Elements Security Center
Retention information for Security Events
It is now possible to see the retention period for the Security Events, showing how long each will remain visible in the portal.
Improved Endpoint encryption and encrypted drive view
In the device details section, the level of detail has been improved. This is only available for Windows devices at present.
Multi-factor authentication (MFA) enforcement available in Elements
It is now possible to enforce MFA for all Elements users in a specific Elements organization by request. The MFA enforcement can be requested by contacting WithSecure support.
Things to consider before enforcing MFA:
- Users must be informed in advance that MFA will be enforced so that they will have a phone with an authentication app. Call/SMS authentication is not currently supported.
- Any authentication app is supported, but we recommend an app that supports backup (e.g. Authy, 1Password, Microsoft Authenticator...)
- MFA is automatically enforced for any new users
- We cannot remove MFA enforcement (only disable it for new users)
- Any account used by the API must be separate from an account used by a real person. As long as an API account is used only for API calls, MFA is not forced. But if the account is also used for browser access, MFA will be enforced and API calls will fail. To recover, log in to the account with a browser, disable MFA from settings, and log out.
- An account must be individual and cannot be shared by a team
- Phone lost: We cannot reset MFA after the phone is lost. The account will have to be deleted and recreated (occasionally requiring WithSecure support assistance). That is why the user should store the recovery codes or configure the backup in the authentication app.
- Phone changes: The authentication app typically offers a solution covering the change of phone. One option is to log in to the portal with the old phone, disable MFA and log out. Then log in again, going through the MFA setup with the new phone.
- The MFA enforcement setting is not visible in the UI.
- Limitation: Only applicable to EPP/EDR and Vulnerability Management users
- For partners only: MFA enforcement is inherited by all resellers and companies in your hierarchy. They must be informed as well.
- For partners only: Newly created companies will be automatically set to MFA enforced.
- For partners only: "Company move" (typical when two partners merge) is not supported. It only means that you must remind WithSecure to set MFA enforced on the company after the move.
Confirmation dialog for potentially disruptive remote operations
A confirmation dialog has been added for potentially disruptive remote operations, to ensure the admin is completely sure they want to complete the action. This is because the actions are disruptive for the user of the device.
Confirmation is asked for the following operations:
- Restart system
- Network isolation
- System drive encryption
- Turn off security features
- Uninstall
- Request diagnostic file
Info flyouts for some Device View fields
The info flyouts contain general information about the column and / or information about the possible values that the column in question can have.
New Issue in Elements EPP dashboard
A new Issue type in Elements EPP dashboard has been added: "Servers no longer connected to Elements".
This new issue type helps to identify which servers stopped communicating with Elements, potentially due to problems or misconfiguration.
Improved Audit Log
It is now possible to filter Audit Logs by Transaction ID. This can be helpful in some situations.
At the same time, audit log events were added when enabling and disabling Security events email notifications.
Improved subscription message for WithSecure Vulnerability Management
The popover message for 'WithSecure Vulnerability Management' in Subscription view has been improved to make it clearer when to use the VM subscription key.
Improved timestamp formatting in exported CSV files
Timestamps are now in human-readable format in device CSV export files.
Browsing Protection exceptions added to Network Location Settings
It is now possible to enable the Browsing Protection/website exception via the "Network Location Settings", allowing this to be location dependent. This is useful in some scenarios where the admin wants to allow access based entirely on the user’s current location.
Elements Endpoint Protection
Installation option to use Active Directory GUID as unique identifier
It is now possible to specify at installation time that the device should be identified using the Active Directory GUID, within the Elements solution.
This can be helpful in organizations using Active Directory, as it can prevent duplicate devices being created.
This installation option is available when installing using the EXE based installer, and also during MSI installation.
Elements Agent 22.8
This release makes the Elements Agent version 22.8 available (internal version 4.39.527).
The endpoints automatically upgrade, without a reboot.
- Added a remote operation to temporarily enable debug logs
- Latest installed hotfix information reported to portal
Elements Protection for Mac 22.3.46135
This release for macOS introduces some new security postures, which are visible in the portal.
Linux Protection (Linux Security 64 version 12.0.409)
New versions of Linux Security 64 (version 12.0.409), FSBG (version 1.0.703), and BaseGuard (version 1.0.723) updates have been released. FSBG and BaseGuard are components of Linux Protection. These updates include the following changes:
- It is now possible to bypass distribution compatibility checks and run the product on systems that are not officially supported. The main use case for this feature is to enable running the product on various "clone" distributions that resemble one of the supported distributions.
- Improved integrity checker integration with updates installed via system package manager. Integrity checker baseline can now be automatically updated after a system update has been installed. Currently APT and DNF package managers are supported.
- Support has been added for using wildcards in on-access scanning.
Elements Collaboration Protection
The team has made several releases during November, completely transparently to the customers using the Collaboration Protection solution.
Amongst the changes in these releases:
- The solution now supports URLs of up to 2000 characters in length
- Various user interface improvements
- Additional Response Action: Removal of quarantined item
- Expired quarantined SharePoint sites are automatically deleted according to the policy
Elements Vulnerability Management
The team made two releases during November, again completely transparently to the customers.
Amongst the changes this month:
- Summary reports now contain the asset risk score and importance attributes in various formats (.xml, .xlsx, .docx).
- New reports use the new WithSecure brand.
- WithSecure brand styles and color palette have been applied to the portal.
- The status on the Device Discovery page has been extended with information about problems that may occur on the device which can block VM scanning. The expanded section of the row contains the issue explanation with a short guidance on how the problem can be solved.
Use of SSH credentials
It is now possible to provide SSH credentials (in the Elements VM user interface) for network device scans.
You can use the existing System Scan configuration template to define how to authenticate to a network device, and a Security administrator can use the existing System Scan configuration to define credentials for the network device scan. The "Linux credentials" section has been renamed to "SSH credentials (Linux, network devices)".
These credentials are used to authenticate to network devices and to extract operating system and firmware versions. These are reported in the vulnerability report as an informative finding, specific for each network device vendor. If the network device version is known to be vulnerable, the report will list related vulnerabilities. The current, first release supports Cisco IOS, Cisco IOS XE, and FortiOS and will be extended with other network device vendors in upcoming versions.
Methods to authenticate network devices will be extended as well in the future.
Integrations
Security Events specification is visible in production
The API information relating to Security Events is now publicly available. This information can be useful to customers integrating to our solutions.
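- List of events: https://connect.withsecure.com/getting-started/security-events
- API reference: https://connect.withsecure.com/api-reference/security-events#overview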
Elements API update
It is now possible to use the Security Events endpoint to fetch events for partner organizations.
Other items of interest
Elements Changelogs rationalization
As part of the unification process at WithSecure, the publishing of changelogs has been consolidated to make them accessible in a consistent manner.
Below you can find links to all of the changelogs.
It is possible to subscribe to notifications when a log has been updated:
- First, go to the specific thread and click to bookmark it.
- Then go to your profile settings → notification preferences and choose to be notified when people comment on your bookmarked discussions.
Threat Highlights – October 2022
Download the full report
In case you missed it
Reminder: Changes in internet domains for WithSecure™ Elements
As mentioned in the October edition of What’s New, WithSecure is changing the domain names of some servers used to access the solution.
Please see https://community.withsecure.com/en/kb/articles/29681-changes-in-internet-domains-for-withsecure-elements for more details.
Share your ideas with us
Our purpose is to co-secure the world with you – now as WithSecure™. To co-create the best possible cyber security products and services, we warmly recommend you share your ideas via our Ideas Portal, now accessible directly from WithSecure™ Elements Security Center.
Further information
Changelogs and Release Notes for all parts of WithSecure™ Elements can be found at the Help Center
https://connect.withsecure.com/getting-started/security-events
https://connect.withsecure.com/api-reference/security-events#overview