General – Haven Deployment – Haven Service

FAQs

General

Please contact the person authorized to submit support tickets for your organization. Once a ticket is submitted, Corvid Cyberdefense will release the attachment if deemed safe.
Your administrator has policies in place that place messages on hold. These could be based on spam, attachment, or content examination policies, designed to prevent unwanted emails from reaching your inbox. The Personal On Hold viewer at https://login.mimecast.com allows you to view the emails that have been held, and decide if you want to release them or reject them, individually or in bulk. Select the Advanced icon. (Three dots) Select Personal On Hold from the menu Select either a single email or multiple emails Using the Release icon, select one of the following desired actions: Release Email, Release Email & Permit Address, Release Email & Permit Domain.
Contact your administrator who can submit a ticket to Corvid Cyberdefense.
Never click on an email that looks in any way suspicious. Please report the email to your administrator who can submit a ticket to Corvid Cyberdefense.
Contact your administrator who can submit a support ticket. If Corvid Cyberdefense deems the website safe, we will allow access to the website.
Go to https://login.mimecast.com. Enter your email address and select Next. Beneath the Log In button, select “Reset Cloud Password.” Follow the remaining prompts to set up your password. More information can be found in the Help Topics and User Guide sections of this page.
If you encounter an issue downloading, installing, or running a program, please follow the steps below:
Open the CylancePROTECT client by double-clicking the icon in the system tray, a window should appear.
Click each of the tabs in the window to see if any Threats, Exploits, Events, or Scripts appear.
If you do see one or more legitimate work-related files listed in one of the tabs, contact your administrator who can submit a support ticket to Corvid Cyberdefense to release the file.
If you do not see anything listed, then it’s not likely a CylancePROTECT issue. Your administrator may be able to help.
The login credentials you use for your personal Mimecast portal may be different than the ones used when you receive a secure email message from someone outside of your organization. Here are a few steps you can try to access the message if you’re having difficulty.

Log out of the Mimecast portal
Click the email link again
Enter the email address that received the secure email
Authenticate using cloud password (if prompted)
If the password is unsuccessful, choose “forgot password” to reset it
Log in using your new password
If still unable to access your secure message, please contact your admin who can submit a support ticket to get help.

Haven Deployment

For on-premise network security appliance installations, we will do our best to limit the amount of time the network is down. Depending on the type of installation, downtime can be anywhere between 2 minutes to 2 hours. We can also schedule installation timing to happen when this will cause the least disruption to your organization.
Corvid Cyberdefense engineers will have access to your network in order to manage and maintain it. We are happy to provide you with more information as requested.
Depending on location, our network security engineer can either be on site or connect through phone or video conference to walk you through each step and ensure the installation goes smoothly with as little downtime as possible.
Your time will be required at touch points throughout the onboarding process, and typically be about 5 hours over the 30-day deployment timeframe.
Yes, we will ask for a list of those who require access to the ticketing portal during the onboarding process. It is best to limit access to as few as possible in order to limit the individuals who have access to make changes to your organization’s security configurations.
If your Haven service agreement includes Cylance endpoint protection, it can replace your current AV. However, please do not uninstall your current AV until Cylance is installed, including a series of follow up reviews, which take approximately 7-14 days. This will allow various policy rules and exclusions to be created based on your goals and the specifics of your IT environment.
Monthly Training Videos
Employees will receive an email with a link to access training videos that were created to be short, entertaining, and educational. A few start-up episodes were selected that teach about core threats like phishing, ransomware, and password security. Episodes are 3-4 minutes in length and they teach a lesson on one specific security threat using a real-life security breach as the story line. Every month, users will receive an email to let them know that a new video episode is available.

Monthly Simulated Phishing Campaigns
Because so many data breaches originate from a phishing email, we’ll be sending occasional simulated spoofed (fake) emails designed to test employee awareness of a true phishing email. These spoofed emails will not reveal any sensitive information, but will provide an idea of where improves in employee training are needed. When a user clicks within a simulated phishing email, that person will be automatically prompted to watch a video on the subject of identifying a phishing email. As our main POC (point-of-contact) you will receive by-user participation and performance reports.
The report of actual and potential threats found is sent to the client that includes our recommendations. Actual threats will be quarantined. We ask the client to confirm the category for items that are a potential risk for the organization. If they are necessary to the organization, they can be waived/safelisted, if not, it is often recommended that they are quarantined.
Each security technology within the Haven solution comes with “out of the box” security controls built in. These controls are used to minimize high confidence impacting events such as Malware, command and control (C2), phishing, and pornography among others.
Although each environment is different, and the Corvid Cyberdefense Implementation team takes into account the customization needed for each environment, the out of the box controls are designed not to impact the organization.
Corvid Cyberdefense will assign a Deployment Success Manager to manage the implementation. The Deployment Success Manager will then establish communications with your team to ensure schedules align.
A Subject Matter Expert will be assigned from Corvid for each security technology sold. The Subject Matter Experts will then start to gather necessary information to stage the baseline of each technology in support of deployment.
When ready and change windows are in place, the CCD rep will work with your team to deploy the security control in a manner that is least impacting to the organization. This creates space that allows continual improvements to be made to each client’s dynamic IT environment.
Once fully completed, your team will be introduced to the security operations team, who who will be supporting your organization going forward.
Due to the high cost associated with physical hardware and the lack of cost effective high grade solutions, Corvid Cyberdefense have built an in house 1U solution that allows us to virtually host some of the most advanced security technology needed to protect the core of your organization. Not only does this make our solution cost effective, it also increases the shelf life and also allows an adaptive approach to technology if we need to change from a provider due to new security threats without additional costs or change windows.
AQT – Auto quarantine of Threats
MPB – Memory Protection Block
SCB – Script Control Block
The goal is not to impact the end users. This is accomplished by providing communication templates, which are used to bring all end users within the organization up to speed on the technologies and controls being deployed.

Haven Service

We continuously audit the marketplace for the latest technologies and modify Haven to ensure maximum efficacy. Current technologies include:

Endpoint- CylancePROTECT and OPTICS. CylancePROTECT is a next-generation antimalware solution that leverages machine learning to detect and prevent malware. CylanceOPTICS is an advanced endpoint detection and response (EDR) solution that can provide full visibility into attacks and local system activity. OPTICS also supports manual and automated response playbooks.

Email- Mimecast is an email security platform that provides anti-malware, spam, plus advanced threat prevention for email attachments and URL’s. In addition, Mimecast supports basic data loss prevention policies and sending encrypted emails to protect sending sensitive data to external recipients.

Network- Palo Alto Networks FW is a next-generation firewall that supports automated detection and prevention of malicious web traffic through URL and application filtering, file sandbox analysis, and SSL decryption. Additionally, Palo Alto Networks includes Global Protect VPN for secure remote access and secure access over insecure or public networks.

Vulnerability Scanning- Network and systems are routinely scanned and analyzed to strengthen system defenses. Scanning is performed monthly or as needed and reported to the Client organization to remediate vulnerabilities to reduce the organization’s attack surface that can lead to a compromise of non-public data. (NOTE: Vulnerability Scanning is part of the Haven™ package. For Haven Cloud and Haven SecureAdvisor, please inquire.)

Employee Awareness Training- Employee awareness training is delivered monthly in micro learning segments to increase employee security awareness and internet safety. Simulated phishing campaigns are delivered in parallel to help employees better detect and report potentially malicious emails. Most compromises result from human error, which can be significantly reduced by better educating personnel.

SIEM- Centralized log collection utilized by Corvid Cyberdefense security analysts to identify and respond to organizational threats. Corvid’s SIEM collects logs from endpoints, network appliances, and other IT and security technologies deployed in the Client environment.
Haven addresses many of the technical security controls defined in common security standards. Upon request, you will be provided with a Haven crosswalk for the compliance standard required by your industry. Common compliance standards include: NIST SP 800-171, NIST SP 800-53 and CMMC.
If you require assistance to develop custom policies, standards, operating procedures, or other security compliance documentation, Corvid Cyberdefense offers professional services. Please contact our business team.
Haven SIEM data is stored in a secure collocated data center with high availability. Our technology partners leverage cloud service providers, such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).
Depending on the deployment model that is optimal for your organization, Haven can be fully cloud-based or as a hybrid solution. If physical hardware is required, Corvid will ship a pre-configured appliance that will need to be connected to your network and set up with network connectivity. Software will need to be deployed/installed by your employees. If on-site support is required, arrangements can be made based on an agreed upon one-time fee. Full deployment of Haven takes approximately 4 weeks on average; however, it varies by customer environment and needs.
Haven is an end-to-end solution that includes monitoring, detection, response, and remediation of security threats. Other MSSPs typically focus only on monitoring, detection, and alerting, requiring the client to determine how to handle and remediate threats.
Client data is stored in a highly secure environment secured by network segmentation, user and network security groups, multi-factor authentication.
Corvid Cyberdefense provides 24x7x365 coverage. Clients may contact support via phone, helpdesk web portal, or email depending on severity and preference. See our SLA for delivery and response timing.
Logs for all systems originate on the network security appliance, and the originals are stored there.

For every stream for the purpose of monitoring and security, the logs traverse a private SSL tunnel to our main non-public data center in Raleigh, NC. These logs are then housed in an internal single-tenant environment 100% under Corvid Cyberdefense’s control. Each client’s data is housed in data verticals apart from other clients, such that no client can have bleed over access.

Onsite backups and snapshots are accomplished within the same private cluster and engage no extra-corporate services.

Tertiary backups are flowed offsite multiple times per day for continuity to a virtual private cloud at AWS, employing object storage only. No public applications or structures are in place at said VPC, and no other systems at AWS are employed to interact with this data in any way.

Data at rest in cold storage and live in-cluster are maintained for 90 days per contractual SLA. Data is cycled out after this time on the following Sunday from the expiry of said data.
At a minimum all analysts must have Network+, a certification designed to test the competency of a mid-level network technician in supporting and configuring TCP/IP clients in terms of network design, cabling, hardware setup, configuration, installation, support, and troubleshooting.

Analysts are certified in each security technology and they maintain a provided structural learning path via on-site training.
For clients with an on-premise network security appliance, vulnerability scans are conducted on the 4th and 7th of each month. This ensures that the scans occur on a weekday.
No. Haven is designed to provide you with the technology to reduce the amount threats that can impact your organization. Our 24/7 security operations center (SOC) investigates event alerts triggered by the technology to determine if additional action is needed. If there is suspicious activity that cannot be confirmed by the SOC and requires domain knowledge, or if there is activity that is confirmed to be malicious OR is determined to be suspicious with potential for a compromise in data confidentiality or integrity, you will be notified directly per the SLA: corvidcyberdefense.com/haventerms

General – Haven Deployment – Haven Service

FAQs

General

I need an attachment that was blocked. How can I get it?

How do I find an email that was sent to me but I don't see it in my inbox?

I sent an email and the recipient didn't receive it because it is being blocked from sending by Mimecast. What should I do?

I received what looks like a phishing email. Should I report it?

I'm unable to access a website I need for my job. What should I do?

How do I access my Mimecast personal web portal for the first time?

What if I can't download or run a program I need?

I received a secure message from Mimecast and when I try to retrieve it I get a notification that I don't have permission to access the message. What should I do?

Haven Deployment

Will there be network downtime during the installation process?

Who at CCD will have access to our network?

Who actually installs the network security appliance?

How much of our time does Haven installation require?

Can more than one person have access to the ticketing portal?

Can we uninstall our current antivirus?

How is security awareness training conducted?

What is purpose of the Cylance threat report?

Do you have standard blocking categories?

How does the Haven deployment process work?

What is the Haven Network Security Appliance?

What do the EPP policy abbreviations mean?

Is the Haven deployment disruptive for our end users?

Haven Service

What technology is used in Haven?

What compliance standards does Haven help satisfy?

Does Corvid Cyberdefense use a cloud provider and if so, which one?

How is Haven service deployed?

How does your Haven solution compare to other MSSPs?

What kind of access controls are in place for your employees who handle our data?

How is technical support handled?

Where are firewall logs kept?

What training is required for your SOC analysts?

How often are vulnerability scans conducted?

Should I expect to be alerted every time there’s an event or suspicious activity in my environment?