Editor’s Highlights
WithSecure Elements Technical Trainings available for everyone
We are happy to announce that we have now made some of our technical trainings freely available for everyone.
By following the trainings, you can learn more about our Extended Detection and Response and Exposure Management solutions, including:
- How to use the Elements Security Center effectively to manage the solutions
- How to deploy the products that make up the solutions
- How to configure the products
- Daily Administration tasks, including responding to events
You can find the technical trainings here.
2024 MITRE ATT&CK® Evaluations: Enterprise (WithSecure EDR is a leader in detection-to-alert ratio)
In the latest round of MITRE testing, we excelled in the area of detection-to-alert ratio. In plain terms, this means that our EDR solution ensured accurate and early detection without unnecessary noise caused by irrelevant alerts.
These results reinforce our commitment to offering IT professionals with limited investigation resources the best-value cyber security solutions that deliver proven results time and again, only alerting when necessary – often avoiding thousands of time-consuming false positives.
See more: 2024 MITRE ATT&CK® Evaluations: Enterprise | WithSecure™
Extended Detection and Response
Endpoint Protection
Elements Agent for macOS: Elements Agent / Client Security & network isolation
Important information for customers planning on upgrading to macOS Sequoia 15.1.1 or higher.
Network isolation on macOS 15.1.1 and higher does not currently work in conjunction with Apple’s built-in firewall.
WithSecure has been in contact with Apple, and they have confirmed the issue. WithSecure continues to seek a resolution together with Apple.
Elements Agent for macOS
WithSecure Elements Agent macOS 24.6.53972 has been released to general availability.
This release fixes an issue that caused product initialization to sometimes fail.
The product installer can be downloaded from here, and the update is available for automatic update to existing installations.
Elements Agent macOS 24.6 supports the following macOS versions:
- macOS 15 Sequoia
- macOS 14 Sonoma
- macOS 13 Ventura
Identity Security
Elements Identity Security: Identity Response Capability
We are thrilled to announce a significant update to our detection and response product. This release introduces the Identity Response capability, designed to enhance your responsiveness to security incidents involving compromised users.
By configuring this new feature, Elements Cloud will integrate seamlessly with Microsoft Entra ID, enabling you to take swift action on affected users.
How to Set Up:
- Navigate to the Environment -> Cloud page.
- Go to the Detection and Response tab.
- Follow the instructions to configure the Identity Response capability. To assist you further, we have provided an onboarding video to guide you through the process.
Executing response actions could not be easier: run them directly from the Identity Broad Context Detections (BCDs) for quick, effective containment. The response actions included are:
- End the current user session
- Reset the user's password
- Disable the user's access
This capability helps prevent major impacts and stops attackers in their tracks.
Exposure Management
XM newsletter
Finding status management
We have now added Finding Status management. Similar to recommendation status management, the user can manually adjust the status of individual findings. Only active findings are taken into account in risk score calculations.
More detailed information about scans
There is now more detailed information about the related scan(s) in the Recommendation details.
- The "Scan subtype" column gives a hint as to which scan type led to the creation of the finding, e.g. "System Scan" for vulnerability findings and "Azure (cloud scan)" for cloud findings.
Note: This data is available for recent scans only. In case of old scans, a re-scan is required to populate it.
Filter alignment
Filters are now aligned across various XM views.
Identity list view:
MFA false positives have been significantly reduced, and a more precise status now appears in the UI. Note: As a result of this fix, users might notice more yellow colours on the Identity list page.
Vulnerability Management
EVM Portal
New engine for Internet Discovery
The Internet Discovery page now utilizes the new scanning engine, Shodan.io.
Obsolete API Endpoints removed
We have now permanently removed some obsolete API endpoints and these are no longer available.
EVM System Scan
The ability to detect vulnerabilities in the following products was added to Authenticated Scanning for Windows:
- Apache Kafka Clients
- Autodesk Navisworks (Freedom, Manage, Simulate)
- Cisco Enterprise Chat and Email
- Cleo servers
- GitHub CLI
- Intel Processor Identification Utility
- NetApp SnapCenter Server
- NetCloud Exchange client
- Ollama
- Spring LDAP
Important note: Due to some corner cases that affected some customers, we had to temporarily disable the calculation of all missing Microsoft Cumulative Updates and revert to the previous model. We are actively developing a solution for those cases so that the calculation can be restored as soon as possible. Although this is unfortunate and detections may not paint the whole picture for the time being, if any Cumulative Update is missing, at least one vulnerability will show up in the reports.
Elements Foundations
Elements Security Center
New Mac profile editor is now in production
An updated profile editor for Mac clients has been released.
Integrations
Elements API
A bugfix has been released in the query devices endpoint (GET /devices/v1/devices).
Previously, the response enum field firewallState contained the value "disabledMacos", while the correct and documented spelling is "disabledMacOs". With the latest release the spelling in the response has been fixed and is now "disabledMacOs" (capital O, as in "Os").
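An integration that compares firewallState with an exact string match will miss every macOS device while the pre-fix spelling is still in circulation (older cached responses, or clients talking to both old and new versions). The following added example, which is not WithSecure code, normalises the legacy spelling and flags disabled firewalls case-insensitively; the response shape (an "items" list with "id" and "firewallState"), the "enabled" sample value and the device ids are constructed assumptions, not taken from the API reference.

```python
import json

# Documented spelling per the changelog above; pre-fix responses used "disabledMacos".
LEGACY_FIREWALL_STATE_ALIASES = {"disabledMacos": "disabledMacOs"}


def normalize_firewall_state(value):
    """Map a firewallState value to its documented spelling.

    Known legacy misspellings are rewritten; other values pass through unchanged
    so the caller can still see them. Returns None for a missing field.
    """
    if value is None:
        return None
    return LEGACY_FIREWALL_STATE_ALIASES.get(value, value)


def firewall_is_disabled(state):
    """True when the (normalised) state reports a disabled firewall.

    Compared case-insensitively on purpose: an exact match on "disabledMacOs"
    would silently miss devices while the API still returned "disabledMacos".
    """
    return state is not None and state.lower().startswith("disabled")


def devices_with_disabled_firewall(body):
    """Return (device id, normalised state) for every device whose firewall is off.

    ASSUMPTION: the response body is a JSON object with the device list under
    "items" and each device carrying "id" and "firewallState"; adjust to the
    real schema from the Elements API reference.
    """
    devices = json.loads(body).get("items", [])
    flagged = []
    for device in devices:
        state = normalize_firewall_state(device.get("firewallState"))
        if firewall_is_disabled(state):
            flagged.append((device.get("id"), state))
    return flagged


# Constructed sample mixing a pre-fix and a post-fix value; not real API output.
SAMPLE_RESPONSE = json.dumps({
    "items": [
        {"id": "dev-1", "firewallState": "disabledMacos"},
        {"id": "dev-2", "firewallState": "disabledMacOs"},
        {"id": "dev-3", "firewallState": "enabled"},
    ]
})

if __name__ == "__main__":
    print(devices_with_disabled_firewall(SAMPLE_RESPONSE))
```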
Other items of interest
Threat Highlight Reports: December
Threat Advisory: Abuse of VPN features
Recently a proof-of-concept tool was released publicly that demonstrates how to deploy a rogue VPN server to exploit a feature found in multiple VPN products.
The tool demonstrates techniques to attack the SSL-VPN feature found in VPN products including, but not limited to: Cisco AnyConnect, SonicWall NetExtender, Palo Alto GlobalProtect and Ivanti Connect Secure.
Because of insufficient digital certificate verification, attackers could manipulate the SSL-VPN communication process.
If successful, the NachoVPN tool allows for remote code execution, credential theft, traffic interception, and/or privilege escalation.
You can sign up to receive the monthly Threat Reports, with full details of these threats.
In case you missed it
End of support for F-Secure branded Elements clients
As 2024 closed, support for F-Secure branded Elements clients was stopped. All supported products have an equivalent WithSecure branded version, and in most cases these will have been taken into use automatically. You can find more information here.
Share your ideas with us
Our purpose is to co-secure the world with you. To co-create the best possible cyber security products and services, we warmly recommend you share your ideas via the Ideas section of the WithSecure Community, now accessible directly from WithSecure™ Elements Security Center.
Further information
Changelogs and Release Notes for all parts of WithSecure™ Elements can be found at the Help Center