Privately-held security vendor Cylance Inc announced an expansion of its’ security portfolio on May 24 with the launch of CylanceOPTICS, which provides threat hunting functionality.
The CylanceOPTICS technology complements the company’s flagship CylancePROTECT endpoint detection and response (EDR) platform. Cylance was founded in 2012 and has raised $177 million in venture funding to date, including a $42 million round in July 2015.
“While CylancePROTECT is a leader in the prevention space, CylanceOPTICS was designed to provide a threat hunting and visibility piece for enterprises,” Rahul Kashyap, Senior Vice-President and Chief Product Officer at Cylance, told eWEEK. “Everybody knows that there is no silver bullet for security and there is no prevention technology that can be 100 percent effective.”
Kashyap said that the goal with CylanceOPTICS is to provide an additional layer of instrumentation on top of its prevention technology. The premise is that with good prevention technology up front, an organization can reduce the amount of noise and threats. With full visibility, the promise is that even if an attack got through the prevention layer, it could be discovered by a threat hunting team.
As opposed to the CylancePROTECT product which provides defences against threats, CylanceOPTICS provides visibility by showing metadata from a a system endpoint that when analyzed may reveal indications that it has been compromised.
The whole approach also has a feedback loop so that new attack techniques detected by a threat hunting team using CylanceOPTICS can be blocked in the future with CylancePROTECT.
In the current iteration of CylanceOPTICS, Kashyap explained that there is a second endpoint agent that is separate from the CylancePROTECT endpoint agent. Cylance plans to consolidate the two agents, providing a single unified agent with the necessary capabilities for both prevention and threat hunting capabilities.
CylanceOPTICS can also integrate with an organization’s Security Information and Event Management (SIEM) system, though it’s the threat intelligence that comes from each endpoint that delivers the greatest value exists. Kashyap said that the InstaQuery (IQ) capability in CylanceOPTICS enables security administrators to do live threat hunting on every endpoint. The system is powered at the backend by an Elasticsearch service to rapidly deliver insight.
While the IQ search is done via Cylance’s cloud console service, all of the actual endpoint data resides on-premises.
“Nothing gets stored in the cloud until you actually query the machine,” Kashyap said. “So instead of sending logs to the cloud, we are doing the opposite.”
Kashyap explained that logs are stored locally on the endpoint with a fast interface that enables the logs to be queried from the cloud.
Among the different types of attacks that can sometimes be missed by prevention technologies are privilege escalation attacks, where attackers aim to elevate their permissions in order to execute malicious actions. Kashyap said that Cylance has an artificial intelligence engine as part of the CylancePROTECT product that aims to identify potential risks. Every time there is an alert that is generated, the CylanceOPTICS piece will have a complete historical analysis available for organizations to evaluate.
The market for next generation security technologies and EDR in general, is very competitive. One of Cylance’s primary competitors is CrowdStrike, which announced a new $100 million round of funding on May 17. CrowdStrike’s Falcon platform also has both EDR and threat hunting capabilities. Kashyap said that Cylance’s focus to date has been on prevention and antivirus replacement. In his view, Cylance’s machine learning artificial intelligence capabilities are a key differentiator.
“Cylance is more of a data science company that is tackling the security problem,” Kashyap said. “Ultimately we believe that the company that has better prevention and visibility capabilities will have a better shot at the market.”