Recommendations

Before updating an existing environment to this new version of SES Evolution:

Built-in rule sets provided by Stormshield are automatically updated in the administration console when the solution is updated. However, this is not the case for built-in security policies. When necessary, you must manually update your policies in the console if any of the sets that they contain have a green arrow, as described in step 4 of the procedure below.

The following are the major steps involved in updating policies and the pool to this new version:

1

Updating SES Evolution via the Installation Center
2 Updating security policies to use the latest versions of rule sets
3 Creating a test agent group
4 Selecting pilot agents for the test group and monitoring their behavior for several days
5

Updating all agents to version 2.4.1

We recommend that you follow the detailed procedure below for the update:

  1. If there are unsaved changes in your administration consoles, save them and shut down the consoles.

  2. Follow the procedure for updating SES Evolutioncomponents via the Installation Center, as explained in the Installation guide.

  3. Once the update via the Installation Center is complete, open the consoles again to finalize the update. A message will warn you that the security policies are not using the latest version of the rule sets. Policies were not automatically updated in order to prevent compatibility issues with agents in versions lower than version 2.4.1.

  4. Select a console. In the console's Policies menu, a green arrow pointing upwards indicates policies that are not using the latest version of some rule sets.
    Rule set versions
    Duplicate a policy containing a green arrow, such as the default policy, for example.

  5. Select the copy of the policy and click on Edit.

  6. Rename the policy by adding the version number "2.4.1" for example.

  7. Select Always use latest version for all rule sets containing a green arrow.
    Always use latest version of rule sets

  8. Save the policy.

  9. Now, duplicate one of your production agent groups to test the deployment in version 2.4.1 with the new updated policy.

  10. In the Policies tab, select the policy created earlier.

  11. Ensure that the software version selected in the Version section of the Software tab is 2.4.1.

  12. Save the new group.

  13. You will now select one or several agents in your initial group, which will be used as pilot agents. In the General tab of the initial group, select the pilot agents and click on Move agents to. Select the new test group.

  14. In the Environment menu, click on Deploy to deploy the changes made to your environment.

  15. After the pilot agents have reconnected to the agent handler, the workstations must be restarted. After restarting, ensure that the agents have indeed switched to software version 2.4.1 and that they are using the new policy.

Test the behavior of the pilot agents for several days. Once you are sure that they are running properly, you can update all the agents in the pool. There are two ways to do so:

  • Select the new policy and software version 2.4.1 in your production agent groups. If you choose this option, remember to delete the test group.

- or -

  • Duplicate all your production groups and update them, then delete older groups if necessary.

If there is a need for agents to downgrade to an earlier version after updating to version 2.4.1, the version would no longer be compatible with the policies that contain version 2.4.1 features. We recommend that you then move the affected agents back to their original group.

With version 2.4.1, Stormshield provides protection and audit rule sets. These rule sets are shared and are either built into the console or need to be downloaded, and can be used in built-in policies or in your own policies.

You can follow the recommendations below regarding the order of sets and which sets to use in your policies.

Default policy

Order   Rule sets

Included/Optional
1   Audits of attack contexts Included
2   Monitoring of known dangerous or vulnerable drivers Included
3   Windows Defender event forwarding Optional
4   Your own audit rule set Optional
5   Secured Wi-Fi hotspots Optional
6   Block-list of known dangerous applications Included
7   Advanced protections Included
8   Anti-ransomware protection Included
9   Your own protection rule set Optional
10   Protection against malicious usage of LOLBIN Optional
11   Data leak prevention Included

12

   Protection baseline Included

13

   Common applications hardening Optional

14

   Common network hardening Optional

Backoffice component protection

Order   Rule sets Included/Recommended/Optional
1   Audits of attack contexts Included
2   Monitoring of known dangerous or vulnerable drivers Included
3   Windows Defender event forwarding Optional
4   Your own audit rule set Optional
5   Block-list of known dangerous applications Included
6   Backend protection Recommended (backend only)
7   Agent handler protection Recommended (agent handlers only)
8   Administration console protection Recommended (administration consoles only)
9   Advanced protections Included
10   Anti-ransomware protection Included
11   Your own protection rule set Optional
12   Protection against malicious usage of LOLBIN Optional
13   Data leak prevention Optional
14   Protection baseline Included
15   Common applications hardening Optional
16   Common network hardening Optional

Other Stormshield built-in rule sets can be found in shared rule sets. For more information, refer to the sections Understanding built-in rule sets and Customizing built-in rule sets in the SES Evolution Administration guide.

Before updating the Microsoft operating system on workstations that host SES Evolution agents, ensure that you have the most recent Stormshield rule sets. If this is not the case, download the latest rule sets as described in the section Downloading Stormshield updates, , then update your security policies.