Version 9.0
New Features
- Restrict incidents to a single threat
- Security Analyst Triage Workboard
- Customer and Account usernames no longer required to be email addresses
- Updatable Lastline YARA signatures
- Add fail open configuration options under sensor mail configuration
- Display 'Processing' and 'Delivery' information in the Mail Message Details view
- Create suppression rules based on incident and host in UI
- Add "other host" filter to alert suppression wizard
- Implement LDAP integration for authentication and authorization
- Provide screenshots of PDF files in events
- Display 'Message Header' in mail message details view
- UI support for configuring partial backup
- Add tagging to host profile view
- New contextual WHOIS modal
- Support for account roles
- New threats tab in host profile
RESTRICT INCIDENTS TO A SINGLE THREAT
Prior to this release, Lastline performed correlation on network events at two levels: incidents (on a single host), and intrusions (that can span multiple hosts). An individual incident could involve multiple different threats.
With this release, correlation will only be performed to create intrusions. Incidents are now a simple aggregation of events involving the same threat on the same host. Correlation of different threats on one or more hosts will instead lead to the creation of an intrusion object.
As a result of this change security analysts will now have a more streamlined threat triage workflow.
This new feature was tracked internally as FEAT-3279
SECURITY ANALYST TRIAGE WORKBOARD
Lastline Defender has two primary workflows for security analysts - 1) Triaging intrusions, which are a correlation of threats across multiple hosts and 2) Triaging threats on Hosts, which provides a prioritized list of hosts that need to be investigated. This new feature provides a Triage Workboard which will be the primary entry point for security analysts for these two triage workflows. The workboard provides a personalized view of Intrusions assigned to the security analyst, open intrusions that waiting to be triaged, and intrusions and hosts currently being investigated.
This new feature was tracked internally as FEAT-4402
CUSTOMER AND ACCOUNT USERNAMES NO LONGER REQUIRED TO BE EMAIL ADDRESSES
Previously when creating user and customer accounts, Lastline required that the user and account had to be email addresses. This can be problematic when users leave an organization and the user account is still valid within Lastline. This release now supports the creation of customer and user accounts without requiring them to be email addresses.
This new feature was tracked internally as FEAT-4334
UPDATABLE LASTLINE YARA SIGNATURES
Lastline now supports the ability to push new YARA signature updates to all customers in a matter of minutes without the need to upgrade to a newer version.
This new feature was tracked internally as FEAT-4234
ADD FAIL OPEN CONFIGURATION OPTIONS UNDER SENSOR MAIL CONFIGURATION
It is now possible using the sensor configuration UI to configure the behavior of the mail analysis component in case of unexpected issues. This includes: - Ability to specify the maximum amount of time that the sensor is allowed to hold an email message for analysis. - Ability to specify the behavior of the sensor analysis when the queue is full: whether to reject new incoming messages, or to still accept them and forward them without analysis. - Ability to specify the behavior of the in-depth analysis when the sensor is unable to communicate with the manager. - Maximum amount of time the sensor is allowed to wait for the completion of a backend analysis of a URL or file.
This new feature was tracked internally as FEAT-4229
DISPLAY 'PROCESSING' AND 'DELIVERY' INFORMATION IN THE MAIL MESSAGE DETAILS VIEW
A user can now see up-to-date processing and delivery information for emails.
This new feature was tracked internally as FEAT-4214
CREATE SUPPRESSION RULES BASED ON INCIDENT AND HOST IN UI
Security Analysts can suppress future events related to a threat that matches certain criteria such as source IP, destination IP, etc. In addition to having this functionality be accessible from events, suppress functionality has been made available from Incidents and Hosts. When triaging threats on the host, security analysts can now choose to suppress future events as an action for each threat.
This new feature was tracked internally as FEAT-4174
ADD "OTHER HOST" FILTER TO ALERT SUPPRESSION WIZARD
A new filter was added to the alert suppression wizard to support matching events where the "other host" of the detection is in the configured home network.
This new feature was tracked internally as FEAT-4173
IMPLEMENT LDAP INTEGRATION FOR AUTHENTICATION AND AUTHORIZATION
This release now allows organization to use their LDAP server to centrally manage access and assigned privileges to users. Used in conjunction with user groups an organization can assign users to roles within their LDAP server. For more details see our documentation.
This new feature was tracked internally as FEAT-4168
PROVIDE SCREENSHOTS OF PDF FILES IN EVENTS
Security Analysts will be provided with screenshots of PDF files analyzed to be suspicious. Screenshots of these suspicious PDF files will be available as part of the event data (file analysis report)
This new feature was tracked internally as FEAT-4149
DISPLAY 'MESSAGE HEADER' IN MAIL MESSAGE DETAILS VIEW
A new message header section was added to the mail message details view.
This new feature was tracked internally as FEAT-4148
UI SUPPORT FOR CONFIGURING PARTIAL BACKUP
The "Essential files only" toggle has been added to the Backup page to speed up the backup process. When you enable this toggle, the system will only backup the backend database but not any pcap or analysis files.
This new feature was tracked internally as FEAT-4135
ADD TAGGING TO HOST PROFILE VIEW
The host profile overview summary section now includes a new tag widget. As a result, dynamic tags can be associated with a host.
This new feature was tracked internally as FEAT-4133
NEW CONTEXTUAL WHOIS MODAL
Security Analysts will be provided with key contextual information on External IPs and Domains by providing WHOIS information inline as part of the event data. A new icon has been added for external IPs and Domains which brings up contextual WHOIS information.
This new feature was tracked internally as FEAT-4040
SUPPORT FOR ACCOUNT ROLES
The Lastline Portal has been extended to support granting roles to accounts. A role grants a user a number of permissions that are pre-defined for that role. As an example, the "read_only" role grants a number of different permissions that allow viewing of appliance and detection data.
A new roles section has been added to the Admin > Accounts > My Account view, showing which roles the user's account has. Administrators can now grant and revoke roles from an account. To grant a role, a user selects a role from a pre-defined list of roles by clicking on the Add role tile. Clicking on an already assigned role tile enables the user to remove it from the account.
In addition to a small number of built-in roles, administrators can create additional custom roles that grant arbitrary sets of permissions. This functionality however is not yet exposed in the Lastline UI, so APIs need to be used to configure custom roles.
This new feature was tracked internally as FEAT-3984
NEW THREATS TAB IN HOST PROFILE
Enhanced Threat Page for Host Profile delivers a simplified view of all threats seen on a host. These threats now have clear threat score based on impact, timeline of when the threats happened on the host, and an easy to access list of associated evidence for that threat, specifically showing the network interactions and network IOCs.
This new feature was tracked internally as FEAT-3559
Detection Improvements
- FEAT-4101: Improved detection of evasive MS Office documents which use country checks and other localization information to bypass sandbox analysis.
- TRES-752: Improved detection of Trickbot malware (disabling windows defender).
- TRES-714: Improved detection of ursniff family XLS downloader.
- TRES-712: Reduced false positive rate for publisher documents analysis.
- TRES-698: Improved detection of benign tools used by the security application (Kingsoft).
- TRES-683: Reduced false positive rate for memory injection detection.
- TRES-652: Improved detection of XL4 macro documents.
- TRES-630: Improve detection of MS Office document file contains external remote links.
- TRES-619: Improved detection of Microsoft Excel XL4 malicious macros.
- TRES-599: Improved detection of VBS script-based downloader.
- TRES-468: Reduced false positives on benign binaries signed by Trend Micro.
- TRES-365: Improved detection of malicious Microsoft Office documents using ActiveX functions.
- TRES-364: Improved detection of malware which disables the windows defender by removing its signatures.
- TRES-269: Reduced false positives on benign Microsoft office documents which have excel worksheet file as a table.
Bug Fixes and Improvements
- ANST-465: Add data retention of "process snapshots" generated during dynamic analysis.
- USER-3545: Fixed an issue where DHCP configuration tab failed to load successfully for some users.
- USER-3431: Fixed issue where Host profile page displayed incorrect values regarding whether or not the host was whitelisted, or in the home network.
- TRES-650: Improved stability of detection scanners.
- TRES-563: Reduced false positive rate for executables.
- TRES-426: Added DMG support in OSX sandbox.
- SENT-2539: Fix to performance issues in the sensor component in charge of serving threat intelligence data. The performance issues would particularly affect the operation of the ICAP service under significant load.
- MALS-2932: More aggressively invalidate dynamic analysis results for file analysis subjects.
- MALS-2908: Improved handling of signed Microsoft Windows SFX (installer) files.
- FEAT-4389: Marking an intrusion as "Done" will now cause all incidents within that intrusion to also be marked as done ("Archived").
- FEAT-102: The Lastline Analyst API now allows downloading analysis artifacts, including the sample submitted for analysis, via password-protected ZIP archives. This allows more secure handling of potentially malicious content by users. A complete UI will follow in a future release.
- ANST-466: Fix regression in analysis data retention for non-confidential files.
Deprecation of API Methods
No additional API methods are being deprecated or discontinued in this release.
The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.
Released Appliance Versions
As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise On-Premises:
- Lastline Manager version 1070
- Lastline Engine version 1070
- Lastline Sensor version 1101
- Lastline All-in-one (Pinbox) version 1070
Released Sandbox Images Versions
The sandbox images version will remain at 2019-04-18-01.
Software Update CDN
The installation and update services of Lastline appliances need to connect to external servers for downloading software and data bundles (such as sandbox images). While Lastline supports downloading of large files from content distribution network (CDN) servers, this feature is disabled by default.
The 9.0 release is the last release with this default behavior, and - starting from 9.1 - appliances will contact CDN servers for the download of large files unless the appliance is specifically configured to disable the use of CDNs.
As CDN hosts are geographically distributed, the contacted hosts may vary from system to system, and hosts outside the documented list may be contacted for downloads. Please be aware that with this setting enabled, firewalls may need to be updated to allow the download traffic.
Detailed steps on how to disable this setting can be found in the Lastline Installation Guide.
Distribution Upgrade
Version 8.3.2 was the final version to support Ubuntu Trusty as our operating system distribution. In order to upgrade to 9.0, you must be running Xenial as the operating system distribution.
You can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "xenial". If it is "trusty", the appliance distribution needs to be upgraded.
For help on the upgrade process, please refer to the following instructions. This update is not done automatically to prevent unexpected downtime.