Transcript
This is our monthly-ish podcast where we go over the release notes from Zed Scaler products, and then we pick out any particular highlights from those release notes that are interesting from a security perspective or a user experience perspective. So with me this month, I have as guests, Andrew. Hi. Hello, everyone. Andrew, thanks for being here. And Patrick. Hey, hello, everybody. Hey, Patrick, and thank you for being here. So as usual, my guests have picked out a number of features from the release notes for the last sort of month and a bit. Obviously, with Christmas in the middle, there's a bit of a longer time between episodes. But there's a few more features in this one. As normal, they picked out anything that's particularly interesting to them in their respective areas of expertise. So without further ado, I don't know who's going first. I think, Andrew, it might be you, if you want to go ahead and tell us what your first feature is, what it's about, and why it's important. Thank you. Thank you, Alex. So the first one I picked is like for the geek within us. I mean, it's about an announcement that we have in the custom URI categories. It's about supporting now regex patterns in the definition of this custom URI category. So this is a configuration structure that I think is very, very used in many areas of the CIA and the policies. And now you have much more flexibility into matching URI to a custom URI category using regex. There are some use cases that I can think of while I was doing a little bit of research. I mean, for instance, one thing I've learned is that there are some second out feed, for instance, that are provided in the form of regex. So some of our customers use that to pull this regex and they would like to put them into a custom URI categories to block this second out. So that's a very useful thing you can do now. And also, obviously, providing a better flexibility in matching certain patterns, right? Because sometimes with an exact match, or you have to create multiple entries inside a custom URI categories with regex, obviously, you can have it simplify your configuration and have a single statement that match multiple entries. Like for instance, sometimes you have a URI that changes anytime you access them or if a different user access that. So it's very difficult to match that with an exact match, while with regex-like structure or partner, you can now support this use case as well. And correct me if I'm wrong, I believe this is live, live, but you may need to reach out and open a provisioning ticket on the ZX Sports website, just to ask them to turn this on for your tenant. Is that correct? Correct. Correct. Okay. And I believe the next couple of features are yours as well? Yes. So I stick to the URL filtering now for the policy, so the rule creation, there's even here another announcement that goes in the direction of simplification and better granularity and controls. So when you create a new rule into URL filtering policy, obviously, you have a lot of criteria to select from to match that rule, and including users, groups, and departments. So the who to which this will apply. This criteria typically have a fixed logical operator between them. So whether it's an OR or an AND, it's predefined in the rule structure. Now we added the possibility to change, to customize this for user groups and departments. So you can select whether it's an OR or an AND operator between those criteria for matching the rule. And again, this goes into the direction of providing better granular and precise control to the rule match, and also to provide additional security. Because obviously, previously, you have to, for instance, if you have a rule that matches on users or groups, I mean, it would be an OR, right, between the two. So you have some use cases where you want to match only users that belong to specific groups or groups that belong as well to a department. So you have a more precise structure there, a more precise control of where the rule applies. This is also, I think, very useful for large organizations that maybe have a nested organization structure that can result in a lot of different groups and departments. So this provides a way to be very specific and to control rule filtering policies and provide enhanced security with this. Perfect. I think those are definitely some pretty good enhancements to URL filtering specifically, since I know that in both cases, it'll be of interest specifically to security teams and large businesses, as you mentioned. I wanted to add that also this feature requires a provisioning ticket to be enabled. Perfect. What's next? So the next one is a sandbox verdict logging. I think it's a new interesting feature in this area. I mean, I wouldn't say it's really game changing, but definitely is a new approach for reviewing the activity of the sandbox. So now what we have added is a new insight specifically targeted to sandbox verdict. So we have in the tenant, in CIA, in the analytic sections, we have different insights for firewall, for web logs, et cetera. Now there's a new one for sandbox verdict, which provide a very quick way to review the activity of the sandbox. So in this new insight, you have an immediate view, like you can select, obviously, as on the other insight, the windows of observation, whether it's the current day, a week, a month, and so forth. You have a quick overview of essential information about the sandbox analysis, when it was completed, what file type it was, if there's a, what's the MD5, and so on, quickly access to the detailed report of the sandbox and so forth. So you have a lot of information. You can also filter on this information to really drill down to what you look for. And it simplify a lot, I think, the triage and the review of the verdict activity, because previously you had to access directly the web logs, the search. Obviously, we had already logs for the sandbox, but it was more transaction based. So you look for sandbox event on the user transactions here, instead you have immediate visibility of what the sandbox activity were. And related to this, there's also announcement in the logging capabilities when it comes to streaming these logs to a SIEM, whether it's an on-prem or a cloud-based. So you can now, this announced information can be streamed to a log feed to a SIEM for consolidating also this logs. And this opened up to some interesting use case as well. We have customers that, for instance, they parse the log SIEMs to provide dashboard, for instance, to different user groups. And previously, for instance, to say one thing, it was not possible to access to, for instance, a verdict for the sandbox or to access the link for the needed report through the empty file. So now for this information, this logs information is also available on the SIEM and you can build, for instance, dashboard for groups of user that needs to access that information without logging in the admin UI for ZIA. So it provides a better user experience and monitoring capabilities of this important feature. So extremely useful for SOC teams who will always want to be using their SIEM. I forgot to say again about availability. This is already available. And so you should see it in the tenant, except for this directory, where it should come up in the next week. So I mean, first week of February, it should be also deployed in this directory. Perfect. And then you have one last feature, I believe. Yeah, it's in the area of GenAI. So, yeah, I mean, we can, let's say, talk about them together. So the first one is very simple, straightforward. So we have now administered, have now the ability, it's about rollback control. So rollback control for admin when accessing the UI. So as you know, we have the ability to parse prompt for GenAI application. And since this prompt can contain sensitive data, PII data, but in any case, it's sensitive data. There is an option when creating a new admin role to obfuscate the prompt in the weblog. So typically, you would see the prompt in the weblogs. And with this control, you have now the ability to obfuscate this prompt. So maybe customers, they have like a partner or that is accessing their routes for whatever reason, or they have a team that needs to access the logs, but they don't want to allow them to see the prompt for all the organizations. So you can control this type of sharing and the access to this information. So simple, but effective. I think it's a very good announcement that is needed. And the other one is about providing grammar control over a new AI application. In this case, I mean, there is obviously this, we have a set of AI application that we support where we can do a lot of parsing, prompt parsing, sorry. And there are more and more application that embed AI, one of which is Atlassian, for instance. We have now introduced support for controlling embedded AI in this cloud application. And also, there's an opt to control whether you want to parse or not the prompt. It's a bit different from what we typically do for the more general gen AI application where the configuration is global. So you do have an opt to decide whether you want to, for instance, capture the prompt or not in the cloud app advanced settings. So it's a global configuration. In this case, the configuration is within the cloud app policy. So it's more grammar. You can define, there are new criteria and when you add a policy for Atlassian cloud application in the cloud app control policy, you have now additional criteria. One is to allow or block globally embedded AI on Atlassian. And the other one is if you want to parse or not the prompt. So you have a grammar control there on gen AI for Atlassian and the rule level. Perfect. Thank you very much. And I think the next few features belong to Patrick. So Patrick, I believe you're here to talk to us about some ZDX stuff and some Deception stuff. Yeah, but first a small topic around CIA. So we have a large list of file types that we can identify based on not only the file extension, but also by looking into the file on the mind type and magic byte. So basically looking at the content of the file to see, okay, what file type is it? And you can use that within file type control and also in data loss prevention policies without content filtering, right? So basically a DLP policy that allows you to upload a certain document or not. And the latest addition is the MSIX form factor. And it basically is available in the executable category. And yeah, you can compare it to a zip container for applications and then in a modern form factor. So the second one is indeed ZDX. So we have added two web probe metrics, which are called server processing time and Zscaler time to first byte. So yeah, we have added a new acronym with the Z in France. So Zscaler time to first byte. But yeah, if we go to the first one, so server processing time, yeah, it captures the duration from the web server processes, from the web server process till, yeah, it first sends back a response, right? So it's mainly focusing on server side processing by measuring the efficiency of the server to generate a response. The second one is Zscaler time to first byte. So it captures the duration from when a user browser sends a request to an application until it receives the first byte of data from the server. And this includes a lot of metrics like TCP, SSL handshake time, server processing. And it does not include DNS time, right? Because that is not part of the initial response. And it is a great indicator to see if the web server is actually having a decent user experience. And the last one also comes in place of the former one, which is server response time category. Then on to deception, we have added a new decoy type, which is called Radius decoys. In 2024, there was a CVE found in the Radius protocol. And the vulnerability is also called Blast Radius. And it is based on the MD5 hash algorithm that is being used by Radius. So that is vulnerable for attacks. So basically an attacker, when they have access to an internal network, they can mimic themselves as being part of the connection between the user and the Radius server. So they can intercept the communication. And with that communication, they can turn it back into plain text. So they can see the logging information that is being used. So the idea is by deploying these Radius decoys, you can divert these threat actors from your real Radius network. And the second one is we provide Terraform support for deploying cloud decoys. I've done it a couple of times myself. And the traditional way was by using PowerShell script, which is a bit of cumbersome. But nowadays, you can download a Terraform package that includes all configuration files. And it is available for both AWS and Azure. And yeah, it makes it much easier to deploy these in scale. You can also leverage your existing infrastructure that you already use in your CICD pipeline. So yeah, basically leveraging infrastructure as a code. Again, I think a really good addition to Deception. Perfect. I think that is the end of the features that you guys had selected for this episode. So I just want to say, Andrea, Patrick, thank you very much for coming on to talk about those features. Thank you. Yeah, you're welcome. And that's it for this episode. So thank you everyone for listening. We'll see you in next month's episode. Bye.