What’s New in GravityZone Platform February 2024 (v6.48)

Grzegorz Nocoń

March 12, 2024

On 26 February and 7 March 2024, Bitdefender rolled out new functionality in Bitdefender GravityZone, a comprehensive cybersecurity platform that provides prevention, protection, detection, and response capabilities for organizations of all sizes. These features, consistent with our multi-layered security strategy, are intended to ease the workload of security analysts, administrators, and users.

What’s new for Security Analysts

In a dynamic cybersecurity landscape, security analysts are responsible for uncovering any signs of potential sophisticated attacks to make the invisible visible. This section describes new functionality designed to elevate the capabilities of analysts, offering enhanced tools for threat detection, investigation, and response.

Cloud Security Posture Management

Bitdefender CSPM+ (Cloud Security Posture Management +) is now generally available to all customers, which ends the Early Access Program (EAP) that started on 15 January 2024 and is described with full functionality details here.

Bitdefender CSPM+ includes not only Cloud Security Posture Management (CSPM) functionality, which ensures the secure and compliant configuration of cloud resources and services in order to identify and mitigate potential security risks and misconfigurations, but also Cloud Identity and Access Management (IAM) security (also called CIEM, Cloud Infrastructure Entitlement Management) and Cloud Detection and Response. IAM security helps organizations manage user identities and access permissions within the cloud environment to minimize risk. Cloud Threat Detection and Response uses the GravityZone XDR detection engine and Incident Advisor to extend detection and response to the cloud management plane by analysing cloud audit logs.

These integrated functionalities were designed to help organizations manage security and compliance risks across cloud environments without requiring in-house cloud security expertise. The integration with Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure gives administrators full visibility into cloud assets and identities. Continuous security checks, compliance monitoring, and remediation options ensure secure configurations for cloud resources, reduce complexity, and let security teams focus on productivity.

Bitdefender GravityZone CSPM+ management console.

Detailed information about Bitdefender CSPM+ can be found on Bitdefender TechZone in the Cloud Security article here.

Bitdefender IntelliZone Enhancements

Security professionals who want to proactively identify, monitor, and mitigate cyber-threats can use our IntelliZone platform to enhance their cybersecurity defenses. IntelliZone consolidates and provides all knowledge about the threats collected by Bitdefender Labs, our research and development division, which discovers 400+ new threats each minute and validates 30 billion threat queries daily.

Simple Search locates all known threats associated with a specific Indicator of Compromise (IoC) such as a URL, domain, IP, hash, or certificate hash. All information about Simple Search usage can be found on our GravityZone Support Center page here. With the latest update, security specialists also have Cumulative Search, which locates threats based on their association with several attributes at once. Using filters like threat_actor, country, industry, and indicator, they can build a search that gives a global overview of recently active groups in their region that target their industry. The interface, optimized for user interaction, offers AutoComplete and Helper functionality that displays the list of available indicators or suggests all possible entries.

Bitdefender IntelliZone Threat Search

Armed with these indicators, administrators can proactively create policies for searching specific files or connections to enhance their cybersecurity resilience.

Bitdefender IntelliZone Threat details.

EDR raw events - Syslog Forwarding

With Security Telemetry, administrators have access to the underlying data related to security events, such as processes (create, terminate), files (create, read, modify, move, delete), registry (create and delete keys, modify and delete values), user login, and network connections. With the latest update, all Security Telemetry data from protected endpoints can be sent in syslog format to a syslog server that supports TLS. This enables security analysts to build their own custom correlations. Detailed information about Security Telemetry events can be found on our GravityZone Support Center. Importantly, all duplicated information is filtered out before export to improve system performance and minimize the footprint of the exported data.

Configuration is done by editing the Security Telemetry configuration and selecting Syslog (JSON) from the SIEM solution field.

Bitdefender GravityZone Security Telemetry Syslog configuration
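The custom correlations mentioned above are what an analyst builds on the receiving side of the syslog feed. The following is an added example, not code from Bitdefender or GravityZone: it parses RFC 5424 syslog lines carrying a JSON payload, drops exact duplicates as a defensive check, and flags a process started from a user-writable temp or downloads folder that opens an outbound connection to a non-internal address within a short window. The sample lines and every JSON field name (event_type, endpoint, pid, image, dst_ip, dst_port, ts) are constructed for this example and are assumptions, not the documented Security Telemetry schema.

```python
import json
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample lines: RFC 5424 framing (PRI VERSION TS HOST APP PROCID MSGID SD MSG)
# with a JSON message. Field names inside the JSON are assumptions for this example,
# not Bitdefender's documented Security Telemetry schema. Line 2 is a deliberate
# duplicate of line 1 to exercise the de-duplication step.
SAMPLE_LINES = [
    r'<14>1 2024-03-01T10:00:00Z gz-console gravityzone - - - {"event_type":"process.create","endpoint":"WS-01","pid":4120,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe","ts":"2024-03-01T10:00:00Z"}',
    r'<14>1 2024-03-01T10:00:00Z gz-console gravityzone - - - {"event_type":"process.create","endpoint":"WS-01","pid":4120,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe","ts":"2024-03-01T10:00:00Z"}',
    r'<14>1 2024-03-01T10:00:04Z gz-console gravityzone - - - {"event_type":"network.connect","endpoint":"WS-01","pid":4120,"dst_ip":"203.0.113.10","dst_port":443,"ts":"2024-03-01T10:00:04Z"}',
    r'<14>1 2024-03-01T10:00:01Z gz-console gravityzone - - - {"event_type":"process.create","endpoint":"WS-02","pid":888,"image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","ts":"2024-03-01T10:00:01Z"}',
    r'<14>1 2024-03-01T10:00:03Z gz-console gravityzone - - - {"event_type":"network.connect","endpoint":"WS-02","pid":888,"dst_ip":"192.0.2.44","dst_port":443,"ts":"2024-03-01T10:00:03Z"}',
    r'<14>1 2024-03-01T10:05:00Z gz-console gravityzone - - - {"event_type":"network.connect","endpoint":"WS-01","pid":4120,"dst_ip":"198.51.100.7","dst_port":8080,"ts":"2024-03-01T10:05:00Z"}',
]

# Six whitespace-free header fields after "<PRI>1 ", then the JSON message.
SYSLOG_RE = re.compile(r"^<\d+>1 \S+ \S+ \S+ \S+ \S+ \S+ (?P<json>\{.*\})$")

# RFC 1918 and loopback ranges; anything else is treated as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Path fragments that usually mean a user-writable staging location.
SUSPECT_DIRS = ("\\temp\\", "\\downloads\\")


def parse_syslog_line(line):
    """Return the JSON payload of one RFC 5424 line as a dict; raise on malformed input."""
    match = SYSLOG_RE.match(line)
    if not match:
        raise ValueError(f"not an RFC 5424 line with JSON payload: {line[:40]!r}")
    return json.loads(match.group("json"))


def parse_all(lines):
    return [parse_syslog_line(line) for line in lines]


def dedupe(events):
    """Drop byte-identical events, keeping first occurrence and original order."""
    seen, unique = set(), []
    for event in events:
        key = json.dumps(event, sort_keys=True)
        if key not in seen:
            seen.add(key)
            unique.append(event)
    return unique


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def _ts(event):
    return datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))


def find_suspicious_chains(events, window_seconds=60):
    """Correlate process.create -> network.connect on the same (endpoint, pid).

    A chain is reported when the image lives in a temp/downloads folder and the
    connection goes to a non-internal address within window_seconds of the start.
    """
    starts = {}
    for event in events:
        if event["event_type"] == "process.create":
            starts[(event["endpoint"], event["pid"])] = event
    chains = []
    for event in events:
        if event["event_type"] != "network.connect":
            continue
        start = starts.get((event["endpoint"], event["pid"]))
        if start is None:
            continue
        delta = (_ts(event) - _ts(start)).total_seconds()
        image = start["image"].lower()
        if 0 <= delta <= window_seconds and any(d in image for d in SUSPECT_DIRS) and not is_internal(event["dst_ip"]):
            chains.append({"endpoint": event["endpoint"], "pid": event["pid"], "image": start["image"],
                           "dst_ip": event["dst_ip"], "dst_port": event["dst_port"], "delta_s": delta})
    return chains


def analyse(lines):
    """Full pipeline: parse, de-duplicate, correlate. Returns (raw count, unique count, chains)."""
    raw = parse_all(lines)
    unique = dedupe(raw)
    return len(raw), len(unique), find_suspicious_chains(unique)


if __name__ == "__main__":
    n_raw, n_unique, hits = analyse(SAMPLE_LINES)
    print(f"{n_raw} events received, {n_unique} after de-duplication")
    for hit in hits:
        print(f"[{hit['endpoint']}] pid {hit['pid']} {hit['image']} -> {hit['dst_ip']}:{hit['dst_port']} after {hit['delta_s']:.0f}s")
```

Of the three constructed connections, only the WS-01 one is reported: the Chrome connection on WS-02 comes from a signed application directory, and the second WS-01 connection falls outside the 60-second window. In a real deployment the parser would sit behind the TLS syslog listener and the correlation window and path heuristics would be tuned to the environment.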

What’s New for Administrators

With administrators constantly juggling numerous tasks and responsibilities, tools designed to make their daily tasks easier are highly appreciated. This section describes new functionality designed to facilitate the management of features responsible for prevention, protection, and detection in a defense-in-depth security architecture.

XDR Demo Mode

With the latest update, customers can use XDR demo mode during a proof of concept (POC) implementation and for internal training on working with and following XDR incidents. The demo mode is available to all customers with an XDR subscription in the main Incidents -> All incidents panel by clicking the demo icon in the top right corner.

Bitdefender GravityZone Incidents.

The demo incident is always at the top of the grid and can be viewed by the administrator and any users with sufficient permission to see the Incident section.

Bitdefender GravityZone Demo Incident Details

Scenario of the Demo Incident

The incident involves entities such as endpoints, servers, users, Azure AD users, local AD users, and IP addresses, simulated as if collected by the dedicated sensors.

Bitdefender GravityZone Demo Incident Graph

The incident starts with an email containing a malicious attachment sent by Johny to Alice and Bob. Upon file execution, a Command and Control (C2) connection is established to the attacker's server, allowing malicious code to be executed remotely. From Bob's machine, using the KerberosBruteForce attack, the attacker gains access to the administrator account. With the administrative credentials, the attacker connects to several machines, including the file server and the CFO and CEO computers. From the CFO's computer, the attacker downloads additional tools through a malicious URL to spread the attack. Simultaneously, from the CEO's computer, the attacker exfiltrates data through the C&C server.

Any modification to this incident, such as a status or priority change, applies only while the incident is open; once the page is exited, it reverts to its default form. An administrator can review all the actions needed to remediate the incident, but all of them are deactivated.

Additionally, the administrator can use the Advanced Search section to review the automatically generated query and see all the raw events and alerts involved in this demo incident.

Bitdefender GravityZone Demo Incident Advanced Search

What distinguishes this query from others is the trailing clause 'AND alert.incidents_number: DEMO', which an administrator can reuse to create their own queries against this demo incident.

Health Dashboard – Data Exporting

The Health Dashboard is a functionality available in our Early Access Program (EAP), designed to provide a comprehensive overview of endpoint issues and status within the network. It serves as an at-a-glance overview tool for the installed solution. Widgets offer crucial insights into the health and performance of endpoints, highlighting critical concerns that require administrator attention. For example, administrators can use the dashboard to check how many endpoints have issues, such as unresolved malware detections or endpoints not connected to the Bitdefender Global Protective Network. Every important parameter, such as endpoint updates, security update status, and policy status, can be monitored through the dashboard. A full list of available widgets and information on how to enroll the company in the Early Access Program is available at our GravityZone Support Center here.

Bitdefender GravityZone Health Dashboard

With the latest update, administrators can export the data from every widget in CSV format. The exported data can be imported into any other solution that supports CSV files for detailed analysis. Administrators can also review the raw data directly in the exported CSV files, which lists the endpoint names counted in each widget. This gives the administrator what is needed to take further action on endpoint issues in the corporate network.

For example, if the Health Dashboard shows that two endpoints are pending restart after a product update, administrators can export the widget data to CSV, find the endpoint names, and take the steps needed to resolve the issue.

Send quarantined items to Sandbox Analyzer

With the latest update, administrators can submit any retrievable file from quarantine directly to the sandbox service. The retrieve functionality is available for Windows and macOS machines.

Bitdefender GravityZone Quarantine file submission to Sandbox Analyzer.

This enhancement allows security analysts to conduct controlled file detonation, resulting in a comprehensive report. The report provides information about known threat actors and the family of the detected infection, details on the detection process, including the security mechanisms responsible for identifying the infection's behavior, and its mapping to MITRE techniques. The system learns from the threat's behavior, presenting a timeline of the changes it attempted to make to the system, along with tree graphs depicting its interactions and structure. It also captures a screenshot of the message or error the user would see when the system is infected, such as a ransomware note.

It is worth noting that restoring quarantined files to the computer may cause a security incident, and such actions should be performed with all necessary precautions. With this new functionality, administrators always have a clear picture of quarantined files, with better control and understanding of the potential threats. This lets them make informed decisions when handling retrievable files while maintaining the security integrity of the system.

Quarantine Details View

Knowing which technology detected and quarantined a file gives administrators more control over, and understanding of, their antivirus protection. With the latest releases, administrators can enable the Detecting Technology column in the Quarantine view to check which module (FileScan.OnAccess, FileScan.OnDemand, BehavioralScan, IntegrityMonitor, or Manual Scan) decided to quarantine the file. The Detecting Technology column can also be used as a filter.

Bitdefender GravityZone Computers and VMs Quarantine management.

Administrators can use this knowledge to respond to threats, fine-tune security policies, and produce post-incident analysis and compliance reports.

Security for Amazon AWS (EC2) enhancements

To maximize the benefits of a cloud deployment, administrators can choose between two ways of integrating with AWS: using the complete Bitdefender Endpoint Security Tools (BEST) installer, or employing a lightweight agent with Security for Virtualized Environments (SVE). SVE is deployed as a virtual appliance designed from the ground up for virtualization and cloud computing, ensuring a lightweight security footprint on each instance while maximizing performance and protection. More information can be found here.

With the latest updates, several improvements have been added to simplify management for our Managed Service Providers (MSPs), partners, and customers who use Bitdefender Security for Amazon AWS. Firstly, after integration with Amazon EC2, all available resources are displayed in the Network configuration and moved out of the Computers and Groups inventory into a separate Amazon EC2 group, as shown in the screenshot below.

Bitdefender GravityZone Network configuration section

In addition, with automated inventory synchronization, administrators have a view of the whole inventory, whether or not an endpoint agent is installed on each resource. An administrator can assign a policy to individual resources, or assign it globally to the Amazon EC2 group, in which case it is automatically inherited by all groups in the inventory.

If the administrator has defined tags on their machines in AWS, for example to categorize them by function or department, those tags can now be used to assign policies automatically through the Policy Assignment configuration.

From the GravityZone console, administrators can generate reports such as Monthly Usage, even when they run multiple subscriptions under one account. This helps with cost calculation and identifies irregularities that may signal security incidents, including unauthorized resource usage for activities like Bitcoin mining or lateral movement within the infrastructure during advanced attacks. Administrators can also configure GravityZone to receive new notifications related to Amazon EC2, such as information about activated and deactivated subscriptions. All of these notifications are also available through the API integration.

Product trials

With the latest update, all GravityZone Small Business Security customers can extend their existing functionality by activating a trial license that includes both Business Security and Business Security Premium. The trial license is valid for 30 days and lets them evaluate a broader defense against a wide range of cyber threats. To start the trial, administrators navigate to the Product Trials page, accessible on the upper right side after clicking the button.

Bitdefender GravityZone Product Trials section.

Upon activating the Business Security license, customers will have access to additional features such as:

  • Content Control - administrators can control user activities through granular web filtering and application control.
  • Device Control - enables tracking of both authorized and unauthorized devices and their usage, minimizing the risk of security incidents.
  • Network Attack Defense - detects and identifies malicious or suspicious activity by uncovering patterns, anomalies, and indicators of compromise across the network. It can effectively identify potential threats, mitigate risks, and provide valuable insights for proactive threat response.
  • Endpoint Risk Analytics - a comprehensive tool to help identify and remediate security vulnerabilities and pinpoint users with risky security behavior, reducing potential entry points.

By activating Business Security Premium in addition to Business Security, customers will gain access to features such as:

  • Hyper Detect - contains tunable machine learning functionality aimed at identifying advanced attacks and detecting new types of malware it has never seen before by analyzing the behavior of running processes.
  • Cloud Sandbox Analyzer - analyzes suspicious files in depth by detonating payloads in a contained virtual environment hosted by Bitdefender, observing their behavior, reporting subtle system changes that indicate malicious intent, and providing actionable insight.
  • Fileless Attack Protection - actively identifies and prevents fileless malware during pre-execution stages to thwart attacks that leverage Living off the Land (LOL) techniques.
  • Incident, Threats Explorer - provides a centralized view of security events with a full recorded timeline for blocked attacks.

Beyond the core offerings, existing Small Business Security customers can also evaluate features such as:

  • Patch Management - provides the ability to immediately patch vulnerable software on systems, reducing the attack surface.
  • Full Disk Encryption - keeps data encrypted and secure, minimizing the risk of data loss or theft.
  • Mobile Security - with advanced Mobile Threat Detection (MTD), focuses on risk identification, threat detection, remediation, and reporting to safeguard against a range of anticipated and unexpected threats. MTD serves as an additional layer of defense, enhancing the security posture of mobile environments, especially as remote work and Bring Your Own Device (BYOD) have become more common.

Summary

The Bitdefender GravityZone platform stands out from the crowd, offering a one-stop solution for all your organization's security needs. As the digital landscape evolves, Bitdefender remains proactive, providing prevention, protection, detection, and response capabilities that ensure the ongoing safety of organizations of all sizes worldwide.

To learn more about the Bitdefender GravityZone platform, contact us or a Bitdefender partner for more information. You can also start a free trial by requesting a demo here.

Author


Grzegorz Nocoń

Grzegorz Nocon is a graduate of the Faculty of Physics at the University of Silesia. With over 16 years of experience in the IT industry, he currently works as a Technical Marketing Engineer at Bitdefender. A strong supporter of a holistic approach to security and passionate about solving security problems in a comprehensive and integrated way. Outside of work, an avid CrossFit enthusiast and a lover of fantasy literature.
