The console has a small pop-out menu on the left side that leads to a dashboard of discovered attacks, a “malops inbox” that analysts use to work through and fix the problems, an investigation tab where you can examine in more detail what is going on with your endpoints, and a system tab where you can search for particular endpoints, see summary statistics, assign users, download agents and retrieve more than a dozen server logs. Compared to other products, this console is pretty lean and clean.
The top-level “discovery board,” which is what the company calls its dashboard, shows you a summary of infected endpoints and when the activities first hit your network, and classifies them by specific activity: pure infections, privilege escalation, file scanning, lateral movement, connections to command and control servers, and any data theft. While these classifications are nice to see, you need to click on a specific infection to get to the more detailed analysis screen.
Here you can drill down with most entries to explore what is going on: for example, view all your network interfaces of an infected PC, examine running processes, and see why the endpoint was tagged as infected. There is a nice graphical representation of the infection chain, similar to other products that show the progress of the malware.
This display has four sections: an overview, a section that dives deeper into the infected processes, and further details about the users and the machines that are linked to a particular exploit. For each endpoint you can observe disk, CPU and memory usage as small graphs to help flag oddball behavior. Rather than having its own reporting module, the product lets you export some of this information as CSV files, which you will then need to process further to understand what is happening in your environment.
Once you find an exploit, you just have to click on a small “remediate” button in the lower right corner of the screen; this is done separately for each infection. The button is easy to miss at first. You can select all the running processes that are misbehaving, or just one in particular.
To help with evaluations, Cybereason has developed a sandbox that contains some pre-set malware along with instructions on how to use its product to identify these infections. That can be very helpful in getting started, because the management console is so sparse and ships without any help or other documentation.
Like other products, it lets you disconnect an endpoint from the network via a newly added feature called Attack Blocker. You can also add your own threat intelligence feeds to help with identifying infections, using the TAXII format. One drawback: once a PC is disconnected from the network or the probe is disabled, you can’t manage it either.