Exploring the new era of endpoint security: Dell and Cylance Protect

Catching up with Dell about their Cylance partnership shows that big vendors are fully behind the new era of endpoint security. Are you?

After speaking with Bromium a few weeks ago and writing about their partnership with HP, I wanted to reconnect with Dell on their partnership with Cylance. A few years ago, Dell announced that Cylance would be included in their Endpoint Security Suite Enterprise for physical desktops, and in May of last year they announced that ESSE had been extended to include both traditional and VDI desktops. For the most part, the Dell version of Cylance Protect is the same. The differences reside in management (Dell is on-premises, Cylance is in the cloud) and pricing (Dell is perpetual, Cylance is subscription only). Apart from that, everything is the same.

How it works                 

If you’re not familiar with Cylance Protect, it is among the new breed of endpoint security platforms that use artificial intelligence to detect viruses and malware as opposed to traditional signature-based products. In a recent CUGC event, their name came up alongside Palo Alto Networks’ Traps, and they are often compared to Bromium (though Bromium’s approach is fundamentally different, they all can be grouped together as new approaches to endpoint security).

Cylance uses its artificial intelligence engine to classify executables as potentially dangerous by observing the behavior of the application itself. Depending on whom you ask, this either happens before or during execution––I’ve heard both. What I can tell you is that while some types of malware can likely be detected before they are executed, the behavior analysis that Cylance’s AI does almost certainly leans hard on watching code execute in real time. If it detects unusual behaviors, it will quarantine the malware and prevent it from executing.

The important thing to note here is that this method of prevention doesn’t use traditional antivirus signatures, which basically ensure that you’re behind the times. Cylance observes the code as it executes and decides based on its behavior whether or not it is good or bad rather than looking for known patterns in existing executables. That means that the need for regular updates is reduced from daily (or even hourly) to monthly or quarterly. Ultimately, this means that managing endpoint security is a more hands-off process.

I spoke with a Cylance user (not a Dell ESSE user, but a direct Cylance customer), and they had great results when they put Cylance to the test against other traditional AV/AM products. In the six months prior to deployment, they’d dealt with numerous ransomware attacks, and in the year since the deployment they’ve had none.

An interesting takeaway, though, is that while Cylance doesn’t have traditional signatures, it still requires updates, and the frequency of those updates is increasing. When I first learned about the product, the interval between updates was 120-180 days. Today that’s down to around 60-90 days. The problem is that the virus and malware people (the “bad guys”) have AI, too, so there is an ever-increasing struggle to keep Cylance’s AI more advanced than the bad guys’ AI. In particular, according to Dell, 2016 was remarkably active in terms of ransomware, so their updates came more frequently than in the past. I don’t expect that to settle down in 2017, but 2-3 months between updates is a heck of a lot better than hourly.

Dell admits that their product isn’t completely foolproof. They recommend using something else to detect if anything makes it through, like RSA’s Endpoint Threat Detection & Response, though other products could certainly fill that role.

Why isn’t everyone doing this yet?

I posed this question to both Bromium and Dell, and the response was extremely similar. The primary roadblock to adoption here is business as usual. Ugh. That’s always the case, right? We’ve been doing things one way for 20 years, and even though it’s out of control and a complete mess to manage, we’re set up for it. I hate “business as usual.”

The next reason, and one that holds a bit more water, is regulatory. When endpoint security policies were written, they were based on what was available at the time. That means a policy might be a list of checkboxes that include things like “Daily signature updates” or “Deep scan capabilities.” Of course, these new products don’t do that because they don’t work that way, so bringing them in is a lot harder because to do so would require a new policy to be written.


In 2017, there is a razor-thin margin between a secure endpoint and an insecure one. Unfortunately for many companies, AV/AM is something you have, but it’s off the radar until something happens. At that point it becomes a mad scramble to get everything rectified, and you can only do that so many times before it becomes insufferable.

Anything that we can do to tip the balance back towards our side should be among the top priorities. Using products that basically user-proof our endpoints gives us more security with less interaction from admins and users alike, so we’ll all be better off. Products like Cylance Protect, Dell Endpoint Security Suite Enterprise, Palo Alto Networks Trap, and Bromium should be on everyone’s list of things to evaluate this year.

If you’re not ready yet, that’s fine, but keep an eye on this space. Buy-in from big vendors like Dell, HP, and Microsoft shows that it’s heating up.

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

I'd like to correct you in that Cylance's ML/AI assessments are done PRE-EXECUTION using static code analysis. This is done using a predictive algorithm based on the outcome of training machines on hundreds of millions of good and malicious files so that it can discern good from bad autonomously at the endpoint with NO cloud connection, with a high degree of efficiency, without allowing the file to run and monitor behavior. Allowing code to run is a very risky approach and results in loss of control over the application, and ultimately, the host. Also, updates are done every 30-60 days to the agent that houses the algorithm, not the algorithm itself. These include patches, feature updates, etc. The predictive algorithm is only updated twice a year, and that's to curb something known as "concept drift", or simply put the "model decay over time". Decay is minimal at about 0.5% every six months.