Version 2018.1
New features
- Updated look and feel for Lastline Portal
- Local callback detection
- Support granular permissions for viewing and managing individual appliances
New Product Announcement
Lastline is excited to announce the availability of Breach Defender. Lastline Breach Defender provides the security operations team with superior awareness of threats operating inside your organization’s network, identifying malicious behavior and systems affected by the attack.
Security Operations teams face multiple challenges:
- Alert Fatigue
  - SOC Analysts have to triage too many granular events from a variety of sources.
  - It is extremely time-consuming to sift through each individual event without context and an understanding of how these events could be related.
  - Many alerts from existing systems are noise and prove to be a distraction from actual threats.
- Lack of Accurate Threat Assessment
  - Many existing network security solutions miss advanced attacks and often incorrectly identify attacks.
  - SOC Analysts struggle to answer the basic question of “Are we at risk?”
- Repeated Manual Steps
  - SOC Analysts have to spend considerable time performing data collection and analysis across a wide range of sources.
- SOC Analysts can’t “Connect the Dots” to Identify Attack Campaigns
  - Manually “connecting the dots” requires SOC analysts to assess network threats accurately and to understand hundreds of patterns of malicious behavior.
  - Manually reconstructing attacks from granular events is extremely time-consuming and error-prone.
In light of these challenges, Breach Defender gives SOC analysts the insight they need to be more effective:
- Deterministic Detection by Combining Network and Malware Data
  - Breach Defender combines a deep understanding of every malicious behavior engineered into a piece of malware with awareness of malicious activity on the network to create a deterministic model. Unlike predictive approaches that guess at what is malicious, combining unmatched malware analysis with network activity tells the SOC team which specific activity represents the greatest threat right now.
- Consolidation of Diverse Threat Activity from Across Your Network
  - Breach Defender gathers a wide range of data from across the network, eliminating the need for SOC teams to sift through logs from multiple systems to hunt for IoCs (Indicators of Compromise) related to an attack campaign.
- Identification of Affected Systems and Data So You Can Respond Faster
  - Breach Defender tracks malicious activities as they traverse your network, showing all affected resources and enabling SOC Analysts to respond faster and with fewer resources.
If you are interested in more details about Breach Defender, please contact sales@lastline.com.
Updated look and feel for Lastline Portal
This release introduces a new styling for the Lastline Portal, with the aim of reducing visual clutter and adopting a more up-to-date look-and-feel. Note that this does not change the overall structure and functionality of the Portal: while the Portal looks different, the same functionality remains available in the same places, so existing users should be able to quickly adapt to the new look.
This change was tracked internally as FEAT-2790
Local callback detection
When a malware sample detected in the protected network is analyzed by detonating it in the Lastline sandbox, this analysis can generate network IoCs. These contain information about domains, IP addresses, or URLs that the malware uses to communicate with the outside world, upgrade itself or receive commands (Command and Control behavior).
With this release, Lastline Sensors automatically make use of these network IoCs to detect the execution of that sample on a host in the protected network.
With this functionality, once a malware sample is analyzed, the network IoCs it generates are shared with all sensors within the same sensor group and can immediately be used for detection. For customers who have multiple Lastline Sensors protecting their organization, we recommend configuring sensor groups so that these network IoCs can be shared across sensors.
This change was tracked internally as FEAT-2606
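The sharing and matching described above, as an added illustration rather than Lastline's own code: a sandbox report's network IoCs are published to a sensor group, and any sensor in that group matches observed DNS queries, destination IPs and URLs against them, while a sensor that belongs to no group receives nothing. The `SensorGroup` and `detect_callback` names, and the sample report and traffic, are constructed for this example.

```python
"""Model of how network IoCs from one sandbox analysis are shared within a
sensor group and matched by sensors. Added illustration, not Lastline code;
all names and any sample report or traffic used with it are constructed."""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

def normalize_url(url: str) -> str:
    """Lowercase scheme and host, drop the fragment; path and query are kept."""
    p = urlsplit(url)
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}{query}"

def host_matches(host: str, domains: set) -> bool:
    """True for the IoC domain itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

@dataclass
class SensorGroup:
    """IoC store shared by every sensor in the group."""
    name: str
    domains: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    urls: set = field(default_factory=set)

    def publish_iocs(self, report: dict) -> None:
        """Ingest the network IoCs a sandbox report lists for a sample."""
        self.domains |= {d.lower().rstrip(".") for d in report.get("domains", [])}
        self.ips |= set(report.get("ips", []))
        self.urls |= {normalize_url(u) for u in report.get("urls", [])}

def detect_callback(group: Optional[SensorGroup], event: dict) -> Optional[str]:
    """Return the IoC matched by one observed flow, or None.
    A sensor that belongs to no group has no shared IoCs and matches nothing."""
    if group is None:
        return None
    if event.get("dst_ip") in group.ips:
        return event["dst_ip"]
    if event.get("url"):
        url = normalize_url(event["url"])
        host = urlsplit(url).hostname or ""
        if url in group.urls:
            return url
        if host_matches(host, group.domains):
            return host
    if event.get("dns_query") and host_matches(event["dns_query"], group.domains):
        return event["dns_query"]
    return None
```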
Support granular permissions for viewing and managing individual appliances
With this release, we are increasing the granularity of our permissions to support granting permissions to view and manage specific appliances. This change affects the existing permissions:
- can_view_appliances: this permission allows viewing information about appliances, such as overall status, configuration, logs and metrics.
- can_manage_appliances: this permission allows performing administrative tasks on an appliance, including installation, configuration and upgrade.
Prior to this change, these two permissions could only be granted for all of a customer's appliances. With this change, they can now also be granted on individual licenses or sensors, providing fine-grained control on which appliances an account can view and manage.
This change was tracked internally as FEAT-1662
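A scope-aware check for the two permissions above, added as an illustration rather than Lastline's own code: a grant either covers all of a customer's appliances (the only option before this change) or is tied to one license or sensor. The `Grant`, `Appliance`, `covers`, `is_allowed` and `manageable` names are constructed for this example.

```python
"""Scope-aware check for can_view_appliances / can_manage_appliances as
described above: a grant covers all of a customer's appliances or only one
license or sensor. Added illustration, not Lastline code; names constructed."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

@dataclass(frozen=True)
class Appliance:
    sensor_id: str
    license_id: str

@dataclass(frozen=True)
class Grant:
    permission: str                   # "can_view_appliances" or "can_manage_appliances"
    scope_kind: Optional[str] = None  # None = all appliances, else "license" or "sensor"
    scope_id: Optional[str] = None

def covers(grant: Grant, appliance: Appliance) -> bool:
    """A customer-wide grant covers everything; a scoped grant covers one id."""
    if grant.scope_kind is None:
        return True
    if grant.scope_kind == "license":
        return grant.scope_id == appliance.license_id
    if grant.scope_kind == "sensor":
        return grant.scope_id == appliance.sensor_id
    return False  # unknown scope kind: deny rather than guess

def is_allowed(grants: Iterable[Grant], permission: str, appliance: Appliance) -> bool:
    """Deny by default; allow only if some grant for this permission covers the appliance."""
    return any(g.permission == permission and covers(g, appliance) for g in grants)

def manageable(grants: Iterable[Grant], fleet: Iterable[Appliance]) -> List[str]:
    """Sensor ids in the fleet that the account may administer."""
    grants = list(grants)
    return [a.sensor_id for a in fleet if is_allowed(grants, "can_manage_appliances", a)]
```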
Detection Improvements
- SENT-840: The Sensor can now extract CSV and SLK files for analysis.
- FEAT-2868: We have introduced new heuristics for the identification of suspicious URLs in email messages. The heuristics focus on the identification of URL patterns that are common in large scale malspam campaigns such as Emotet.
- FEAT-2829: Support analysis in the Lastline Sandbox of SYLK (SYmbolic LinK) files, which are opened in Excel and other spreadsheet applications.
Bug Fixes and Improvements
- USER-2792: Fixed a regression that displayed all sensors as inactive in the UI. The correct status of each sensor is now shown.
- SURI-700: Fixed a problem in file extraction over FTP, where extraction could be affected by anomalous bidirectional data transfers.
- PLTF-190: Fixed a bug that could cause an HTTP 500 error when filtering the mails view by a non-ASCII email subject.
- LLADOC-568: Improved the reliability of parsing large XML files in the Lastline document prefilter.
Deprecation of API methods
Since release 7.24, all methods of the legacy API (/ll_api/ll_api) are deprecated. The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.
Released appliance versions
As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:
Lastline Sensor version 1000.1
Deprecation of appliance versions
Since release 7.28, sensor versions before 720 are no longer compatible with the Lastline backend.
Since release 7.24, sensor versions before 717 are no longer compatible with the Lastline backend.
Distribution Upgrade
Sensor version 1000.1, which is being made available as part of this release, does not support Ubuntu Precise as the underlying operating system distribution. Before upgrading to the latest sensor versions, sensors that are still on Ubuntu Precise will need to be upgraded to Ubuntu Trusty.
Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "trusty". If it is "precise", the appliance distribution needs to be upgraded.
For complete information regarding the upgrade process please refer to the Lastline Support Knowledge Base.