- GCP CIS 1.2 benchmark version now available - The compliance policies for GCP now include CIS version 1.2.
  - Activate these new benchmarks by adding an additional permission to the Lacework Compliance service account custom role. See the GCP CIS 1.2 Addition section in Create a GCP Service Account and Grant Access for instructions.
    Note: If you are an existing customer and you've integrated through the Lacework Terraform provider, re-run terraform apply to upgrade the modules and automatically apply the new permission. See GCP Compliance and Audit Trail Integration - Terraform Using Google Cloud Shell.
  - These CIS 1.2 benchmarks are suppressed by default. Switch them on by going to the GCP Compliance Reports page (Compliance > GCP > Reports) and selecting Actions > Advanced Suppression on any of the benchmark rules. The GCP CIS 1.2 benchmarks are shown in the format GCP_CIS12_*; switch on the ones that you require.
    Known Issue: If your Lacework Policy subscriptions (Settings > General Settings) are automatically enabled (or enabled for any severity), the Advanced Suppression modal window will display the status as ON for some or all of the GCP_CIS12_* rules. This is a known issue in the Lacework Console when first running a GCP CIS 1.2 compliance report; these rules will still be disabled internally. To resolve this, manually disable all of the GCP_CIS12_* rules that are ON and click SAVE. Once this is done, the GCP CIS 1.2 rules can be enabled in the normal way.
    Note: Any active suppressions for GCP CIS 1.0 will not map to the equivalent (or nearest equivalent) GCP CIS 1.2 benchmark in this release. Continue to manually suppress any 1.0 or 1.2 benchmarks that are not required in your environment.
- Off-boarding user improvements - When a user is removed from an identity provider (IDP), such as Okta, Lacework admins must also delete the user from Lacework. For details, see After Removing Users from an IDP. Additionally, to help track access to the Lacework Platform, the Settings > Team Members page now includes Last Login Time for each team member.
- CVSS score version - The CVSS score version is displayed for container and host vulnerabilities. When you group by host or image ID, go to the CVE tab in the expandable pane and hover over the CVSS score. When you group by CVE, each vulnerability row displays a tag that indicates the CVSS version and score.
- Simplified open vulnerabilities trendline chart - The Host Vulnerabilities page now always displays the number of vulnerabilities (CVEs) present in your environment. The chart won't change based on the "sort by" selection. The CVE trend chart shows the total number of unfixed CVEs present on each day.
- Number of containers - The container vulnerabilities tag for the number of active containers is now visible by default instead of being included in the expandable list of tags.
- Resource inventory default time window - The default time window is now the last 24 hours instead of "Today."
- Terms of Service - Existing and new customers will be asked to accept terms and conditions upon login as part of the standard business process. The Terms of Service state that any contractual obligation supersedes the Terms of Service. You can view the Terms of Service when you are prompted to accept it.
- Vulnerability scanning quota increase
  - The maximum number of image assessments per hour for each Lacework account has been increased to 700 (from 500).
  - For each integration, the maximum number of image assessments per hour for each repository has been increased to 50 (from 20).
- AWS SDK update - The SDK update brings additional functionality that may manifest as additions when comparing differences between previous resource configurations in the Lacework Console. For the list of additions that may be displayed, see SDK Updates.
- AWS APIs support - In addition to the existing AWS APIs, Lacework resource inventory also ingests the following AWS APIs:
  - Amazon Access Analyzer list-analyzers API
  - Amazon EC2 get-ebs-encryption-by-default API
  Because this API isn't included in the security audit policy attached to Lacework's IAM role for AWS config integration, you must add permissions for it. For details, see Managed Integrated AWS Resources.
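The permission change described above, as an added example that is not Lacework's own code or documentation: a helper that checks an IAM role policy document for the actions these two APIs need and appends one least-privilege Allow statement only for what is missing, honouring wildcard grants such as ec2:Get* that already cover an action. The IAM action names ec2:GetEbsEncryptionByDefault and access-analyzer:ListAnalyzers, and the sample policy, are assumptions for the example.

```python
import fnmatch
import json
from typing import Dict, List

# IAM actions behind the two inventory APIs above (assumed action names, not from the page).
REQUIRED_ACTIONS = ["access-analyzer:ListAnalyzers", "ec2:GetEbsEncryptionByDefault"]

# Constructed sample: a role policy that only grants describe-style EC2 and IAM reads.
SAMPLE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ReadOnlyInventory", "Effect": "Allow",
                   "Action": ["ec2:Describe*", "iam:List*", "iam:Get*"], "Resource": "*"}],
}

def _statements(policy: Dict) -> List[Dict]:
    # "Statement" may be a single object or a list; normalise to a list.
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)

def _allow_patterns(policy: Dict) -> List[str]:
    # Action patterns from unconditional Allow statements only; statements with a
    # Condition or NotAction are skipped so the check stays conservative.
    patterns: List[str] = []
    for stmt in _statements(policy):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt or "NotAction" in stmt:
            continue
        actions = stmt.get("Action", [])
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns

def action_granted(policy: Dict, action: str) -> bool:
    # IAM action names are case-insensitive and '*' / '?' are wildcards, so a grant
    # such as 'ec2:Get*' or '*' already covers ec2:GetEbsEncryptionByDefault.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _allow_patterns(policy))

def missing_actions(policy: Dict) -> List[str]:
    return [a for a in REQUIRED_ACTIONS if not action_granted(policy, a)]

def add_inventory_permissions(policy: Dict) -> Dict:
    # Deep-copy, then append one least-privilege Allow statement for the missing
    # actions only; a policy that already covers them is returned unchanged.
    updated = json.loads(json.dumps(policy))
    missing = missing_actions(policy)
    if missing:
        updated["Statement"] = _statements(updated) + [{"Sid": "LaceworkInventoryAdditions",
                                                        "Effect": "Allow", "Action": missing,
                                                        "Resource": "*"}]
    return updated
```

Run missing_actions against the policy currently attached to the integration role before and after applying the returned document to confirm both actions are covered.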
Host Vulnerability Updates
The Lacework Console introduces a redesigned Host Vulnerabilities dashboard that includes additional data to help you discover areas of exposure, evaluate risk, and prioritize remediation. The dashboard includes the following updates:
- Page layout - The page now has a search field at the top followed by drop-down menus that let you choose how to group vulnerabilities and the time period. Below these are a row of clickable filters. The statistics and chart are immediately below the filters. The new design adds icons for view actions, which are available in the top right corner.
- Additional statistics and trends - The vulnerabilities snapshot now displays the following information:
  - MTTR - Mean time to resolve, in days: the average time taken for a vulnerability's status to go from New to Fixed.
  - Scanned hosts - Total number of hosts with a successful vulnerability assessment.
  - Coverage percentage - Number of hosts with a successful vulnerability assessment divided by the total number of hosts with a running Lacework agent.
  - Hosts with critical and high severities - Number of hosts with a critical severity plus the number of hosts with a high severity.
- Search - The improved search field at the top of the page allows you to search the page for specific text within a hostname or vulnerability ID.
- Grouping options - When viewing vulnerabilities, you now have a number of grouping options. You can group by Host, AMI ID, Account, or Zone. You can also group by CVE, Package Name, or Package Namespace.
- Filters and clickable tags - Filters and tags allow you to see only what you want to see by displaying a subset of vulnerabilities. Along the top of the page are some pre-defined filters. You can also use the filter icon and select from the list of all filters. Each vulnerability also has clickable tags.
- Vulnerabilities list - The page lists all vulnerabilities by default (up to 100 at a time). You can sort the vulnerabilities list using options that depend on how the vulnerabilities are grouped. When grouped by Host, vulnerabilities can be sorted by hostname, uptime, or severity. When grouped by CVE, vulnerabilities can be sorted by severity, score, or vulnerability ID. You can refresh the list and also download it as CSV.
- Saving and sharing links to views - When the page displays your desired filtered vulnerabilities, you can save the current view by clicking the Save view icon. This allows you to access the saved view later through the Open views icon. You can also copy the link to the current view by clicking the Copy link icon. You can then share that link with others so they can see the same view. Note that searches and sorting cannot be saved in views or copied as links.
- Improved access to context and vulnerability details - The redesign now has both a table view and a separate expandable detail view so you can more easily access the desired information.