Editor’s Highlights
We recently launched Server Share Protection, part of Elements EPP for Windows Servers. It can detect malware activity on shared folders and automatically restore files that were damaged or encrypted by malware running on a remote device. You can find more information in the Elements Endpoint Protection section below.
During December we also launched Teams Protection as part of Elements Collaboration Protection. It adds protection when using Microsoft Teams, including scanning of files shared in chats and channels so that links to harmful content can be blocked. More information can be found in the section for Elements Collaboration Protection.
Elements Security Center
Improvements
Device details page has a link to device specific audit logs
It is now possible to view audit logs relevant to one device.
Other Improvements
- Security Events now always shows the Quarantine action for manual-scan events; if the file is too large or is not an archive, clicking the action shows a warning banner explaining why it cannot be quarantined
Audit log improvements:
- The "Source and Target" column has been simplified to "Target", and the "Profile" and "Details" prefixes have been removed from its values
- Audit logs have a new filter for Device UUID
Elements Endpoint Protection
Improvements
WithSecure Elements Mobile Protection for iOS and iPadOS (19.2.285003) has been released
- The app is now faster and consumes fewer device resources.
- The app now uses the WithSecure brand.
- The assigned profile's name and version are now visible in the user interface under the About section.
- Support for iOS versions 12 and 13 is dropped.
Software Updater can now notify users about newly detected missing updates
Additional items in Audit logs
The audit log now records the first two remote actions triggered from the portal: Send Full Status and Uninstall
Additional Protection icons are now available
In the device list, protection status icons have been added to the Overview of Protection Status, Overall Protection, Malware Protection and Firewall columns.
Feedback form for Profile Assignment rules is now available
It is now possible to provide feedback directly from the Profile Assignment Rules section.
[PREMIUM] System events detection
Starting from client release 22.9, selected Windows system events are forwarded to Security Events. By default these are:
- Audit log was cleared
- User account was locked out
- An account failed to log on
In addition to these, administrators can enable many other system events in the profile.
NEW FEATURE: Server Share Protection
Starting from client release 22.9, the Elements Agent running on Windows Servers can detect malware activity on server shared folders and automatically restore files that have been damaged or encrypted by malware. By default the feature only reports a security event and does not restore files; administrators must enable restoration in the profile.
For further details, please see the Introducing Server Share Protection Community article.
History of updates for each Windows device
Administrators can check the installation status of updates on each Windows device and see the Software Updater database version.
Elements Endpoint Detection and Response
New and updated response actions
WithSecure Elements EDR has launched new and updated response actions.
Retrieve Browser artefacts
This response action retrieves browser history from the device.
When a device is infected with malware, the user often downloaded it via their web browser. By retrieving the browser history, you can find out where the malware was downloaded from (i.e. the source URL).
This new action is available in the response wizard.
The action can collect artefacts from various browsers, either for all user accounts (the default) or for a specified user only.
Like all other responses, it can be run on multiple devices with one response definition, and the results from all selected devices are stored in and available from the management portal.
Delete files
The Delete files response action has two new parameters.
When deleting files from devices, there is now an option to retrieve the file before deleting it, which combines two actions into one. The action also verifies that the deletion succeeded, and the delay between executing the deletion and verifying the result can be configured. This can be used to confirm that, for example, a persistence mechanism did not restore the file after it was deleted.
Elements Collaboration Protection
Detections view major redesign
The latest version of the Detections view brings together several enhancements to better support the day-to-day work of security administrators. The updated design emphasizes the most important information, such as the description of a security alert, its severity and the affected asset. Additional cross-links simplify portal navigation.
NEW FEATURE: Teams Protection released
More and more organizations use Microsoft Teams for collaboration, including the sharing of documents.
It is quite common for users to upload files into Microsoft Teams to share with colleagues and customers, and this introduces some risk. If the user's device does not have adequate anti-malware protection installed, uploaded documents may contain malware or other undesirable content, and other users opening these files may end up with infected devices.
Teams Protection, part of WithSecure™ Elements Collaboration Protection, can now scan uploaded content, and if it is found to be harmful the content can be deleted or quarantined.
You can read more about it in our separate release announcement.
Elements Vulnerability Management
Improvements
Improved detection of D(HE)at
The Network scan can now detect exposure to the D(HE)at (Dheat) attack, a denial-of-service attack that exhausts server CPU through repeated Diffie-Hellman key exchanges, for both SSL/TLS and SSH services.
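The following is an added example, not part of the WithSecure scanner or of this newsletter: a local check of the configuration setting behind a D(HE)at finding. The attack forces many finite-field Diffie-Hellman handshakes, so what matters is whether a server still offers finite-field DH(E) key exchange in SSH or TLS; elliptic-curve exchange (ECDHE, X25519, ecdh-sha2-*, curve25519-sha256) is not flagged. The `sshd -T` output and the cipher and group lists below are constructed samples.

```python
"""Flag finite-field Diffie-Hellman key exchange in SSH and TLS configuration.

Added example (not WithSecure's code). Inputs are the local daemon configuration
(`sshd -T`, an OpenSSL cipher list, a TLS 1.3 groups list); nothing is scanned
over the network.
"""
import re

# OpenSSH KEX names that use finite-field DH: fixed groups (group1/14/16/18)
# and the negotiated-group variants (group-exchange). An optional "@vendor"
# suffix is tolerated.
_SSH_FFDH = re.compile(r"^diffie-hellman-group(\d+|-exchange)-sha\d+(@.*)?$")

# Tokens marking finite-field DH in OpenSSL ("DHE-RSA-...", "EDH-...", "ADH-...")
# and IANA ("TLS_DHE_RSA_WITH_...", "TLS_DH_anon_...") cipher-suite names.
# "ECDHE" is a different token, so elliptic-curve suites never match.
_TLS_FFDH_TOKENS = {"DH", "DHE", "EDH", "ADH"}


def ffdh_ssh_kex(kex_list: str) -> list:
    """Return the finite-field entries of a comma-separated KexAlgorithms value."""
    return [k.strip() for k in kex_list.split(",") if _SSH_FFDH.match(k.strip())]


def ffdh_tls_ciphers(cipher_list: str) -> list:
    """Return suites (':'-separated OpenSSL list or whitespace-separated IANA
    names) that negotiate finite-field DH, comparing name tokens exactly."""
    names = [n for n in re.split(r"[:\s]+", cipher_list) if n]
    return [n for n in names if _TLS_FFDH_TOKENS & set(re.split(r"[-_]", n))]


def ffdh_tls_groups(groups: str) -> list:
    """Return TLS 1.3 named groups that are finite-field (ffdhe2048..ffdhe8192)."""
    return [g for g in re.split(r"[:,\s]+", groups) if g.lower().startswith("ffdhe")]


def audit_sshd_T(output: str) -> list:
    """Parse `sshd -T` output (one 'keyword value' per line) and return the
    finite-field KEX algorithms the daemon would offer to clients."""
    for line in output.splitlines():
        key, _, value = line.strip().partition(" ")
        if key.lower() == "kexalgorithms":
            return ffdh_ssh_kex(value)
    return []


# Constructed sample inputs (not taken from a real host).
SAMPLE_SSHD_T = """\
port 22
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
"""
SAMPLE_TLS_CIPHERS = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:AES128-SHA"
)
SAMPLE_TLS_GROUPS = "X25519:P-256:ffdhe2048"

if __name__ == "__main__":
    print("SSH finite-field KEX offered:", audit_sshd_T(SAMPLE_SSHD_T))
    print("TLS finite-field DH ciphers:", ffdh_tls_ciphers(SAMPLE_TLS_CIPHERS))
    print("TLS finite-field groups:", ffdh_tls_groups(SAMPLE_TLS_GROUPS))
```

Any non-empty result means the host will perform a modular exponentiation for every handshake a client requests, which is what the attack abuses. The usual remediation is to drop the flagged entries in favour of elliptic-curve exchange, or, where finite-field DH must stay for compatibility, to keep group sizes small and rate-limit new connections.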
Integrations
Elements API changes in existing endpoints
We have recently made some changes in existing API endpoints:
- Devices and Security Events endpoints: the organizationId parameter is now optional. If it is not present, the default organization of the authenticated client is used.
- Organizations endpoint: a new optional organizationId parameter has been added; the endpoint now lists the organizations belonging to the requested organization (including itself if the type matches). If the parameter is not present, the default organization of the authenticated client is used.
- Security events endpoint supports filtering by engine (e.g. EDR) and by severity (e.g. critical)
- Security events endpoint supports a new engine: System events log. Which event log types are sent must be configured in the EPP profile
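As an added example (not WithSecure's own client code), the following pulls security events through the endpoint changes listed above and the System events detection feature described in the Endpoint Protection section: organizationId is omitted so the client's default organization applies, engine and severity are passed as filters, and results are paged. The host name, the bearer-token handling and the paging field names (`anchor`, `nextAnchor`) are assumptions, not taken from this page; verify them against the API reference linked at the end of this page. The sample pages are constructed, not real API output.

```python
"""Query the Elements Security Events API with engine/severity filters and paging.

Added example, not WithSecure's code. Assumed (check the API reference):
API host, bearer-token header, and the "anchor"/"nextAnchor" paging fields.
"""
from __future__ import annotations

import json
import urllib.parse
import urllib.request
from collections import Counter
from typing import Callable

API_BASE = "https://api.connect.withsecure.com"      # assumed host
EVENTS_PATH = "/security-events/v1/security-events"  # path from the API reference link


def build_events_url(organization_id: str | None = None,
                     engine: str | None = None,
                     severity: str | None = None,
                     anchor: str | None = None) -> str:
    """Compose the GET URL. organizationId is optional: when left out the API
    uses the authenticated client's default organization, so it is only
    included in the query string when a value is given."""
    params = {"organizationId": organization_id, "engine": engine,
              "severity": severity, "anchor": anchor}
    query = urllib.parse.urlencode({k: v for k, v in params.items() if v})
    return f"{API_BASE}{EVENTS_PATH}" + (f"?{query}" if query else "")


def get_json(url: str, token: str) -> dict:
    """One authenticated GET with an OAuth2 bearer token (network; not run offline)."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def collect_events(fetch: Callable[[str], dict],
                   organization_id: str | None = None,
                   engine: str | None = None,
                   severity: str | None = None,
                   max_pages: int = 100) -> list:
    """Follow the assumed nextAnchor field until the API stops returning one.
    `fetch` maps a URL to parsed JSON, so the loop can be driven offline."""
    items, anchor = [], None
    for _ in range(max_pages):
        page = fetch(build_events_url(organization_id, engine, severity, anchor))
        items.extend(page.get("items", []))
        anchor = page.get("nextAnchor")
        if not anchor:
            break
    return items


def summarize(items: list) -> dict:
    """Count events per engine and per severity as a quick sanity check of a pull."""
    return {"engine": Counter(e.get("engine", "unknown") for e in items),
            "severity": Counter(e.get("severity", "unknown") for e in items)}


# Constructed sample pages (not real API output), keyed by the anchor that fetches them.
SAMPLE_PAGES = {
    None: {"items": [
        {"engine": "edr", "severity": "critical"},
        {"engine": "systemEventsLog", "severity": "warning",
         "details": {"description": "Audit log was cleared"}},
    ], "nextAnchor": "page-2"},
    "page-2": {"items": [
        {"engine": "systemEventsLog", "severity": "info",
         "details": {"description": "An account failed to log on"}},
    ]},
}


def fake_fetch(url: str) -> dict:
    """Offline stand-in for get_json: serves the constructed page for the URL's anchor."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return SAMPLE_PAGES[qs.get("anchor", [None])[0]]


if __name__ == "__main__":
    print(summarize(collect_events(fake_fetch)))
    # Live use: collect_events(lambda u: get_json(u, token), engine="edr", severity="critical")
```

Because the old "Poll for security events" endpoint is being retired (see below), a scheduled pull like `collect_events` over the new endpoint, storing the last anchor between runs, is the replacement pattern to plan for.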
Changes in Endpoint Protection API
Security events endpoints are deprecated
The old security events endpoints are deprecated and should be replaced by the new Elements security events endpoints.
The following security events endpoints will stop working on 30.06.2023:
- List security events for a company
- List security events for a partner
- Poll for security events
Infections endpoints have been removed from the documentation and may stop working at any time.
Other items of interest
November's Threat Highlights Report
Ransomware: Trends and notable reports
- Quantum Locker targets Cloud Environments
- The Rise of Royal Ransomware
- BlackBasta linked to FIN7 Threat Actor
- US Govt issues HIVE ransomware advisory
Other notable highlights in brief
- DTrack activity targeting Europe and Latin America
- Emotet botnet operational after 5-month hiatus
- ProxyNotShell Exchange Exploits Available
- OpenSSL Vulnerability Downgraded
Research highlights
- DUCKTAIL, continued
- Machine learning accuracy forecast
You can download the full report here
Upcoming change to Elements Vulnerability Management
Starting from March 1st 2023, Elements Vulnerability Management will start to use CVSSv3 for scoring vulnerabilities. We have created a dedicated article relating to this change, including all the information our customers using Elements Vulnerability Management need to know.
In case you missed it
Reminder: Changes in internet domains for WithSecure™ Elements
As mentioned in the October edition of What’s New, WithSecure has now changed the domain names of some servers used to access the solution.
Please see https://community.withsecure.com/en/kb/articles/29681-changes-in-internet-domains-for-withsecure-elements for more details.
If you have encountered any issues after this change, please check the above article for solutions.
Share your ideas with us
Our purpose is to co-secure the world with you – now as WithSecure™. To co-create the best possible cyber security products and services, we warmly recommend you share your ideas via our Ideas Portal, now accessible directly from WithSecure™ Elements Security Center.
Ideas received are always evaluated by our team and, if suitable, acted on. Some smaller items have been delivered to customers in as little as two weeks from being suggested. Bigger items naturally take longer.
Further information
Changelogs and Release Notes for all parts of WithSecure™ Elements can be found at the Help Center.
https://connect.withsecure.com/api-reference/elements#get-/organizations/v1/organizations
https://connect.withsecure.com/api-reference/elements#get-/security-events/v1/security-events