Editor’s Highlights
Dynamic Risk Scoring for Elements Vulnerability Management
WithSecure Elements Vulnerability Management now makes use of Dynamic Risk Scoring, to adapt the Risk Score based on current events and known exploits. You can find more information below in the Elements Vulnerability Management section.
Revised Broad Context Detections view in Elements Endpoint Detection and Response
We have made some changes to how BCDs are presented within Elements EDR. You can find more details under Elements Endpoint Detection and Response below. We think you'll like the changes!
Elements Security Center
Added filter by a device OS type for Security events
Added filter by Active Directory Organizational Unit for Security events
Unprotected devices that have previously had WithSecure EPP client installed
If these devices have been explicitly deactivated by the administrator, they are now considered protected, so they will not appear in the Unprotected devices listing.
Email reports view has been added
Devices Status report now has an info flyout
Similar events feature
We have added a feature intended to help security administrators look at the whole picture and acknowledge multiple events at once. In the action menu there is a new item, "Show similar", which opens a flyout with all the similar events. The Info icon near the title shows why we think these events are similar. The filters are copied from the main view, and you can adjust them to narrow your search further or to limit the number of events shown. At the bottom of the view there is an "Acknowledge all" button, which sends the acknowledgement request for all events currently visible in the view. Please note that acknowledging many events might be time-consuming and the result won't appear in the portal right away. There is also an upper limit of 10000 events that can be acknowledged simultaneously.
Please note:
- Read-only users can't acknowledge events, even with the "Acknowledge all" feature.
- The feature is available only for events starting from the 1st of Sep 2023. The action is not present for older events.
macOS 14 Sonoma notifications
Apple has released the next major operating system version, 14 (Sonoma), ahead of schedule, and our agent is not yet compatible with it. There are now two new issues in the EPP dashboard: one advising not to upgrade yet, and one showing which devices have already upgraded to the new OS version.
Elements Endpoint Protection
Elements Agent for Windows workstation and server: version 23.7
A new version of the endpoint clients is available.
This release makes the Elements Agent version 23.7 available (internal version 23.7.416).
The endpoints automatically upgrade, without a reboot.
New "away" option in automated tasks.
The "away" option allows an automated task to run after the user has been away for a defined number of minutes. For example, "@away 5" would run the task after the user has been away for 5 minutes.
New automated task to create a restore point.
There is a new automated task that creates a system restore point on the client.
Improvements to how the Windows operating system version is reported.
The client now also sends the Windows build number, and the build number is visible in the device details.
Remote action to turn off Application Control.
There is a new remote action to turn off Application Control.
Security events now also contain information about quarantined registry entries.
Previously, if a rollback happened and restored registry entries, the security event generated for it was missing information about the restored registry entries. The event now contains that information.
Security scanning exclusions improvements
It is now possible for administrators to enable and disable individual rules, instead of removing the rules completely. It is also possible to write a comment for each exclusion.
Running an automated task from the client user interface
It is possible to run an automated task from the client user interface. Running a task is only possible for administrative users and must be enabled separately in the profile.
Elements Endpoint Detection and Response
New Automated Actions view
WithSecure Elements EDR has released a new view called 'Automated actions'.
This replaces the old 'Automated response' view.
What has changed?
The functionality stays the same: you can still configure 'Device isolation' rules that run 24/7 and specify the risk level, as in the original 'Automated response' view. However, you can now also create an action rule with 'custom' scheduling, where you input the specific hours during which you want a rule to run, for example outside of office hours.
The new 'Automated actions' view includes all existing Device Isolation rules, so there is no need to worry about having to re-create them.
It includes the new 'custom' scheduling, so specific days and times can be applied for when you want the rules to run, for example, from 17:00 until 09:00 the next morning.
Lastly, the existing 'Automated response' view is still available for the next two weeks, in read-only mode, so you have time to get used to the new view.
Why?
Not only does this new feature provide custom scheduling, but it also starts to build towards our vision of including more automated actions within Elements: initially with the co-monitoring service and the new email notifications with risk level selection, and in the future with more response actions.
This new Automated Actions view is now available to use in Elements.
New Broad Context Detection details view
The new Broad Context Detection (BCD) details view has been fully released into production and is now the default view, replacing the old Broad Context Detection details view.
What has changed?
The new BCD details view has become the default view so when you click on the ‘Broad Context Detection’ menu option in Elements, you will now be presented with this new view.
The old BCD details view is still available to use, for a limited time, to give you more time to familiarise yourself with the new BCD view. You can navigate to the old BCD view via the ‘Go to old Broad Context Detection view’ button in the top right corner of the page.
You are able to elevate BCDs from within the new BCD details view. Previously, while the view was in 'Preview' mode, you had to navigate back to the old BCD view to elevate a detection. The new view supports both manual and automatic elevations and works exactly the same as the old view.
You are also able to change the default Elevation subscription token that is selected. The subscription expiring soonest is selected by default, but you can now see all available subscriptions and change to another one if you wish.
Extra information has been added to the new view to help you interpret the information displayed.
Elements Collaboration Protection
Blocking file types
The new feature "Blocking file types" has been enabled for all Collaboration Protection customers.
The policy settings were expanded to allow blocking of certain file types. Administrators can select the file types to be disallowed within the protected ecosystem from a list curated by our security experts. The system handles all files of the selected file types as harmful and acts according to a tool-specific policy setting. The feature does not rely on the file extension but leverages intelligent file type recognition.
Elements Vulnerability Management
Dynamic Asset Risk Score has been enabled.
The Static Asset Risk Score was calculated based only on the CVSS base score, with an additional boost for old and/or exploitable vulnerabilities, enhanced with the asset importance mark and the internet exposure flag.
Here are the improvements introduced in the second version of the Asset Risk Score, called "Dynamic Risk Score", which uses different boost factors:
- When there are no signs of exploitation, the score is corrected slightly (from -10% up to +60%) using the EPSS (exploit prediction) score.
- When there is an exploit, the score is boosted by 20-70%. The boost depends on our knowledge of the maturity of the exploit or on observed incidents related to the vulnerability.
- The score is boosted according to the number and age of cyber security reports describing the vulnerability.
- Other impacting factors are:
  - A few of the most severe vulnerabilities are taken into account, as opposed to the static risk score, which only took the top one.
  - The asset importance set by the customer is taken into account.
  - The visibility of the asset from the public internet is taken into account.
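To make the difference between a static and a dynamic asset risk score concrete, here is an added worked example (not WithSecure's code, and not its actual formula). It follows the factor list above: an EPSS correction in the -10% to +60% range when there is no known exploit, a 20-70% boost keyed to exploit maturity, a boost for the number and age of public reports, the top few vulnerabilities combined instead of only the top one, and customer-set importance plus internet exposure applied at asset level. All weights, the exploit maturity categories, the report-decay rule and the top-N combination are assumptions chosen for illustration; the sample asset and CVE identifiers are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# --- Assumed model parameters (illustrative, not WithSecure's values) ---
# Exploit boost by maturity: the page states 20-70%, the categories are assumed.
EXPLOIT_BOOST = {"none": 0.0, "poc": 0.20, "functional": 0.45, "in_the_wild": 0.70}
# Customer-set asset importance mark, mapped to a multiplier (assumed).
IMPORTANCE_FACTOR = {"low": 0.8, "normal": 1.0, "high": 1.2}
EXPOSURE_FACTOR = 1.10            # assumed boost for assets visible from the internet
TOP_N_WEIGHTS = [1.0, 0.5, 0.25]  # assumed weights for the few most severe vulns


@dataclass
class Vulnerability:
    cve: str
    cvss_base: float               # CVSS base score, 0.0-10.0
    epss: float                    # EPSS exploit prediction probability, 0.0-1.0
    exploit_maturity: str = "none" # key into EXPLOIT_BOOST
    report_ages_days: list[int] = field(default_factory=list)  # age of each public report


@dataclass
class Asset:
    name: str
    importance: str                # key into IMPORTANCE_FACTOR
    internet_exposed: bool
    vulns: list[Vulnerability]


def epss_correction(epss: float) -> float:
    """Map EPSS probability linearly onto a -10%..+60% adjustment (range from the
    page; the linear mapping is an assumption)."""
    p = min(max(epss, 0.0), 1.0)
    return -0.10 + 0.70 * p


def report_boost(ages_days: list[int], max_boost: float = 0.30) -> float:
    """Each report adds up to 10%, decaying linearly to zero over a year; the total is
    capped (assumed rule reflecting 'number and age of reports')."""
    total = sum(0.10 * max(0.0, 1.0 - age / 365.0) for age in ages_days)
    return min(total, max_boost)


def vuln_score(v: Vulnerability) -> float:
    """Dynamic per-vulnerability score on the 0-10 CVSS scale."""
    score = v.cvss_base
    if v.exploit_maturity == "none":
        score *= 1.0 + epss_correction(v.epss)       # no exploit: EPSS correction only
    else:
        score *= 1.0 + EXPLOIT_BOOST[v.exploit_maturity]  # exploit known: maturity boost
    score *= 1.0 + report_boost(v.report_ages_days)
    return min(score, 10.0)


def static_asset_score(asset: Asset) -> float:
    """Static-style score: only the single highest CVSS base score, plus asset factors."""
    top = max((v.cvss_base for v in asset.vulns), default=0.0)
    top *= IMPORTANCE_FACTOR[asset.importance]
    if asset.internet_exposed:
        top *= EXPOSURE_FACTOR
    return round(min(top, 10.0), 2)


def dynamic_asset_score(asset: Asset) -> float:
    """Dynamic score: weighted average of the top few vulnerability scores, then
    importance and exposure factors, capped at 10."""
    scores = sorted((vuln_score(v) for v in asset.vulns), reverse=True)[:len(TOP_N_WEIGHTS)]
    if not scores:
        return 0.0
    weights = TOP_N_WEIGHTS[:len(scores)]
    combined = sum(s * w for s, w in zip(scores, weights)) / sum(weights)
    combined *= IMPORTANCE_FACTOR[asset.importance]
    if asset.internet_exposed:
        combined *= EXPOSURE_FACTOR
    return round(min(combined, 10.0), 2)


# Constructed sample asset: a high-CVSS bug with no exploit activity, and a
# medium-CVSS bug that is exploited in the wild with recent public reports.
SAMPLE_ASSET = Asset(
    name="web-01",
    importance="normal",
    internet_exposed=True,
    vulns=[
        Vulnerability("CVE-0000-0001", cvss_base=7.5, epss=0.02),
        Vulnerability("CVE-0000-0002", cvss_base=5.0, epss=0.90,
                      exploit_maturity="in_the_wild", report_ages_days=[30, 200]),
    ],
)

if __name__ == "__main__":
    print("static :", static_asset_score(SAMPLE_ASSET))
    print("dynamic:", dynamic_asset_score(SAMPLE_ASSET))
```

On the sample asset the static score is driven by the 7.5 CVSS vulnerability, while the dynamic score is driven by the exploited 5.0 CVSS vulnerability, which is the behaviour the factor list above describes: exploitation evidence and fresh reporting outrank a higher base score that nobody is attacking.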
Elements Vulnerability Management: System Scan
The Elements Vulnerability Management System Scan was updated to detect vulnerabilities in the following products as part of authenticated scanning for Windows:
- Siemens JT2Go
- QNAP QVR Pro Client
In addition, a non-version-based detector was added for the VMware Aria Operations for Networks remote code execution vulnerability (CVE-2023-34039).
Elements VM Scan Node Agent: Linux
A new version of the Linux Scan Node Agent was released, fixing several known issues and also adding registration towards the Elements Vulnerability Management system.
Integrations
Endpoint Protection API: Subscriptions endpoints end of life on 11th of March 2024
The old subscriptions endpoints are deprecated and should be replaced by the subscription endpoints in the Provisioning API. To use this API, you need to request read-only Provisioning API credentials from WithSecure Support. Access to the Provisioning API is only available for partner (SOP) accounts.
The following Endpoint Protection API subscriptions endpoints will stop working on 11.03.2024:
- Get company subscription details
- Get partner subscription details
- List company subscriptions
- List partner subscriptions
- Remove computers from subscription (replaced by Elements API endpoints “Update device state” or “Delete device”)
REMINDER: Elements Connector: Customers still using the (End of Life) Endpoint Protection API to login need to change API authentication credentials
In order to provide a better and more unified set of APIs for WithSecure Elements, we are progressively deprecating the Endpoint Protection API and replacing it with the Elements API. If your Elements Connector is used to stream security events from the WithSecure Elements portal to your SIEM and was configured before the 23.05 release, it might still be using the Endpoint Protection API.
The Elements Security Center will warn you in the Issues list if action is needed.
A corresponding warning is also shown in the Connector device view.
In order to preserve event forwarding functionality, please switch over to using Elements API credentials before 31.12.2023. You can find full details of the required changes in the user guide.
In case you missed it
Reminder: WithSecure products and macOS 14 “Sonoma”
As you may be aware, Apple has announced that the next version of macOS (version 14, also known as "Sonoma") will be released on September 26th 2023.
Unfortunately, this release introduces incompatibilities with some WithSecure products.
The affected products for Mac are:
- WithSecure Elements Endpoint Detection and Response
- WithSecure Elements Endpoint Protection
- WithSecure Client Security (formerly F-Secure Client Security)
- WithSecure Countercept
We have created a Knowledge Base article which details the current status of our support for Sonoma. Our current advice is to NOT upgrade to Sonoma at this time, unless it is critical for your business.
WithSecure is working hard to address these issues and will provide updates via the Knowledge Base page.
Share your ideas with us
Our purpose is to co-secure the world with you – now as WithSecure™. To co-create the best possible cyber security products and services, we warmly recommend you share your ideas via our Ideas Portal, now accessible directly from WithSecure™ Elements Security Center.
Further information
Changelogs and Release Notes for all parts of WithSecure™ Elements can be found at the Help Center