Post on 19-Aug-2020
TOM PACE
VP, GLOBAL ENTERPRISE SOLUTIONS
THE ROLE OF AI IN INCIDENT RESPONSE
The webinar will start momentarily. Please stand by.
SAFE HARBOR
The information in this presentation is confidential and proprietary to BlackBerry ® Cylance® and may not be disclosed without
the permission of BlackBerry Cylance. This presentation is not subject to your license agreement or any other service or
subscription agreement with BlackBerry Cylance. BlackBerry Cylance has no obligation to pursue any course of business
outlined in this document or any related presentation, or to develop or release any functionality mentioned therein.
This document, or any related presentation and BlackBerry Cylance's strategy and possible future development, product,
and/or platform direction and functionality are all subject to change and may be changed by BlackBerry Cylance at any time for
any reason without notice. The information on this document is not a commitment, promise, or legal obligation to deliver any
material, code, or functionality. This document is for informational purposes and may not be incorporated into a contract.
BlackBerry Cylance assumes no responsibility for errors or omissions in this document.
AGENDA
Current State of Incident Response (IR) Services
Impacts of AI in the BlackBerry Cylance IR Methodology
Forrester Wave Report Analysis of BlackBerry Cylance IR Services
Q&A
WHO IS TOM?
▪ 14 Years of Security Experience
▪ Multiple Verticals (Government, Law Enforcement, Financial)
▪ 4 Years in the Marine Corps
  ▪ Infantry / Intelligence Work
  ▪ Afghanistan ’06 / Iraq ’07
▪ Education:
  ▪ MS, University of Pittsburgh
▪ Certifications:
  ▪ SANS: GCFA, GCIH, GCIA, GCWN, GCISP
  ▪ CISSP, SFCP
▪ Adjunct Professor at Tulane University
▪ RSA & Black Hat Speaker/Trainer
CURRENT STATE OF IR SERVICES
▪ How many repeated ransomware incidents have you had?
▪ How many variants of the same malware have you had to deal with over the years?
▪ How many incidents have you done forensics on and found out that data was exfiltrated months before you detected it?
CURRENT STATE OF INCIDENT RESPONSE SERVICES
THE AVERAGE HACK TAKES 197 DAYS TO BE DETECTED [1]
[1] Source: Ponemon Institute | 2018 Cost of a Data Breach Study
CYLANCE: STRONG PERFORMER IN IR
▪ Cylance has well-defined processes and tooling to ensure effective incident response. Cylance is a global company who will only have greater reach with their recent acquisition by BlackBerry.
▪ They have a wide range of products and services, and established partnerships with law firms as well as insurance brokers as well as carriers.
▪ Cylance has demonstrated incident response expertise including investigating industrial control system (ICS) environments.
The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave are trademarks of Forrester Research, Inc. The Forrester Wave is a graphical representation of Forrester's
call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave.
Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
THE FORRESTER WAVE: CYBERSECURITY INCIDENT RESPONSE SERVICES, Q1 2019
BLACKBERRY CYLANCE DIFFERENTIATORS
ICS Expertise. Some of the leaders are outsourcing this capability with other vendors like Dragos. We have our own internal ICS team which allows us to provide a much more streamlined approach.
Containment, Remediation and Prevention based approach. Almost all of the vendors in this Wave have inferior containment technology; our ability to rapidly quarantine known and unknown malware as well as leverage detection rules and REFRACT packages and playbooks provides a massive differentiator.
Product expertise. Being intimately familiar with the tools you are using from an IR perspective is critical, and thus a differentiator.
ICS EXPERTISE
Artificial intelligence/machine learning approach – revolutionary for this industry
Three-pronged approach:
▪ Discover the business impact of a cyber threat on the ICS
▪ Identify vulnerabilities and indicators of compromise within the control system environment
▪ Identify and prioritize mitigation strategies
EMPLOYEE EXPERTISE: INDUSTRIAL CONTROL SYSTEMS
ICS SERVICES
ICS Security Fundamentals
ICS Red Team Services
ICS Compromise Assessment
ICS Incident Containment (Response)
ICS Component Testing & Analysis
ICS Security Assessment
Building Automation Assessment
ICS Policy Gap Analysis
ICS Security Monitoring
ICS Backup and Recovery
ICS Incident Response Program Review
▪ Keynote speaker at SANS Oil and Gas Summit
▪ ICS Security Program and Standards (including NIST CSF, C2M2, IEC 62443, etc.)
▪ ICS Network and Security Architecture Design and Implementation
▪ ICS Standards Development and Deployment
▪ Process Development and Integration
▪ Designing and Implementing IT and Security Technology into ICS
▪ Multiple ICS Vendor Technologies and Platforms (Embedded Hardware and Application Software)
▪ Multiple ICS Specific Protocols
▪ Operations experience across many ICS industries
▪ Primary course creator for SANS 515 Incident Response in ICS environments
EMPLOYEE EXPERTISE: INDUSTRIAL CONTROL SYSTEMS
What specific tooling is required to operate in an ICS environment?
▪ All the benefits of the CA (Compromise Assessment) process and P1 (Phase 1) scripts
▪ Lightweight agent (CylancePROTECT®)
▪ We analyze network traffic (IT and ICS protocols) using commercial, open source and custom tools
▪ Specific hardware around specific PLC devices, and other ICS hardware
▪ Leverage client or vendor supplied tools as appropriate
INCIDENT RESPONSE METHODOLOGY
The solution to solving an organization’s security problem includes:
MONITOR: Proactive services to identify potential infection vectors; alerts on new vulnerabilities
IDENTIFY: Compromise Assessment; assess compromise activity
PREVENT: Containment and Remediation; predict and prevent future attacks
REMEDIATE: Incident Containment; remediate compromises
INCIDENT RESPONSE PATHWAY TO PREVENTION
INCIDENT CONTAINMENT PROCESS
Deploy Tools (CylancePROTECT, Collection Scripts, CylanceOPTICS™) → Collect Data → Analyze Data (Known IOC, AI/ML, File Meta data) → Report (Findings, Recommendation)
AI & THE EVOLUTION TO PREVENTION
LEGACY
▪ One of the tools detects “something”
▪ Reactive
▪ Image the entire disk and/or memory
▪ Time consuming
▪ Large amount of data
▪ Requires hardware/appliances in environment for additional visibility
▪ Increase in capital costs
▪ “Seize all, find all”
PREVENTION-BASED INCIDENT CONTAINMENT
Oxymoron?
▪ No network taps or monitoring of egress points
▪ Assesses every endpoint
▪ Leverage your software deployment to push out dissolvable scripts and/or through the agent
▪ Principle of least data
▪ Speed in analysis – we’re TWICE as fast!
▪ Use AI for detection of malware, PUPs and compromised credentials
▪ Containment with a single mouse click
IR PROCESS / FLOW
1. Hunt: Determine the Scope of the Incident with Confidence (P1)
   ▪ Cylance Compromise Assessment
   ▪ Acquire critical artifacts
   ▪ Leverage AI to find compromise(s)
2. Investigate the Trail, INSPECT (P2)
   ▪ Further utilize AI to work smarter
   ▪ Collect additional artifacts
   ▪ Enrich the data
   ▪ Pivot across all data points
[Process flow diagram; labels: Compromise Assessment, Scope Identified, Suspect Systems, CylanceINSPECT, CylanceV, CylanceINVESTIGATE, Manual Analysis, Actionable Results, Remediation/Prevention]
AREAS OF ANALYSIS
• Has data been stolen or destroyed?
• Were systems, services, or applications sabotaged?
• Were administrative or security controls subverted?
• How are threat actors exerting external command of the environment?
• Did adversarial lateral movement between systems or networks occur?
• How prevalent are user accounts throughout the environment?
• Were any users’ accounts compromised?
• Were user accounts leveraged in lateral movement?
• What indicators of compromise or persistence are present within the environment? How were they delivered?
• Are there occurrences of known indicators of compromise?
• What was the intended usage of malware and persistence mechanisms?
• What applications, configurations, or operating systems contain potential security risks?
CYTRIAGE – PHASE 1 HUNTING SCRIPTS
LEVERAGED IN IR AND CA ENGAGEMENTS
▪ Leverages artificial intelligence
▪ Determines anomalies, correlations and root causes
▪ Provides the fastest results in the industry
▪ Lightweight, quiet scripts without tipping off attacker
▪ Once environment is remediated, we’ll move it to a state of PREVENTION
▪ Assists in determining depth and breadth of the incident
We can assess every endpoint:
▪ Servers
▪ Workstations
Use system commands to gather data (2 – 5 minutes):
whoami
date /T
dir /R /a /s /tc
ipconfig /displaydns
netstat /ano
tasklist
tlist
schtasks /query /v /fo csv
route print
nltest
reg
xcopy
Metadata is sent to Cylance for Compromise AI Analysis
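The collection step described above (a fixed set of read-only system commands, output gathered in a few minutes, metadata forwarded for central analysis) can be scripted as a small harness. The following Python is an added example written for this page; it is not CyTriage or any BlackBerry Cylance code. It assumes the slide's commands are run from cmd.exe on the Windows host being triaged, keeps the raw output on that host, and produces only a JSON manifest of metadata (command, exit code, size, SHA-256, timing) for forwarding, which is how the "principle of least data" is kept. The file naming, the 120-second per-command timeout and the `verify` integrity check are choices made for the example; `nltest`, `reg` and `xcopy` appear on the slide without arguments and are left for the operator to parameterise.

```python
"""Phase 1 triage collection harness.

Added example for this page, not CyTriage or any BlackBerry Cylance code.
Runs a fixed, operator-supplied list of read-only system commands, keeps each
command's raw output on the host, and writes a JSON manifest of metadata
(command, exit status, size, SHA-256, timing). The manifest, not the raw
output, is what gets forwarded for central analysis.
"""
import hashlib
import json
import platform
import re
import socket
import subprocess
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path

# Command set from the slide, to be run from cmd.exe on the Windows host being
# triaged. Commands are chosen by the operator, never taken from untrusted input.
# "nltest", "reg" and "xcopy" appear on the slide without arguments and need
# case-specific parameters, so they are left for the operator to fill in.
PHASE1_COMMANDS_WINDOWS = [
    "whoami",
    "date /T",
    "dir /R /a /s /tc",
    "ipconfig /displaydns",
    "netstat /ano",
    "tasklist",
    "tlist",
    "schtasks /query /v /fo csv",
    "route print",
]


def sha256_hex(data: bytes) -> str:
    """Hash of a command's output, recorded so the stored file can be verified later."""
    return hashlib.sha256(data).hexdigest()


def run_command(command: str, timeout_s: int = 120) -> dict:
    """Run one command through the platform shell and capture its combined output."""
    started = time.time()
    try:
        proc = subprocess.run(command, shell=True, capture_output=True, timeout=timeout_s)
        output, returncode, error = proc.stdout + proc.stderr, proc.returncode, ""
    except subprocess.TimeoutExpired as exc:
        # Keep whatever partial output exists; a hung command must not stall the sweep.
        output = (exc.stdout or b"") + (exc.stderr or b"")
        returncode, error = None, "timeout"
    return {"command": command, "returncode": returncode, "error": error,
            "duration_s": round(time.time() - started, 3), "output": output}


def collect(commands, outdir=None, timeout_s: int = 120) -> dict:
    """Run every command, store raw output as files, and return the metadata manifest."""
    outdir = Path(outdir) if outdir else Path(tempfile.mkdtemp(prefix="triage_"))
    outdir.mkdir(parents=True, exist_ok=True)
    manifest = {
        "hostname": socket.gethostname(),
        "platform": platform.platform(),
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "outdir": str(outdir),
        "results": [],
    }
    for index, command in enumerate(commands, start=1):
        result = run_command(command, timeout_s)
        output = result.pop("output")          # raw output stays on the host
        stem = re.sub(r"[^A-Za-z0-9_.-]", "_", command.split()[0])
        path = outdir / f"{index:02d}_{stem}.txt"
        path.write_bytes(output)
        result.update({"file": path.name, "size_bytes": len(output),
                       "sha256": sha256_hex(output)})
        manifest["results"].append(result)
    (outdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(outdir) -> list:
    """Re-hash stored outputs against the manifest; returns the names of files that changed."""
    outdir = Path(outdir)
    manifest = json.loads((outdir / "manifest.json").read_text())
    return [r["file"] for r in manifest["results"]
            if sha256_hex((outdir / r["file"]).read_bytes()) != r["sha256"]]


if __name__ == "__main__":
    report = collect(PHASE1_COMMANDS_WINDOWS)
    print(json.dumps(report, indent=2))
```

Because the manifest carries a hash per output file, the analyst who later receives the raw files (Phase 2, or a full collection) can run `verify` to confirm nothing was altered in transit, which matters when the findings end up in an incident report.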
INSPECT – PHASE 2 EXECUTABLE
Deep dive into suspect systems (~30 minutes):
$MFT
Evtx
Memory
Prefetch
Processes
CylanceV
Network
Schtasks and Job files
Internet History
$LogFile
Hashes
Registry
Physical artifacts for additional analysis
IR PROCESS / FLOW
▪ The Remediation/Prevention phase is solved by CylancePROTECT
▪ CONTAINMENT of the threats
▪ Detection and response
▪ Identification of malicious/anomalous behavior
▪ Automated playbook and response capabilities
INCIDENT CONTAINMENT OF UNKNOWN THREATS
CylancePROTECT has been able to detect and block new threats before they were first seen “in the wild” – without any updates or special configuration.
[Bar chart; threats listed: Goldeneye, Sauron/Strider/Remsec, Zcryptor, GlassRat, Shamoon 2, WannaCry, QakBot 17, NotPetya/Petya; extracted bar values 14, 18, 6, 18, 17, 20, 18, 21 on a 0 to 25 axis; the axis unit is not present in the extracted text]
INCIDENT RESPONSE DEPLOYMENT OPTIONS
Environment, incident type, severity and time dictate which use case should be applied to each particular situation.
Options (Subset):
▪ Scripts
▪ Scripts + CylancePROTECT
▪ Scripts + CylancePROTECT + CylanceOPTICS
Use cases:
▪ Malware containment
▪ Root cause analysis
▪ Patient 0 identification
Using BlackBerry Cylance products, which occurs in almost all IR engagements, provides these incredibly fast MTTD, MTTR and MTTC (mean time to detect, respond and contain).
The combined approach that BlackBerry Cylance takes is also a differentiator. BlackBerry Cylance employs teams of ICS consultants, pentesters and IoT/Embedded experts – all of whose expertise is brought to bear as needed during an IR engagement.
POST INCIDENT REPORTING AND SUPPORT
▪ Integrated Practice Areas
▪ Dedicated Engagement Manager
▪ Holistic Approach
▪ Customized Solutions
▪ World-Renowned Security Authorities
▪ Global Coverage with Local Attention
[Practice-area diagram; labels: ThreatZERO™, ICS, EDUCATION, IoT / EMBEDDED, RED TEAM SERVICES, INCIDENT CONTAINMENT & FORENSICS]
PRODUCT EXPERTISE LEVERAGING THE CYLANCE AI PLATFORM™
SUPPORTING PRODUCTS AND SERVICES
CylancePROTECT: Enterprise Prevention
CylanceOPTICS: Consistent Visibility and Preventative EDR
CylanceV™: Malware Detection
CyTriage: Phase 1 Scripts
Cylance INSPECT: Phase 2 standalone executable
Cylance COLLECT: On-demand full disk imaging capabilities
CyNTH: Cylance Novel Threat Hunting
ELK Analysis Platform
▪ Custom Data Science Models integrated into the platform
▪ Phase 1 and 2 data ingested into the platform for scalable analysis and timelining
WHY CYLANCEPROTECT
Antivirus replacement
Utilizes Machine Learning
Most admin features and reporting
Protects against executable, memory, script, and USB attacks
EFFECTIVENESS
▪ 96.8% success rate vs. malware (NSS Labs)
▪ 0.001% False Positive Rate
▪ Malware
▪ Fileless Malware
▪ Advanced Persistent Threats
▪ Zero-Days
SIMPLICITY
▪ Replaces Traditional AV
▪ Increases ROI Up To 250%* vs. Traditional AV
▪ Remove Additional Layers
▪ Reduce Help Desk Calls by 98%*
▪ Stop Emergency Patching
PERFORMANCE
▪ Lightweight Agent
▪ User Systems Run Faster
▪ Extends Hardware Lifespan
▪ Network Bandwidth Reduction
*Source: Forrester Consulting Total Economic Impact Report
CYLANCEOPTICS MACHINE LEARNING
Threat visibility
Hunt and kill workflow
Detection and response
Integrated with CylancePROTECT
Retrieve Forensic Artifact Capabilities
▪ One-liner ML Module
  ▪ Scripting engines are the workhorses of IT operations, but they expose a significant amount of functionality that can be leveraged by malicious actions. This module evaluates the content of command line scripts with an emphasis on the language of the script and the command line context of the script.
▪ Malicious Application Behavior ML Module
  ▪ An overwhelming number of attacks target a small, predictable number of trusted applications commonly found in enterprise environments. This model learns legitimate actions between common software and the operating system and blocks anything that veers too far off course.
CYLANCEV BENEFITS
Bad/Good executable scanner
Utilizes Machine Learning
Used for threat hunting on machines without Protect
Has extra models such as OLE and PDF
▪ On-demand scanning
▪ Automated scanning
▪ Scan drives or directories for new/changed files
▪ Option to move/delete threats when detected
▪ Threat notifications can be sent to syslog
▪ Ensure you have the latest version of CylanceV – 2.7.0.3 is the current version
SUPPORTING PRODUCTS AND SERVICES
ELK Analysis Platform
STRATEGIC PRODUCT ROADMAP FOR IR
BlackBerry
▪ Mobile security and response offerings
▪ Penetration of net new client base, specifically government, IoT and Automotive
▪ Integration of BlackBerry technology into IR tool stack
Integration of CylancePERSONA™ technology into the IR process
Additional EDR machine learning models built from input from IR engagements and fed into the CylanceOPTICS PM team
Fully integrated threat research capabilities
INNOVATION: THREAT RESEARCH INTEGRATION
▪ Sharing of CIMS (BlackBerry Cylance Incident Management Sheet) reports between IR and TR teams
▪ Assists in deriving intelligence based on threats identified in client environments
▪ Leverages telemetry from all client environments to determine risk and prevalence of particular threats
▪ Assists in malware analysis, reverse engineering and research.
▪ Ability to quickly derive IOCs and share back with the IR team
USES AI FOR CLASSIFICATION
Is this malware unique?
How many machines is it on?
INNOVATION: DATA SCIENCE INTEGRATION
Data science team requires well labeled malicious data, IOCs, etc. as well as benign data from various types of environments, verticals and company sizes.
This data can be derived from:
▪ IR engagements
▪ CAs
▪ Pentests
▪ Vulnerability assessments
Data flows from the IR team to the data science team; models and other analytical techniques flow back to the IR team.
INNOVATION: DATA SCIENCE INTEGRATION
Models
▪ User Clustering leveraging the K-Means algorithm
▪ DGA Detection using Neural Networks
▪ Process Anomaly Detection using Random Forests
▪ Malware Nearest Neighbor Identification leveraging HDBSCAN
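To make the first model on the list concrete, here is an added example written for this page; it is not BlackBerry Cylance's model, and the users and their per-user figures are constructed. A from-scratch K-Means groups users by logon behaviour (scaled so that host counts do not swamp the other features), and any user who sits far from every well-populated cluster centroid is flagged for an analyst to review. The feature set, the farthest-point initialisation, k=3, the two-member minimum cluster size and the 0.5 distance threshold are all choices made for the example, not taken from the slide.

```python
"""User clustering with K-Means for logon-behaviour review.

Added example for this page; not BlackBerry Cylance's model. The users and
their figures are constructed. Each user is a feature vector, features are
min-max scaled, a from-scratch K-Means groups the users, and anyone far from
every well-populated cluster centroid is flagged for an analyst to review.
"""
import math

# Constructed sample: user -> (mean logon hour, distinct hosts per day,
# failed logons per day, share of logons outside business hours).
USERS = {
    "alice": (9.0, 2, 0, 0.05),
    "bob": (9.5, 3, 1, 0.10),
    "carol": (8.5, 2, 0, 0.02),
    "dave": (10.0, 3, 1, 0.08),
    "erin": (9.0, 2, 1, 0.04),
    "frank": (14.0, 12, 2, 0.40),       # service-desk staff: many hosts, later hours
    "grace": (13.5, 10, 1, 0.35),
    "heidi": (15.0, 14, 2, 0.45),
    "ivan": (14.5, 11, 3, 0.38),
    "svc_backup": (3.0, 60, 25, 0.95),  # far outside both populations
}


def scale(users):
    """Min-max scale every feature to [0, 1] so host counts do not dominate the distance."""
    dims = len(next(iter(users.values())))
    lo = [min(v[i] for v in users.values()) for i in range(dims)]
    hi = [max(v[i] for v in users.values()) for i in range(dims)]
    return {u: tuple((v[i] - lo[i]) / (hi[i] - lo[i]) if hi[i] > lo[i] else 0.0
                     for i in range(dims)) for u, v in users.items()}


def dist(a, b):
    """Euclidean distance between two feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def init_centroids(points, k):
    """Farthest-point seeding: deterministic, and it spreads the seeds across the data."""
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(dist(p, c) for c in centroids)))
    return centroids


def kmeans(points, k, max_iter=100):
    """Lloyd's algorithm: assign each point to its nearest centroid, recompute, repeat."""
    centroids = init_centroids(points, k)
    labels = None
    for _ in range(max_iter):
        new_labels = [min(range(k), key=lambda j: dist(p, centroids[j])) for p in points]
        if new_labels == labels:
            break                              # assignments stable: converged
        labels = new_labels
        for j in range(k):
            members = [p for p, lab in zip(points, labels) if lab == j]
            if members:
                centroids[j] = tuple(sum(col) / len(members) for col in zip(*members))
    return centroids, labels


def flag_outliers(users, k=3, min_size=2, threshold=0.5):
    """Cluster users; score each by distance to the nearest populated centroid."""
    names = list(users)
    scaled = scale(users)
    points = [scaled[n] for n in names]
    centroids, labels = kmeans(points, k)
    sizes = [labels.count(j) for j in range(k)]
    # A cluster with fewer than min_size members is not a population worth
    # trusting as "normal"; every user is scored against the remaining centroids.
    trusted = [centroids[j] for j in range(k) if sizes[j] >= min_size] or centroids
    scores = {n: min(dist(p, c) for c in trusted) for n, p in zip(names, points)}
    return {
        "cluster_sizes": sizes,
        "scores": scores,
        "flagged": sorted(n for n, s in scores.items() if s > threshold),
    }


if __name__ == "__main__":
    result = flag_outliers(USERS)
    for user, score in sorted(result["scores"].items(), key=lambda kv: -kv[1]):
        print(f"{user:12s} {score:.3f}{'  <- review' if user in result['flagged'] else ''}")
```

With the constructed data the office users and the service-desk users each form a cluster of their own, while `svc_backup` ends up alone; because a one-member cluster is not treated as a trusted population, that account is scored against the two real populations and comes out as the only user above the threshold. The point of the minimum-size rule is exactly this case: without it, an isolated account would sit on its own centroid with a score of zero and never be surfaced.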
PRESS RELEASE
“We’re so pleased to see Forrester reinforce, in our opinion, the effectiveness of our proven AI incident response methodology based on containment, remediation, and prevention. Our expert consultants work quickly to not only resolve incidents and restore operations, but also to leverage BlackBerry Cylance’s first-of-its-kind artificial intelligence to get ahead of the kill chain and prevent incidents before they happen.”
Corey White, Chief Customer Officer, BlackBerry Cylance
“We believe Cylance Consulting is one of the few vendors listed in the Forrester Wave that licenses and shares its machine learning based tools and methodologies. Our continued commitment to sharing these tools and techniques, as well as collaborating with our strategic consulting partners is helping to create a stronger and more effective incident response community around the world.”
Sasi Murthy, VP of Product Marketing, BlackBerry Cylance
QUESTIONS AND ANSWERS
Contact Us
proservices@cylance.com
+1-877-973-3336
Learn more about Cylance Consulting
Additional Resources
Incident Containment and Forensics –
Incident Containment
Incident Containment Retainer
Compromise Assessment
THANK YOU