About TDR Cybercon Levels

The concept of the Cyber Condition (Cybercon) level is central to Threat Detection and Response. The Cybercon level represents the readiness of an enterprise to defend against attack. Cybercon levels are numbered from 5 (least severe) to 1 (most severe). Cybercon level 5 indicates a position that favors business operations over disruptive security precautions. Cybercon level 1 indicates a position that enables stronger security precautions that could impact business operations. As part of your network security procedures, you define the Cybercon levels to have specific meaning to your organization.

  • Cybercon 5 — No incidents detected
  • Cybercon 4 — Low threat level, monitor for further incidents
  • Cybercon 3 — Moderate threat level, moderate level of response
  • Cybercon 2 — High threat level, higher level of response and remediation
  • Cybercon 1 — Highest threat level, highest level of response and remediation

Once you have defined the Cybercon levels, they are your guide for the types of policies you create for each level. The fundamental idea is that as your organization progresses to a more severe Cybercon level, you enable Threat Detection and Response to complete more automated actions to mitigate threats.

The current Cybercon level appears at the top of the navigation pane.

Screen shot that shows the CYBERCON level in the Threat Correlation & Response UI

The Cybercon level does not change automatically based on detected threats. Administrators can change the Cybercon level.

Cybercon Threshold

In the ThreatSync Policy settings, you configure policies that define actions that Host Sensors can take at different Cybercon levels. In each policy, you specify a Cybercon Threshold, which defines the Cybercon levels the policy applies to. A policy is active only when the Cybercon Threshold in the policy is equal to or higher than the Cybercon level. For example, a policy with a Cybercon Threshold of 3 is active only when the Cybercon level is 3, 2, or 1.

For more aggressive policies, set the Cybercon Threshold to a low number. For less aggressive policies, set the Cybercon Threshold to a higher number. After you have configured policies for each Cybercon level, you can change the Cybercon level to quickly activate a more aggressive set of policies to respond to a threat. For more information, see Configure TDR Policies.

Change the Cybercon Level

An Administrator can change the Cybercon level. All other users can see the Cybercon level, but cannot change it.

To change the Cybercon level:

  1. Log In to TDR.
  2. Select Monitor > Threat Detection.
  3. To increase or decrease the Cybercon level, next to the Cybercon level, click the up or down arrows.
    A confirmation dialog box opens.
  4. Click YES.

All policies with a Cybercon threshold less than or equal to the selected Cybercon level are active. For example, if the Cybercon level is 4, all policies with a Cybercon Threshold of 4 or 5 are active.

About Active TDR Policies

The policies active in your TDR account depend on the Cybercon level and on the Cybercon Threshold and rank configured in your TDR policies. If the active policies change, either because of a change to the Cybercon level or a change to policy configuration, the active policies apply immediately to new indicators that meet the criteria in the policies. After a change to policies or Cybercon level, TDR also reevaluates existing indicators that have one of these prior outcomes:

  • No Policy — there was no active policy to take the requested remediation action
  • Blocked by policy — a remediation policy blocked the requested remediation action

Because you might make several changes to TDR policies in a short period of time, TDR waits five minutes after the last change to policy or Cybercon level before it reevaluates existing indicators.

APT Blocker policies can apply only to new indicators. TDR does not reevaluate existing indicators when the Cybercon level or active APT Blocker policies change.

See Also

Configure TDR Policies