specific technologies,
or key technologies; the
first of which, is storage,
we are now capable of storing
gigantic amounts of data
at a fraction of what it
used to cost in the past,
just a few years ago; the
second thing that we needed
is compute, we now have
access to compute power
that was previously dream
like, and is capable,
allowing us to actually process
those gigantic mountains
of data that we've collected,
and the third and key
technology that needed to
mature, is the mathematics.
The math that drives all
of the AI algorithms,
and we've seen major
breakthroughs in the mathematics
in just the last four to
five years, and all of these,
together, mean that what
used to only be available
for academic research,
is now a viable baseline
for actually introducing
it into commercial product,
which is what we see all around us.
So let's ask the next question;
is artificial intelligence
magic, has the breakthrough
that we've seen in the past year
made it so that we now have an
engine, where we put data in,
and get the correct answer
out of it, every single time?
And in order to answer that,
I want to share with you
a couple of examples from recent
time, here's the first one.
This is Tay Bot; Tay Bot
is a Twitter chat bot
that was introduced by
Microsoft in March 2016,
and Tay Bot started chatting
with people on the internet,
and you know the internet
is a wonderful place
where you can meet all sorts
of people, and they can teach
you all sorts of things, so
this is what Tay Bot learned;
and these are some of the Tweets
that it started generating,
after just a few, short
hours of Tweeting with people
on the internet, and I
won't read it out loud,
but if you look at it, you can
see that it actually learned,
and then excelled, mostly at
profanity and racial bias.
So here's what you can learn
from this, and of course,
a few hours later, Microsoft
realized this is a catastrophe;
they shut it down, never to be seen again;
here's another example,
this is Google Translate,
a tool that we all love
and use on a daily basis
to help us translate the
world around us to a language
that we can understand,
and what you see here,
is a bunch of phrases
in the Turkish language.
Now, what you may not know,
is that Turkish is a gender
neutral language, that
means that both he and she
are referred to as "o" in Turkish,
and this is what we see
when we put these phrases
into Google Translate, and
we ask it to translate it
to English, and take a look
at the right hand side,
she's a cook, he's an
engineer, he's a doctor,
she's a nurse, look further
down, my favorite at the bottom;
he's happy, she's unhappy.
You can see the bias
throughout those translations,
and you have to ask yourself,
again, are the Google
engineers sexist?
Of course they're not, but
the way their engine learned
its language skills is by
reading and digesting every,
possible piece of text that
was made available to it,
and the gender bias, that
just exists in our culture;
okay, so we can agree that
AI with today's technology,
is still not magic, we're
decades away from that magical
engine that will always generate
the correct and the proper
response, but we can also agree
that it's far from useless,
in fact, it's very useful;
so how do we know which
application AI will be
the most useful for?
When should we apply AI in
order to get the best result?
So here's what a good AI
solution requires, it really
requires two things in
order to be a good solution,
the first of which is data,
and I don't just mean any data,
we need a lot, a lot
of data, and that data
needs to be rich enough that
it covers the entire scope,
and the entire versatility
of the problem that we
are trying to address, and
the second thing that we need
is expertise; we need two
types of expertise, in fact,
we need AI expertise, people
that actually understand
the mathematics, and how
to fine tune the algorithm,
those are key people that
you have to have when you're
building an AI based
solution, and the second thing
that you need is domain expertise.
Now, this may be counter
intuitive to the concept
of artificial intelligence,
but with today's technology,
we're still decades away
from having that self tuning,
self learning machine
that can learn anything,
and can then apply it to
solve a problem; with today's
technology, in order to solve
a problem, you need someone
that understands the domain,
so if you want to do proper
speech recognition, you need
somebody that understands
human speech pattern, and
if you want to do image
recognition, you need somebody
that understands digital
photography.
And when you want to apply
AI to cyber security,
you need somebody that
understands the cyber landscape,
and that brings me to my next
section, let's talk about
how we can use AI in cyber security,
and certainly, there's no
shortage of hype around use of AI
in cyber security, in fact,
every vendor out there
will tell you that they're using
AI, some will tell you this
is the core of what they're offering,
others will say this is just
part of a broader picture,
but everybody is talking
about it at some capacity
or another.
It would please me to ask
the same question, again;
is AI in cyber security magic;
is this the silver bullet
that our industry has been searching for,
and is trying to offer its customers?
Have we managed to overcome
all of the underlying problems
with AI in cyber security?
And of course, I don't need
to keep you in suspense,
the answer is, of course, no;
AI in cyber security suffers
from many of the same,
inherent, underlying problems
that we see in other fields, and sometimes
even more so; why?
Here are the key problems
with cyber security AI,
and it's no surprise, I'm
using the same graphics
just to tell you, that we
often don't have enough data,
and we don't have enough expertise.
Access to cyber security
training data is extremely
difficult; it is certainly
difficult if you're a small
start up, you simply don't have
access to that kind of data,
and there is no public
domain data that is relevant,
and that you can train
your engine based on,
and even if you're a major
vendor, it's still very
difficult, because customers
are very reluctant to share
their data with their vendors,
and even when they do,
they would typically
obfuscate it to death,
to the point where it becomes
useless, in order to train
your algorithm.
So access to data is a key
thing, and it's very difficult,
and you can only see the
amount of data that you need
if you're a major vendor,
with many customers that
has access to enough data
that would cover, again,
the entire scope of the problem
that we are trying to solve;
the other issue with AI
systems is that the verdict
that they offer is very
obscure, meaning AI systems
do not tend to explain themselves,
so you can either choose
to manually validate every
verdict that you get out
of the AI system, which of
course, is not very practical,
or you have to take a
certain leap of faith,
you have to trust the system
that whenever it gives
a verdict, this is the correct verdict,
and that would have been
okay, except the other thing
is that AI systems are kind
of notorious for having
a fairly high false detection rate.
They're very often, offering
the wrong conclusion
to the problem that
they're trying to address,
not always, but higher than
other engines that tend
to be more accurate, so if you
think of AI in other domains,
if among my images, my cake
images, I will have an image
or two of an ice cream cone, no harm done,
but in cyber security, a false
detection, a mis-detection,
a false positive; those can
have a very significant penalty
on an organization.
So AI is not the cyber security
magic that we would wish
that it will be, maybe it
will be in a few years,
but it's not there quite now,
but it is far from useless,
very far, and when we
actually look down, into it,
all of these algorithms,
the machine learning,
the deep learning, the
deep, big data analytics,
all of these are actually
revolutionizing cyber security,
and why do I say that they
are revolutionizing it?
Because they are offering us
the opportunity to actually
address the problem at
a much larger scale;
they're allowing us to automate
tasks that were previously
only handled by human analysts,
and smart ones, at that,
and there are very few of
those people running around
that you can actually use, so
we can scale our operation,
and we're now able to finally
make sense of those gigantic
amounts of log data that
we've so diligently collected,
only to never look at, again.
These are all things
that we can do with AI,
and of course, at Check
Point, we've acknowledged
the potential of AI to
address those problems
in the modern world, and
we started investing in it
a few years ago, which
takes me to my last segment
of this presentation, which
is how we use AI technologies
at Check Point, in order to
offer our customers the benefit
of the latest, most advanced
technologies out there
in the market, in the most
practical manner possible.
So as we strive to offer
you the best security,
we've started introducing
AI based engines into our
threat prevention products
week, already a few years ago,
and some of these
technologies exist today,
under the hood, which you
may or may not be aware of,
and I want to share with
you, some details about three
of these engines that might interest you,
and the success that
we've seen through them.
And here's the first one;
this is an engine that we call
Campaign Hunting, and the
purpose of this engine,
is to offer predictive
threat intelligence,
and what does that mean?
If I see an indicator of
compromise, for example,
a malicious URL, and I'm a
smart analyst, and I have the
skills and the intuition
to go look for additional
IOCs, I will very often find
similar IOCs that are part
of the same campaign;
those will be URLs that are
probably registered by the same person,
probably the same time
frame, maybe using a similar
lexicographic pattern,
and it's very easy for me,
using my intuition to say,
okay, these 20 are identical
to this first one that I've
seen in one of the attacks,
therefore, I should incriminate these 20,
and add them to my threat intelligence.
So what we've done with Campaign Hunting,
is we've mechanized this
process; we've taken that human
intelligence and intuition,
and taught it to a machine
that is now capable of digesting
not just a few dozen IOCs
per day, but rather thousands
and hundreds of thousands
and millions of IOCs, and
look through every single one
of them, and deduce whether
we can find similar ones,
as well, and the result
is that we now have
an additional feed, in
our threat intelligence,
that allows us to expose
additional, unknown,
malicious domains.
We are capable of attributing
an attack to a particular
campaign, because we know they
are part of the same family,
and we are able to enrich
our threat intelligence
with predictive campaign prevention,
meaning this is offering
us first time prevention
through IOCs that were never
seen as part of an attack
before, but we still know
that if we will see them,
they should be blocked.
And here are some numbers
to associate with that;
these are the various
feeds that we use in threat
intelligence, and this is
a unique contribution that
they offer to our block
rate, and what you can see,
is that 10% out of the
attacks that we block,
are blocked based on
intelligence that we wouldn't
have had without Campaign
Hunting, so it doesn't mean
that we catch only 10% with
those IOCs, it means that 10%
of the attacks that we
block, are blocked solely
based on this engine, and we wouldn't have
blocked them, otherwise.
So that's the benefit,
and this is one of our top
performing feeds, and we're
very proud of this feed,
and continue to enhance it
and improve the technology
and the AI that's behind
it, in order to give it
even better results; here's
another engine, we call this
engine Huntress, and Huntress
is designed to uncover
malicious executables,
now, determining whether
an executable is malicious or
not, is one of the toughest
problems in our cyber
security; unlike documents
that need to adhere to
a certain set of rules,
and are limited by the operating
system and what they are
allowed and not allowed to
do, executables are designed
to be allowed to do
anything, so deciding if what
they're doing is malicious
or not, is not trivial;
luckily, for us, we have
the domain expertise,
and we understand how hackers operate,
and we therefore know that
hackers rarely, if ever, write
the entire code from scratch.
What they would usually do
is either reuse preexisting
pieces of code, or they
will use preexisting logic
that drives similar action,
that is part of their
malicious attack, and we
use those similarities,
in order to identify whether
an executable is malicious
or not; how do we do it?
We let the executable run in
our dynamic, runtime simulation
environment, our sandbox,
while it's running,
we collect hundreds of
different runtime parameters,
every API call, the sequence,
whatever it's touching
on the operating system,
and we feed those hundreds
of parameters to an AI based
engine, that is then able to
classify this executable,
and say whether it's similar
to a malicious executable or not,
and the results, on average,
13% of the executables
that our system is now capable
of determining as malicious,
are determined as such by Huntress.
Again, it's not that this
engine only identifies 13% of
the malicious executables,
but the unique contribution,
the one that we wouldn't
have had without this engine,
comes up to roughly 13% on average,
and here's the third one;
this one is called Cadet,
Cadet stands for Context Aware Detection,
and this is an engine we
are particularly proud of,
because this is where we are
harnessing the real power,
the true power of Check
Point, and as you all know,
with our Infinity platform,
Check Point covers
the entire IT spectrum, and
gives us access and visibility
into every part of your
IT, from your networks,
to your data centers, to
your cloud environments,
your endpoints, your mobile
devices; we have the ability
to see the full picture,
and get the right context.
So rather than inspecting
an element on its own,
and trying to determine
whether it's malicious or not,
we take the element itself,
and the entire context
that surrounds it; how did
this element get into my IT?
Did it come through an
email attachment, or is it
a web download?
And if it's a web download,
how did this user get
to that link?
Was it in an email, a URL
that he received in an email
that he clicked on?
Maybe it got through an SMS
message with a link in it;
all of this context actually
matters and gives us valuable
information, that allows us
to make better determination,
and what we do, is we now
inspect the full context,
and the element itself, we
collect thousands of different
parameters from these things,
and together, we feed them
into our Cadet AI based
engine, and ask it to reach
a verdict; a single, accurate verdict,
and this technology is
currently being introduced
into our products, so we
only have preliminary results
for it, but already, they
are very promising results,
and we see that in terms
of our detection rate,
there's a twofold increase in
that in our detection rate,
and a staggering tenfold
decrease in our false
positive rate.
So these are very impressive
results, but what's more
impressive is to say that
these are not just numbers
that I get to put on a slide
and brag about in front
of an audience, this is
not a mathematical game;
this is all about making
security practical,
and the accuracy of an
engine, is the key thing
that makes it practical.
If an engine is too noisy,
it simply will not be put
into production, it
creates too much chaos,
it creates too much overhead
for the IT department,
so it won't be put into
production, and it certainly
will not be put into prevent mode,
and the only way to have
security in your organization,
is if you make it practical,
so that the IT team
is willing and capable
to actually introduce it
into their environment, so
when we, at Check Point,
look at AI technologies, we
rarely put them on their own;
we combine them with a
bunch of expert systems
and other engines, that
when combined, will deliver
the right metrics that we
think our customers deserve.
We only put AI technologies
where we can prove to ourselves
that we can actually improve
the metrics that actually
matter, the metrics that
actually make our security
consumable and practical
for our customers,
and this is why intelligent
use of AI technologies
is just one more reason why,
when it comes to prevention,
Check Point is the vendor to choose;
thank you very much.
(applause)
