Security Analyst at a manufacturing company with 1,001-5,000 employees
Real User
There is an instant isolation of the infected PC with this antivirus solution.
Pros and Cons
  • "Immediately we can pick up the computers in the network if any malicious operation is triggered."
  • "It initially took some time to deploy."

What is our primary use case?

We are a big organization and it is very critical to manage security. So, we are mostly identifying the suspicious problems we saw running in the system.

What is most valuable?

The most valuable feature is the antivirus and instant isolation of the PC to gather the malicious. We are updating the hash file and unknown hash file to block it. 

With Cybereason, we can never fail any business type because of the antivirus detection. That's one thing we can commend the product for. Also, it's subduing menial processes. Like when we are doing any manual job the first process was launched on the last year so it's still wanting to process any linked or not. It's got a really clear intel lifecycle.

It will detect anything that can be malicious, from build ups and videos to anything that can be viruses and some malware, like communicating with malicious websites. Such logs show a clear-cut review, like what the hosting packets are. Immediately we can pick up the computers in the network if any malicious operation is triggered.

What needs improvement?

The graphics are a little lacking. This is one of the problems of this solution.

For how long have I used the solution?

Three to five years.
Buyer's Guide
Cybereason Endpoint Detection & Response
June 2025
Learn what your peers think about Cybereason Endpoint Detection & Response. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
856,873 professionals have used our research since 2012.

What do I think about the stability of the solution?

There are no issues with the stability of the product.

What do I think about the scalability of the solution?

It is scalable. We use this solution for over 20,000 workers who are employed at our company.

How was the initial setup?

The setup is a bit complex. We were using cloud when we set up the solution. As we implemented the product, we had to tell them what the requirements are so they understand, and they are creating the package. It initially took some time to deploy.

What was our ROI?

It will alert if any computer is contacting this malicious host, so it immediately cuts off this computer from the network. It will kick the system off the network, so it will become deficient from the network, then email it to us. It can easily help you do so. So, we integrated the Cybereason and our ideas are integrated too.

What's my experience with pricing, setup cost, and licensing?

I am not personally responsible for the licensing of the product. I have no opinion.

What other advice do I have?

The Cybereason learning tools are fun to use. The tutorials are helpful. There is an open onboarding and training with Cybereason.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Security01c2 - PeerSpot reviewer
Security Specialist at a tech services company with 201-500 employees
Real User
The initial setup was easy and straightforward. It is also cost-friendly with good scalability.
Pros and Cons
  • "It gives all the information in a clear response."
  • "The initial setup was easy and straightforward."
  • "There can be problems with the EDI."
  • "The reporting feature needs improvement."

What is our primary use case?

The primary use case is endpoint protection and production.

How has it helped my organization?

It has a practical use. If a file was infected on somebody's laptop or workstation, then it is now easier for us to understand what the impact is on the environment. 

The Cybereason product enables me to go directly into the software and execute it. I can look up the process, who were the dealers, what were the websites, and what were the IP addresses which were contacted. I can also detect if there were other systems which were impacted or if my environment was compromised.

What is most valuable?

I found the features of this console to be good. In the chain of actions, if I click on something, it will provide more options for other things. 

In addition, it gives all the information in a clear response. These functionalities are quite good and impressive.

What needs improvement?

  • There can be problems with the Electronic Data Interchange (EDI).
  • The reporting feature needs improvement. 

For how long have I used the solution?

Less than one year.

What do I think about the scalability of the solution?

The scalability is good. 

Which solution did I use previously and why did I switch?

I previously used CylancePROTECT. In comparison, Cybereason is new, and has a couple of things which are not good. However, it detects false positives in the end and gives all of the information in a clear response. Its functionality is impressive.

How was the initial setup?

The initial setup was easy and straightforward. It took about two months. 

What's my experience with pricing, setup cost, and licensing?

In terms of cost, this is a good choice for our needs.

Which other solutions did I evaluate?

I previously considered CylancePROTECT and CrowdStrike. However, we found Cybereason a better solution for our needs. 

What other advice do I have?

An organization seeking a product like this needs to evaluate its standpoint. It must decide whether it is looking for flexibility or ease of administration. 

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user692280 - PeerSpot reviewer
Manager Projects at a tech services company with 10,001+ employees
Real User
Malop analysis and the detection part are the most valuable features.

What is most valuable?

Malop analysis and the detection part are the most valuable features.

What needs improvement?

Technical support needs to improve.

For how long have I used the solution?

I have used this solution for around six months.

How is customer service and technical support?

The technical support team is overall good and co-operative.

How was the initial setup?

The setup is straightforward, provided you have the required infrastructure support as prerequisites.

What's my experience with pricing, setup cost, and licensing?

It’s a good product, so you can go for it.

What other advice do I have?

Please go for it as this is an efficient product in the cyber security space.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
PeerSpot user
Director of Operations at a comms service provider with 10,001+ employees
Real User
Cybereason vs. Interset vs. SQRRL

Valuable Features:

Capture DB - they all use NoSQL db and hence solve the ad hoc query and 'go back in time' problem with current best of breed SIEM and DLP solutions that rely on real time analysis of incoming logs (and don't store them). This means deeper and quicker iterative threat analysis and assessment that resolves the provenance and impact of a risk and threat elevated by incoming logs

Anomaly detection - using a baseline and anomalies to surface and rank incoming logs and associated threat/risk - these tools are better able to 'separate the chaff from the wheat' and avoid alarm fatigue and false positives plaguing current log aggregate type of security solutions. Further these security analytics 'learn' in the background and with much more agility than current solutions which must have an explicit 'learning mode' for an extensive period of time as part of set up.

'Fuzzy Logic' rules - morphing the term to describe how these solutions are much more agile and relative in interpreting risk and threats than current generation correlation rules, which rely on very discrete criteria to treat incoming logs priority. Very important as malware and cyber criminals are equally agile at morphing their attack vectors.

Shop floor to top floor - the UI and dashboards tend to move the querying and decision making and resulting assessments up to the executive suite (C level) as opposed to backrooms SIRT, InfoSec tool. Goes to response time and TRA.

Kill Chain - these solutions build a non linear attack 'genealogy' showing direct chain of custody of events leading to a data breach AND related events, users, end points involved passively or as middle men over time. This not only gives the provenance of breach but points to future weak spots in your surface area to proactively in advance of future attacks.

Room for Improvement:

Like any new product the traditional enterprise readiness criteria around scaling, support, robustness, integration and deployment need to be proven out over their maturity curve. That being said their architecture provides confident remedies for scaling and robustness. Further as a 'pro to the con' these tools 'play nice in the security sandbox' in that they have public apis that easily integrate into existing security suites to add value to existing log aggregation solutions in place in an enterprise with significantly reduced set up cycles to their predecessors.

Use of Solution:

Security Analytics;

Assessed/Used the following next gen security analytics tools. There may be more competitors in space but these are the ones I am most familiar with and endorse:

  • Interset (formerly Filetrek)
  • Cybereason
  • SQRRL

Other Advice:

This is a compare and contrast relative to best of breed DLP/SIEM solutions in Gartner MQ and widely deployed.

Differentiators

Interset - further to above, the key differentiator of this product is its focus on insider threat - by tracking file activity and correlating against user end points and risky activities (read file exfiltrations) the resulting dashboards present an organizational risk profile with actionable events prioritized by risk = probability X impact. If one supports the notion that layered security needs to focus on inside out risk instead of trying to secure the perimeter - a very compelling tool for where to focus your infosec/forensic brain power.

Cybereason - similar in mindset to above (inside out risk) this application focuses on Malops - i.e. the notion that malware has and will continue to penetrate the perimeter - but will exhibit telltale patterns of behaviour trying to exfiltrate files (in a manner similar to an insider) - this tool excels at identifying potential attacks in a manner easily understandable at an executive level and again maximizing efficiency of your deep security talent.

SQRRL - similar in intent to Cybereason. Major differentiator is tight AD coupling and labeling functions that can decisively evaluate impact and importance of data under attack and provenance of attack (what users are involved, what machines are infected)

As a final thought - my recommendation would 'either or' selection - they all support the notion of a security ecosystem where every tool gets better with more data. So using these tools in a sort of proactive round robin log assessment and pushing logs to each other would provide the best all round solution.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user274110 - PeerSpot reviewer
it_user274110, Named Account Manager at a tech company with 10,001+ employees
Real User

It notes a Differentiator section that I could quickly jump to.

reviewer2329020 - PeerSpot reviewer
Security Architect at a tech company with 51-200 employees
Real User
Top 20
Provides effective threat detection features and has good technical support services
Pros and Cons
  • "The initial setup was straightforward."
  • "There is room for improvement in the product features related to device control, particularly USB management."

What is our primary use case?

We use the product for enhancing security postures by leveraging behavioral analytics and security engines, effectively minimizing false positives and detecting threats.

What is most valuable?

The product's most valuable features are its effectiveness in threat detection and the small number of false positives it generates. Its nine security engines and contextual descriptions of detected threats are beneficial for our clients' security teams.

What needs improvement?

There is room for improvement in the product features related to device control, particularly USB management.

For how long have I used the solution?

I have been using Cybereason Endpoint Detection & Response for about one and a half years.

What do I think about the stability of the solution?

The product has excellent stability. 

What do I think about the scalability of the solution?

The solution scales well, as evidenced by our implementations for large organizations with thousands of users and servers.

How are customer service and support?

The technical support services are good. 

Which solution did I use previously and why did I switch?

We have experience working with FireEye and Trellix EDR solutions, as well as Palo Alto. After analyzing functionality and effectiveness, we found Cybereason to be superior.

How was the initial setup?

The initial setup was straightforward. Although we encountered a few issues initially, they were quickly resolved, leading to a smooth overall implementation process.

What about the implementation team?

We implemented the solution as a partner of Cybereason, and our in-house team handled the deployment.

Which other solutions did I evaluate?

We evaluated other options, including Symantec, CrowdStrike, and SentinelOne.

What other advice do I have?

I rate Cybereason Endpoint Detection & Response a nine out of ten. 

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user