Cybereason Endpoint Detection & Response Benefits

JB
Director of Learning and Development at ACA - Ateliers de conversation anglaise

The program has taught us a lot, so our team has become more knowledgeable about what's happening in our environment and what is or isn't a threat with the solutions and the services provided to us. There's also an excellent learning process with the EDR wherein they encourage the users to learn what's happening to, I think, be more confident when mitigating any threats or any problems in the environment. Before we had the solution, we were largely unaware of what was happening. Now we are more confident and better grasp what's happening in our environment.

Cybereason EDR helps us isolate and mitigate on the fly, which is essential because we're a small team, and we don't always have a spare IT person waiting to work. We need our team to be proactive in those situations.

Cybereason's operation-centric approach has helped us move beyond chasing multiple alerts and visualize the entire timeline of malicious operations. We can see when they started, when they were detected, and if there's any lateral movement. It uses behavior indicators to detect attacks, which is an innovative approach. I believe the indicators help remediate attacks quickly, but then again, we have the complete monitoring solution, so they're the ones doing the remediation and sending us recommendations.

It has cut down on the time we spend hunting and responding to threats, which has increased our efficiency because we spend less time thinking about it or managing the system. Cybereason is helpful to us as a small team because we don't necessarily need a dedicated person to analyze threats. Cybereason's monitoring service takes care of that. If there's a threat, we don't need to investigate to see if it's a false positive,

Chad Kliewer - PeerSpot reviewer
Information Security Officer at PTCI

We shifted our traditional antivirus-type operations over to the Information Security Department from the PC and server tech area. We then built our operations around this shift.

Cybereason has given me visibility into some things I didn't know about.

They do a very good job of providing multi-stage visualizations of malicious operations that immediately show all attack details across all devices and users. Since it is a MalOp-centric model, you can see if there has been a similar operation across multiple machines. If it is the same thing appearing on multiple machines, you see all the machines and users affected in one screen.

It is a very effective tool. I have a level of comfort in the way it is detecting and finding things at an early stage. Different tools find different things. When we installed this, we found different things going on that we didn't know about previously, some more nefarious than others. 

MT
Senior Security Engineer at a financial services firm with 1,001-5,000 employees

The best example of how it has helped is that we can do searches via the API. And so we have our automation tool do a lot of searches automatically based on alerts so that when the SOC analyst goes to review, they have a lot of the information already pulled for them.

It leverages indicators of behavior as a means of detecting attacks. It's very good at detection. It's not so great at prevention. They're a very detection-focused company. So that may or may not work in your environment depending on if you're a prevention-based organization or detection-based.

The leveraging of indicators of behavior helps remediate against attacks faster. One of the things we can do is if we have a process or a hash or something that we know is bad, it's very quick to search for it across the environment. And then we can either have Cybereason yank the file off, quarantine it, or whatever we think we need to do based on the severity of the issue.

Cybereason is helpful to organizations with a small security team. With a single portal to manage and with it being a cloud portal, it really reduces the amount of overhead versus having a traditional on-prem solution.

Buyer's Guide
Cybereason Endpoint Detection & Response
April 2024
Learn what your peers think about Cybereason Endpoint Detection & Response. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
767,847 professionals have used our research since 2012.
DH
Information Security Analyst at a comms service provider with 51-200 employees

We have some automatic prevention, where you can just set it to how confident you are in the product based on how many false positives you are getting, etc. At this point, I think we are getting a little more comfortable with doing automatic prevention since we don't see a lot of false positives anymore. Now, I don't have to chase every single malware that shows up on a user's machine. We are only worried about those that are proactively trying to move around. So, it really lets us focus on the more important things when some automation is involved.

Visibility is such a big thing for us, which we didn't have previously. One of the greatest additions to our environment is having that visibility for the processes running across our network.

Cybereason is helpful to organizations who have a small security team, especially if you have the SOC behind you doing their analysis as well. It is tremendously helpful to have top-notch security advisors help you identify threats in your environment.

TA
Systems Engineer at a tech services company with 11-50 employees

This product is somewhat new for us, so we haven't been able to secure deals with our customers for it yet. We have proposed it to one customer because it was requested.

Also, I think that Cybereason only has perhaps 500 employees, and there are not many technical people in the Middle East. There is only one regional manager and he is based in the U.A.E., and within the past four or five months, they hired a new service engineer (SE).

DS
Security Specialist at a tech services company with 201-500 employees

It has a practical use. If a file was infected on somebody's laptop or workstation, then it is now easier for us to understand what the impact is on the environment. 

The Cybereason product enables me to go directly into the software and execute it. I can look up the process, who were the dealers, what were the websites, and what were the IP addresses which were contacted. I can also detect if there were other systems which were impacted or if my environment was compromised.

it_user1098648 - PeerSpot reviewer
Technical Consultant at Revel Tech Security Sdn Bhd

Cybereason "communicates" with other endpoints to gather anonymous activities that run within the organization that normal AV fails to detect. It accumulates and compacts this into a single event case, where it is easy for the SOC team to do an investigation. This drastically reduces the time required to find the root cause of the event. This is one of the features that most of the other vendors lack, but allows the SOC team to receive an alert with the relevant details of the incident within a short period of time.
