September 2023 Platform Releases
Generally Available
Attack path analysis adds support for the Google Cloud environment - Attack paths are now supported for the following Google Cloud assets:
- Google Cloud SQL
- Google Cloud Compute instances
- Google Kubernetes Engine (GKE) (Kubernetes NodePort and LoadBalancer services)
- Container images exposed to the internet with a critical vulnerability
The Lacework Console has the following updates:
- On the Top work items page, the Top risky hosts and Top risky data assets tables include attack paths to Compute instances and Cloud SQL. The page has a new cloud provider filter and revised table columns.
- The Path investigation page includes new Exposure Polygraph nodes to support Google Cloud assets. The page has new Google Cloud-related sections for detailed information: Cloud SQL, Compute instances, firewall rules, and load balancers. The page has a new cloud provider filter and revised table columns.
- The Alerts page supports Exposure Polygraphs for Google Cloud.
- The Vulnerabilities page supports the internet exposure filter for Google Cloud.
- The single machine dashboard includes Exposure Polygraphs for Google Cloud.
The Cloud Security Alliance Cloud Control Matrix (CSA CCM) v4.0.5 report is now available for Google Cloud and Azure - See Available Reports for a complete list of available reports for all supported cloud service providers.
MITRE ATT&CK tags - Lacework alerts now include MITRE ATT&CK tags, so you can see which adversary tactics and techniques an alert relates to and respond to potential threats more effectively. For more information, see Built-in Filters.
Filters relating to classification of vulnerabilities are now available in the Host and Container Vulnerability pages - You can now filter for the following:
- Common Vulnerability Scoring System (CVSS) score of a vulnerability.
- Whether there is a public exploit for a vulnerability.
  - Additionally, when grouped by CVE, the vulnerabilities list now displays the age of the public exploit in the row (this column is also sortable).
- Common Vulnerability Scoring System (CVSS) vectors of the vulnerability.
See Host Vulnerability Filters and Container Vulnerability Filters for a list of all available filters.
New AWS resources - SSO-Admin and Identitystore resources are now integrated with Lacework. See Datasource Metadata for more information.
Pub/Sub-based Google Cloud audit log integration - You can set up a Pub/Sub-based Google Cloud audit log integration to route specific audit logs to a Pub/Sub topic in Google Cloud and enable the Lacework platform to ingest the logs from the Pub/Sub topic to report alerts for anomalous behavior.
The Pub/Sub-based audit log integration method provides the following benefits:
- The logs routed to the Pub/Sub topic are available for ingestion in a few minutes. This enables the Lacework platform to provide alerts for anomalous behavior faster than the Storage-based audit log integration method.
- You can use the LW_ACT_GCP_ACTIVITY Lacework Query Language (LQL) datasource to create custom LQL policies that trigger alerts when policy-based violations are found in the audit logs. For more information, see Create Custom Policies.
Note: The Pub/Sub-based audit log integration does not support the default Google Cloud audit log policies. You must use the LW_ACT_GCP_ACTIVITY LQL datasource to create custom LQL policies.
For instructions on setting up a Pub/Sub-based audit log integration, see the following topics:
- Google Cloud Integration - Guided Configuration
- Pub/Sub-Based Google Cloud Integration - Terraform from Any Supported Host
- Pub/Sub-Based Google Cloud Integration - Terraform from Google Cloud Shell
- Pub/Sub-Based Google Cloud Audit Log Integration - Manual Configuration
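The routing the Pub/Sub-based integration relies on (audit log entries leave Cloud Logging through a sink and land in a topic that a consumer pulls from) is shown below as an added Terraform example; it is not Lacework's Terraform module or its required configuration, and the project ID, resource names, log filter and retention period are assumptions.

```hcl
# Added example, not Lacework's Terraform module. Assumed values: the project ID
# placeholder, the topic/sink/subscription names, and the audit-log filter.
variable "project_id" {
  default = "my-project" # placeholder, replace with your project ID
}

# Topic that receives the routed audit log entries.
resource "google_pubsub_topic" "audit_logs" {
  name    = "audit-logs-topic"
  project = var.project_id
}

# Sink that routes only Cloud Audit Log entries (Admin Activity, Data Access,
# System Event) to the topic. A narrow filter keeps unrelated log volume,
# and its cost, out of the topic.
resource "google_logging_project_sink" "audit_to_pubsub" {
  name        = "audit-logs-sink"
  project     = var.project_id
  destination = "pubsub.googleapis.com/${google_pubsub_topic.audit_logs.id}"
  filter      = "protoPayload.@type=\"type.googleapis.com/google.cloud.audit.AuditLog\""

  # Give the sink its own service account (writer identity) instead of the
  # shared project-level one, so the publish grant below is scoped to this sink.
  unique_writer_identity = true
}

# Only the sink's writer identity may publish to the topic.
resource "google_pubsub_topic_iam_member" "sink_publisher" {
  project = var.project_id
  topic   = google_pubsub_topic.audit_logs.name
  role    = "roles/pubsub.publisher"
  member  = google_logging_project_sink.audit_to_pubsub.writer_identity
}

# Pull subscription the log consumer reads from. The consumer's own service
# account and subscriber grant follow the integration documentation, not this block.
resource "google_pubsub_subscription" "audit_logs" {
  name    = "audit-logs-sub"
  project = var.project_id
  topic   = google_pubsub_topic.audit_logs.id

  # Retain a backlog for seven days so entries are not lost if the consumer
  # is temporarily unavailable.
  message_retention_duration = "604800s"
}
```

Data Access audit logs are only emitted for services where they are enabled in the project's audit configuration; Admin Activity logs are always on, so the sink above carries at least those.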
Important: Starting from September 25, 2023, you cannot create a new Storage-based audit log integration. Lacework recommends that you do the following:
- Create Pub/Sub-based audit log integrations going forward.
- Migrate your existing Storage-based audit log integration to a Pub/Sub-based audit log integration. For more information, see the following topics:
Public Preview
Linux agent configuration from the Lacework Console - Previously, you had to manually update the config.json file on every host to modify the Linux agent configuration. You can now use the Lacework Console to specify the configuration for all agents that use a specific agent token. Any new agent that you install using the token will also use the same configuration. For more information, see Configure Linux Agent Behavior in the Lacework Console.
Note: The settings in the config.json file take precedence over the settings in the Lacework Console. So, you can continue to manually update the config.json file on every host if you prefer. However, Lacework recommends using the Lacework Console to configure the agent because it makes it easier to quickly change settings for a large number of agents.
The GitHub Security Advisory is now used as the CVE source for Java and NPM vulnerabilities - See supported language libraries and package managers for containers and hosts for a full list of the CVE sources used.
New composite alert - The Potentially compromised Google Cloud identity alert will be triggered when there is unauthorized access, data leaks, exploitation of vulnerabilities, or other malicious activities within your Google Cloud environment.
Entitlement management - The Lacework entitlement management feature provides you with the visibility and context to understand your cloud identity architectures and right-size cloud permissions to achieve least privilege goals.
Access the new entitlements capabilities through a new top-level Entitlements menu item in the left navigation. Entitlements has three tabs:
- The Overview tab provides a consolidated view of entitlement metrics, including identities with excessive privileges, active keys older than 180 days, and total number of user accounts. Additional categories of metric trends include high risks, low usage, identity activity, and identity compliance.
- The Top identity risks tab helps you prioritize what to fix first by providing a list of the greatest identity risks in your environment.
- The Explore tab provides a list of identities and summary information. From here, you can drill down into identity access grants and identity transitions, for example, you can see which user can assume which roles. You can also get remediation suggestions and rationale for fixing identity issues.
Support for identity attack paths - Identity attack paths include the following new paths:
- Internet → ... → EC2 → Admin role: This path depicts an admin role as the path endpoint.
- Internet → ... → EC2 → Role → S3 bucket cluster: This path depicts a non-admin role.
  - The EC2 → Role portion means the IAM role associated with the EC2 instance.
  - For the Role → S3 bucket cluster portion, the S3 bucket cluster groups together all the S3 buckets accessible by the role.
- Internet → ... → S3
The Lacework Console has the following updates:
- New Top risky paths with admin role on the Top work items page
- New Identity name filter on the Path investigation page
- S3 bucket cluster details