Highlights

An overview of the most impactful changes in this release.

Nozomi TI Expansion Pack, Powered by Mandiant

In this version, deep foundational changes have been made to support the large body of threat intelligence content from Mandiant. Users can now access combined threat intelligence feeds from both Nozomi Networks and Mandiant, enriching real-time insight into emerging threats across critical infrastructure systems. It also lets Vantage users take advantage of the newly introduced Vantage Threat Cards, which cluster relevant data such as exploitation status and targeted industries to streamline threat detection and shorten response times. This integration is a first in the operational technology (OT) cybersecurity space, enabling comprehensive threat analysis and decision support without performance loss.

Data diode support

Data diodes provide a way to securely send information from critical infrastructure to centralized management and information aggregation sites by acting as a one-way communication pipeline. With this update, environments that include data diodes in their architecture can be monitored with local Guardian sensors, and all information can be safely and quickly aggregated by upstream Central Management Consoles (CMCs) and Vantage through a new synchronization mechanism. Organizations that use data diodes for increased security can now monitor all sites across their enterprise from a centralized location.

Arc licensing behavior

Previously, when all available Arc licenses were in use, a newly connected Arc automatically took possession of a license and the oldest connected Arc was disallowed, effectively excluding its information from reaching Guardian or Vantage (first in, first out). With this release, the Arc licensing behavior has been changed to give better control and to prevent disconnection of well-functioning, licensed Arc sensors. Now, when the maximum number of allowed Arc connections is reached, newly connecting Arcs are added but immediately disallowed. Users can then decide whether, and which, currently licensed Arcs should be disallowed to make room for the new ones, or whether the license should be expanded. Additional Arc license packs can be added at any time. This ensures that connected and functional Arc sensors are not disrupted, and gives users greater flexibility and control over license allocation.

Live protocol decryption

The latest update introduces decryption support for the R-GOOSE protocol (IEC 61850). This capability, the first of its kind in the industry, allows the secure import of key material (credentials) by integrating with a Key Distribution Center (KDC) using the IEC 62351-9 GDOI protocol. Decryption happens in real time without any traffic loss, so the decrypted traffic can be analyzed simultaneously for malware, anomalous behavior, and more. This is only the beginning; more security features of this kind are set to follow.

Safety and flexibility

The cpe2cve process, which converts hardware and software details into actionable vulnerability information, has default memory limits that protect sensor performance. By default, cpe2cve enforces a 5 gigabyte (GB) memory consumption limit, and hotfixes require a minimum of 6 GB of free random-access memory (RAM). This release introduces the ability to set cve_enable or va_hotfixes_enabled to true so that content loads without these restrictions. Use this flexibility only if you understand the implications, such as excessive memory usage and sensors potentially freezing.

Continued resource optimization

Over time, our platform has taken many steps toward sensor resource optimization. Recently, we reduced unnecessary vulnerability calculations by moving this process from all sensors to their upstream CMCs. With this release we go further and move the process from all CMCs to only the top-most CMCs, so vulnerabilities are calculated and shown only where they matter to the user. Users who want to run this process on every CMC in their system, regardless of its level, can override the default va cve enable if_not_sync setting in /data/cfg/n2os.conf.user and restart the va service.

Traffic filtering configurations

A new default traffic filter has been introduced in 24.4.0 that automatically excludes all virtual local area network (VLAN) traffic directed to the Guardian's management port. Previously, VLAN traffic could reach the management port and add unnecessary data load. By filtering out this non-essential traffic by default, the sensor now handles traffic more efficiently with less resource strain. The behavior is controlled by the following settings:

  • mgmt_filters off - excludes no traffic
  • mgmt_filters on - excludes all traffic (irrespective of the vlan tag) from/to the Guardian
  • mgmt_filters vlan [number] - excludes traffic with a specific vlan tag from/to the Guardian
  • mgmt_filters vlan any - excludes traffic with a vlan tag from/to the Guardian
  • mgmt_filters vlan none - excludes traffic without a vlan tag from/to the Guardian (the default filter setting before release 24.4.0)
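The following is an added illustration of the mgmt_filters semantics listed above; it is not Nozomi Networks' own filtering code. It models, for each documented mode, which captured frames involving the Guardian are excluded from analysis. The frame layout, the management address (10.0.0.5) and the sample capture are constructed for the example, and matching "from/to the Guardian" by management IP is an assumption.

```python
# Added model of the documented mgmt_filters modes (not product code).
# Assumption: "from/to the Guardian" means the frame's source or destination
# address is the Guardian's management address.
from dataclasses import dataclass
from typing import List, Optional

MGMT_IP = "10.0.0.5"  # assumed Guardian management address (constructed)


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    vlan: Optional[int]  # 802.1Q tag, or None when the frame is untagged


def involves_guardian(frame: Frame, mgmt_ip: str = MGMT_IP) -> bool:
    """True when the frame is from or to the Guardian's management address."""
    return mgmt_ip in (frame.src, frame.dst)


def excluded(frame: Frame, mode: str, mgmt_ip: str = MGMT_IP) -> bool:
    """Return True when the given mgmt_filters mode drops this frame.

    mode is one of: "off", "on", "vlan any", "vlan none", "vlan <number>".
    """
    if mode == "off":
        return False                        # off: excludes no traffic
    if not involves_guardian(frame, mgmt_ip):
        return False                        # other modes only touch Guardian traffic
    if mode == "on":
        return True                         # on: all Guardian traffic, any tag or none
    kind, _, arg = mode.partition(" ")
    if kind != "vlan" or not arg:
        raise ValueError(f"unknown mgmt_filters mode: {mode!r}")
    if arg == "any":
        return frame.vlan is not None       # vlan any: every tagged frame
    if arg == "none":
        return frame.vlan is None           # vlan none: untagged only (pre-24.4.0 default)
    return frame.vlan == int(arg)           # vlan <number>: that specific tag only


def apply_filter(frames: List[Frame], mode: str, mgmt_ip: str = MGMT_IP) -> List[Frame]:
    """Frames that survive the filter and reach analysis."""
    return [f for f in frames if not excluded(f, mode, mgmt_ip)]


# Constructed sample capture: three frames involving the Guardian, two monitored OT flows.
SAMPLE = [
    Frame("10.0.0.5", "10.0.0.9", None),          # untagged session to/from management
    Frame("10.0.0.7", "10.0.0.5", 100),           # VLAN 100 traffic to the management port
    Frame("10.0.0.5", "10.0.0.8", 200),           # VLAN 200 traffic from the management port
    Frame("192.168.1.10", "192.168.1.20", 100),   # monitored OT traffic, VLAN 100
    Frame("192.168.1.11", "192.168.1.21", None),  # monitored OT traffic, untagged
]

MODES = ("off", "on", "vlan any", "vlan none", "vlan 100", "vlan 300")


def kept_counts() -> dict:
    """How many of the sample frames each mode lets through."""
    return {mode: len(apply_filter(SAMPLE, mode)) for mode in MODES}


if __name__ == "__main__":
    for mode, count in kept_counts().items():
        print(f"{mode:10s} keeps {count} of {len(SAMPLE)} frames")
```

Note that in every mode the monitored OT flows are untouched, even the one tagged VLAN 100 when the filter is "vlan 100": the filter keys on traffic from or to the Guardian, not on the tag alone.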

Accuracy and elegance

The time column of the node_points query source changes meaning in this version of Nozomi Networks Operating System (N2OS). It now identifies the timestamp at which a node point first took on its current content. For instance, if a server has been analyzed by Smart Polling repeatedly, and its disk usage changed from 23% to 27% on August 15th and then stayed at that percentage for several days, the time column keeps the August 15th timestamp at which the server was polled. The start_time field is now deprecated and is tentatively scheduled for removal two N2OS versions from now. Users are encouraged to adjust their queries to use the time column.
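To make the new semantics concrete, here is an added example (not Nozomi Networks' code) that replays a series of Smart Polling observations of one node point and computes what the time column now reports: the timestamp at which the point first took on the content it currently has. The poll series is constructed to match the disk-usage scenario above, plus a second series in which the value later reverts, which shows that a revert starts a new timestamp rather than restoring the old one.

```python
# Added model of the node_points "time" column semantics (not product code).
# Poll data below is constructed for the example.
from datetime import datetime
from typing import List, Optional, Tuple

Observation = Tuple[datetime, str]  # (polled_at, content) as recorded by a poll


def current_time_column(observations: List[Observation]) -> Optional[Tuple[datetime, str]]:
    """Return (time, content) for the latest state of a node point.

    time is the timestamp of the poll at which the point first took on the
    content it still has; repeated polls with unchanged content do not move it.
    observations must be ordered by polled_at. Returns None for an empty series.
    """
    since: Optional[datetime] = None
    content: Optional[str] = None
    for polled_at, value in observations:
        if value != content:          # content changed (or first poll): restart the clock
            since, content = polled_at, value
        # unchanged content: keep the earlier timestamp
    return None if content is None else (since, content)


def history(observations: List[Observation]) -> List[Tuple[datetime, str]]:
    """What the time column would have shown after each successive poll."""
    return [current_time_column(observations[:i]) for i in range(1, len(observations) + 1)]


# Scenario from the release note: 23% on Aug 14, 27% from Aug 15 onward.
POLLS = [
    (datetime(2024, 8, 14, 9, 0), "23%"),
    (datetime(2024, 8, 15, 9, 0), "27%"),
    (datetime(2024, 8, 16, 9, 0), "27%"),
    (datetime(2024, 8, 17, 9, 0), "27%"),
]

# Edge case: the value later goes back to 23%. time must be Aug 18, not Aug 14.
POLLS_REVERT = POLLS + [(datetime(2024, 8, 18, 9, 0), "23%")]


if __name__ == "__main__":
    for when, value in history(POLLS):
        print(f"content {value} since {when:%Y-%m-%d}")
```

When checking dashboards or alerts built on node_points after upgrading, compare against this "since" behaviour rather than the last-polled timestamp: a row whose time column is days old is not stale, it simply has not changed.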

Data integration improvements: Tanium

As part of this update, the Tanium Smart Polling external strategy has been streamlined and moved to Data Integration. On upgrade, any existing active Smart Polling plans are automatically converted to data integration configurations and from then on run on a daily schedule, continuously enriching asset data. Inactive Tanium Smart Polling plans are removed. This change is part of an ongoing effort to make the user experience more intuitive and efficient.

Data integration improvements: CarbonBlack

As part of this update, the CarbonBlack Smart Polling external strategy has been streamlined and moved to Data Integration. On upgrade, any existing active Smart Polling plans are deleted, because the application programming interface (API) those plans used is no longer compatible with the current CarbonBlack API. This change is part of an ongoing effort to make the user experience more intuitive and efficient.

Smart Polling consistency

Smart Polling executions by Arc were not visible in the Guardian activity log, so users had to check separate logs to manage or evaluate them. With this release, Smart Polling executions by Arc are displayed alongside those from Guardian in Guardian's Smart Polling Activity Log, so executions are tracked in one place regardless of their origin.