
Two Solution Strategy (Trend & Cylance)


13 replies to this topic

#1 wilwal1314
  • Members
  • 3 posts

Posted 28 March 2016 - 09:40 AM

We have been trying to do everything possible to avoid the onslaught of ransomware. We had a nasty infection of CryptoLocker last year and have been re-evaluating our AV/malware strategy. Trend is our standard. They have made noticeable improvements in their behavioral module that has caught a lot of cryptoware lately. I'm doing a POC on Cylance right now, which works on a math model and is a really cool technology. Cylance is young and I'm not willing to put all my eggs in their basket yet.

 

I am very close to pulling the trigger on having Cylance be a supplement and going with a two-solution approach. Is this crazy to try to do? Does this make sense for better coverage, or is the idea overkill?

 

Thanks

 

Brian




#2 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 50,939 posts

Posted 28 March 2016 - 03:40 PM

For the best defensive strategy to protect yourself from malware and ransomware infection, see my comments (Post #2) in this topic.

#3 Richard_Cylance
    Authorized Cylance Representative
  • Members
  • 1 posts

Posted 30 March 2016 - 06:40 PM

Hey Brian,

 

Richard here from Cylance. Glad to see you are POCing CylancePROTECT. In the case of running two AVs, Cylance is more than capable of running in a layered environment. Because our methodology is quite a bit different from that of traditional AV, the services won't be interfering with each other. Your deployment method is actually one we recommend to many of the new customers coming on board as well.

 

As for Trend, as nobody has answered that, I reached out to my buddy Gavin, Trend's social media manager, to check on their capability, but from my research on Spiceworks and other groups, I think you should be fine and it won't be interfered with by Cylance (and vice versa).

 

Good luck with the POC, don't hesitate to post up more questions here, or you can reach me at rmelick@cylance.com.

 



#4 packmatt73
  • Members
  • 1 posts

Posted 31 March 2016 - 07:18 AM

Hi Brian...

 

Matt from Cylance here (Captain America to Richard's Iron Man). I wanted to add that the nature of Cylance is malware prevention rather than protection. It may seem like semantics, but it's an important distinction. CylancePROTECT works pre-execution, so it won't be constantly running in the background causing a drag on your network. This is one of the ways that we can work as a layer in conjunction with our esteemed competitors, be it Trend or other security solutions.

 

As Richard said, feel free to hit us up here with any questions you may have. You can reach me at mstephenson@cylance.com



#5 wilwal1314
  • Topic Starter
  • Members
  • 3 posts

Posted 31 March 2016 - 03:00 PM

Thanks for the replies. So far so good on the POC. I was mainly trying to gauge if I am being crazy trying to implement two solutions.



#6 ZachForsyth
    Authorized Comodo Representative
  • Members
  • 3 posts

Posted 22 April 2016 - 05:28 PM

> Thanks for the replies. So far so good on the POC. I was mainly trying to gauge if I am being crazy trying to implement two solutions.


A two-solution strategy like you are looking at is definitely a valid approach to increasing security through an additional layer, and makes sense if those layers use different techniques to protect you.

 

However, you are relying on two programs that are designed to operate using a default-allow architecture, and as such they can't offer you truly effective security against new and unknown threats.

For example, if neither of them can identify a file as "bad" or identify behaviors/indicators/patterns/attributes as "bad", then that file is allowed to run on your system and has a chance at infecting your system.

Default-allow leaves the door open for new and unknown malware to run and infect you no matter how good the signatures/heuristics/behavioral analysis/machine learning/etc. are.

 

Detecting "good" and "bad" files is the easy part of malware protection. What everyone needs to focus more on is really "unknown" files, because every new piece of malware starts as an unknown file.

You should ask both Trend and Cylance how they treat unknown files, and what the behavior of their products is if they can't give them a "good" or "bad" verdict.



#7 Itguy2016
  • Members
  • 10 posts

Posted 18 May 2016 - 10:17 PM

> We have been trying to do everything possible to avoid the onslaught of ransomware. We had a nasty infection of CryptoLocker last year and have been re-evaluating our AV/malware strategy. Trend is our standard. They have made noticeable improvements in their behavioral module that has caught a lot of cryptoware lately. I'm doing a POC on Cylance right now, which works on a math model and is a really cool technology. Cylance is young and I'm not willing to put all my eggs in their basket yet.
>
> I am very close to pulling the trigger on having Cylance be a supplement and going with a two-solution approach. Is this crazy to try to do? Does this make sense for better coverage, or is the idea overkill?
>
> Thanks
>
> Brian


Trend now has specific anti-ransomware technology. Have you updated your Trend Server to SP2 or SP3? Are you running Trend MSP or Hosted? Check in the Behavioral Options, and enable the anti-ransomware technologies. That should be all you need to protect your gear. Also consider Fortinet. Fortinet has been very aggressive at stopping new ransomware variants at the edge with their AV aspect. They seem to snag a good 90% of the ones we've seen. Zemana (Paid) with Realtime Protection and Pandora enabled is pretty close to 100% on ransomware from what we've seen. I'd look into that and it can run perfectly well alongside Trend Micro.


Edited by Itguy2016, 18 May 2016 - 10:28 PM.


#8 Itguy2016
  • Members
  • 10 posts

Posted 18 May 2016 - 10:33 PM

FYI...  :whistle:

 

> Cylance was started by former McAfee executive Stuart McClure in 2012. The company has since been in stealth mode, though it has previously talked about some of its products. It officially announced its board members today, including Stewart Baker, formerly of the National Security Administration, and former chief information security officer for the CIA Robert Bigman.

and

> Earlier this year, Cylance -- creator of an endpoint intrusion detection system used by Dell, among others -- signed a strategic investment and technology development agreement with CIA's In-Q-Tel. "The partnership is intended to simplify the review process for intelligence agencies seeking more effective endpoint security technology for preventing the success of today's new breed of cyberattacks. The investment does not restrict Cylance's business or technology in any way," said Stuart McClure, founder and CEO of Cylance.


#9 wilwal1314
  • Topic Starter
  • Members
  • 3 posts

Posted 19 May 2016 - 08:28 AM

Thx Itguy, we are using the behavior module in Trend, and have been impressed so far with the results. We are doing a small/medium rollout to Cylance to try to see if it can backstop Trend. I'll check out Fortinet. I have also been looking at FireEye for better mail protection. Malicious e-mails seem to be 99% of the problem at this point.



#10 Itguy2016
  • Members
  • 10 posts

Posted 19 May 2016 - 08:39 AM

> Thx Itguy, we are using the behavior module in Trend, and have been impressed so far with the results. We are doing a small/medium rollout to Cylance to try to see if it can backstop Trend. I'll check out Fortinet. I have also been looking at FireEye for better mail protection. Malicious e-mails seem to be 99% of the problem at this point.

FireEye is also a CIA/NSA entrenched company. CIA's investment wing (In-Q-Tel) also helped fund FireEye.

I'd avoid anything with even a casual link to any of the intelligence firms. Unit8200, NSA, CIA, DISA, etc. Bluecoat, Checkpoint, Palo Alto are also Unit8200 firms. Lookout Mobile Security, FireEye, Cylance, etc. are CIA affiliated (in some way, small or large) firms. Especially after the Snowden revelations, but even before that, part of our vetting process was to ensure no spooks or ex-spooks held higher level positions in the firms we used and they weren't funded in any way by them. Sometimes you need to browse the SEC disclosures to find this information, but I believe it's prudent to do so.

I'd go with Trend Hosted Email Security for email protection. Pay close attention to the file sizes of traditional ransomware and set blacklisting for attachment sizes that will pull out most of the malware attachments while leaving most of the document size parameters the company needs. Many email protection suites neglect minimum file size setting capabilities, focusing exclusively on maximum file size. We've eliminated a majority of ransomware attacks at one of our firms by setting minimum attachment size to 350k, as we found in their case most of the ransomware attachments came in under 340k while most (99%) of their inbound legitimate business attachments were between 450k-15Mb. Just some advice. We service 32,000 servers/workstations for thousands of clients and deal with this on a pretty big scale.


Edited by Itguy2016, 19 May 2016 - 08:40 AM.
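The attachment-size rule described in the post above, modelled as a small mail-gateway policy check. This is an added example and is not code from the thread, from Trend Hosted Email Security or from any other product named here; it reuses the post's 350k floor and 15Mb ceiling (reading them as KiB and MiB is an assumption), and the message samples, addresses and filenames are constructed for illustration. It uses only Python's standard `email` package.

```python
"""Minimum/maximum attachment-size policy for a mail gateway.

Added example, not from the thread or from any vendor's product: it models the
rule described in the post above (quarantine mail whose attachments fall under
a size floor, because the ransomware attachments observed there were tiny while
legitimate documents were larger). The thresholds reuse the post's 350k floor
and 15Mb ceiling; everything else (names, sample messages) is constructed.
"""
from email import message_from_string
from email.message import EmailMessage

# Policy thresholds. The post gives "350k" and "15Mb"; treating them as KiB and
# MiB is an assumption made for this example.
MIN_ATTACHMENT_BYTES = 350 * 1024
MAX_ATTACHMENT_BYTES = 15 * 1024 * 1024


def attachment_sizes(raw_message: str) -> list[tuple[str, int]]:
    """Return (filename, size in bytes) for every attachment part of a message.

    Sizes are measured on the decoded payload, not on the base64 text on the
    wire (which is about a third larger), so a policy written in terms of file
    sizes applies as intended.
    """
    msg = message_from_string(raw_message)
    sizes = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        payload = part.get_payload(decode=True) or b""
        sizes.append((part.get_filename() or "<unnamed>", len(payload)))
    return sizes


def evaluate(raw_message: str,
             min_bytes: int = MIN_ATTACHMENT_BYTES,
             max_bytes: int = MAX_ATTACHMENT_BYTES) -> dict:
    """Apply the size policy; returns a verdict plus the reasons behind it."""
    reasons = []
    for name, size in attachment_sizes(raw_message):
        if size < min_bytes:
            reasons.append(f"{name}: {size} bytes is below the {min_bytes}-byte floor")
        elif size > max_bytes:
            reasons.append(f"{name}: {size} bytes is above the {max_bytes}-byte ceiling")
    return {"verdict": "quarantine" if reasons else "deliver", "reasons": reasons}


def build_message(attachments: list[tuple[str, bytes]]) -> str:
    """Construct a multipart sample message carrying the given attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"        # constructed sample addresses
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached file.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_string()


# Constructed samples: a 4 KiB attachment (the size class the post associates
# with ransomware droppers), a 600 KiB document inside the legitimate band the
# post reports (450k-15Mb), and a message with no attachment at all.
SMALL_ATTACHMENT_MAIL = build_message([("invoice.js", b"x" * 4096)])
DOCUMENT_MAIL = build_message([("contract.docx", b"y" * (600 * 1024))])
NO_ATTACHMENT_MAIL = build_message([])

if __name__ == "__main__":
    for label, raw in [("small", SMALL_ATTACHMENT_MAIL),
                       ("document", DOCUMENT_MAIL),
                       ("none", NO_ATTACHMENT_MAIL)]:
        print(label, evaluate(raw))
```

The thresholds are the part that has to be measured rather than copied: the post's numbers came from that one organisation's own attachment-size distribution, and a floor set without such a baseline will also quarantine small legitimate attachments (calendar invites, short text files, signatures). A size floor is a cheap coarse filter to layer under content inspection, and it only holds for as long as the observed size split holds, which is the point the later question in this thread about padded spam messages touches on.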


#11 Itguy2016
  • Members
  • 10 posts

Posted 23 May 2016 - 12:44 PM

So now Dell's will be bundled with govt.-funded bloat? Just more bloat for us to uninstall when we deploy Dell. As if the root CA fiasco wasn't enough to turn Dell off from bundle deals and tinkering with new PCs, now they want to drop the CIA-funded Cylance on every system they ship. Seriously?

 

> Early next year, Dell will wrap Cylance's Protect product in its Data Protection Endpoint Security Suite, said Brett Hansen, Dell's executive director of data security solutions. The suite is an integrated package with encryption capabilities, authentication features and malware detection.



#12 RolandJS
  • Members
  • 4,478 posts

Posted 23 May 2016 - 01:38 PM

Richard_Cylance, I bookmarked your web site, which is very cool and informative! The only suggestion for your webmaster: some of the foreground lettering and background coloring makes some of the text very difficult to read. My school ISP blocks outboard email.




#13 MajesticFailure
  • Members
  • 137 posts

Posted 25 May 2016 - 06:48 PM

> ...
>
> ... We've eliminated a majority of ransomware attacks at one of our firms by setting minimum attachment size to 350k, as we found in their case most of the ransomware attachments came in under 340k while most (99%) of their inbound legitimate business attachments were between 450k-15Mb. Just some advice. We service 32,000 servers/workstations for thousands of clients and deal with this on a pretty big scale.

Could that be why some spam emails have a few paragraphs of random text at the bottom of the message?



#14 MajesticFailure
  • Members
  • 137 posts

Posted 25 May 2016 - 06:49 PM

Either way, the cat is out of the bag now!





