Release Notes

In this topic:

    Deployment - August 16, 2018

    • Compliance engine:
      • New scoring calculations.
        The new score is based on tests (a test is one rule assessed on one cloud entity) rather than on rules, as is done today. Today even a single failing test fails the entire rule.

    Example:

    • 10 rules running, each on 10 entities. Suppose 2 entities fail for each of the first 5 rules. Today's score: 50% (5 rules without failures). Since the 15th: 10 failures out of 100 tests = 90%.

     

    Deployment - August 15, 2018

    PREVIEW

    • Compliance engine:
      • ElasticIP entity
      • Customer gateway entity
    • New assessment history page

    Example:

    • GSL Examples:
      Make sure CustomerGateway has VPN connections established:
      CustomerGateway should have vpnConnections

      EIP should be associated with an instance:
      ElasticIP should have associationId

      EIP should be allocated in a VPC:
      ElasticIP should have domain = 'vpc'

     

    Deployment - August 05, 2018

    Compliance Updates:

    New Bundles:

    • AWS ISO 27001:2013 - Automated Validation of ISO 27001:2013 Requirements for AWS
    • Azure ISO 27001:2013 - Automated Validation of ISO 27001:2013 Requirements for Azure
    • GCP ISO 27001:2013 - Automated Validation of ISO 27001:2013 Requirements for GCP

    New Rules:

    • D9.AWS.LOG.13 - ELB is created with Access logs enabled
    • D9.AWS.NET.30 - ECS Cluster should have active services
    • D9.AWS.NET.31 - ECS Cluster should not have services without running tasks
    • D9.AWS.NET.32 - ECS Cluster instances must be placed in a VPC
    • D9.AWS.NET.33 - ECS Cluster should not have running container instances with unconnected agents
    • D9.AWS.CRY.19 - ElastiCache At-Rest Encryption
    • D9.AWS.NET.34 - Ensure that at least one instance is registered with an ECS Cluster

    Rules Changes:

    BUG FIXES

    • S3 bucket should have versioning MFA delete enabled.
      • GSL updated to: S3Bucket should have versioning.mfaDelete=true
    • Use secure ciphers in CloudFront distribution.
      • GSL updated to: CloudFront should have distributionConfig.viewerCertificate.minimumProtocolVersion like 'TLSv1.1%'
    • Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
      • GSL Updated to: List<CloudTrail> should have items with [ hasSNSSubscriber='true' and metricFilters with [filterPattern isFilterPatternEqual('{ ($.eventName = ConsoleLogin) && ($.additionalEventData.MFAUsed != Yes) }') or filterPattern isFilterPatternEqual('{ $.userIdentity.sessionContext.attributes.mfaAuthenticated != true }')] ] length() > 0]

    Additional rule changes, including wording changes: updated rule names, description and remediation fields, and compliance section updates.

     

    Deployment - July 12, 2018

    PREVIEW

    • Compliance engine:
      • Azure KeyVault entity support.

    Example:

    • Ensure KeyVault is not empty
      KeyVault should have keys

     

    Deployment - July 02, 2018

    Compliance engine:

    New Rules:

    • D9.AWS.AS.02 - S3 Buckets outside of Europe
    • D9.AZU.AS.01 - Instances outside of Europe
    • D9.AWS.CRY.18 - DynamoDB - Server Side Encryption
    • D9.AWS.OPE.01 - Lambda Functions must have an associated tag
    • D9.AZU.NET.29 - Public AMI
    • D9.AWS.NET.AG4.ApplicationLoadBalancer.9090.TCP - ApplicationLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet
    • D9.AWS.NET.AG4.ELB.9090.TCP - ELB with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet
    • D9.AWS.NET.AG4.Instance.9090.TCP - Instance with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet
    • D9.AWS.NET.AG4.NetworkLoadBalancer.9090.TCP - NetworkLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet
    • D9.AWS.NET.AG5.ApplicationLoadBalancer.9090.TCP - ApplicationLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope
    • D9.AWS.NET.AG5.ELB.9090.TCP - ELB with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope
    • D9.AWS.NET.AG5.Instance.9090.TCP - Instance with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope
    • D9.AWS.NET.AG5.NetworkLoadBalancer.9090.TCP - NetworkLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope

    Rules Updated:

    • D9.AWS.CRY.04 - S3 Bucket should have encryption in transit for read actions
    • D9.AWS.CRY.14 - S3 Bucket should have encryption in transit for write actions

    Bundle Titles and Descriptions update:

    • AWS NIST 800-53 Rev 4 (FedRAMP)
    • Azure NIST 800-53 Rev 4 (FedRAMP)
    • GCP NIST 800-53 Rev 4 (FedRAMP)


     

    Deployment - June 18, 2018

    Compliance Bundles change

    We have expanded and updated our compliance bundles!

    Updated some existing rule/bundle mappings, including the following bug fixes:

    • Update compliance section references for AWS NIST 800-53 bundle. 
    • Improved ELB with weak ciphers rules.
    • Fixed rules with "contain" usages.

    BUG FIXES

    • Clarity:
      • Fixed VPC Peering to cross region handling.
    • Compliance engine:
      • Fixed tool tips and UI flickering.

     

    Deployment - June 14, 2018

    PREVIEW

    • Compliance engine:
      • AWS VPN Connection entity support.

    FEATURES/FUNCTIONALITY

    • Dynamic Access page:
      • Added UI improvements.
      • Added terminate all support

    BUG FIXES

    • Policy Reports:
      • Fixed export to CSV formatting.
    • IAM Reports:
      • Fixed Credentials report export to CSV date fields support.
    • Home Page:
      • Fixed cloud account findings.

     

    Deployment - June 11, 2018

    PREVIEW

    • Compliance engine:
      • Azure Locks entity support.

    CROSS SYSTEM

    • New Main menu
      • Improved the product categories

    BUG FIXES

    • Security groups:
      • Added SG type name to the title.
    • IAM Reports:
      • Fixed Credentials report date fields sorting.
    • Home Page:
      • Fixed inaccurate cloud account information sync.

     

    Deployment - June 6, 2018

    FEATURES/FUNCTIONALITY

    • Compliance engine:
      • IAM User - Added a new field, "mfaType", whose value is "None", "Hardware" or "Virtual".
      • CloudTrail - Expanded the metric filters structure to make SNS subscriptions easier to troubleshoot.

    BUG FIXES

    • Compliance engine:
      • Fixed missing region field for S3Buckets.

     

    Deployment - May 31, 2018

    PREVIEW

    • Compliance engine:
      • AWS WAF Regional entity support.

    BUG FIXES

    • Compliance engine:
      • IAM Role combined policies fix.
    • Clarity:
      • Performance improvements.

     

    Deployment - May 30, 2018

    FEATURES/FUNCTIONALITY

    • AWS Onboarding:
      • Updated the dome9-read-only policy in order to support WAF for web ACL. [Details]

    BUG FIXES

    • Compliance engine:
      • Dashboard - Improved exporting large files to CSV.
    • Policy Reports and Security groups page:
      • UI text and titles fixes.

     

    Deployment - May 28, 2018

    Compliance Bundles change

    We have expanded and updated our compliance bundles!

    As security threats continue to evolve, we want to ensure that you are adhering to up-to-date compliance requirements and security best practices in the public cloud.
    As part of this commitment, we are constantly updating our compliance bundles included in our product.

    We have made the following enhancements to our compliance module.

    1. Added 5 new bundles for additional GCP and Azure coverage:

    • Azure CIS Foundations v. 1.0.0
    • Azure NIST 800-53 Rev 4
    • Azure PCI-DSS 3.2
    • Azure GDPR Readiness
    • GCP NIST 800-53 Rev 4
    • GCP PCI-DSS 3.2

    2. Added new rules to include additional security guidelines
    3. Updated some existing rule/bundle mappings, including the following bug fixes:

    • DFT-154 - Update Route53 hosted zone check
    • DFT-152 - Typo in PCI bundle (default')
    • DFT-138 - Remove Security Group checks from S3 bundle

    Additional Client Impact:

    • New findings in Continuous Compliance scheduled reports
    • New findings being sent to the SIEM system
    • Compliance score changes

    BUG FIXES

    • Security Group page:
      • Dome9 description text fix.

     

    Deployment - May 23, 2018

    BUG FIXES

    • Compliance engine:
      • Dashboard - Failed to trigger download CSV file.
    • Clarity
      • VPC without assets fix.

     

    Deployment - May 16, 2018

    FEATURES/FUNCTIONALITY

    • Compliance engine:
      • ElastiCache entity added tags support.

    BUG FIXES

    • Clarity
      • Peered VPC assets fix.

     

    Deployment - May 15, 2018

    PREVIEW

    • Compliance engine:
      • AWS VPN Gateway entity support.

    FEATURES/FUNCTIONALITY

    • Compliance engine:
      • Added List<Entity> rules support.
      • Added GroupBy [object] rules support.

    Examples:

    • Ensure no more than 5 IAM Admins exist in any particular account.
      List<IamUser> should have items with[name like 'admin' or name like 'administrator'] length() < LIMIT
    • To detect if your account is near the EC2 Security Group Limit in a VPC.
      List<SecurityGroup> should have items groupBy [vpc.id] contain-all [values length() < LIMIT]
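    The two List/GroupBy rules above, evaluated in plain Python over constructed inventory data; this is an added example, not Dome9's GSL engine. It assumes GSL `like` follows SQL LIKE semantics (case-insensitive, `%` as wildcard, as in the CloudFront `'TLSv1.1%'` rule on this page) and uses LIMIT as a placeholder parameter, as the GSL examples do.

```python
import re
from collections import defaultdict
from typing import Dict, List

LIMIT = 5  # placeholder threshold, as in the GSL examples above


def like(value: str, pattern: str) -> bool:
    """Assumed GSL 'like' semantics: SQL LIKE, case-insensitive, '%' matches any run."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("%")) + "$"
    return re.match(regex, value, re.IGNORECASE) is not None


def admin_count_ok(users: List[dict], limit: int = LIMIT) -> bool:
    """List<IamUser> should have items with [name like 'admin' or
    name like 'administrator'] length() < LIMIT
    Returns True when the rule passes (fewer than `limit` admin-named users)."""
    admins = [u for u in users
              if like(u["name"], "admin") or like(u["name"], "administrator")]
    return len(admins) < limit


def groups_per_vpc(groups: List[dict]) -> Dict[str, int]:
    """The groupBy [vpc.id] step: security-group count per VPC id."""
    counts: Dict[str, int] = defaultdict(int)
    for g in groups:
        counts[g["vpc"]["id"]] += 1
    return dict(counts)


def sg_limit_ok(groups: List[dict], limit: int = LIMIT) -> bool:
    """List<SecurityGroup> should have items groupBy [vpc.id]
    contain-all [values length() < LIMIT]
    Returns True only if every VPC holds fewer than `limit` security groups."""
    return all(n < limit for n in groups_per_vpc(groups).values())


# Constructed sample inventory (not real account data).
USERS = [{"name": "admin"}, {"name": "Administrator"},
         {"name": "alice"}, {"name": "admin-bob"}]
SECURITY_GROUPS = ([{"id": f"sg-a{i}", "vpc": {"id": "vpc-a"}} for i in range(3)] +
                   [{"id": f"sg-b{i}", "vpc": {"id": "vpc-b"}} for i in range(5)])

if __name__ == "__main__":
    print("admin rule passes:", admin_count_ok(USERS))          # True (2 < 5)
    print("SG limit rule passes:", sg_limit_ok(SECURITY_GROUPS)) # False (vpc-b has 5)
```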

    BUG FIXES

    • Compliance engine
      • Assessments history
    • User Permissions fix

     

    Deployment - May 14, 2018

    PREVIEW

    • Compliance engine:
      • AWS AMI entity support.
        • Check if the image is private
          AMI should have isPublic='false'

     

    Deployment - May 9, 2018

    BUG FIXES

    • GSL
      • Query 'Region should have hasCloudTrail=true' returns invalid results after 'isMultiRegion' is toggled OFF
    • Dynamic Access Lease
      • Setting default access lease time does not reflect or update 'GET ACCESS' default time.

     

    Deployment - May 8, 2018

    PREVIEW

    • Azure Protection mode:
      • Added NSG Tamper protection support.
    • Cloud accounts:
      • Added support for Azure tamper protection view.
    • Audits and Alerts page:
      • Added Invalid credentials alert for Azure.

    BUG FIXES

    • UI/Description
      • Fixed description wording to "shouldn't" (EC2 Instance: there shouldn't be any high-level findings in Inspector scans).
      • Updated the S3 bundle name so that it fits on one line: "AWS Dome9 S3 Bucket Security".

     

    Deployment - May 7, 2018

    FEATURES/FUNCTIONALITY

    • Compliance engine:
      • Added triggered by column to Assessment history

     

    Deployment - May 3, 2018

    FEATURES/FUNCTIONALITY

    • Compliance engine:
      • KMS entity added tags support.

     

    Deployment - May 2, 2018

    FEATURES/FUNCTIONALITY

    • UI/Optimization:
      • Optimized the account statistics on the homepage (Network, IAM and S3 information).

     

    Deployment - May 1, 2018

    PREVIEW

    • Compliance engine:
      • AWS DynamoDB entity support.

    Examples:

    DynamoDB is encrypted:

    DynamoDbTable should have encrypted=true

    DynamoDB table size:

    DynamoDbTable should have tableSizeBytes<100

    DynamoDB number of items:

    DynamoDbTable should have itemCount<100

    FEATURES/FUNCTIONALITY

    • Compliance engine:
      • AWS Instance entity added image details support (image name, is public, owner ID, etc.).

    • AWS Onboarding:
      • Updated the dome9-read-only policy in order to support DynamoDB and ElastiCache tags. [Details]

     

    Deployment - April 26, 2018

    FEATURES/FUNCTIONALITY

    • Compliance engine:
      • Redshift entity added tags support.

     

    Deployment - April 26, 2018

    FEATURES/FUNCTIONALITY

    • Compliance engine:
      • Kinesis entity added tags support.
      • Lambda entity added tags support.
      • EFS entity added tags support.

    BUG FIXES

    • Cross system
      • Export to CSV component fix.
    • Security groups page
      • Clone security groups - Peered security groups fix.

     

    Deployment - April 24, 2018

    FEATURES/FUNCTIONALITY

    Compliance Bundles change

    Dome9 now has new and improved compliance bundles! Compliance Engine bundle management will be based on the unified mapping of the Dome9 compliance checks to various security and compliance frameworks.

    Additional Client Impact:

    • New findings in Continuous Compliance scheduled reports
    • New findings being sent to the SIEM system [Details]

    • Compliance engine:
      • RDS entity added tags support.

    BUG FIXES

    • Compliance engine
      • Edit Bundle JSON - UI freeze.
    • Protected Assets
      • Roles info data validation fix.
    • IAM Reports
      • Fixed role entity managed policies support.

     

    Deployment - April 12, 2018

    PREVIEW

    • Compliance engine:
      • Azure Storage entity support.

    Examples:

    Encryption key is enabled rule:

    StorageAccount should have encryption.key.enabled=true

    Check that StorageAccount uses only https traffic:

    StorageAccount should have httpsOnlyTraffic=true

     

    Deployment - April 8, 2018

    PREVIEW

    • Compliance engine:
      • Route 53 Domain entity support.

    Examples:

    Route53Domain should not have expirationTime before(-1, 'minutes')
    Route53Domain should not have autoRenew=false
    Route53Domain should not have expirationTime before(7, 'days')

    FEATURES/FUNCTIONALITY

    • Compliance engine:
      • Added GDPR Readiness bundle.
      • Added NIST 800-53 Rev 4 bundle.
    • Account page:
      • Billable assets definition and link to protected assets.

    BUG FIXES

    • Compliance engine
      • Navigation exceptions from compliance reports.
    • IAM Reports
      • Fixed role entity support.

     

    Deployment - March 27, 2018

    PREVIEW

    • Protected assets page:
      • Guard Duty integration, Added Alerts and findings tab to show findings.

    FEATURES/FUNCTIONALITY

    • AWS Onboarding:
      • Updated the dome9-read-only policy in order to support Guard duty

     

    Deployment - March 25, 2018

    PREVIEW

    • Compliance engine:
      • Azure Redis entity support.

     

    Deployment - March 19, 2018

    PREVIEW

    • Compliance engine:
      • AcmCertificate entity support.

    Examples:

    AcmCertificate should not have notAfter before(-1, 'minutes')
    ApplicationLoadBalancer should not have listeners with [ certificates with [ expiration before(-1, 'minutes') ] ]
    ELB should not have elbListeners with [ certificate.expiration before(-1, 'minutes') ]

    FEATURES/FUNCTIONALITY

    • Cloud Accounts:
      • Added a "Validate all permissions" button, which attempts to validate permissions on every cloud account that currently has missing permissions.

    BUG FIXES

    • Compliance engine
      • Fixed tags result output.

     

    Deployment - March 15, 2018

    PREVIEW

    • Compliance engine:
      • Route53 entity support.

    Examples:

    Route53HostedZone should not have recordSets contain-any [ records contain-any [ assetMetadata.type='S3Bucket' and assetMetadata.exists=false] ]
    Route53HostedZone should not have recordSets contain-any [ records contain-any [ assetMetadata.type='CloudFront' and assetMetadata.exists=false] ]
    Route53HostedZone should not have recordSets contain-any [ records contain-any [ assetMetadata.type='CloudFront' and assetMetadata.active=false] ]

     

    Deployment - March 11, 2018

    PREVIEW

    • Compliance engine:
      • IAMServerCertificates entity support.
      • ELB and ApplicationLoadBalancer entities added IAM Certificate support.

    Examples:

    IamServerCertificate should not have expiration before(0, 'minutes')
    ELB should not have elbListeners with [ certificate.iamServerCertificate.expiration before(1, 'months') ]
    ApplicationLoadBalancer should not have listeners with [ certificates with [ iamServerCertificate.expiration before(0, 'minutes') ] ]

     

    Deployment - March 8, 2018

    FEATURES/FUNCTIONALITY

    • Compliance engine - S3 Bucket Security Posture:
      • This bundle has been updated to include the rule - S3 Buckets - without server-side-encryption enabled.

     

    Deployment - March 7, 2018

    PREVIEW

    • Compliance engine:
      • ELB entity added security policies and ciphers support.
      • ApplicationLoadBalancer entity added access logs support.
      • NetworkLoadBalancer entity added access logs support.

    Examples:

    ELB should not have elbListeners with [ policies with [ attributes contain-any [$ in ( 'ECDHE-RSA-RC4-SHA', 'EXP-RC4-MD5') ] ] ]
    ApplicationLoadBalancer should have attributes contain-any [ key='access_logs.s3.enabled' and value='true' ]

     

    Deployment - March 6, 2018

    FEATURES/FUNCTIONALITY

    • Compliance engine - Dome9 AWS Dashboards policy:
      • S3 Buckets - without server-side-encryption enabled - expanded rule to support all server side encryption types.

    BUG FIXES

    • User Interface
      • Fixed tab panels items when refreshing page.
    • S3 Buckets
      • Fixed the "without server-side-encryption enabled" rule, which caused false positives for customers.

     

    Deployment - March 5, 2018

    PREVIEW

    • Compliance engine:
      • Kinesis entity support.

    FEATURES/FUNCTIONALITY

    • AWS Onboarding:
      • Updated the dome9-read-only policy in order to support Kinesis

     

    Deployment - March 1, 2018

    FEATURES/FUNCTIONALITY

    • Clarity:
      • Added EFS asset count and attached security groups icon

    BUG FIXES

    • RFC6890 Support
      • Fixed internal network RFC6890 support.
    • RDS / Redshift
      • Fixed RDS and Redshift state coloring.
    • VPC display
      • Fixed un-managed VPC display for wrong security groups.