Skip Navigation
BlackBerry Blog

CylanceOPTICS Turns Detection and Response On Its Head

NEWS / 05.23.17 / Steve Salinas

Over the past ten years or so the number of new security products introduced has exploded. It seems that with every passing month, another tool is released that claims to finally solve your security challenges.

In fact, per the 2016 State of the Endpoint Report by the Ponemon Institute, organizations on average have six endpoint agents and management consoles to manage endpoint security. With so many ways to protect your business from attackers, your endpoints never get compromised and the attackers have finally been defeated, right? The war is over and you have won! Wait…

Since you are reading this, it must mean that the battle to keep attackers at bay rages on. The fundamental reason attackers still win is because we expect them to win.

Years ago, businesses began to adopt a “detect and respond” strategy to security. This was in large part due to the inability of current endpoint prevention solutions to prevent attacks. In the worst situations, you had endpoint prevention products - antivirus (AV) primarily - failing to block 50% of attacks. If you think about it, that puts organizations automatically into the realm of “inevitable victim,” which isn’t exactly a nice way to think about your business.

With no hope for prevention, businesses began building complex endpoint security stacks, adding layers upon layers, to try to cover all the gaps left by their failing AV products. Out of this approach came a new category of product, Endpoint Detection and Response (EDR).

VIDEO: See CylanceOPTICS in action against WannaCry ransomware:

VIDEO: OPTICS Takes on the New WannaCry/WanaCryptOr Ransomware

What is Endpoint Detection and Response?

EDR aimed to be the eyes and ears for your security team, a virtual hall monitor collecting data from all of your endpoints so you can search for threats, either using a rules engine or manually. In theory, this is a great solution to the problem. You have the data, you can search it, you can find threats.

The problem is that with so many threats bypassing AV solutions, security analysts are flooded with security alerts and events daily from multiple systems. Per a recent study, analysts report spending over one third of their investigation time on repetitive alerts, while yet another survey of IT security professionals showed that, due to lack of time and resources, over 50% of important alerts are ignored.

So, in the current cybersecurity landscape, you have:

  • More security product options than you can possibly evaluate, much less run and use effectively
  • An endpoint security stack that is already large, complex, and creates redundant alerts, wasting your time and requiring either more headcount or overworking your security teams
  • A staff that is, on average, not able to investigate over half of all alerts
  • The reality that breaches are still occurring on a regular basis and show no signs of slowing

Something must change, and quick. To combat modern attacks, you must adopt a ‘prevention first’ strategy. By preventing as many threats and attacks as possible first, you dramatically reduce the amount of threats you must analyze, making your team more efficient. 

Shifting the Focus to Prevention

That’s what we’re doing at Cylance – we’re fixing the original problem by focusing on catching 99.9% of the malware trying to get into your organization.

From the inception of Cylance, we have been focused on prevention. With the right combination of data scientists, security experts, and visionary management, we introduced the first artificial intelligence-based prevention solution available, CylancePROTECT®, about four years ago.

CylancePROTECT challenged the norm, claiming to be able to prevent attacks before they occurred using math, machine learning (ML), and artificial intelligence (AI). Four years and over 3,000 customers later, CylancePROTECT has done just that, and it’s rapidly becoming the gold standard for organizations looking to replace their legacy AV solutions.

Today, many solution providers have incorporated machine learning into their offerings and used some of those cybersecurity buzzwords in their marketing materials. The difference is that CylancePROTECT is the only solution built on the foundation of predictive artificial intelligence.

With customers seeing great results from CylancePROTECT, we felt now was the time to introduce a new EDR solution that would provide customers with the visibility, threat hunting, and incident response capabilities required to find other threats on their endpoints.   

Introducing CylanceOPTICS

Today, we are pleased to announce CylanceOPTICS is now available. This prevention-based Endpoint Detection and Response solution was designed from the ground up to augment the prevention delivered by CylancePROTECT - the two solutions go hand-in-hand to drive towards full endpoint protection against threats.

With CylanceOPTICS, organizations can:

  • Identify and mitigate previously exploited attack vectors and vulnerabilities, reducing the attack surface
  • Find and eliminate threats hiding on your endpoints with smart threat hunting
  • Streamline incident response and containment to reduce dwell time, improve efficiency, and decrease the business impact of any security risk

What Makes CylanceOPTICS Different

Data Collection Approach

The value derived from EDR solutions is totally dependent on the data collected from each endpoint. Most tools take the “capture all activity” approach to EDR data collection. Since the vendors providing the EDR product are assuming poor efficacy from the underlying AV product, they need all the data so they can at least see what happened to the endpoint when the AV product fails to prevent a breach.  

For businesses, though, this approach can get expensive quickly. With CylanceOPTICS, we are taking a different approach.

First, with CylanceOPTICS, data is collected and stored locally on the endpoint. This means that you are not forced to add costly servers to your on-premises environment, dramatically reducing the costs associated with this new capability. Since data is stored locally, you are also not forced to stream data continuously to a cloud, alleviating data privacy concerns.

Next, we are focused on collecting security-relevant data from the endpoint. Much of the activity on an endpoint has very little value from a security perspective, so there is no point in capturing and storing it. It’s a demand on your time and it very rarely makes you more secure. Our curated approach to data collection means that we significantly reduce the noise that many other EDR products include, helping analysts make better use of their time.  

Making EDR Capabilities for Everyone

Another important decision we made early in the development of CylanceOPTICS was to make a product that any security analyst could use, regardless of skill level.

Looking at the market, you will see that many EDR products were clearly built for the advanced security analyst or threat hunter. With tons of configuration options and user interfaces that resemble programming dashboards, the user can search for and investigate a variety of things. The problem, however, is that in the broad market, where advanced security resources are scarce, most organizations simply do not have these assets on their team, nor should they have to have them to benefit from EDR technology.

With CylanceOPTICS, we deliver EDR capabilities in a package that any security professional can use. This means that organizations of any size, with any level of security expertise, can now benefit from consistent visibility across endpoints with the ability to search for, find, and eliminate hidden threats from their endpoints. We’re democratizing the detection and response market in our continued effort to protect everyone under the sun.

The Future of CylanceOPTICS

In the coming months, we will be releasing many new capabilities that will take threat detection into the modern age. Just as we did with CylancePROTECT, we will be introducing the first machine learning-based threat detection model designed to specifically run on the endpoint.

This means that with the combination of CylancePROTECT preventing well over 99% of threats before they occur, and CylanceOPTICS enabling analysts to find other threats, you will have the most comprehensive endpoint security solution available, built on the foundation of predictive AI.

To learn more about CylanceOPTICS, please join us on June 8th, 2017 for our webinar (register here), and visit

Steve Salinas

About Steve Salinas

Senior Product Marketing Manager at Cylance

Steve Salinas has worked in the security industry for over 10 years, with extensive experience in computer forensics, endpoint and cloud security, and a keen understanding of the evolving threat landscape. Before joining Cylance as Senior Product Marketing Manager for the Security Platform, he held various sales and marketing roles at Guidance Software as well as leading the Product Marketing team at Alert Logic. He holds a BBA in Marketing from Texas A&M and an MBA from Pepperdine University.