Cyberhaven Product Update – May 2022
The Cyberhaven team is always working to bring you the best data protection solution and customer experience possible. As part of our regular cadence of improvements, we wanted to share some of the latest features and enhancements in the product, and what they mean to your security practice.
This update summarizes information related to Cyberhaven version 22.05. Key features and enhancements include:
Role-Based Access Control (RBAC)
Role-Based Access Control lets organizations selectively grant team members access to individual parts of the Cyberhaven console. Cyberhaven comes with a flexible permissions schema and allows organizations to create custom roles. The following five roles are available by default:
- Global Admin – full access to everything.
- Security Admin – full access to investigation dashboard and security settings.
- Security Analyst Level 1 – basic access to incidents.
- Security Analyst Level 2 – full access to incidents, including the ability to review captured data.
- IT Admin – access to Cyberhaven deployment options and configuration.
In future releases, we will further extend RBAC capabilities to allow granting selective access to certain objects only — for example, the ability to view only incidents assigned to the user.
Employee Directory Integration
The current release introduces Cyberhaven’s first iteration of integration with a variety of enterprise directory infrastructures. Cyberhaven can now ingest user information from any of the following systems:
Cyberhaven pulls all available information about company employees from the directory system and makes it available in the Cyberhaven console to enhance incident investigations. We will continue to expand on these capabilities in future releases including the ability to use directory information in policies.
NOTE: This feature is in beta and is disabled by default. Please contact Cyberhaven Support if you would like to test the feature.
NOTE: Currently, Cyberhaven relies on Azure AD integration to link endpoint user IDs seen by our sensors to their cloud IDs. Therefore, customers must configure the Azure AD integration to enable other integration. This limitation will be addressed in future releases.
Cyberhaven Splunk App in the Splunkbase
Cyberhaven now has its own native Splunk app on the Splunkbase. The app makes it easier to integrate Cyberhaven and Splunk by streamlining the configuration process. Furthermore, Cyberhaven App now conforms to Splunk’s Common Information Model (CIM), making it easier to search and analyze Cyberhaven data in Splunk, as well as correlate it with events from other products.
Open API (Technology Preview)
Cyberhaven Open APIs allow customers to easily integrate Cyberhaven with other enterprise tools such as SIEMs, SOAR, ticketing, asset management tools, etc. Please note that this release introduces APIs as a technical preview, and APIs may change in the future. Initial APIs include:
- Incidents API
- Endpoint sensors status API
We will continue to expand the available APIs in following releases.
Preventing End-Users with Local Admin Rights From Uninstalling Cyberhaven
Cyberhaven now offers the option to prevent end-users from uninstalling the Cyberhaven agent. When enabled, a user will be required to provide a password in order to uninstall the agent even if the user is a local administrator.
Future releases will continue to expand on this capability to detect other means of tampering with the agent, such as attempting to kill its processes or delete its files.
NOTE: This feature is currently only available on Windows. Mac support is coming soon.
NOTE: This feature is currently in beta. If you’re interested in trying it out, please ask your Cyberhaven representative for further details.
Agent Integrity Self-Check
Security agents such as anti-viruses can mistakenly compromise the integrity of other agents running on the system. To help address this issue, Cyberhaven now checks the integrity of its files and reports it as an error if any files are missing or altered. This status will be disabled automatically when all missed, or corrupted files are recovered.
- Policy Violation Warnings for Offline Devices – Cyberhaven can now show policy violation warnings when users violate policies even while the endpoint is offline. Note that this functionality works in the vast majority of situations, however, may not support cases where policies depend on data flow information not available on the endpoint.
- Re-arrange Dataset and Policy Conditions Using Drag-and-Drop – Cyberhaven now allows users to easily re-arrange datasets and policy conditions using drag-and-drop.
- Option to Remotely Enable/Disable Agent – In rare situations, the IT team may need to temporarily disable the Cyberhaven agent. Cyberhaven now provides this capability through remote agent management, both on Windows and macOS.
- Improved Tracking of Files Added to Emails in Outlook – Cyberhaven significantly improved the tracking of Outlook attachments by moving the tacking logging in-line. This change removes rare cases when file attachments might have been missed in the past.
- Improved Settings and User Management UI – We revamped Cyberhaven settings UI with a focus on users and roles management. Admins can now easily create, edit, delete or search users and roles in our product.
As always, we are actively working on new enhancements that help our customers protect their data and solve security problems that they could never do before. For additional details, you can find the full release notes for this release at https://docs.cyberhaven.io/docs/may-22-05 .
If you would like to learn more about any of these features or the update process itself, please reach out to Cyberhaven team members or contact us at https://www.cyberhaven.com/contact-us/ .