Cyber-security firm Cylance works to read hackers’ minds
Stuart McClure is chief executive of Cylance. The Irvine firm hopes to tap the burgeoning market for cyber security in crucial industries such as energy, communications, finance, healthcare and transportation. (Gary Friedman, Los Angeles Times / July 1, 2013)
Two hackers from Irvine gained access in April to the air conditioning and water systems of a Google Inc. office in Sydney, Australia.
Because Google had failed to install a security patch to a software program that remotely tracks and controls building systems, the hackers could have easily raised the office's temperature to an unbearable level or caused water pipes to burst by increasing pressure.
Luckily for Google, the hackers were working for Cylance Inc., an Irvine company that has been grabbing headlines for uncovering security holes that could allow malicious hackers to do serious damage to crucial infrastructure such as hospitals, oil pipelines and banking systems.
The hacking demonstrations are how the company (pronounced as "silence") showcases its work in developing what it says is the ultimate anti-virus warrior.
"We want to help avoid the cyber-Sept. 11," Chief Executive Stuart McClure said. "We have to silently protect — it's in our name."
The 1-year-old start-up says many facilities now use devices and companion software that are just as vulnerable as those used at several Google locations and in more ordinary local office spaces. In Los Angeles, hotels, USC classrooms and a major movie studio run the same computer program online as Google's Wharf 7 facility in Sydney.
"The software security in the Nintendo Wii or even iTunes far surpasses the security software in these devices," Cylance technical director Billy Rios said.
The company is hoping to tap a burgeoning market. Worldwide spending on cyber security should reach $46 billion this year in crucial industries such as energy, communications, finance, healthcare and transportation, according to an ABI Research report released in June.
In the six months that ended May 31, federal officials noted more than 200 attacks on crucial infrastructure. The previous 12 months saw 198 incidents.
Congress remains divided about whether to make cyber-security standards mandatory for crucial infrastructure operators. Analysts have called for more research, development and regulation — areas in which Cylance wants to lead. The company hopes to turn half of the most-crucial Fortune 1,000 companies into customers by 2015.
The start-up has received at least $15 million in venture capital. And as one of the few cyber-security firms in Southern California, Cylance has an easier time recruiting top talent than Silicon Valley cyber-security start-ups.
The company's main service is helping companies find vulnerabilities and attackers. McClure, who previously worked at popular anti-virus software maker McAfee Inc., said that in two-thirds of cases, a company already has an intruder lurking in its computer network.
"We're looking for flaws through a bad guy's glasses, exposing that dark and visible world, and looking for the bad guys and any other undesirables who might be there," he said.
Dozens of firms offer similar security services, but McClure says his company is focused on creating an artificial intelligence system capable of blocking future threats.
Typically, firewall or anti-virus software can stop only those intruders who have been seen before. Cylance's mission is like creating a vaccine for a virus that doesn't exist yet or using facial recognition to nab a future robber who hasn't even been born.
"We're using artificial intelligence to understand what's good and bad in real time and devising a model to predict what's good and bad in the future," McClure said.
The machine is fed with intelligence gathered by the company's researchers.
In May, Rios and colleague Terry McCorkle publicly revealed the Google incident with permission from the technology giant. Rios, who once worked for Google's security team, says Cylance is finding new problems every week.
Badge readers, security cameras and anything else loosely connected to the Internet can be an entrance for hackers. The systems weren't necessarily designed to be Internet-facing, and they've become a blind spot for organizations. Rios said the best solution is placing the devices within a virtual private network, a slice of the Internet accessible to only credentialed users.
"I don't want to be in a building that doesn't like me," Rios said. "Even a simple thing like turning off the air conditioning could be really disruptive to a business."