What’s New in Lastline Enterprise Advanced Malware Detection and Management

Posted by Brian Laing on July 1, 2014 at 10:00 AM

At Lastline, we’re continuously strengthening and refining our advanced malware protection software and services that detect and block the advanced malware on the Web, in email and in mobile apps. As malware rapidly evolves, so do we.

In fact, using machine learning, we maintain an automated approach to advanced malware detection that flips the economics of malware on its head. Malware developers have to work much harder to catch up with our next-generation sandboxing technology, rather than the other way around.

Still, we’re working hard to stay ahead of advanced malware trends and techniques. Since 2011, we’ve analyzed billions of programs, documents, and URLs to identify and stop known and unknown threats. We’ve indexed billions of hashes, signatures and behavioral footprints of an exponentially growing class of advanced malware in our massive threat intelligence cloud.

When a Lastline virtual or bare-metal sensor detects suspicious or unrecognized code or network behavior, it cross-checks against these known threats. Then, if the threat status for a file is still unknown, it is sent to one of our next-generation sandboxes for high-resolution, dynamic analysis. Our scalable, elastic sandboxes emulate full computing systems, including CPU and memory, to remain invisible to evasive malware while having optimal visibility into malicious activity. And our dynamic analysis can literally speed up time to observe the behavior of malware that may loop or pause for hours or days to both evade and detect traditional sandboxing.

Given the rapid rise of advanced malware and adoption of first-generation sandboxing technology, our customers are drowning in security alerts -- both false positives and true threats -- so we offer prioritized event correlation with actionable intelligence to help besieged IT security teams separate the signals from the noise.

I’d like to highlight some key enhancements in Lastline Enterprise detection, analysis, notification and management since our last announcement:

  • Analysis engine enhancements: Includes an engine extension for extracting information from fake Android banking applications (APKs), support for extracting full-process dumps in IDA Pro-compatible format for Windows PE analysis, and capture and analysis of files transferred by FTP.

  • In-depth malicious Java detection: Java applet analysis and reporting are new and improved.

  • Intelligent notifications: Users control which types of events trigger push notifications, and whether they want email notifications, CEF messages to SIEM systems and/or reputation information for network hosts sent to an HP TippingPoint SMS server. Event whitelisting is now available, so that no alerts are triggered for, say, the IP ranges of open wireless networks or guest IPs.

  • Incident response coordination: New workflow functionality has been added to our incident, event and analysis views that allows users to comment on individual detections on the network. This can be helpful for coordinating investigation and response to an incident, as well as providing feedback to Lastline about the accuracy of our detection.

  • Appliance status and metrics: Improved geolocation support for appliances using browsers’ geolocation APIs. New sensor status graphs include CPU and memory usage.

  • Improved analysis reports: Get greater visibility into keylogger behavior and representations of the relationships between analysis subjects as well as visited web pages. Reports load even faster.

  • Critical audit logging: A new audit log collects and displays security-relevant and other critical activities performed on the system.

  • Customization: Customers can add their own threat intelligence to our system, in case they know about threats that specifically target them.

Customers can get details about what’s new in each new version of Lastline Enterprise in the Release Notes pages at the top right of their management consoles.

Later this summer, we’ll be rolling out more improvements to our next-generation sandboxing technology, including dormant code analysis (inspecting suspicious code in memory that is not executed by the sandbox), a reputation system for Android APKs and new network anomaly detectors. We will also add enterprise features, such as Active Directory integration and improvements to our email solution.

For more on “What’s New in Lastline Enterprise” please register below to join me for a free webinar on July 8, 2014 at 9:00 a.m. PT with plenty of time for live Q&A.

Topics: Lastline Enterprise

Hottest IT Jobs of 2014? Malware Analyst Positions Up 60% YoY

Posted by Giovanni Vigna on June 7, 2014 at 1:26 PM

When my students ask me how their studies at UCSB might transfer into corporate IT positions, I point to the rapid rise in cyber-security -- and particularly malware analyst -- positions worldwide. In response to increasingly sophisticated, advanced malware that evades detection and the advanced persistent threats that are bombarding organizations, many IT teams are hiring malware researchers to make sense of the deluge.
Topics: Security Careers, Malware Analyst

Video: Simplifying Event Management

Posted by Brian Laing on April 28, 2014 at 9:30 AM

A walkthrough of event management in the Lastline Enterprise portal. 

Dealing with individual malware attack events is difficult — you have to look across a sea of events for other hosts on the network. Lastline makes event management easier. You can deal with all the events from a single host while still seeing how these events are related to a higher level infection. The system rolls correlated events into "incidents". Correlated incidents are then rolled up into "network infections".

Topics: Malware Analysis, Event Management

Video: Analyze Web and E-mail Downloads

Posted by Brian Laing on April 25, 2014 at 8:00 AM

Walk through the analysis of downloaded files in the Lastline Enterprise portal.

The "download" and "mail" tabs allow you to look at files downloaded by users on your network as an alternative to searching through events. This can be useful in gaining a comprehensive view of behaviors surrounding an attack, thus providing more clarity on the path toward remediation.

For more clips from this series, check out our YouTube channel.

Topics: Lastline Enterprise, Malware Analysis

Video: Viewing the Entire Attack Chain for Targeted Attacks

Posted by Brian Laing on April 23, 2014 at 2:50 PM

Quickly find compromised hosts without having to scour through individual events. 

Lastline Enterprise exposes the end-to-end attack chain for APTs. By rolling "events" into "incidents" and "incidents" into "network infections", we enable you to focus on the hosts that need immediate attention.

Topics: Lastline Enterprise

Lastline Enterprise Certified for Integration with HP ArcSight SIEM

Posted by Matthew Baker on April 22, 2014 at 4:28 PM

Lastline Enterprise integrates with HP ArcSight SIEM

Lastline Enterprise 5.0 has been certified as an HP ArcSight Common Event Format (CEF) solution. This means that ArcSight ESM customers can now seamlessly integrate events generated by Lastline Enterprise, such as suspicious file downloads and irregular netflow profiles, into their holistic security reporting capabilities. 

Topics: Lastline Enterprise, SIEM Integration

Video: Interactive Malware Analysis with Lastline Enterprise

Posted by Brian Laing on April 21, 2014 at 7:00 AM

A quick overview of security event data in the Lastline Enterprise portal.

With Lastline Enterprise you can quickly drill in and see the specifics of pertinent network compromises without having to look through a large volume of events or even numerous pieces of network infection information.

Topics: Lastline Enterprise, Malware Analysis

Video: Investigating Malware Behaviors

Posted by Brian Laing on April 18, 2014 at 7:00 AM

Take a look inside the behaviors of detected malware to find out how evasion was attempted.

Lastline Enterprise provides a comprehensive view of malware's behavior to date, context within your network, and known information from a vast database of threat intelligence. Lastline also provides information on whether or not this threat is detected by a variety of AV systems. If your AV does not block the malware, you'll need to quickly investigate the host.

Topics: Lastline Enterprise, Malware Behavior

Lastline Interoperates with HP TippingPoint for Robust Advanced Malware Protection

Posted by Freddy Mangum on April 11, 2014 at 11:58 AM

Lastline recently announced interoperability with HP TippingPoint's Intrusion Prevention System (IPS) and Next-Generation Firewall (NGFW) via HP's Security Management System (SMS).

This blog post is intended to provide more specifics on how Lastline's advanced malware protection platform interoperates with HP TippingPoint products, to offer best-of-breed network security against both known and unknown advanced threats. 

Option   Lastline                          HP TippingPoint
1        Network Intelligence              Stop Inbound Threats
2        Network and Object Intelligence   Stop Inbound Threats and Outbound Leaks

Topics: Defense Program, HP TippingPoint

FishNet Joins Lastline's Defense Program To Help Businesses Stop Advanced Cyber Threats

Posted by Tom Miller on April 7, 2014 at 7:00 AM

FishNet, one of the premier resellers in the United States, has been added to Lastline's Defense Program to help businesses of all sizes detect and stop advanced malware in their corporate networks.