BlackBerry Cylance adds UEBA monitoring capabilities to platform with CylancePERSONA

The new capability for intelligent detection of anomalous behavior fills what had been a void in the Cylance endpoint offering, one the company has been working to address for an extended time.

Kumud Kalia, CTO/CIO of BlackBerry Cylance

BlackBerry’s acquisition of endpoint protection provider Cylance closed last week, and today the BlackBerry Cylance business unit announced a major upgrade to the platform that Cylance had been working on for close to two years. The company has introduced CylancePERSONA, an AI-driven proactive UEBA [user and entity behavior analytics] add-on to its platform that adds a monitoring capability for identifying suspicious users in real time.

“We have not had a capability in the UEBA space before because we have been focused on prevention – stopping threats coming in,” said Kumud Kalia, CTO/CIO of BlackBerry Cylance. “This is something that we have been talking about doing for a while, and we have been working on this for close to two years. This step into the space is our first serious commitment. From an optics perspective, this was the time to introduce something credible to combat lateral movement.”

This is not the first real-time UEBA capability on the market, but some offerings on the market lack it, which Kalia said makes it a differentiator.

“Most classic UEBA are history and not current,” he said. “This provides the protection in real time.”

CylancePERSONA sensors both detect and score malicious and anomalous conduct, using continuous biometric monitoring of user behavior through real-time detection of suspicious keyboard and mouse actions in the context of previous user login activity.

“We use a number of different lenses to look at baseline user behavior and detect anything that’s different for the context of a particular user, such as the time of day they log in, the sites that they visit, the places they sign on from, and the applications that they use,” Kalia said. “From these, we calculate a composite Cylance Trust Score, and if we see that Trust Score deteriorate, we can interrupt user activity with automated challenges like requiring a second password, and can suspend or log off the user if the response isn’t adequate.”

UEBA products started out as standalones aimed at larger enterprises, and some of the startups that made them have been acquired and their technology integrated into other vendors’ SIEMs. Kalia said that an advantage of CylancePERSONA is its ability to fit in with other solutions rather than simply replace them.

“Customers are very interested in being able to deploy what they have already, and not have to replace things,” he said. “If they have a SIEM and trust that, they can leverage our technology the same way, because it is all enabled by our APIs. They can pull our trust score into a SIEM or bespoke solution they built for themselves. We have made it as flexible as possible, to maximize user choice. That’s how the user is evolving. We don’t want to force them to change how they manage their security fabric. We want to integrate with it.”

CylancePERSONA will be sold as an upsell to customers who have already bought the company’s software, since it uses the same agent.

“It is an option for them,” Kalia said. “They don’t have to use it, or buy it if they don’t want to.”

He indicated, however, that BlackBerry Cylance thinks many of them will want to.

“End users want simplicity,” he said. “We can provide a single agent solution rather than multiple agents in their end points and multiple points of management. That’s compelling for them. And if it’s simpler for customers, that’s better for partners.”

BlackBerry Cylance is demonstrating CylancePERSONA at RSA through Thursday, at Booth #6145 in the North Hall of the Moscone Center.