Jun 12, 2018 — ETP updates

  • Custom Sinkhole is now Custom Response. A custom sinkhole is now called a custom response. This feature is accessible from the new Custom Responses tab of the Utilities page (Configuration > Utilities). Administrators no longer configure this feature on the Enterprise Security Connector tab.

  • New Custom – Response policy action. A Custom – Response action is now available for custom responses. This policy action blocks malicious or suspicious requests and directs the request to the IP address of the custom response device that’s associated with the policy. When configuring a policy, administrators can select this policy action, assign a custom response, and if necessary, manage custom responses. The Block – Sinkhole policy action now exclusively redirects traffic to Enterprise Security Connector.

  • Scheduled report improvements. The user interface for configuring a scheduled report is now improved. Administrators can enable or disable individual scheduled reports, identify the administrators who created or modified the report, more easily add email addresses for report notifications, and configure the report output format. Scheduled reports are now available in HTML or text format.

  • Alert notifications now available in text format. In addition to HTML format, alert notifications are now available in text format. When enabling email addresses for alert notifications, an ​SIA​ administrator can now select the format for all alert notification emails.

  • Enhanced UI for Security Connector and threat event correlation. When viewing correlated Security Connector and threat events, separate windows are now provided with detailed information. For example, viewing a correlated threat event from the Security Connector tab of the Activity page (Monitoring > Activity) opens a window where threat information is provided. If you choose to view correlated Security Connector events from the Threat Events tab of the Event Analysis page, data about all associated Security Connector events is shown. In each of these windows, report viewers can also download event data to a CSV file.

May 16, 2018 — ETP updates

  • Integration of Nominum Data. ​Secure Internet Access Enterprise​ now benefits from threat data generated by Nominum, the carrier DNS-based security and services innovation leader that was recently acquired by Akamai. Nominum’s carrier-grade DNS software currently resolves over 1.7 trillion daily DNS requests for carriers worldwide. The addition of this data allows ​SIA​ to identify more threats in an enterprise network.

    On the first day of this release, you will see an increased number of offline events as this additional intelligence is expected to discover more events from the last 7 days.

  • DNS Exfiltration Security List. ​SIA​ now offers a DNS Exfiltration Security List and a new DNS Exfiltration category for custom lists. The DNS Exfiltration Security List identifies domains that serve as a communication channel over DNS and may be used to steal sensitive data or allow malware to communicate outside the network.

    This data was previously part of the Command and Control (C&C) Security List. By default, the new DNS Exfiltration list uses the same policy action as the C&C Security List as long as the C&C list does not use the Block – Error Page or the Block – Sinkhole policy action. The Block – Error Page and the Block – Sinkhole actions do not prevent DNS exfiltration because a malicious communication channel can be created when domains are resolved to a custom error page, sinkhole, or Enterprise Security Connector. As a result, if these actions are configured for the C&C list, the new DNS Exfiltration list is assigned the Block – DNS action.

May 1, 2018 — ETP updates

  • New sections for General policy settings. General policy settings are now organized into sections: The new Browsing Restrictions section contains SafeSearch and YouTube settings. The new Other Settings section contains the CDN Optimization switch.

  • Update to YouTube Restricted Mode Settings. To enable YouTube Restricted Mode, an ​SIA​ administrator no longer needs to enable SafeSearch. A YouTube drop-down menu is now available in the new Browsing Restrictions section of the general policy settings. Administrators can choose from Unrestricted, Moderate, or Strict modes. By default, YouTube is set to Unrestricted mode.

  • Block – DNS policy action now available for an Akamai Security List. Administrators can choose the Block – DNS policy for an ​Akamai​ Security List. In the last release, this action was not available for ​Akamai​ Security Lists.

  • Roaming location replaced with new Unidentified IPs location. Like the roaming location, the new Unidentified IPs location applies to users who are remote or make DNS requests from unexpected IP addresses or locations that are not already configured in ​SIA​. This location is available in ​SIA​ by default. A switch is also available on the Locations page where administrators can choose to allow or block traffic from Unidentified IP addresses.

  • New Location IP Address/CIDR requirements. When configuring a location, these apply:

    • The bit prefix for an IPv4 address must be between 24 and 32.
    • The bit prefix for an IPv6 address must be between 120 and 128.
    • A location cannot use an IP address that is claimed or used by another organization.
    • A location cannot use an IP address that is configured for another ​SIA​ location in your network.
  • Various reporting user interface updates:

    • In addition to the selected date range or applied filters, events are organized by the dimension a report viewer selects. For example, if the domain dimension is selected, events are grouped by domain.
    • A new Top 6 area lists the Top 6 values for the selected dimension. This data is also shown in a graph.
    • Event details and Indicators of Compromise (IOC) details are now accessible in a separate window when a user selects to view more event or domain information.
    • If your organization uses Enterprise Security Connector, Security Connector events are now available on the Security Connector tab of the Activity page (Monitoring > Activity).
    • The Threat Analysis page is now called Event Analysis (Monitoring > Events).
  • ​Secure Internet Access Enterprise​ Guest Wi-Fi now available. ​SIA​ Guest Wi-Fi is a cloud-based solution that organizations can use to specifically configure, apply, and monitor an Acceptable Use Policy (AUP) for a guest wi-fi network.
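
A pre-flight check for the Location IP Address/CIDR requirements listed above, as an added example that is not Akamai code. The function name, the dictionary layout, and the sample locations are assumptions made for illustration; the rule about addresses claimed by another organization cannot be checked offline and is not covered.

```python
import ipaddress

# Prefix-length bounds from the release note: IPv4 /24-/32, IPv6 /120-/128.
PREFIX_BOUNDS = {4: (24, 32), 6: (120, 128)}

def check_locations(locations):
    """Return (location, cidr, problem) tuples for entries that break the rules.

    `locations` maps a location name to its CIDR strings. Whether an address
    belongs to another organization cannot be checked offline and is skipped.
    """
    problems, seen = [], []  # seen: (location, network) pairs already parsed
    for name, cidrs in locations.items():
        for cidr in cidrs:
            try:
                # strict=False accepts host bits and bare addresses (/32, /128)
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                problems.append((name, cidr, "not an IP address or CIDR"))
                continue
            low, high = PREFIX_BOUNDS[net.version]
            if not low <= net.prefixlen <= high:
                problems.append(
                    (name, cidr, f"prefix /{net.prefixlen} outside /{low}-/{high}"))
                continue
            for other, other_net in seen:
                if (other != name and other_net.version == net.version
                        and other_net.overlaps(net)):
                    problems.append(
                        (name, cidr, f"overlaps {other_net} in location {other}"))
            seen.append((name, net))
    return problems

# Constructed sample configuration (documentation address ranges only).
SAMPLE_LOCATIONS = {
    "hq": ["198.51.100.0/24", "2001:db8:0:1::/120"],
    "branch": ["198.51.100.128/25", "203.0.113.0/23", "2001:db8::/64"],
    "lab": ["203.0.113.77", "not-a-cidr"],
}

if __name__ == "__main__":
    for location, cidr, problem in check_locations(SAMPLE_LOCATIONS):
        print(f"{location}: {cidr}: {problem}")
```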

Apr 4, 2018 — Enterprise Security Connector 2.1 updates

  • Upgrade functionality. An ​SIA​ administrator can now upgrade the Security Connector software. When an upgrade is available, an upgrade button is shown with the security connector configuration in ​SIA​. The upgrade process reboots the virtual machine and automatically updates the Security Connector software. This operation may take up to 10 minutes to complete.

  • Reporting of Affected Machine Name. In addition to reporting the infected machine’s IP address, Security Connector now reports the name of the compromised machine. This information is reported to ​SIA​ if DNS Pointer (PTR) records are configured on the DNS name server that communicates with the security connector. ​SIA​ performs a reverse IP address lookup to identify this information. The Affected Machine Name appears as a filter or dimension on the Security Connector Events tab of the Threat Analysis page (Monitoring > Events).

  • Support for VMware Tools. VMware tools in VMware ESXi 5.5 or later are now supported to manage and improve performance of the Security Connector virtual machine.

Mar 30, 2018 — ETP updates

  • YouTube Restricted Mode. ​SIA​ administrators can prevent end users from accessing mature video content. This setting is available within a policy configuration. If Safe Search is enabled, administrators can choose from strict and moderate restriction modes.

  • Top-Level Domains List. ​SIA​ administrators can now create a list with top-level domains. This feature allows an enterprise to apply policy actions to requests based on the top-level domain. You can create a top-level domains list on the Custom Lists page (Configuration > Lists).

  • New policy action. ​SIA​ now includes an Allow policy action. When assigned to a list in a policy, this action grants end users access to the domains and IP addresses in the list.

  • Policy action name changes. These policy actions were renamed:

    • Sinkhole action is now called Block – Sinkhole

    • Block Page action is now called Block – Error Page

    • Deny action is now called Block – DNS

      The behavior of these policy actions is the same. These actions continue to block DNS requests and direct end users to an error message.

  • Deny policy action no longer available for Akamai Security Lists. The Deny (now called Block – DNS) action is no longer available as a policy action for Akamai Security Lists. You can assign the Block – DNS action to custom lists only.

  • If an existing policy configuration used the Deny action for an Akamai Security List, this action was replaced with the Block – Error Page action. Block – Error Page directs end users to custom error pages that are designed in SIA.

Mar 14, 2018 — ETP updates

  • General availability of Enterprise Client Connector, a DNS proxy application that you download from ​SIA​ and configure for installation on users’ laptops. Client Connector allows organizations to protect laptops that are off the corporate network. With Client Connector, you can detect an end user’s network conditions, send off-network DNS requests to ​SIA​, log Client Connector activity, and identify the machine name. Client Connector is supported on the following operating systems: Microsoft Windows 10, Windows 7, Apple macOS Sierra, Mac OS X El Capitan, and Mac OS X Yosemite.

  • General availability of Enterprise Security Connector, a virtual machine that you download from SIA and deploy in your network to collect suspicious or malicious traffic and to identify machines or laptops that are infected with malware or are making requests to malicious domains. This information is directed to Security Connector based on the policy configuration. SIA reports on this data and allows administrators to correlate this data with threat event information. Security Connector is supported on VMware ESXi version 5.5 or later.

  • In Akamai Control Center, ​SIA​ is now available under the Enterprise Security category. You can access ​SIA​ from these menu paths:

    • Monitor > Enterprise Security > ​Secure Internet Access Enterprise​

    • Configure > Enterprise Security > ​Secure Internet Access Enterprise​

      The former category Enterprise Cloud Networking was deprecated.

  • An ​SIA​ administrator can now choose to allow or block traffic from the Roaming location, an ​SIA​ location that is reserved for users who are remote and make DNS requests from unexpected IP addresses. This option is available on the Locations page.

Feb 1, 2018 — ETP updates

Akamai Support Access

Dec 1, 2017 — ETP updates

  • An ​SIA​ administrator can now enable Safe Search in a policy configuration. This feature allows you to block or prohibit adult and explicit content in search results that are completed by end users on Google or Bing search engines.

  • An SIA administrator can now report a domain as a potential threat and include supporting information for our analysts to review.

  • If an end user attempts to access a domain or IP address that is included in the Deny List, the end user is directed to an error page that indicates access to the domain is prohibited.

  • Protect laptops that are off-network with the Enterprise Client Connector, a DNS proxy application that you download from the ​SIA​ portal and configure for installation on enterprise users’ laptops. The Client Connector allows you to apply an ​SIA​ policy to DNS requests that are made outside the corporate network. With the Client Connector, you can detect an end user’s network conditions, send off-network DNS requests to ​SIA​, log Client Connector activity, and identify the machine name.

  • Identify the IP address of devices with the Enterprise Security Connector, a virtual machine that you deploy in your network to collect suspicious or malicious traffic and to identify machines or laptops that are infected with malware or are making requests to malicious domains. This information is directed to the Security Connector based on the policy configuration. SIA reports on this data and allows administrators to correlate this data with threat event information.

Sep 1, 2017 — ETP updates

  • SIA administrators can now schedule a daily or weekly report that is generated with alerts or all event data for the selected time period. Reports are generated and emailed to the users whom an administrator configures to receive scheduled report notifications.

  • From the Communication tab on the Utilities page, ​SIA​ administrators can now easily provide email addresses for alert notifications. In future releases, the improved design of the Communication tab will allow administrators to configure notification emails for specific ​SIA​ features.

  • From the Sinkhole tab on the Utilities page, ​SIA​ administrators complete a new process to create a custom sinkhole. ​SIA​ administrators can also now modify a sinkhole policy assignment.

  • In an upcoming release, ​SIA​ administrators will be able to download an OVA file to create a virtual machine that is configured as a sinkhole in your network. The ​SIA​ sinkhole receives suspicious or malicious traffic and identifies machines that are infected with malware. To participate in the beta of the ​SIA​ sinkhole feature, contact your account representative.

  • New reporting criteria or dimensions, including additional reporting dimensions for DNS activity. On the DNS Activity page, users can now view DNS activity data based on threat category and Autonomous System (AS) Name.

Jul 1, 2017 — ETP 1.3 updates

  • The ability to create a PDF of the Dashboard or the DNS Activity page. Each PDF contains an image of the entire page, including the data, graphs, and applied filters.

  • ​SIA​ administrators can now manage sinkholes from the Utilities page. A new Sinkhole tab is available.

  • New options are available to upload text files that contain known or suspected domains or IP addresses for a custom list configuration.

  • ​SIA​ administrators can now report a domain they believe is misclassified in a security list or incorrectly categorized in the Acceptable Use Policy.

  • The “Drop” list action in a policy configuration is no longer available. Lists that were previously assigned the “Drop” action are instead assigned the “Deny” action.

  • The “Warning” action for a security or custom list in a policy is now called “Blockpage”. The behavior of the action has not changed.

  • To share domain search results, an ​SIA​ user can now provide the URL of the Indicator Search results page to other ​SIA​ users.

  • If a malicious or harmful domain is found with the Indicator Search, the search results now list known bad URLs within those domains.

  • Event reports now generate data in near real time.

  • The ​SIA​ user documentation is updated, including the online help, User Guide, and Quick Start Guide.