About TDR CYBERCON Levels
The concept of the Cyber Condition (CYBERCON) level is central to Threat Detection and Response. The CYBERCON level represents the readiness of an enterprise to defend against attack. CYBERCON levels are numbered from 5 (least severe) to 1 (most severe). CYBERCON level 5 indicates a position that favors business operations over disruptive security precautions. CYBERCON level 1 indicates a position that enables stronger security precautions that could impact business operations. As part of your network security procedures, you define the CYBERCON levels to have specific meaning to your organization.
- CYBERCON 5 — No incidents detected
- CYBERCON 4 — Low threat level, monitor for further incidents
- CYBERCON 3 — Moderate threat level, moderate level of response
- CYBERCON 2 — High threat level, higher level of response and remediation
- CYBERCON 1 — Highest threat level, highest level of response and remediation
Once you have defined the CYBERCON levels, they are your guide for the types of policies you create for each level. The fundamental idea is that as your organization progresses to a more severe CYBERCON level, you enable Threat Detection and Response to complete more automated actions to mitigate threats.
The current CYBERCON level appears at the top of the navigation pane.
The CYBERCON level does not change automatically based on detected threats. Only a user with Operator credentials can change the CYBERCON level.
In the ThreatSync Policy settings, you configure policies that define actions that Host Sensors can take at different CYBERCON levels. In each policy, you specify a CYBERCON Threshold, which defines the CYBERCON levels the policy applies to. A policy is active only when the CYBERCON Threshold in the policy is equal to or higher than the CYBERCON level. For example, a policy with a CYBERCON Threshold of 3 is active only when the CYBERCON level is 3, 2, or 1.
For more aggressive policies, set the CYBERCON Threshold to a low number. For less aggressive policies, set the CYBERCON Threshold to a higher number. After you have configured policies for each CYBERCON level, you can change the CYBERCON level to quickly activate a more aggressive set of policies to respond to a threat. For more information, see Configure TDR Policies.
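To review a policy set before you rely on it during an incident, the following added example (not WatchGuard code) applies the threshold rule described above and lists which policies are active, and which are newly activated, at each CYBERCON level. The `Policy` class, the function names, and the sample policy names are assumptions made for illustration.

```python
"""Preview which policies each CYBERCON level would activate (added example)."""
from dataclasses import dataclass

LEVELS = (5, 4, 3, 2, 1)  # least severe -> most severe, as defined on this page


@dataclass(frozen=True)
class Policy:
    name: str        # constructed label, not a product identifier
    threshold: int   # CYBERCON Threshold configured in the policy


def is_active(policy: Policy, level: int) -> bool:
    """Active when the threshold is equal to or higher than the current level."""
    if policy.threshold not in LEVELS or level not in LEVELS:
        raise ValueError("CYBERCON values must be between 1 and 5")
    return policy.threshold >= level


def escalation_plan(policies):
    """Map each level to (all active policy names, names newly activated there)."""
    plan, previous = {}, set()
    for level in LEVELS:
        active = {p.name for p in policies if is_active(p, level)}
        plan[level] = (sorted(active), sorted(active - previous))
        previous = active
    return plan


def levels_without_change(policies):
    """Levels where moving up from the previous level activates nothing new."""
    plan = escalation_plan(policies)
    return [lvl for lvl in LEVELS[1:] if not plan[lvl][1]]


# Constructed sample policy set for illustration only.
SAMPLE = [
    Policy("log-only", 5),
    Policy("quarantine-known-bad-file", 4),
    Policy("kill-suspicious-process", 2),
    Policy("isolate-host", 1),
]

if __name__ == "__main__":
    for level, (active, added) in escalation_plan(SAMPLE).items():
        print(f"CYBERCON {level}: active={active} newly_active={added}")
    print("levels that add nothing:", levels_without_change(SAMPLE))
```

A level reported by `levels_without_change` is one where an Operator who raises the CYBERCON level gains no additional automated response, which is worth checking against the meaning your organization assigned to that level.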
Change the CYBERCON Level
A user with Operator credentials can change the CYBERCON level. All other users can see the CYBERCON level, but cannot change it.
To change the CYBERCON level:
- Log in to the Threat Detection and Response web UI as a user with Operator credentials.
- To increase or decrease the CYBERCON level, click the up or down arrow adjacent to the CYBERCON level.
  A confirmation dialog box appears.
- Click YES.
All policies with a CYBERCON Threshold equal to or higher than the selected CYBERCON level are active. For example, if the CYBERCON level is 4, all policies with a CYBERCON Threshold of 4 or 5 are active.