2. New features and improvements

2.1. WebUI - New NDR interfaces and options

2.1.1. Home page and global overview table

The new homepage and the new global overview table provide a summary of the strategic risks according to the input chain and the MITRE framework.

2.1.2. Alert dashboard

A new dashboard is available providing a summary of alerts listed by risk level and aggregated by signature.

2.1.3. User dashboard

A new dashboard is available displaying the list of users classified by risk level.

2.1.4. Host Dashboard

A new dashboard is available showing the list of hosts classified by risk level.

2.1.5. Relationship Mapping

On the basis of the various alert feeds, the solution is able to dynamically generate a map of the monitored environment by displaying users, hosts, associated risks, and their relationships.
This new display enables identifying the main threats more quickly.

2.1.6. Investigation dashboards

Navigation within the investigation dashboards has been revised: dynamic filters are created from other dashboards to make items easier to find.

2.1.7. Creating Tags

Tags can be created and associated with users, hosts, and alerts.

2.1.8. Creating Notes

Notes can be created and associated with users, hosts, and alerts.

2.1.9. Managing association rules

A new menu is available for customising the association rules used when detecting users and hosts.
Among other things, it is possible to define the IP address subnets concerned, to make static declarations, and to define exclusions.

2.1.10. Limiting metadata

A new menu is available enabling the limitation of the metadata volume indexed by the GCenter for the following protocols: DNS, HTTPS, HTTP, SMB.

2.1.11. Dark Mode

The new graphical interface features the “dark mode” option.

2.2. WebUI – Administration

2.2.1. Configuring GCap probes

The GCap configuration has been simplified for defining network variables, file rules, and activating the various protocols that will be analysed.

2.2.2. Diagnostic menu

Tech support generation is now possible via the GCenter WebUI (Diagnostics menu).

2.2.3. Update menu

In the “GUM” section, the “Hotfix” and “Upgrade” menus have been merged into “Software update”.

2.3. Analysis / CTI features

2.3.1. Host Detection

A new mechanism is now in place to create and maintain a list of all hosts on the monitored network.
This passive detection uses the information from the different protocols analysed by the GCap.

2.3.2. User detection

A new mechanism is now in place to create and maintain a list of all users on the monitored network.
This passive detection is based on information from the Kerberos protocol.

2.3.3. Aggregate risk calculation per host

For each host, a risk assessment is performed based on the individual risks (alerts) and the number of related individual threats.

2.3.4. Unified risk calculation

A new module calculates the risk of each alert triggered by the various analysis and detection engines.

2.3.5. Identifying the type of host

A new mechanism has been introduced to identify the type of host in the monitored network - computer, server, virtual machine, mobile, firewall, and others.
This identification process is primarily based on analysing user-agents and MAC addresses.

2.3.6. Host Identity persistence and enrichment

Host identification data is stored and enriched over time to create a summary for each host.
The main information available consists of:
  • Host name
  • Related IP address
  • Assigned MAC address
  • Operating system
  • Protocols in use and their proportion
  • Details of detected threats
  • Associated MITRE tactics
  • Aggregated risk score
  • Risk score timeline
  • Top 10 URLs visited
  • Top 10 IP addresses contacted
  • Tags
  • Notes

2.3.7. User identity persistence and enrichment

User identification data is stored and enriched over time to create a summary for each user.
The main information available consists of:
  • Host name
  • Assigned IP address
  • Last seen
  • Protocols in use and their proportion
  • Details of detected threats
  • Associated MITRE tactics
  • Aggregated risk score
  • Risk score timeline
  • Top 10 URLs visited
  • Top 10 IP addresses contacted
  • Tags
  • Notes

2.3.8. Connectivity with the CTI

The GCenter is now able to receive feeds directly from Gatewatcher’s Cyber Threat Intelligence (named LastInfoSec/LIS) to automatically generate new detection rules.

2.3.9. Retro-Hunting and CTI

A new retro-hunting engine reanalyses past metadata and communications using new IOCs from Gatewatcher CTI (LIS) streams.

2.3.10. Re-directing to the CTI platform

By clicking on an alert it is possible to be redirected to the Gatewatcher CTI platform (LIS) web portal and perform an automatic search in an attempt to obtain additional information about the initial alert. Please note that a specific LIS licence is required to activate this feature.

2.3.11. Alerts: help with investigating and responding

When clicking on an alert, several actions are suggested:
  • Redirecting to different dashboards for investigation
  • Downloading files (samples)
  • Displaying details of the threat
  • Sending the sample to a sandbox
  • Downloading the report generated by the sandbox

Actions are contextually linked depending on the content of the alert.
When redirecting to a dashboard for investigation, a filter is automatically created from the alert elements in order to improve the user experience and reduce analysis time.

2.3.12. Associating with the MITRE ATT&CK repository

Each alert is automatically associated with the tactics and techniques of the MITRE ATT&CK repository.

2.4. Detection

2.4.1. DGA detection engine

A new version of our Domain Generation Algorithm (DGA) detection engine is available featuring:
  • An optimised algorithm to reduce false positives
  • Dedicated DGA events, raised with the same alerts as the command and control (C&C) type
  • The ability to add domains from a generated alert to a white list or black list

2.4.2. Shellcode detection engine

The Shellcode detection engine (Goasm) has been improved:
  • Quota and automatic cleaning added to avoid saturation
  • Code optimised to increase stability and performance
  • New Windows features and patches implemented
  • The hash (SHA256, MD5) in the alerts no longer corresponds to the content of the “.data”, but to the analysis results, making it possible to recognise identical shellcodes in different network frames
  • Shellcode alerts include a “Display Data” action to show the hexdump of the “.data”

2.4.3. PowerShell detection engine

The PowerShell detection engine (Gps) has been improved:
  • Quota and automatic cleaning added to avoid saturation
  • Code optimised to increase stability and performance
  • Improved extraction, analysis, and scoring to reduce false positives
  • The hash (SHA256, MD5) in the alerts no longer corresponds to the content of the “.data”, but to the analysis results, making it possible to recognise identical PowerShell commands in different network frames
  • PowerShell alerts include a “Display Data” action to show the hexdump of the “.data”

2.4.4. Malcore detection engine

The Malcore detection engine has been improved:
  • An orchestrator has been added to detect failures and perform automatic corrective actions
  • 16 detection engines are now activated if the licence allows it
  • Improved alert and metadata content, now extracted from the fileinfo

2.4.5. Yara Rules

Yara rules can be added to the Malcore engine to improve detection capability.

2.4.6. Improved processing of suspicious files

A new option is now provided in the analysis chain to mark suspicious files for automatic reanalysis upon the next engine update, until these files are no longer detected as suspicious.

2.5. API

2.5.1. API and Swagger

The vast majority of possible interactions with the solution can be achieved through the API.
More than 200 API endpoints are available. They are described using Swagger and can be tested through the GCenter WebUI (URL: https://FQDN//docs/swagger/).

2.6. System

2.6.1. Change of operating system

A complete overhaul of the GCenter operating system has taken place at V2.5.3.102.

2.6.2. Update of the kernel

The operating system kernel was updated to the latest Long-Term Support (LTS) version.

2.6.3. Optimising the communication between the GCap and the GCenter

A new component controls the communication between the probe and the manager.
The file transmission mechanism has been optimised with a new communication protocol, a database for received files, and more.

2.6.4. File processing mechanism redesign

A complete overhaul of the file processing mechanism has been implemented to:
  • improve the reliability of enrichment
  • obtain all the information related to a reconstructed file
  • be able to systematically find a file from a flow-id

2.6.5. Database for the NDR

A new database has been created to store NDR related data including users, hosts, alerts, risks, and more.

2.6.6. Improved updates

Improvements were made to the solution’s update mechanism.


2.6.8. Netdata: increased retention time

The retention time for metrics reported via Netdata has been increased.

2.6.9. Licences

A new, more detailed licensing system is available.