SES Evolution 2.1 new features
New protections
Advanced protections
Advanced protections make it possible to protect your pool from malicious operations such as the theft of authentication credentials, malicious use of Windows tools, persistence techniques, etc.
New built-in policy: Protection of backoffice components
A new built-in security policy increases the security of SES Evolution backoffice components. This policy must be applied to the agent groups that contain agent handlers, backends and the administration console.
In addition to the security features in the default policy, it includes several modular rule sets, each of which corresponds to a backoffice component. The policy consists of the following rule sets:
- Audits of attack contexts,
- Backend protection (new),
- Agent handler protection (new),
- Administration console protection (new),
- Advanced protections (new),
- Protection baseline.
Changes to existing policies
The default policy has been enriched with new rule sets that provide advanced protections and protection from theft of sensitive information.
It now consists of the following rule sets:
- Audits of attack contexts,
- Advanced protections (new),
- Data leak prevention (new),
- Protection baseline.
When updating from SES Evolution 2.0.x to version 2.1, refer to the Recommendations for the steps to take regarding policy updates.
New built-in rule sets
The following rule sets have been added:
Rule set | Description
--- | ---
Backend protection | Protects the IIS application server (programs, settings, injection, etc.), the database and the SES Evolution Installation Center.
Agent handler protection | Protects the agent handler (programs, settings, injection, etc.), the database and the SES Evolution Installation Center.
Administration console protection | Protects the SES Evolution administration console (programs, settings, injection, etc.), the database and the SES Evolution Installation Center.
Advanced protections | Unlike protections that react to a single strong event, advanced protections react to a pattern of several weak events which, when combined, represent a threat.
Data leak prevention | Protects specific applications frequently used in organizations, e.g., web browsers, file transfer tools, vaults, Windows security authorities and remote control tools. This protection covers unauthorized access to files and registry locations, as well as keylogging attempts, to deter the theft of sensitive assets. Windows security authorities are also protected from interprocess access, which prevents the extraction of Windows passwords. Special attention is given to programs that allow external code to run (e.g., script engines, DLL loaders, etc.), whose operations are always blocked. Likewise, programs provided by default with Windows (LOLBINs) that allow indirect access to information are blocked.
Windows Defender event forwarding | Consolidates in the administration console the security alerts of interest that Windows Defender raises on protected workstations in the SES Evolution pool. This rule set is not included in built-in policies, so it must be added manually to your policies.
Changes to existing rule sets
The following rule sets have been modified:
Rule set | Changes
--- | ---
Audits of attack contexts |
Protection baseline | This rule set has been enriched and hardened:
Agent management
Agent groups based on Active Directory criteria
Agents can be automatically assigned to an agent group according to the Active Directory groups or organizational units to which they belong. This feature saves time and lowers the risk of error when creating agent groups.
Uninstalling agents
You can now prevent the local administrator of a workstation from uninstalling the SES Evolution agent. In this case, the agent can still be uninstalled via a challenge.
Agent filtering
New filters make it possible to display the list of agents by criteria such as operating system, status, security policy, etc.
Dashboard
A new diagram now appears in the dashboard of the administration console and shows the number of agents in the pool for each version of SES Evolution.
Database
Log retention in the database
The duration of log retention in the log database can be configured either when SES Evolution is installed or at any time through the new System menu in the administration console. When logs reach the end of their retention period, they are deleted by a task that runs regularly.
Versions of policies and rule sets
The versions of policies and rule sets are now better managed to optimize storage space in the administration database.
Removable devices
The list of known USB devices (vendor and product) has been updated in the administration console.
Activity monitoring
Windows event monitoring
Windows events of your choice can be forwarded to SES Evolution so that security information about your environment can be displayed.
Logging of user activity
User activity in the SES Evolution administration console is now logged through a full audit of operations performed.
Backoffice component logs
A new menu in the administration console, System logs, shows the activity of agent handlers, backend servers and the SES Evolution administration console.
OSSEC analysis engine
OSSEC rules can now be imported into security policies from the administration console. This allows agents to subscribe to text-based logs or Windows events and report them as SES Evolution logs to the log database or to a SIEM.
Exporting to syslog servers
Logs can now be exported to several syslog servers, and the IDMEF and CEF export formats have been added to facilitate integration with your existing solutions.