This is a pure-play endpoint protection tool with a strong focus on malware. It is a hybrid with sensors at the endpoints that communicate with a "hunting engine" in the cloud. The hunting engine uses its collected data, malicious activity models and threat intelligence to analyze events. These events are analyzed for malicious activity which Cybereason refers to as "malops," or malicious operations.
This is a tool that has as much value as an analysis tool as it does as an alerting tool. When we launched the product we had a variety of screens to which we could go. We started with the discovery board, which summarizes what the endpoints are seeing and focuses on malops. It shows which malops, if any, are in progress or have occurred and have not yet been addressed. This board is one of the best we've seen. It takes each malop and describes, at a high level, what is happening. Users see such things as infections, lateral movement and privilege escalation, for example. Then the drill-down starts.
The drill-down gives a lot of detail, at least in general terms. However, you can go much farther. For example, you can get an excellent graphical map of unknown malware that might be the result of your drill-down and an underlying cause of a malop. The map shows the infected file, a description of the problem, where the infected file came from, what endpoint it infected and the root cause of the malop. There are similar drill-downs for unauthorized users. All of this information comes together in the investigation screens.
This is an excellent tool for forensic investigation of malops. It provides detailed evidence about a particular process suspected of being part of a malop. Because a malop is likely made up of multiple elements rather than a single piece of malware, details of all of those elements are a necessary part of any forensic investigation. This tool has multiple drill-downs that get you where you need to be over the course of your investigation.
While the product does not do DLP per se, it does look for exfiltration as part of a malop. Cybereason refers to this as "data theft" and it is part of an investigation. That piece is not limited to malware-driven exfiltration: an unauthorized user could, as part of an intrusion, exfiltrate data as well. All of these capabilities are included in the malicious operation dashboard, the malop visualizer, the investigation workbench and the single-click remediator.
Support is eight-hours-a-day/five-days-a-week and is included in the annual cost. It consists of phone and email support. An extra-cost option provides active monitoring and a managed monitoring service. The website is, generally, quite complete. However, it is missing a couple of things we'd like to see, such as a support portal. We'd also like a knowledge base or FAQ. That gap, however, is well filled by a collection of white papers, case studies and an active blog.
The blog, for example, carried a preview of some interesting research that was presented at Black Hat. Cybereason has an active research program and its research reports are available on the website. There are also some interesting videos - separate the good stuff from the marketing, though - and it is clear that this is an evolving company with a product that is evolving with the threatscape. We are used to seeing this in next-generation threat analytics tools but not as frequently in something potentially as prosaic as endpoint security. This is a good sign.