Version 2019.10
New Features
- Implement new hosts listing view
- Enable reputation feed on sensor
- Support for account roles
- Support for email static detections
IMPLEMENT NEW HOSTS LISTING VIEW
Lastline has expanded the Host Lists to show all hosts seen on the network, not just hosts with security incidents. Security analysts now get complete visibility into all hosts on their network and can filter the list on host attributes such as OS and applications seen on the host. This provides a central interface for investigating threats on hosts, including hosts that do not currently have an active security incident associated with them.
This new feature was tracked internally as FEAT-3558
ENABLE REPUTATION FEED ON SENSOR
Sensors with this release will start to benefit from a new URL reputation pipeline that will be used to make prefiltering and detection decisions in all modes. The new URL reputation pipeline will improve detection coverage, especially for phishing threats that can be found in email processing.
This new feature was tracked internally as SENT-2518
SUPPORT FOR ACCOUNT ROLES
The Lastline Portal has been extended to support granting roles to accounts. A role grants a user a number of permissions that are pre-defined for that role. As an example, the "read_only" role grants a number of different permissions that allow viewing of appliance and detection data.
A new roles section has been added to the Admin > Accounts > My Account view, showing which roles the user's account has. Administrators can now grant and revoke roles from an account. To grant a role, a user selects a role from a pre-defined list of roles by clicking on the Add role tile. Clicking on an already assigned role tile enables the user to remove it from the account.
In addition to a small number of built-in roles, administrators can create additional custom roles that grant arbitrary sets of permissions. This functionality, however, is not yet exposed in the Lastline UI, so the APIs must be used to configure custom roles.
This new feature was tracked internally as FEAT-3984
SUPPORT FOR EMAIL STATIC DETECTIONS
The sensor can now identify harmful content in an email message independently of the analysis of its attachments or URLs. This allows the identification of threats that may be located in the message body or metadata, including failed SPF checks and other evidence of spam behavior.
This new feature was tracked internally as FEAT-3633
Detection Improvements
- FEAT-4372: Unknown URLs extracted from script or process memory during dynamic analysis in Windows sandboxes are analyzed in the instrumented browser to expose potential CnC or malicious updates.
- TRES-752: Improved detection of Trickbot malware (disabling Windows Defender).
- TRES-619: Improved detection of Microsoft Excel XL4 malicious macros.
- TRES-599: Improved detection of VBS script-based downloaders.
- FEAT-4512: Incorporate additional file reputation in the classification of benign applications.
- FEAT-4420: Unknown URLs extracted from MS Office documents or PDFs are analyzed in an instrumented browser to expose potential drive-by exploits or phishing pages.
Bug Fixes and Improvements
- FEAT-4293: Improved analysis performance for benign web analysis file subjects, such as JavaScript or HTML files.
- SENT-2539: Fix to performance issues in the sensor component in charge of serving threat intelligence data. The performance issues would particularly affect the operation of the ICAP service under significant load.
- SENT-2511: Fix to a bug that would cause the file processing pipeline to slow down under extreme load.
- SENT-2431: Improvement to the heuristics used by mail processing for flagging interesting URLs based on the file extension.
- MALS-2908: Improved handling of signed Microsoft Windows SFX (installer) files.
- FEAT-4591: Increase the maximum size of metadata files extracted as part of dynamic analysis from 10MB to 64MB.
- FEAT-4568: Expose MITRE ATT&CK stage data as part of the Analyst API analysis/detection results.
- FEAT-4496: Improvements to the logic responsible for inferring the directionality of alerts when processing custom IDS rules generated with the Lastline Custom Intelligence API. Previous sensors would not correctly report the endpoints involved in the alert if the signature matched on packets sent by the server towards the client. This change also ensures that custom IDS rules are always associated with a snippet of the network interaction that triggered them.
Deprecation of API Methods
The Lastline API documentation includes a deprecation schedule for deprecated Lastline API methods, as well as information on how to replace usage of these deprecated methods with supported methods.
Released Appliance Versions
As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:
Lastline Sensor version 1110
Distribution Upgrade
Sensor 1110, which is being made available as part of this release, is supported only running on Ubuntu Xenial as the underlying operating system distribution.
Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "xenial". If it is "trusty", you will need to upgrade to Sensor 1051.4, then upgrade the running distribution to Ubuntu Xenial before upgrading to Sensor {sensor_version}. For detailed instructions on how to perform a distribution upgrade please see the following instructions. This update is not done automatically to prevent unexpected downtime.