We would like to inform you that a new version of the Heimdal Release Candidate (RC) dashboard, version 4.2.0, will be released next Tuesday/ Wednesday, May 28th/ 29th 2024. Starting Friday, May 31st, 2024, the Heimdal RC Agent will be available for download in the dashboard's "Guide" section under the "Download and Install" tab. It will be deployed on a roll-out basis over the course of the coming weeks. Here are the main features and improvements rolling in with the new 4.2.0 RC.
1. TPE and TPN submodules comply with the Keeping Children Safe in Education norms
2. Device protection functionality available in the Next-Gen Antivirus & MDM, Firewall and REP for endpoint group policy areas
3. Enhanced info about elevations in the PEDM Pending approvals and History views
4. End user Multi Factor Authentication for elevation requests
5. Enhanced Tray tools for PEDM - ability to create a custom applications list
6. Enhancement of the Email Security Allow Sender quarantine report option
7. Additional details for the Email Fraud Prevention User AI anomalies
8. Revamped TAC homepage (Globe and Map views) and risk score real-time calculation
9. Inclusion of the Windows OS updates release dates in the Verbose .csv export from Installed, Available and Pending views
10. Option to customize the Dashboard idle/auto logout time and date format
11. Ability to customize the CPU consumption for Next-Gen Antivirus scans
HEIMDAL THREAT PREVENTION ENDPOINT AND NETWORK
TPE and TPN submodules comply with the Keeping Children Safe in Education norms
Starting with the 4.2.0 RC Release, our Threat Prevention product fully meets the UK Government’s statutory guidance for schools and colleges, on safeguarding children and safer recruitment – Keeping Children Safe in Education.
This new compliance level has been achieved by the introduction of two new categories, in our TPE and TPN “Block by category” functionality, namely: “Keeping Children Safe in Education (Internet Watch Foundation)” and Met Police’s feed “Keeping Children Safe in Education (Counter-Terrorism Internet Referral Unit)”.
HEIMDAL ENDPOINT DETECTION
Device protection functionality available in the Next-Gen AV & MDM, Firewall and REP for endpoint group policy areas
In order to tighten even more the security of our partners and customers’ IT estates, we’ve introduced new automatic ways of mitigation in case of detections occurring in three of the Endpoint Detection product submodules: Next-Gen Antivirus & MDM, Firewall and Ransomware Encryption Protection for endpoint. A new checkbox called “Device protection actions” is available in the Endpoint Settings -> Endpoint Detection -> Next Gen Antivirus/ Firewall/ Ransomware Encryption Protection tabs.
If enabled, a dedicated table will be displayed, in which the dashboard user can select one or multiple actions (isolate, shutdown or logout) to be taken in case of detections occurring in one of the three earlier mentioned Heimdal product submodules.
IMPORTANT
In case Device protection actions is enabled and the Firewall module is disabled, the latter will be enabled automatically, as will the Endpoint isolation setting. If the Ransomware Encryption Detection module is disabled or the submodule is not licensed, the row inside the grid, corresponding to Ransomware Encryption Detection, will be disabled (not actionable). For the Firewall module, the only available protection action is Isolation and it will be triggered after a minimum of 100 occurrences of public Brute Force Attacks. Disabling the newly added setting after a Group policy update will trigger a toast message informing the dashboard user that disabling the Device protection actions feature will not disable the Firewall module and the Endpoint isolation setting.
In case multiple actions are selected for a module, these will be executed in order: Isolation first, followed by Shutdown and Logout, as the third action (depending on the combination of actions, in some scenarios, the Logout action will not be performed anymore).
HEIMDAL PRIVILEGES & APP CONTROL
Enhanced info about elevations in the PEDM “Pending approvals” and “History” views
In order to improve our dashboard users’ experience, we’ve made some changes to the “Pending Approvals” and “History” views (Products -> Privileges & App Control -> PEDM). In the “Pending Approvals” view, we changed the name of the grid column “File name” to “Application” (for “Administrator Session” elevation types, the info from this column will always be “-“). Also, we’ve taken out the extension information, and, starting with this release, the elevated application name will be clickable (same change is available in the Client Specifics view – click on the hostname -> Privilege Elevation and Delegation Management tab -> Pending Approvals view). When the application name is clicked, we will open a pop-up window containing the new, boosted details related to that specific application: Full path, Publisher, Version and MD5 (hash) data.
Note: For old data (pending elevations prior to the 4.2.0 agent release) the application will be displayed with the extension and the “Publisher” and “Version” data sets won’t be available (fields will be populated with “-“).
We’ve also enriched the data from the “History” view and the corresponding Clients Specifics (click on a hostname) -> Privilege Elevation and Delegation Management tab -> History view, Process details (when clicking on the number of “Executed Processes”), by changing the grid column name “Process Name” to “Application” and adding two new columns “Publisher” and “Version” in which we’ll display the corresponding data.
Note: For old data (approved elevations prior to the 4.2.0 agent release) the “Publisher” and “Version” data sets won’t be available (fields will be populated with “-“).
End user Multi Factor Authentication for elevation requests
Our most important goal – strengthening the cybersecurity posture of our Customer and Partners is the reason why we also introduced this new extra security layer for the PEDM elevations. It consists of a Multi Factor Authentication, in the Heimdal agent, for end users, ensuring that only authorized users can conduct file or session elevations. The functionality can be enabled by ticking a box called “Multi Factor Authentication” (Endpoint Settings -> Privileges & App Control -> Privilege Elevation and Delegation Management).
When the feature is activated for the first time, a registration MFA pop-up window appears when an end user requests a session or file elevation. The end user can register the MFA using an authenticator application.
After registration, whenever the end user requests a file or session elevation, the MFA code verification popup will appear. The user must enter the code provisioned by the authenticator software used to register the MFA. Once validated, the elevation will proceed according to the flow set in Group Policy.
To reset the MFA, in case of data loss from the authenticator app. or phone, you can find the reset button in Heimdal Agent -> Settings -> Privileges and App Control -> Privilege Elevation and Delegation Management, “Reset MFA” button.
Note: On Windows Server OS machines, the reset button is located in the Check MFA code pop-up window.
The reset popup will include a field for entering the Master Uninstall Password, which is generated from the Dashboard.
Enhanced “Tray tools” for PEDM – ability to create a custom applications list
In order to further improve our PEDM users’ experience, we’ve conducted an enhancement to the existing “Tools” functionality (Heimdal Agent context menu, Privileges & App Control section), namely the ability to opt for a customized list of quick access applications for elevation purposes. Starting with the 4.2.0 RC release, the dashboard users can choose between the already existing 5 default applications/ items displayed in the “Tools” list or, select a “Customize Tools” option where they can edit and add new applications or file paths. In order to achieve this, two new radio button entries (Endpoint Settings -> Privileges & App Control -> Privilege Elevation and Delegation Management tab, ‘Additional settings’ section of the GP), called “Customize Tools” (default disabled) and “Use default Tools” (default enabled) are now available.
If “Use default Tools” is selected, we will show, in the context menu of the Heimdal agent, Privileges & App Control, “Tools” entry, the preset list of 5 apps.
Selecting the “Customize Tools” option, will show a new section and the table belonging to this new section will be auto populated with the 5 preset entries (pertaining to the current functionality). Next to the “Customize Tools” radio button, a tool tip is available with the following text: “Manage and customize the applications list displayed in the PEDM Tools functionality from the agent context menu. For a sample CSV click here.”. Clicking on ‘here’ will download a sample csv file containing the “old” apps/ tools.
The dashboard user will be able to edit or delete the preset “Tools” list items and/ or add new apps to it (a max. of 12 entries are allowed) and then edit or delete.
This new table has 4 columns:
• Friendly name – “custom” name given to the app. and displayed in the Heimdal Agent context menu, Tools list (e.g.: for “cmd.exe” we’ll display “Command Prompt”);
• Path - represents the path to the directory or file of the app(s);
• File name - is populated automatically from the path information;
• Action – 2 options are available: edit (allowing the modification of the friendly name and/ or file path info) or delete an entry; for the delete command, we’ll also display a pop up window, asking if the action is to be performed or cancelled.
In order to add a new entry to the “Tools” list, both the “Friendly name” and “Path” info are mandatory to be filled in (if the “Friendly name” and/ or “Path” info already exist in the grid, one of the input boxes is left empty or the provided path info is not valid, a message will be displayed, as showcased below).
If the maximum 12 entries limit is reached and the dashboard user is attempting to add another entry, a toast message will be displayed.
After the Group Policy is updated and the dashboard – agent synchronization takes place, all the entries added to the grid will be available in the agent “Tools” list.
HEIMDAL EMAIL PROTECTION
Enhancement of the Email Security “Allow Sender” quarantine report option
Prior to our 4.2.0 Release, the “Allow Sender” option from the email Quarantine report, if used, authorized the end users to add senders to the global/ per domain Allowlist. Given that our ESEC features’ suite includes an “End user console” (dedicated ESEC console for end users, providing a few options to manage their emails and mailbox settings: Release, Allowlist and Blocklist), this enhancement came naturally and with it, the “Allow Sender” option can now be performed at global/ domain level, or at personal (end user) level. A new option (Network Settings -> Add/Edit domain -> Quarantine Settings tab, Advanced Threat Protection section), called “Allow Sender Personal” was added, while the already existing option’s name, “Allow Sender” was changed to “Allow Sender Global”. These options can be enabled for all existing email types.
If the “Allow Sender Personal” option will be enabled, it will authorize end users to add the sender to their personal Allowlist from the email Quarantine report and the End User Console. The new option will work only when the “User Quarantine Report By Email” and “End User Console” checkboxes are enabled. This option will also act as a restriction for a user logged in their End User Console, for a particular email type (for example, if the Newsletter type is not ticked/ enabled in the GP area), in regard to the “Add Sender to Allowlist” option, as showcased below.
If the Release option (from the “Quarantine Settings” tab), for a particular email type, is not ticked/ enabled, it will restrict the end user from releasing emails of that particular type, in the “End User Console”.
If “Allow Sender Personal” is checked for a particular email type, a new option will be displayed, on the end user side, after clicking the “Allow Sender” button, from the Quarantine report and that new option is called “Add Sender to Personal Allowlist” (the previous “Add Sender to Allowlist” option has been renamed to “Allow Sender to Global Allowlist”).
Activating any of the “Allow Sender Global” or “Allow Sender Personal” checkboxes, or both, will activate the “Allow Sender” option within the email Quarantine Report. Clicking on the Allow Sender button opens a page similar to the Preview one that displays at the bottom the buttons to “Add Sender to Global Allowlist” or “Add Sender to Personal Allowlist”, or both.
Activating the checkboxes for the “Allow Sender Personal” row will activate the Allow options within the “Details” modal window, in the End user console.
Unchecking these tickboxes or one of the following options: “Preview” or “Include in Report”, will also make the “Add X to Allowlist” buttons inactive. While inactive, hovering on each button will display the reason for inactivity.
While inactive, the "Add Header Sender to Allowlist" and "Add Header Domain to Allowlist" buttons will not be displayed.
Additional details for the Email Fraud Prevention User AI anomalies
We’ve refined our Email Fraud Prevention User AI anomalies functionality by the addition in the “Triggered rules details” of the pin-point AI outliers that lead to the email(s) being flagged as potentially malicious. These details pertaining to emails falling under the rule category “AI outliers”, can now be visualized in a “process tree” visualization by pressing the “View triggered rules” button in the EFP Inbound and Outbound views.
The outliers that our Email Fraud Prevention Neural Network can spot are comprised in one of the following 7 categories:
• Suspicious Links: counts the number of URLs identified as suspicious by our detection engine;
• Clickbait Detection: the neural network assesses whether content is designed as clickbait or not;
• Language Analysis: identifies the language used in the email and compares it with the typical languages used within the company;
• Attachment Analysis: evaluates attachments based on their potential malicious character;
• Text Analysis: identifies potential fraudulent words from the email's content;
• HTML Analysis: singles out HTML templates and tags the ones that deviate from the norm;
• Timing Analysis: looks at the distribution of common times when emails are sent and received by the company;
HEIMDAL THREAT-HUNTING & ACTION CENTER
Revamped TAC homepage (Globe and Map views) and risk score real-time calculation
Our SIEM/ SOAR SOC tool, Heimdal Threat-hunting & Action Center just got better when it comes to providing relevant and powerful threat intel and hunting capabilities to our Corp. Customers, Partners, MS(S)Ps and our own SOC/ MXDR team, in a single pane of glass. Both at reseller (only the Globe view), as well as at customer level, both of the TAC “home page” views (Globe and Map) for Threat Telemetry Visualization, have been enriched with relevant telemetry info, enabling users to focus on the utmost urgencies and resolve the most pressing cybersecurity issues with a click of a button.
In the left-hand side of the home page, where customers/ endpoints are displayed, default sorted descendent on risk score, we’ve added a set of new icons, showcasing the: Ransomware Encryption Protection endpoint, Next-Gen Antivirus, Extended Threat Protection, VectorN Detection™ and Firewall Brute Force Attacks detections + the Operational Issues (Active Clients notifications) and their corresponding number and also, at reseller level, the number of active clients (machines) of each customer, for fast lighting forensics and prioritization.
In the search field, there is also a new option, enabling you to select criteria from the above-described new entries (except for Operational Issues) and sort the view based on the desired criteria.
On top, we’ve improved the computation of the TAC risk scores, they are now being updated in real-time, depending on the new detections, mitigation actions that are taken etc.
OTHER IMPROVEMENTS & FIXES
Inclusion of the Windows OS updates release dates in the Verbose .csv export from Installed, Available and Pending views
As part of our constant search to provide our customers and partners with streamlined reporting capabilities, we’ve introduced the release date information, for the Windows OS updates, in the Verbose .csv export from the Installed, Available and Pending views (Products -> Patch & Asset Management -> Operating System Updates -> Windows OS tab).
Option to customize the dashboard idle/ auto logout time and date format
The 2 new options are available at dashboard account level. In this regard, when a new account is created or an existing one is edited, you will notice in Accounts -> Create new account/ edit account (click on an email address) -> Account tab, one new dropdown list called “Date format” and one new checkbox called “Customize dashboard idle time”.
The “Date format” dropdown list can be found under the “Basic info” section of the “Account” tab and enables the dashboard user to set the desired date format; post selecting the preferred format and updating the account, the new date visualization will be reflected in most of the Heimdal dashboard areas (product data views’ charts and grids, .csv exports, email reports, except for the “Subject” line and “Filter” fields), the goal being to provide a consistent, yet customizable date display across functional areas, enhancing user experience and data handling capabilities.
The “Customize dashboard idle time” feature allows users to personalize the maximum period of inactivity (idle time) before the dashboard user is automatically logged out for safety reasons. This setting can be adjusted via a slider found under the "Miscellaneous settings" section of the account page (default idle time of 15 minutes).
To enable customization, users must first check the box labeled "Customize Dashboard idle time". Once enabled, a warning will appear indicating that changing this setting may pose security risks. Users can then adjust the idle time using the slider, selecting a duration between 5 and 120 minutes in “5-minute” increments.
Note: if the customization box is unchecked, the idle time reverts to the default setting of 15 minutes. In order for the changes to take effect on an account that is currently logged in, it is necessary for that account to first log out and then log in again.
Ability to customize the CPU consumption for Next-Gen Antivirus scans
This feature allows the dashboard users to tailor the CPU Throttling Limit of our Next-Gen AV scans, based on their desire. This can be achieved with a slider, ranging from 5% to 90% CPU Throttling Limit.
Note: keep in mind that instantaneous values will sometimes spike beyond the set limit, however this feature brings the average CPU usage below the set value.