Version 7.7
New features
- Support for shared virtual IP between managers in high availability configuration
- UI on standby manager to trigger take-over in high availability configuration
- Lastline Knowledge Base clustering
- Improved workflow in Incident Console
- Display country information for network events
- "Bump in the wire" improvements to the inline Sensor
- Lastline Portal support for upgrading multiple appliances
- Updated End User License Agreement
- Support for customizing analysis via application bundles
- Email analysis improvements
- Bugfixes and improvements
Support for shared virtual IP between managers in high availability configuration
In a high availability configuration Lastline Enterprise customers deploy an active Manager appliance as well as a standby Manager appliance that acts as a hot standby.
With this release, the active and standby Manager can be configured with a shared virtual IP address. This is the IP through which Sensors and Engine appliances, as well as API and UI users will reach the manager. Initially, this address will be controlled by the active Manager. When take-over is triggered on the standby Manager, the standby Manager will take control of the virtual IP as it takes over the active role. This avoids the need to reconfigure the DNS or appliances to reach the new active manager. See the Lastline Manager installation manual for more information.
UI on standby manager to trigger take-over in high availability configuration
In a high availability configuration for Lastline Managers, users can trigger a take-over operation, which makes the standby Manager assume the active role, by running a command-line utility on the standby Manager.
With this release, take-over can also be triggered through a web-based user interface on the standby manager. See the Lastline Manager installation manual for more information.
Lastline Knowledge Base clustering
The Knowledge Base now offers clustering services in order to group analyzed executables into families of programs or threats. The service supports multiple clustering perspectives by considering different approaches to compare samples and determine their similarity:
- Similarity based on runtime activity: Dynamic clusters identify malware families sharing a common C&C infrastructure, reusing the same persistence mechanisms, or targeting and tampering with the same system components.
- Similarity based on code structure: Code-hash clusters identify malware families sharing substantial portions of their code base. These clusters are less affected by the dynamic environment and sample configuration, since they rely on stricter functional criteria.
The clustering results provided by the service are leveraged to attribute samples to known threat families. Attribution helps Incident Response (IR) and Security Operations Center (SOC) teams in their processes of remediation and recovery.
Samples are automatically clustered after analysis and the clustering results can be accessed as part of the analysis report. Associated clusters are displayed in the analysis overview within a new section called 'Analysis Attribution'. Clusters can also be searched directly from the dedicated intelligence search interface.
Improved workflow in Incident Console
The Console tab of the Lastline Portal has been redesigned to improve the workflow and make key functionality more visible. Navigation between the views of this tab has been improved, and now relies on navpills at the top of the page.
The default view of this tab is now the Incidents Console, which displays information about Incidents that Lastline detected. Incidents provide a higher level view of security events in a protected network and can avoid the need to investigate individual network events, as they can consist of several network events that have been correlated together.
The Infections view on the other hand displays information for potentially infected hosts in the protected network.
Both views now can show key additional information by expanding individual table rows.
Display country information for network events
The Lastline Portal now displays a flag icon next to IP addresses showing the country that address is located in. This functionality is available:
- In the Network events table, which is displayed in the Network events tab and in other parts of the portal.
- In the table displaying network traffic captures, which is shown in several parts of the portal, such as the details of a single infected host.
"Bump in the wire" improvements to the inline Sensor
Previously, when deployed inline, the Sensor acted as a learning bridge, meaning it would only forward packets if the bridge believed the intended destination to be reachable via forwarding. This could cause problems in setups where source and destination addresses intentionally reside on the same side of the bridge. In inline mode the Sensor now relays every packet received between the inline interface pair, making it behave more transparently.
Lastline Portal support for upgrading multiple appliances
The Lastline Portal now provides better support for customers who need to manage many appliances but prefer to disable auto-upgrade of appliances to new releases. For this, the appliances overview now offers a "Batch Upgrade" button that allows updating groups of outdated appliances, as long as the appliances to upgrade are currently online.
Note that the "Batch Upgrade" button is only visible when a customer has outdated online appliances.
Updated End User License Agreement
Lastline has updated the End User License Agreement (EULA). Lastline now requires each user upon first login, or whenever the EULA changes, to agree to our terms and conditions. Any questions regarding the end user license should be directed to product@lastline.com.
Support for customizing analysis via application bundles
The analysis engine now offers an easier way to specify a custom command line for programs started in the analysis environment. By default, the system automatically infers the most applicable way to trigger analysis.
By submitting application bundles, the user can specify the exact command line and details of the environment to be used for analysis. Lastline provides utility code written in Python to generate and manipulate these bundles as described in more detail in the Analyst API documentation.
Email analysis improvements
The URL extraction from emails has been improved. Additionally, the following improvements and features for in-line mode have been added:
- Support for multiple nexthop SMTP servers, with load balancing and failover.
- Emails are rejected with SMTP error 421 if communication with the nexthop is not possible.
- Emails that fail to be delivered to the nexthop are stored in a local maildir mailbox. This mailbox is rotated based on time and size.
- Ability to configure the block/warn thresholds for attachments and URLs via the web UI.
- Fixed a bug that would cause the Sensor to fail to drop an email whose attachment scored exactly at the maliciousness threshold.
- Ability to log the email tracing information in JSON to a syslog target.
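The in-line mail handling described above (nexthop failover, a 421 temporary rejection when no nexthop can be reached, and a local maildir spool for mail that cannot be delivered) can be illustrated with a small model. The following Python is an added example written for these notes; it is not Lastline's Sensor code and makes no claim about how the Sensor implements this. The hostnames and the sample message are constructed, the probe/send callbacks stand in for real SMTP connections so the model runs offline, and only size-based spool rotation is modelled (the release notes also mention time-based rotation).

```python
import itertools
import mailbox
import os
import tempfile

# Constructed sample message; not taken from any real capture.
SAMPLE_EMAIL = (b"From: sender@example.test\r\nTo: rcpt@example.test\r\n"
                b"Subject: constructed sample\r\n\r\nbody\r\n")

SMTP_OK = (250, "2.0.0 Ok: queued")
# 421 tells the sending MTA to close the session and retry later.
SMTP_TRY_LATER = (421, "4.3.2 No nexthop available, try again later")


class NexthopPool:
    """Round-robin load balancing over next-hop SMTP servers with failover.

    probe(host) -> True when a connection to host succeeds;
    send(host, msg) -> True when host accepted the message.
    Both are injected (hypothetical callbacks) so the logic runs offline.
    """

    def __init__(self, hosts, probe, send):
        self.hosts = list(hosts)
        self._cursor = itertools.cycle(range(len(self.hosts)))
        self.probe = probe
        self.send = send

    def _ordered(self):
        # Start at the round-robin position, then fall through the rest.
        start = next(self._cursor)
        n = len(self.hosts)
        return [self.hosts[(start + i) % n] for i in range(n)]

    def any_reachable(self):
        return any(self.probe(h) for h in self.hosts)

    def deliver(self, msg):
        """Try hosts in round-robin order; return the accepting host or None."""
        for host in self._ordered():
            if self.send(host, msg):
                return host
        return None


class LocalSpool:
    """Maildir spool for undeliverable mail, rotated once it exceeds max_bytes."""

    def __init__(self, base_dir, max_bytes):
        self.base_dir = base_dir
        self.max_bytes = max_bytes
        self.generation = 0
        self._open()

    def _path(self):
        return os.path.join(self.base_dir, "spool.%d" % self.generation)

    def _open(self):
        # mailbox.Maildir creates tmp/new/cur when create=True (the default).
        self.box = mailbox.Maildir(self._path())

    def _size(self):
        total = 0
        for sub in ("new", "cur"):
            d = os.path.join(self._path(), sub)
            for name in os.listdir(d):
                total += os.path.getsize(os.path.join(d, name))
        return total

    def store(self, msg):
        """Store msg; rotate to a fresh maildir first if the current one is full."""
        if self._size() >= self.max_bytes:
            self.generation += 1
            self._open()
        self.box.add(msg)
        return self._path()


class InlineMailRelay:
    """Accept mail only if a nexthop is reachable; spool what cannot be relayed."""

    def __init__(self, pool, spool):
        self.pool = pool
        self.spool = spool
        self.pending = []

    def accept(self, msg):
        """Called at mail arrival: 421 (not queued) when no nexthop can be reached."""
        if not self.pool.any_reachable():
            return SMTP_TRY_LATER
        self.pending.append(msg)
        return SMTP_OK

    def forward_pending(self):
        """After analysis: relay each accepted message, spooling any that fail."""
        results = []
        while self.pending:
            msg = self.pending.pop(0)
            host = self.pool.deliver(msg)
            if host is None:
                results.append(("spooled", self.spool.store(msg)))
            else:
                results.append(("relayed", host))
        return results


def demo():
    """Constructed scenario: mx1 is down and mx2 up, then both go down."""
    status = {"mx1.example.test": False, "mx2.example.test": True}
    pool = NexthopPool(status.keys(),
                       probe=lambda h: status[h],
                       send=lambda h, m: status[h])
    spool = LocalSpool(tempfile.mkdtemp(prefix="spool-"), max_bytes=1)
    relay = InlineMailRelay(pool, spool)
    out = {}
    out["accept_mx2_up"] = relay.accept(SAMPLE_EMAIL)      # 250, queued
    out["relayed"] = relay.forward_pending()               # failover mx1 -> mx2
    status["mx2.example.test"] = False
    out["accept_all_down"] = relay.accept(SAMPLE_EMAIL)    # 421, not queued
    status["mx2.example.test"] = True
    relay.accept(SAMPLE_EMAIL)
    relay.accept(SAMPLE_EMAIL)
    status["mx2.example.test"] = False                     # dies after acceptance
    out["spooled"] = relay.forward_pending()               # both land in the spool
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The split between `accept` and `forward_pending` is the point of the example: a 421 is only meaningful before the relay has taken responsibility for a message (the sender still has it and will retry), whereas a message that was already accepted and analysed must be kept locally when the nexthop dies, which is what the maildir spool is for.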
Bugfixes and improvements
- Analysis reports for executables now show the file name of each analysis subject instead of just naming subjects "Subject 1", "Subject 2", etc.
- The Downloads tab has been improved to make navigation between the "unique" and "all" views more intuitive by using a dropdown menu at the top of the page.
- Several fixes and robustness improvements to configuration updates that take the Sensor in/out of inline mode.
- Detection of Microsoft Installer files extracted from traffic is now more robust.
- The Monitoring Logs section in the web UI could in the past show erroneous warnings about PF_RING packet capture module lockups. This has been resolved.
- Performance improvement when querying for submission completion in the Analyst API.
Deprecation of API methods
No additional methods of the legacy API (/ll_api/ll_api) are being deprecated or removed in this version.
The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.
Released appliance versions
As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise On Premise:
- Lastline Manager version 711
- Lastline Engine version 711
- Lastline Sensor version 710.3
- Lastline All-in-one (pinbox) version 711