Most of us associate the Blackberry brand name with its relative dominance in the early 2000s, when almost everyone who had a smartphone had a Blackberry. Nothing lasts forever. Unfortunately for the brand, 2007 marked the introduction of touch screen phones with the unveiling of the iPhone. Android phones also arrived on the scene soon after.
What most of us do not know is that Blackberry also gave its users a
secure and, at the time, revolutionary way to communicate with each other.
In essence, security has always been a part of the Blackberry brand.
It takes a lot of courage, work, and time to reinvent
yourself as a company. Many do not succeed. For Blackberry, the road to
reinventing itself as a cybersecurity brand has not been without a few bumps.
Today, Blackberry is recognized as one of the top cybersecurity companies offering
protection for enterprises and consumers alike.
This review will look at Blackberry | Cylance’s ratings
against its peers as well as the validity of some of the claims made on their
website. Let’s begin…
First, we will take a look at how BlackBerry | Cylance
measures up against the competition.
Gartner is a global research and advisory firm providing
information, advice, and tools for leaders in IT, finance, HR, customer service
and support, communications, legal and compliance, marketing, sales, and supply
chain functions. Gartner is the leading authority on providing reviews,
grading, and recommendations on most cybersecurity tools used by big enterprises
and governments around the world.
The simplest way I can explain this is to use a sports
analogy. If endpoint protection were the NFL, the vendors on the above quadrant
would be the playoff teams. Just to be listed here means you are doing things
better than a bunch of other teams. The quadrant rates companies on their
vision and their ability to execute that vision. However, the ratings are sometimes
not entirely indicative of the product. For example, if a company has a great
product but the company is young, then the vision might not be clear and its
ability to execute that vision cannot be properly quantified. For me, again
going back to the NFL, I feel that any team in the playoffs has a chance to win
the Super Bowl.
In my opinion, any of the technologies in the
Gartner Magic Quadrant would be a great choice for endpoint protection.
Here are some, but not all, of what Gartner describes as
Blackberry | Cylance's strengths.
Small, lightweight, artificial intelligence (AI)-based
detection agent that is easy to deploy and manage and can work offline, which
is popular with customers who have isolated/air-gapped systems.
This means that the tool can use behavioral analysis, in
addition to just looking for malicious signatures.
What is a signature? Every application on your machine has a
unique identifier. For example, when you download an installer from the
internet, you are sometimes given the option to compare the signature
of the downloaded executable with a reference signature published by the
vendor, to make sure they match. This is like a bank comparing the signature
on a check with the signature it has on record for that customer.
Unfortunately, just like a handwritten signature on a check, a digital
signature can also be faked. And what if you show up at a bank to cash a
check and the bank has no reference for the signature on the check because
it has never seen it before?
In the context of endpoint protection, behavioral analysis vs.
signature-based analysis works somewhat like this. Signature-based
tools look for known malicious signatures on the device they
are protecting. If they find one, they deal with it. It is that simple. Where
do the signatures come from? Usually from a cloud repository hosted by the
technology vendor, and that is what your subscription pays for. This is
why, when it comes time to renew, you start receiving warnings that
if you do not renew, your device may be vulnerable because of out-of-date
definitions. Most people think this is just marketing fluff to keep users
subscribed, but the reality is that new attacks have new signatures, and if
your tool does not have those new signatures, how can it determine
that something is bad?
Enter behavioral analysis.
All of the so-called next-generation endpoint protection
solutions are moving to machine learning algorithms that look at what the
software on your device is trying to do rather than what its signature is. It
goes something like this: let's say you have a doll with a red dress. If you
are using a signature-based approach to discover malicious software on
a device, and you tell it to look for dolls with a red dress, then the tool
will identify the doll as malicious and block it from doing anything to the
device. But what if I change the dress color to yellow? Now the security tool
is not sure, because its mandate is to identify dolls with a red dress. This is
the problem machine learning aims to solve. With a machine learning behavioral
analysis approach, the security tool does not care about the color of the doll's
dress, but rather what the doll is trying to do on the machine. As soon
as the doll pulls out a knife, the security tool identifies the behavior as
bad, flags it, and deals with it. Once the doll has been taken care of, its
signature is cataloged for even faster recognition of future attacks.
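The signature check and the doll analogy above can be seen side by side in a small toy detector. This is an added illustration, not code from the page or from BlackBerry | Cylance: the three "programs" are constructed byte strings that declare the actions they perform, the signature database and behavior rules are made up for the demo, and `hmac.compare_digest` is used for the vendor-hash comparison so the comparison itself runs in constant time. A recolored variant evades the hash lookup but not the behavior rules, and is then cataloged so the next scan catches it by hash alone.

```python
"""Toy signature-based vs. behavior-based detection (added example, not Cylance code)."""
import hashlib
import hmac

# Constructed stand-ins for executables. Each "program" is a byte string whose
# text after the colon lists the actions it performs at runtime; a real agent
# would observe these actions through process, file and API monitoring.
KNOWN_BAD = b"doll-red-dress: open file; read docs; spawn shell; encrypt files"
VARIANT = b"doll-yellow-dress: open file; read docs; spawn shell; encrypt files"
BENIGN = b"notepad: open file; read docs; save file"


def sha256_hex(data: bytes) -> str:
    """The 'signature' of a file in the sense the text uses: a hash of its bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, vendor_hash_hex: str) -> bool:
    """The installer check from the text: compare the hash of what was downloaded
    with the reference the vendor published. compare_digest runs in constant time,
    so the comparison does not leak how many leading characters matched."""
    return hmac.compare_digest(sha256_hex(data), vendor_hash_hex.strip().lower())


# Vendor-supplied signature database: hashes of samples already seen in the wild.
SIGNATURE_DB = {sha256_hex(KNOWN_BAD)}

# Behavior rules: ordered action sequences that are suspicious whatever the hash is.
BEHAVIOR_RULES = {
    "encrypts documents it just read": ["read docs", "encrypt files"],
    "spawns a shell after reading documents": ["read docs", "spawn shell"],
}


def extract_actions(program: bytes) -> list:
    """Stand-in for runtime monitoring: split the program's declared action list."""
    _, _, body = program.decode().partition(":")
    return [a.strip() for a in body.split(";") if a.strip()]


def signature_verdict(program: bytes, db: set) -> str:
    """Signature-based check: known hash or nothing."""
    return "malicious" if sha256_hex(program) in db else "unknown"


def behavior_hits(actions: list) -> list:
    """Return the names of rules whose actions appear in order (subsequence match)."""
    hits = []
    for name, pattern in BEHAVIOR_RULES.items():
        idx = 0
        for act in actions:
            if act == pattern[idx]:
                idx += 1
                if idx == len(pattern):
                    hits.append(name)
                    break
    return hits


def classify(program: bytes, db: set) -> dict:
    """Combine both approaches; block on either a signature or a behavior hit."""
    sig = signature_verdict(program, db)
    hits = behavior_hits(extract_actions(program))
    return {"signature": sig, "behavior": hits, "blocked": sig == "malicious" or bool(hits)}


def run_demo() -> list:
    """Scan the three samples, catalogue anything the behavior rules caught,
    then rescan the variant to show it is now recognised by signature alone."""
    db = set(SIGNATURE_DB)  # private copy so repeated runs start from the same state
    results = []
    for sample in (KNOWN_BAD, VARIANT, BENIGN):
        verdict = classify(sample, db)
        if verdict["behavior"] and verdict["signature"] == "unknown":
            db.add(sha256_hex(sample))  # the text's "cataloged for faster recognition"
        results.append(verdict)
    results.append(classify(VARIANT, db))
    return results


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The subsequence match is deliberately loose: it fires when the rule's actions occur in order with anything in between, which is the behavioral equivalent of not caring about the dress color. The same looseness is where false positives come from, which the review returns to further down.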
If I am using a machine learning-based security solution,
then why do I need to pay for a subscription? That’s a great question, and the
answer is simple. The machine learning algorithm models need to be recalibrated,
just like a child needs to learn to understand and exhibit new behaviors.
BlackBerry Protect has a strong reputation for machine
learning (ML)-based protection. This protection uses agent-side algorithms with
machine learning to detect file-based malware. BlackBerry Optics uses ML to
provide user and entity behavioral detection capabilities.
The point being made here reinforces what was said
earlier. Note the agent-side detail: the intelligence is built into the agent
on the protected device. This is what allows tools like this one to operate
without an internet connection, even though they usually also come with a
centralized cloud management portal.
BlackBerry Optics delivers EDR capabilities to provide
endpoint visibility and incident response facilities. Its recent release
expanded custom detection logic and added new response capabilities that
incorporate the MITRE ATT&CK framework.
What is the MITRE ATT&CK framework?
MITRE ATT&CK stands for MITRE Adversarial Tactics,
Techniques, and Common Knowledge (ATT&CK).
Just as Gartner is considered by many to be the standard guide to
choosing the best available technologies, MITRE ATT&CK is a framework, or
catalog, of adversary behaviors commonly observed in cyber attacks. Without
getting too far into the details, MITRE has categorized the known tactics,
techniques, and behavioral patterns exhibited by attacks against cyber
infrastructure (computers, mobile devices, IoT, network devices, etc.).
This helps also to explain why there is still licensing
involved in behavioral analysis tools. As new behaviors are exhibited, understood,
and subsequently cataloged, they are added to the tools’ behavioral analysis algorithm
models.
MITRE ATT&CK Framework Reference: https://attack.mitre.org/
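On the defender's side, "incorporating ATT&CK" mostly means every alert carries a technique ID, which lets you ask two questions the catalog is built for: which tactics does my rule set not cover at all, and which host is showing several tactics in sequence. The Python below is an added example, not BlackBerry code. The technique IDs are real ATT&CK Enterprise IDs, but the table is a small subset simplified to one tactic per technique (T1547, for instance, is also listed under Privilege Escalation); the alert lines, host names and the rule set are constructed for the demo.

```python
"""ATT&CK-tagged EDR alerts: coverage gaps and multi-tactic hosts (added example)."""
import json
from collections import defaultdict

# Subset of the Enterprise ATT&CK matrix with real technique IDs, simplified to a
# single tactic each. The real matrix lists some techniques under several tactics.
TECHNIQUE_TACTIC = {
    "T1566": "Initial Access",       # Phishing
    "T1059": "Execution",            # Command and Scripting Interpreter
    "T1547": "Persistence",          # Boot or Logon Autostart Execution (simplified)
    "T1027": "Defense Evasion",      # Obfuscated Files or Information
    "T1003": "Credential Access",    # OS Credential Dumping
    "T1082": "Discovery",            # System Information Discovery
    "T1021": "Lateral Movement",     # Remote Services
    "T1071": "Command and Control",  # Application Layer Protocol
    "T1041": "Exfiltration",         # Exfiltration Over C2 Channel
    "T1486": "Impact",               # Data Encrypted for Impact
}

# Constructed rule set: the technique each detection rule in the toy agent covers.
DETECTION_RULES = {"T1566", "T1059", "T1003", "T1021", "T1082", "T1486"}

# Constructed alerts in JSON Lines form, the shape many EDR exports use.
# One line is deliberately malformed to show the parser skipping it.
SAMPLE_ALERTS = """
{"ts": "2021-04-01T09:01:00Z", "host": "ws-17", "technique": "T1566", "desc": "macro-enabled doc opened from mail"}
{"ts": "2021-04-01T09:01:05Z", "host": "ws-17", "technique": "T1059", "desc": "winword spawned powershell"}
{"ts": "2021-04-01T09:02:10Z", "host": "ws-17", "technique": "T1003", "desc": "lsass memory read"}
{"ts": "2021-04-01T09:10:00Z", "host": "ws-17", "technique": "T1021", "desc": "smb session to srv-02"}
{"ts": "2021-04-01T09:15:00Z", "host": "ws-03", "technique": "T1082", "desc": "systeminfo run by helpdesk"}
this line is not json and should be skipped
{"ts": "2021-04-01T09:16:00Z", "host": "ws-03", "technique": "T9999", "desc": "rule with no ATT&CK mapping"}
"""


def parse_alerts(text: str) -> list:
    """Parse JSON Lines, drop malformed lines, and attach the tactic for each technique."""
    alerts = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a broken export line should not abort the whole batch
        rec["tactic"] = TECHNIQUE_TACTIC.get(rec.get("technique"), "Unmapped")
        alerts.append(rec)
    return alerts


def tactics_by_host(alerts: list) -> dict:
    """Distinct tactics observed per host, sorted for stable output."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a["host"]].add(a["tactic"])
    return {host: sorted(tactics) for host, tactics in seen.items()}


def chain_suspects(alerts: list, min_tactics: int = 3) -> list:
    """Hosts showing at least min_tactics distinct mapped tactics: one alert may be
    noise, but initial access, execution, credential access and lateral movement on
    the same host is the shape of an intrusion rather than a false positive."""
    suspects = []
    for host, tactics in tactics_by_host(alerts).items():
        mapped = [t for t in tactics if t != "Unmapped"]
        if len(mapped) >= min_tactics:
            suspects.append(host)
    return sorted(suspects)


def uncovered_tactics(rules: set) -> list:
    """Tactics in the matrix subset for which the rule set has no detection at all."""
    covered = {TECHNIQUE_TACTIC[t] for t in rules if t in TECHNIQUE_TACTIC}
    return sorted(set(TECHNIQUE_TACTIC.values()) - covered)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    print("tactics per host:", tactics_by_host(parsed))
    print("chain suspects:", chain_suspects(parsed))
    print("tactics with no rule:", uncovered_tactics(DETECTION_RULES))
```

The "Unmapped" bucket is worth keeping visible rather than silently dropping: a rule that fires without a technique ID is exactly the kind of behavior the review describes as not yet cataloged, and the gap list is what a subscription's model updates are meant to shrink over time.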
Gartner also presents, among others, the following
cautions.
BlackBerry continues to suffer from branding problems across
its entire product range as most clients do not associate Cylance with being
part of BlackBerry. The removal of the Cylance brand requires significant
client education as most users know BlackBerry as a historic mobile device
manufacturer.
To read the full Gartner report for endpoint protection you
can simply search for the 2021 Gartner Magic Quadrant for Endpoint Protection
Platforms. This is a paid report; however, you can click on any of the links
that will gladly offer it to you in exchange for your email so they can send
you ads about their security tools.
Next, let’s examine some of the claims being made on the
Blackberry | Cylance website.
Stops infections before they can attack
Traditional antivirus waits for you to be infected before
it can act. Cylance observes the behavior of programs in real-time, detecting
threats in milliseconds before they can execute.
While I disagree with the first part (not all traditional AV
is entirely reactive; many have built-in scanning that can be set up to inspect
a system periodically), I can see the point they are making here, which I believe
is that their behavioral analysis is faster at discovering and stopping attacks
against a system.
Protects against never-before-seen malware
Proactive AI protection from all types of malware, existing
threats and those yet to be developed. Cylance prevents attacks before they
happen rather than relying on other users becoming infected to 'discover'
threats.
This claim again rests on the tool's ability to leverage
machine learning to discover patterns of malicious behavior, which is a better
approach than waiting for "users becoming infected to 'discover' threats." In a
signature-based approach, patient zero is almost always lost, because the
signature of that attack is unknown. With ML-based behavioral analysis, you can
save patient zero from a previously unknown attack, as long as the behaviors of
that attack are already known and have been coded into the ML model.
Unobtrusive protection
We know you just want your antivirus to keep you safe -
not waste your time. That’s why we guarantee to never bother you with unwanted
alerts or pop-up ads. Promise.
As a consumer, there are very few things that annoy me more
than constant alerts for no reason. Blackberry | Cylance claims to do
very little of that. Gartner, however, does list a concern (which may apply
to enterprise customers rather than home users) about the aggressiveness of
the tool leading in some cases to 'false positives', where the security
tool treats suspicious but not necessarily malicious software as a
threat. This is like arresting someone who looks like they are about to commit
a crime before they do. On the one hand, you may prevent a crime that could
result in the loss of innocent life. On the other hand, there is the
chance that the person might change their mind and never commit the crime,
which makes them innocent.
Light on RAM and CPU
We’ve done all the computational heavy lifting in the cloud.
As a result, Cylance uses much less RAM and CPU than other AV solutions, making
it perfect for gamers or alongside other intensive processes. You won't even
notice we're there.
This is hard to verify. In my experience, next-generation endpoint
protection tools do a better job with resource consumption than older legacy
solutions. The days of starting the PC and waiting 30 minutes because your AV
slowed the boot process to a crawl are over. SSDs also help with
this. Lastly, because ML behavioral analysis tools detect patterns of behavior
in real time as they happen, they do not need to rely on scanning the endpoint
the way legacy AV solutions do, and AV scanning is usually very resource-intensive.
In conclusion, Blackberry | Cylance should provide a great
solution for all the devices in your home, with an easy enough way to deploy and
manage on PCs and mobile devices.
I hope this review is helpful, please feel free to leave a comment.
If you are in the market for a new Endpoint Protection Solution, check out the deals that Blackberry has going on below…
On a BSD based system using a RISC CPU, what security measures do you implement?
Have you ever used a BSD system? Just being cautious before I continue. Have you ever designed on and used RISC CPU architectures?
BSD systems are not Linux variants.
I have a preference for FreeBSD; so, let's go for that basic setup with minimalist yet practical security.
Root comes first and you add it to Wheel - the central administrative group - then to other necessary groups. Use discernment and limit Root's access to the computer's physical location.
A user with administrative privileges becomes the next to be created. System upgrades, creating jails - chrooted environments, port building, et al are better delegated to this account.
The third account is the normal, everyday user without any special privileges.
If you are worried about the internet, there is a tutorial in the How-to section of the FreeBSD forums on building Firefox in a jail. If you use Chrome, Midori, Opera, Konqueror, et cetera adjust what the tutorial states for that browser.
On CPU architectures, there are more available than the average nerd is able to dream.
Unfortunately, the average nerd only knows about CISC with subarchitectures being developed by AMD and Intel.
Whenever possible, my preference is for a PowerPC/ POWER based system.
One can still get in trouble with IRC and other messaging software. These also should be sandboxed.
Assembly hackers like to stay or stick to x86/x86_64. RISC CPUs require them to be actually capable of using logic.
Scite was used to read the rootkit that I had picked up on the CISC laptop. Messages and code were next to each other.
I removed the user and the problem.
I did not check the file size or the SHA sum.
PowerPC/ POWER systems do not use the same instruction sets. The CPU learns; and, you also will learn.
What language is being used in the firmware and what is the structure?
Kernel hertz rate determines latency and response. If you desire a rate above 2499 hertz, you will need to ask about patching the kernel. Even the majority of the BSD users are similar to the Linux community: CISC exposure only.
Your blog is pretty dope, I like the reality of it.
Tchau tchau
Thanks!
Right, so for environments like that I guess you can either put a dedicated appliance in front (virtual or physical) to handle access, traffic filtering, etc., this way you don't have to sacrifice system resources of the env. for that, or you can do what you described.