Tenable Identity Exposure 3.19 On-premise (2022-04-20)

New Features

  • Scalability — Dynamic activation and deactivation of Indicators of Exposure.

  • LDAP authentication — The ability to enable/disable SASL bindings. For more information, see Authentication using LDAP in the Tenable Identity Exposure Administrator Guide.

  • Memory cache: Tenable Identity Exposure has greatly improved its memory consumption to benefit Indicators of Attack (IoAs).

  • New Indicators of Attack (For more information, see the Tenable Identity Exposure Indicators of Attack Reference Guide.)

    • DPAPI Domain Backup Key Extraction: Detects a wide variety of attack tools that use LSA RPC calls to access backup keys.

    • Massive Computers Reconnaissance: Detects reconnaissance attacks that generate a massive number of authentication requests to Active Directory targets.

    • Enumeration of Local Administrators: Detects Active Directory data enumeration attacks.

    • NTDS Extraction: NTDS exfiltration refers to the technique that attackers use to retrieve the NTDS.dit database that stores Active Directory secrets such as password hashes and Kerberos keys.

    • SAM Name Impersonation: Detects an attacker who tries to exploit two vulnerabilities that can lead to an elevation of privileges on the domain from a standard account, without requiring any security skills.

    • Kerberoasting: Detects and alerts on Kerberoasting attacks targeting Active Directory service account credentials.

  • Windows Server 2022 — On-premise support for Windows Server 2022.

  • Retirement of the Caroli component — Retired to optimize platform performance.

  • Retirement of InfluxDB & Equuleus — Retired to optimize platform performance and data consistency.

    Note: For on-premises installations, the change in Tenable Identity Exposure's database implementation will cause the loss of historical data in the dashboards during upgrade. On-premises platforms will lose the history of statistics in the User, Deviances, and Compliance Score. Widgets for Users/Deviance count and Compliance Score will recover their most recent values after reinitialization; however, line chart widgets will only have one data point and will recover their values progressively.

  • Domain connectivity tests — Allows you to test a domain's connectivity (LDAP and SYSVOL) before you add or modify it.

  • Scalability: Tenable Identity Exposure considers resolved deviances as no longer useful and clears them from the database after 6 months.

  • Indicator of Exposure — Improvements to the Indicator of Exposure Logon restrictions for privileged users.

  • Workload quota — New ability to adjust the limit on the number of Indicators of Attack running simultaneously.

  • Attack Path: New graphical representations to explore Active Directory relationships:

    • Blast Radius: Evaluates lateral movements in the AD from a potentially compromised asset.

    • Attack Path: Anticipates privilege escalation techniques to reach an asset from a specific entry point.

    • Asset Exposure: Measures an asset's vulnerability using asset exposure visualization and tackles all escalation paths.

  • Honey Accounts — Allows the Kerberoasting Indicator of Attack to detect login or service requests. For more information, see Honey Accounts in the Tenable Identity Exposure Administrator Guide.

  • API Endpoint — Retrieval of Active Directory objects from the database using the API.

  • Tenable Identity Exposure propagates changes — such as a move or rename — on an LDAP container to the container children.

Bug Fixes

Patches