BlackBerry Cylance Configuration (Carbanak+FIN7 evaluation)
Product Versions
Cylance Enterprise with CylanceGUARD managed threat hunting.
- Includes CylancePROTECT and CylanceOPTICS
  - CylancePROTECT: 2.1.1574
  - CylanceOPTICS: 2.5.3000.7502
Product Description
Cylance Enterprise is a comprehensive, unified-agent, next-generation endpoint security platform that possesses the following capabilities:
- Machine-learning-driven detection and prevention of malware and PUPs
- Memory Defense for detection and prevention of fileless malware and exploit attacks
- Script Control for detection and prevention of malicious and unwanted scripts
- Device Control for removable media protection
- Application Control for locking down specified systems against any additional changes
- CylanceGUARD for managed threat hunting and analysis
- Mapping of detections to MITRE ATT&CK techniques and to advanced attacks targeting specific operating systems
- Comprehensive and highly extensible API for ease of automation and integration
- Root Cause Analysis and contextual awareness leveraging "flight data recorder-like" visibility
- Enterprise-wide, distributed, instantaneous query capability using Cylance's proprietary CEMENT protocol
- Comprehensive forensic artifact tracking and contextual data integration, such as:
  - PowerShell tracing
  - WMI attributes and parameters
  - Enhanced PE parsing
  - Win32 API and kernel audit messages
- Fast Incident Response: take incident response actions quickly, such as quarantining or acquiring suspicious files and/or isolating compromised endpoints from the network
- Automated Response: customize automated response actions associated with rule sets to eliminate the dwell time between threat detection and incident response actions; examples include:
  - Logging off users
  - Deploying packages to collect additional data and/or forensic artifacts
  - Terminating processes and/or process trees
Product Configuration
All Windows and Linux, MITRE, CylanceGUARD and Machine Learning detection rules were enabled. Most customers will also need to implement exceptions within some rules, depending on the configurations, applications and activity present on the systems in their environment. During testing, no configuration was performed to support MSSP-related actions. During the re-test portion of the evaluation, Cylance created an additional 24 rules, all of which are publicly available, and altered the Optics Config XML to increase the scope of the Read Sensor.