General security

CylancePROTECT – Product overview

Claudio Dodt
November 17, 2018 by
Claudio Dodt

Malicious code can have a devastating effect on organizations. This has been clearly demonstrated again and again in recent cases such as the ransomworm WannaCry, which in 2017 exploited the vulnerability known as EternalBlue and infected more than 200,000 computers in 150 countries. Another ransomware that had a strong impact last year, Petya, infected the Danish company A.P. Moller-Maersk, resulting in losses estimated between $250 million and $300 million.

In fact, these two examples do not even represent a worst-case scenario. It is reasonable to imagine a situation where a stealthy piece of malware spreads across any organization's computers, allowing them to be controlled by a remote attacker and leading to scenarios such as information leakage or destruction, critical infrastructure outages or even making the corporate infrastructure part of a botnet that will serve to spread new attacks.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

With the continuing emergence of new threats, it is necessary to adopt different tactics capable of dealing even with the unknown. This is exactly what CylancePROTECT proposes.

What Is CylancePROTECT?

CylancePROTECT is an advanced threat protection solution that, unlike other traditional endpoint protection software, makes no use of malware signatures. Instead, it employs techniques such as machine learning and artificial intelligence, which allows the identification of malicious code based on its behavior. In theory, this ensures protection even against zero-day codes, malware that has never been seen before.

Among its key features, Cylance includes:

  • True zero-day prevention
  • AI-driven malware prevention
  • Script management
  • Device usage policy enforcement
  • Memory exploitation detection and prevention
  • Application control for fixed-function devices

Understanding how CylancePROTECT works

Configuration and distribution: Cylance makes use of a centralized cloud console where you can define all the policies for the aforementioned key features. From here you can create custom installation packages, which greatly facilitates the software distribution if you have a large number of endpoints to protect.

 Once installed, CylancePROTECT performs an initial scan on all files on the computer to identify potential malware. In theory, this is the only scan needed and further scans are not performed, except when there is a significant change to Cylance AI algorithms. For organizations subject to specific regulations such as PCI-DDS, which require periodic scans, you can enable this functionality manually.

Since it does not need to perform regular scans or check a malware signature database when properly configured, CylancePROTECT consumes far less resources than the conventional anti-virus software, taking far less time to analyze threats and making distribution easier on older computers with limited capacity. The Cylance compatibility list includes Linux Red Hat/CentOS versions 6 and 7, Mac OS X and MacOS 10 and Windows releases all way back to Windows XP SP3.

True Zero-Day prevention: One of the great advantages of using a solution that is not based on malware signatures is the possibility of ensuring protection against Zero-Day (unknown threats). Since Cylance makes use of artificial intelligence models for threat prevention, it is possible to prevent Zero-Days from being executed.

AI-driven malware prevention: The most popular feature of CylancePROTECT is its use of artificial intelligence and machine learning for advanced threat prevention. The fact that the solution does not have to identify malware using signatures not only allows blocking of Zero-Day threats, but also makes the solution more efficient in the use of resources such as processor and memory while providing a high level of protection.

Script management: Many threats are distributed through the execution of scripts. CylancePROTECT allows complete control of script execution, identifying those that are authorized and ensuring that no other scripts are executed.

Device usage policy enforcement: Removable storage devices, such as USB sticks, portable disks or even smartphones, are a common vector for spreading threats. CylancePROTECT allows you to perform policy-based management, defining which devices can be used and blocking everything else. Simple as that.

Memory exploitation detection and prevention: Fileless malware limits its activities to the memory of the infected device, as no writing is done on the computer's disk. This type of threat is quite elusive, making it difficult not only to detect but also limiting other security-related activities such as forensics. CylancePROTECT can be used to identify malicious memory usage, such as malware using PowerShell scripts, and immediately prevent the threat from being executed.

Application control for fixed-function devices: At its highest level of protection, CylancePROTECT policies can be set so that no unknown application or executable can be run. Obviously, this approach may not work well for all of the organization's endpoints, but those with a fixed role (such as the computers used by critical infrastructure solutions) can benefit greatly from this type of protection.

Integrating CylancePROTECT with education and user awareness

CylancePROTECT is an excellent solution for advanced threat protection, but not even the most advanced technology can guarantee 100% protection. One point that should never be overlooked is the need to continuously educate users, ensuring that they are not only able to recognize situations that may compromise information security but known how to deal with them. This, of course, includes dealing with malware.

One smart way to do this is to integrate employee training with real events such as threats that have attempted to exploit enterprise security flaws. This is possible by integrating Cylance with SecurityIQ, InfoSec Institute's anti-phishing and security awareness training platform.

SecurityIQ uses an Event-Activated Learning approach, which integrates leading Endpoint Protection (EPP) solutions, and instantly enrolls users in training when they perform actions such as attempting to download or run malware, fall for phishing, run hostile browser add-ons, open macro- or malware-embedded attachments or fall victim to any other EPP-monitored security event.

Concluding thoughts

CylancePROTECT is one of the best endpoint protection solutions currently available in the market. The combination of features such as easy distribution and management, low hardware resource consumption and high threat detection/prevention capability is undoubtedly something highly sought-after by organizations wishing to be free of advanced malware.

A key point about CylancePROTECT is to understand how its artificial intelligence-based approach works: If something behaves like a malware, it will be treated as malware. Unfortunately, this can lead to false positives, especially in the case of legacy applications or even valid applications that behave outside of what is expected because of a bad development cycle. Like any AI-based solution, CylancePROTECT will need some time to “learn” the specifics about your environment, requiring the support of the security team to avoid blocking valid applications.

In times where new security threats do not stop being developed, linking your endpoint protection platform to employee education is a strategy that will significantly elevate corporate data protection levels. This is an approach that every CISO should consider seriously; the alternative is risking becoming a possible victim of the next advanced malicious code that might be launching right now.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.


NotPetya Ransomware Attack Cost Shipping Giant Maersk Over $200 Million, Forbes

Claudio Dodt
Claudio Dodt

Cláudio Dodt is an Information Security Evangelist, consultant, trainer, speaker and blogger. He has more than ten years worth of experience working with Information Security, IT Service Management, IT Corporate Governance and Risk Management.