2. New features

2.1. Gatewatcher Licensing Center

Starting with version, the management servers (GCenter) use the new GATEWATCHER LICENSING CENTER (GLC) licensing system.

The license includes at least one perpetual GWAPI license associated with a GCenter.

The administrator must add a licence in order to configure the hardware.

In turn, the operator can access the data in the GCenter.

To obtain a version license, please contact your Gatewatcher business engineer or commerciaux@gatewatcher.com.

2.2. Gatewatcher Update Manager

Starting with version, GCenters rely on a new unified update tool GATEWATCHER Update Manager (GUM).

It enables managing the various types of releases: update, upgrade, and hotfix.

A real time status is visible on the GCenter WEB interface.

Updates are now unified in a single package with the desired engines (Codebreaker, Sigflow, and Malcore) and can be done:

This requires an intelligence account. This requires an intelligence account.
  • Locally, by setting a default directory.

The Malcore online update is differential and encrypted.

Customisation of the preferred schedule is possible via the GCenter WEB interface.

Hotfixes enable a patch to be applied without having to restart the GCenter.

Up to three GCenter upgrade packages and/or the detection probe (GCap) can be stored.

The GUM configuration is possible via a proxy server (PROXY).

2.3. Connector Endpoint Detection and Response (experimental)

It is possible to add a HarfangLab Hurukai connector (EDR) to the GCenter. The configuration of this feature is possible via a proxy server (PROXY).

2.4. Backup and restore

It is henceforth possible to perform an encrypted backup of the GCenter configuration (license included) and the GCap for restoration.

This can be exported locally in SCP or FTP via the GCenter WEB interface

It is possible to schedule a backup and its export via the GCenter WEB interface.

2.5. MISP connector: Malware Information Sharing Platform

It is possible to add a MISP connector to the GCenter in order to convert Indicators of Compromise (IOC) into Sigflow signatures. The configuration of this feature is possible via a proxy server (PROXY).

2.6. GBox Interconnection

It is now possible to interconnect a GBox to the GCenter and automatically send malware to it.

Configuring the GBox is possible via a proxy server (PROXY).

2.7. Sigflow advanced settings

It is possible to configure the advanced options of Sigflow for all GCaps via the WebUI of the GCenter.

It is now possible to configure many parameters such as:

  • Environment variables.

  • Network variables.

  • Timeout protocols.

  • File reconstructions.

  • Local GCap filtering (XDP Filter).

The Sigflow Manager container was unified through the GCenter WebUI container.

2.8. Rulesets per physical interface

Configuring a global ruleset via the GCenter WebUI or by physical interface with a GCap compatible with GCenter version is now possible.

2.9. Containers

All containers in the GCenter are now based on a Debian 10 (Buster) Linux distribution.

2.10. Python 3.6 or higher

All GCenter Python code is in Python 3.6 or higher.

2.11. GCenter API

GCenter’s internal API aggregates almost all of the application configuration templates of the host machine and/or its containers.

2.12. Simplifying the configuration script

It is now possible to use a python command line with arguments to configure the GCenter.

2.13. Startup of GCenter services

When the GCenter is started, a check of each service is performed to verify whether it was started correctly.

2.14. GCenter Urls

In an effort to simplify and organise, all the URLs of the GCenter WebUI were unified.

2.15. Heartbeat

GCenter is now also capable of detecting the absence or loss of a GCap using a Heartbeat daemon.

2.16. ElasticSearch (ES) and Index Life Cycles (ILM)

Starting with version, GCenter includes version 6.8 of the ELK suite.

It enables reinforcing the security of the clusters.

The KIBANA tables were completely revised.

The Index Life Cycle (ILM) enables increasing the retention capacity of alerts and metadata by using these features:

  • Using hot data on SSD media.

  • Using cold data on an HDD type media.

The ILM enables storing the last 24 hours of data in the hot zone. Beyond this delay, the data is archived in the cold zone.

N.B: performance and time purposes, only the ‘logstash-‘ and ‘malwares-‘ indexes are retained. In version, the nomenclature of the ‘logstash-‘ indexes is changed to ‘suricata-‘.

2.17. Orchestration daemon

In order to ensure the continuity of the GCenter services, an orchestration daemon was added.

2.18. Machine Learning and ‘Domain Generation Algorithm’

As of version, GCenter embeds artificial intelligence through Machine Learning based on deep-learning to search for Domain Generation Algorithm (DGA).

This new feature enables detecting DGAs that may be linked to Command and Control (C&C) servers used by malware.

The threshold for triggering an alert is configurable via the GCenter WebUI.

2.19. Malicious powershell detection based on Machine Learning

Starting with version, we are now able to self-learn and analyse powershell scripts in order to detect their malicious nature. Only available with a compatible GCap.

2.20. Shellcodes visualisation

In order to simplify the understanding of a Shellcode attack, it is possible to view a chart via the GCenter WebUI.

2.21. KIBANA - NETDATA tables

Implementing the new version of KIBANA and the ES partition enables creating tables to display GCap logs via the ‘GCenter/Trackwatch Logs’. Eventually, the KIBANA tables will centralise the logs of all the hardware.

2.22. LastInfoSec / Sigflow

From now on, Sigflow integrates the external sources ‘LastInfoSec’ (French CTI). This feature is experimental.

2.23. Malcore analysis

Version enables correlating files analysed by Malcore with a flow based on a ‘flow_id’.

2.24. Multi-tenant

It is possible to activate multi-tenant support via the GCenter WebUI. Only with a compatible GCap.

2.25. Customisation of the session duration

As of version, it is possible to customise the WEB session duration per user.

2.26. LDAPS / AD centralised authentication

Lightweight Directory Access Protocol (LDAP) no longer requires creating specific groups in the directory. It now uses mappings.

It is now possible to use it via SSL or STARTTLS.

LDAP authentication can be done anonymously or using a dedicated account.

Validating self-signed server certificates is possible and optional.

2.27. KAFKA

As of version, the KAFKA export no longer exists.

2.28. Public API

Version introduces the development of a public API and its documentation. This is based on the open source tool SWAGGER.