This FAQ explains concepts related to Halcyon’s two operational policies - Detection and Prevention.
Q: What is the difference between Detection vs. Prevention?
A: When Halcyon refers to “Detection vs. Prevention,” it describes the platform’s transition from simply observing and collecting data (the learning phase) to actively defending against ransomware threats in Prevention.
Q: What is Detection (Warning) Mode?
A: After a Proof of Value (PoV) concludes and Halcyon is introduced into an environment, it enters a learning phase. During this period, the platform collects data, labels alerts, and refines its machine-learning models to understand the environment’s normal behavior.
Halcyon observes and reports on potentially malicious activity without taking autonomous agent action. Threat Response confirms triaged alerts with the customer, and if the activity is related to a ransomware event, Threat Response may put individual assets or the entire tenant into Prevention (if approved by the customer).
Detection mode is ideal for the learning phase, or for any situation where you prefer Detection to Prevention.
Q: What is Prevention (Blocking) Mode?
A: While in the Prevention mode, Halcyon automatically blocks and contains ransomware threats in real time.
Prevention mode is recommended once the platform has learned enough to accurately differentiate normal behavior from genuine ransomware threats, reducing both false positives and security risk.
When you see “warning” in an alert level field, it indicates that the device or feature is in Detection mode - no blocking will occur.
When you see “block” in an alert level field, it indicates that the device or feature is in Prevention mode, meaning the file or behavior in question is actively stopped.
Q: When should I move from Detection to Prevention mode?
A: After Halcyon has gathered sufficient context about your environment, you can leave the system in Detection (warning) mode or move it into Prevention (block) mode, where suspicious ransomware activity is not only detected but also actively stopped.
Q: What are the classes of protection and modes supported?
A: The table below lists the agent protections applied to a customer's tenant in either Detection or Prevention mode. Each protection can be set to Notification, Blocking action, or Disabled in your Policies screen.

| Agent protections | Notification | Blocking action | Disabled |
|---|---|---|---|
| Execution Guard (Pre-Execution and Behavioral) | | | |
| Tamper Guard (Self-protection mechanisms to prevent bypassing the Halcyon Agent) | | | |
| Sidekick Protection (Armoring for third-party EDR solutions) | | | |
| Data Exfiltration Protection (DXP Module) - DXP Peer | | | |
| Data Exfiltration Protection (DXP Module) - DXP Volumetric | | | |
By following this phased approach - learning before protection - Halcyon minimizes disruption while steadily enhancing ransomware defense capabilities.