
DAY 1

Cylance Partner-led Training
December 12, 2019

CylancePROTECT
CylanceOPTICS

What is needed?
-mobility
-visibility
-MOBILE APP

Traditional AVs
-Byte Matching
-Heuristics
-Hash Matching

Cylance uses machine learning by creating a maze with 2.7 quadrillion turns versus 1

CylanceOPTICS endpoint detection response system

integrate not replace

What is CylanceGUARD?
-managed detection and response product
-SLA

COMPONENTS (Cylance Portal)
-mobile app
-transparent, proactive threat hunting
-automated rapid response
-ThreatZERO

-----------------------------------------------------

PROTECT + OPTICS + ThreatZERO

TOM PACE
VP, Global Enterprise Solutions

CylanceGUARD Service Description
-24x7 threat hunting
-email alerts
-mobile alerts and escalation (iOS, Android)
-Configuration and Assurance (ThreatZERO)

CylanceGUARD Advanced Description
-Alerts, Intelligence and Methodology
-Hunting
-Analysts for IR Guidance and Strategy
-CylanceGUARD reports
-Quarterly Prevention Review
-Proactive Outreach for Critical Alerts
-Defined SLA

CylanceGUARD
-Network effect: benefits business through the value of management; collective feedback provided by many users of an offering
Ans: use cases
-No finite number of customizations, to be ahead of the attacks

ThreatZERO
Dave Alfaro
Worldwide Managing Director, ThreatZERO

Ransomware:
-GandCrab
-WannaCry
-Sodinokibi

+(CylanceGUARD)
Existing Customers
-Upsell PROTECT to GUARD
-Upsell PROTECT and OPTICS to GUARD
New Customers
-Standard SKU offering in terms of 1 or 3 year terms
-Lead sales with GUARD offerings
Sold as Product Subscription

-tuning
-prevention
-stickiness (no reason to move)
EDR - enterprise detection and response
-prevention
-alert fatigue
-implementation woes
-health checks/reports

/-QUESTION: if rules are customized, do they apply to all clients under GUARD??
Ans: No, you can create individual rules per client under 1 portal.-/

THREAT REPORTING
-Rapid handling of PUPs and malware
-Methodology hunting?
-AQT quickly and easily
-Bulk decision making, review and approval
-Accelerated threat decision item entry
-More automation coming

SCRIPT CONTROL
-whitelisting
-exclusions
-signatures

REPORTING MARK UP
-critical to the process
-designed to guide the end customer to decisions on:
-Threats more detailed breakdown
-Memory
-Script Events

/-How does Cylance classify threats?
threat research group, automation processes, machine analysis; if not enough we put in human analysis afterwards-/

THREAT ACTIONS
-quickly action items
-bulk decisions
-bulk decision making, review and approval
-accelerated threat decision item entry
-more automation

PROGRESS STATUS REPORTS
-project management
-macro driven spreadsheet
-week over week creates a new tab that tracks progress

THREAT PREVENTION FRAMEWORK
-report cards
-tracks status
-threatZERO
-provable ROI
-threat handling status
-display policy progression
-unique value and ROI
-displays outcome

EXPLOIT REPORTING
-reviews memory protection violations
-work with end users to create exclusion
-report by violation type or zone
-move to memory block/terminate, no application impact

OPTICS REPORTING
HEALTH CHECK REPORT
-impact of the solution
-value prop
-potential issues
-highlights value
-executive action report
-ThreatZERO tool set
-Threat data reports/bulk API
-makes script control tangible

Get directory from settings on web admin, then insert token on URL

Health Check
-Report Card
-threatZERO is done at 95% (threatZERO score/grade)
-Threat Assessment Summary (full system health check)
-summary value of what's going on

OPTICS DETECTION CHART (OPTICS REPORT)
-edr and visibility
-prevention separates signal from noise

Tom Pace
VP, Global Enterprise Solutions
Compromise Assessments and Incident Response
-Profitable engagements
-Multiplier effect - additional services
-provide a net new services offering and methodology
-net new product and services pull through strategy
-To enable partners to deliver services
-PartnerLedServices@Cylance.com (Service distribution list)
Thomas Pace
Derek McCarthy
Trevin Mowery
Ryan Gibson
Brennan Lynch

What is a compromise assessment?
-am I currently compromised?
-have I been compromised?
-what is the likelihood that I will be compromised in the future?

DAY 2
Dec 13, 2019 Cylance Partner Led Training

process of compromise assessment
-deploy tools
-collect data
-analyze
-report

(Servers, workstations)
MacOS
Linux
Windows

Deployment
-Scripts only
-Products only
-Scripts and products
-Resource required

-Technically we don't support everything, but scripts are tweakable. Just getting a script to run is good to collect data.

What if we have an IR team, can we avail the Level 3 discount (75%) on CA?
-Yes.

CylanceINFINITY API - all the collected files on the system are hashed and run on it

Partner requirements
-Become a registered partner if not already
-Conducts a "free" CA
Work with Gary with pricing

CA Components
-Playbooks
-Tools
-Practice builder

Value to the partner
-upsell other products and services
-identify various types of risk in the environment
-clear path to PROTECT and OPTICS POC/Implementation
-Onboard client to MSP
-Allow partners to assist Cylance when the IR team is overburdened and needs assistance - PLIR (Partner Led IR)

TECHNICAL OVERVIEW
Derek McCarthy
-Hunt
-Investigate
-Acquire

QUESTION:
Can your CA support all OS?
-File and operating system audit
-Network logs audit
-Host memory analysis
-Host disk forensics
-Network forensics

REPORTING
-Executive summary, ARE WE COMPROMISED?
-Technical analysis

(PHASE 1 TOOL)
SCRIPTING (for collecting data)
-straightforward
-whitelist the script if blocked by Cylance
-gets data from client through SFTP
-firewall based errors (client side)
-".sys" file extension for the data outputs
-logs
-can be configured

PHASE 1
-collection
-processing
-analysis and reporting

COLLECTION
-Deployment
-Execution
-Output

(PHASE 2 TOOL)
CylanceINSPECT
-forensic tool
-always run as admin
-logs

PHASE 2
-inspect

TIMELINE
1. Project start, script testing and deployment
2. Data collection begins
3. Analysis
4. Preliminary findings and feedback
5. Draft report review
6. Final report review
7. Executive review and project close

What happens after we get the data? (Backend sneak peek)
-ELK (data processing pipeline) backend
-basically a webapp on top of an ELK backend
-alerts
-generate findings, in general
-review data

OPTICS PACKAGE DEPLOYMENT/REFRACT (retrieve forensic artifacts)
-anything you can do with PYTHON you can do with REFRACT
-custom packages
-package playbooks
-customizable rules in OPTICS: anytime a rule triggers, a package also triggers
