Feature Focus: Context Analysis Engine. Powering CylanceOPTICS Dynamic Threat Detection and Automated Response

Similar documents
Fast Incident Investigation and Response with CylanceOPTICS

The Artificial Intelligence Revolution in Cybersecurity

Quick Start Guide. Cylance Smart Antivirus

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

Netwrix Auditor for SQL Server

Symantec Advanced Threat Protection: Endpoint

QUICK START: SYMANTEC ENDPOINT PROTECTION FOR AMAZON EC2

ACTIONABLE SECURITY INTELLIGENCE

SOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM

Symantec Protection Suite Add-On for Hosted Security

USM Anywhere AlienApps Guide

ForeScout Extended Module for Carbon Black

Reducing the Cost of Incident Response

ForeScout Extended Module for Qualys VM

QUICK START: VERITAS STORAGE FOUNDATION BASIC FOR AMAZON EC2

Forescout. eyeextend for Palo Alto Networks Wildfire. Configuration Guide. Version 2.2

WHY SIEMS WITH ADVANCED NETWORK- TRAFFIC ANALYTICS IS A POWERFUL COMBINATION. A Novetta Cyber Analytics Brief

McAfee epolicy Orchestrator

Integrate Trend Micro Control Manager. EventTracker v8.x and above

Enhanced Threat Detection, Investigation, and Response

Global Manufacturer MAUSER Realizes Dream of Interconnected, Adaptive Security a Reality

This Cylance Is Headline This Is. Products and

SOLUTION OVERVIEW. Manage your network security for up to 250 seats from a single cloud-based console

Using Threat Analytics to Protect Privileged Access and Prevent Breaches

Comprehensive Citrix HDX visibility powered by NetScaler Management and Analytics System

Symantec Endpoint Protection

ALERT LOGIC LOG MANAGER & LOG REVIEW

Making Remote Network Visibility Affordable for the Distributed Enterprise


EXPLORING MONITORING AND ANALYTICS VMware Horizon

SIEMLESS THREAT DETECTION FOR AWS

REDUCE TCO AND IMPROVE BUSINESS AND OPERATIONAL EFFICIENCY

ForeScout App for IBM QRadar

GDPR: An Opportunity to Transform Your Security Operations

Get Started with Cisco DNA Center

Forescout. eyeextend for Carbon Black. Configuration Guide. Version 1.1

SOLUTION BRIEF RSA SECURID SUITE ACCELERATE BUSINESS WHILE MANAGING IDENTITY RISK

Windows Intune Trial Guide Getting the most from your Windows Intune trial. Simplify PC management. Amplify productivity.

Novetta Cyber Analytics

OUR SECURITY DELIVERED YOUR WAY

Competitive System Resource Impact Testing. CylancePROTECT Goes Head-to-Head with Signature-Based Antivirus Solutions.

The McAfee MOVE Platform and Virtual Desktop Infrastructure

AppDefense Getting Started. VMware AppDefense

Register for your 30 day FREE TRIAL today.

Forescout. Configuration Guide. Version 3.5

McAfee Complete Endpoint Threat Protection Advanced threat protection for sophisticated attacks

Enterprise Security Solutions by Quick Heal. Seqrite.

Transforming Security from Defense in Depth to Comprehensive Security Assurance

SonicWall Capture Client 1.0. Operations

DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI

2012 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Excel, Lync, Outlook, SharePoint, Silverlight, SQL Server, Windows,

McAfee Skyhigh Security Cloud for Citrix ShareFile

Streaming Prevention in Cb Defense. Stop malware and non-malware attacks that bypass machine-learning AV and traditional AV

Petroleum Refiner Overhauls Security Infrastructure

Netwrix Auditor for Active Directory

SOLUTION OVERVIEW. Enterprise-grade security management solution providing visibility, management and reporting across all OSes.

Math vs. Malware. Is There a Better Way?

AppDefense Cb Defense Configuration Guide. AppDefense Appendix Cb Defense Integration Configuration Guide

Deep Security Integration with Sumo Logic

McAfee MVISION Mobile Microsoft Intune Integration Guide

Integrating Okta and Preempt Detecting and Preventing Threats With Greater Visibility and Proactive Enforcement

SIEM: Five Requirements that Solve the Bigger Business Issues

McAfee MVISION Mobile Microsoft Intune Integration Guide

Advanced Threat Defense Certification Testing Report. Symantec Corporation Symantec Advanced Threat Protection

WHAT S NEW WITH OBSERVEIT: INSIDER THREAT MANAGEMENT VERSION 6.5

Cisco Advanced Malware Protection (AMP) for Endpoints Security Testing

rat Comodo EDR Software Version 1.7 Administrator Guide Guide Version Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013

VMware Identity Manager Administration

Trends and challenges Managing the performance of a large-scale network was challenging enough when the infrastructure was fairly static. Now, with Ci

ForeScout App for Splunk

Quick Heal Mobile Device Management. Available on

McAfee Advanced Threat Defense

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

STAY ONE STEP AHEAD OF THE CRIMINAL MIND. F-Secure Rapid Detection & Response

Imperva Incapsula Website Security

ForeScout Extended Module for Tenable Vulnerability Management

McAfee Skyhigh Security Cloud for Amazon Web Services

McAfee Network Security Platform Administration Course

RSA Advanced Security Operations Richard Nichols, Director EMEA. Copyright 2015 EMC Corporation. All rights reserved. 1

GDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool. Contact. Ashley House, Ashley Road London N17 9LZ

Managed Security Services - Endpoint Managed Security on Cloud

Help Your Security Team Sleep at Night

KASPERSKY FRAUD PREVENTION FOR ENDPOINTS

Agenda. Why we need a new approach to endpoint security. Introducing Sophos Intercept X. Demonstration / Feature Walk Through. Deployment Options

McAfee Cloud Workload Security Product Guide

Forescout. eyeextend for Splunk. Configuration Guide. Version 2.9

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

Seqrite Endpoint Security

THE ACCENTURE CYBER DEFENSE SOLUTION

Securing the World s Largest Airport with Cisco Advanced Malware Protection (AMP)

Cisco Network Assurance Engine with ServiceNow Cisco Network Assurance Engine, the industry s first SDN-ready intent assurance suite, integrates with

Pieter Wigleven Windows Technical Specialist

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

CAS Quick Deployment Guide January 2018

CloudSOC and Security.cloud for Microsoft Office 365

ForeScout Extended Module for Splunk

McAfee Endpoint Threat Defense and Response Family

OSComponentCleanup Add-on for Windows 10 IoT Enterprise Redstone 1

Quick Start Guide for Administrators and Operators Cyber Advanced Warning System

ForeScout Extended Module for ServiceNow

Transcription:

Feature Focus: Context Analysis Engine Powering CylanceOPTICS Dynamic Threat Detection and Automated Response

The ability to quickly detect threats and initiate a response can make the difference between a small compromise and a massive, headline-stealing breach. Unfortunately, many of the security products in the market today that promise speedy threat detection and response are built on an infrastructure that is prone to latency issues, false positives, and limited enterprise-wide visibility. To address these issues, Cylance has developed a new approach to threat detection and response, known as the Context Analysis Engine, that pushes down both the threat detection and response to the endpoint. Now, every endpoint in your organization acts as its own virtual security operations center with the ability to dynamically detect threats and take response actions without human intervention, around the clock. Your security team can now focus on investigating advanced threats, improving your overall security infrastructure, or any other business critical project, with the confidence that the CylanceOPTICS Context Analysis Engine is working to keep the endpoint, and the business, secure. A Closer Look at the Context Analysis Engine The CylanceOPTICS Context Analysis Engine (CAE) is a high-performance analysis and correlation engine that monitors events as they occur on an endpoint in near real time to identify malicious or suspicious activities. With the engine deployed on the endpoint, this 24x7 monitoring occurs with zero reliance on, or need for, a cloud connection. Without requiring an active network connection to make intelligent decisions, the CAE s architecture allows you to monitor multiple suspicious behavior paths continuously without posing potential performance impacts. When the CAE identifies potentially malicious activity, automated response actions against the associated artifacts of interest can begin without any human intervention. These response actions are initiated from the endpoint with no cloud connection required, eliminating the latency that can occur with other products when threat detection and response are initiated from the cloud. The CAE s functionality and configuration can be found in the Detections tab in the Cylance cloud-based management console. The Detections dashboard allows users to quickly understand and view trends of events that are occurring across their environment. From this dashboard, users can investigate and respond to these events in a meaningful manner without needing to leave the management console. The CAE can be easily configured to fit many environments by creating Detection Rule Sets that can be applied to one or more Device Policies. To create a unified experience, the new Detections section of the console was designed with integration into other CylanceOPTICS features in mind. As such, events and artifacts identified by the CAE can be extended upon by creating additional Focus Views, retrieving files of interest with the File Retrieval features, or quarantining an endpoint on the network by issuing a Device Lockdown. Note: The CylanceOPTICS Context Analysis Engine and Response Actions require CylanceOPTICS 2.1.1000 or greater installed. Configuring the Context Analysis Engine By default, the CylanceOPTICS Context Analysis Engine does not have any Rules or Response Actions configured. As such, when a user first navigates to the CylanceOPTICS section of the Cylance Management Console, they will be presented with a Detection Environment onboarding page. Figure 1: CylanceOPTICS Detection Environment Onboarding 2

The onboarding page gives an overview of the currently configured CAE settings, including: The number of devices with CylanceOPTICS version 2.1.1000 or greater installed The number of Detection Rule Sets configured The number of Device Policies with a Detection Rule Set selected Note: After the minimum requirements to enable Detections from the Context Analysis Engine have been met, the onboarding page will not be displayed by default. It can be accessed at any time by clicking the Settings slider and selecting the Detection Environment option. Configuring Detection Rule Sets The center box of the onboarding page displays the number of Detection Rule Sets that exist in the tenant. Detection Rule Sets are the central configuration point for the Context Analysis Engine that determine the Detection Rules, Automated Responses, and Endpoint Notifications that are applied to endpoints. Detection Rule Sets are ultimately applied to endpoints on a Device Policy basis; that is, a user will select a Detection Rule Set to apply to a Device Policy. Endpoints will automatically receive the desired Detection Rule Set when the policy is applied. CylanceOPTICS includes a default Detection Rule Set that has the following attributes: All rules are enabled All automated response actions are disabled All endpoint notifications are disabled This configuration is designed to act as a tuning or monitor-only mode for testing and initial deployment purposes. Users will gain an understanding of areas of their environment that may trigger false positives so that automated response actions can be tuned accordingly. Custom Detection Rule Sets can be created by navigating to the Settings slider and selecting the Detection Rule Sets option. This menu will list all the current Detection Rule Sets as well as provide the option to copy, delete, or edit current Detection Rule Sets; it also contains a link to create a new Detection Rule Set. Figure 2: Detection Rule Set Listing 3

The Create New button displays a configuration wizard where users can select which rules they would like enabled, as well as which automated responses to take on a per-rule basis. The user also must provide a unique Set Name and Description. After completing the wizard, the new Detection Rule Set will be visible in the list where it can be applied to a Device Policy. Figure 3: Create a Detection Rule Set Applying a Detection Rule Set To a Device Policy Once a user has sufficiently configured a Detection Rule Set, they can associate it with a Device Policy to complete the final step needed to receive detection alerts from endpoints with CylanceOPTICS installed. When the Device Policy is saved, it will prompt all endpoints with the policy applied to retrieve the Detection Rule Set, consisting of rule, automated response, and endpoint notification configurations, from Cylance s cloud services. Any devices that are added to the policy will also have these configurations applied upon connection to Cylance s cloud services. Viewing and Interacting with Detection Alerts The default Detections tab in CylanceOPTICS provides users with a clean, yet detailed, view into alerts triggered by endpoints configured with the Context Analysis Engine. From this dashboard, users can see trends in events over varying time frames, the severity of different detections, and a summary view of each of the detections that has occurred. Filtering and sorting features present in the dashboard allows users to further drill into the data presented to further identify trends throughout the environment 4

Figure 4: Detections Dashboard Each detection event contains an entire series of data that can be viewed by clicking the View button in the rightmost column of the dashboard s table. The resulting Detection Details page displays a wealth of information about the detection, including the detection s name, severity, and description, as well as the number of events, artifacts of interest, and automated responses associated with that detection. The Detection Details page also allows for further interaction and investigation by acting as a platform to launch Device Lockdowns, File Retrievals, and Focus Views where applicable. Supporting events and artifacts associated with the detection can be further analyzed to provide users with additional context around why the detection was triggered so that further investigations or responses can be taken if needed. Figure 5: Detection Details +1-844-CYLANCE sales@cylance.com www.cylance.com 18201 Von Karman Avenue, Suite 700, Irvine, CA 92612 2017 Cylance Inc. Cylance and CylancePROTECT and all associated logos and designs are trademarks or registered trademarks of Cylance Inc. All other registered trademarks or trademarks are property of their respective owners. 20170926-1765

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback