Cylance POC: Frequently Asked Questions (FAQs)

Description

We offer (but don’t mandate) a twenty-one day Proof of Concept (PoC) to all of our prospective partners. The PoC exists to evaluate the products used in the offering.


How do I start a Proof of Concept (PoC)?
  • Our Accounting/Sales team puts a signed quote in place before the Proof of Concept begins.
  • Once the quote is in place, Accounting/Sales creates a ticket and sends the prospect a Calendly link to schedule an initial kickoff call.
    • The 21-day evaluation period starts on the day of the kickoff call.
What is the goal of the PoC?
  • The goal of the PoC is to evaluate the products/tools used in this offering.
What is the timeline of the PoC?

A PoC is typically broken down into four phases over a 2 to 4-week period. Depending on the situation, several phases can be covered in one meeting, or a single phase can map to one meeting.

  • Phase 1 / Day 1 - Kickoff Meeting
    • Introductions
    • Tenant creation and access for admins
    • Tenant navigation walk-through
    • Review of the deployment process
    • Implement the initial monitoring/learning phase policy (1 - Monitor NoMem)
    • Distribution and review of documentation
  • Phase 1 / Week 1 - File Learning Phase
    • Endpoint installs
    • Cylance monitoring/learning policy stays in effect (monitor only; memory protection is not yet enabled)
  • Phase 2 / Week 2 - File Baseline/Memory Learning Phase
    • Review files that Cylance has identified as potential threats.
    • Convict/quarantine files and make appropriate policy exclusions.
    • Uninstall the previous antivirus product.
    • Modify/enable the phase 2 policy (2 - AQT MemA OPT1 SCA Prevent)
      • Enables monitoring of memory processes in the environment
    • Deploy the DATTO INFOCYTE agent (for the MDR offering)
  • Phase 3 / Week 3 - File Baseline/Memory Baseline/Script Learning Phase
    • Review files and processes that Cylance has identified as potential threats.
      • Modify the phase 2 policy (2 - AQT MemA OPT1 SCA Prevent)
        • Add appropriate exclusions for application conflicts.
    • Review logged scripts and best practices for creating exclusions.
      • Modify the phase 2 policy (2 - AQT MemA OPT1 SCA Prevent)
        • Add appropriate exclusions for scripts.
        • Keep each exclusion as narrow as the conflict requires (a specific script or path rather than a whole directory); exclusions made here are replicated into every later policy.
    • Apply the phase 3 policy (3 - AQT MemT OPT1 SCA Prevent)
      • Replicate the exclusions from the phase 2 policy.
    • Modify the protected prevention policy.
    • Apply the final policy with Script Control Blocking (SCB) enabled.
  • Phase 4 / Week 4 - Final Baseline Phase
    • Continue monitoring for files, processes, and scripts identified as potential threats.
      • Modify the phase 3 policy (3 - AQT MemT OPT1 SCA Prevent)
        • Add appropriate exclusions for application conflicts.
    • Apply the phase 4 policy (4 - AQT MemT OPT1 SCB Prevent)
      • Replicate the exclusions from the phase 3 policy.
Are SOC services included in the PoC?
  • Yes. SOC services are enabled during the PoC process.
  • PLEASE NOTE:
    • If a compromise is identified during the PoC, the Proof of Concept ends immediately.
      • The partner must then decide whether to convert the offering into production right away or cancel the services.
      • The PoC is not intended as, and is not a substitute for, an incident response engagement.
What if I don’t complete every step of PoC process?

We understand that unforeseen circumstances may arise during your PoC that prevent you from focusing on or evaluating every feature. In many cases, PoCs only progress as far as the 'baseline' process because the evaluator lacks time or availability. Unfortunately, we can only extend the PoC past the evaluation period if there are technical issues related specifically to the Cylance product. We ask that all potential partners make their best effort to progress the PoC as far as possible so that the products receive a full evaluation. The benefit of our offering model is that a partner may continue evaluating the offering in production on a consumption-based, month-to-month basis until they have had enough time to decide whether it is the right solution for their business.

What are the Deliverables from SonicSentry?
  • Architecture setup and configuration
    • Initial provisioning of Cylance tenants in a non-multi-tenant environment
    • Provisioning and staging of the initial recommended policies and templates
    • Provisioning of syslog/SIEM settings within the SIEM/SOAR platform
  • Training and Support
    • Training, support, and documentation as outlined in the offering details.
  • Security Operations Center (SOC) services
    • Detection and alerting on identified abnormal, suspicious or malicious activity
    • Initial response as outlined in our EPP Alert Processing Summary
    • Implementation ‘Report Cards’ sent twice a month to assist with monitoring environment health
What are the responsibilities of the partner?
  • Management of the deployment process
    • Deployment of the Cylance & ARR agents to all workstations and servers
    • Creating a ‘Clean Baseline’ for the devices
    • Implementation of the Script Control feature
    • Creating and assigning tenant zones
    • Creating, assigning and maintaining policy parameters
  • Providing Tier 1 support to the direct end-user customers that are part of the PoC
  • Contacting SonicSentry for any Tier 2 or Tier 3 issues you are unable to resolve
  • Monitoring of environment health
    • Removal of duplicate or retired machines
    • Addressing issues or inconsistencies identified in the provided report card
  • Further investigating, responding to and remediating alerts sent from the SonicSentry SOC
How do I move forward after the PoC?
  • The Support team sends a Wrap-Up email at the end of the PoC indicating that the PoC is being converted to Production and that billing will go live.
    • The Support team confirms that the following has been set up and configured properly.
      • Preferred Contact info
        • General Contact
        • Audit Report
        • SOC Alerts
        • Emergency Contact Information
      • SOC services
What if I decide not to move forward?

While we hope everyone sees the value of the offering and the tools we use, there are times when it does not meet an organization's requirements. If a partner opts not to move forward after the PoC, the following actions are taken before the PoC end date:

  • SonicSentry Actions
    • Apply a policy that allows the removal of Cylance.
    • Remove login access to the PoC tenant.
    • Remove devices from the Cylance portal.
      • This does not prevent the uninstall.
    • Set the Cylance tenant to shut down.
  • Partner Responsibility
    • Uninstall all Cylance agents.
      • Confirm the removal-allowing policy has been applied to the devices first; the uninstall fails while the previous policy is still in effect.
      • This can be achieved via an uninstall script.
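As an added example (not SonicSentry's own script and not part of the original page), one way to write such an uninstall script for Windows endpoints. It assumes an MSI-based Cylance agent install, an elevated PowerShell session (or delivery through your RMM tool), and that the removal-allowing policy has already reached the device. The UNINSTALLKEY MSI property and the CylanceSvc service name are taken from the CylancePROTECT Windows agent as the author knows it; confirm both against the documentation for the agent version in use.

```powershell
# Added example: remove the Cylance agent from a Windows endpoint after the
# tenant policy permits removal, then verify that the service is gone.
# Assumptions: Windows, MSI-based agent install, elevated session.
param(
    # Optional uninstall password. Assumed to be passed via the UNINSTALLKEY
    # MSI property (as documented for CylancePROTECT); verify for your version.
    [string]$UninstallKey = ""
)

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Collect every installed product whose display name starts with "Cylance"
# and that was installed through Windows Installer (so msiexec can remove it).
$products = foreach ($root in $uninstallRoots) {
    if (Test-Path $root) {
        Get-ChildItem $root | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            if ($p.DisplayName -like 'Cylance*' -and $p.UninstallString -match 'msiexec') { $p }
        }
    }
}

if (-not $products) {
    Write-Output "No MSI-installed Cylance products found; nothing to do."
    exit 0
}

$logPath = Join-Path $env:TEMP 'cylance-uninstall.log'

foreach ($p in $products) {
    # For MSI installs the registry key name is the product code GUID.
    $productCode = $p.PSChildName
    $msiArgs = @('/x', $productCode, '/qn', '/norestart', '/l*v', "`"$logPath`"")
    if ($UninstallKey) { $msiArgs += "UNINSTALLKEY=`"$UninstallKey`"" }

    Write-Output "Uninstalling '$($p.DisplayName)' ($productCode)..."
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    # msiexec exit codes: 0 = success, 3010 = success but reboot required,
    # 1603 = fatal error (typically the tenant policy still forbids removal).
    switch ($proc.ExitCode) {
        0       { Write-Output "Removed." }
        3010    { Write-Output "Removed; reboot required." }
        default { Write-Warning "msiexec exited with $($proc.ExitCode); see $logPath" }
    }
}

# Verification step: do not report the device as clean while the service exists.
if (Get-Service -Name 'CylanceSvc' -ErrorAction SilentlyContinue) {
    Write-Warning "CylanceSvc is still present; removal did not complete."
    exit 1
} else {
    Write-Output "CylanceSvc not found; uninstall verified."
    exit 0
}
```

The final service check is the part worth keeping even if you replace the rest with your RMM tool's built-in uninstall: an exit code of 1603 from msiexec usually means the policy change has not yet reached the endpoint, and an agent left running on a device that was already removed from the portal is what the script is meant to prevent.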

Related Articles

  • MPSS Frequently Asked Questions (FAQs)
  • Getting Started with MPSS
  • MSS FMM: NSM - Frequently Asked Questions (FAQs)