Architecture
The architecture diagram and tables presented in this topic describe the components of the Cybereason On-Prem offering.
Architecture diagram
Note
Cybereason Next-Generation Antivirus (NGAV) is a Cybereason component that detects and prevents a broad spectrum of malware on the endpoint. NGAV works together with Cybereason’s EDR component to provide a full security solution. NGAV can replace or run alongside third-party antivirus products. If you have purchased the NGAV package, to enable NGAV in a Cybereason On-Prem (on-premises) environment, you must install an NGAV Local update server.
List of components
| Component | Description |
|---|---|
| Endpoint sensors | A sensor is a Cybereason software component installed on the endpoint. Sensors collect data about the events and operations occurring on each endpoint throughout your organization. Sensors send the collected data to Detection servers for analysis. |
| Configuration management server | The configuration management server applies predefined system configuration to all Cybereason servers, applies day-2 operations such as backup procedures, and monitors each of the servers. |
| Registration server | The Registration server automatically assigns sensors to specific Detection servers. |
| Detection servers | All Cybereason deployments include one or more Detection servers. Detection servers analyze data from the sensors using a built-in Cross Machine Correlation (CMC) Engine together with data from threat intelligence sources. Detection servers send detection data to the WebApp server for display in the Cybereason UI. |
| Private Threat Intel server | The Private Threat Intel server supplements the Global Threat Intel server and is specific to your environment. This server hosts your organization's custom reputation information, such as allowlists and blocklists, and communicates that information to the Detection server. |
| Global Threat Intel server | Cybereason uses a shared Global Threat Intel server to compare data in your in-memory graph to globally recognized threat sources to determine the reputation of a given file, IP address, or domain. The Global Threat Intel server is updated daily, ensuring your data is checked against the most recent threat information in the cybersecurity industry. |
| WebApp server | The WebApp server hosts the following: |
| Microservices server | The microservices image includes several microservices. |
Microservices included in the Microservices server
The Microservices server includes the following microservices and servers:
| Microservice/server name | Description |
|---|---|
| RabbitMQ microservice | Transfers messages between the Detection servers and the MalOp Decision Service (MDS). |
| Management microservice | Applies user changes to system policies. |
| Arbiter microservice | Synchronizes system policy configuration with the sensors. |
| PostgreSQL server | Serves as the database for the Scribe, Management, and Arbiter microservices. |
| Behavioral Allowlisting microservice | Controls the Behavioral allowlisting feature, which lets users specify behaviors that are benign in their environment. |
| Scribe | Manages the sensor metadata. |
| MalOp Decision Service (MDS) | Controls MalOp creation and grouping. |
| SM-OPS microservice | Includes the containers that manage the sensor environment. |
| MongoDB | Local threat intel database. |
| Sage | Container for the Local threat intel that communicates with the WebApp server for classification information. |
Note
Cybereason provides software patches for updating all components.