Cylance MDR: Frequently Asked Questions

Description

Frequently Asked Questions about our Cylance MDR offering.

General

Is a Proof of Concept (PoC) available?

Yes, we offer a 21-day Proof of Concept for new partners.

What is involved with a Proof of Concept?
Will my licensing automatically convert to production at the end of the PoC?
  • Yes, the Cylance implementation will be automatically converted to production at the end of the 21-day PoC unless canceled before the conversion.
What are the responsibilities of the partner?
  • Management of the deployment process
    • Deployment of the Cylance & DattoEDR agents to all workstations and servers
    • Creating a ‘Clean Baseline’ for the devices
    • Implementation of the Script Control feature
    • Creating and Assignment of tenant zones
    • Creation, assignment and maintenance of policy parameters
  • Providing Tier 1 support to direct end-user customers
  • Contacting SonicSentry for any Tr 2 or Tr 3 issues that you are unable to resolve
  • Monitoring of environment health
    • Removal of duplicate or retired machines
    • Address issues or inconsistencies identified from the provided report card
  • Further investigate, respond and remediate alerts sent from the SonicSentry SOC
What are the deliverables from SonicSentry?
  • Architecture setup and configuration
    • Initial provisioning of Cylance tenants in a non-multi-tenancy environment
    • Provisioning of multi-tenancy environment (where applicable per offering details)
    • Provisioning and staging of initial recommended policies and templates
    • Syslog/SM settings provisioning within the SM/SOAR platform
  • Training and Support
    • Provides training, support, and documentation
  • Security Operations Center (SOC) services (where applicable per offering details)
    • Detection and alerting of identified abnormal, suspicious or malicious activity
    • Initial response as outlined by our EPP Alert Processing Summary
    • ‘Report Cards’ sent twice a month to assist with monitoring of environment health
What are the differences between the endpoint offerings?
  • Cylance Tr 1
    • Licensing for PROTECT
    • Training & Support (M-F 8AM-8PM EST)
      • No emergency after hours support
    • No SOC Services
  • Cylance Tr 3
    • Licensing for PROTECT, FOCUS (Formerly OPTICS), & DattoEDR
      • FOCUS is the primary EDR
      • DattoEDR agent in a passive mode only
    • Training & Support (M-F 8AM-8PM EST)
      • Emergency after hours support available
    • SOC Services
      • Ingestion and Analysis of security logs
        • 1 Year log retention
      • Detection of anomalous security events
      • Initial Mitigation Steps Performed
      • Implementation ‘Report Cards’ sent twice a month
  • MDR for Endpoint (Primary Offering)
    • Licensing for PROTECT, FOCUS (Formerly OPTICS), & DattoEDR
      • DattoEDR primary EDR agent in real-time scanning
      • FOCUS not required
    • Training & Support (M-F 8AM-8PM EST)
      • Emergency after hours support available
    • SOC Services
      • Ingestion and Analysis of security logs
        • 1 Year log retention
      • Detection of anomalous security events
      • Initial Mitigation Steps Performed
      • Implementation ‘Report Cards’ sent twice a month

Implementation

What are the differences between the agents with my offering?
  • PROTECT
    • This is the AV product/agent
  • FOCUS (Formerly OPTICS)
    • This is the EDR agent developed by Cylance to integrate with the PROTECT agent
    • This is managed in the same dashboard as the PROTECT agent
    • Used for additional investigation of files that are quarantined/blocked by the PROTECT agent
  • DattoEDR
    • This agent is separate from Cylance and is not managed in the same dashboard
    • This is used by our SOC team to respond and isolate a device when a Critical incident is identified
    • This is the primary EDR agent for our MDR offering.
Do I need to install all of the agents?
  • PROTECT
    • Should be deployed on all devices
  • FOCUS (Formerly OPTICS)
    • Should only be deployed by Tr 3 partners.
      • Should NOT be deployed by MDR partners.
    • Should be deployed to any devices that have CylancePROTECT installed, as long as the following hardware requirements are met
      • i5 equivalent or better
      • 4 GB of Memory
      • 1 GB of Disk space for indexing and local caching
  • DattoEDR (Formerly Infocyte)
    • For our Tr 3 and MDR partners, should be deployed on all devices that have CylancePROTECT installed
Can I manage all the agents from the same portal?
  • No. Cylance and DattoEDR are two separate organizations with separate consoles.

Cylance Agent Implementation

What methods can I use to deploy the agents?
  • PROTECT
    • Download the install file from the Cylance console
      • Settings > Deployments
    • Install can be run manually or through a scripted command prompt
  • FOCUS (Formerly OPTICS)
    • Download the install file from the Cylance console
      • Settings > Deployments
    • Install can be run manually or through a scripted command prompt
Is there a Multi-tenancy option for the Cylance Portal?
  • A Multi-Tenant Console (MTC) is available by request
  • Multi-tenancy is set up with a ‘Parent-Child’ architecture
    • Partners will be able to create their own customer tenants and maintain template policies
    • Customers will not be able to create their own tenants within the partner's MTC
  • The benefits of multi-tenancy include
    • Granular separation of customers for management and reporting
    • Single login capabilities for multiple customer tenants
    • Enhanced reporting capabilities
Can I use 2FA/MFA to log into a Cylance console?
  • Native OTP/2FA is now available for logging into the Cylance Tenant level.
  • There is the ability to configure an SSO (Single Sign On) and enforce 2FA/MFA through the SSO
    • The SSO must support SAML 2.0
    • Available documentation to assist with setting up an SSO can be found here: Enhanced Authentication

DattoEDR (Formerly Infocyte) Implementation

What methods can I use to deploy the agents?
Your DattoEDR Portal (Formerly Infocyte)
  • Your Portal is hosted through Datto Partner Portal. If you currently have a Datto account, it is best to use the same account for your DattoEDR Portal to integrate with single sign on.
  • Each portal will have a minimum of ONE Administrator assigned. Because of the scope of access this role has in the instance, we strongly urge that it be limited to the people who need its capabilities.
  • Partner responsibilities in the Portal are limited to the creation and management of Organizations, Locations, policies, user accounts, and device upkeep (removing decommissioned devices, ensuring agent communication with the portal, Location assignments, etc.)
  • There are NO alerts to monitor out of the portal.
  • All logs/alerts are pushed to our XDR platform and that is where our SOC processes alerts.
  • Any modifications a partner makes to areas outside of the Partner Responsibilities of the DattoEDR portal could cause a degradation in alerting and cause a compromise to be missed.
Why are there so many alerts showing? Why do I have hosts listed as ‘Compromised’? Why isn’t the SOC doing anything about this?
  • There will always be alerts listed if you are on our MDR offering.
  • DattoEDR (like a true EDR) is very chatty and we love that!
    • The stronger the baseline we have, the easier it is to identify anomalistic behavior.
  • We ingest all alert data from the hundreds of DattoEDR portals we manage to our XDR platform.
    • This is where our SOC triggers and processes/triages actionable alerts.
  • There will be many times where we log into the DattoEDR portal and start ‘acknowledging’ alerts while performing investigations.
    • We do not want partners doing this as it can affect our investigations.
  • Just because the portal says ‘Compromised’ does not mean it’s actually compromised.
    • A single alert will set the ‘Compromised’ flag on the endpoint.
Is there a Multi-tenancy option for the DattoEDR console?
  • No. All DattoEDR agents are deployed to one console
Can I use 2FA/MFA to log into a DattoEDR console?
  • Yes, native OTP/2FA is required through the Datto Partner Portal.
Am I billed for DattoEDR agents?

No, we bill based on PROTECT agents.

  • There needs to be a one-to-one match between Cylance and DattoEDR agents
  • If machines are uninstalled, they will be removed from the DattoEDR portal after 90 days.
Can I use the DattoEDR agent in a VDI environment?
  • The recommended way of deploying DattoEDR Agents on virtual machines is to install them as a standalone package (installing the agent on each virtual machine separately).
  • Pre-installing the agent on a base image and then cloning the virtual machine causes the clones to inherit the master image's agent ID, so those machines will not present themselves in the web UI.
  • Reference: Infocyte: Agent on VDI or VM Deployment (datto.com)

Support

How do I contact support?
  • To initiate a support request, visit https://msssupport.myportallogin.com
    • When prompted, select Endpoint Security, and then Cylance Support.
  • Schedule a Meeting:
    • 30 minute meeting: https://calendly.com/sgi-cylance/cylance30
    • 45 minute training session: https://calendly.com/sgi-cylance/cylancetraining
  • Emergency Support:
    • Available 24/7 for our MDR and Tr 3 Partners: Please call 703.565.2395
  • Standard Support Hours for Cylance:
    • Monday - Friday, 8:00 AM - 8:00 PM EST
How do I access Cylance documentation?
Is training provided?
  • SonicSentry provides training on both administrative and technical operations related to the service.


Monitoring

How are the logs retained?
  • Cylance logs are maintained on each endpoint on a rotating 30 day schedule
    • C:\Program Files\Cylance\Desktop\Log (Requires Admin Rights)
  • Cylance and DattoEDR syslogs are sent from the central management console to our SM/SOAR for SOC services
    • These logs are maintained for 1 year
Do I get access to the SM?
  • Tr 3 and MDR partners are granted access to our SM (by request) for visibility and reporting purposes
Is your SOC outsourced?
  • No. Our SOC is a 24x7x365 in-house Security Operations Center.
    • NOAM partners work with our US-based, full-time employees.
    • EMEA partners work with our EMEA-based, full-time employees.
Can you monitor Windows Defender if it’s still enabled with Cylance?
  • Not yet. We are working on a solution (MDR partners only) to also have visibility into actions taken by Windows Defender.
How will partners be contacted about alerts or incidents?
  • Each partner should provide designated contact information for the following:
    • Cylance General: General communications, updates and release notes
    • Cylance Audits: Delivery of regular implementation reports twice a month (opt-out available)
    • SOC Alerts: Notification of detected threats or alerts from the SOC
    • SOC Emergency Contact: After-hours or emergency phone contact
  • More details are available here: SOC EPP Alert Processing Summary

Billing

How is licensing handled?
  • For Monthly Billed Partners:
    • Licensing is based on the number of active PROTECT devices, pulled monthly on the last business day of the month.
    • Invoices are issued on the first business day of each month, for the previous month's usage.
  • For Yearly Committed Partners:
    • If your monthly usage is over your annual commit, you will be invoiced for the overage for that month.
    • Licensing is based on the number of active PROTECT devices, pulled monthly on the last business day of the month.
How can I view a breakdown of the number of devices per customer?
Will duplicate or retired devices be billed?
  • Retired devices that are still in the portal ARE included in invoice numbers
  • Duplicate devices with the same DNS Hostname are NOT included in invoicing numbers
  • It is recommended to routinely audit and remove duplicate or retired devices from the portal to avoid unnecessary charges.
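The following script is an added example (not part of the FAQ and not SonicSentry's or Cylance's own tooling) that audits a constructed device export against the two billing rules above: devices sharing a DNS hostname count once, while retired devices still in the portal are still counted. The CSV column names, the sample rows and the 90-day "retired" threshold are assumptions for illustration only.

```python
"""Audit a constructed Cylance-style device export for billing hygiene."""
import csv
import io
from datetime import date, datetime

# Constructed sample export (not real data); column names are assumed.
SAMPLE_EXPORT = """Device Name,DNS Hostname,Last Seen,Policy
WS-001,ws-001.corp.example,2024-05-30,Default
WS-001,WS-001.corp.example,2024-03-02,Default
SRV-DB1,srv-db1.corp.example,2024-01-15,Servers
LT-042,lt-042.corp.example,2024-05-29,Laptops
"""

RETIRED_AFTER_DAYS = 90  # assumption: no check-in for 90 days == retired


def parse_export(text):
    """Parse the CSV and convert 'Last Seen' to a date object."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["Last Seen"] = datetime.strptime(r["Last Seen"], "%Y-%m-%d").date()
    return rows


def audit(text, today):
    """Return (billable_count, duplicates_to_remove, retired_to_remove)."""
    newest = {}  # case-folded DNS hostname -> most recently seen row
    duplicates = []
    for r in parse_export(text):
        key = r["DNS Hostname"].lower()
        if key not in newest:
            newest[key] = r
            continue
        # Same DNS hostname: keep the newest record, flag the other for removal.
        if r["Last Seen"] > newest[key]["Last Seen"]:
            duplicates.append(newest[key])
            newest[key] = r
        else:
            duplicates.append(r)
    retired = [r for r in newest.values()
               if (today - r["Last Seen"]).days > RETIRED_AFTER_DAYS]
    # FAQ rule: duplicates are excluded from invoicing, retired devices are not.
    return len(newest), duplicates, retired


def audit_sample():
    """Run the audit on the constructed export with a fixed 'today'."""
    return audit(SAMPLE_EXPORT, date(2024, 5, 31))


if __name__ == "__main__":
    billable, dups, stale = audit_sample()
    print(f"billable devices: {billable}")
    print("duplicates to remove:", [r["DNS Hostname"] for r in dups])
    print("retired to remove:", [r["Device Name"] for r in stale])
```

Running the audit before the last business day of the month surfaces the retired devices that would otherwise be invoiced.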
