Cybereason XDR offers advanced threat detection and response capabilities designed for comprehensive visibility and control across an organization’s network infrastructure.


| Product | Mindshare (%) |
|---|---|
| Cybereason XDR | 1.0% |
| CrowdStrike Falcon | 9.2% |
| SentinelOne Singularity Endpoint | 6.0% |
| Other | 83.8% |
Built to tackle sophisticated threats, Cybereason XDR integrates multiple security layers to deliver proactive threat intelligence and decision-making agility. The platform enables organizations to detect, analyze, and respond to cyber threats in real time, minimizing potential damage. With its expansive coverage and scalability, Cybereason XDR addresses the needs of enterprise environments requiring a seamless approach to cybersecurity management.
What are the key features of Cybereason XDR?

Industries such as finance, healthcare, and retail benefit from Cybereason XDR through industry-specific threat modules that align with unique requirements. Its adaptability across sectors allows customized implementation strategies ensuring relevant use case optimization for continuous security improvement.
| Author info | Rating | Review Summary |
|---|---|---|
| Business Development Manager for Cybereason at Bechtle | 4.5 | I use Cybereason XDR primarily for clients without a SOC, especially in manufacturing. Its valuable features include data integration from firewalls and Active Directory, but more data source integrations and improved technical support are needed. |
| Head of Research Development and Innovation at CSIR | 4.5 | We primarily use Cybereason XDR for incident responses, leveraging its investigation feature to map breaches effectively. While integration with other security tools needs improvement, tech support is strong but lacks a centralized dashboard like SentinelOne. |
| IT Security and Risk Analyst at a transportation company with 10,001+ employees | 4.0 | I use Cybereason XDR to manage the Cybereason agent and investigate alerts due to its user-friendly interface and compatibility with legacy systems. However, it lacks a guide like Microsoft's tools, requiring reliance on training and documentation. |

I use Cybereason XDR for customers who don't have a SOC or managed SOC yet and want to be protected on more than their desktops. It is especially used in the manufacturing industry, yet not exclusively.
The integration of data from firewalls and Active Directory is most valuable. Cybereason XDR facilitates two-way communication, where the firewall sends data to the Cybereason system, and it can communicate with the firewall to stop unwanted communication.
Customers can deal with multiple types of firewalls with ease. The behavioral analytics help detect advanced threats when attackers use existing software. The multilayered protection approach, including NGAV, integrates XDR detection with antivirus to assess and counter threats effectively.
There could be more integrations with other data sources like NDR systems. Additionally, technical support has been slow in recent times. Enabling multifactor authentication has been problematic for some customers.
I would rate the stability an eight out of ten. Sometimes, the IP address changes or upgrades cause glitches. Other than that, the stability is generally satisfactory.
I rate the scalability a nine out of ten.
It scales very well for large environments. However, for smaller customers, the price rather than the technology might be a hindrance.
Customer service is rated as a five out of ten.
When they work and reach the right level, they are helpful, but getting to the right person can be time-consuming.
Neutral
The initial setup was relatively easy, rated as an eight out of ten. It usually takes a few days to deploy.
The deployment is carried out by Cybereason. We describe the environment and prepare the installation process for their onboarding team.
Pricing is rather expensive, rated as a seven out of ten. However, compared to competitors, it is lower yet considered a high-end product. Customers usually pay anywhere from 50,000 to 60,000 euros to nearly one million euros for a three-year term.
I rate Cybereason XDR a nine out of ten. I recommend having hands-on experience and doing some threat hunting to familiarize yourself with the handling.

We have mostly been using it to help us look into responses. We usually deploy it during the incident response scenarios, trying to find out what happened in an environment.
The solution has an investigation feature, which is useful for building storylines. There is a chain of events when an incident occurs, and the solution shows a nice map of exactly where the initial breach was and where it connects to, allowing you to scroll down with that investigation feature. The solution helps determine how the initial breach happens, what the attacker did, and if it was deployed in the environment.
The one thing we sometimes have issues with is its integration with other security applications like antiviruses.
We connect this solution to many companies, so we set up new custom rules for every company. If there could be a way to manage custom rules and push them to all our customers, that would be lovely. However, it might not be necessary because each customer will have their input. But because we have to manage multiple instances of it, that creates a problem sometimes.
I have been working with this solution for about three years now.
The only problem comes internally when other security tools are in the field or the middle of the field. On its own, the tool is fairly stable. But as soon as there's another antivirus, another security solution, or another honeypot solution, it gets triggered, and that causes issues. There have been some issues where the users needed to find out what happened from both sides.
I rate the solution's scalability a seven out of ten.
We have never had a client that had more endpoints than the solution could handle. So far, so good. The largest deployment we have had is just over 4,000 endpoints. We have not done anything larger than that, but the solution worked perfectly fine for 4,000 endpoints.
I rate the solution's scalability a ten out of ten. I have had no issues with scalability.
Cybereason's support is very good. They are very quick at setting up a new instance. Usually, when we have an IR, they set it up for us within an hour. We have never had any issues that took more than a day to be resolved.
Positive
We also use Palo Alto's XDR, SentinelOne, Trend Micro, and quite a few others.
SentinelOne is nice because you have a centralized dashboard. You just have a single instance and can manage all your clients from one central dashboard, which Cybereason currently lacks. It hinders our use case because we have to redeploy our rules. However, SentinelOne's search feature is slightly more limited than Cybereason's. SentinelOne's search feature is very restrictive, and they have a certain way you have to do it. If you don't follow that way, you're kind of stuck. The deployability is the same, and we have not had scalability issues. We don't work with a larger client. Our largest deployment was about 3,000 endpoints. Cybereason's tech support or the support engineer tends to be slightly better than SentinelOne's because there is no direct contact for support in our region. We usually have to reach out to either the European or the American branches for assistance. There's a bit of a time delay or something that happens. Those are the only major differences.
The solution is very easy to set up. We have used a PowerShell script to push it out, and then we have an ECCM script that we push out to most clients. We just have to deal with a few clients that don't necessarily allow that in their environment. We have got a couple of workarounds for that. We have quite a few ways to deploy the solution easily.
As for the deployment, it mostly depends on the client, but about 90% of the time, it's on the cloud. Two clients had it on-premises, but we mostly deployed the solution on the cloud.
During incident response, we try to deploy most of the server environment within four hours of the initial breach. The rest of it takes about 48 hours. Or at least we can get as much as possible because there might be some laptops we can't access. We try to get most of the coverage within 48 hours, but we usually deploy critical infrastructure like servers within four hours.
Whenever we deploy Cybereason XDR, we enrich data feeds with external fixed feeds. The tool picks up a lot of known vulnerabilities, and getting additional data feeds can help with some of the detection, especially some of the more unknown detections. If people are going to deploy Cybereason XDR, I would suggest integrating it with some sort of threat feed or indicator-of-compromise list to cross-correlate with what Cybereason picks up, to help speed up our investigations and improve threat detection.
I rate Cybereason XDR a nine out of ten.
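The cross-correlation the reviewer above recommends, as an added example (not Cybereason's code or API): a small Python enrichment step that normalizes defanged feed indicators and tags constructed detection records with matching hashes, CIDR ranges and domains (including parent domains). The detection field names and all sample values are assumptions.

```python
import ipaddress, re

# Constructed threat feed: entries arrive defanged (hxxp, [.]) and in mixed case.
THREAT_FEED = ["hxxp://malicious-update[.]example/installer.exe", "198.51.100.0/24",
               "EVIL-C2[.]EXAMPLE",
               "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"]
# Constructed detection records; field names are assumptions, not a real XDR schema.
DETECTIONS = [
    {"host": "srv-01", "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "dst_ip": "198.51.100.23", "domain": "beacon.evil-c2.example"},
    {"host": "lt-07", "sha256": "", "dst_ip": "203.0.113.5", "domain": "updates.vendor.example"},
]

def refang(value):
    # Undo common defanging so feed values compare with live telemetry.
    return value.strip().lower().replace("[.]", ".").replace("hxxp", "http")

def classify(indicator):
    # Map one feed entry to (kind, normalized value): hash, net or domain.
    v = refang(indicator)
    if re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", v):
        return "hash", v
    try:
        return "net", ipaddress.ip_network(v, strict=False)
    except ValueError:
        if "://" in v:  # URL: keep only the host part for matching
            v = v.split("://", 1)[1].split("/", 1)[0]
        return "domain", v

def build_index(feed):
    # ip_network objects are hashable, so every kind can live in a set.
    idx = {"hash": set(), "net": set(), "domain": set()}
    for raw in feed:
        kind, norm = classify(raw)
        idx[kind].add(norm)
    return idx

def correlate(detections, idx):
    # Tag each detection with the feed indicators it matches (hash, CIDR, domain/parent).
    out = []
    for d in detections:
        hits = []
        h = d.get("sha256", "").lower()
        if h in idx["hash"]:
            hits.append(("hash", h))
        if d.get("dst_ip"):
            addr = ipaddress.ip_address(d["dst_ip"])
            hits += [("net", str(n)) for n in idx["net"] if addr in n]
        parts = d.get("domain", "").lower().split(".")
        for i in range(len(parts) - 1):  # the domain itself, then each parent domain
            if ".".join(parts[i:]) in idx["domain"]:
                hits.append(("domain", ".".join(parts[i:])))
        out.append({**d, "ioc_hits": hits})
    return out
```

Detections with an empty `ioc_hits` list are left for the normal triage queue; those with hits can be escalated first.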
We use the solution to administer the Cybereason agent from the customer side. I also investigate alerts and cases where the Cybereason token side does not have enough information or visibility.
Cybereason XDR's most useful feature is the investigation. The way you can build query insights is very user-friendly. For example, you must use a key drill, but Cybereason has a user-friendly interface. You can use a graph to click on the elements you want to investigate, and you'll see the correlation and results. You can always go back and forth without losing the story of the investigation. Cybereason XDR supports legacy operating systems, which other EDRs like Defender do not. This can be important for organizations with older systems that cannot be upgraded to newer versions.
Cybereason XDR is user-friendly once you read the entire documentation. If you are familiar with Defender or other Microsoft tools, you may be used to having a guide that shows you where to click. Cybereason XDR does not have such a guide, so you may need to go to the knowledge base or take some training. The training is good, but it would be great to have some kind of interactive guide or feature that explains how to use the tool. Since we are limited to EDR, there may be some features related to identity management.
I have been using Cybereason XDR for nine months.
The product is stable.
The solution is scalable. Three people are using this solution.
Cybereason's customer support could be better. For example, their definition of urgency is based on the severity of the activity, while our definition of urgency may also include the business impact of the issue. This can lead to mismatches in priorities and delays in resolving critical issues. Support tickets are sometimes assigned to people in different time zones, further complicating communication and resolution.
Neutral
We have two EDRs named Microsoft Defender and Cybereason XDR. The main role would be to support unsupported hosts and versions of legacy hosts and investigation features. The main benefit of Defender is that if you have on-prem infrastructure, like if you have Azure and Microsoft 365, everything is in the same place. It is much easier to navigate between different tools in the Microsoft environment. The station can be separated into two or three other tools.
The solution is deployed in multiple locations. I struggle to see how many hosts there are. It may be around 3,000.
The solution is cheaper than Microsoft Defender. It has a subscription and no standard license.
The maintenance is easy. You need to stay in touch with the on-site team. They will get the information when they have major updates and schedule the update to your environment. I would ask for a proof of concept for a month to test the tool. If someone decides to try it, they should also request training on how to use it because it would take at least a week to figure out the UI and how the tool works if you only have it for a month. Overall, I rate the solution an eight out of ten.