This guide provides information on how to set up a Beyond Identity integration with Cybereason.
How this integration works
Beyond Identity validates identity by eliminating all phishable factors such as passwords and one-time passcodes, replacing them with phishing-resistant factors -asymmetric cryptography, and biometrics. Security is then augmented by a policy-based device inspection that checks for the presence and configuration of the Cybereason agent, and ingests risk signals that indicate device compromise. In this way, the integration serves as a preventative security tool to stop threat actors before they get through the door. After a session is established, Beyond Identity and Cybereason continuously monitor the security posture of the device, ensuring adherence to precise authorization policies
throughout a session. And if a policy is violated at any time, Beyond Identity automatically signals Cybereason to isolate the out-of-compliance device, thereby ensuring automated security
The following steps describe the integration flow shown above.
- The end user initiates access, and IdP delegates to Beyond Identity phishing-resistant MFA.
- At the point of authentication, Beyond Identity ensures the user/device are authorized and device posture meets security policy, including the presence of the Cybereason agent.
- By ingesting risk signals from Cybereason, Beyond Identity will authenticate only devices that meet policy.
- Phishing-resistant MFA is granted to authorized applications.
- Continuous validation of the device occurs, including Cybereason agent and risk signals to ensure the device continues to meet the security policy.
- An automated isolate action signal is sent to Cybereason when Beyond Identity’s
continuous authentication detects a device out of compliance.
- Cybereason SKUs and Features required:
- Cybereason Professional
- Beyond Identity SKUs and Features required:
- Included with Beyond Identity Secure Workforce
- Cybereason Sensor
- Beyond Identity Authenticator: Version 2.89.0 and above, supports macOS and Windows
- Cybereason Role/Access Requirements
- API user (TFA disabled)
- Beyond Identity Role/Access Requirements
- User with a minimum role of ‘Integrations Administrators’ for adding and configuring integrations
- User with a minimum role of ‘Policy Administrators’ for configuring policy
Step 1: Create an API user for Cybereason
- Log in to your Cybereason console, then click Users.
- Click Create new user.
- Choose the following roles:
- Analyst L3
- System admin
- Click Add user.
Step 2: Beyond Identity Configuration
- In the Beyond Identity Admin Console, go to Integrations > Endpoint Management.
- Choose Cybereason and enter the following:
- API URL - Cybereason URL without the port number unless it is required to reach the UI (e.g. https://company.cybereason.net)
- API username
- API password
- Click Save Changes. The integration is now configured. Continue to Step 3 to test the integration.
Step 3: Test the integration
To test the Cybereason integration, configure Beyond Identity policy rules:
- Create a monitor rule to evaluate if Cybereason is installed. View matches for the monitor rule via match counts under Policy.
- Create a Deny rule that is scoped on a test user group or test device (via passkey tag) to test the Cybereason Isolate action.