The latest release of the Cybereason Defense Platform is packed with new innovations to ensure that our customers have an advantage over attackers. The latest enhancements include improvements to prevention, data collection, investigation, and management capabilities.
For this post, we’ll focus on the recent improvements in prevention, data collection, investigation, and management. Customers can read the complete release notes on The Nest.
Variant Payload Prevention monitors the code being loaded into memory and uses Binary Similarity Analysis to identify previously unknown (obfuscated) malware based on its similarities to existing malware payloads such as a Cobalt Strike Beacon or Metasploit Meterpreter.
Watch the video below to see Variant Payload Prevention in action:
Learn more about Variant Payload Protection (VPP) here.
The Cybereason Device Controls are highly effective at reducing the overall attack surface and preventing threats that would be propagated through these vectors.
We’ve expanded this functionality to Mac, enabling the enforcement of block permissions on USB storage devices.
Learn more about Cybereason Endpoint Controls here.
If you see something, scan something. As end users perform their daily tasks, on some occasions, they will come across files that seem just a little odd.
With this release, end users can proactively scan directories for (and, as appropriate, clean or quarantine) malicious content. These scans can be initiated on-demand by right-clicking on a folder or from the command line.
To initiate a scan, in Windows File Explorer, right-click the relevant folder, file, or drive you want to scan and select Scan with Cybereason.
Or from the command line, the following command initiates a full scan:
C:\\Program Files\\Cybereason ActiveProbe> CrScanTool.exe scan full
And the following command scans a specific path
C:\\Program Files\\Cybereason ActiveProbe> CrScanTool.exe scan path C:\\Users\\john.doe\\Documents\\
Learn more about Cybereason NGAV here.
Threat intelligence will frequently include hashes of known malicious files. Previously this intelligence could be explicitly added to Cybereason using an MD5 file hash.
With this release, SHA-1 and SHA-256 hashes can now be added to the Cybereason blocklist via the UI or CSV, enabling you to prevent the execution of these file hash values with Application Control.
Learn more about Cybereason Application Control and NGAV here.
ESF is built into the macOS operating system and monitors system events for potentially malicious activity.
With this release, Cybereason can leverage this native capability to augment other data collection, ensuring you always have the most comprehensive understanding of what is happening on your endpoints.
With this release, both File events and Registry events collection are available by default, so you no longer need to contact Technical Support to enable these options in your environment.
Furthermore, the approach to File Event collection has been tuned to improve data collection performance.
Customers can learn more about configuring additional endpoint data collections here.
Machine Timeline has been improved in this release further streamlining investigation workflows by showing a unified timeline of events on a machine of interest around the time of a key or lead event. Events can be starred so the analyst can seamlessly transition between the high-level review and deeper investigation phases. Three new filters can now be applied to results, surfacing activity related to Suspicions and MalOps.
Learn more about Cybereason Machine Timeline here.
When you build a query, if you have multiple values for the selected filter Feature in your query, you can now join the values with the AND operator. For example, you can add Command line contains ‘abc’ AND Command line does not contain ‘xyz’ to the same filter to return items whose command line contains the string ‘abc’ but not the string ‘xyz.’
Additionally, the timeline filter is now applied to all Elements in the query chain that have time-based components (such as Connection, Logon Session, Detection Events, Malop Process, and Process) instead of the last Element in the query chain.
Customers should visit the Understanding query parts documentation for details on the operator changes.
With this release, users can now upload Incident Response (IR) or Forensic Data Integration (FDI) tools to the Cybereason IR Tools screen without the need to use API requests or scripts.
The IR Tools functionality enables you to deploy tools to selected machines, run tools as needed on selected machines, and retrieve and upload tool execution results to your own GCP bucket. These capabilities reduce the management burden of Incident Response engagements, enabling you to complete these time-sensitive tasks quickly.
Learn more about the Cybereason DFIR module here.
With this release, users can remotely uninstall sensors from Windows machines directly from the Sensors screen.
Furthermore, we’ve updated the “Last Update status” column on the Sensors screen to simplify monitoring the progress of sensor upgrade operations.
And finally, we’ve added sensor upgrade prerequisite checking. Now before installation proceeds, the system will check to ensure the target machine:
Any failures will be noted in the “Last Update status” column on the Sensors screen.
To provide greater visibility into system settings without the risk of unauthorized configuration changes, Cybereason added a new System Viewer user role. Users with the System Viewer role have read-only permissions for screens to which the users with the System Admin role have access. While users with the System viewer role can view the Cybereason platform’s system and sensor settings, they cannot change any settings or perform actions.
Customers can learn more about the System Viewer role and other roles by viewing the User roles documentation.
Customers can view the complete list of support operating systems here.
This latest release is our next step to empowering defenders and reversing the adversary's advantage. Customers can read the complete release notes in The Nest.
Cybereason is dedicated to teaming with defenders to end attacks on the endpoint, across the enterprise, and everywhere the battle takes place.
Schedule a demo today to learn how your organization can benefit from Cybereason’s unique innovations.
Justin Buchanan, Director of Product Marketing, is responsible for the go-to-market strategy of Cybereason’s Endpoint Protection Platform (EPP) offerings. Driven by his background in IT and his deep understanding of customers’ desired outcomes, Justin is passionate about how Cybereason can help customers—and the security industry as a whole—reverse the adversary advantage and empower defenders.
All Posts by Justin Buchanan
Cybereason and the MITRE Engenuity Center for Threat-Informed Defense launch the Attack Flow Project to develop a common data format for describing adversary behavior and improve defensive capabilities...
The Cybereason Defense Platform offers multi-tenancy capabilities to enable SOC teams to divide workflows based on roles...
