Windows 10 Security Features Overview

The white paper discusses the evolution of Windows security, highlighting Microsoft's initial neglect of security in early operating systems and the subsequent development of features such as Windows Hello, Windows Sandbox, Device Guard, and Credential Guard in Windows 10. It emphasizes the importance of adapting to security best practices and outlines various challenges and recommendations for enhancing security in enterprise environments. Additionally, it introduces BlackBerry Cylance's AI-driven solutions for malware prevention and endpoint security.


WHITE PAPER

Windows Security
Going Back To Basics

Background
According to Statista’s January 2019 Report1, Microsoft Windows leads the global
operating systems (OS) market share for desktop PCs by 75.4% while Mac OS and
Linux place a distant second and third, respectively. As a matter of fact, Microsoft
Windows became and stayed a dominating presence in the desktop operating
system market since its debut in 1985.
Initially, security was not a priority to Microsoft, due to the low number of successful
public breaches when the operating system was first released. The original versions
of Windows were open and never limited users from accessing personal data. Linux
and Mac, on the other hand, focused on limiting unauthorized access from their
very first days.
Although Windows 3.1, 95, and 98 seemed like advanced operating systems, they
were based on the disk operating system (DOS) initially released in 1981. It was a
single-user design without segregation of user accounts and permissions. DOS
did not offer security restrictions or adequate file permissions to protect the data
and the OS from intrusions. There was no primary need for it anyway, so it took
time before the company turned its consideration towards strengthening security
measures.

[1] https://www.statista.com/statistics/218089/global-market-share-of-windows-7/

Windows Security — Going Back To Basics | 2


The result was Windows NT, which became the foundation for later, more widespread and popular versions such as Windows 2000, XP, Vista, 7, 8, and now Microsoft's latest flagship product, Windows 10. These are modern multi-user platforms that include security features to restrict unauthorized entry.

Today, Microsoft is offering a lot more security features than ever before. It is the duty of security practitioners to adapt to Microsoft's security best practices while also enhancing them with advanced security tools.

Windows 10
Windows 10 drastically improved a lot of elements in a traditional Windows operating system. The fast evolution of malware alongside advanced attacks in recent years has made security a vital concern, not only to IT professionals, but to home users as well.

According to Microsoft, Windows 10 delivers comprehensive, built-in, and ongoing security protections you can trust, including Windows Defender Antivirus, firewall, and more. These features defend against software threats like viruses, malware, and spyware across email, apps, the cloud, and the web.

There have also been some new additions to Windows 10 security, including:
• Windows Hello
• Windows Sandbox
• Device Guard
• Credential Guard

Windows Hello
Windows Hello allows users to use a digital wristband, smartwatch, phone, and other companion devices to quickly unlock a Windows PC without a password. By certifying a user's identity, these devices provide another choice for quick, secured sign-ins.

Passwords are asymmetric keys, which means a server keeps a copy of the password. The Windows Hello PIN is not. Windows Hello protects a user's key in the TPM (Trusted Platform Module). Even if the keys/passwords server gets hacked, the user's PIN and access are unaffected. The Windows Hello PIN is tied locally to the device, is backed by hardware, can be complex, and uses biometrics for an additional security factor and recovery solution.

Windows Sandbox
Windows Sandbox offers an isolated, temporary desktop environment where you can run untrusted software without the fear of harming the user's PC. Any software installed in Windows Sandbox stays only in the sandbox and cannot affect the host. Once Windows Sandbox is closed, all the software, files, and state are permanently deleted.

Windows Sandbox creates a secure Windows 10 instance within a running Windows 10 virtual machine environment. It uses hardware-based virtualization for kernel isolation, which relies on Microsoft's hypervisor to run a separate kernel for Windows Sandbox. The sandbox also uses the integrated kernel scheduler, smart memory management, and virtual GPU.

Users can copy and paste executables and files into the sandbox and run them to observe their behavior. They can also browse to unknown websites to test their maliciousness within a closed and safe environment.

Device Guard
Device Guard relies on hardware and software, including Windows 10's virtualization-based security, to lock down the machine so it only runs trusted applications. Applications must have a valid cryptographic signature from specific software vendors, or Microsoft, to execute.

Device Guard isolates the Windows services that verify whether drivers and kernel-level code are legitimate in a virtual container. Even if malware infects the machine, it cannot access that container to bypass the checks and execute a malicious payload. Device Guard goes beyond the older AppLocker feature, which could be accessed by attackers with administrative privileges. Only an updated policy signed by a trusted entity can change the app control policy that has been set on the device.

This feature eliminates the risk of being infected by unsophisticated malware. Having said that, Device Guard does not protect against Just-In-Time (JIT) compiled applications, or code running in documents, such as macros in Microsoft Office tools.

Credential Guard
Credential Guard protects corporate identities by isolating them in a hardware-based virtual environment. Microsoft isolates critical Windows services in the virtual machine to block attackers from tampering with the kernel and other sensitive processes. The new features rely on the same hypervisor technology already used by Hyper-V.

Credential Guard addresses an essential aspect of enterprise security. It stores domain credentials within a virtual container, away from the kernel and user-mode operating system. This way, even if a machine is compromised, the credentials are not available to the attacker.

Advanced persistent attacks rely on the ability to steal domain and user credentials to move around the network and access other computers. Typically, when users log in to a computer, their hashed credentials are stored in the operating system's memory. Previous versions of Windows stored credentials in the Local Security Authority, and the operating system accessed the information using remote procedure calls. Malware or attackers lurking on the network were able to steal these hashed credentials and use them in the prevalent pass-the-hash attacks that were originally published by Paul Ashton in 1997.

A typical example is Mimikatz, a widely used tool that enables the viewing of credential information from the Windows lsass (Local Security Authority Subsystem Service) process. Its sekurlsa module, which exposes plaintext passwords and Kerberos tickets, allows threat actors to execute pass-the-hash and pass-the-ticket attacks. Before Credential Guard, an attacker could leverage easy-to-use tools to dump all passwords from memory.

Windows 10 – Security Challenges
While Windows 10 is a significant improvement from a security standpoint, the new exciting features come with a lot of challenges. For example, Device Guard and Credential Guard are intended for business systems and are available only in Windows 10 Enterprise and Windows 10 Education.

The hardware needed to add all the new security features is substantial, hard to implement, and requires significant infrastructure changes. The built-in Windows Defender is undoubtedly an improvement to Windows 10. However, it remains a signature-based antivirus that suffers from the ills common to that approach: friction for security content updates, possible content corruption, and dependence on network/cloud lookups and communications.
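The paper describes Device Guard and Credential Guard and then notes that the hardware they need is substantial. The following audit, added here and not part of the paper or of any Cylance tooling, reads the documented `Win32_DeviceGuard` WMI class, the `LsaCfgFlags` policy value and the Windows Sandbox optional feature to show a defender which of these protections are actually running on a host and which hardware prerequisite is missing when one is configured but not running. It assumes Windows 10 Enterprise or Education with PowerShell 5.1 or later, run as Administrator.

```powershell
# Added audit script (not from the paper): reports the state of the Windows 10
# virtualization-based security (VBS) features described above. Assumes Windows 10
# Enterprise/Education, PowerShell 5.1+, run as Administrator.

function Get-VbsStatus {
    # Win32_DeviceGuard is the documented WMI view of VBS, Credential Guard and HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # Integer codes used by the class (SecurityServices*: 1 = Credential Guard, 2 = HVCI).
    $vbsState = @{ 0 = 'Disabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    $ciState  = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    $hwProps  = @{ 1 = 'Hypervisor'; 2 = 'Secure Boot'; 3 = 'DMA protection';
                   4 = 'Secure memory overwrite'; 5 = 'NX'; 6 = 'SMM mitigations'; 7 = 'MBEC' }

    # Hardware the configured services require but the platform does not report as available:
    # this is the "substantial hardware" gap the paper warns about.
    $missingHw = @($dg.RequiredSecurityProperties |
                   Where-Object { $dg.AvailableSecurityProperties -notcontains $_ } |
                   ForEach-Object { $hwProps[[int]$_] })

    # LsaCfgFlags is the policy-side switch: 1 = Credential Guard with UEFI lock,
    # 2 = enabled without UEFI lock, 0 or absent = off.
    $lsaCfg = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
               -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
    $cgPolicy = if ($null -eq $lsaCfg) { 0 } else { [int]$lsaCfg }

    [pscustomobject]@{
        VbsStatus                 = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
        CredentialGuardPolicy     = $cgPolicy
        CredentialGuardConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = [bool]($dg.SecurityServicesRunning -contains 1)
        HvciConfigured            = [bool]($dg.SecurityServicesConfigured -contains 2)
        HvciRunning               = [bool]($dg.SecurityServicesRunning -contains 2)
        KernelCodeIntegrity       = $ciState[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModeCodeIntegrity     = $ciState[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
        MissingHardware           = $missingHw
    }
}

function Get-SandboxFeatureState {
    # Windows Sandbox ships as the optional feature 'Containers-DisposableClientVM'.
    try { (Get-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM' -ErrorAction Stop).State }
    catch { 'Unavailable' }
}

$status = Get-VbsStatus
$status | Format-List
"Windows Sandbox feature: $(Get-SandboxFeatureState)"

# Configured but not running usually means a missing hardware prerequisite or a pending reboot.
if ($status.CredentialGuardConfigured -and -not $status.CredentialGuardRunning) {
    Write-Warning "Credential Guard is configured but not running. Missing hardware: $($status.MissingHardware -join ', ')"
}
if (-not $status.CredentialGuardRunning) {
    Write-Warning 'LSA secrets are not isolated: hashed domain credentials in lsass memory remain readable by a local administrator.'
}
if ($status.KernelCodeIntegrity -ne 'Enforced') {
    Write-Warning 'No enforced kernel code-integrity policy: Device Guard is not restricting which code may run.'
}
```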

User Account Control
While this Windows security feature has been around since Windows Vista, it has not yet been fully adopted. A lot of enterprises and government entities allow regular users to have local administrative rights.

For many years, organizations have been giving normal users administrative privileges for several reasons, including:
• Legacy software requiring administrative rights to run.
• Software installation and updates, especially on laptops or portable devices.
• IT personnel, especially developers, to increase their overall productivity and development experience.
• Lack of information security culture. Some organizations are not fully aware of the challenges around information security in general, and users' access in particular.

Why Giving Normal Users Administrative Access Is Dangerous
While giving a user access to install a new printer might not seem that risky, the same access rights allow malicious execution to happen and also spread across an entire network.

Adversaries have been focusing in the last few years on users more than systems and servers. Systems and servers, for the most part, are usually well maintained, patched, and protected by several firewalls and intrusion detection systems. They are also highly and frequently audited by IT and security teams. Users, on the other hand, can perform very inconsistently and make much better targets for attackers.

Malware Spread
People are the weakest link in information security. Many online users are easily deceived into visiting legitimate-looking fake sites or opening unknown emails, making them vulnerable to threat actors. Adversaries find it easy to steal unsuspecting users' credentials and access their systems with their designated privileges.

According to Verizon's 2018 Data Breach Investigations Report (DBIR) [2], 92.4% of malware is delivered by email as users continue to be deceived by phishing attempts, social engineering, and malicious attachments made to look legitimate.

Lateral Movement
Lateral movement is a technique used by adversaries to move through a network in search of data or assets to exfiltrate.

Adversaries use different tools and methods to get higher privileges and access, allowing them to move laterally across the network. If the attacker secures administrative privileges, lateral movement can be challenging to detect, as it may appear like legitimate network traffic to security analysts.

Insider Threats
A Crowd Research Partners survey shows that careless users are the most significant insider threat concern for organizations [3]. And they should be, considering that many high-profile breaches happen as a result of inadequate access management practices and unintentionally exposed administrative credentials.

[2] https://enterprise.verizon.com/resources/reports/DBIR_2018_Report.pdf
[3] http://crowdresearchpartners.com/wp-content/uploads/2017/07/Insider-Threat-Report-2018.pdf

Access To Sensitive Information

Recommendations and Best Practices
• Choose a strong password and enforce a strong password security policy in enterprise environments.
• Require passwords to be frequently changed.
• Enable multi-factor authentication.
• Enable logging and auditing.
• Disable local administrator accounts.
• Enforce an account lockout policy to prevent unlimited attempts to access a machine. The threshold for locking out accounts does not need to be overly restrictive to be effective. For example, a limit of three incorrect attempts, with a reset period of 10 minutes for the lockout counter, will prevent any brute force attempt but allow a legitimate user to enter their password incorrectly a few times.
• Adopt the principle of least privilege access, removing administrative rights and granting them purely on demand.
• Enable disk encryption to protect against data loss following physical theft.
• Enable Windows Hello for Business and allow the user to log in with a PIN code that can be the same as the one used to authenticate to BitLocker.
• When possible (Windows 10), enable Secure Boot. A UEFI password can make it more difficult for an attacker to modify the boot process.
• Configure Windows Update to automatically download and install updates as soon as possible.
• Disable PowerShell everywhere possible. Blocking PowerShell across endpoints eliminates the risk of a whole class of cyber attacks.
• Disable Command Prompt access or the ability to execute batch files and scripts.
• Applications that have any built-in security functionality should have it enabled and appropriately configured, with unrequired functionality disabled. For example, Microsoft Office should by default be configured to block untrusted macros in Office documents from automatically executing without user interaction.
• Limit credential caching to one login and don't allow storage of passwords and credentials for network authentication.
• Disable Remote Shell access, as it can allow an adversary to remotely execute scripts and commands.
• Enable Early Launch Anti-Malware (ELAM) to be used in conjunction with Secure Boot. An ELAM driver can be registered as the first non-Microsoft driver that will be initialized on a workstation as part of the boot process, thus allowing it to verify all subsequent drivers before they are initialized. Only known good drivers should be allowed to be initialized during the boot process.
• Uninstall unneeded built-in Microsoft applications and always use the latest possible version of web browsers.
• Use a 64-bit architecture whenever possible, as it has additional security functionality that the x86 (32-bit) versions lack.
• Centrally manage and deploy patches and driver updates and ensure they are installed in an appropriate timeframe (as determined by the severity of the security vulnerability and any mitigating measures already in place). This can be achieved using Microsoft System Center Configuration Manager (SCCM) and Windows Server Update Services (WSUS).
• Antivirus software should be installed. It is actually recommended to use more than an antivirus, as they may only cover attacks that have been previously defined. Adapt to the new era of endpoint security by introducing an artificial-intelligence-based approach and leverage cloud-based services when beneficial.
• Disable Autoplay and AutoRun functionality and restrict USB devices to trusted ones.
• Disable Remote Desktop Services. If necessary, configure Remote Desktop Services as securely as possible and only for the machines and users with a specific need.
• Disable Safe Mode, as well as Safe Mode with Networking and Safe Mode with Command Prompt. These options may allow attackers to bypass system protections.
• Enable session locking. An adversary with physical access to an unattended workstation may attempt to inappropriately access other users' sessions to misuse their credentials. They may seek to obtain sensitive information or ruin someone's reputation by engaging in malicious or suspicious communications.
• Configure and enforce secure Windows Remote Management, and disallow WinRM from storing RunAs credentials.
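Several of the recommendations above map to concrete, checkable settings: the three-attempt lockout with a 10-minute counter reset, the disabled built-in Administrator account, least-privilege membership of the local Administrators group, a cached-logon count of one, disabled AutoRun, disabled Remote Desktop, WinRM barred from storing RunAs credentials, Secure Boot and BitLocker. The audit below is an added example, not part of the paper, that reads those settings from their documented locations (`net accounts`, the Winlogon, Explorer policy, Terminal Server and WinRM policy registry keys, `Confirm-SecureBootUEFI`, `Get-BitLockerVolume`) and reports each against the paper's value; the pass thresholds are my reading of the text, and the script assumes PowerShell 5.1 or later run as Administrator on Windows 10.

```powershell
# Added audit script (not from the paper): checks a Windows 10 host against the
# concrete settings the recommendations list calls for. Assumes PowerShell 5.1+
# run as Administrator; registry paths are the documented policy locations.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-LockoutPolicy {
    # 'net accounts' prints the effective local policy (use '/domain' for the domain policy);
    # a threshold of 'Never' means lockout is off, which the regex treats as 0.
    $text = (net accounts) -join "`n"
    $threshold = if ($text -match 'Lockout threshold:\s+(\d+)') { [int]$Matches[1] } else { 0 }
    $window    = if ($text -match 'Lockout observation window \(minutes\):\s+(\d+)') { [int]$Matches[1] } else { 0 }
    [pscustomobject]@{ Threshold = $threshold; WindowMinutes = $window }
}

function Test-SecureBoot {
    try { [bool](Confirm-SecureBootUEFI) } catch { $false }   # throws on legacy BIOS firmware
}

function Test-OsDriveEncrypted {
    try { (Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus -eq 'On' } catch { $false }
}

function Get-StandingLocalAdmins {
    # User accounts with permanent membership in Administrators, excluding the built-in RID-500 account.
    try {
        Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
            Where-Object { $_.ObjectClass -eq 'User' -and $_.SID.Value -notlike '*-500' } |
            Select-Object -ExpandProperty Name
    } catch { @() }
}

function Get-HardeningReport {
    $lock    = Get-LockoutPolicy
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    $cached  = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'CachedLogonsCount'
    $autorun = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
    $rdpOff  = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
    $runAs   = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' 'DisableRunAs'
    $admins  = @(Get-StandingLocalAdmins)
    $sb      = Test-SecureBoot
    $bl      = Test-OsDriveEncrypted

    $rows = @(
        # Paper: three incorrect attempts, lockout counter reset after 10 minutes.
        [ordered]@{ Check = 'Lockout threshold set and <= 3';  Actual = $lock.Threshold;     Pass = ($lock.Threshold -ge 1 -and $lock.Threshold -le 3) },
        [ordered]@{ Check = 'Lockout window >= 10 minutes';    Actual = $lock.WindowMinutes; Pass = ($lock.Threshold -ge 1 -and $lock.WindowMinutes -ge 10) },
        [ordered]@{ Check = 'Built-in Administrator disabled'; Actual = $builtin.Enabled;    Pass = ($null -ne $builtin -and -not $builtin.Enabled) },
        [ordered]@{ Check = 'No standing local admin users';   Actual = ($admins -join ','); Pass = ($admins.Count -eq 0) },
        [ordered]@{ Check = 'Cached logons limited to 1';      Actual = $cached;             Pass = ($null -ne $cached -and [int]$cached -le 1) },
        [ordered]@{ Check = 'AutoRun disabled for all drives'; Actual = $autorun;            Pass = ($autorun -eq 255) },   # 0xFF = every drive type
        [ordered]@{ Check = 'Remote Desktop disabled';         Actual = $rdpOff;             Pass = ($rdpOff -eq 1) },
        [ordered]@{ Check = 'WinRM RunAs credentials blocked'; Actual = $runAs;              Pass = ($runAs -eq 1) },
        [ordered]@{ Check = 'UEFI Secure Boot enabled';        Actual = $sb;                 Pass = $sb },
        [ordered]@{ Check = 'OS drive BitLocker protected';    Actual = $bl;                 Pass = $bl }
    )
    $rows | ForEach-Object { [pscustomobject]$_ }
}

$report = Get-HardeningReport
$report | Format-Table Check, Actual, Pass -AutoSize
$failed = @($report | Where-Object { -not $_.Pass }).Count
Write-Host "$failed of $($report.Count) checks failed"
exit $failed
```

The non-zero exit code on failure lets the script run as a scheduled compliance check whose result a management tool can collect.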

How Can BlackBerry Cylance Help?
Today's advanced cyber threats target every computer, mobile device, and enterprise endpoint, especially those related to critical infrastructure like industrial control systems (ICS). The modern computing landscape consists of a complex array of physical, mobile, cloud, and virtual computing, creating a vast attack surface. Meanwhile, the cybersecurity industry is prolific with defense-in-depth security technologies, despite a threat landscape that remains highly dynamic, sophisticated, and automated.

BlackBerry Cylance takes a different, innovative approach of using real-time, machine learning threat analysis to solve this problem for organizations, governments, and end-users worldwide — demonstrating its leadership as a global cybersecurity solutions provider.

BlackBerry Cylance uses artificial intelligence (AI) to deliver prevention-first, predictive security solutions that change how organizations, governments, and end-users approach endpoint security. BlackBerry Cylance's security solutions combine AI-driven predictive prevention with dynamic threat detection and response to deliver full spectrum threat prevention and threat visibility across the enterprise.

Pre-Execution Prevention
BlackBerry Cylance's next-generation antivirus product, CylancePROTECT®, delivers industry-leading malware prevention powered by AI, combined with application and script control, memory protection, and device policy enforcement to prevent successful cyber attacks.

Without the use of signatures or the need to stream data to the cloud, CylancePROTECT combats common threats such as malware, ransomware, fileless malware, malicious scripts, weaponized docs, and many other attack vectors, no matter where the endpoint resides. With unmatched effectiveness, ease of use, and minimal system impact, CylancePROTECT is the best way to prevent both known and unknown attacks before they can execute.

Malware Execution Control
Malware Execution Control is the core protection technology of CylancePROTECT. This technology leverages AI and machine learning to detect and prevent malware on Windows, Mac, and Linux environments before it executes. This revolutionary approach provides effectiveness far beyond traditional signature-based approaches. The CylancePROTECT agent architecture consists of a lightweight agent installed on the host and managed by a BlackBerry® Cylance® console.

One of the key capabilities of CylancePROTECT is malware execution control, which will detect and prevent malware using tested mathematical models on the host, independent of cloud connectivity, signatures, trust-based systems, or behavioral analysis. It is capable of detecting and quarantining malware in both open and isolated networks without the need for continual updates, rendering malware, ransomware, fileless attacks, bots, and future variants useless.

Script Control
CylancePROTECT offers integrated script control to assist its superior AI-based malware execution prevention technologies, giving administrative control over when, where, and how scripts are used in an environment. This ultimately reduces the attack surface on which a threat actor may distribute malware.

CylancePROTECT Script Control protects users from malicious scripts running on their devices by injecting itself into a script interpreter (responsible for the execution of scripts) to monitor and safeguard against scripts running in an environment. The agent is then able to detect the script and script path before the script is executed. Depending on the policy set for script control (alert or block), the agent will allow or block the execution of the script.

[Figure: timeline of endpoint security approaches. Past: AV, HIPS / Anti-Exploitation, Sandboxing (Humans Needed; Post-Execution: REACTIVE). Present: Isolation, EDR (Specialized Humans Needed). Future: AI (No Humans Needed; Pre-Execution: PREDICTIVE).]

Memory Defense
CylancePROTECT detects and prevents file exploitations from delivering their malicious payloads in both the operating system (OS) and memory layers.

CylancePROTECT memory protection abilities are similar to those found in modern host intrusion prevention systems, but without the configuration complexity. Memory protection adds an additional layer of security and strengthens the OS's basic protection features, such as data execution prevention, address space layout randomization, and the enhanced mitigation experience toolkit.

In many breach events, a benign process is initially exploited by malicious payload code. The most common incidents involve a user browsing to a malicious website or a user executing malicious macros in documents. When this occurs, the attacker's payload code executes in the memory of the browser or application without attempting to create or execute a new malicious executable. When deployed on servers, CylancePROTECT's memory protection capabilities prevent the exploitation of many of the most common classes of vulnerabilities, such as exploits for buffer overflows and use-after-free.

CylancePROTECT's memory protection module is comprised of an agent dynamic-link library loaded into each protected process, and a service component to supply configurations, receive information, and respond to events. The agent hooks various user-mode application program interface (API) functions to maintain a secure state and watch for specific hard-coded behaviors indicative of a compromise. Whenever such a behavior is detected, an event is communicated to the service before the hooked API function is allowed to complete.

CylancePROTECT Memory Exploit Prevention Stops:
• Memory misuse
• Exploitation
• Process injection
• Privilege escalation
• Payload termination

Device Control
Device Control is available as part of CylancePROTECT and provides administrators the ability to control the usage of USB mass storage devices in their environment. Administrators can enable Device Control per the existing Device Policy and can choose to allow or block access to USB mass storage devices.

Device Control policy will only apply to those USB devices classified as mass storage. USB peripherals are not affected. For example, if an administrator creates a policy to block USB mass storage devices, an end-user can still use a USB mouse, but not a USB thumb drive.

As part of Device Control policy, administrators also can define exceptions to the policy. This is done by using the Vendor ID, Product ID, and Serial Number to specify the exception.

Application Control for Fixed-Function Devices
CylancePROTECT Application Control gives organizations the ability to ensure fixed-function devices are in a pristine state continuously, eliminating the drift that may occur over time when devices are left unmanaged.

Augmenting the AI-driven malware prevention capabilities Post-Execution Protection


of CylancePROTECT, Application Control is the easiest way Augmenting CylancePROTECT prevention, CylanceOPTICS™
to ensure fixed-function devices: is an endpoint detection and response (EDR) component
•• Remain compromise free continuously that enables easy root cause analysis, threat hunting,
and automated threat detection and response. Unlike
•• Are available for their specific function 24x7
other EDR products that require organizations to make
•• Are no longer susceptible to disruptions from a a significant investment in on-premises infrastructure
successful attack and/or stream data to the cloud continuously, and employ
highly-skilled security resources, CylanceOPTICS is
Unauthorized applications on fixed-function devices, such
designed to automate the threat detection and response
as an ATM or kiosk, significantly increase the risk of a
tasks using existing resources.
breach or compromise. To combat the risk associated with
an attacker gaining access to these devices and installing With CylanceOPTICS, security analysts can dissect any
a malicious app, organizations need an easy way to ensure CylancePROTECT-prevented attack to determine the
the device is only used for its intended purpose. root cause to improve their overall security framework.
CylanceOPTICS also provides enterprise-wide threat
The Application Control capability included with
hunting capabilities powered by InstaQuery (IQ), enabling
CylancePROTECT provides a streamlined approach to
on-demand threat hunting with instant access to the
application usage enforcement and policy management.
results. Analysts can then quickly determine if an endpoint
Management Console Reporting is at risk, minimizing dwell time and reducing the attack
Securing an organization’s endpoints and servers from surface. Further, analysts can use the automated
compromise is the number one priority of BlackBerry threat detection and response capabilities to create
Cylance security solutions. Using patented AI and purpose- custom rules, or use the rules provided by BlackBerry
built security features, BlackBerry Cylance products Cylance, to automatically detect suspicious behaviors
deliver continuous prevention, ensuring sensitive data and take specific response actions without human
remains secure. intervention. Finally, CylanceOPTICS delivers AI-driven
With BlackBerry Cylance’s management console reporting incident prevention, a force multiplier for any security
capabilities, users can easily get real-time interactive team. Powered by machine learning threat detection
statistics, increasing their situational awareness and modules developed to run on the endpoint, CylanceOPTICS
gaining insight into their potential attack surface. continuously analyzes changes occurring on each
endpoint. This analysis can uncover threats that would be
difficult, if not impossible, for a human analyst to uncover
in a reasonable amount of time. When a potential threat

Windows Security — Going Back To Basics | 9


is identified, CylanceOPTICS can take decisive actions, Powered by machine learning threat detection modules
in real time, to stop the attack and avoid the cost, risk, for the endpoint, CylanceOPTICS continuously analyzes
and long-term impacts that come with a widespread changes occurring on each endpoint to uncover threats
security incident. that would be difficult, if not impossible, for a human
analyst to uncover in a reasonable amount of time.
Perform Targeted Threat Hunting
Some malicious activities are easy to identify, while When a potential threat is identified, CylanceOPTICS can
others are anything but cut and dry. When a computer take decisive actions, in real time, to stop the attack and
begins to behave irregularly, or it is determined that an avoid the cost, risk, and long-term impacts that come with
endpoint may be at risk of compromise, it is critical that an a widespread security incident. The combination of these
organization’s security toolkit gives it the visibility required threat detection capabilities provides broad protection
to make definitive judgments. BlackBerry Cylance provides against attacks.
immediate access to the forensically-relevant data stored MITRE ATT&CK Framework Rules Packages
on any endpoint. Within moments of a suspicious activity The BlackBerry Cylance CAE, the driving force behind
being identified, searches can be targeted to the exact threat detection and response, comes with a pre-
threat being investigated. configured set of rules mapped to the MITRE ATT&CK
Use Indicators of Compromise To Find Threats Framework, improving threat detection capabilities.
Threat hunting can be described as the act of forming Endpoint Only Response Actions
a hypothesis and then running a series of searches/ Even with security controls in place, no business can
investigations, using indicators of compromise or other guarantee that every single attack can be stopped. This
terms, to either prove or disprove that hypothesis. means organizations must be prepared to respond
Having access to the right data is at the essential core of when an attack is detected. With BlackBerry Cylance,
performing this skill effectively. Targeted threat hunting enterprises get fully-integrated automated incident
with refined results is capable with BlackBerry Cylance, response capabilities. If an attack is detected, a response
delivering access to both current and historical endpoint data. Unlike other tools that store every piece of data from an endpoint, BlackBerry Cylance stores only the forensically relevant data, so security teams do not have to sift through mountains of irrelevant information to find threats.

Dynamic Threat Detection
There are several ways to identify potential threats and compromises. First, security analysts can search across endpoints for suspicious artifacts and, through manual investigation, determine that a threat exists. While there is tremendous value in this process, it does not scale across an enterprise. To root out threats hidden on endpoints, an automated approach to threat detection must be used. BlackBerry Cylance includes a rule-based engine deployed on every endpoint, the Context Analysis Engine (CAE), that identifies potential threats automatically. The CAE is a high-performance analysis and correlation engine that monitors events as they occur on an endpoint, in near real time, to identify malicious or suspicious activity. This 24x7 monitoring requires no cloud connection. The CAE ships with a set of curated rules provided by BlackBerry Cylance and also lets organizations write customized rules of their own.

While detection rule engines are necessary, it is difficult to model every possible attack behavior. To that end, BlackBerry Cylance also includes AI-based incident prevention.

can be initiated automatically, with no human intervention and no cloud connection required. All detection and response mechanisms are self-contained on the endpoint and can therefore act immediately.

If further responses are required, the item in question can be quarantined and the endpoint can be locked down, disabling its ability to communicate with any other endpoints. Forensic data from the impacted endpoint can be collected to gain further context about the incident. Identifying a security concern is important, but the ability to respond automatically is a necessity, and with BlackBerry Cylance organizations have that ability. True endpoint security does not come from prevention or detection alone. To combat today's attacks, organizations must have strong prevention and detection capabilities in place to keep pace with attackers. With BlackBerry Cylance, enterprises get both in one solution, maximizing the return on security stack investments, making analysts more efficient, and making the business more secure.

Playbook-Driven Response
When a rule is triggered, a set of discrete response tasks is initiated automatically. Playbook-driven response capabilities help organizations eliminate dwell time by ensuring that threat responses are fast and consistent across the environment, regardless of the skill level of the on-duty security personnel.
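The two mechanisms described above, an on-endpoint rule engine that correlates events as they happen and a playbook that fires response tasks the moment a rule matches, are easier to reason about with a concrete model. The following is an added illustration written for this page; it is not BlackBerry Cylance code, and the CAE's real rule format, event schema and response API are not shown on this page, so the event fields, the rule representation, the 60-second correlation window and the playbook task names are all assumptions. The sample telemetry is constructed: a macro-enabled Word document spawns hidden, encoded PowerShell that then connects outbound, followed by an ordinary administrative PowerShell run that must not be flagged. Rules are plain callables over the current event plus per-endpoint state, so a "curated" rule and a "custom" rule are the same kind of object; response tasks are recorded rather than executed, since a real agent would call the operating system or the EDR service at that point.

```python
"""Toy on-endpoint rule engine with playbook-driven response.

Added example, not BlackBerry Cylance code. Event fields, rule syntax,
correlation window and playbook task names are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable

# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS = [
    {"ts": "2019-10-16T09:00:01", "host": "WS-042", "event": "process_start", "pid": 4100, "ppid": 880,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": 'WINWORD.EXE /n "quarterly_report.docm"'},
    {"ts": "2019-10-16T09:00:07", "host": "WS-042", "event": "process_start", "pid": 4188, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ts": "2019-10-16T09:00:09", "host": "WS-042", "event": "network_connect", "pid": 4188,
     "dest": "203.0.113.25:443"},
    {"ts": "2019-10-16T09:30:00", "host": "WS-042", "event": "process_start", "pid": 5001, "ppid": 700,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},  # benign admin use
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# PowerShell accepts unambiguous prefixes of -EncodedCommand, so attackers use the short forms.
ENCODED_SWITCHES = {"-e", "-ec", "-enc", "-encodedcommand"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, e.g. 'powershell.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


@dataclass
class EngineState:
    """Per-endpoint state that lets rules correlate across events."""
    processes: dict = field(default_factory=dict)  # pid -> process_start event
    flagged: dict = field(default_factory=dict)    # pid -> time the pid was first flagged


@dataclass
class Rule:
    name: str
    severity: str
    match: Callable[[dict, EngineState], bool]
    playbook: list  # ordered response tasks; an empty list means alert only


def office_spawns_script_host(ev: dict, st: EngineState) -> bool:
    """Parent/child correlation: an Office process launching a script interpreter."""
    parent = st.processes.get(ev.get("ppid"))
    return (ev["event"] == "process_start" and parent is not None
            and basename(parent["image"]) in OFFICE_APPS
            and basename(ev["image"]) in SCRIPT_HOSTS)


def encoded_powershell(ev: dict, st: EngineState) -> bool:
    """Single-event rule: PowerShell started with an encoded command line."""
    if ev["event"] != "process_start" or basename(ev["image"]) != "powershell.exe":
        return False
    return any(tok in ENCODED_SWITCHES for tok in ev["cmdline"].lower().split())


def flagged_process_connects_out(ev: dict, st: EngineState) -> bool:
    """Temporal correlation: a process flagged by another rule calls out within 60 s."""
    flagged_at = st.flagged.get(ev.get("pid"))
    return (ev["event"] == "network_connect" and flagged_at is not None
            and parse_ts(ev["ts"]) - flagged_at <= timedelta(seconds=60))


# "Curated" rule set; a customer-written Rule is added to this list in exactly the same way.
CURATED_RULES = [
    Rule("office_spawns_script_host", "high", office_spawns_script_host, ["kill_process", "collect_forensics"]),
    Rule("encoded_powershell", "low", encoded_powershell, []),
    Rule("flagged_process_connects_out", "critical", flagged_process_connects_out, ["isolate_host"]),
]


def execute_playbook(rule: Rule, ev: dict, st: EngineState) -> list:
    """Run the rule's response tasks locally, with no analyst or cloud round-trip.
    Tasks are recorded as strings here; a real agent would act on the OS/EDR."""
    proc = st.processes.get(ev["pid"], ev)
    performed = []
    for task in rule.playbook:
        if task == "kill_process":
            performed.append(f"kill_process pid={ev['pid']}")
        elif task == "quarantine_file":
            performed.append(f"quarantine_file path={proc['image']}")
        elif task == "isolate_host":
            performed.append(f"isolate_host host={ev['host']}")
        elif task == "collect_forensics":
            performed.append(f"collect_forensics host={ev['host']} pid={ev['pid']}")
        else:
            raise ValueError(f"unknown playbook task {task!r}")
    return performed


def run_engine(events: list, rules: list):
    """Evaluate every rule against every event in time order.
    Returns (detections, actions): detections are (rule, severity, host, pid) tuples."""
    st = EngineState()
    detections, actions = [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "process_start":
            st.processes[ev["pid"]] = ev
        for rule in rules:
            if rule.match(ev, st):
                detections.append((rule.name, rule.severity, ev["host"], ev["pid"]))
                st.flagged.setdefault(ev["pid"], parse_ts(ev["ts"]))
                actions.extend(execute_playbook(rule, ev, st))
    return detections, actions


if __name__ == "__main__":
    dets, acts = run_engine(SAMPLE_EVENTS, CURATED_RULES)
    for d in dets:
        print("DETECT", *d)
    for a in acts:
        print("RESPOND", a)
```

Two design points carry over to any real engine of this kind. First, the state is what makes correlation possible: the network-connect rule knows nothing about Office or PowerShell, it only asks whether the connecting process was already flagged recently, so a new parent/child rule automatically extends the isolation logic. Second, severity and playbook are separate: the encoded-PowerShell rule alerts without acting because administrators use that switch legitimately, whereas the Office-spawned interpreter is killed at once, which is the difference between a detection and a response that reduces dwell time.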
Behavioral and Biometrics Analytics
CylancePERSONA™ is an AI-driven behavior and biometric analysis solution designed to identify suspicious users in real time and prevent compromises. Augmenting the AI-driven threat and incident prevention capabilities of CylancePROTECT and CylanceOPTICS, CylancePERSONA adds the user dimension to the attack surface protection provided by BlackBerry Cylance.

With CylancePERSONA, enterprises can:
• Reduce attacks executed by users with legitimate credentials
• Ensure the user is legitimate and stop the use of stolen credentials, the basis of 80% of data breaches
• Proactively block flagged users without requiring action from security personnel

Managed Detection and Response
CylanceGUARD™ is a 24x7 managed detection and response offering that provides actionable intelligence so customers can prevent threats quickly while minimizing alert fatigue and without adding resources. Using the same expertise and methods as the BlackBerry Cylance incident response team, analysts from BlackBerry Cylance or a strategic partner hunt through customer environments to find and contain threats, prevent significant breaches, and help organizations mature their security program. CylanceGUARD leverages the BlackBerry Cylance AI Platform™, combining the pre-execution prevention of CylancePROTECT with the post-execution monitoring and blocking of CylanceOPTICS.

About BlackBerry Cylance
BlackBerry Cylance develops artificial intelligence to deliver prevention-first, predictive security products and smart, simple, secure solutions that change how organizations approach endpoint security. BlackBerry Cylance provides full-spectrum predictive threat prevention and visibility across the enterprise to combat the most notorious and advanced cybersecurity attacks, fortifying endpoints to promote security hygiene in the security operations center, throughout global networks, and even on employees' home networks. With AI-based malware prevention, threat hunting, automated detection and response, and expert security services, BlackBerry Cylance protects the endpoint without increasing staff workload or costs.

Consulting Services
BlackBerry Cylance also provides world-class cybersecurity consulting services.
BlackBerry Cylance’s consultants help clients address cybersecurity concerns and
challenges of all types, working with clients to construct a reliable and effective
security posture while utilizing prevention-first methodologies.
BlackBerry Cylance’s industry-leading experts provide the technical expertise
needed to effectively analyze cybersecurity requirements and to design
comprehensive solutions to meet client goals and objectives. The number-one
priority of BlackBerry Cylance’s consulting services is to secure clients as quickly
as possible using advances in automation, including artificial intelligence and
machine learning.

Next Steps
While Microsoft has made great strides in securing Windows over the years, security gaps remain, the most prominent of which is the human factor, and organizations must address them to prevent damaging and costly breaches. Loss of reputation, loss of user and customer trust, and steep fines for non-compliance with security regulations can greatly impact organizations that do not build on the security features provided by Windows to address threats such as zero-day malware, fileless attacks, and phishing. While people can be an organization's greatest asset, they can also be its greatest threat when it comes to cyber attacks.

To learn more about how your organization can benefit from BlackBerry Cylance’s
AI-based security products and its team of security experts, visit www.cylance.com
or contact us today.
+1-844-CYLANCE
[email protected]
www.cylance.com

© 2019 Cylance Inc. Trademarks, including BLACKBERRY, EMBLEM Design, CYLANCE, and CYLANCEPROTECT are trademarks or registered trademarks of BlackBerry Limited, its affiliates, and/or subsidiaries, used under license, and the exclusive rights to such trademarks are expressly reserved. All other trademarks are the property of their respective owners. SALES 19-0684-20191016
