CylanceGATEWAY

release notes

Windows

per-app tunnel wildcard support

In the Gateway Service policy, you can now include a wildcard in the path when you specify which apps can use the

CylanceGATEWAY

tunnel on

Windows

devices.

This feature reduces the administration time when the path specifies an executables folder which may contain versions that change frequently.

This feature is supported on

CylanceGATEWAY

agent for

Windows

2.7 and later.

For more information, see the Gateway Service policy parameters in the Cylance Endpoint Security Setup content.

Start the agent and enable Work Mode automatically on

macOS

and

Windows

In the Gateway Service policy, you can now force the

CylanceGATEWAY

agent on

macOS

and

Windows

devices to start when users log in or enable Work Mode automatically when the agent starts. Your policy settings override the "Start

CylanceGATEWAY

when I sign in" and "Enable Work Mode Automatically" settings in the agent, but users can still manually enable or disable Work Mode after the agent starts or close the agent.

This feature ensures that the devices have access to private network resources and benefit from ACL rules and network security protection settings by starting the agent and establishing a tunnel connection automatically. 

This feature is supported on the following devices:   

For more information, see the Gateway Service policy parameters in the Cylance Endpoint Security Setup content.

Safe Mode DNS protection support on

macOS

In the Gateway Service policy, you can configure users to use Safe Mode.

This feature extends the tenant’s ACL rules and endpoint protection for devices when Work Mode is not enabled ensuring that devices are always protected. With Safe Mode,

CylanceGATEWAY

blocks users from accessing potentially malicious destinations and enforces acceptable use policy (AUP) by intercepting DNS requests. The

CylanceGATEWAY

Cloud services evaluate each DNS query against the configured ACL rules and network protection settings, and then instructs the agent to allow or block the request in real time. If allowed, the network DNS query is allowed to complete over the bearer network. Otherwise, the

CylanceGATEWAY

agent overrides the normal response and prevents access.

When enabled, Safe Mode automatically takes effect when Work Mode is disabled. Enabling Safe Mode does not prevent users from enabling or disabling Work Mode, if the users' policy allows such operations. Safe Mode events appear in the

CylanceGATEWAY

Events screen and are sent to the SIEM solution or syslog server, if configured. 

This feature is not supported in environments that use secure DNS with DoT (DNS-over-TLS) and DoH (DNS-over-HTTPS) protocols. DNS queries sent using DoT or DoH cannot be viewed by CylanceGATEWAY.

This feature is supported on

CylanceGATEWAY

agent for

macOS

version 2.7 or later.

For more information, see the Gateway Service policy parameters in the Cylance Endpoint Security Setup content.

Enforce per-app tunnel access on

macOS

and

iOS

In the Gateway Service policy, you can require MDM managed devices to have a valid VPN profile assigned and installed by the MDM provider before users can use

CylanceGATEWAY

. The installed VPN profile will prevent users from manually starting the VPN in the default configuration.

This feature extends Zero Trust Access to bring-your-own devices with user privacy enrollment. This feature also helps decrease the load on your organization’s VPN by enforcing certain work traffic to use the

CylanceGATEWAY

tunnel.

This feature is supported the following devices:

For more information, see the Gateway Service policy parameters in the Cylance Endpoint Security Setup content.

Events enhancements

On the

CylanceGATEWAY

Events page,

Network anomaly detection

CylanceGATEWAY

uses machine learning to learn and monitor a

CylanceGATEWAY

user’s upload volume and download behavior pattern. Network anomaly events are detected when a user's upload and download volume are not consistent with past behavior. Abnormal upload and download volumes could be an early indicator of compromise (for example, exfiltration attempts, or malicious software installed on the device). When an anomaly is detected, it is displayed on the

CylanceGATEWAY

Events screen and identified as a behavioral risk anomaly. This detection allows administrators to review the activity and determine if it is expected behavior. Behavioral risk anomalies do not block user traffic.

Benign Domain Classification

CylanceGATEWAY

uses machine learning that applies categorization to previously uncategorized destinations. This feature allows administrators to ensure compliance with their organization’s acceptable use and regulatory requirements.

C2 beacon detection

Beaconing is one of the first network-related indications of a botnet or a peer-to-peer malware infection. When a host is infected, the malware can initiate a command and control (C2) channel with its creator.

CylanceGATEWAY

now detects and reports beacons in your private network traffic. Identified C2 beacon events are labelled as Zero Day Detection and categorized as a security risk and subcategorized as a beacon. The anomaly detection threat events are sent to the SIEM solution or syslog server, if configured.

Events enhancements

On the

CylanceGATEWAY

Events page,

Time is displayed in UTC format
: All timestamps (for example, Start Time and Event Details) are now displayed in UTC format. This feature allows for easy correlation with other security products that use UTC format for time. This feature also allows administrators to filter events for a specific time without having to consider users that might be in different time zones.
Event Details page
: The link to view a summary of a user’s network activity has been moved from the Events page to the Event Details page.
Control the order of the columns
: You can now change the order of the events columns by dragging the column to where you want it to appear. The updated order of the columns is saved in the local browser that you used to view the page. This feature allows administrators to order the events columns to their preference.
UI update
: The Connector column has been replaced with the Network Route column. The Network Route column will label traffic as Public or Private. For Private connections, the
CylanceGATEWAY Connector
that is used to route the traffic will be identified. The Network Route column can be filtered to display Public traffic, Private traffic, or traffic for a specified
CylanceGATEWAY Connector
.
Filter capabilities
. You can now perform free form type to search the events. As you type characters in the search field, you can select from the displayed matching options. The enhanced filter capability provides you with an alternate method to filter the events.
Network events deep linking
: You can copy a link to an event using the icon added to the top of the event details page and share it with another console user to view the specific filtered event. This feature allows administrators to facilitate multi-team collaboration during an audit or investigation of destinations that users have tried to access. Console users must have the appropriate permissions to view the event.
New user search capabilities
: You can now filter events by users’ Active Directory username from the user filter in events. Select the filter option and type the user’s
Active Directory
username in the search field. This filter allows administrators and SOC analysts to investigate events for a specific user and allows for better correlation between
CylanceGATEWAY
and other security tools.

Gateway Connectors info enhancements

The Connection History Time is now displayed in UTC format. This feature allows administrators to view the latest status of a

CylanceGATEWAY Connector

without having to consider if the connector was installed in a different time zone.

Google

Workspace as Managed Service

Administrators can now easily configure access to the

Google

Workspace set of applications such as

Gmail

,

Google Drive

, and

Google

IM & VoIP without having to know their FQDNs or IP addresses. This feature simplifies the process of configuring access to these destinations in the ACL rules.  

iOS

and

Android

device posture validation on connect

Administrators can require

iOS

and Android devices to be managed by

Microsoft Intune

before users can use

CylanceGATEWAY

. For more information, see Configure Gateway service options in the

Cylance Endpoint Security

Setup content.