Service Levels

Our CyberStash team will support your IT team to ensure the platform and our service is seamlessly provisioned and validated to be 100% working as designed.

Get day-1 protection with out-of-box threat intelligence from high-quality open-source and commercial threat intelligence feed providers. Gain protection from approximately 40 million indicators with a maximum support of up to 150 million indicators. Bring your own threat feed and integrate with our eclipse XDR Platform to operationalise and capitalise on the value of actionable threat intelligence. We provide out of box integration with other threat feed providers using industry standard protocols such as STIX/TAXII. Additionally, integrate with popular threat feed providers using out-of-box connectors or simply use our Basic IPv4 and Domain List connector to fetch indicators from GitHub and other popular repositories.

• DOMAINTOOLS MALICIOUS DOMAIN BLOCK LISTS - Domain and DNS data covering over 95% of all registered domains, used predictively before any malware has caused damage

• WEBROOT BRIGHTCLOUD® IP - Bright Cloud Dynamic domain threat intelligence feed provides us with ,000 domains per minute, resulting in intelligence on over 230 million domains per month.

• PROOFPOINT ET INTELLIGENCE™ Proofpoint ET Intelligence provides actionable, up-to-the-minute IP and Domain reputation feeds.

Gain up to the minute threat protection as we continuously update our eclipse XDR Platform with Emerging Threat indictors provided by open-source and commercial threat intelligence feed providers. In addition, the CyberStash threat feed is updated with threat indicators received from Government advisories, ensuring speedy protection and reduction of manual effort by your team.

CyberStash provides up to 1-day assistance to assist all its customers with the initial policy design. Identifying exposed services, high risk countries and ASNs, and setting blocking thresholds for each category of attack for both inbound and outbound traffic.

Seamlessly integrate and manage policy exceptions for false positives through automated and manual Allow Lists applied to inbound or outbound traffic.


Seamlessly integrate and manage automated and manual Block Lists. Out of box integration support using industry standard protocols such as STIX/TAXII. Additionally, integrate with popular threat feed providers using out-of-box connectors or simply use our Basic IPv4 and Domain List connector to fetch indicators from GitHub and other popular repositories.

Collect, correlate and processes threat intel related events by forwarding syslog messages to your SIEM from Threat Intelligence Gateways. To minimise your storage footprint, control the level of events being logged by filtering the type of events being forwarded to your SIEM, or otherwise choose to forward all events to your SIEM so you can gain full visibility of both inbound and outbound traffic from your infrastructure.

Adjust the base risk score of threat intel data to increase or reduce the final risk score based on the Country or ASN associated with the network traffic. To minimise your exposure to malicious sources, configure the eclipse XDR Platform to automatically increase the risk score of lower-confident threat intel data if that source is associated with a high-risk country or ASN.

The eclipse XDR Platform collects DNS traffic events from your environment and perimeter network traffic events from the eclipse XDR Platform. It securely transports these events to the CyberStash Cloud SIEM, enabling threat correlation, hunting, investigation, and advanced threat detection. The eclipse XDR Platform includes, but is not limited to, real-time detection of:

• Domain Generated Algorithm Command and Control Behaviour

• Cobalt Strike Command and Control Beacon

• DNS Tunnelling Traffic

• Unusual DNS Activity via Machine Learning (ML)

• Tor Activity to the Internet

• Abnormally Large DNS Response

Security event collection, storage and retention is an essential part of every regulatory and industry security standard. The eclipse XDR Platform provides a Cloud or On-Prem SIEM offering to enables customers to search, pivot and hunt through historical and real-time logs.

• Choose to collect events from 100s of different data sources using standard out-of-box connectors or integrate with custom event-source types.

• With prebuilt data integrations, centralize information from your cloud, network, endpoints, applications — any source you would like.

• Select from hundreds of out-of-box threat detection rules.

• Implement any security use case, and scale quickly.

• Advance operational maturity with a platform for active threat management and incident response. • Continuously guard your environment with correlation rules that detect even unknown behaviors and tools indicative of potential threats. Compare against threat indicators and prioritise accordingly.

• Cut to what matters with preconfigured risk and severity scores. Detections are aligned with MITRE ATT&CK and publicly available for immediate implementation.

• Expose unknown threats with anomaly detection. Arm threat hunters with evidence-based hypotheses. Uncover threats you expected — and others you did not. Achieve rapid value with prebuilt ML jobs and ready-to-use algorithms.

• Search across any kind of information, as far back as you need — searchable snapshots make it financially feasible to extend the breadth and duration of data visibility.

• Triage events and perform investigations, gathering findings on an interactive timeline.

Automatic discovery of URLs and endpoints IP addresses associated with IP traffic matching threat intelligence data.

Explore data with real-time and historical dashboards. Access contextually relevant data on aggregation charts throughout the eclipse UI to quickly detect anomalies that may be indicative of an increased level of risk to your organisation. Drill-down into the underlying data and use it to respond to attacks as part of your incident response plan.

Efficiently search for historical or real-time events as they occur by using drop-down filters or by building your own complex filters.

Generate ad-hoc or scheduled threat and vulnerability reports. Use the summary reports to demonstrate control effectiveness to your executives or the technical reports to prioritize incident response and vulnerability remediation.

With endpoint surveys, produce reports that show high-level asset details for workstations and servers used in your IT environment.

eclipse.xdr collects forensic operating system artefacts and uses the threat hunting technique of STACKING to identify anomalies as part of automated threat hunting.

Discover applications installed within your environment and all new applications installed since the previously assessment, whether authorized or unauthorized. Discover the associated application-level vulnerabilities and the level of exposure these create in your environment. Focus your team’s vulnerability remediation efforts on the vulnerabilities that have the greatest level of risk to your business using the CyberStash proprietary vulnerability prioritization scoring methodology.

Enumerate, stack, and review local and domain-level, user, guest, and privileged-level accounts. Review accounts by count and by number of logins. Determine which hosts particular accounts exist on and the associated processes owned by particular accounts.

Automatic discovery of system accounts and files associated with suspicious IP traffic or URLs matching threat intelligence data.

Accomplish periodic threat hunting using automated forensic-depth analysis, stacking, machine learning and threat intelligence. The eclipseXDR platform will automatically discover leads indicative of system compromise.

Following a breach, conduct an additional ad-hoc survey of one of more endpoints to validate clean-up of the malicious file. Also validate that no other backdoors remain in your environment associated with the breach, whether these are present on the system that was compromised, or a different system within your environment that’s used as the beachhead into your environment.

Respond to identified malicious files with one-click response actions that allow you to delete terminate the process, isolate the host, delete a registry key, or even securely collect digital forensic data to preserve evidence that can be used in a court of law.

Continuous process monitoring and Differential forensic analysis are enabled with Real-Time Process Monitoring.
As a result, security teams and security service providers are able to detect more threats, faster, and respond instantly without impacting network operations.
 
This capability provides the following enhancements:

• Adds Continuous Monitoring and Real-Time Detection
• Automated live memory analysis to expose fileless threats faster
• Differential Forensic Analysis to enable lower footprint forensic data over time
• Monitor, investigate, and hunt malicious activity—past, present, and future

In addition to periodic Automated Hunting, choose to enable the Adversary Behaviour Detection Engine to enable our real-time Endpoint Detection and Response (EDR) capabilities. Mapped to the MITRE ATT&CK framework, we cover the most prevalent tactics and techniques used by adversaries. If you already have a different EDR software, you may choose to replace it with our EDR engine.

Register with VirusTotal and leverage their Public API natively through the eclipse XDR platform to enrich threat detection with threat intel data.

Automate dynamic analysis to enrich and validate threat detection. Detonate both files and URLs detected as threats in a safe and isolated cloud-native sandbox environment which includes Automated IOC Extraction and MITRE ATT&CK Framework Mapping.

Enable automated threat analysis through Security Orchestration, Automation and Response (SOAR). Set thresholds for risk stacking and implement incident response actions based on your organisation risk appetite for blocking attacks in their tracks.

In addition to the native threat feeds, CyberStash protects organisations from malicious IP addresses and domains using additional premium threat data from its partner ecosystem and its own intelligence. CyberStash Threat Intelligence draws from both open-source and commercial threat feed providers. CyberStash proactively blocks traffic to and from real-time sources of attacks covering of the criminal underground and malware activity, including banking trojans, info stealers, loaders, spambots, ransomware and additional emerging threats.

Following a critical advisory on an active threat, CyberStash receives and collects threat data related to the attack campaign and proactively protects your organisation against threat indictors associated with IP address and domains. With the Managed Service Level, CyberStash also reviews your historical and active logs for indicators of compromise.

Following an incident, safely collect and store forensic artefacts from your endpoints onto the eclipse XDR write-once password protected Amazon S3 bucket. Alternately, integrate your private instance of the Amazon S3 bucket with our eclipse XDR platform to safely collect and store forensic artefacts in your own instance.

Select from Weekly, Monthly or Quarterly Post Compromise Lead Investigations. Our Security Analysts will triage and investigate all automatically triggered suspicious leads and produce a report on their level of risk to your organisation.

All security alerts are investigated with details from our team’s analysis provided to your team. This includes the threat and vulnerability category and the level of risk to your organisation along with any tactical and strategic recommendations.

A monthly report of all endpoint assets is provided, the last time of assessment and their current status.

Incidents are raised and responded to by CyberStash Security Analysts using the CyberStash Service Desk Management System and Incident Prioritisation Model.

Quarterly reviews are conducted with the view to enhance access control policies. This ensures that there is an ever-decreasing level of exposure to your organisation to both inbound and outbound threats.

Detection exceptions are made to access policy and threat detection alerts as a result of false-positives and policy exceptions.

Assets are managed end-to-end to ensure the software remain up to date with all critical vulnerabilities remediated through planned and scheduled patching.

All incidents are clearly documented and communicated with your team which includes the next-step decisions and actions required from your team.

CyberStash uses SpyCloud’s account takeover prevention and fraud investigation solutions to detect disclosed credentials on the deep-dark web and to respond to these to minimise your organisation’s exposure. This is backed by the world’s most current and comprehensive repository of recovered stolen credentials and PII data. The CyberStash Deep-Dark Web Credential Disclosure Detection enables organisation to stay ahead of account takeover by detecting and resetting compromised passwords before criminals have a chance to use them to cause irreversible business impact.

While many of the features provided by the VirusTotal API are freely accessible to all registered users, some of them are restricted to their premium customers only. Those features constitute the VirusTotal Private API. Bring your own Private Key to increase the number of API calls made natively through our eclipse XDR platform.