We’ve written about Cylance before (bunches – look here & here). One of the things we haven’t done yet is look at the software objectively. At least not…entirely objectively. So, do we think that CylancePROTECT is better than Malwarebytes? Do we think CylancePROTECT is better than Kaspersky? Find out below in our honest review of CylancePROTECT.
So What is CylancePROTECT?
CylancePROTECT is a piece of next-generation end-point protection software published by Cylance Inc. That much is easy.
What does Cylance do?
CylancePROTECT leverages Machine Learning and Algorithmic Science to stop things like Malware proactively before they wreak havoc on your environment.
Services include things like:
- AI Driven Malware Prevention
- Script Management
- Memory Exploit Prevention
- USB Device Usage Policy Enforcement
- Application Control for Fixed-Function Devices
- Management Console Reporting
Is Cylance a Positive (+) or Negative (-) Security Control?
CylancePROTECT is a Positive Security Control. That means Cylance knows what should be running on your machine and what shouldn’t be. If Cylance discovers something running on your computer that shouldn’t be there, it’ll shut that little bit of software or code down, quarantine it and await further instruction.
Ideally, this allows your end-point to operate in relative harmony, protecting it from the nasty bad actors it might encounter.
But I’ve already got Kaspersky, McAfee, Symantec, Malwarebytes, etc. Why should I use Cylance?
We find many people who ask that question. So the honest answer (at least from our perspective) is this: Cylance does a better job discovering and stopping malicious entities than the others do, and as far as we know, isn’t possibly spying on you for a foreign power (yeah, we’re looking at you Kaspersky users).
Here’s a use case: a while back, we noticed one of our customers had an end-point that kept making callbacks to a botnet command and control server. The Fortinet firewall discovered the network traffic, blocked it and identified the user/computer the communication was originating from.
Great, right? Problem averted! Not exactly. If you’re wondering what this story has to do with Cylance, I’m getting there.
It is excellent the network appliance discovered the traffic. It stopped the botnet from taking over the end-point. The client was notified, and we were told they’d be running traditional security products on the machine to remove the infection. They tried Symantec, they tried Malwarebytes, and while both pieces of software found items that shouldn’t be there, neither found which piece of software that was calling back to the command and control network. They were stuck.
That is until we got them to try Cylance. Three minutes after Cylance was installed on the workstation the problem software was discovered, quarantined, removed safely, and the callbacks to the command and control server stopped immediately afterwards.
So what does Security7 like about Cylance?
Good question. There are bunches we like. Here are a few things we dig about Cylance (in no particular order)
1. It doesn’t use definition files to protect your endpoints – Keeping existing end-point security products up to date can be a hassle. They’re just too difficult to keep up with. As a result, Cylance doesn’t use them, and that’s a good thing. Instead, Cylance leverages machine learning and algorithmic science (as stated above) to truly learn what good and what’s bad for your computer.
Cylance proactively strives to understand how threats work and block them without relying on third party sources.
2. Automated application whitelisting – It’s as groovy as it sounds. Cylance has developed mathematical models that let’s CylancePROTECT whitelist apps automatically. That saves InfoSec personnel heaps of time, freeing them up to focus on other security-related tasks.
However, that doesn’t mean you don’t have to do ANY whitelisting at all. If you’re in an environment where you’re frequently updating or installing new software, you’ll have to be diligent and keep CylancePROTECT updated as well.
3. CylancePROTECT is incredibly lightweight – A lot of end-point protection software is heavy on a computer’s resources. If it’s running, you know it. Not CylancePROTECT. The actual application weighs in between 50 and 60mb. As for processor usage, we heard reports of some CPU spiking when the program initially scans the end-point (a few of our techs have noted the issue in specific environments), but overall we haven’t noticed anything significant to be concerned about.
4. Real-time scanning – People are conditioned to think that end-point protection programs need an on-demand scanning feature at their beckon call. Not so with Cylance. We like that the product performs an initial scan but after that scans each file as it encounters it.
You can, if you so choose, have the product scan on a periodic basis (great for PCI compliance situations) but you don’t have to if you don’t need that particular bit of compliance functionality.
5. USB device control – USB devices (like flash drives) can be the bane of your existence. All sorts of stuff tend to live on them and once they’re plugged in things typically spread quickly to other devices on the network.
Cylance has nipped the problem right in the butt with USB device control. Flip a switch and USB device problems are a thing of the past, your users will no longer be able to use the evil, little buggers. Does other software have this functionality? Yeah, but Cylance recently added it and we think it one of those tiny features that make an already excellent product better.
What doesn’t Security7 like about Cylance?
An even better question. Despite how much we like the product, there are a few things we’d like to see change. So what is it we don’t like about Cylance? Here you go:
That’s a bummer.
2. Lack of Implementation Guidance – Cylance is incredibly powerful but not all that intuitive.
It’s essential you know how to configure it correctly; otherwise, you can end up with something that might hamper you more than help. A little more implementation guidance could make the difference (since there currently isn’t any).
Rather than sending people in blind, we’d recommend Cylance (if they’re reading this) build in a workflow that walks people through the steps needed to implement the software. I’m not sure that’ll happen, but we can dream.
3. Problems with reporting on Script Control and Memory Control actions – Currently alerting are limited only to Potentially Unwanted Programs (PUPS). You have to deep dive into the console to see instances of script and memory control issues.
While you can’t see these easily in the admin reporting section, users are notified on their end-points of script and memory control issues. Why that functionality hasn’t crossed over to reports in the admin console, we’re at a loss. We have no idea because it should be there.
Is CylancePROTECT the ultimate solution to all your security problems?
No. It’s not. See, just one security product alone doesn’t cut it the mustard.* You need a mix of both Positive (+) and Negative (-) security controls to maintain a happy, healthy and secure environment. If you’re banking on CylancePROTECT being the end all be all you’ll be sadly disappointed.
That said, as far end-point protection software goes, it’s the cream of the crop, and we highly recommend it. Adding Cylance to your arsenal will beyond a reasonable doubt help keep your security posture healthy.
Who’s Cylance right for?
Pretty much anybody. The only real hold up might be for a software development house or someone who’s continuously installing new software (see the whitelisting issue we mentioned before).
If you’re in a relatively stable environment, you’re using golden images, and you’re not installing new software all the time Cylance could be right for you.
Is there a barrier to entry? How many seats does Cylance require you have before starting a conversation?
It was 250 seats. We hear rumors that’s about to change. We’ll let you know if and when it does.
So Security7 recommends CylancePROTECT?
Yes, very strongly. We think it’s a great program and we’re big advocates for other people trying it out. As we said above, Cylance isn’t the only solution you need to protect your end-points, but it is an excellent piece of a balanced security diet.
Want to find out more about Cylance?
Well, you’re in luck! We’ll be hosting a joint webinar with the fine folk at Cylance Inc in July. Check out the details here below. If you register, we’ll send you a free copy of Cylance’s 2017 Threat Report as well.
*I’ve never seen mustard you have to cut but heck; you know what I mean.