Highlights

An overview of the most impactful changes in this release.

Backup management from upstream

The new Backup and Restore Management feature in the Central Management Console (CMC) centralizes the management of backup and restore schedules for all connected sensors. Backups can be saved to, and restored from, external (third-party) storage locations, so local sensor storage stays dedicated to monitoring data. Schedules are configurable at intervals ranging from minutes to months. The feature is designed with data diode architectures in mind: a CMC inside the protected perimeter can be configured to write its backups to a location on the transmitting side of the diode, and a second CMC on the receiving side can be configured to restore from the location the diode delivers them to. Each time the receiving CMC restores from a new backup it holds the latest state of the monitored system, so users outside the protected perimeter (downstream from the data diode) see current asset and cybersecurity status without any return path into the protected network. The view on the receiving side is only as fresh as the most recently transferred backup, so the backup interval bounds how stale that view can be.

Simple asset vulnerability analysis

The new Asset Vulnerability Analysis feature in Guardian and CMC lets you query the vulnerabilities present on every device in the monitored system. Query results can be used in widgets, dashboards, assertions and reports, giving consistent vulnerability data across the organization. The same information can be exported to third-party systems such as security information and event management (SIEM) and security orchestration, automation and response (SOAR) platforms and other SOC tooling, so vulnerability context is available where detection and response decisions are made.

Richer SIEM event forwarding

The new SIEM event forwarding feature extends the device information tables: extensive device data is organized into standard fields, and custom fields holding additional device information can now be forwarded as well. Previously, custom fields could be included in alert messages to carry relevant device information with an alert. Now these custom fields can also be sent to SIEMs through the Common Event Format (CEF) forwarder, so SOC personnel receive the full alert context, custom fields included, to support incident response and alert management.
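To show what "custom fields in CEF" looks like on the wire, here is an added example (not the product's own forwarder code) that builds a CEF message with standard fields plus custom device fields, parses it back the way a SIEM would, and recovers the custom fields. The vendor and product names, field names and the sample alert are constructed for illustration; custom fields are mapped to the CEF cs1..cs6 custom-string slots with their csNLabel keys, which is one common convention, not necessarily the one the product uses. The escaping rules (backslash and pipe in the header, backslash, equals sign and line breaks in extension values) are the ones the CEF specification requires and are the part practitioners most often get wrong.

```python
"""Added example: CEF message construction with custom fields, plus the
SIEM-side parse. Vendor, product, field names and sample alert are
constructed; custom fields use the cs1..cs6 / csNLabel convention."""
import re
from typing import Dict, List, Tuple

CEF_VERSION = 0
_HEADER_FIELDS = 7   # CEF:ver|vendor|product|version|event id|name|severity


def _esc_header(value) -> str:
    # In header fields, backslash and pipe are reserved.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value) -> str:
    # In extension values, backslash, '=' and line breaks are reserved.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def build_cef(vendor: str, product: str, version: str, event_id: str,
              name: str, severity: int, standard: Dict[str, object],
              custom: Dict[str, object]) -> str:
    """standard: CEF extension keys (src, smac, msg, ...) -> values.
    custom: label -> value, emitted as csNLabel=... csN=... pairs."""
    if not 0 <= int(severity) <= 10:
        raise ValueError("CEF severity must be between 0 and 10")
    if len(custom) > 6:
        raise ValueError("CEF has only six custom string slots (cs1-cs6)")
    header = f"CEF:{CEF_VERSION}|" + "|".join(
        _esc_header(v) for v in (vendor, product, version, event_id, name, severity))
    ext = [f"{k}={_esc_ext(v)}" for k, v in standard.items()]
    for slot, (label, value) in enumerate(custom.items(), start=1):
        ext.append(f"cs{slot}Label={_esc_ext(label)}")
        ext.append(f"cs{slot}={_esc_ext(value)}")
    return header + "|" + " ".join(ext)


# key=value pairs; a value runs until the next " key=" boundary, so spaces
# inside values are fine and an escaped "\=" never starts a new key.
_EXT_RE = re.compile(r"(?:^| )([A-Za-z0-9_.-]+)=(.*?)(?= [A-Za-z0-9_.-]+=|$)")


def _unescape(value: str) -> str:
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def parse_cef(line: str) -> Tuple[List[str], Dict[str, str]]:
    """Split a CEF line into its seven header fields and an extension dict."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(line) and len(fields) < _HEADER_FIELDS:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped char in header
            cur.append(line[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) == _HEADER_FIELDS - 1:      # no extension, no trailing pipe
        fields.append("".join(cur))
    if len(fields) != _HEADER_FIELDS:
        raise ValueError("malformed CEF header")
    ext = {k: _unescape(v) for k, v in _EXT_RE.findall(line[i:])}
    return fields, ext


def custom_fields(ext: Dict[str, str]) -> Dict[str, str]:
    """SIEM side: rebuild label -> value from csNLabel/csN pairs."""
    out: Dict[str, str] = {}
    for n in range(1, 7):
        label, value = ext.get(f"cs{n}Label"), ext.get(f"cs{n}")
        if label is not None and value is not None:
            out[label] = value
    return out


def example_message() -> str:
    """Constructed sample alert carrying three custom device fields."""
    standard = {"src": "10.0.0.5", "smac": "00:11:22:33:44:55",
                "dvchost": "guardian-01",
                "msg": "ARP flood from PLC|7 rate=420/s"}   # '=' must be escaped
    custom = {"Zone": "Turbine hall", "Owner": "OT team", "Criticality": "High"}
    return build_cef("ExampleVendor", "ExampleSensor", "1.0", "ARP_FLOOD",
                     "ARP flood detected", 7, standard, custom)


if __name__ == "__main__":
    line = example_message()
    print(line)
    print(custom_fields(parse_cef(line)[1]))
```

Note that a pipe is not escaped inside extension values (only in the header), while an unescaped `=` in a value would be read by the SIEM as the start of a new key; if a custom field's content is user-controlled on the sensor side, the forwarder's escaping is what keeps it from altering the parsed event.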

ARP flood detection

The new address resolution protocol (ARP) Flood Alert adds detection of several ARP flood conditions. It can raise an alert when ARP traffic exceeds a configured number of ARP packets, when the number of ARP packets increases by more than a configurable threshold, or when the ratio of ARP packets to regular traffic packets exceeds a set limit. A strict mode can be enabled in which all of the configured thresholds must be exceeded before an alert is raised, so that no single threshold violation triggers an alert on its own, which reduces false positives. You can also configure whether, and for how long, the alert is silenced after it fires; this limits alert flooding during a sustained attack while leaving new floods detectable once the silence period ends. Together these options let the alert be tuned to the ARP baseline of each monitored segment.
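The detection logic behind these options, as an added example that is not the product's own code: a minimal detector that applies the three conditions (absolute count, increase over the previous window, ARP share of all packets) to fixed time windows, with strict mode and a post-alert silence period. Window length, thresholds and field names are assumptions chosen for illustration, and the "increase" condition is modelled as growth relative to the previous window; the sample traffic is constructed.

```python
"""Added example: ARP-flood detection over fixed windows with strict mode
and a silence period. Thresholds and the sample traffic are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class ArpFloodConfig:
    window_s: float = 1.0      # evaluation window length in seconds (assumed)
    max_arp: int = 50          # condition 1: ARP packets allowed per window
    max_growth: float = 3.0    # condition 2: ARP count vs. previous window
    max_share: float = 0.5     # condition 3: ARP packets / all packets
    strict: bool = False       # True: all three conditions must hold
    silence_s: float = 10.0    # suppress repeat alerts for this many seconds


@dataclass(frozen=True)
class Alert:
    window_start: float
    reasons: Tuple[str, ...]


def evaluate_window(cfg: ArpFloodConfig, arp: int, total: int,
                    prev_arp: int) -> Tuple[str, ...]:
    """Return the names of the conditions this window violates."""
    reasons = []
    if arp > cfg.max_arp:
        reasons.append("count")
    # A quiet previous window is treated as a baseline of one packet so
    # that a burst out of silence still registers as growth.
    if arp > cfg.max_growth * max(prev_arp, 1):
        reasons.append("growth")
    if total and arp / total > cfg.max_share:
        reasons.append("share")
    return tuple(reasons)


def detect(packets: Iterable[Tuple[float, bool]],
           cfg: ArpFloodConfig) -> List[Alert]:
    """packets: (timestamp in seconds, is_arp) in non-decreasing order."""
    # Bucket packets into fixed windows: index -> (arp_count, total_count)
    windows: Dict[int, Tuple[int, int]] = {}
    for ts, is_arp in packets:
        idx = int(ts // cfg.window_s)
        arp, total = windows.get(idx, (0, 0))
        windows[idx] = (arp + int(is_arp), total + 1)
    if not windows:
        return []

    alerts: List[Alert] = []
    prev_arp = 0
    silenced_until = float("-inf")
    for idx in range(min(windows), max(windows) + 1):
        arp, total = windows.get(idx, (0, 0))   # empty windows count as zero
        reasons = evaluate_window(cfg, arp, total, prev_arp)
        fired = len(reasons) == 3 if cfg.strict else bool(reasons)
        start = idx * cfg.window_s
        if fired and start >= silenced_until:    # silence window still open?
            alerts.append(Alert(start, reasons))
            silenced_until = start + cfg.silence_s
        prev_arp = arp
    return alerts


def sample_traffic() -> List[Tuple[float, bool]]:
    """Constructed sample: five seconds of normal traffic (2 ARP + 20 other
    packets per second), then three seconds of ARP flood (200 ARP + 20
    other packets per second)."""
    pkts: List[Tuple[float, bool]] = []
    for sec in range(5):
        pkts += [(sec + i / 22, i < 2) for i in range(22)]
    for sec in range(5, 8):
        pkts += [(sec + i / 220, i < 200) for i in range(220)]
    return pkts


if __name__ == "__main__":
    for name, cfg in [("default", ArpFloodConfig()),
                      ("no silence", ArpFloodConfig(silence_s=0)),
                      ("strict, no silence", ArpFloodConfig(silence_s=0, strict=True))]:
        print(name, detect(sample_traffic(), cfg))
```

With the default configuration the flood that starts at second 5 produces one alert and the following two flood seconds are silenced; with the silence period set to zero every flood second alerts. In strict mode only the first flood second alerts even without silencing, because once the flood is steady the "growth" condition no longer holds, which is the kind of trade-off to keep in mind when enabling strict mode: it suppresses noise, but a sustained flood that trips only some of the conditions will not re-alert.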

Multicast and broadcast nodes do not generate assets

Asset management accuracy has been improved by refining the criteria for converting nodes into assets. Previously, nodes with broadcast or multicast media access control (MAC) addresses (the broadcast address ff:ff:ff:ff:ff:ff, or any address with the individual/group bit, the least significant bit of the first octet, set) could be converted into assets. With this update such nodes are no longer converted, and all assets previously created from them are deleted. Only devices with unique, meaningful MAC addresses are now recognized as assets, so asset lists and counts no longer include generic broadcast and multicast endpoints, giving a more precise representation of the network environment. Because the deletion also applies to existing assets, dashboards, reports or integrations that referenced those assets will no longer find them.
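The address test behind this rule, as an added example that is not the product's own code: a multicast MAC is identified by the I/G (individual/group) bit rather than by a list of known prefixes, and the broadcast address is the all-ones special case. The helper also shows what the cleanup does to an existing node list. The node list is constructed for illustration.

```python
"""Added example: classify MAC addresses as unicast, multicast or
broadcast and apply the refined node-to-asset rule. Sample nodes are
constructed."""
import re
from typing import List, Sequence, Tuple

BROADCAST = bytes([0xFF] * 6)


def parse_mac(mac: str) -> bytes:
    """Accept 00:1c:06:aa:bb:cc, 00-1c-06-aa-bb-cc or 001c.06aa.bbcc."""
    digits = re.sub(r"[:.\-]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def classify_mac(mac: str) -> str:
    addr = parse_mac(mac)
    if addr == BROADCAST:
        return "broadcast"
    if addr[0] & 0x01:          # I/G bit set: group (multicast) address
        return "multicast"
    return "unicast"            # the U/L bit (0x02) does not affect this test


def node_becomes_asset(mac: str) -> bool:
    """The refined rule: only unicast MACs produce assets."""
    return classify_mac(mac) == "unicast"


def apply_asset_rule(nodes: Sequence[Tuple[str, str]]) -> Tuple[List[str], List[str]]:
    """Split (node_id, mac) pairs into assets kept and assets to delete."""
    kept: List[str] = []
    pruned: List[str] = []
    for node_id, mac in nodes:
        (kept if node_becomes_asset(mac) else pruned).append(node_id)
    return kept, pruned


# Constructed sample: real devices mixed with protocol group addresses
SAMPLE_NODES = [
    ("plc-01", "00:1c:06:aa:bb:cc"),        # vendor-assigned unicast
    ("docker-host", "02:42:ac:11:00:02"),   # locally administered, still unicast
    ("broadcast", "ff:ff:ff:ff:ff:ff"),
    ("mdns", "01:00:5e:00:00:fb"),          # IPv4 multicast (mDNS)
    ("v6-all-nodes", "33:33:00:00:00:01"),  # IPv6 multicast
    ("stp", "01:80:c2:00:00:00"),           # IEEE 802.1D bridge group address
]

if __name__ == "__main__":
    kept, pruned = apply_asset_rule(SAMPLE_NODES)
    print("assets kept:", kept)
    print("assets deleted by the new rule:", pruned)
```

The locally administered address in the sample (first octet 02) is the one people most often misclassify: its U/L bit is set, but its I/G bit is clear, so it is a legitimate unicast device and keeps its asset.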