As many of our readers know, we have been Cylance fans ever since we designated them SC Lab Approved a couple of years back. In fact, we recently looked at them again in our One Year Later segment, so we won't spend a lot of time on the basic Cylance product, leaving us time for the new CylanceOPTICS option. One note of caution: while we have been at some pains to point out pricing among next-generation endpoint products - taking the position that they are a bit pricey for large enterprises - please note that the pricing here, while decidedly at the high end, is for the combination of CylancePROTECT and CylanceOPTICS. That makes the price a bit more reasonable, especially, as you will see, given the significant level of analysis and protection the combination provides.
CylanceOPTICS is, to put it simply, a set of sophisticated analyst tools that takes everything provided by CylancePROTECT and assists in the task of understanding what the data mean. CylancePROTECT is a next-generation anti-malware endpoint tool that has evolved into several other areas of endpoint protection, such as host-based intrusion detection, monitoring and blocking, as well as remediation. With its back-end AI engine and big-data management in the Cylance cloud, the tool can perform deep analysis of a variety of malware, scripted and other events that may signal an attack against an endpoint. CylancePROTECT is predominantly an alerting tool, although it does expose some analytical capabilities to the analyst and SOC engineer. CylanceOPTICS puts that relatively small bit of exposed analytics on steroids.
Cylance has all of the data necessary to perform advanced analytics and, in fact, it must do so to provide the level of alerting that it does. CylanceOPTICS, however, applies those analytics in the user's own environment, and they appear on the CylancePROTECT dashboard menu as an added option once you deploy the new tool.
CylanceOPTICS is run from the administrator dashboard. When you select the CylanceOPTICS icon and go to InstaQuery, you see a form that lets you enter Search Term, Artifact, Facet, Zone, Name and Description. The search term can be a file, a hash, a registry value and so on. For example, if you get an alert showing that a file has been quarantined, you can enter the filename into CylanceOPTICS and search on it. The artifact could be a file, a network path, a registry key and so on. Together these fields define the object you are looking for so that you can analyze its behavior.
Once you have an artifact under analysis, you can go to Focus and see all of the related events that preceded and followed the alert. These are laid out on a timeline with graphics that are quite clear. The chart shows the CylancePROTECT alert together with all of the network events and running processes on the same timeline. For example, we copied a file from our zoo - a zero-day version of the executable for SATAN RaaS ransomware - onto our protected desktop. We did not execute it, but CylancePROTECT found it and quarantined it. The CylanceOPTICS view then showed us all of the applications that were running at the time and that could have been affected. Because the events were on a timeline, we were able to confirm that no infection had occurred and no processes were impacted.
Each device can be managed individually, and details about the device can be viewed easily. As we have reported before, the support and website for this product are first-rate. The CylanceOPTICS add-in can be downloaded or pushed out from the CylancePROTECT dashboard in exactly the same way that you deploy CylancePROTECT. When we have needed support from Cylance, it has always been fast and completely appropriate to the problem we were having. We needed a little help with this one, and it was rapidly forthcoming.