How CylanceOPTICS collects and uses data

For complete information about this product, see the Cylance Endpoint Security docs.
Item
Data collection and use
Collecting data to detect and respond to threats
  • CylanceOPTICS is an endpoint detection and response solution that collects and analyzes forensic data from devices to identify and resolve threats before they impact your organization’s users and data.
  • You enable a Windows, macOS, or Linux device for CylanceOPTICS by installing the CylanceOPTICS agent alongside the CylancePROTECT Desktop agent. The CylanceOPTICS agent deploys sensors into the OS at various levels and subsystems to monitor and collect a diverse set of data that is aggregated and stored in the CylanceOPTICS cloud database.
  • You can leverage CylanceOPTICS data in several ways to protect your organization’s environment:
    • You can query device data to investigate security incidents and discover indicators of compromise.
    • You can view visual representations of device data to analyze a chain of events.
    • You can enable detection rules to specify the events that you want CylanceOPTICS to monitor and how you want CylanceOPTICS to respond to those events when they are detected.
  • The CylanceOPTICS agent sends the device data that it collects to the CylanceOPTICS cloud services. The data is aggregated and stored in the secure CylanceOPTICS cloud database. The CylanceOPTICS data analytics services offer rich interpretations of device data that you can access using the management console. For devices with agent version 2.x and earlier, the CylanceOPTICS database is stored locally on the device. Version 3.0 and later automatically aggregates, stores, compresses, and sends the data to the CylanceOPTICS cloud database at regular intervals.
  • CylanceOPTICS also offers features that enhance your ability to respond to potential threats. You can deploy packages that remotely and securely run processes to collect and store desired data, you can lock down devices temporarily to prevent the spread of malware, and you can use remote response sessions to execute device commands.
Collection of endpoint configuration data
BlackBerry collects and processes the following information about the configuration of a device endpoint to assess the impact of potentially malicious activity:
  • Hostname
  • FQDN
  • IP addresses
  • MAC addresses
  • OS information
Collection of endpoint process artifacts
BlackBerry collects and processes the following information about endpoint process artifacts to assess the impact of potentially malicious activity:
  • Name
  • ID
  • Image file path
  • Owner
  • Command line parameters
  • Description
  • Start/end date and time
  • Parent process
  • Process attributes
Collection of endpoint file artifacts
BlackBerry collects and processes the following information about endpoint file artifacts to assess the impact of potentially malicious activity:
  • Path
  • Creation and last modified date and time
  • Owner
  • File hash (MD5 & SHA-256)
  • Alternate data stream information
  • File attributes
  • File type
Collection of endpoint user artifacts
BlackBerry collects and processes the following information about endpoint user artifacts to assess the impact of potentially malicious activity:
  • Username
  • Username unique ID
  • Domain
  • Local group memberships
  • User privileges
  • Home directory path
  • Full name
  • Account status
  • Password age
  • Password status
  • Country code
  • Account type
  • Assigned workstations
  • Failed login attempts
  • Roaming configuration
Collection of endpoint registry artifacts (Windows OS only)
BlackBerry collects and processes the following information about endpoint registry artifacts to assess the impact of potentially malicious activity:
  • Key path
  • Key values
  • Referenced file
Collection of endpoint network artifacts
BlackBerry collects and processes the following information about endpoint network artifacts to assess the impact of potentially malicious activity:
  • DNS activity
  • Source and destination IP address
  • Source and destination port
Collection of endpoint event data
BlackBerry collects and processes the following information about endpoint event data to assess the impact of potentially malicious activity:
  • File hash (MD5/SHA-256)
  • File read events
  • Logon activity
  • Windows event logs
  • All WMI events (for example, trace)
  • Removable media insertion events
  • Removable media file copy events
  • Script execution events (JScript, VBScript, VBA macro script, PowerShell)
  • Name of the user most recently logged in
  • PowerShell strings (for example, log/pass)
  • CylancePROTECT Desktop events (threat protection, memory defense, script control)
Data storage and retention
  • BlackBerry uses the data described above to facilitate the performance of the EULA under which BlackBerry’s services and products are offered. The data is shared only with necessary third-party services that are needed to fulfill the intended purpose of the services.
  • BlackBerry will not sell, lease, or otherwise distribute this information.
  • Endpoint configuration data is removed 30 days after the end of the contract.
  • Endpoint artifact and event data is stored in the CylanceOPTICS cloud database and is accessible for 30 days. Data is stored in long-term backup storage for up to 15 months or 30 days after the end of contract (whichever is less).
  • In CylanceOPTICS agent 3.0 and later, the data that is collected by the CylanceOPTICS sensors is cached locally before it is sent to the cloud database. If the device is offline, the data is cached until the device can connect to the cloud database. A maximum of 1 GB of data can be stored locally. If more than 1 GB of data is stored before it can be uploaded, the lowest priority data will be deleted so that higher priority data can be cached.
  • Detections data is stored in the CylanceOPTICS cloud database and is accessible for 30 days. Data is stored in long-term backup storage for up to 15 months or 30 days after the end of contract (whichever is less).
  • InstaQuery data is stored in the CylanceOPTICS cloud database and is accessible for 60 days.
  • Focus view data is stored in the CylanceOPTICS cloud database for 30 days.
  • Remote response transaction logs are stored for 30 days.
  • The endpoint data that is collected is stored in Amazon Web Services, in a location of the customer's choice:
    • Northern Virginia, US
    • Oregon, US
    • Frankfurt am Main, Germany
    • Sao Paulo, Brazil
    • Tokyo, Japan
    • Sydney, Australia
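The local caching rule described under data storage and retention (a 1 GB cap, with the lowest priority data deleted first when an offline device fills the cache) is modelled below as an added example; this is not BlackBerry's code. The priority numbers, record sizes and event names are constructed assumptions, as is the choice to drop the oldest record among records of equal priority. It shows which telemetry survives a long outage and which is lost before it ever reaches the cloud database.

```python
"""Bounded local telemetry cache with lowest-priority-first eviction.

Added illustration, not BlackBerry code. The cap and the eviction rule are
from the page; priorities, sizes and event names are constructed.
"""
import heapq
from dataclasses import dataclass, field


@dataclass(order=True)
class Record:
    priority: int                  # lower number = lower priority, evicted first (assumed scheme)
    seq: int                       # arrival order; oldest evicted first within a priority (assumed)
    size: int = field(compare=False)
    name: str = field(compare=False)


class TelemetryCache:
    """Holds records until upload; never exceeds max_bytes."""

    def __init__(self, max_bytes):
        self.max_bytes = max_bytes
        self.used = 0
        self._heap = []            # min-heap keyed on (priority, seq)
        self._seq = 0
        self.evicted = []          # names of records lost before upload

    def add(self, name, size, priority):
        """Cache one record; drop lowest-priority (then oldest) records until
        the cap is respected. Returns the names dropped by this call."""
        heapq.heappush(self._heap, Record(priority, self._seq, size, name))
        self._seq += 1
        self.used += size
        dropped = []
        while self.used > self.max_bytes and self._heap:
            victim = heapq.heappop(self._heap)
            self.used -= victim.size
            dropped.append(victim.name)
        self.evicted.extend(dropped)
        return dropped

    def contents(self):
        """Names of records still waiting for upload, sorted for stable comparison."""
        return sorted(r.name for r in self._heap)


if __name__ == "__main__":
    # Constructed offline scenario, scaled down from 1 GB to 100 units.
    cache = TelemetryCache(100)
    for name, size, prio in [("file_read_1", 40, 1), ("file_read_2", 40, 1),
                             ("process_start_1", 40, 3), ("file_read_3", 30, 1)]:
        print(name, "-> dropped:", cache.add(name, size, prio))
    print("still cached:", cache.contents(), "lost:", cache.evicted)
```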