SES Evolution 2.5.3 new features and enhancements
Warning
Before updating your solution from a version 2.3.x to version 2.5.3, you must download and deploy the 2304a security policy. To download it, go to your MyStormshield client area or to the Stormshield Updates panel in your administration console.
Pool protection
Isolating users' computers
When there is a suspected attack on a workstation in the pool, you can now isolate the workstation from the rest of the network by cutting off incoming and outgoing connections from the administration console.
If the suspected attack is confirmed, isolating a workstation with SES Evolution can quickly prevent the attack from spreading to the rest of the pool.
In the administration console, you can isolate computers, see the list of isolated computers and undo isolation.
Quarantining malicious files
When creating a remediation task during an attack, you can now choose to quarantine files that you think may be malicious. These files will be placed in a protected folder on the workstation. They cannot be run or cause any harm while you analyze them, after which you can choose to restore or delete the files.
In the administration console, you can establish a list of folders to exclude. The files that they contain will never be quarantined.
You can also configure protection rules in security policies to automatically quarantine executable files.
Quarantined files are automatically deleted after 40 days or when the folder reaches 1 GB.
Sending e-mail notifications
SES Evolution administrators can now receive e-mail notifications when there are security alerts. You can then be quickly warned when certain events occur on your pool, without the need to constantly monitor the administration console. By using notification rules, you can configure the types of logs that trigger notifications, how frequently they are sent and the e-mail addresses of recipients.
Sending activity reports by e-mail
You can configure the sending of reports by e-mail. These reports provide information on the activity of your pool by recapping the security indicators and operational indicators displayed in the console dashboard. They can be sent to users who are not SES Evolution solution administrators. By using notification rules, you can configure the frequency of such reports and their language (French, English, German or Spanish).
Protection against EDR (Endpoint Detection and Response) detection bypass
In the Threats tab of a security policy, a new protection is available: EDR detection bypass. It protects against attacks that seek to disable EDR detection modules.
Protection against fileless attacks
In the Threats tab of a security policy, a new protection is available: Fileless attack. It protects against attacks that strike without writing malicious files on workstations.
New default policies
As of version 2307a of security policies, the default policy has been divided into three levels. There are now three default policies:
Policy | Description |
---|---|
Simplified default policy | Enables the quick and simple deployment of SES Evolution in a pool, dedicating few human resources to it and without the need for modular administration. Can be used without any specific configuration. |
Default policy | Constitutes a balanced compromise between the administration effort required and a security level that matches most organizations' needs. |
Hardened default policy | Raises the security level of a pool to the highest level, at the cost of more demanding administration. Test it with a pilot group before deploying the policy, to benefit from its protection while keeping false positives to a minimum. |
New built-in rule sets
As of version 2307a of security policies, the two shared rule sets below were added.
Rule set | Description |
---|---|
Hardening against portable software | Blocks all executable files run outside standard installation folders. |
Hardening of software installation folders | Prevents attackers from modifying a program's files in its installation folder in order to take its place in the system. |
As of version 2310a of security policies, the two shared rule sets below were added.
Rule set | Description |
---|---|
EDR feature audit | Launches WMI detection to search for information on the updates installed on the operating systems in use. |
Syslog - Audit template (excludes reading) to be sent to a syslog | A template that captures all events other than file read and registry read operations and sends them to another security solution via syslog. |
Modularizing rule sets
As of version 2307a of security policies, the following rule sets have been divided so that they can be used more modularly. Features can be enabled independently without having any impact on other rule sets:
The rule set... | becomes... |
---|---|
Audit of attack contexts | Three rule sets: |
Data leak prevention | Four rule sets: |
For further information on security policies and built-in rule sets, refer to the release notes on configuring SES Evolution security in your MyStormshield client area (under Downloads, then in SES Evolution Security resources).
SES Evolution public API
Stormshield provides a new public API that makes it possible to manage SES Evolution via orchestration solutions such as SOAR. In version 2.5.3, the public API allows you to use the following SES Evolution features, among others:
- Shut down a process;
- Delete files, keys or registry values;
- Isolate a workstation from the network;
- Perform remediation tasks during ransomware attacks. Files encrypted by the ransomware will then be restored to their initial version.
From the SES Evolution administration console, you can generate the API keys that secure access to API routes.
The SES Evolution public API is accompanied by documentation. To read the documentation, click on the link at the top right side of the API Keys panel in the administration console. It provides a description of API routes, the list of all parameters, and some examples.
The documentation is also available on the Stormshield Technical Documentation website.
Administration console
New dashboard
The dashboard in the administration console includes new key indicators that describe the status of your pool. They allow you to meet required security and operational conditions in your pool by alerting you to security events that require immediate attention.
New layout of the main menu
The menus in the left panel, comprising the console's main menu, have been reorganized. They are now categorized under Environment, Security, Responses and Backoffice.
Stormshield resource update
When you use the Stormshield public server to download resource updates in the administration console, you can now configure and use a proxy server to contact the Stormshield server.
Syslog server configuration
Syslog message format
If you have chosen to send agent logs to a Syslog server, you can now add structured data to the header of the messages. The new Structured data field is available in the Agent handlers menu in the administration console. For the expected data format, refer to RFC 5424.
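As an added illustration of the RFC 5424 format referred to above (example code written for this page, not part of SES Evolution or its agent handlers), the following Python builds a syslog line carrying one structured-data element and parses it back, applying the SD-NAME restrictions and the escaping of `"`, `\` and `]` that RFC 5424 section 6.3 requires. The SD-ID `agentEvent@32473`, the parameter names and the sample values are constructed; 32473 is the enterprise number RFC 5424 itself uses in its examples, and a real deployment would use its own registered number.

```python
"""RFC 5424 structured-data helpers (added example, not Stormshield code)."""
import re

# SD-NAME: 1..32 printable US-ASCII chars, excluding '=', SP, ']' and '"' (RFC 5424 section 6.3)
_SD_NAME_RE = re.compile(r'^[\x21-\x7e]{1,32}$')
_SD_NAME_FORBIDDEN = set('= ]"')


def _check_sd_name(name):
    if not _SD_NAME_RE.match(name) or _SD_NAME_FORBIDDEN & set(name):
        raise ValueError(f'invalid SD-NAME: {name!r}')
    return name


def _escape_param_value(value):
    # Section 6.3.3: '"', '\' and ']' inside a PARAM-VALUE must be backslash-escaped
    return value.replace('\\', '\\\\').replace('"', '\\"').replace(']', '\\]')


def format_structured_data(elements):
    """{sd_id: {param: value}} -> STRUCTURED-DATA field ('-' is the NILVALUE when empty)."""
    if not elements:
        return '-'
    out = []
    for sd_id, params in elements.items():  # SD-IDs must be unique per message, hence a dict
        parts = [_check_sd_name(sd_id)]
        for name, value in params.items():
            parts.append(f'{_check_sd_name(name)}="{_escape_param_value(str(value))}"')
        out.append('[' + ' '.join(parts) + ']')
    return ''.join(out)


def build_syslog_message(pri, timestamp, hostname, app_name, msgid, elements, msg):
    """Assemble a full RFC 5424 line (VERSION is always 1, PROCID left as NILVALUE)."""
    return f'<{pri}>1 {timestamp} {hostname} {app_name} - {msgid} {format_structured_data(elements)} {msg}'


def parse_structured_data(text, pos=0):
    """Parse STRUCTURED-DATA starting at text[pos]; return (elements, position after it)."""
    if text.startswith('-', pos):
        return {}, pos + 1
    elements, n = {}, len(text)
    while pos < n and text[pos] == '[':
        pos += 1
        end = pos
        while end < n and text[end] not in ' ]':
            end += 1
        sd_id = _check_sd_name(text[pos:end])
        params, pos = {}, end
        while pos < n and text[pos] == ' ':          # zero or more SP SD-PARAM
            pos += 1
            eq = text.find('=', pos)
            if eq == -1 or not text.startswith('"', eq + 1):
                raise ValueError('malformed SD-PARAM')
            name = _check_sd_name(text[pos:eq])
            pos, buf = eq + 2, []
            while pos < n and text[pos] != '"':      # PARAM-VALUE with escapes undone
                if text[pos] == '\\' and pos + 1 < n and text[pos + 1] in '"\\]':
                    buf.append(text[pos + 1])
                    pos += 2
                else:
                    buf.append(text[pos])
                    pos += 1
            if pos >= n:
                raise ValueError('unterminated PARAM-VALUE')
            pos += 1                                 # closing quote
            params[name] = ''.join(buf)
        if pos >= n or text[pos] != ']':
            raise ValueError('unterminated SD-ELEMENT')
        pos += 1
        elements[sd_id] = params
    if not elements:
        raise ValueError('expected STRUCTURED-DATA')
    return elements, pos


def parse_syslog_message(line):
    """Split an RFC 5424 line into header fields, structured data and MSG."""
    m = re.match(r'^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) ', line)
    if not m:
        raise ValueError('not an RFC 5424 header')
    elements, pos = parse_structured_data(line, m.end())
    msg = line[pos + 1:] if pos < len(line) else ''  # optional " MSG" after STRUCTURED-DATA
    return {'pri': int(m.group(1)), 'timestamp': m.group(2), 'hostname': m.group(3),
            'app_name': m.group(4), 'procid': m.group(5), 'msgid': m.group(6),
            'structured_data': elements, 'msg': msg}


# Constructed sample: a hypothetical agent event with values that exercise the escaping rules
SAMPLE_ELEMENTS = {'agentEvent@32473': {'host': 'WS-042', 'path': 'C:\\Temp\\x.exe',
                                         'note': 'quoted "value"'}}
SAMPLE_LINE = build_syslog_message(11, '2023-11-15T10:03:27.000Z', 'ses-server', 'ses-agent',
                                   'ALERT', SAMPLE_ELEMENTS, 'Process blocked')

if __name__ == '__main__':
    print(SAMPLE_LINE)
    print(parse_syslog_message(SAMPLE_LINE))
```

The parser is deliberately strict: a structured-data block that is not `-` and does not start with `[`, an unescaped `]` inside a value, or a parameter name containing `=` or a space is rejected, which is the behaviour you want on a collector before indexing fields from an untrusted source.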
Syslog server operational indicators
A new indicator in the upper banner of the administration console shows you the status of configured Syslog servers.
Concept of incidents replaced
The concept of "incidents" has been replaced with the concept of "contexts". By default, all Emergency and Alert logs now come with a context making it possible to thoroughly analyze the environment of attacks that occur on agents, and determine the nature, source and processes of these attacks. The attack chart is now known as the context chart.