Release Notes – Dome9 Help Center

Deployment - June 20, 2019

Compliance and governance:

Compliance Engine:
- Added Azure NetworkWatcher entity support.

Deployment - June 19, 2019

Compliance and governance:

CIS AWS Benchmarks 1.2.0 support added
8 new rules added across multiple bundles. Click here for details

BUG FIXES

DFT-530 - D9.AZU.NET.09 Ensure that 'Public access level' is set to Private for blob containers - GSL syntax updates
DFT-397 - D9.AZU.CRY.10 Ensure that storage account access keys are periodically regenerated - remediation updates
DFT-529 - D9.AWS.NET.43 - Ensure that AWS Elastic Load Balancers (ELB) have no inbound rules in their security groups - name update

Deployment - June 18, 2019

Compliance and governance:

Compliance Engine:
- Optimized AWS information retrieval service for:
  - SNS Subscription.
  - Log Group.
  - Metric Alarms.

Deployment - June 12, 2019

Compliance and governance:

Compliance engine:
- Added special characters support.
- Optimized AWS information retrieval service for:
  - VPC Peering connection.

BUG FIXES

DFT-428 - Not able to add exclusion due to special characters.

Deployment - June 10, 2019

Compliance and governance:

Compliance engine:
- Optimized AWS IAM Policy entity.

BUG FIXES

DFT-527 - IP Lists - Fixed issue with adding IP's.
DFT-513 - Homepage - Filtering to protected assets fix.

Deployment - June 4, 2019

Compliance and governance:

34 new rules added across multiple bundles. Click here for details

Deployment - June 2, 2019

Compliance and governance:

Compliance engine:
- Added Azure Container Registry entity support.
- Added Azure CosmosDBAccount entity support.

Deployment - May 23, 2019

Compliance and governance:

Compliance Content Updates:
- 76 new rules added across multiple bundles. Click here for details
Compliance engine:
- Added AWS SageMaker entity support.

BUG FIXES

DFT-497 - Remediation URL fixes for Azure Port Based Rules
DFT-436 - Key Vault Rules logic (GSL) updates for rules: D9.AZU.CRY.12 and D9.AZU.CRY.13
DFT-500 - Remove extra brackets for D9.AWS.MON.03 (Ensure a log metric filter and alarm exist for usage of 'root' account)
DFT-435 - D9.GCP.CRY.02 doesn't work for Windows Instances
DFT-498 - D9.AWS.IAM.45 GSL Logic updated to reduce false positives

Deployment - May 16, 2019

Compliance and governance:

Compliance Engine:
- Optimized AWS information retrieval service for:
  - VPC Flow logs.
  - Internet Gateway.
  - VPN Gateway.
  - Subnet.
  - IAM Account Summary.

Deployment - May 5, 2019

Cross system

Organizational units
- Added organizational units support
  For more information click here.

Cloud Inventory

Protected assets page
- Enhanced performance.
- New UI design.
- Additional entity types support
- Added export to CSV report

Network Security

Security group page
- Enhanced performance.
- New UI design.

Compliance and governance:

Compliance Dashboard:
- Enhanced performance.
- New UI design.

BUG FIXES

DFT-364 - Fixed view SSO settings for Auditors.

Deployment - May 2, 2019

Compliance and governance:

Compliance engine:
- Added Azure Postgre SQL entity support.

BUG FIXES

DOME-11383 - AWS Onboarding - Fixed External ID generator.
DOME-11372 - GCP Organisations Onboarding fix.
DFT-496 - Security groups - Clone security group fix.

Deployment - May 1, 2019

Across system

AWS
- Added AWS China support

Compliance and governance:

GCP CIS Benchmarks Bundle Updates - added 21 new GCP rules to the Ruleset. For more details click here
Compliance engine:
- Added AWS S3Bucket Life Cycle information.

BUG FIXES

DFT-491 - Assessment API usage- improved errors handling.
DFT-474 - Fixed Linux Agent Install script.

Deployment - April 30, 2019

Compliance and governance:

Compliance engine:
- Added GCP VM instance OS information.

Deployment - April 23, 2019

Administration:

Users Page:
- Added Last login details and sort by.

Deployment - April 15, 2019

Cloud Inventory:

Cloud Account Page:
- Drastically improved page performance.

BUG FIXES

DOME-11097 - Assessment history - results page filters fix.

Deployment - April 9, 2019

BUG FIXES

DFT-468 - Policies page - Attach policies - improved performance.
DOME-11146 - Clarity - GCP graph fixes.

Deployment - April 3, 2019

Compliance and governance:

Compliance engine:
- Added GCP Big Query entity.

Deployment - April 1, 2019

Compliance and governance:

Renamed compliance categories:
- Bundles changed to Rulesets
- Continuous compliance changed to Policies

Deployment - March 28, 2019

Cloud accounts:

Added cloud account selection for permissions validation.

Deployment - March 26, 2019

BUG FIXES

DFT-464 - Security hub support on Oregon region fix.
DFT-429 - Excluded entities does not represented correctly on homepage.

Deployment - March 24, 2019

Compliance and governance:

Compliance entities:
- Added VPC Peering property for Aws VPC entity.

Deployment - March 19, 2019

Cloud accounts:

Added support for GCP Zurich region

BUG FIXES

DFT-348 - Security groups not being pulled into an onboarded Dome9 account

Deployment - March 17, 2019

Compliance and governance:

Compliance engine:
- Improved the security groups open for all exposure logic
  to increase findings accuracy restrictiveness.
- Added GCP GKE entity.

Deployment - March 14, 2019

Compliance and governance:

Compliance entities:
- Added IPV6 rules support for Aws Security group.

BUG FIXES

DFT-316 - Compliance NACL fix for Destination ports.

Deployment - March 7, 2019

Compliance and governance:

Compliance Dashboard:
- New Export and refresh buttons.
- Additional export options.

Compliance Updates:

New Bundles:

GCP Dome9 SOC2 based on AICPA TSC 2017
Azure Dome9 SOC2 based on AICPA TSC 2017
AWS Dome9 SOC2 based on AICPA TSC 2017
Azure HIPAA

New Rules:

D9.AZU.CRY.01 - Ensure that KeyVault is in use
D9.AZU.CRY.02 - Ensure that logging for Azure KeyVault is 'Enabled'
D9.AZU.CRY.03 - Ensure that the expiry date is set on all SQL Database keys
D9.AZU.CRY.04 - Ensure that the expiry date is set on all SQL Server keys
D9.AZU.CRY.05 - Ensure that the Redis Cache accepts only SSL connections
D9.AZU.CRY.06 - Ensure that 'Secure transfer required' is enabled for Storage Accounts
D9.AZU.CRY.07 - Ensure that 'Storage service encryption' is enabled for the Blob Service
D9.AZU.CRY.08 - Ensure that 'Storage service encryption' is enabled for the File Service
D9.AZU.CRY.10 - Ensure that storage account access keys are periodically regenerated
D9.AZU.CRY.11 - Ensure that 'Data encryption' is set to 'On' for Azure SQL Database
D9.AZU.CRY.12 - Ensure that the expiry date is set on all keys
D9.AZU.CRY.13 - Ensure that the expiry date is set on all secrets
D9.AZU.IAM.03 - Ensure that Azure SQL Server Admin is configured with AD Authentication
D9.AZU.MON.02 - Ensure that 'Auditing' is enabled for Azure SQL Database
D9.AZU.MON.03 - Ensure that 'Threat Detection' is enabled for Azure SQL Database
D9.AZU.MON.05 - Ensure that 'Send alerts to' is enabled for Azure SQL Database
D9.AZU.MON.06 - Ensure that 'Email service and co-administrators' is 'Enabled' for Azure SQL Database
D9.AZU.NET.01 - Ensure that SQL server access is restricted from the internet
D9.AZU.NET.02 - Ensure entire Azure infrastructure doesn't have access to Azure SQL Server
D9.AZU.NET.03 - Restrict Azure SQL Server accessibility to a minimal address range
D9.AZU.NET.06 - Remove unused Network Security Groups
D9.AZU.NET.07 - Ensure that at least one Network Security Group is attached to all VMs and subnets that are public
D9.AZU.CRY.02 - Ensure that logging for Azure KeyVault is 'Enabled'
D9.AZU.CRY.07 - Ensure that 'Storage service encryption' is enabled for the Blob Service
D9.AZU.CRY.08 - Ensure that 'Storage service encryption' is enabled for the File Service
D9.AZU.CRY.12 - Ensure that the expiry date is set on all keys
D9.AZU.CRY.13 - Ensure that the expiry date is set on all secrets
D9.AZU.CRY.07 - Ensure that 'Storage service encryption' is enabled for the Blob Service
D9.AZU.CRY.08 - Ensure that 'Storage service encryption' is enabled for the File Service
D9.AZU.CRY.12 - Ensure that the expiry date is set on all keys
D9.AZU.CRY.13 - Ensure that the expiry date is set on all secrets
D9.AZU.CRY.02 - Ensure that logging for Azure KeyVault is 'Enabled'
D9.AZU.CRY.07 - Ensure that 'Storage service encryption' is enabled for the Blob Service
D9.AZU.CRY.08 - Ensure that 'Storage service encryption' is enabled for the File Service
D9.AZU.CRY.12 - Ensure that the expiry date is set on all keys
D9.AZU.CRY.13 - Ensure that the expiry date is set on all secrets
D9.AZU.CRY.07 - Ensure that 'Storage service encryption' is enabled for the Blob Service
D9.AZU.CRY.08 - Ensure that 'Storage service encryption' is enabled for the File Service
D9.AWS.CRY.20 - AWS Kinesis Streams Keys are rotated
D9.AWS.CRY.21 - AWS Kinesis streams are encrypted with KMS customer master keys
D9.AWS.CRY.22 - Ensure that your Amazon EFS file systems are encrypted
D9.AWS.CRY.23 - Ensure that your Amazon EFS file systems are encrypted using KMS CMK customer-managed keys
D9.AWS.CRY.24 - AWS Kinesis Server data at rest has server side encryption (SSE)
D9.AWS.IAM.45 - Ensure that your Amazon Lambda functions do not share the same AWS IAM execution role
D9.AWS.IAM.49 - ECS Service with Admin Roles
D9.AWS.IAM.46 - Lambda Functions with Admin Privileges are not created
D9.AWS.CRY.25.PCI - Ensure ElastiCache for Memcached is not in use in AWS PCI DSS environments
D9.AWS.CRY.26.PCI - Ensure that ElastiCache for Redis version is compliant with AWS PCI DSS requirements

March 7, 2019 Rules Changes

Deployment - March 3, 2019

Compliance and governance:

Compliance entities:
- Added Route tables properties support for several entities.
  - Aws Instance.
  - Aws Lambda.
  - Aws RDS.
  - Aws VPC.
  - Aws RedShift.

Examples:

VPC where accountNumber not in (‘1234…’, …) should not have internetGateways
VPC where accountNumber not in (‘1234…’, …) should not have routeTables contain [ routes contain [ natGatewayId ] ]

Deployment - February 27, 2019

Compliance and governance:

Notifications:
- Added PagerDuty to Issue management systems Integration.
  Configuration instructions here.

Deployment - February 18, 2019

Compliance and governance:

Compliance entities:
- Aws Lambda - Added Resource policy property.
- Azure Storage Account - Added Kind property.

Deployment - February 17, 2019

Compliance and governance:

Compliance entities:
- New optimized JSON viewer with search capabilities.
  Available on Playground, reports, rule builder.
Continuous compliance:
- Added improved continuous compliance wizard
Notifications:
- Separated the notifications from the compliance policies

User menu:

Added create support ticket option.
As part of the integration we moved to a unified CheckPoint support system.
New support tickets will be handled on CheckPoint BEYOND support system.
Existing tickets will be handled on the previous (HelpCenter) system and the ticket history can be accessed.
February 14, 2019

Deployment - February 14, 2019

Cloud inventory - Add GCP cloud account:

Redesigned the onboarding structure.
Added Gsuite onboarding steps.

Compliance dashboard:

Added improved explanation for the export to CSV option..

BUG FIXES

DFT-434 - Detaching policy in continuous compliance.

Deployment - January 29, 2019

Administration - Account settings:

Redesigned the page
Added global emails settings

My settings - Email notifications:

Added under cloud inventory an Invalid AWS and Azure credentials notifications option.

BUG FIXES

DFT-350 - Invalid credentials emails being sent even if all options are disabled.
DFT-276 - Option to disable emails being sent to newly created users

Deployment - January 14, 2019

Compliance and governance:

PREVIEW

Compliance engine:
- AWS API Gateway entity.

Compliance engine:
- AWS S3Bucket added accessPublicBlock support.

Cross system:

Optimized side filter panels

BUG FIXES

DFT-406 - Fixed KeyVault diagnosticSettings object handling.

Deployment - January 10, 2019

Cross system:

Added support for AWS region Stockholm(eu-north-1)

BUG FIXES

DFT-414 - Exclusions not appearing due to deleted rule.

DFT-383 - Improved big compliance assessment runs handling

Deployment - December 16, 2018

BUG FIXES

DFT-394 - GSL fix - Use secure ciphers in CloudFront distribution Rule ID: D9.AWS.CRY.16

DFT-396 - D9.GCP.NET.AG5.VMInstance.22.TCP- Correct description and Remediation

DFT-408 - Dynamo DB -Remove the rule D9.AWS.CRY.18 due to Default encryption settings

DFT-412 - Remove the rules D9.AZU.CRY.07 and D9.AZU.CRY.08

Click here for more details

Deployment - December 10, 2018

Compliance and governance:

Compliance Reports:
- Export to CSV Tags separation.
Continuous Compliance:
- Notification to alert console as default.
Compliance Dashboard:
- Fixed results calculation with exclusions.

BUG FIXES

DFT-265 - Fix Run assessments for GovCloud accounts.

Deployment - December 5, 2018

Protected Assets:

Instance entity:
- Added Inspector and findings table.

Email notifications:

Added filter for cloud accounts.

Deployment - November 25, 2018

Compliance and governance:

Compliance Policies:
- New look and feel.
- optimized filtering.

Compliance Updates:

New Bundles:

GCP CIS Foundations v. 1.0.0
AWS Dome9 Serverless Architectures Security

New Rules:

D9.GCP.NET.11 - Ensure 'Enable connecting to serial ports' is not enabled for VM Instance
D9.GCP.IAM.02 - Ensure that corporate login credentials are used instead of Gmail accounts
D9.GCP.CRY.02 - Ensure "Block Project-wide SSH keys" enabled for VM instances
D9.GCP.CRY.03 - Ensure oslogin is enabled for a Project
D9.GCP.CRY.04 - Ensure oslogin is enabled for a Virtual Machine
D9.GCP.IAM.01 - Ensure that instances are not configured to use the default service account with full access to all Cloud APIs
D9.GCP.NET.12 - Ensure that SSH access is restricted from the internet
D9.GCP.NET.13 - Ensure that RDP access is restricted from the internet
D9.GCP.NET.14 - Ensure Private Google Access is enabled for all subnetwork in VPC Network
D9.AWS.IAM.43 - S3 bucket should have versioning MFA delete enabled
D9.AWS.CRY.24 - AWS Kinesis Server data at rest has server side encryption (SSE)
D9.AWS.CRY.21 - AWS Kinesis streams are encrypted with KMS customer master keys
D9.AWS.CRY.20 - AWS Kinesis Streams Keys are rotated
D9.AWS.IAM.46 - Lambda Functions with Admin Privileges are not created
D9.AWS.CRY.22 - Ensure that your Amazon EFS file systems are encrypted
D9.AWS.CRY.23 - Ensure that your Amazon EFS file systems are encrypted using KMS CMK customer-managed keys
D9.AWS.IAM.45 - Ensure that your Amazon Lambda functions do not share the same AWS IAM execution role
D9.AWS.AS.03 - Lambda Functions must have an associated tag
D9.AWS.AS.04 - Amazon EFS must have an associated tag

November 25, 2018 Rules Changes - click here

BUG FIXES

DFT-371 - Fix GSL logic for 'ELB - Recommended SSL/TLS protocol version'
DFT-963 - Fix GSL logic for D9.AZU.NET.06 "NetworkSecurityGroup should have networkAssetsStats..."
DFT-362 - Fix GSL logic for Compliance policy failing for SQLServer should have AD authentication

Deployment - November 23, 2018

Compliance and governance:

PREVIEW

Compliance exclusions:
- Allows exclusions of specific findings,
  For more information - click here.

Deployment - November 18, 2018

Compliance and governance:

PREVIEW

Compliance engine:
- AWS EcsService entity
- AWS EcsTask entity
- Azure DataWarehouse entity
- GCP IamPolicy entity
- GCP KmsKeyRing entity

BUG FIXES

Compliance:

DFT-366 - Azure KeyVault enableSoftDelete not updated.
DFT-369 - "securityGroup" property is not being populated in Azure GSL "Subnet" & Vnet "subnets" Entity.
DFT-337 - Azure Subnet does not display VNET info via assessment results.

Deployment - November 14, 2018

Cross system:

UI
- Icons and symbols improvements

Compliance and governance:

Continuous Compliance
- Added validations to notifications fields.

BUG FIXES

Compliance rule builder:

DOME-7483 - Fixed several logical issues.

Deployment - November 13, 2018

Compliance and governance:

Compliance dashboard
- Added external id to the cloud account name.
Compliance policies
- Optimized bundle select mechanism.

Deployment - November 8, 2018

Administration

Account settings - Security:
- Added Session idle timeout management policy.

Deployment - November 5, 2018

Compliance and governance:

Continuous Compliance
- Added new fields to CSV report.
- Added summary to CSV report.
Compliance policies
- Optimized bundle select mechanism.

BUG FIXES

System Dashboard:

DFT-332,294 - Fixed compliance system data sync.

Compliance report:

DOME-8456 - Fixed compliance report percentage calculation.

Deployment - November 1, 2018

Compliance and governance:

PREVIEW

Compliance engine:
- GCP IAM Policy entity
- GCP ServiceAccount entity
- GCP Project entity

Compliance entities updates:
- Azure VM - Added IsRunning property.
- GCP VM - Added additional properties
  - IsDefaultServiceAccount property.
  - Disk encryption keys properties.

Deployment - October 29, 2018

BUG FIXES

Protected Assets:

DFT-272 - Fixed ALB / NLB exception handling.

Deployment - October 23, 2018

Administration:

Findings Alerts page:
- Added Copy Finding key to clipboard.

Deployment - October 11, 2018

Compliance and governance:

Compliance rules and bundles:
- Added Rules and bundles audit events.
- Added link to the new rules knowledge base.
Continuous compliance:
- Added new scheduled report type - CSV findings.

Administration:

My settings - Email notifications:
- Improved UI - category view same as the menu.
- Added Compliance section.

Deployment - October 10, 2018

Cloud Accounts

Azure Accounts:
- Added Edit credentials for expired cloud accounts keys.

Deployment - October 8, 2018

Administration

Account settings:
- Added Security user lock down policy.

Deployment - October 4, 2018

PREVIEW to GA

Azure Protection mode:
- NSG Tamper protection support.

Deployment - September 27, 2018

Compliance Updates:

New Bundles:

AWS NIST CSF v1.1 Automated Validation of NIST CSF V1.1 for AWS
GCP NIST CSF v1.1 Automated Validation of NIST CSF V1.1 for GCP
Azure NIST CSF v1.1 Automated Validation of NIST CSF V1.1 for Azure

New Rules:

D9.AZU.CRY.10 - Ensure that storage account access keys are periodically regenerated
D9.AZU.NET.02 - SQL Server accessibility to the entire Azure Infrastructure
D9.AZU.NET.03 - SQL Server accessibility to wide address range
D9.AWS.LOG.12 - S3 bucket should have server access logging enabled
D9.GCP.NET.06 - Unused firewall rules
D9.GCP.CRY.01 - Ensure VM disks are encrypted with Customer-Supplied Encryption Keys (CSEK)
D9.AWS.IAM.28 - S3 bucket should not be world-listable from anonymous users
D9.AWS.IAM.29 - S3 bucket should not be world-listableDeleted Rules:

D9.AZU.CRY.01 - Ensure that 'SQL Encryption' is set to 'On'
D9.AZU.MON.01 - Ensure that 'SQL auditing & Threat detection' is set to 'On'
D9.AWS.IAM.17 - Ensure VIRTUAL MFA is enabled for the "root" account
D9.AWS.NET.22 - Process for Security Group Management - Detection of new Security Groups

September 27, 2018 Rules Changes - click here

BUG FIXES

Compliance engine:

DFT-314 - Fixed assessments run failures due to null values.
DFT-319 - Fixed ECS Cluster EC2 instances update.

Compliance rules:

DFT-288: D9.AZU.MON.07 GSL updated - SQLDB should have auditing.retentionDays>90 or (state.Enabled=true and days=0)
DFT-312: D9.AWS.CRY.17 GSL updated - CloudFront where not distributionConfig.origins.items with [ s3OriginConfig] should have distributionConfig.origins.items with [ customOriginConfig.originProtocolPolicy='https-only' ]
DFT-286: D9.AZU.CRY.11 GSL updated - encryption.status='enabled' needs to change to "Enabled".

Deployment - September 17, 2018

BUG FIXES

Findings page:
- DFT-279 - Custom date query fix
Add GCP Cloud Account page:
- DFT-143 - Updated on boarding steps and improved look and feel

Deployment - September 16, 2018

BUG FIXES

Policy reports page:
- DFT-308 - AWS instances - Export to CSV fix
Compliance result page:
- DFT-151 - Result Entities link generation fix

Deployment - September 06, 2018

BUG FIXES

Cloud account page:
- DOME-8091 - Missing permissions improved look and feel

Deployment - September 04, 2018

Compliance Updates:

New Rules:

D9.GCP.NET.06 - Unused firewall rules
D9.GCP.NET.07 - Global Firewall rule that allows all traffic
D9.GCP.CRY.01 - Ensure VM disks are encrypted with Customer-Supplied Encryption Keys (CSEK)
D9.AWS.IAM.17.HIPAA - Ensure MFA is enabled for the 'root' account
D9.GCP.NET.08 - Disable IP forwarding while creating instances
D9.AWS.CRY.19 - ECS Cluster At-Rest Encryption
D9.AWS.NET.31 - ECS Cluster should not have services without running tasks
D9.AWS.NET.33 - ECS Cluster should not have running container instances with unconnected agents
D9.AWS.NET.34 - Ensure that at least one instance is registered with an ECS Cluster

Deleted Rules:

D9.AZU.CRY.01 - Ensure that 'SQL Encryption' is set to 'On'
D9.AZU.MON.01 - Ensure that 'SQL auditing & Threat detection' is set to 'On'
D9.AWS.IAM.17 - Ensure VIRTUAL MFA is enabled for the "root" account
D9.AWS.NET.22 - Process for Security Group Management - Detection of new Security Groups

Changes To Existing Rules - Click Here

BUG FIXES

DFT-289 Rename rule in GCP bundle
DFT-287 Remove Duplicate Azure Rule "Ensure that 'SQL auditing & Threat detection' is set to 'On'
DFT-286 Remove Duplicate Azure RuleSQLDB should not have encryption.status='Disabled'
DFT-290 - D9.AZU.MON.04 GSL Update to SQLDB should have threatDetection.state='Enabled'
DFT-296 Rule Update - New rule added for HIPAA bundle only: IamUser where name like '%root_account%' should have mfaType='Hardware' or mfaType='Virtual'
DFT-299 CIS Foundations 1.1.0 Rule "D9.AWS.MON.07" logic update

For more information please click here

Deployment - August 22, 2018

Compliance and governance:

Continuous compliance is now GA
Continuous compliance - Updated reports format and improved look and feel

Deployment - August 22, 2018

Assessment history page:
- Added sticky headers

BUG FIXES

Cloud accounts page:
- DFT-275 - fixed GCP projects not visible.

Deployment - August 20, 2018

BUG FIXES

Audit trail:
- DFT-270 - fixed export to CSV

Deployment - August 16, 2018

Compliance engine:
- New scoring calculations.
  The new score would be based on tests (=rule assessed on a cloud entity), and not rules, as done today. Today even single failure in a test fails the entire rule.

Example:

10 rules running, each on 10 entities. Let's say that 2 entities fail for each of the first 5 rules. Today's score: 50% (5 rules without fails). Since 15th: 10 failures out of 100 tests = 90%.

Deployment - August 15, 2018

PREVIEW

Compliance engine:
- ElasticIP entity
- Customer gateway entity
New assessment history page

Example:

GSL Examples:

Make sure CustomerGateway has VPN connections established

CustomerGateway should have vpnConnections

EIP should be associated with an instance

ElasticIP should have associationId

EIP should be allocated in a VPC

ElasticIP should have domain = 'vpc'

Deployment - August 05, 2018

Compliance Updates:

New Bundles:

AWS ISO 27001:2013 Automated Validation of ISO 27001:2013 Requirements for AWS
Azure ISO 27001:2013 Automated Validation of ISO 27001:2013 Requirements for Azure
GCP ISO 27001:2013 Automated Validation of ISO 27001:2013 Requirements for GCP

New Rules:

D9.AWS.LOG.13 - ELB is created with Access logs enabled
D9.AWS.NET.30 - ECS Cluster should have active services
D9.AWS.NET.31 - ECS Cluster should not have services without running tasks
D9.AWS.NET.32 - ECS Cluster instances must be placed in a VPC
D9.AWS.NET.33 - ECS Cluster should not have running container instances with unconnected agents
D9.AWS.CRY.19 - ElastiCache At-Rest Encryption
D9.AWS.NET.34 - Ensure that at least one instance is registered with an ECS Cluster

Rules Changes:

BUG FIXES

S3 bucket should have versioning MFA delete enabled.
- GSL updated to: S3Bucket should have versioning.mfaDelete=true
Use secure ciphers in CloudFront distribution.
- GSL updated to: CloudFront should have distributionConfig.viewerCertificate.minimumProtocolVersion like 'TLSv1.1%'
Ensure a log metric filter and alarm exist for Management Console sign-in without MFA
- GSL Updated to: List<CloudTrail> should have items with [ hasSNSSubscriber='true' and metricFilters with [filterPattern isFilterPatternEqual('{ ($.eventName = ConsoleLogin) && ($.additionalEventData.MFAUsed != Yes) }') or filterPattern isFilterPatternEqual('{ $.userIdentity.sessionContext.attributes.mfaAuthenticated != true }')] ] length() > 0]

Additional Rule Changes including Wording Changes - Updated Rule Names, Description and Remediation Fields, Compliance Sections Updates.

For more information please click here

Deployment - July 12, 2018

PREVIEW

Compliance engine:
- Azure KeyVault entity support.

Example:

Ensure KeyVault is not empty
```
KeyVault should have keys
```

Deployment - July 02, 2018

Compliance engine:

New Rules:

D9.AWS.AS.02 - S3 Buckets outside of Europe
D9.AZU.AS.01 - Instances outside of Europe
D9.AWS.CRY.18 - DynamoDB - Server Side Encryption
D9.AWS.OPE.01 - Lambda Functions must have an associated tag
D9.AZU.NET.29 - Public AMI
D9.AWS.NET.AG4.ApplicationLoadBalancer.9090.TCP - ApplicationLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet
D9.AWS.NET.AG4.ELB.9090.TCP - ELB with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet
D9.AWS.NET.AG4.Instance.9090.TCP - Instance with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet
D9.AWS.NET.AG4.NetworkLoadBalancer.9090.TCP - NetworkLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is too exposed to the public internet
D9.AWS.NET.AG5.ApplicationLoadBalancer.9090.TCP - ApplicationLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope
D9.AWS.NET.AG5.ELB.9090.TCP - ELB with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope
D9.AWS.NET.AG5.Instance.9090.TCP - Instance with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope
D9.AWS.NET.AG5.NetworkLoadBalancer.9090.TCP - NetworkLoadBalancer with administrative service: CiscoSecure,websm (TCP:9090) is exposed to a wide network scope

Rules Updated:

D9.AWS.CRY.04 - S3 Bucket should have encryption in transit for read actions
D9.AWS.CRY.14 - S3 Bucket should have encryption in transit for write actions

Bundle Titles and Descriptions update:

AWS NIST 800-53 Rev 4 (FedRAMP)
Azure NIST 800-53 Rev 4 (FedRAMP)
GCP NIST 800-53 Rev 4 (FedRAMP)

For more information please click here

Deployment - June 18, 2018

Compliance Bundles change

We have expanded and updated our compliance bundles!

Updated some existing rules / bundles mappings including the following bug Fixes

Update compliance section references for AWS NIST 800-53 bundle.
Improved ELB with weak ciphers rules.
Fixed rules with "contain" usages.

BUG FIXES

Clarity:
- Fixed VPC Peering to cross region handling.
Compliance engine:
- Fixed tool tips and UI flickering.

Deployment - June 14, 2018

PREVIEW

Compliance engine:
- AWS VPN Connection entity support.

FEATURES/FUNCTIONALITY

Dynamic Access page:
- Added UI improvements.
- Added terminate all support

BUG FIXES

Policy Reports:
- Fixed export to CSV formatting.
IAM Reports:
- Fixed Credentials report export to CSV date fields support.
Home Page:
- Fixed cloud account findings.

Deployment - June 11, 2018

PREVIEW

Compliance engine:
- Azure Locks entity support.

CROSS SYSTEM

New Main menu
- Improved the product categories

BUG FIXES

Security groups:
- Added SG type name to the title.
IAM Reports:
- Fixed Credentials report date fields sorting.
Home Page:
- Fixed inaccurate cloud account information sync.

Deployment - June 6, 2018

FEATURES/FUNCTIONALITY

Compliance engine:
- IAM User - Added new field: "mfaType" which will be of values "None" / "Hardware" / "Virtual".
- CloudTrail - Expanded the metric filters structure to better troubleshoot sns subscriptions,

BUG FIXES

Compliance engine:
- Fixed missing region field for S3Buckets.

Deployment - May 31, 2018

PREVIEW

Compliance engine:
- AWS WAF Regional entity support.

BUG FIXES

Compliance engine:
- IAM Role combined policies fix.
Clarity:
- Performance improvements.

Deployment - May 30, 2018

FEATURES/FUNCTIONALITY

AWS Onboarding:
- Updated the dome9-read-only policy in order to support WAF for web ACL. [Details]

BUG FIXES

Compliance engine:
- Dashboard - Improved exporting large files to CSV.
Policy Reports and Security groups page:
- UI text and titles fixes.

Deployment - May 28, 2018

Compliance Bundles change

We have expanded and updated our compliance bundles!

As security threats continue to evolve, we want to ensure that you are adhering to up-to-date compliance requirements and security best practices in the public cloud.
As part of this commitment, we are constantly updating our compliance bundles included in our product.

We have made the following enhancements to our compliance module.

1. Added 5 new bundles for additional GCP and Azure coverage:

Azure CIS Foundations v. 1.0.0
Azure NIST 800-53 Rev 4
Azure PCI-DSS 3.2
Azure GDPR Readiness
GCP NIST 800-53 Rev 4
GCP PCI-DSS 3.2

2. Added new rules to include additional security guidelines
3. Updated some existing rules / bundles mappings including the following bug Fixes

DFT-154 - Update Route53 hosted zone check
DFT-152 - Typo in PCI bundle (default')
DFT-138 - Remove Security Group checks from S3 bundle

Additional Client Impact:
New Findings in Continuous Compliance Scheduled Reports
New Findings being sent to SIEM system

Compliance score changes

BUG FIXES

Security Group page:
Dome9 Description text fix.

Deployment - May 23, 2018

BUG FIXES

Compliance engine:
- Dashboard - Failed to trigger download CSV file.
Clarity
- VPC without assets fix.

Deployment - May 16, 2018

FEATURES/FUNCTIONALITY

Compliance engine:
- ElastiCache entity added tags support.

BUG FIXES

Clarity
- Peered VPC assets fix.

Deployment - May 15, 2018

PREVIEW

Compliance engine:
- AWS VPN Gateway entity support.

FEATURES/FUNCTIONALITY

Compliance engine:
- Added List<Entity> rules support.
- Added GroupBy [object] rules support.

Examples:

Ensure no more than 5 IAM Admins exist in any particular account.

List<IamUser> should have items with[name like 'admin' or name like 'administrator'] length() < LIMIT

To detect if your account is near the EC2 Security Group Limit in a VPC.

List<SecurityGroup> should have items groupBy [vpc.id] contain-all [values length() < LIMIT]

BUG FIXES

Compliance engine
- Assessments history
User Permissions fix

Deployment - May 14, 2018

PREVIEW

Compliance engine:
- AWS AMI entity support.
  - Check if the image is private
```
AMI should have isPublic='false'
```

Deployment - May 9, 2018

BUG FIXES

GSL
- Query 'Region should have hasCloudTrail=true' returns invalid results after 'isMultiRegion' is toggled OFF
Dynamic Access Lease
- Setting default access lease time does not reflect or update 'GET ACCESS' default time.

Deployment - May 8, 2018

PREVIEW

Azure Protection mode:
- Added NSG Tamper protection support.

Cloud accounts:
- Added support for Azure tamper protection view.

Audits and Alerts page:
- Added Invalid credentials alert for Azure.

BUG FIXES

UI/Description
- Fixed description to shouldn't (EC2 Instance there shouldn't be any High level findings in Inspector Scans).
- Update name of the s3 to stay in 1 line to " AWS Dome9 S3 Bucket Security"

Deployment - May 7, 2018

FEATURES/FUNCTIONALITY

Compliance engine:
- Added triggered by column to Assessment history

Deployment - May 3, 2018

FEATURES/FUNCTIONALITY

Compliance engine:
- KMS entity added tags support.

Deployment - May 2, 2018

FEATURES/FUNCTIONALITY

UI/Optimization:
- Optimized the account statistics on the homepage (Network, IAM and S3 information).

Deployment - May 1, 2018

PREVIEW

Compliance engine:
- AWS DynamoDB entity support.

Examples:
DynamoDB is encrypted:

DynamoDbTable should have encrypted=true

DynamoDB table size:

DynamoDbTable should have tableSizeBytes<100

DynamoDB number of items:

DynamoDbTable should have itemCount<100

FEATURES/FUNCTIONALITY

Compliance engine:
- AWS Instance entity added Image details support (Image name, Is public, owner Id, etc').
AWS Onboarding:
- Updated the dome9-read-only policy in order to support DynamoDB and ElasticCache tags. [Details]

Deployment - April 26, 2018

FEATURES/FUNCTIONALITY

Compliance engine:
- Redshift entity added tags support.

Deployment - April 26, 2018

FEATURES/FUNCTIONALITY

Compliance engine:
- Kinesis entity added tags support.
- Lambda entity added tags support.
- EFS entity added tags support.

BUG FIXES

Cross system
- Export to CSV component fix.
Security groups page
- Clone security groups - Peered security groups fix.

Deployment - April 24, 2018

FEATURES/FUNCTIONALITY

Compliance Bundles change

Dome9 now has new and improved compliance bundles! Compliance Engine bundle management will be based on the unified mapping of the Dome9 compliance checks to various security and compliance frameworks.

Additional Client Impact:

New Findings in Continuous Compliance Scheduled Reports

New Findings being sent to SIEM system [Details]

Compliance engine:
- RDS entity added tags support.

BUG FIXES

Compliance engine
- Edit Bundle JSON - UI freeze.
Protected Assets
- Roles info data validation fix.
IAM Reports
- Fixed role entity managed policies support.

Deployment - April 12, 2018

PREVIEW

Compliance engine:
- Azure Storage entity support.

Examples:

Encryption key is enabled rule:

StorageAccount should have encryption.key.enabled=true

Check that StorageAccount uses only https traffic:

StorageAccount should have httpsOnlyTraffic=true

Deployment - April 8, 2018

PREVIEW

Compliance engine:
- Route 53 Domain entity support.

Examples:

Route53Domain should not have expirationTime before(-1, 'minutes')

Route53Domain should not have autoRenew=false

Route53Domain should not have expirationTime before(7, 'days')

Compliance engine:
- Added GDPR Readiness bundle.
- Added NIST 800-53 Rev 4 bundle.
Account page:
- Billable assets definition and link to protected assets.

BUG FIXES

Compliance engine
- Navigation exceptions from compliance reports.
IAM Reports
- Fixed role entity support.

Deployment - March 27, 2018

PREVIEW

Protected assets page:
- Guard Duty integration, Added Alerts and findings tab to show findings.

FEATURES/FUNCTIONALITY

AWS Onboarding:
- Updated the dome9-read-only policy in order to support Guard duty

Deployment - March 25, 2018

PREVIEW

Compliance engine:
- Azure Redis entity support.

Deployment - March 19, 2018

PREVIEW

Compliance engine:
- AcmCertificate entity support.

Examples:

AcmCertificate should not have notAfter before(-1, 'minutes')

ApplicationLoadBalancershould not havelisteners with [ certificates with [ expiration before(-1, 'minutes') ] ]

ELBshould not haveelbListeners with [ certificate.expiration before(-1, 'minutes') ]

FEATURES/FUNCTIONALITY

Cloud Accounts:
- Added Validate all permissions button, will try to validate permissions on all of the missing permissions cloud accounts.

BUG FIXES

Compliance engine
- Fixed tags result output.

Deployment - March 15, 2018

PREVIEW

Compliance engine:
- Route53 entity support.

Examples:

Route53HostedZone should not have recordSets contain-any [ records contain-any [ assetMetadata.type='S3Bucket' and assetMetadata.exists=false] ]

Route53HostedZone should not have recordSets contain-any [ records contain-any [ assetMetadata.type='CloudFront' and assetMetadata.exists=false] ]

Route53HostedZone should not have recordSets contain-any [ records contain-any [ assetMetadata.type='CloudFront' and assetMetadata.active=false] ]

Deployment - March 11, 2018

PREVIEW

Compliance engine:
- IAMServerCertificates entity support.
- ELB and ApplicationLoadBalancer entities added IAM Certificate support.

Examples:

IamServerCertificate should not have expiration before(0, 'minutes')

ELB should not have elbListeners with [ certificate.iamServerCertificate.expiration before(1, 'months') ]

ApplicationLoadBalancer should not have listeners with [ certificates with [ iamServerCertificate.expiration before(0, 'minutes') ] ]

Deployment - March 8, 2018

FEATURES/FUNCTIONALITY

Compliance engine - S3 Bucket Security Posture:
- This bundle has been updated to include the rule - S3 Buckets - without server-side-encryption enabled.

Deployment - March 7, 2018

PREVIEW

Compliance engine:
- ELB entity added security policies and ciphers support.
- ApplicationLoadBalancer entity added access logs support.
- NetworkLoadBalancer entity added access logs support.

Examples:

ELB should not have elbListeners with [ policies with [ attributes contain-any [$ in ( 'ECDHE-RSA-RC4-SHA', 'EXP-RC4-MD5') ] ] ]

ApplicationLoadBalancer should have attributes contain-any [ key='access_logs.s3.enabled' and value='true' ]

Deployment - March 6, 2018

FEATURES/FUNCTIONALITY

Compliance engine - Dome9 AWS Dashboards policy:
- S3 Buckets - without server-side-encryption enabled - expanded rule to support all server side encryption types.

BUG FIXES

User Interface
- Fixed tab panels items when refreshing page.
S3 Buckets
- Without server-side-encryption enabled rule - causes false positives for customers

Deployment - March 5, 2018

PREVIEW

Compliance engine:
- Kinesis entity support.

FEATURES/FUNCTIONALITY

AWS Onboarding:
- Updated the dome9-read-only policy in order to support Kinesis

Deployment - March 1, 2018

FEATURES/FUNCTIONALITY

Clarity:
- Added EFS asset count and attached security groups icon

BUG FIXES

RFC6890 Support
- Fixed internal network RFC6890 support.
RDS / Redshift
- Fixed RDS and Redshift state coloring.
VPC display
- Fixed un-managed VPC display for wrong security groups.

Welcome to the CloudGuard Dome9 Help Center

In this topic:

Compliance and governance:

Compliance and governance:

Compliance and governance:

Compliance and governance:

Compliance and governance:

Compliance and governance:

Compliance and governance:

Cross system

Cloud Inventory

Compliance and governance:

Compliance and governance:

Across system

Compliance and governance:

Compliance and governance:

Administration:

Cloud Inventory:

Compliance and governance:

Compliance and governance:

Compliance and governance:

BUG FIXES

Compliance and governance:

Compliance and governance:

BUG FIXES

Compliance and governance:

Compliance and governance:

Compliance and governance:

Compliance and governance:

Cloud inventory - Add GCP cloud account:

Compliance dashboard:

BUG FIXES

Administration - Account settings:

My settings - Email notifications:

BUG FIXES

PREVIEW

BUG FIXES

BUG FIXES

BUG FIXES

BUG FIXES

BUG FIXES

PREVIEW

PREVIEW

BUG FIXES

PREVIEW

BUG FIXES

BUG FIXES

BUG FIXES

Compliance Updates:

BUG FIXES

BUG FIXES

BUG FIXES

PREVIEW

Compliance Updates:

BUG FIXES

PREVIEW

Compliance engine:

New Rules:

Rules Updated:

Bundle Titles and Descriptions update:

Compliance Bundles change

BUG FIXES

PREVIEW

FEATURES/FUNCTIONALITY

BUG FIXES

PREVIEW

CROSS SYSTEM

BUG FIXES

FEATURES/FUNCTIONALITY

BUG FIXES

PREVIEW

BUG FIXES

FEATURES/FUNCTIONALITY

BUG FIXES

Compliance Bundles change

BUG FIXES

BUG FIXES

FEATURES/FUNCTIONALITY

BUG FIXES

PREVIEW