Elements Security Center – Scope Management
We have made some changes in the way the organizational scope is shown in the Elements Security Center, which make it more consistent across all parts of the Elements portfolio. You can find more details below.
Elements Security Center
All charts in the reports page can now be exported as SVG files
Added a history log of device data changes to device details.
Currently supported fields are: Overall protection, Software updates status, Network isolation, Reboot needed, Assigned profile, Profile assignment state, IP addresses, Public IP, Last user and UPN.
Changes to saved views
Custom views can now be shared by using the "Move to organization views" button. Organization views are visible to all admins at the same organization level.
It is now possible to set a view as default. Default view will be applied by default the next time you log into portal.
Organization and system views can now be hidden.
Device details now has an option to Connect with RDP
It is now possible to connect with RDP to computers directly from Elements portal.
Please Note: This features requires a premium subscription.
Export affected devices
It is now possible to export the list of affected devices from flyout for selected missing updates.
Software updates installation log changes
The log now shows separate column for KB ID
Elements scope management.
Elements scope management
Elements Security Center scope management has been introduced. This changes the way how WithSecure Elements Security Center is used to manage multiple Companies under Solution Provider (SOP) or Service Partner (SEP) organisation.
All companies under same organisation hierarchy
Elements Security Center has one organisation hierarchy. This is tree like three level hierarchy to help to manage large amount of companies. With Elements scope management this three level hierarchy is shared and synchronised across all Elements security capabilities.
Elements scope selector user interface component visualises organisation hierarchy and highlights what types of subscriptions each company has (see picture below).
Here "Data Fellows Security" is top level Solution Provider (SOP) organisation having multiple companies under it. Elements scope selector shows indicator of subscription type within company and shows union of available subscription types for Solution Provider and Service Partner organisations.
In the example "BE Consultancy Services" company has Endpoint Protection, Endpoint Detection and Response, and Vulnerability management subscriptions (highlighted icons). "BE Consultancy Services" does not have Collaboration Protection or Cloud Security Posture Management subscriptions (dimmed icons).
Synchronised scope selection
With these improvements scope selection within Elements is fully synchronised between different parts of the Elements Security Center. This means that when you change organisation while being in Endpoint Protection dashboard and then move to any other part of Elements Security Center e.g. to Collaboration Protection dashboard your organisation selection is always preserved until you explicitly pick another organisation scope.
Navigation menu of Elements Security Center adapts to features that are available for selected organisation and current user.
Sample below shows navigation menu behaviour when selected organisation has limited set of subscriptions available.
The company called "Computational Fluid Dynamics" only has Endpoint Protection and Endpoint Detection and Response subscriptions so other Elements security capabilities are not available due to missing subscription. Common management functionalities are available for all organisations.
In cases where organisation has subscription but users access to given security capability is limited this is indicated in Elements menu with "No access". In sample below user does not have access role to Cloud Security Posture Management while organisation does have subscription for it.
It is also possible that company organisation has restricted Solution Provider and Service Partner access to their company data. These cases are indicated with "Restricted" label in corresponding menu item (see sample below).
Elements Endpoint Protection
Elements Agent for Windows and Server new version 23.5
A new version of the endpoint client for Windows is available. This release makes the Elements Agent version 23.5 available (internal version 23.5.378).
The endpoints automatically upgrade, without a reboot.
We have added a new feature to the client, which can rollback unwanted changes in the unlikely event that some malware has been allowed to run.
Remote change of local exclusion lists
It is now possible to remotely change local exclusion lists, directly from the Elements Security Center.
Remote Action to restart Elements Agent
We have added a new remote operation to restart Elements Agent right from the Elements Portal. Restarting services allows to fix various client problems without making a system reboot.
CPU information reported to Security Center
The Elements Agent now reports CPU information to the portal
Agent includes more information to Elements Security Center
The Agent now sends more information about shared folders and logged in users to the portal
Client now reports if RDP is enabled on client
The agent reports if the RDP services is enabled on the client, allowing the Elements Security Center to show an option to login with RDP
Elements Endpoint Detection and Response
New response actions released.
WithSecure Elements EDR has launched new response actions.
The new response actions include:
- Retrieve Amcache
- Retrieve event log tracing entries
- Retrieve jumplist files
- Retrieve Prefetch
- Retrieve RDP cache files
- Retrieve Recently Accessed Files
- Retrieve System Resource Usage Monitor database
These new response actions focus on identifying if persistence has been achieved on endpoints and provides a quick way for detection teams to collect this information.
The new response actions can be easily found using the search functionality within the Response wizard.
As with all other Response actions, these can run simultaneously on multiple devices with one response definition and results (from the selected devices) available and stored within the Elements portal.
New automated way to suppress repeating false positives
A new way to suppress noise has been implemented to XDR Detection pipeline. After this change was applied, the incident (aka BCD) creation delays have been much less than before!
Closed - False Positive: The incident has been closed and is no longer monitored. The detection was not malicious.
Closed - Auto False Positive: The incident has been closed automatically as false positive based on identical incidents that have been closed as false positive.
To optimize system performance, an automated suppression mechanism will activate if any detection part of an incident marked as false positive repeats more than 4 days within a 30 days period, or repeats more than 5 times a day.
If later an incident earlier marked as False positive is marked as Confirmed, all identical incidents are automatically reopened. In such event also the automated suppression mechanism would be deactivated for future detections.
Elements Collaboration Protection
In June the Collaboration Protection team completed the sequence of improvements on the product backend and infrastructure systems. These improvements are set of long lasting and architectural changes covering switch to multi-tenancy, recovering on critical points, overcoming technical limitations and technical debt.
The key outcomes of these changes are:
- Faster response time, time on scanning and taking action upon detected harmful content
- Decrease of a tenant onboarding time, correspondently time on initial protect
- System stability and reliability.
Elements Vulnerability Management
The following capabilities were added to authenticated scanning for Windows:
- Detect vulnerabilities in USB for Remote Desktop
- Detect vulnerabilities in Tracker PDF-XChange Editor
- Detect vulnerabilities in Fortinet
- Detect vulnerabilities in OpenSC
Elements Vulnerability Management Portal
Added an activity log for the deletion of asset alias events
This log provides visibility into the actions taken when an asset alias is deleted, allowing for better tracking and auditing of asset management activities.
Added event logging functionality for enabling and disabling agent scanning.
Endpoint Protection API: Provisioning invitations endpoints end of life on 3rd of November 2023
The old invitations endpoints are deprecated and should be replaced by the new Elements devices endpoints:
The following Endpoint Protection API invitation endpoints will stop working on 03.11.2023:
- Create new invitation
- List pending or expired invitations
- Remove invitations
- Renew expired invitations
- Resend pending invitations
Reminder: In order to provide a better and unified set of APIs for WithSecure Elements, we are progressively deprecating the Endpoint Protection API and replacing it by Elements API. The following endpoints will reach their end of life soon as indicated earlier in this change log:
- Computers endpoint: 30th of May
- Security events endpoint: 30th of June
- Companies endpoint: 31st of July
Update Service Partner (SEP) name
This new API call allows to change an existing Service Partner(SEP) name by using the unique identifier as described in this link.
New properties have been added to to device list endpoint
- Total and free space on system drive
- Total and free physical memory
- Vulnerability Management risk score. That values is calculated only for devices with active VM module
- EDR incidents counters
- Computer model and BIOS version
- Version of malware database and timestamp of its last update
- List of MAC addresses
- Property that indicates if user has administrator privileges
New endpoints have been published:
- Update device state - client can block or inactivate devices
- Remove devices - client can delete device
- List devices endpoint was updated and now devices can be filtered by state. Also, state field is always returned in the response.
A new endpoint has been published:
- List incidents - client can view list of the incidents in the organization
Other items of interest
Monthly Threat Highlights Report: May 2023
Newly introduced top-level domains
The report highlights the dangers associated with newly introduced top-level domains and how they can be exploited by cybercriminals to launch phishing attacks and other malicious activities.
Bypassed vulnerabilities in Microsoft Outlook
The report discusses a recent vulnerability in Microsoft Outlook that was patched but could still be bypassed due to a bug in the HTML platform. This vulnerability could allow attackers to execute malicious code on affected systems.
Actively exploited vulnerabilities in common WordPress plugins
The report identifies several actively exploited vulnerabilities in common WordPress plugins, including a high-severity reflected cross-site scripting (XSS) flaw in the Advanced Custom Fields plugin.
The growing infostealer marketplace
The report provides an update on the state of the growing infostealer marketplace and how it is being used by cybercriminals to steal sensitive information from individuals and organizations.
The state of hacktivist groups
The report provides a brief update on the state of so-called hacktivist groups and their activities, including recent attacks against government agencies and corporations.
The current state of ransomware
Finally, the report takes a closer look at the current state of ransomware and identifies several newcomers to this growing threat landscape.
In case you missed it
Share your ideas with us
Our purpose is to co-secure the world with you – now as WithSecure™. To co-create the best possible cyber security products and services, we warmly recommend you share your ideas via our Ideas Portal, now accessible directly from WithSecure™ Elements Security Center.
Changelogs and Release Notes for all parts of WithSecure™ Elements can be found at the Help Center