Integration Guide for Cybereason


This guide provides information on how to set up a Beyond Identity integration with Cybereason.


How this integration works

Beyond Identity validates identity by eliminating all phishable factors, such as passwords and one-time passcodes, and replacing them with phishing-resistant factors: asymmetric cryptography and biometrics. Security is then augmented by a policy-based device inspection that checks for the presence and configuration of the Cybereason agent and ingests risk signals that indicate device compromise. In this way, the integration serves as a preventative security tool to stop threat actors before they get through the door. After a session is established, Beyond Identity and Cybereason continuously monitor the security posture of the device, ensuring adherence to precise authorization policies throughout the session. If a policy is violated at any time, Beyond Identity automatically signals Cybereason to isolate the out-of-compliance device, thereby ensuring automated security coverage.

[Figure: architecture.png]

The following steps describe the integration flow shown above.

  1. The end user initiates access, and the IdP delegates to Beyond Identity phishing-resistant MFA.

  2. At the point of authentication, Beyond Identity ensures that the user and device are authorized and that device posture meets security policy, including the presence of the Cybereason agent.

  3. By ingesting risk signals from Cybereason, Beyond Identity will authenticate only devices that meet policy.

  4. Phishing-resistant MFA is granted to authorized applications.

  5. Continuous validation of the device occurs, including the Cybereason agent and risk signals, to ensure the device continues to meet the security policy.

  6. An automated isolate action signal is sent to Cybereason when Beyond Identity’s continuous authentication detects a device out of compliance.

Prerequisites

Licensing Requirements

Version Requirements

  • Cybereason Sensor

  • Beyond Identity Authenticator: Version 2.89.0 and above, supports macOS and Windows

Role/Access Requirements

  • Cybereason Role/Access Requirements

    • API user (TFA disabled)

  • Beyond Identity Role/Access Requirements

    • User with a minimum role of ‘Integrations Administrators’ for adding and configuring integrations

    • User with a minimum role of ‘Policy Administrators’ for configuring policy

Configuration

Create an API user for Cybereason

  1. Log in to your Cybereason console, then click Users.

  2. Click Create new user.

  3. Choose the following roles:

    • Analyst L3

    • System admin

  4. Click Add user.

Beyond Identity Configuration

  1. In the Beyond Identity Admin Console, go to Integrations > Endpoint Management.

  2. Choose Cybereason and enter the following:

    1. API URL - Cybereason URL without the port number unless it is required to reach the UI (e.g. https://company.cybereason.net)

    2. API username

    3. API password

  3. Click Save Changes. The integration is now configured. Continue to Step 3 to test the integration.

Test the integration

To test the Cybereason integration, configure Beyond Identity policy rules:

  1. Create a monitor rule to evaluate if Cybereason is installed. View matches for the monitor rule via match counts under Policy.

  2. Create a Deny rule that is scoped on a test user group or test device (via passkey tag) to test the Cybereason Isolate action.