Cybereason Endpoint Detection & Response Reviews

We primarily use the solution for security purposes.

I really like the features. It's quite different from any other solution. 

It's complex, but not in a bad way. I find it fascinating to explore all of the options they have on offer.

The solution is efficient.

The support is very responsive.

We're excited for the new features we'll be getting in version 20.1.

The user interface is very easy to understand and navigate.

The solution is great for tracking and tracing computers.

I can't tell how much it detects and how much it doesn't detect. This I don't know. However, this isn't my area of expertise. That said, detection could always be improved upon.

Reporting could be a bit more granular so that we had the ability to check regions and countries. I just noticed that, for instance, if I look at our servers, it's either "contained" or it's "not contained". I don't have the option, for instance, to look at countries. It only allows me to look at users as one big group.

It is useful to have a bit of training on the solution first. It's not as intuitive, as, say, your iPhone.

It would be helpful if, in the future, there was a more efficient way to upgrade the sensors directly from the cloud. Basically on each end device, you're deploying a sensor. They call it a sensor, other companies call it something else, but they call it sensor. That's where you have the version of the software. To upgrade, for instance from 19 to 20, today we have to do it internally. I know they have it in the pipeline to make the upgrades easier, but they don't know by when it will be released. If it could be done directly from the console to all servers, that it would be a nice feature.

While the company has been using the solution for two years, I haven't been using it for too long. At this point, I may have only been using it for two months or so.

The solution is quite stable. We haven't had any issues with it. It doesn't have bugs or glitches. It doesn't freeze or crash. I would consider it to be reliable. I can always access the console, I can check stuff. I don't have issues.

We're on version 19.1, and we're waiting on version 20.1 to be used a bit more and become a bit more stable before we upgrade. We're a pretty complex organization. Cybereason told us to hold off for a bit, and so we aren't changing versions just yet. 

We're a big, complex company, and even so, with this solution, scalability is pretty straightforward. I'm not dealing directly with this part of the solution. However, if an additional detection service is needed or if we need more disk space, it seems really, really easy to expand. 

The support that the company offers is very good. We've been quite satisfied. I find them to be exceptionally responsive. They are quite knowledgeable.

It's very straight forward to implement the solution. It's not complex at all. The solution provides you with a package once, tailored to how your network is working. They provide you with a dedicated package for your own organization and it's ridiculously simple to install.

Technically, the solution is already deployed, however, it's not on all servers yet. I'm deploying the machine servers worldwide while also making sure that the grid version of the sensors is set up. I would estimate that, at this point, the company has deployed the solution 90-95%. We're in the process of finishing off what's left.

I tend to deploy the solution myself to our servers around the globe. If I do need assistance, I have a manager that's available 24/7.

We're just customers. We don't have a business relationship with the client. I'm not a security expert. That said, I'm closely in touch with the company for training, etc. and I keep an eye on how it works for our company. 

The thing is with an EDR solution, it's kind of a new world for me. I've read up on Cybereason a lot, as well as other options. I was trying to understand the differences between the products. My understanding is that they are kind of a new generation of EDR, which are represented by Cybereason and by CrowdStrike. They are doing active monitoring which differentiates them from other solutions if I understood properly.

They are monitoring our environment effectively. We are monitoring it by ourselves as well, however, their SOC team is monitoring and pre-alerting us all the time, every day. 

From a user experience perspective, I'd rate the solution nine out of ten.

The primary use case of this solution is for Windows 10 platforms, any kind of Windows 10 platform, desktop edition, and some Windows servers for monitoring and protection.

The most valuable feature is the EPP part.

The integration with Microsoft solutions and Microsoft capabilities needs to be improved. Also, the agility to be ready for a new platform.

Stability needs to be improved.

The issue for me is the platform supportability. When there is a new version of OS, that is something that has to be improved.

The communication is not clear and we are not receiving the messages on the tests to know if it works or not.

Linux was a bad experience and Micro OS was a disaster.

The biggest issue is the platform for Micro OS and Linux are not supported.

I have known this solution for three years, more or less.

We are using the latest version.

I didn't like the stability. There were some problems and it was not responding correctly to integration.

Scalability seems to be ok. It's supporting more than 200,000 devices and in terms of scaling, it's ok.

For me, the technical support is good. I asked support for certain points to move on, in terms of new things, and I haven't received any good feedback.

I think that they are ok with the current platform and the current support, but they are not ok in terms of providing us with where they are evolving.

For antivirus projects, we were using Windows Defender and Skype for previous platforms such as Windows 7. Now, we are still using Windows Defender.

For additional features or features that are redundant with Defender, we are using Cybereason.

The initial setup was straightforward with plenty of issues.

It took between a few weeks and a few months to deploy.

We were using Cybereason directly.

In terms of pricing, it's a good solution.

We are evaluating the possibility of enabling Microsoft Defender ATP, which will cover most or all of the suites and the features that we have on Cybereason as well.

My advice is to evaluate carefully Microsoft Defender ATP and see if they are running fully with Microsoft. If they are evaluating anything at the endpoint level and they plan to use Mac, Windows, and Linux, they should pay attention to Microsoft solutions. Microsoft is becoming a leader in this area.

The cost of Microsoft is quite high, it is something that has to be discussed with Microsoft on a case by case.

I would rate this solution a seven out of ten.

We use Cybereason for endpoint detection, response, and protection.

All of the features are valuable. I like the managed detection response feature a little bit more than most. We have a small team and it allows us to confidently go on breaks and after-hours leaving the Cybereason team to manage it.

Cybereason absolutely enables us to mitigate and isolate on the fly. Our managed detection response telemetry has dropped dramatically since we began using it. It's very top-of-mind. We were running some tabletop exercises and none of the detections were getting triggered by the managed security services provider. So we needed to find a solution that would trigger high-fidelity alerts. That was Cybereason and it dramatically changed our landscape from the detection and response perspective.

We evaluated Cybereason based on our junior analysts. We had hands-on keyboard time with them and they provided feedback on use cases that we've given them. Cybereason came out on top as being the easiest to use out of the three solutions that we considered.

The main difference between them was the overall ability to detect the evolving threat in the kill chain was a lot easier to view and alert on for Cybereason. Whereas the others failed to trigger an event anywhere in the kill chain. It had to have a few of the dominoes fall in the kill chain prior to having the event triggered. So it was clear that Cybereason detects threats anywhere within the MITRE ATT&CK framework, whereas the other ones had to follow a series of events. 

Cybereason provides an operation-centric approach to security that enables us to instantly visualize an entire malicious operation from the root cause to every affected endpoint and in real-time. Their overall view within the threat landscape is very easy to understand and visualize. It helps the junior analysts respond and contain to it in a timely manner.

This approach also helped us to move beyond chasing multiple alerts. It came to a point where now we're in an almost set it and forget it stage where it just alerts us and we can direct our attention elsewhere, which is helping the business grow and reach its mission goals.

We have a level up on the attack adversaries with Cybereason due to its nature of detecting malicious user and process behavior analytics. It does a phenomenal job in detecting anomalous behavior on the network and alerting us immediately with the whole story behind it. So it definitely enables us to adapt to attacks and act more swiftly than the attackers can adjust their tactics.

It also leverages indicators of behavior as a means of detecting attacks. Its AI hunting engine does a exceptional job in weeding out the noise and giving us high-fidelity alerts based on indicators of compromise. Which also helps us to detect attacks earlier using this approach. It automates everything. 

The time it takes to detect attacks has been reduced through this approach. At least half if not 60% of our time is not spent on threat hunting anymore. It allowed us to be more business-focused and delivering products and solutions to market quicker for our clients.

Cybereason reduced our detection by 85%. Telemetry and reports are upwards of 90% reduced time.

Ad hoc higher-level reporting to senior management could be implemented. That's definitely an area of improvement that they need to focus on.

Their endpoint protection piece for device management and storage device protection could use maturation. 

I started using Cybereason EDR shortly over a year now. It was March of 2020.

The performance was better than the endpoint detection response of our previous solution. We've actually had comments from end-users once we deployed Cybereason, and we noticed the outgoing solution that their computers have increased in speed.

Scalability is endless, especially in a SaaS deployment. We scaled from zero to 2,900 in three weeks, and we saw no degradation in threat hunting query performance within the platform or any ill effects on the platform itself.

It does require maintenance for deploying upgraded sensors and for tweaking policies as new features come out. I don't think that would be maintenance. Upgrading endpoint sensors on mission critical device I recommend a maintenance window just to follow industry best practices, however all other devices can be completed during normal business hours.

Their technical support is very competent. They know the product inside and out and they try to understand the business's needs before any solution is provided.

Symantec was our previous provider. It was through tabletop exercises that we found that it just wasn't triggering alerts that it should have been, so it led us to review other products.

The setup was completely fast-paced and extremely straightforward. 

We were under a somewhat constrained timeline for rollout. It usually takes us six to eight weeks to roll something of this magnitude out to the organization, but having the pandemic upon us, we actually got it fully deployed in under three weeks. That's how easy it was to roll out and deploy.

The deployment was done all internally. It was a little bit more than just our security team. It was help from our tier-one support analyst as well, but we got it rolled out with a handful of people. Six people were involved in the project in deploying over 2,900 sensors.

We are currently looking at their mobile device management solution or their protection solution to expand usage.

We will see a positive ROI, I believe, in the next 12 to 24 months.

It's not the cheapest, but it's the best.

There are no additional costs to standard licensing. 

My advice would be: Don't hesitate. Pull the trigger and you won't be disappointed.

It's always watching the house. No matter what you throw at it, it will detect anything you give it. It detects anomalies within the environment.

I would rate it an 9.5 out of 10. 

The use cases vary. A lot of it depends on customer requirements and the customer environment. It’s tricky to pin down universal use cases.

We like that it is a hybrid. It’s flexible. You can really do whatever you need to do.

The initial setup is not overly complicated.

The solution can scale.

It is stable and reliable.

They need to improve their technical support services.

I’ve been using the solution for about one year.

The solution has been very stable. There are no bugs or glitches, and it doesn’t crash or freeze. It’s reliable. The performance has been good overall.

It is possible to scale the solution. If your company needs to expand, it can do so. It’s not an issue.

Technical support could be better. We’d like to see them be more helpful and responsive in the future.

It’s easier to set up that Cybereason Connect. It’s pretty straightforward. It didn’t take too long to deploy.

I don’t have any insights into the pricing of the product. I don’t handle the licensing aspect of the solution.

I would recommend the solution to other users and organizations. For the most part, we have been pleased with its capabilities.

In general, I would rate the solution eight out of ten.

We are a big organization and it is very critical to manage security. So, we mostly we are identifying the suspicious problems we saw running in the system.

The most valuable feature is the antivirus and instant isolation of the PC to gather the malicious. We are updating the hash file and unknown hash file to block it. 

With Cybereason, we can never fail any business type because of the antivirus detection. That's one thing we can commend the product for. Also, it's subduing menial processes. Like when we are doing any manual job the first process was launched on the last year so it's still wanting to process any linked or not. It's got a really clear intel lifecycle.

It will detect anything that can be malicious, from build ups and videos to anything that can be viruses and some malware. Like communicating to the malicious websites. So such logs shows such clear cut review and what it shows like what are the hosting packets. Immediately we can pick up the computers in the network if any malicious operation that is triggered.

The graphics are a little lacking. This is one of the problems of this solution.

There are no issues with the stability of the product.

It is scalable. We use this solution for over 20,000 workers who are employed at our company.

The set up is a bit complex. We were using cloud when we setup the solution. As we implemented the product, we had to tell them what are the requirements so they understand and they are creating the package. It initially took some time to deploy.

It will alert if any computer contacting this malicious host so immediately it cut off this computer to the network. It will kick off the system from the network, so it will become deficient from the network, then email it to us. It can easily help you do so. So, we integrated the Cybereason and our ideas are integrated too.

I am not personally responsible for the licensing of the product. I have no opinion.

The Cybereason learning tools are fun to use. The tutorials are helpful. There is an open onboarding and training with Cybereason.

We are a solution provider and we deal with three different vendors to supply security products for our customers. One of the products that we implement for them is Cybereason Endpoint Detection & Response.

It is used for endpoint protection, in general, and monitoring the endpoint. Those asking for EDR usually have a security operations center (SOC). They just want to see the dashboard, the incidents, and whether something has happened on the endpoint.

This product is somewhat new for us, so we haven't been able to secure deals with our customers for it yet. We have proposed it to one customer because it was requested.

Also, I think that Cybereason only has perhaps 500 employees, and there are not many technical people in the Middle East. There is only one regional manager and he is based in the U.A.E., and within the past four or five months, they hired a new service engineer (SE).

The dashboard is very good and you can consider it as an interactive UI.

There are not many resources in this region for Cybereason, although I have seen some webinars and technical sessions for it.

Cybereason is not flexible in terms of needing a lot of servers, or assets. My understanding is that it requires a lot of components to keep it alive. This is unlike BitDefender, which only needs one virtual machine that you upload and run. Some customers don't have the resources available for this.

They do not have anything related to mailbox security.

Cybereason does not have sandbox functionality.

We signed the contract with Cybereason to sell the Endpoint Detection & Response solution a year ago, although we have not had much experience with it yet. Most of our customers already have endpoint protection from Kaspersky and are asking for license renewals and support. It is similar for our customers that have BitDefender.

I have not been in contact with technical support.

We also deal with BitDefender and Kaspersky.

I have some hands-on work with BitDefender and have completed some implementations.

Both Trend Micro and BitDefender have support for mailbox security. For example, they have specific functionality for securing Microsoft Exchange, or mailboxes in general. Cybereason doesn't have this option. The same is true for sandboxing capabilities.

This is a product that requires a lot of resources when it is set up.

Some of our customers ask that Cybereason be installed with an air gap.

We do not yet have much hands-on experience with this product.

This product is somewhat expensive and should be cheaper. Having better pricing, in general, would be an improvement.

This is a product that I recommend for endpoint protection in general, and for the server. However, if they need mailbox security then I would recommend another product.

I would rate this solution a seven out of ten.

Capture DB - they all use NoSQL db and hence solve the ad hoc query and 'go back in time' problem with current best of breed SIEM and DLP solutions that rely on real time analysis of incoming logs (and don't store them). This means deeper and quicker iterative threat analysis and assessment that resolves the provenance and impact of a risk and threat elevated by incoming logs

Anomaly detection - using a baseline and anomalies to surface and rank incoming logs and associated threat/risk - these tools are better able to 'separate the chaff from the wheat' and avoid alarm fatigue and false positives plaguing current log aggregate type of security solutions. Further these security analytics 'learn' in the background and with much more agility than current solutions which must have an explicit 'learning mode' for an extensive period of time as part of set up.

'Fuzzy Logic' rules - morphing the term to describe how these solutions are much more agile and relative in interpreting risk and threats than current generation correlation rules with rely on very discrete criteria to treat incoming logs priority. Very important as malware and cyber criminals are equally agile at morphing there attack vectors.

Shop floor to top floor - the UI and dashboards tend to move the querying and decision making and resulting assessments up to the executive suite (C level) as opposed to backrooms SIRT, InfoSec tool. Goes to response time and TRA.

Kill Chain - these solutions build a non linear attack 'genealogy' showing direct chain of custody of events leading to a data breach AND related events, users, end points involved passively or as middle men over time. This not only gives the provenance of breach but points to future weak spots in your surface area to proactively in advance of future attacks.

Like any new product the traditional enterprise readiness criteria around scaling, support, robustness, integration and deployment need to be proven out over their maturity curve. That being said their architecture provides confident remedies for scaling and robustness. Further as a 'pro to the con' these tools 'play nice in the security sandbox' in that they have public apis that easily integrate into existing security suites to add value to existing log aggregation solutions in place in an enterprise with significantly reduced set up cycles to their predecessors.

Security Analytics;

Assessed/Used the following next gen security analytics tools. There may be more competitors in space but these are the ones I am most familiar with and endorse:

• Interset (formerly Filetrek)
• Cybereason
• SQRRL

This is a compare and contrast relative to best of breed DLP/SIEM solutions in Garner MQ and widely deployed

Differentiators

Interset - further to above key differentiator of this product is focus on insider threat - by tracking file activity and correlating against user end points and risky activities (read file exfiltrations) the resulting dashboards present an organizational risk profile with actionable events prioritized by risk = probability X impact. If one supports the notion that layered security needs to focus on inside out risk instead of trying to securing the perimeter - a very compelling tool for where to focus your infosec/forensic brain power.

Cybereason - similar in mindset to above (inside out risk) this application focuses on Malops - ie the notion that malware has and will continue to penetrate the perimeter - but will exhibit tell tale patterns of behaviour trying to exfiltrate files (in a manner similar to an insider) - this tool excels at identifying potential attacks in a manner easily understandable at an executive level and again maximizing efficiency of your deep security talent.

SQRRL - similar in intent to Cybereason. Major differentiator is tight AD coupling and labeling functions that can decisively evaluate impact and importance of data under attack and provenance of attack (what users are involved, what machines are infected)

As a final thought - my recommendation would 'either or' selection - they all support the notion of a security ecosystem where every tool gets better with more data. So using these tools in a sort of proactive round robin log assessment and pushing logs to each other would provide the best all round solution.

The primary use case is endpoint protection and production.

It has a practical use. If a file was infected on somebody's laptop or workstation, then it is now easier for us to understand what the impact is on the environment. 

The Cybereason product enables me to go directly into the software and execute it. I can look up the process, who were the dealers, what were the websites, and what were the IP addresses which were contacted. I can also detect if there were other systems which were impacted or if my environment was compromised.

I found the features of this console to be good. In the chain of actions, if I click on something, it will provide more options for other things. 

In addition, it gives all the information in a clear response. These functionalities are quite good and impressive.

• There can be problems with the Electronic Data Interchange (EDI).
• The reporting feature needs improvement. 

The scalability is good. 

I previously used CylancePROTECT. In comparison, Cybereason is new, and has a couple of things which are not good. However, it detects false positives in the end and gives all of the information in a clear response. Its functionality is impressive.

The initial setup was easy and straightforward. It took about two months. 

In terms of cost, this is a good choice for our needs.

I previously considered CylancePROTECT and CrowdStrike. However, we found Cybereason a better solution for our needs. 

An organization seeking a product like this needs to evaluate its standpoint. It must decide whether it is looking for flexibility or ease of administration.