Version 7.3
New features
- Notifications for audit events
- Improved notification configuration UI
- Improved account management page
- Include account actions in audit log
- RADIUS authentication
- Email analysis improvements
- URL analysis report improvements
- Home network filtering in UI and APIs
- Sensor installation/registration improvements
- Interface-specific packet filters on Sensors
- Bug fixes and improvements
Notifications for audit events
Our syslog (SIEM) notifications, generic HTTP notifications and email notifications now also support notification of audit events.
Actions performed by a user on the portal, such as configuring an appliance or adding a user, will now also result in a notification being sent, if configured. Note that existing notification configurations are not being automatically updated to include this new type of message, so customers with existing notification configurations will have to enable audit event triggers in these configurations to start receiving these messages.
The syslog notification format version that includes these new messages is version 7.3. The formats of audit event syslog and HTTP messages are described in the integration guides available on the manuals page.
Improved notification configuration UI
The user interface for configuring notification integrations has been improved to better support the increased complexity of this functionality. The different types of triggers that can lead to notifications are now displayed in separate tables, and can now be enabled or disabled in bulk:
- network triggers (for detections in network traffic)
- mail triggers (for detections in mail messages)
- appliance triggers (for appliance status)
- audit triggers (for audit events)
The portal guide has also been updated to describe the new configuration UI.
Improved account management page
The [account management page](/settings#/account/) has been improved.
- Added functionality to block or unblock an account. Blocking an account is now the recommended way of disabling an end user's access to the system.
- Certain sensitive operations on accounts, such as changing the password or email address of an account, now require the user to provide their password again for verification.
- Fix bug that prevented adding some permissions again after they had been removed.
Include account actions in audit log
Audit log now includes additional events related to account management:
- account created
- account deleted
- account blocked
- account unblocked
- account edited
- account password changed
- account email changed
- password reset was requested
- password reset was performed
RADIUS authentication
The Lastline portal of an on-premise installation can now be configured to use the RADIUS protocol to authenticate users through a centralized authentication server. The integration guide available from the manuals page describes how to make use of this integration.
Email analysis improvements
General improvements:
- Improved logging for tracing emails as they are analyzed by the Sensor (the MD5 for all attachments is now logged)
- When brute-forcing encrypted archives, also try password "infected" and passwords from a user-defined list
- More relaxed MIME header parsing, so that some malformed emails are still analyzed
MTA in-line mode improvements:
- Support for customizable warning/block messages in the email body
- An X-Lastline header is added to all emails analyzed by a Sensor
- Ability to silently drop malicious emails
- Add to the Received header information about whether an email was received over SSL/TLS
- Support client-side SSL/TLS certificates for SMTP
- Retry delivering an email in case of a 4XX error from the SMTP next hop in response to RCPT TO and MAIL FROM commands
- In case of a non-permanent error delivering an email to the next hop, the default time interval during which re-delivery attempts are made is now increased to 2 hrs (and to 15 minutes for already installed Sensors)
URL analysis report improvements
- Improved the detection of malicious code
- Improved the display of interesting scripts
- Improved the identification of malicious URLs among the list of those that were visited
Home network filtering in UI and APIs
The "home network", or homenet, is the network a Lastline Enterprise installation is protecting. This can be configured for each Lastline Sensor in a configuration page.
In this version, the APIs and UI for accessing detections on the network can filter to only detections involving hosts inside the homenet, only detections involving hosts outside the homenet, or both. This filtering functionality can be accessed in the [console](/portal#/console/), events and downloads tabs by selecting the "Home net" filter.
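As an added illustration of the "Home net" filter semantics (example code, not part of Lastline's portal or API): it classifies each detection by whether its two endpoints fall inside the configured homenet prefixes and applies the inside / outside / both filter modes. The homenet prefixes, the `Detection` shape, the sample rows and the "at least one endpoint on that side" interpretation of the inside and outside modes are all assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# Hypothetical homenet prefixes (constructed sample, not a Lastline configuration format).
HOMENET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.0/24")]


@dataclass(frozen=True)
class Detection:
    src: str      # source host of the flow that triggered the detection
    dst: str      # destination host of that flow
    threat: str   # label, only used to identify the sample rows


def in_homenet(ip: str, homenet=HOMENET) -> bool:
    """True if the address falls inside any configured homenet prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in homenet)


def involvement(det: Detection, homenet=HOMENET) -> str:
    """'inside' if both endpoints are in the homenet, 'outside' if neither is, else 'mixed'."""
    flags = {in_homenet(det.src, homenet), in_homenet(det.dst, homenet)}
    if flags == {True}:
        return "inside"
    if flags == {False}:
        return "outside"
    return "mixed"


def filter_detections(dets: Iterable[Detection], mode: str, homenet=HOMENET) -> List[Detection]:
    """Apply the filter: 'inside' keeps detections with at least one homenet host,
    'outside' keeps those with at least one non-homenet host, 'both' keeps all.
    A mixed flow (one endpoint on each side) therefore matches 'inside' and 'outside'."""
    if mode == "both":
        return list(dets)
    if mode not in ("inside", "outside"):
        raise ValueError(f"unknown filter mode: {mode!r}")
    keep = {"inside": {"inside", "mixed"}, "outside": {"outside", "mixed"}}[mode]
    return [d for d in dets if involvement(d, homenet) in keep]


# Constructed sample detections, not real alert data.
SAMPLE = [
    Detection("10.1.2.3", "203.0.113.5", "cnc-beacon"),        # internal -> external: mixed
    Detection("10.1.2.3", "192.168.1.9", "lateral-exploit"),   # both internal: inside
    Detection("198.51.100.7", "203.0.113.5", "transit-scan"),  # neither internal: outside
]

if __name__ == "__main__":
    for mode in ("inside", "outside", "both"):
        print(mode, [d.threat for d in filter_detections(SAMPLE, mode)])
```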
Sensor installation/registration improvements
- Completely rewritten lastline_test_appliance, improving the number and effectiveness of the health checks performed on a Sensor
- Stricter requirements on NTP: an NTP server needs to be reachable to complete installation, whether it is update.lastline.com or a user-provided one
- Allow blank gateway and DNS server setting in lastline_setup
Interface-specific packet filters on Sensors
In scenarios where the surrounding network configuration makes it difficult to avoid sniffing redundant or conflicting traffic flows, the appliance now supports customizable packet filters for each sniffing interface. One example of this is SSL strippers, where the Sensor might see the encrypted SSL stream on one interface and a decrypted version using the same flow tuple on another.
This feature needs to be configured by a Lastline engineer; it is not UI-enabled.
Bug fixes and improvements
- Improved packet capture performance on 10G Sensor appliances
- Improved file classification accuracy and performance for text files as well as prefix-obfuscated MIME archives and MS Word documents
- Improved document analysis and filtering to increase analysis throughput for benign documents
- Additional table sorting options in file downloads, mail attachments and network event tables
- Fix for spurious appliance error status when clock is in the future by a few seconds
- Fix "Cannot switch to key" errors
- Fix bug that prevented users from configuring integrations if main customer account had been deleted
- Improvements to robustness and diagnostics for the SAML2 single sign-on functionality
- Quick search inputs in the Portal will now display a warning if only a subset of the relevant data was loaded, to advise the user that results may be incomplete, and that filters should be used to refine the view.
- Significantly faster and more accurate artifact prefiltering and processing on the Sensor
- More reliable operation of Sensors deployed behind proxies
- Much improved coverage of pcaps for alerted traffic flows
- Auto-detection of additional Intel X520 variants for enhanced packet capture
- Updated IDS codebase to Suricata 2
- Improved ICAP support for file extraction
- Improved OLE file classification
- Improved robustness in the FTP analyzer
- Improved accuracy of traffic volume counters
- Added registry value details to IOC reports in OpenIOC format
Released appliance versions
As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise On Premise:
- Lastline Manager version 703.1
- Lastline Engine version 703.1
- Lastline Sensor version 704.1
- Lastline All-in-one (pinbox) version 703.1
Deprecation of API methods
The following API methods of the legacy API (/ll_api/ll_api) are being deprecated in this version:
- query_account_details
- query_accounts
- delete_account
- update_account
Furthermore, the following deprecated methods of the legacy API are being removed in this version:
- query_default_key
The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.