Skip Navigation
BlackBerry Blog

Introducing CylanceOPTICS™ v2.3

NEWS / 06.20.18 / Matthiew Morin

CylanceOPTICS v2.3 allows each endpoint to act as its own security operations center. It deploys directly on the endpoint to conduct continuous system monitoring and analysis. Armed with threat behavior models engineered by machine learning (ML), CylanceOPTICS offers immediate protection while constantly improving an organization’s security posture over time. This approach provides a level of protection beyond standard antivirus (AV) file-detection and quarantine behavior.

CylanceOPTICS does not scan binaries; it records system behavior and monitors system resources for anomalous activity. The result is increased protection from a variety of threats ranging from malware to malicious user activity.

How Does It Work?

While most legacy AV solutions focus on discovering malicious files, CylanceOPTICS focuses on suspicious behavior. Scanning for infected files offers no protection against attackers who increasingly rely on using legitimate system resources and applications to compromise infrastructure. Monitoring the environment is a critical response to modern threat actors who are migrating towards fileless malware or living-off-the-land attacks.

CylanceOPTICS uses mathematical models to determine whether a given system activity is normal. These models are trained through exposure to a clean environment and a malware sandbox. By comparing the inter-process relationships and interactions occurring in each environment, CylanceOPTICS learns which behaviors are suspicious. It then uses this knowledge to provide real-time protection to the endpoint. Rather than searching for infected files or malware executables, CylanceOPTICS keeps its finger on the pulse of each endpoint, constantly checking for irregularities.

CylanceOPTICS 2.3 ML models are finely tuned to the tactics, techniques, and procedures (TTPs) of threat actors. This allows CylanceOPTICS to recognize new or previously unseen variations of common attack types. For example, heavily obfuscated commands that elude signature-based protection are recognized by CylanceOPTICS.

Handling Threats

When suspicious activity is detected, CylanceOPTICS offers multiple ways to respond. Automated responses can be customized by security administrators. Automatic responses include deleting files, logging off users, terminating processes, disabling resources across the environment, and other options.

Pre-configured responses execute even when an endpoint is not connected to the environment. Security administrators who prefer exercising manual options can use the Device Lockdown feature to isolate endpoints on the network.

The managing security team may also review any suspicious network activity, files, and processes to determine if further action is appropriate. Through the InstaQuery feature, endpoint activity can be investigated in seconds, giving security professionals maximum time to evaluate potential problems. By comparing current and historical activity data, threat researchers can easily assess the significance of reported endpoint behavior.

The protective capabilities of CylanceOPTICS do not end when a threat is identified and prevented. Critical data gathered from each successful prevention is stored for future use. The Focus View feature generates a timeline of events for each threat detection. This gives security teams a roadmap of activities leading up to the attempted attack and may highlight existing gaps in security controls.

Integration with CylancePROTECT®

CylanceOPTICS perfectly complements the high-speed binary analysis of CylancePROTECT. While CylancePROTECT determines if a file is malicious during pre-execution, CylanceOPTICS monitors the environment of each endpoint for suspicious behavior. This results in heightened protection from both dangerous files and the abuse of legitimate system resources.



AI driven malware prevention

AI driven root cause analysis

Real-time memory protection

Enterprise-wide threat hunting

Integrated application and script control

Dynamic threat detection

Device control through policy enforcement

Automated incident response



CylanceOPTICS provides continuous, lightweight, ML driven endpoint security which functions independent of network connectivity. By monitoring system behavior directly on the endpoint, CylanceOPTICS quickly identifies suspicious activity and notifies security personnel.

Alternatively, CylanceOPTICS can be configured to handle specific behaviors without any human intervention whatsoever. Security teams can configure endpoints to be as autonomous as needed, freeing up critical business resources for other uses. The ML threat models introduced in CylanceOPTICS v2.3 continuously improve the security of the environment while also providing instant protection from known TTPs.

VIDEO: CylanceOPTICS Machine Learning Threat Detection Modules Demo


*This table is a slight variation of one found in the CylanceOPTICS solutions brief:

Matthiew Morin

About Matthiew Morin

Senior Product Manager, BlackBerry