Enterprise Threat Protector (ETP) now includes these features and enhancements:

Update to custom lists in a policy. All custom and top-level domains lists are no longer included in a policy configuration by default. Administrators can now assign individual lists to a policy.

New user interface for Custom Lists. A new user interface is available on the Custom Lists page (Configuration > Lists). In the new design, administrators can now associate domains and IP addresses to a custom list when creating the list. Likewise, administrators can now add top-level domains when creating a top-level domains list.

Strict delegated access. When enabled for an organization, an ETP super administrator can assign a strict delegated administrator role and the locations and policies the delegated administrator is allowed to manage. A delegated administrator with restricted access can:

• create locations and policies
• manage assigned location and policies
• view events and other reporting data based on the locations and policies they can access

A strict delegated administrator cannot view locations and policies they did not create. They also cannot view other configuration areas of the product such as the Utilities page.

Support for dynamic DNS in limited availability. Dynamic DNS for a location configuration is now in limited availability. When enabled for an organization, an administrator can configure a location with a persistent DNS hostname that resolves to dynamic IP addresses. To enable this feature, contact your Akamai representative.

Enterprise Threat Protector now protects your network from threats that target HTTP and HTTPS traffic

These features are available:

• ETP Proxy. Proxy server that intercepts suspicious HTTP and HTTPS traffic, examines the full URL in a request, and determines which websites are safe for end users to access. You can enable this feature in a policy configuration (Configuration > Policies). When ETP Proxy is enabled, you can select an action for risky domains and file sharing domains. Risky domains are domains that may be a threat because they are newly registered or discovered. File sharing domains are domains for file sharing applications or services.

• URL-based Threat Intelligence. ETP Proxy inspects the URL and, based on the policy configuration, blocks traffic that’s known to be a security threat. ETP can block traffic to a specific URL without blocking the entire domain. A new Classify policy action is also available for custom lists, risky domains, and file sharing domains. When a threat is detected, the Classify action assigns the corresponding policy action in the Akamai Security tab.

• HTTPS Traffic Analysis. ETP Proxy requires that you create an Akamai certificate or generate a certificate signing request that’s signed by your organization’s certificate authority (CA). These certificates function as TLS certificates for the ETP proxy to intercept suspicious traffic. If you are creating an Akamai certificate, you must install the root certificate on end-user machines. The certificate feature is available on the Utilities page (Configuration > Utilities > Certificates).

• Inline Payload Analysis. Feature offered with ETP Advanced Threat that enables ETP Proxy to scan downloadable content on a risky website or in a file sharing application. Multiple static analysis engines are used to scan documents and executables for zero-day threats and other attacks that are typically undetected by antivirus engines.

• New Reporting pages. New pages are available for reviewing ETP Proxy activity (Monitoring > Activity > Proxy) and network traffic that’s directed to ETP (Monitoring > Activity > Network Traffic).

• New Acceptable Use Policy (AUP). New categories and detailed subcategories are available in a policy configuration for administrators to control access to websites or specific website content.

Enterprise Application Access (EAA) 10/26/18 software release

The release includes new features, performance improvements, and EAA component bug fixes.

New features and performance improvements

User experience improvements: Login Portal (end-user) customization

  Italian Language support. The end-user portal can be configured to display content in Italian. Once enabled, the browser’s language settings are used to determine the language being displayed, and users can override the language being selected.

Customization for help desk email addresses. The help desk email address found under EAA Management Portal > System > Settings can be customized to any address the organization chooses and all references to help desk will point to the new address provided.

Organization name customization in MFA notifications. All MFA notifications are sent from “Akamai” today. This release will provide customers with the capability to customize the Organization name presented in MFA notifications.

URL for new user sign up. An optional field can be exposed in the end-user Login Portal that allows EAA administrators to customize the URL for new users to sign up.

Customization for application headers. EAA supports sending LDAP attributes as a custom header for applications.

Email Notification On/Off. EAA supports the ability to toggle system email notifications on or off from the EAA Management Portal.

Identity capability improvements

Support for Integrated Windows Authentication (IWA). IWA allows end users to single sign on to their apps by virtue of logging into their device (desktop SSO). This feature can be leveraged when users are on a trusted network. EAA supports multiple operational modes for IWA.

Authentication only based on client certificates. Provides an SSO-like experience without the need of username and passwords. Users are logged into the IdP on presenting a valid certificate.

WS-Federation with SAML 1.1 support. WS-Federation and SAML 1.1 support facilitates SAML authentication to Sharepoint.

Multi-auth support per PCI-DSS guidance. PCI-DSS 3.2 defines multi-auth capability to require traversal through all factors of authentication before a success or failure is revealed at login. EAA supports multi-auth as part of the TOTP based mutli-factor authentication workflow, which provides additional protection against brute force attacks.

Enhancements with third party IdP integration using EAA’s identity access aware capabilities

Support for EAA user workplace with third party IdP (eg.Shibboleth). EAA admins can present the EAA user workspace in conjunction with third party IdPs.

Authorization for third party IdP. Ability to leverage group information in policies when using third party IdPs, and an updated IdP deployment workflow.

EAA Management Portal Dashboard enhancements

The new dashboard provides a tiled view with actionable widgets. New tiles include OS/Browser distribution, login failure details, and user activity details.

Application off-loading when on trusted (on-prem) networks

Allows customers to define trusted networks on the basis of subnets within the IdP. When traffic comes in from a user inside a trusted network, admins can optionally allow the data path to flow directly through without being proxied via EAA. In such scenarios, EAA will still handle the authentication flow.

SIEM updates

Expanded information is provided to Splunk via the EAA Splunk app. Updates include information on response times, login event details, and resource IDs. There is no change required on the Splunk application available on Splunkbase.

Reporting enhancements

EAA users can query for a report without selecting any query parameters. EAA supports these new preset reports,

• Applications Accessed
• Applications Failed login
• Login Failure Details
• Unique Users Count

Known limitations

Italian Language Support. The EAA remote-desktop aide and EAA Management Portal will continue to display content in English regardless of language selection.

Application Templates. SaaS apps cannot have profiles assigned at this time. Only access applications can have profiles assigned.

Certificate Limitations. When an existing CA certificate is updated, applications using this certificate are not marked for deployment.

Application Off-loading when on trusted (on-prem) networks. Only web applications are supported at this time; VNC/RDP/SSH application profiles are not currently supported.

Report enhancements. IdP URL will not be shown for the Applications Accessed and Applications Failed preset reports.

IWA Error. If a user performs a save on the Advanced Settings page and goes to the deployment page they may receive an error on the IWA field if there are changes to another previously enabled IWA. The work-around is to hard-reload the browser to clear the error.

Bug fixes

These bugs were addressed and resolved in this release,

Text and displays in the EAA Management Portal

• Increased the size of the the external hostname configuration field in the  EAA Management Portal > Preview Configuration tab.
• Status tab is now Diagnostics
• Moved the sync option in the ‘Status’ tab to the ‘Advanced’ tab
• Removed the ‘Diagnostic Tools’ from the tray
• Reduced the size of the window on the EAA Management Portal > Settings page

InstallBuilder Package Code

Added support for InstallBuilder Package Code signing for MacOS and Windows 64 bit.

Client Connector version 2.0.4 is now in beta and available for download. This version of Client Connector protects end-user machines that are on or off the corporate network.

If your organization previously installed version 1.3.1, you can upgrade to 2.0.4. To download and test 2.0.4:

1. In the Enterprise Threat Protector (ETP) navigation menu, select Configuration > Utilities.
2. Click the Client Connector tab.
3. From the Versions Management tab, hover over Client Connector version 2.0.4 for a Windows or Mac operating system and click the download icon.

After testing and approving the connector, an administrator can choose to force an upgrade on end-user machines or allow end users to initiate an upgrade. For more information, see the ETP online help or the Enterprise Threat Protector Client Connector Configuration Guide.

In a policy configuration, new categories and detailed subcategories are available for ETP administrators to control the websites and content that end users can access in the corporate network.

ETP now includes a new and improved user interface when configuring or modifying a location or policy. On the Locations or Policies pages, administrators can also now search for locations or policies.

Client Connector area of the Utilities page now includes a new Reports subtab that contains more data about Client Connectors. In addition to pie charts that show errors and installed Client Connectors, a table is now available to show device information, software version, and the current status of installed Client Connectors. Administrators can also filter this data based on time, such as the most current data or data that was reported in the last day or month.

ETP super administrators can now assign the delegated administrator role to ETP users. When enabled for your organization, this feature is available from the Delegated Access tab on the Utilities page (Configuration > Utilities). To enable this feature, contact your Akamai representative.

ETP super administrators can now assign specific locations to alert notification recipients. This allows administrators to define the locations that these recipients can receive information about. When enabled, this feature is available from the Communication tab of the Utilities page (Configuration > Utilities). To enable this feature, contact your Akamai representative.

When ETP Proxy is enabled, you can select to allow or examine risky domains and file sharing domains. Risky domains are domains that may be a threat because they are newly registered or discovered. File sharing domains are domains of file sharing applications or services. You can select to Allow or Classify traffic to these domains.

The Classify action examines the full URL of a request. If a threat is discovered, a corresponding threat category is assigned to the URL. You can assign the Classify action to custom lists, risky domains, and file sharing domains.

ETP Proxy requires that you create an Akamai certificate or generate a certificate signing request to submit a subordinate certificate that’s signed by your organization’s certificate authority (CA). These certificates function as TLS certificates for the ETP proxy to intercept suspicious traffic. ETP now allows you to generate and submit certificates in binary (.der) format.

If ETP Proxy is enabled, administrators can select different logging levels to define some of the data that’s reported for HTTP or HTTPS traffic in ETP. This setting is available in a policy configuration. The default logging mode provides details that’s most helpful for investigating events.

ETP now includes a delegated administrator role. After this role is assigned to a user in Luna Control Center, an ETP super administrator can grant a delegated administrator access to specific locations and policies, allowing the delegated administrator to manage assigned locations and policies.

A delegated administrator can:  

• Add new locations and policies
• Deploy configuration changes that they applied or were applied to the locations and policies they manage
• View settings associated with most configuration features in ETP, such as custom lists and quick lists
• Schedule a report. Report results show data based on locations a delegated administrator can access
• View and analyze event and activity data based on assigned locations
• Download Client Connector and view reporting data that’s associated with Client Connector installations
• Grant or revoke Akamai Support Access

An ETP super administrator can assign a delegated administrator access to locations or policies on the new Delegated Access tab of the Utilities page (Configuration > Utilities). This tab is available to ETP super administrators only.

A new deploy window is available for configuration changes that are pending deployment. Prior to this release, there were different deployment options for custom lists, quick lists, policies, and locations. In this release, a Pending Changes tab is available on the right side of the configuration pages. ETP administrators click this tab to view all submitted configuration changes that are not yet deployed to the ETP network. Administrators can select specific changes they want to deploy or they can deploy all changes. Information about changes is also listed, such as what changed and who made the change.  The Pending Changes window also offers:

• A revert option to undo or delete a pending change. Any change that is reverted returns a configuration to its last deployed state.
• When deploying a change, administrators can comment on the changes they are deploying. These comments appear in the new Deployment History tab on the Utilities page.

ETP now allows super administrators to rotate a Client Connector entitlement code in case the original entitlement code is compromised. If alerts are detected within a five minute period of sending out an alert notification, users are now notified about these additional alerts after the five minutes. Prior to this release, users were not notified about the alerts that occurred during this period.  The ETP reporting pages include the following improvements:

• Filter Editor now appears at the top of page when a user scrolls past it. This ensures that Filter settings are always accessible to users who are analyzing data on the Event Analysis and Activity pages.
• Report viewers can filter data based on whether there is a correlation between security connector events and threat events.
• A menu with convenient options is available from certain fields on the Event Details window. For example, if a user clicks a Resolved IP address,  a menu appears with actions for this data such as adding the IP address to the Include filter.
• New Detection Method dimension is available to show events that were detected at the time of access (inline) or were discovered later in log data based on behavior (lookback).

• Access prohibited message:
  When an end user attempts to access a malicious or suspicious domain that is directed to the security connector, a Website Access is Prohibited message now appears.  
• Factory reset option removed from Web Console:
  A factory reset option is no longer available in the Web Console. This option is also not supported on Security Connector version 1.1.0 or 2.1.0.

To upgrade to Security Connector version 2.2.0, click the upgrade icon that is associated with the security connector (Utilities > Security Connector) in Enterprise Threat Protector (ETP). If you upgrade from version 2.0.0 and ETP indicates that the security connector was only upgraded to version 2.1.0, click the upgrade icon again to automatically install version 2.2.0.

Enterprise Threat Protector (ETP) now includes the following updates:

Enterprise Client Connector version 1.3.1 is now in beta and available for download. This version of Client Connector includes the following:

• Protection on or off the corporate network: Regardless of network conditions, Client Connector protects end user machines that are on or off the corporate network.
• Auto Upgrade: Client Connector now supports automatic upgrade. In ETP, administrators can choose to force an upgrade on end user machines or allow end users to initiate an upgrade when it’s available.
• Optimized Internet routing: Client Connector sends requests to the ETP DNS servers in the closest geographical region. As a result, ETP returns the IP address of the origin server that is in proximity to the client connector, allowing Client Connector to connect to local websites through the best-performing path.
• Support for split DNS and split VPN network topologies: Client Connector now supports complex network topologies, including a split DNS or split VPN topology.
• Improved Client Connector user interface: The client connector user interface has been redesigned. In addition to improving the overall appearance of the client connector, an icon now allows end users to access the application from a Windows toolbar or Mac menu bar.
• Installation and Error Reports: Reports are now available on the Client Connector tab of the Utilities page (Configuration > Utilities) where the client connector software is downloaded in ETP. Administrators now see the total number of deployed client connectors and any detected errors. A CSV report is also available for download that contains additional information about deployed client connectors, including the overall status.
• Network configuration of internal IP addresses and DNS suffixes: When configuring Client Connector, administrators can also provide internal IP addresses and the DNS suffixes of domains that end users can access while they are protected by Client Connector. Options are available for administrators to add the IP address ranges or blocks that are reserved on the Internet for private or internal networks as defined by RFC 1918 and RFC 4193. The new Network Configuration tab is available on the Utilities page and accessible from the Configuration area of the Client Connector tab.

Advertisement domains removed from Privacy category of Acceptable Use Policy (AUP) To resolve an issue with custom Error pages in Enterprise Threat Protector, advertisement domains were removed from the Privacy category of the AUP. If the Privacy AUP category is blocked in a policy, this change reduces or eliminates the number of alerts that are based on this category.

This change is a temporary solution. Akamai plans to improve AUP services and eventually restore domains in the Privacy category. If you have any questions or concerns, please contact technical support.

Enterprise Threat Protector (ETP) now includes the following enhancements:

• Custom Sinkhole is now Custom Response: A custom sinkhole is now called a custom response. This feature is accessible from the new Custom Responses tab of the Utilities page (Configuration > Utilities). Administrators no longer configure this feature on the Enterprise Security Connector tab.

• New Custom – Response policy action: A Custom – Response action is now available for custom responses. This policy action blocks malicious or suspicious requests and directs the request to the IP address of the custom response device that’s associated with the policy. When configuring a policy, administrators can select this policy action, assign a custom response, and if necessary, manage custom responses. The Block – Sinkhole policy action now exclusively redirects traffic to Enterprise Security Connector.

• Scheduled report improvements: The user interface for configuring a scheduled report is now improved. Administrators can select to enable or disable individual scheduled reports, identify the administrators who created or modified the report, more easily add email addresses for report notifications, and configure the report output format. Scheduled reports are now available in HTML or text format.

• Alert notifications now available in text format: In addition to HTML format, alert notifications are now available in text format. When enabling email addresses for alert notifications, an ETP administrator can now select the format for all alert notification emails.

• Enhanced UI for Security Connector and threat event correlation: When viewing correlated Security Connector and threat events, separate windows are now provided with detailed information. For example, viewing a correlated threat event from the Security Connector tab of the Activity page (Monitoring > Activity) opens a window where threat information is provided. If you choose to view correlated Security Connector events from the Threat Events tab of the Event Analysis page, data about all associated Security Connector events is shown. In each of these windows, report viewers can also download event data to a CSV file.

Enterprise Threat Protector (ETP) now includes the following enhancements:

Integration of Nominum Data: Enterprise Threat Protector now benefits from threat data generated by Nominum, the carrier DNS-based security and services innovation leader that was recently acquired by Akamai. Nominum’s carrier-grade DNS software currently resolves over 1.7 trillion daily DNS requests for carriers worldwide. The addition of this data allows ETP to identify more threats in an enterprise network.

On the first day of this release, you will see an increased number of offline events as this additional intelligence is expected to discover more events from the last 7 days.

DNS Exfiltration Security List: ETP now offers a DNS Exfiltration Security List and a new DNS Exfiltration category for custom lists. The DNS Exfiltration Security List identifies domains that serve as a communication channel over DNS and may be used to steal sensitive data or allow malware to communicate outside the network.

This data was previously part of the Command and Control (C&C) Security List. By default, the new DNS Exfiltration list uses the same policy action as the C&C Security List as long as the C&C list does not use the Block – Error Page or the Block – Sinkhole policy action. The Block – Error Page and the Block – Sinkhole actions do not prevent DNS exfiltration because a malicious communication channel can be created when domains are resolved to a custom error page, sinkhole, or Enterprise Security Connector. As a result, if these actions are configured for the C&C list, the new DNS Exfiltration list is assigned the Block – DNS action.