Cybereason Announces Unified Threat Hunting and Investigation

Cybereason is excited to announce a significant development in its approach to storing long-term hunting data (telemetry collected by our sensors not ‘benign data' detected by and related to a malicious operation, or MalOp™). Long-term hunting data can now be queried directly from the Cybereason investigation UI, providing analysts with a truly unified threat-hunting and investigation experience. 

Until now, if an analyst wanted to search their long-term hunting dataset, they would’ve had to pivot into a separate application known as Historical Data Lake (HDL). The enhancements mean that all searches - whether across recent or long-term hunting data - can be conducted from the Investigation UI in the Cybereason Defense Platform. 

A unified threat-hunting and investigation experience considerably streamlines the analyst workflow and allows analysts to take advantage of the defense platform capabilities when searching long-term hunting data. Benefits include:

  • One UI - No context switching between the Cybereason Defense Platform and HDL is required - all searches can now be conducted through the Investigation UI to provide a consistent experience.

  • A single, powerful query builder - Analysts no longer have to use different query builders depending on the time periods they wish to search. The query capability in the Investigation UI can be used to search data for all time periods. This capability facilitates search across a rich set of elements and features and allows seamless pivoting between elements. For example, an analyst can easily pivot from a process to the associated child processes and then to all connections associated with those processes with minimal clicks.

  • Fully contextualized data - Now with this unified experience all data available through the Cybereason Defense Platform is fully contextualized with information from our industry-leading MalOp™ detection engine. Leveraging our standardized categorization approach off ‘Evidence’, ‘Suspicions’, and MalOps’.

  • Full API support - Cybereason’s investigation functionality can be leveraged through the UI or through the Investigation API. Now queries can be executed against long-term hunting data programmatically.

  • Federation - The Cybereason Defense Platform provides a federation which allows Cybereason users to filter and view data based on user-defined groups. This functionality can be leveraged to segment the data available to different analysts through the investigation capabilities.

Storing hunting data for extended periods of time is an important aspect of an organization’s cybersecurity strategy for multiple reasons, including:

  • It allows organizations to proactively surface suspicious/malicious activity that has evaded existing controls and that may be associated with a breach. By embedding threat hunting as an ongoing process, if such activity is identified early on, this increases the likelihood of being able to disrupt the attacker and minimize damage.

  • It allows organizations to reactively apply intelligence from newly discovered historical attack campaigns to their datasets. For example, details surrounding an attack campaign may only become public knowledge months after the initial intrusion. In such situations, organizations will want to take the known Indicators of Compromise (IOCs) and search for them in their hunting data to understand if they were and still are impacted.

  • If an organization suffers a breach, having access to hunting data will maximize the visibility into the attacker’s activity - when the attack began, patient zero, how machines and users were compromised over time, etc. Without access to such data, establishing the fact pattern and understanding the impact on the business will be extremely challenging.

Learn more about threat hunting with Cybereason or request a one-on-one demonstration.

Paul Bottomley
About the Author

Paul Bottomley

Paul is the Senior Product Manager for Threat Hunting and joined Cybereason in September 2021. Paul has over 10 years experience developing Threat Hunting products and services to global customers, which involved helping them surface attacker activity and cyber risk in their IT networks.

All Posts by Paul Bottomley