THE ROLE OF AI IN INCIDENT RESPONSE - blackberry.com

Post on 19-Aug-2020

TRANSCRIPT

Page 1: THE ROLE OF AI IN INCIDENT RESPONSE - blackberry.com … · SAFE HARBOR The information in this presentation is confidential and proprietary to BlackBerry® Cylance and may not be

TOM PACE

VP, GLOBAL ENTERPRISE SOLUTIONS

THE ROLE OF AI IN INCIDENT RESPONSE

The webinar will start momentarily. Please stand by.

Page 2

SAFE HARBOR

The information in this presentation is confidential and proprietary to BlackBerry® Cylance® and may not be disclosed without the permission of BlackBerry Cylance. This presentation is not subject to your license agreement or any other service or subscription agreement with BlackBerry Cylance. BlackBerry Cylance has no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and BlackBerry Cylance's strategy and possible future development, product, and/or platform direction and functionality are all subject to change and may be changed by BlackBerry Cylance at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. This document is for informational purposes and may not be incorporated into a contract. BlackBerry Cylance assumes no responsibility for errors or omissions in this document.

Page 3

AGENDA

Current State of Incident Response (IR) Services

Impacts of AI in the BlackBerry Cylance IR Methodology

Forrester Wave Report Analysis of BlackBerry Cylance IR Services

Q&A

Page 4

WHO IS TOM?

▪ 14 Years of Security Experience
▪ Multiple Verticals (Government, Law Enforcement, Financial)
▪ 4 Years in the Marine Corps
  ▪ Infantry / Intelligence Work
  ▪ Afghanistan ’06 / Iraq ’07
▪ Education:
  ▪ MS, University of Pittsburgh
▪ Certifications:
  ▪ SANS: GCFA, GCIH, GCIA, GCWN, GCISP
  ▪ CISSP, SFCP
▪ Adjunct Professor at Tulane University
▪ RSA & Black Hat Speaker/Trainer

Page 5

CURRENT STATE OF IR SERVICES

Page 6

CURRENT STATE OF INCIDENT RESPONSE SERVICES

▪ How many repeated ransomware incidents have you had?
▪ How many variants of the same malware have you had to deal with over the years?
▪ How many incidents have you done forensics on and found out data was exfiltrated months before you detected it?

THE AVERAGE HACK TAKES 197 DAYS TO BE DETECTED [1]

[1] Source: Ponemon Institute | 2018 Cost of a Data Breach Study

Page 7

CYLANCE: STRONG PERFORMER IN IR

Page 8

THE FORRESTER WAVE: CYBERSECURITY INCIDENT RESPONSE SERVICES, Q1 2019

▪ Cylance has well-defined processes and tooling to ensure effective incident response. Cylance is a global company that will only have greater reach with its recent acquisition by BlackBerry.
▪ They have a wide range of products and services, and established partnerships with law firms as well as insurance brokers and carriers.
▪ Cylance has demonstrated incident response expertise including investigating industrial control system (ICS) environments.

The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave are trademarks of Forrester Research, Inc. The Forrester Wave is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

Page 9

BLACKBERRY CYLANCE DIFFERENTIATORS

ICS Expertise. Some of the leaders are outsourcing this capability to other vendors like Dragos. We have our own internal ICS team, which allows us to provide a much more streamlined approach.

Containment, Remediation and Prevention based approach. Almost all of the vendors in this Wave have inferior containment technology; our ability to rapidly quarantine known and unknown malware, as well as leverage detection rules and REFRACT packages and playbooks, provides a massive differentiator.

Product expertise. Being intimately familiar with the tools you are using from an IR perspective is critical, and thus a differentiator.

Page 10

ICS EXPERTISE

Page 11

EMPLOYEE EXPERTISE: INDUSTRIAL CONTROL SYSTEMS

Artificial intelligence/machine learning approach – revolutionary for this industry

Three-pronged approach:
▪ Discover the business impact of a cyber threat on the ICS
▪ Identify vulnerabilities and indicators of compromise within the control system environment
▪ Identify and prioritize mitigation strategies

Page 12

ICS SERVICES

ICS Security Fundamentals
ICS Red Team Services
ICS Compromise Assessment
ICS Incident Containment (Response)
ICS Component Testing & Analysis
ICS Security Assessment
Building Automation Assessment
ICS Policy Gap Analysis
ICS Security Monitoring
ICS Backup and Recovery
ICS Incident Response Program Review

Page 13

EMPLOYEE EXPERTISE: INDUSTRIAL CONTROL SYSTEMS

▪ Keynote speaker at SANS Oil and Gas Summit
▪ ICS Security Program and Standards (including NIST CSF, C2M2, IEC 62443, etc.)
▪ ICS Network and Security Architecture Design and Implementation
▪ ICS Standards Development and Deployment
▪ Process Development and Integration
▪ Designing and Implementing IT and Security Technology into ICS
▪ Multiple ICS Vendor Technologies and Platforms (Embedded Hardware and Application Software)
▪ Multiple ICS Specific Protocols
▪ Operations experience across many ICS industries
▪ Primary course creator for SANS 515 Incident Response in ICS environments

Page 14

EMPLOYEE EXPERTISE: INDUSTRIAL CONTROL SYSTEMS

What specific tooling is required to operate in an ICS environment?

▪ All the benefits of the Compromise Assessment (CA) process and Phase 1 (P1) scripts
▪ Lightweight agent (CylancePROTECT®)
▪ We analyze network traffic (IT and ICS protocols) using commercial, open source and custom tools
▪ Specific hardware around specific PLC devices, and other ICS hardware
▪ Leverage client or vendor supplied tools as appropriate

Page 15

INCIDENT RESPONSE METHODOLOGY

Page 16

INCIDENT RESPONSE PATHWAY TO PREVENTION

The solution to solving an organization’s security problem includes…

MONITOR: Proactive services to identify potential infection vectors; alerts on new vulnerabilities
IDENTIFY: Compromise Assessment; assess compromise activity
PREVENT: Containment and Remediation; predict and prevent future attacks
REMEDIATE: Incident Containment; remediate compromises

Page 17

INCIDENT CONTAINMENT PROCESS

Deploy Tools → Collect Data → Analyze Data → Report

Deploy Tools: CylancePROTECT, Collection Scripts, CylanceOPTICS™
Collect and Analyze Data: Known IOC, AI/ML, File Metadata
Report: Findings, Recommendation

Page 18

AI & THE EVOLUTION TO PREVENTION

LEGACY
▪ One of the tools detects “something”
▪ Reactive
▪ Image the entire disk and/or memory
▪ Time consuming
▪ Large amount of data
▪ Requires hardware/appliances in environment for additional visibility
▪ Increase in capital costs
▪ “Seize all, find all”

PREVENTION-BASED INCIDENT CONTAINMENT
Oxymoron?

Page 19

AI & THE EVOLUTION TO PREVENTION

LEGACY (same list as page 18)

PREVENTION-BASED INCIDENT CONTAINMENT
▪ No network taps or monitoring of egress points
▪ Assesses every endpoint
▪ Leverage your software deployment to push out dissolvable scripts and/or through the agent
▪ Principle of least data
▪ Speed in analysis – we’re TWICE as fast!
▪ Use AI for detection of malware, PUPs and compromised credentials
▪ Containment with a single mouse click

Page 20

IR PROCESS / FLOW

1. Hunt: Determine the Scope of the Incident with Confidence (P1)
   ▪ Cylance Compromise Assessment
   ▪ Acquire critical artifacts
   ▪ Leverage AI to find compromise(s)

2. Investigate the Trail: INSPECT (P2)
   ▪ Further utilize AI to work smarter
   ▪ Collect additional artifacts
   ▪ Enrich the data
   ▪ Pivot across all data points

[Flow diagram labels: Compromise Assessment; Scope Identified; Suspect Systems; CylanceINSPECT; CylanceV; CylanceINVESTIGATE; Manual Analysis; Actionable Results; Remediation/Prevention]

Page 21

AREAS OF ANALYSIS

• Has data been stolen or destroyed?
• Were systems, services, or applications sabotaged?
• Were administrative or security controls subverted?
• How are threat actors exerting external command of the environment?
• Did adversarial lateral movement between systems or networks occur?
• How prevalent are user accounts throughout the environment?
• Were any users’ accounts compromised?
• Were user accounts leveraged in lateral movement?
• What indicators of compromise or persistence are present within the environment? How were they delivered?
• Are there occurrences of known indicators of compromise?
• What was the intended usage of malware and persistence mechanisms?
• What applications, configurations, or operating systems contain potential security risks?

Page 22

CYTRIAGE – PHASE 1 HUNTING SCRIPTS

LEVERAGED IN IR AND CA ENGAGEMENTS

▪ Leverages artificial intelligence
▪ Determines anomalies, correlations and root causes
▪ Provides the fastest results in the industry
▪ Lightweight, quiet scripts that do not tip off the attacker
▪ Once the environment is remediated, we’ll move it to a state of PREVENTION
▪ Assists in determining depth and breadth of the incident

Page 23

CYTRIAGE – PHASE 1 HUNTING SCRIPTS

We can assess every endpoint
▪ Servers
▪ Workstations

Page 24

CYTRIAGE – PHASE 1 HUNTING SCRIPTS

Use system commands to gather data (2–5 minutes):

whoami
date /T
dir /R /a /s /tc
ipconfig /displaydns
netstat /ano
tasklist
tlist
schtasks /query /v /fo csv
route print
nltest
reg
xcopy

Metadata is sent to Cylance for Compromise AI Analysis
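The Phase 1 scripts only collect raw command output; the correlation happens in the analysis step. The following is an added example, not CyTriage or any Cylance code, showing the most basic correlation a responder would run over two of the outputs listed above: it joins `netstat /ano` rows with `tasklist /fo csv` rows by PID, lists established connections to non-internal hosts with the owning image, and reports PIDs that own sockets but have no process entry. Both command outputs are constructed samples, and the internal address ranges are an assumption of the example.

```python
"""Correlate two Phase 1 triage outputs: `netstat /ano` and `tasklist /fo csv`.

Added example (not CyTriage or Cylance code). Joining the two by PID answers
"which image owns this connection?", which neither command answers alone.
"""
import csv
import io
import ipaddress

# Constructed sample of `netstat /ano` output; not captured from a real host.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:8443           0.0.0.0:0              LISTENING       7777
  TCP    10.0.0.5:49712         10.0.0.9:445           ESTABLISHED     4
  TCP    10.0.0.5:49801         203.0.113.7:443        ESTABLISHED     5120
  TCP    10.0.0.5:49833         198.51.100.21:8080     ESTABLISHED     6004
  TCP    [::1]:49700            [::1]:49701            ESTABLISHED     912
  UDP    0.0.0.0:5355           *:*                                    1320
"""

# Constructed sample of `tasklist /fo csv` output (PID 7777 deliberately absent).
TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","148 K"
"svchost.exe","912","Services","0","9,876 K"
"svchost.exe","1320","Services","0","7,100 K"
"chrome.exe","5120","Console","1","210,432 K"
"updater.exe","6004","Console","1","3,210 K"
'''

# Ranges treated as internal for triage (assumption of this example): RFC 1918,
# loopback, link-local, unspecified and IPv6 ULA. Python's is_private is avoided
# because it also classifies the documentation ranges used in the sample as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "::/128", "fe80::/10", "fc00::/7")]


def parse_netstat(text):
    """One dict per socket row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if len(parts) == 5 else ""  # UDP rows carry no state column
        rows.append({"proto": parts[0], "local": parts[1], "remote": parts[2],
                     "state": state, "pid": int(parts[-1])})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from the CSV form of tasklist."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}


def split_host_port(addr):
    """'203.0.113.7:443' -> ('203.0.113.7', '443'); '[::1]:49701' -> ('::1', '49701')."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port


def is_external(host):
    """True for a literal IP outside INTERNAL_NETS; '*' and names are not classified."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def external_connections(netstat_text, tasklist_text):
    """(image, pid, host, port) for ESTABLISHED connections to non-internal hosts."""
    procs = parse_tasklist(tasklist_text)
    hits = []
    for row in parse_netstat(netstat_text):
        host, port = split_host_port(row["remote"])
        if row["state"] == "ESTABLISHED" and is_external(host):
            hits.append((procs.get(row["pid"], "<no process>"), row["pid"], host, int(port)))
    return hits


def orphan_pids(netstat_text, tasklist_text):
    """PIDs owning sockets but absent from tasklist: a process that exited between the
    two commands, or a discrepancy worth a Phase 2 look at that system."""
    procs = parse_tasklist(tasklist_text)
    return sorted({row["pid"] for row in parse_netstat(netstat_text)} - set(procs))


if __name__ == "__main__":
    for image, pid, host, port in external_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{image:<14} pid={pid:<6} -> {host}:{port}")
    print("socket owners missing from tasklist:", orphan_pids(NETSTAT_SAMPLE, TASKLIST_SAMPLE))
```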

Page 25

INSPECT – PHASE 2 EXECUTABLE

Deep dive into suspect systems (~30 minutes)

$MFT
Evtx
Memory
Prefetch
Processes
CylanceV
Network
Schtasks and Job files
Internet History
$LogFile
Hashes
Registry

Physical artifacts for additional analysis

Page 26

IR PROCESS / FLOW (same slide as page 20)

Page 27

IR PROCESS / FLOW

▪ The Remediation/Prevention Phase is solved by CylancePROTECT
▪ CONTAINMENT of the threats
▪ Detection and response
▪ Identification of malicious/anomalous behavior
▪ Automated playbook and response capabilities

Page 28

INCIDENT CONTAINMENT OF UNKNOWN THREATS

[Bar chart, axis 0–25, one bar each for Goldeneye, Sauron/Strider/Remsec, Zcryptor, GlassRat, Shamoon 2, WannaCry, QakBot and Petya / NotPetya; bar values as extracted: 14, 18, 6, 18, 17, 20, 18, 21]

CylancePROTECT has been able to detect and block new threats before they were first seen “in the wild” – without any updates or special configuration.

Page 29

INCIDENT RESPONSE DEPLOYMENT OPTIONS

Environment, incident type, severity and time dictate which use case should be applied to each particular situation.

Options (subset):
▪ Scripts
▪ Scripts + CylancePROTECT
▪ Scripts + CylancePROTECT + CylanceOPTICS

Use cases:
▪ Malware containment
▪ Root cause analysis
▪ Patient 0 identification

Page 30

POST INCIDENT REPORTING AND SUPPORT

Using BlackBerry Cylance products, which occurs in almost all IR engagements, provides these incredibly fast MTTD, MTTR and MTTC (mean time to detect, respond and contain).

The combined approach that BlackBerry Cylance takes is also a differentiator. BlackBerry Cylance employs teams of ICS consultants, pentesters and IoT/Embedded experts – all of whose expertise is brought to bear as needed during an IR engagement.

Page 31

POST INCIDENT REPORTING AND SUPPORT

▪ Integrated Practice Areas
▪ Dedicated Engagement Manager
▪ Holistic Approach
▪ Customized Solutions
▪ World-Renowned Security Authorities
▪ Global Coverage with Local Attention

Practice areas: ThreatZERO™, ICS, EDUCATION, IoT / EMBEDDED, RED TEAM SERVICES, INCIDENT CONTAINMENT & FORENSICS

Page 32

PRODUCT EXPERTISE LEVERAGING THE CYLANCE AI PLATFORM™

Page 33

SUPPORTING PRODUCTS AND SERVICES

CylancePROTECT: Enterprise Prevention
CylanceOPTICS: Consistent Visibility and Preventative EDR
CylanceV™: Malware Detection
CyTriage: Phase 1 Scripts
Cylance INSPECT: Phase 2 standalone executable
Cylance COLLECT: On-demand full disk imaging capabilities
CyNTH: Cylance Novel Threat Hunting
ELK Analysis Platform:
▪ Custom Data Science Models integrated into the platform
▪ Phase 1 and 2 data ingested into the platform for scalable analysis and timelining

Page 34

Antivirus replacement
Utilizes Machine Learning
Most admin features and reporting
Protects against executable, memory, script, and USB attacks

Page 35

WHY CYLANCEPROTECT

EFFECTIVENESS
▪ 96.8% success rate vs. malware (NSS Labs)
▪ 0.001% False Positive Rate
▪ Malware
▪ Fileless Malware
▪ Advanced Persistent Threats
▪ Zero-Days

SIMPLICITY
▪ Replaces Traditional AV
▪ Increases ROI Up To 250%* vs. Traditional AV
▪ Remove Additional Layers
▪ Reduce Help Desk Calls by 98%*
▪ Stop Emergency Patching

PERFORMANCE
▪ Lightweight Agent
▪ User Systems Run Faster
▪ Extends Hardware Lifespan
▪ Network Bandwidth Reduction

*Source: Forrester Consulting Total Economic Impact Report

Page 36

Threat visibility
Hunt and kill workflow
Detection and response
Integrated with CylancePROTECT
Retrieve Forensic Artifact Capabilities

Page 37

CYLANCEOPTICS MACHINE LEARNING

▪ One-liner ML Module
  ▪ Scripting engines are the workhorses of IT operations, but they expose a significant amount of functionality that can be leveraged by malicious actions. This module evaluates the content of command line scripts with an emphasis on the language of the script and the command line context of the script.
▪ Malicious Application Behavior ML Module
  ▪ An overwhelming number of attacks target a small, predictable number of trusted applications commonly found in enterprise environments. This model learns legitimate actions between common software and the operating system and blocks anything that veers too far off course.

Page 38

CYLANCEV BENEFITS

▪ On-demand scanning
▪ Automated scanning
▪ Scan drives or directories for new/changed files
▪ Option to move/delete threats when detected
▪ Threat notifications can be sent to syslog
▪ Ensure you have the latest version of CylanceV – 2.7.0.3 is the current version

Page 39

Bad/Good executable scanner
Utilizes Machine Learning
Used for threat hunting on machines without Protect
Has extra models such as OLE and PDF

Page 40

SUPPORTING PRODUCTS AND SERVICES

ELK Analysis Platform

Page 41

STRATEGIC PRODUCT ROADMAP FOR IR

BlackBerry
▪ Mobile security and response offerings
▪ Penetration of net new client base, specifically government, IoT and Automotive
▪ Integration of BlackBerry technology into IR tool stack

Integration of CylancePERSONA™ technology into the IR process

Additional EDR machine learning models built from input from IR engagements and fed into the CylanceOPTICS PM team

Fully integrated threat research capabilities

Page 42

INNOVATION: THREAT RESEARCH INTEGRATION

▪ Sharing of CIMS (BlackBerry Cylance Incident Management Sheet) reports between IR and TR teams
▪ Assists in deriving intelligence based on threats identified in client environments
▪ Leverages telemetry from all client environments to determine risk and prevalence of particular threats
▪ Assists in malware analysis, reverse engineering and research
▪ Ability to quickly derive IOCs and share back with the IR team

USES AI FOR CLASSIFICATION: Is this malware unique? How many machines is it on?

Page 43

INNOVATION: DATA SCIENCE INTEGRATION

The data science team requires well-labeled malicious data, IOCs, etc., as well as benign data from various types of environments, verticals and company sizes. This data can be derived from:
▪ IR engagements
▪ CAs
▪ Pentests
▪ Vulnerability assessments

Data flows from the IR team to the data science team; models and other analytical techniques flow back to the IR team.

Page 44

INNOVATION: DATA SCIENCE INTEGRATION

Models
▪ User Clustering leveraging the K-Means algorithm
▪ DGA Detection using Neural Networks
▪ Process Anomaly Detection using Random Forests
▪ Malware Nearest Neighbor Identification leveraging HDBSCAN

Page 45

PRESS RELEASE

“We’re so pleased to see Forrester reinforce, in our opinion, the effectiveness of our proven AI incident response methodology based on containment, remediation, and prevention. Our expert consultants work quickly to not only resolve incidents and restore operations, but also to leverage BlackBerry Cylance’s first-of-its-kind artificial intelligence to get ahead of the kill chain and prevent incidents before they happen.”
Corey White, Chief Customer Officer, BlackBerry Cylance

“We believe Cylance Consulting is one of the few vendors listed in the Forrester Wave that licenses and shares its machine learning based tools and methodologies. Our continued commitment to sharing these tools and techniques, as well as collaborating with our strategic consulting partners, is helping to create a stronger and more effective incident response community around the world.”
Sasi Murthy, VP of Product Marketing, BlackBerry Cylance

Page 46

QUESTIONS AND ANSWERS

Page 47

Contact Us

[email protected]
+1-877-973-3336

Learn more about Cylance Consulting

Page 48

Additional Resources

Incident Containment and Forensics –
Incident Containment
Incident Containment Retainer
Compromise Assessment

Page 49

THANK YOU

Page 50