- Good morning, everyone;
thank you for surviving the Ritz presentation, my
presentation is going to talk about how we integrate AI
technologies into cyber security, at Check Point, intelligently,
and let me start off with a few quotes from
individuals that we've all learned to respect, starting
with Stephen Hawking; he believed that the
development of full artificial intelligence could spell
the end of the human race, here's another quote from
Steve Wozniak, he believes that computers are definitely
going to take over humans, there's no question about it. Elon Musk, he believes that
AI is the most likely cause of World War III, and even
Vladimir Putin has noted that the country that will
lead AI is the most likely ruler of the world, so
clearly, we're doomed, we're all going to succumb
to some evil computer, sooner or later, and
whether you believe in this bleak future or not,
one thing is undeniable, and that is that everywhere
you go, everybody is talking about artificial intelligence. In fact, we're not just talking
about it, we're actually putting our money where
our mouth is, with billions of dollars that are
being invested currently in AI technologies, and into
the companies that drive them, and this is because when
we think of AI, we think of the next industrial
revolution; if we look back at the original industrial
revolution, it was all about replacing muscles with machines, machines that were stronger,
machines that were more accurate, machines that do not get tired. When we look at the AI
revolution, we're trying to do something similar by replacing
human brains with machines, machines that are smarter,
machines that are capable of a much larger scale and are
faster, machines that do not get bored, they do not
take a weekend break, and while AI may seem like
a very futuristic concept, the reality is that AI
is already around us, everywhere we look, starting
with things like shopping predictions; every online
retailer today offers shopping predictions that
are based on AI technologies, and when I go into my image
repository, in order to brag about the cakes that I baked
for my girls over the years, I no longer have to tag
each and every image, I can just type cakes, and
all of the images that contain a cake will show up immediately,
even this one, there at the bottom that's shaped like a dog. Speech recognition; personal
helpers such as Siri and Cortana, and Alexa, we all
know they're still, somewhat at their infancy, but
they are actually capable of human like conversation, already today, and this is just the tip
of the iceberg; really, AI technologies are around us,
everywhere we look, touching on every facet of our human existence; with autonomous cars that
protect themselves using AI technologies, and with the
entire financial sector moving to AI based calculation
of your insurance risk, and your loan eligibility,
and with robot lawyers that are driven by AI algorithm
and offering legal advice, and robot doctors that offer
AI based medical diagnostics. Everywhere you look, AI is
there to take us to the next level, and you have to ask yourself, all of these technologies didn't use to exist just a few, short
years ago, so why now? That's the big question that
we need to ask ourselves, why now? And the reason is, much
like with many technological breakthroughs, is that we
needed several technologies to finally mature together,
and in the case of AI, we're talking about three,
specific technologies, or key technologies; the
first of which, is storage, we are now capable of storing
gigantic amounts of data at a fraction of what it
used to cost in the past, just a few years ago; the
second thing that we needed is compute, we now have
access to compute power that was previously dream
like, and is capable, allowing us to actually process
those gigantic mountains of data that we've collected,
and the third and key technology that needed to
mature, is the mathematics. The math that drives all
of the AI algorithms, and we've seen major
breakthroughs in the mathematics in just the last four to
five years, and all of these, together, mean that what
used to only be available for academic research,
is now a viable baseline for actually introducing
it into commercial product, which is what we see all around us. So let's ask the next question;
is artificial intelligence magic, has the breakthrough
that we've seen in the past year made it so that we now have an
engine, where we put data in, and get the correct answer
out of it, every single time? And in order to answer that,
I want to share with you a couple of examples from recent
time, here's the first one. This is Tay Bot; Tay Bot
is a Twitter chat bot that was introduced by
Microsoft in March 2016, and Tay Bot started chatting
with people on the internet, and you know the internet
is a wonderful place where you can meet all sorts
of people, and they can teach you all sorts of things, so
this is what Tay Bot learned; and these are some of the Tweets
that it started generating, after just a few, short
hours of Tweeting with people on the internet, and I
won't read it out loud, but if you look at it, you can
see that it actually learned, and then excelled, mostly at
profanity and racial bias. So here's what you can learn
from this, and of course, a few hours later, Microsoft
realized this is a catastrophe; they shut it down, never to be seen again; here's another example,
this is Google Translate, a tool that we all love
and use on a daily basis to help us translate the
world around us to a language that we can understand,
and what you see here, is a bunch of phrases
in the Turkish language. Now, what you may not know,
is that Turkish is a gender neutral language, that
means that both he and she are referred to as "o" in Turkish, and this is what we see
when we put these phrases into Google Translate, and
we ask it to translate it to English, and take a look
at the right hand side, she's a cook, he's an
engineer, he's a doctor, she's a nurse, look further
down, my favorite at the bottom; he's happy, she's unhappy. You can see the bias
throughout those translations, and you have to ask yourself,
again, are the Google engineers sexist? Of course they're not, but
the way their engine learned its language skills is by
reading and digesting every, possible piece of text that
was made available to it, and the gender bias, that
just exists in our culture; okay, so we can agree that
AI with today's technology, is still not magic, we're
decades away from that magical engine that will always generate
the correct and the proper response, but we can also agree
that it's far from useless, in fact, it's very useful;
so how do we know which application AI will be
the most useful for? When should we apply AI in
order to get the best result? So here's what a good AI
solution requires, it really requires two things in
order to be a good solution, the first of which is data,
and I don't just mean any data, we need a lot, a lot
of data, and that data needs to be rich enough that
it covers the entire scope, and the entire versatility
of the problem that we are trying to address, and
the second thing that we need is expertise; we need two
types of expertise, in fact, we need AI expertise, people
that actually understand the mathematics, and how
to fine tune the algorithm, those are key people that
you have to have when you're building an AI based
solution, and the second thing that you need is domain expertise. Now, this may be counter
intuitive to the concept of artificial intelligence,
but with today's technology, we're still decades away
from having that self tuning, self learning machine
that can learn anything, and can then apply it to
solve a problem; with today's technology, in order to solve
a problem, you need someone that understands the domain,
so if you want to do proper speech recognition, you need
somebody that understands human speech pattern, and
if you want to do image recognition, you need somebody
that understands digital photography. And when you want to apply
AI to cyber security, you need somebody that
understands the cyber landscape, and that brings me to my next
section, let's talk about how we can use AI in cyber security, and certainly, there's no
shortage of hype around use of AI in cyber security, in fact,
every vendor out there will tell you that they're using
AI, some will tell you this is the core of what they're offering, others will say this is just
part of a broader picture, but everybody is talking
about it at some capacity or another. It would please me to ask
the same question, again; is AI in cyber security magic;
is this the silver bullet that our industry has been searching for, and is trying to offer its customers? Have we managed to overcome
all of the underlying problems with AI in cyber security? And of course, I don't need
to keep you in suspense, the answer is, of course, no;
AI in cyber security suffers from many of the same,
inherent, underlying problems that we see in other fields, and sometimes even more so; why? Here are the key problems
with cyber security AI, and it's no surprise, I'm
using the same graphics just to tell you, that we
often don't have enough data, and we don't have enough expertise. Access to cyber security
training data is extremely difficult; it is certainly
difficult if you're a small start up, you simply don't have
access to that kind of data, and there is no public
domain data that is relevant, and that you can train
your engine based on, and even if you're a major
vendor, it's still very difficult, because customers
are very reluctant to share their data with their vendors,
and even when they do, they would typically
obfuscate it to death, to the point where it becomes
useless, in order to train your algorithm. So access to data is a key
thing, and it's very difficult, and you can only see the
amount of data that you need if you're a major vendor,
with many customers that has access to enough data
that would cover, again, the entire scope of the problem
that we are trying to solve; the other issue with AI
systems is that the verdict that they offer is very
obscure, meaning AI systems do not tend to explain themselves,
so you can either choose to manually validate every
verdict that you get out of the AI system, which of
course, is not very practical, or you have to take a
certain leap of faith, you have to trust the system
that whenever it gives a verdict, this is the correct verdict, and that would have been
okay, except the other thing is that AI systems are kind
of notorious for having a fairly high false detection rate. They're very often, offering
the wrong conclusion to the problem that
they're trying to address, not always, but higher than
other engines that tend to be more accurate, so if you
think of AI in other domains, if among my images, my cake
images, I will have an image or two of an ice cream cone, no harm done, but in cyber security, a false
detection, a mis-detection, a false positive; those can
have a very significant penalty on an organization. So AI is not the cyber security
magic that we would wish that it will be, maybe it
will be in a few years, but it's not there quite now,
but it is far from useless, very far, and when we
actually look down, into it, all of these algorithms,
the machine learning, the deep learning, the
deep, big data analytics, all of these are actually
revolutionizing cyber security, and why do I say that they
are revolutionizing it? Because they are offering us
the opportunity to actually address the problem at
a much larger scale; they're allowing us to automate
tasks that were previously only handled by human analysts,
and smart ones, at that, and there are very few of
those people running around that you can actually use, so
we can scale our operation, and we're now able to finally
make sense of those gigantic amounts of log data that
we've so diligently collected, only to never look at, again. These are all things
that we can do with AI, and of course, at Check
Point, we've acknowledged the potential of AI to
address those problems in the modern world, and
we started investing in it a few years ago, which
takes me to my last segment of this presentation, which
is how we use AI technologies at Check Point, in order to
offer our customers the benefit of the latest, most advanced
technologies out there in the market, in the most
practical manner possible. So as we strive to offer
you the best security, we've started introducing
AI based engines into our threat prevention products
week, already a few years ago, and some of these
technologies exist today, under the hood, which you
may or may not be aware of, and I want to share with
you, some details about three of these engines that might interest you, and the success that
we've seen through them. And here's the first one;
this is an engine that we call Campaign Hunting, and the
purpose of this engine, is to offer predictive
threat intelligence, and what does that mean? If I see an indicator of
compromise, for example, a malicious URL, and I'm a
smart analyst, and I have the skills and the intuition
to go look for additional IOCs, I will very often find
similar IOCs that are part of the same campaign;
those will be URLs that are probably registered by the same person, probably the same time
frame, maybe using a similar lexicographic pattern,
and it's very easy for me, using my intuition to say,
okay, these 20 are identical to this first one that I've
seen in one of the attacks, therefore, I should incriminate these 20, and add them to my threat intelligence. So what we've done with Campaign Hunting, is we've mechanized this
process; we've taken that human intelligence and intuition,
and taught it to a machine that is now capable of digesting
not just a few dozen IOCs per day, but rather thousands
and hundreds of thousands and millions of IOCs, and
look through every single one of them, and deduce whether
we can find similar ones, as well, and the result
is that we now have an additional feed, in
our threat intelligence, that allows us to expose
additional, unknown, malicious domains. We are capable of attributing
an attack to a particular campaign, because we know they
are part of the same family, and we are able to enrich
our threat intelligence with predictive campaign prevention, meaning this is offering
us first time prevention through IOCs that were never
seen as part of an attack before, but we still know
that if we will see them, they should be blocked. And here are some numbers
to associate with that; these are the various
feeds that we use in threat intelligence, and this is
a unique contribution that they offer to our block
rate, and what you can see, is that 10% out of the
attacks that we block, are blocked based on
intelligence that we wouldn't have had without Campaign
Hunting, so it doesn't mean that we catch only 10% with
those IOCs, it means that 10% of the attacks that we
block, are blocked solely based on this engine, and we wouldn't have blocked them, otherwise. So that's the benefit,
and this is one of our top performing feeds, and we're
very proud of this feed, and continue to enhance it
and improve the technology and the AI that's behind
it, in order to give it even better results; here's
another engine, we call this engine Huntress, and Huntress
is designed to uncover malicious executables,
now, determining whether an executable is malicious or
not, is one of the toughest problems in our cyber
security; unlike documents that need to adhere to
a certain set of rules, and are limited by the operating
system and what they are allowed and not allowed to
do, executables are designed to be allowed to do
anything, so deciding if what they're doing is malicious
or not, is not trivial; luckily, for us, we have
the domain expertise, and we understand how hackers operate, and we therefore know that
hackers rarely, if ever, write the entire code from scratch. What they would usually do
is either reuse preexisting pieces of code, or they
will use preexisting logic that drives similar action,
that is part of their malicious attack, and we
use those similarities, in order to identify whether
an executable is malicious or not; how do we do it? We let the executable run in
our dynamic, runtime simulation environment, our sandbox,
while it's running, we collect hundreds of
different runtime parameters, every API call, the sequence,
whatever it's touching on the operating system,
and we feed those hundreds of parameters to an AI based
engine, that is then able to classify this executable,
and say whether it's similar to a malicious executable or not, and the results, on average,
13% of the executables that our system is now capable
of determining as malicious, are determined as such by Huntress. Again, it's not that this
engine only identifies 13% of the malicious executables,
but the unique contribution, the one that we wouldn't
have had without this engine, comes up to roughly 13% on average, and here's the third one;
this one is called Cadet, Cadet stands for Context Aware Detection, and this is an engine we
are particularly proud of, because this is where we are
harnessing the real power, the true power of Check
Point, and as you all know, with our Infinity platform,
Check Point covers the entire IT spectrum, and
gives us access and visibility into every part of your
IT, from your networks, to your data centers, to
your cloud environments, your endpoints, your mobile
devices; we have the ability to see the full picture,
and get the right context. So rather than inspecting
an element on its own, and trying to determine
whether it's malicious or not, we take the element itself,
and the entire context that surrounds it; how did
this element get into my IT? Did it come through an
email attachment, or is it a web download? And if it's a web download,
how did this user get to that link? Was it in an email, a URL
that he received in an email that he clicked on? Maybe it got through an SMS
message with a link in it; all of this context actually
matters and gives us valuable information, that allows us
to make better determination, and what we do, is we now
inspect the full context, and the element itself, we
collect thousands of different parameters from these things,
and together, we feed them into our Cadet AI based
engine, and ask it to reach a verdict; a single, accurate verdict, and this technology is
currently being introduced into our products, so we
only have preliminary results for it, but already, they
are very promising results, and we see that in terms
of our detection rate, there's a twofold increase in
that in our detection rate, and a staggering tenfold
decrease in our false positive rate. So these are very impressive
results, but what's more impressive is to say that
these are not just numbers that I get to put on a slide
and brag about in front of an audience, this is
not a mathematical game; this is all about making
security practical, and the accuracy of an
engine, is the key thing that makes it practical. If an engine is too noisy,
it simply will not be put into production, it
creates too much chaos, it creates too much overhead
for the IT department, so it won't be put into
production, and it certainly will not be put into prevent mode, and the only way to have
security in your organization, is if you make it practical,
so that the IT team is willing and capable
to actually introduce it into their environment, so
when we, at Check Point, look at AI technologies, we
rarely put them on their own; we combine them with a
bunch of expert systems and other engines, that
when combined, will deliver the right metrics that we
think our customers deserve. We only put AI technologies
where we can prove to ourselves that we can actually improve
the metrics that actually matter, the metrics that
actually make our security consumable and practical
for our customers, and this is why intelligent
use of AI technologies is just one more reason why,
when it comes to prevention, Check Point is the vendor to choose; thank you very much. (applause)