Skip to content
InTechnology Podcast

#86 – What That Means with Camille: Threat Detection Technology – Stopping Cyber Risk at the CPU

In this episode of What That Means, Camille discusses Silicon Threat Detection & Intel® Threat Detection Technology with Ram Chary, Senior Director of Engineering, Intel Software & Advanced Technology Group at Intel. The conversation covers:

  • Cyber threat detection at the silicon level.
  • Mitigating risks from malware and ransomware attacks.
  • Applying PMU (Performance Monitoring Unit) to CPU across all Intel architecture.
  • Advantages of using Intel Threat Detection Technology.

And more. Don’t miss it!

The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation.

Here are some key takeaways:

  • Ram Chary and his team at Intel invented threat detection technology.
  • Ransomware used to be on the fringe of security threats, now it touches everyone from small business to enterprises and everything in between – including supply chain.
  • Intel has utilized CPU programming to detect malware and ransomware threats.
  • Machine learning algorithms are also trained to detect false positives.
  • Ransomware most often will lay dormant until it can connect to a backend server somewhere to get encryption keys. Intel Threat Detection is trained to find those dormant programs and attack them before they infect entire enterprise systems.
  • Intel CPUs have a “performance monitoring unit” (PMU), which is on the CPU and it’s tracking micro-architectural details happening in real time.
  • Machine learning models are only as good as the data they are trained on.
  • 2 Major Advantages:
    • Using PMU within the CPU provides the ability to track and detain malware before it encrypts the system, or gets a hold of any information.
    • Working with our partners enables us to update for new threats as they occur.
  • The PMU (Performance Monitoring Unit) is across all Intel CPU’s from PC to server architecture.

Some interesting quotes from today’s episode:

“The whole idea of detection is we can give this immediate notification to our partners to do remediation.” – Ram Chary

“Every day you have to be focused: You have to be deliberate in what you do and use the tools that are available. Use the biometrics; if it’s second factor authentication, use it.” – Ram Chary

Share on social:


variant, partners, detect, ransomware, malware, running, attacks, cpu, system, train, pcs, encryption algorithm, encrypt, camille, security, case, data, important, encryption, machine learning
ANNOUNCER, Camille Morhardt, Ram Chary

Welcome to What that Means with Camille, where we take the confusion out of tech jargon and encourage more meaningful conversation about cybersecurity. Here’s your host, Camille Morhardt.

Camille Morhardt 00:16
Hi, and welcome to this episode of cybersecurity inside what that means threat detection. Today we have with us Ram Chary. He is Senior Director of Engineering in the Product Assurance and Security Group at Intel, which is part of the security center of excellence. Now, Ram has a background in computer science and also physics. And he’s kind of done a whole bunch over his career in engineering. But what might be interesting or particularly interesting to people now is he and his team actually invented threat detection technology. Now, we typically don’t talk about product and this what that means podcast and true to form, we’re going to open with really Ram’s definition of threat detection. We’ll also talk a little bit about platform security and authentication, which he also works on, we really want to talk about it and kind of understand the broader scope. Welcome to the show.

Ram Chary 01:12
Thank you Camille, good to be here to talk about the technology.

Camille Morhardt 01:15
Could you first just help everybody out by level setting on threat detection, that’s a pretty broad phrase.

Ram Chary 01:22
Used to be the fringe a few years ago, but off late, it’s been hitting, you know, the Colonial Pipeline was one of the big ones that was in the news few months ago. So it’s hitting large companies, it’s hitting infrastructure. It’s hitting small, medium, businesses, school districts, you know, everybody’s getting hit. And we worked very closely with our partners, the antivirus developers, as well as what they call EDRs, which is endpoint detection and response companies, they have been doing a great job trying to detect these attacks. But oftentimes, as you’ve noticed, there are new variants coming out on a daily basis. And these variants sometimes get around the protections that our software vendors built around it. So then we have been talking to the to our partners for over three years. And one of the questions or one of the requests we’ve had from them, as you know, is there something that we can do from a hardware perspective that will give some kind of a real time proactive signal that can feed into their algorithms so that they can very quickly respond to new attacks that they’ve never seen before. So that was a problem that we started addressing. And over the last two or three years, we started one of the smaller attacks called a crypto mining detector, and off lately been, which has been deployed by multiple of our partners. And offline we’ve been working on on ransomware detection, you know, the high level, what we’re doing is we are using certain features in the CPU, which actually is designed for some other purpose for actually seeing very spending time in your code, right, it was meant for performance optimization, but we’ve kind of repurposed that to detect any kinds of malware attacks and particular ransomware attacks. Ultimately, Ransom that is software to it runs on the CPU, and it leaves a fingerprint, what we’ve been using is to be able to use some of those events or capabilities in the CPU. And we then apply machine learning algorithms on top of it to kind of eliminate false positives. And the minute we get the signal, and we can do that within seconds of an attack that you’ve never seen before, and you give that notification to our partners, and they can then do the remediation. And our solution is rolled out as part of our partner solutions.

Camille Morhardt 03:28
Ransomware is generally this notion of you get some kind of a cyber attack that basically locks up your system or makes it inaccessible or your data inaccessible. And then you have to pay usually in a cryptocurrency but it wouldn’t have to be you have to pay somebody to re access it. So how actually does it work technically, like what’s happening? And how does it get onto the system in the first place or into the network.

Ram Chary 03:55
One of the things that happens quite often is you may get a an email from it looks very legitimate, that’s maybe coming from your bank or ecommerce vendor, and you click on it, that’s, that’s what we call the phishing emails. And you click on it, and you click on the link and unbeknownst to the end user, there is this malware that actually gets loaded onto their system. And then oftentimes that malware is dormant. And its main goal, of course, is particularly in an organization, large company, you know, its goal is to spread to as many of the systems that’s as possible so it gets onto email and other mechanisms to spread around. And, and to reward to kind of evade the detection barriers that are put in many of them will, they’ll stay dormant for a while, and then they activate themselves. And as you noted, one of the things they do is go around and encrypt the whole driver, you know, partially encrypt, encrypt files, and some of them even exfiltrate the data you know, they move the data to the cloud. So that end of the day it’s it’s primarily to get a ransom but but things as you have known recently have gotten Beyond that, as we get to just those in it for the few Bitcoins, it can be a state sponsored attack, in which case, the goal is to bring down and more than it’s not just money at that point, it’s there are other agendas. But the entry point is always, as I said, it’s something innocuous that comes into your system that just launches it. Unbeknownst to the user.

Camille Morhardt 05:21
The malware is a piece of software. Correct. So how does a piece of software or an application find its way into the hardware to encrypt something.

Ram Chary 05:31
The first thing that they do is they will usually connect to a back end server somewhere, you know, which is to get those encryption keys. And one thing they may do is sometimes they may copy files over but oftentimes they’ll start the encryption process, it just runs like any other program, any legitimate program that will be going around, let’s say you’re using a program, encrypt some file, or to compress some files to send them over as part of an attachment. So it just goes through the process and starts running. And it starts from directory a and kind of chunks its way through the entire entire system. And it can happen quite quickly, in a few minutes, that entire system may be corrupted. And the problem there is if you can detect it right away. Imagine a company like ours where you know, you may have 100,000 employees, and let’s say what would be great if ransomware, you know, somebody had I accidentally clicked on one of these emails and something is launching on my machine, it’ll be would it be nice if within a few seconds, the AV on that machine that’s running one of our partner solutions can detect that attack right away. And not just remediate my machine, but can help protect the 100,000 other machines in the enterprise. That’s what we are trying to achieve is to catch it right. As soon as as that problem occurs.

Camille Morhardt 06:43
How does it catch it?

Ram Chary 06:45
In our CPUs, in our case, Intel CPUs, there’s something called a performance monitoring unit, which is very down on the CPU. And it’s tracking exactly, you know, micro architectural details of what is actually happening, for instance, you know, example would be had a level three cache miss, or something like that, right, which for most people, it doesn’t matter, that it actually helps us. Let’s say I’m a developer, and I’m actually writing my program. And I want to see, what is it doing in order for me to optimize it. In those cases, I can use a tool like VTOL is one of Intel’s own tools. And it’s in fact, using under the hood, it’s using this PMU to get the data so that I can see, okay, this is what my program is doing. And I’m going to optimize it, you’re kind of flipping this on its head. As I said earlier, you know that that is the end of the day software, it’s going to, you know what it’s doing, when it’s encrypting files, it has to run on the CPU. And it’s doing some strange behavior, right, unlike most regular programs, it’s going through entire directories. And it’s chugging through. And it’s actually compressing or encrypting a lot of these files. And we use that capability in the PMU. To now look for that pattern that encryption is going through. And you can program that and as I said, there is a machine learning models that we build based on that, we can then detect anytime in the future, there is a variant that’s something like that, right. And we can this is this machine learning is no different than you’re teaching it to recognize a dog by showing you pictures of 50 dogs, and it’s going to detect another 50 dogs without you telling and that’s exactly what we’re doing, setting the training into the various types of attacks we know of and then eventually detect any new variant that might come in. And the crux of your question to me is, the reason we are able to do that is the end of the day, those encryption algorithm, they don’t change all that much, right? They use a yes or no salsa 20. I mean, there are these few types of encryption algorithms that they use. But those malware just reuse the same thing over and over. Right? They look different. But ultimately, when they start executing, they have this commonality and that’s what we’re trying to catch.

Camille Morhardt 08:55
So how do you know that it’s not encryption that you’re doing on purpose on your own system? One of

Ram Chary 09:00
One ofthe things when we talk to partners, you know, they’re kind of three requirements, you know, one is it has to be proactive, it has to get something as quickly as possible. The second important thing is it has to have low false positives, because if it’s crying wolf all the time, it’s it’s actually sometimes worse than not liking anything. And what you’re asking is the crux of salt solution is any machine learning model is only as good as the data that you train it on. Right? At least initially. That’s what we’re trying to train before we let it loose in the world. And this is why working with our partners has been critical. Right? The first set of data that we have to train on is the malware itself. Kimmy there are publicly available databases of fake ransomware. There are so many variants of it, we take all of them, we are subscribing to it, as a lot of other AV companies are and we train the models with it, right. The second thing we have to do, which is that is just to catch any new variants, but the more important point as you brought up is, how do we train for all the make sure it discards a good application? So we actually do a lot of that in house, you know, we run it, for instance, in our case, it’s very close to tie to our commercial platforms, right to the platforms in particular. So So we train it on a whole ton of commercial applications that are out there that you and I would be using or other companies in general use, so that it knows how to differentiate between the good apps and the malware. And the other important part. And this is why a partnership with our key AV vendors and EDR vendors is critical, is because they then deploy it on hundreds of millions of systems out there, and different geography running on a small company setup running an app that we would never see in our labs. But we get that data, right, we get the data working with our partners, and we can we can then train our models to say, you know, ignore these types of new types of attacks. So it’s kind of a, you know, it’s a, it’s something that we work together with our partners so that it very quickly gets to the point where it’s able to tell the good apps from from the bad ones and be trained it so that when we detect that tab, and it’s fairly certain, you know, knows which process actually running it, and it gives that handle to our partners so they can review.

Camille Morhardt 11:09
So as fast as you’re kind of training and designing training, I assume that there’s bad actors out there, adjusting the ransomware so that you think it’s good versus bad. So how do you kind of keep track of that or keep up with it or keep ahead of it?

Ram Chary 11:24
Good point, that’s one of the two aspects to it. Right. The first part is, that’s why machine learning is critical, right? We cannot be programming this, you know, as as opposed to the standard case, you’re telling it to look for a particular pattern. Here, we wanted to go beyond that, you’re going to train it on all the samples that we know, that’s why machine learning is critical, because we are now telling it, look for other things you haven’t seen yet. And overtime, it kind of learns it, it kind of detects these new samples. And every once in a while, we have to go and retrain it because there may be a new variant but But oftentimes, we find that there may be a new variant that uses the same encryption algorithm that we’ve already trained it on. Ultimately, when the encryption algorithm gets triggered, we are able to detect it and we can flag it. And the factors are doing it the CPU is, you know, the typical bypass mechanism that many malware could have is it can back off. So rather than running continuously, it can run and then stop and run, the granularity of the CPU at which we are monitoring is so fine that it doesn’t matter. I mean, we can detect them. Even if they do that. Of course, if they do at the point where they are not encrypting at all for a long time, we have succeeded, because that’s the whole goal of the malware is to enter the system. So we can stop it that it’s that’s one thing. The second part, as I said, is we do work with our partners so that when they have new variants on V V, kind of monitor them too. But we work very closely with our partners so that when there’s a new variant, we can very quickly train it in case it’s something that’s it’s it’s in using a new encryption algorithm, we can update our models, and we share it to the partners, and it’s an over the air update. So they can update it in minutes. They just …

Camille Morhardt 13:01
Is this technology that goes across computers and servers?

Ram Chary 13:05
Our the performance monitoring unit that I was referring to? That’s cross Intel, the same thing is true on our endpoint or PCs. It’s also you know, a lot of our PC chips are also used by our edge products, like our Internet of Things groups, and it’s applicable there. It’s also applicable to the servers. Absolutely.

Camille Morhardt 13:25
I know, you probably can’t get into the architecture of it, specifically, but is it different? Is each architecture sort of unique across each one of the with the same kind of end benefit? Or is it actually the same architecture, regardless of the endpoint?

Ram Chary 13:40
There are commonalities. For instance, the fact that there is a performance monitoring unit across all our systems is definitely a commonality. But there are differences too, because the performance that we have to train, as your earlier question was alluding to is, we have to train it for the bad actors. But we also have to train it for the good applications. And that means it’s a combination of the applications and the operating system that is actually running underneath. So a lot of what I talked about, for instance, the deploy components have been very much focused on our PC side of the fence. So these are running either Windows 10, or 11. And they’re primarily our core PCs. As we go to say servers and servers, even though the Xeon PCs have the same underlying capabilities. You have a very different model. You have phenomenally high levels of cash. There are a lot of a lot of threading that is happening those environments and it’s usually running Linux in many cases. And it’s running, you know, virtualized containers on top of that. So the payloads are very different. Some of the events that we are monitoring the PMU sometimes they are the same across clients and servers, but usually we have to fine tune it to make sure for that particular environment, say servers in a CSP environment. It’s optimized for the kind of operating system environment and the world clothes that are out there.

Camille Morhardt 15:01
So it can end up being pretty custom depending on like the industry or the use case. That’s correct. Yeah. Okay. That’s very interesting. Why, I guess let me just ask you kind of a high level question. I actually just recently read the World Economic Forum cybersecurity report, published in January 2022. And they mentioned that ransomware is kind of still on the rise. I remember last year kind of looking at trends and seeing that ransomware was sort of all over all the security conferences. Why is it suddenly such a big deal and continuing to trend up.

Ram Chary 15:37
It’s an easy way, for those who are interested in making money, it’s a very easy way to do that, because it’s one of those things where these days ransomware is almost as a service as saying there is another underlying architecture, which may be using the same encryption algorithms, a lot of commonality, somebody can very quickly put a wrapper on it and come up with a different variant very quickly, they can deploy it. And, you know, until this technology, like ours gets very broadly deployed, they can work around just enough of the systems out there, maybe those systems don’t have the latest software, that always gaps in those systems out there. And they’re able to hold it for ransom. Because one thing that all of us need, especially in a corporate environments true for us outside of work to is, in our data that we have, is the most precious thing we can have, right? It could be our photographs or emails in our home environment or at work, it could be business data, its software, it’s an area where they can attack and they know that they will, you know, no company wants to be held ransom. But at the same time, the business is at stake. So they are very aggressively targeting it. But as we have seen it sometimes it goes beyond just a corporate environment, there are attacks that are going after national infrastructure. So their motivations, there are different. And they will probably continue. So that that’s the case,

Camille Morhardt 17:01
I guess, what do you think the future of ransomware is going to be? Is it going to be the same kind of thing? Is it going to expand to heavens? You mentioned personal photos, like I never really thought about the fact that somebody might lock up my photos and say, Hey, five bucks, you can have your photos back? It’s like, well, that’s a pretty mass scale. I mean, where are you seeing it head?

Ram Chary 17:22
I think all of those places, because of the fact that they can very easily spin up new variants, and there isn’t yet definitely a way to stop all of them. I mean, our partners are doing a heroic job in catching most of these attacks. But they just have to get through a sometimes and just for for enough time to be able to catch some of those, those corporations that are some, you know, best known methods or techniques that people can use. But, you know, everybody knows, you know, this often has to be always updated, but doesn’t always happen that way. I think given the the ease with which, you know, you can just make a claim for a Bitcoin payment, it can be done. So that’s, that’s what when we talk to our partners, we’re in the frontlines of this. That’s what they’re telling us that they don’t see this abating in the near future.

Camille Morhardt 18:08
Is anybody arguing over? Like how best to detect threats? Are there other approaches in industry, I mean, is looking for encryption, kind of the Holy Grail. And the only way it’s done, are there other methods?

Ram Chary 18:23
There are quite a, quite a variation of these partners, they’re all trying their best to detect these attacks using all kinds of techniques. I mean, they’re using behavior analysis, just based on software techniques today, and that’s why they have been successful at detecting many of these attacks. The challenge in that approach is sometimes it ends up being reactive, you know, you may have a scenario where, you know, that particular day when that attack happens, you know, it particularly we may not have necessarily have got it here having techniques to detected what we’re adding to the mixes. Because the hardware we believe has because from an execution perspective, we have some great signals that we can give them. So our goal is to augment the great work, our partners are already doing it so that we can make ours a little bit more proactive. It’s always about that age.

Camille Morhardt 19:13
That’s pretty cool. Like if you’re you start to go, okay, something starting to encrypt. Yes. Like you’re looking at that down at the processor level. That’s pretty interesting.

Ram Chary 19:22
And the fact that you can eliminate the fact it’s not a good application that’s actually doing it, it’s based on the machine learning models, we can tell. It’s the bad guy. That’s the information you get to them. And there are other aspects to you know, the technology itself, which I can mention, right, which is the one question we may get from our audiences. Machine learning sometimes is CPU intensive, right? That’s, that’s one of the reasons people people don’t like to run it all the time. But the great thing, for instance, in our endpoints and the CPUs on our PCs, which is that technology is currently deploying on on ransomed and so on, he says it’s fantastic and integrated graphics that, for instance, Intel has, you know, what we find is a lot of these machine learning algorithms that you’re developing, you can run it on the CPU, and it can take 567 percent of your CPU, but you can offload it to this integrated graphics such as there, and you can drop the CPU consumption to almost, you know, less than 1%. So it’s it’s not perceptible. And that’s another whether that’s a that’s another important requirement for our, from our partners is how do I leave this running all the time without necessarily being a CPU hog, right, so it’s that third leg of that solution, which is, which is also important. But the primary goal at the end of the day is to make sure we are being proactive, that we eliminate the false positives using machine learning. And the third part is do that in a performant. way. So that’s kind of the the aspects of detection.

Camille Morhardt 20:49
So one other final question for you is another thing, since I just read this World Economic Forum report, it’s kind of top of mind for me. The other thing that they brought up is this kind of shift from just talking about cybersecurity, to talking about cyber resilience. The first thing that I kind of note with that is okay, now we’re saying it’s inevitable to some degree, no matter what you do, you will not be able to protect 100% 100% of the time. So you have to have a way to mitigate, you have to have a way to triage you have to have a way to bounce back or, you know, have a fail safe alternative plan, whatever it is, I want to kind of get your opinion of what is really important in that resilience space. I mean, you’re working on detecting threats. So from your perspective, what is really the key thing people should be looking at from, I guess maybe it’s the other side, the resilient side.

Ram Chary 21:40
The whole idea of detection is we can give this immediate notification to our partners to do remediation, right. So the first thing to do is to make sure that your software is up to date, and you have an oftentimes, when you work with these partners, particularly like at home, for instance, you know, our AV is probably getting pushed and updated by default. But it’s always good to verify that it is. The second thing, of course, to always there needs to be a plan B for these cases, which I think people do very well in a commercial environment, but not as much sometimes at home, backup all your data, this is what I tell anybody I know, is make sure you’re backing it up, and you’re not having that connected to your PC. Because you know, it shouldn’t be an extensible system. And that at least takes care of the the fact that you’re the recovery part of it. Right. And and the the first part, of course, of course, they make these attacks. So innocuous and enticing. It’s very nobody knowingly will click on that email. But you know, use as much as possible, as you touched on earlier, you know, use biometrics in your platform, if it’s available, the authentication becomes more reliable, you can authenticate it to you, then you log into could be any website or work outside. And likewise, the website can actually trust you. So I think there are other attributes to this, this whole thing. And by the way, our the larger security ecosystem is working diligently on that those are other aspects and that adults need to pursue.

Camille Morhardt 23:07
So let me ask you a personal question, because you’re such a techie. What do you do in computing that? You know, you shouldn’t? Or what do you not do? That? You know, you should?

Ram Chary 23:20
I’ve been in the security space for some years. So I should know this. But out of the blue sometime, maybe three years ago, I got a call from someone saying, Okay, I’m calling you from from this bank, which is a legitimate bank that have an accountant. And they said, we have a compromise, you know, if you need to know your account number, right. And I was running from one building to another from a meeting to meeting, I didn’t think about it, and I just gave the account number. And then they started saying social security number. And I’ve been in this space enough to say, wait a minute, this doesn’t make sense. I was just not in the moment when I was doing that. So I tell you know, everybody I know just you know better. Just don’t give away your personal information, because that’s the easiest way to to compromise your system. But that’s something we have to be it’s like driving, you know, you can you know, everyday you have to be focused. And likewise, I think that security, we have to be deliberate in what we do. And use the tools that are available to us the biometrics if it’s second factor authentication, use it. That’s what I tried to do. I try to do those as much as I can.

Camille Morhardt 24:25
Thank you very much. Ron Chari joining us from Intel, where he and his team invented threat detection technology. And he’s Senior Director of Engineering and the product assurance and security group within the security center of excellence. Thanks so much for your time today.

Ram Chary 24:41
Great. Thank you Camille, it was a great pleasure talking to you.

never miss an episode of what that means with Camille by following us here on YouTube. You can also find episodes wherever you get your podcasts. The views and opinions expressed are those of the guests and author and do not necessarily reflect the views policy or position of Intel Corporation.

More From