Monthly
Customer Webinar
Please stand by.
Webinar will start momentarily.
Safe Harbor
The information in this presentation is confidential and proprietary to Cylance ® and may not
be disclosed without the permission of Cylance. This presentation is not subject to your license
agreement or any other service or subscription agreement with Cylance. Cylance has no
obligation to pursue any course of business outlined in this document or any related
presentation, or to develop or release any functionality mentioned therein.
This document, or any related presentation and Cylance's strategy and possible future
development, product, and/or platform direction and functionality are all subject to change
and may be changed by Cylance at any time for any reason without notice. The information
on this document is not a commitment, promise, or legal obligation to deliver any material,
code, or functionality. This document is for informational purposes and may not be incorporated
into a contract. Cylance assumes no responsibility for errors or omissions in this document.
HOUSEKEEPING
✓ Visit the Customer Support Portal
https://support.cylance.com under the
Knowledge Base tile for
- Webinar presentation
- Webinar recording
- Online Q&A session: post webinar questions
✓ All participants are muted.
✓ Slides and webinar recording will be made
available approximately 72 hours after we
conclude.
✓ Feedback: please complete the webinar
survey and include your future webinar topics.
CylancePROTECT®
Tuning and Enabling
Memory Protection
Sean Kalinich
ThreatZERO™ Consultant
What is Memory Protection?
Memory protection is a function of
CylancePROTECT that watches process
behavior as it happens in memory and alerts
on specific bad behavior patterns.
Enabling Memory Protection
Find Memory Actions in the policy you are working with, then check the Memory Protection option.
Memory Protection vs. Auto Quarantine
• Auto Quarantine uses AI to break down a binary/process to determine its threat indicators.
• Memory Protection currently has no AI and only shows observed behavior.
• Observed processes can be legitimate (although what they are doing might not be).
• Memory Protection is less about what the process is than about what the process is doing.
• CylanceOPTICS™ can be leveraged effectively via focus data to get a better understanding of process behavior.
Memory Protection and Observed Behaviors
Memory Protection: what to consider when process behavior is
observed. Is it
• Unhealthy?
• Unsafe?
• Potentially malicious?
Reviewing the Console
• Threats
• Devices page
• Memory Protection alerts
Leverage CylanceOPTICS Focus Data to identify potentially dangerous process behavior vs.
required process behavior.
Threat Data Reports
Settings > Application > Threat Data Report > Copy link for threats (with token) to download the CSV
for review.
Open-Source Intelligence (OSINT)
• Search Google
• Other OSINT
Best Practices
Recommended Approach
• Complete Memory Protection in Alert Mode
• Memory Protection Exclusion BP
• Devices with 0 alerts: enable Memory Protection in Blocking Mode
• Follow Change Management Process
Complete Memory Protection in Alert Mode
• Review Process Behavior
• Review Devices with large alert counts first
Waive/Safelist Recommendations
• Should the process be behaving in the manner observed?
• Will there be any impact if the behavior is blocked?
• Use CylanceOPTICS focus data to confirm behavior.
• Block over exclusion unless there is a noted impact.
NOTE: Due to known vulnerabilities we no longer recommend
excluding Werfault or any scripting engine.
• Exclusions must include the process name for Windows and
the process container for OSX/Linux.
Additional Recommendations
• Devices with 0 exploit attempts: enable Memory Protection Blocking
• Follow Change Management Process
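The Alert Mode rollout above is a triage loop: pull the Threat Data Report CSV, review the devices with the most alerts first, check each observed process before waiving it, and move the devices that produced no alerts to Blocking Mode. The following Python script is an added example that is not part of the deck or of Cylance's own tooling. The CSV column names (`device`, `process`, `violation_type`), the device inventory and the alert rows are all constructed for illustration and must be mapped to the real export before use; the list of scripting-engine file names used to flag exclusions the deck advises against is likewise an assumed illustrative list, not an exhaustive one.

```python
"""
Triage helper for CylancePROTECT Memory Protection alerts collected in Alert Mode.

Added example, not Cylance's code. Column names and sample data are ASSUMED /
constructed; adapt them to the actual Threat Data Report CSV export.
"""
import csv
import io
from collections import Counter

# Constructed sample of an Alert Mode export (not a real report).
SAMPLE_CSV = """device,process,violation_type
HR-LAPTOP-01,C:\\Program Files\\Legacy\\legacyapp.exe,Stack Pivot
HR-LAPTOP-01,C:\\Program Files\\Legacy\\legacyapp.exe,Stack Pivot
FIN-DESK-07,C:\\Windows\\System32\\WerFault.exe,Remote Allocation of Memory
HR-LAPTOP-01,C:\\Windows\\System32\\wscript.exe,Stack Protect
DEV-BOX-03,C:\\Tools\\build\\compiler.exe,Stack Protect
"""

# Constructed device inventory; it deliberately includes devices with no alerts.
ALL_DEVICES = ["HR-LAPTOP-01", "FIN-DESK-07", "DEV-BOX-03", "KIOSK-12", "KIOSK-13"]

# The deck advises against excluding WerFault or any scripting engine.
# The scripting-engine names here are an assumed, illustrative list.
NEVER_EXCLUDE = {"werfault.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}


def parse_alerts(csv_text):
    """Parse the exported CSV text into one dict per alert row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def process_name(path):
    """Lower-cased file name from a Windows or POSIX path (e.g. 'werfault.exe')."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def alerts_by_device(rows):
    """Devices ordered by alert count, highest first; ties broken by device name.
    This is the 'review devices with large alert counts first' order."""
    counts = Counter(r["device"] for r in rows)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def processes_for_device(rows, device):
    """Alert count per process on one device, for behaviour review."""
    return Counter(process_name(r["process"]) for r in rows if r["device"] == device)


def blocking_candidates(all_devices, rows):
    """Devices that produced zero alerts in Alert Mode: candidates for Blocking Mode."""
    alerting = {r["device"] for r in rows}
    return sorted(d for d in all_devices if d not in alerting)


def is_safe_to_exclude(path):
    """False when the process is one the deck says should never be excluded."""
    return process_name(path) not in NEVER_EXCLUDE


if __name__ == "__main__":
    rows = parse_alerts(SAMPLE_CSV)
    for device, n in alerts_by_device(rows):
        print(f"{device}: {n} alert(s)")
        for proc, c in processes_for_device(rows, device).most_common():
            flag = "" if is_safe_to_exclude(proc) else "  <- do not exclude; block or investigate"
            print(f"    {c}x {proc}{flag}")
    print("Zero-alert devices, ready for Blocking Mode:",
          ", ".join(blocking_candidates(ALL_DEVICES, rows)))
```

Run it against the real export once a representative Alert Mode period has elapsed; the per-device process list is the input for the CylanceOPTICS focus-data check, and the zero-alert list is the first change-management batch for Blocking Mode.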
Helpful Links
FAQ - What processes are monitored by memory protection?
https://support.cylance.com/s/article/FAQ-What-processes-are-monitored-by-memory-protection-46
How to Add Exclusions for Memory Protection?
https://support.cylance.com/s/article/How-to-Add-Exclusions-for-Memory-Protection3
FAQ - What are the Different Violation Types within the CylancePROTECT Memory Protection Settings?
https://support.cylance.com/s/article/FAQ-What-are-the-different-Violation-Types-within-the-PROTECT-Memory-Protection-Settings-88
CylancePROTECT - Compatibility Mode for Memory Protection
https://support.cylance.com/s/article/CylancePROTECT-Compatibility-Mode-for-Memory-Protection0
Known Memory Protection and Script Control Incompatibilities
https://support.cylance.com/s/article/Known-Memory-Protection-and-Script-Control-Incompatibilities-14
Wrap Up
Somer Pyron
Cylance User Group Updates
UPCOMING EVENTS
• September 13 @ 12:00 PM MST at
Pulte Homes in Tempe, AZ
• Visit Cylance User Groups to register
and view upcoming dates
GET INVOLVED
• Host or speak at a Cylance User Group
• Contact us at usergroups@cylance.com
Resources & Next Steps
Community Portal
• Log in to PROTECT and visit https://support.cylance.com
• Visit the Knowledge Base tile for the webinar presentation and recording
• Post questions, engage in discussions, and request assistance
Upcoming Webinars
Reserve your seat at www.cylance.com/webinars
June 20th: Consulting Services Enhance Threat Prevention*
27th: Cybersecurity Strategies for Healthcare Organization
July 11th: Introducing CylanceGUARD™: The 24x7 Threat Hunting Solution
18th: Prevent Cybersecurity Compromises on Government Agency
25th: Better Security. Fewer Resources.
Account Support
• Contact your Cylance account executive, technology business partner,
or for general information call +1-844-CYLANCE (295-2623) or email sales@cylance.com
*The Forrester Wave™: Midsize Cybersecurity Consulting Services, Q2 2019 Report
THANK YOU!
Save-the-date!
Next customer webinar: Script Control
July 23, 2019
©2019 Cylance Inc. All Rights Reserved.