Lastline Defender and Analyst Hosted Release Notes

Version 2019.9

New Features

  • Security Analyst Triage Workboard
  • Customer and User accounts can now be created without requiring these to be email addresses

SECURITY ANALYST TRIAGE WORKBOARD

Lastline Defender has two primary workflows for security analysts: 1) Triaging Intrusions, which correlate threats across multiple hosts, and 2) Triaging Threats on Hosts, which provides a prioritized list of hosts that need to be investigated. This new feature provides a Triage Workboard that will be the primary entry point for the security analyst into these two triage workflows. The workboard provides a personalized view of intrusions assigned to the security analyst, open intrusions that need to be triaged, and intrusions and hosts whose investigation is currently in progress.

This new feature was tracked internally as FEAT-4402

CUSTOMER AND USER ACCOUNTS CAN NOW BE CREATED WITHOUT REQUIRING THESE TO BE EMAIL ADDRESSES

Previously, when creating user and customer accounts, Lastline required that the user name and account name be email addresses. This can be problematic when users leave the organization while their user account is still valid in Lastline. This release now supports creating customer and user accounts without requiring these to be email addresses.

This new feature was tracked internally as FEAT-4334

Detection Improvements

  • TRES-714: Improved detection of the Ursnif family XLS downloader
  • TRES-712: Reduced false positive rate for Publisher document analysis
  • TRES-698: Improved detection of benign tools used by the Kingsoft security application
  • TRES-683: Reduced false positive rate for memory injection detection
  • TRES-657: Improved detection of Ursnif downloaders
  • TRES-652: Improved detection of XL4 macro documents
  • TRES-630: Improved detection of MS Office documents that contain external remote links
  • TRES-364: Improved detection of malware that disables Windows Defender by removing its signatures
  • FEAT-4476: Improved detection of malicious MS Office documents that use the EvilClippy technique to bypass detection by stomping VBA code
  • FEAT-4258: Improved detection of phishing URLs that use HTTPS to encrypt the malicious payload
  • FEAT-4101: Improved detection of evasive MS Office documents that use country checks and other localization information to bypass sandbox analysis

Bug Fixes and Improvements

  • USER-3545: Fixed an issue where the DHCP configuration tab failed to load successfully for some users.
  • USER-3431: Fixed an issue where the Host profile page displayed incorrect values regarding whether or not the host was whitelisted or in the home network.
  • TRES-426: Added DMG support in the OSX sandbox.
  • SENT-2482: Fixed an issue preventing the sensor inline bridge from forwarding IPv6 packets.
  • LLANTA-1019: Widgets in the Overview and Network Dashboards have been updated to correctly handle sensor groups.
  • FEAT-4389: Marking an intrusion as "Done" will now cause all incidents within that intrusion to also be marked as done ("Archived").
  • FEAT-4079: The Lastline Analyst API now allows submitting files for analysis using purely static- and AI-based analysis components. This trades some classification accuracy for speed: known threats are detected rapidly, but detection accuracy for 0-day threats may be reduced. This functionality is currently in BETA and exposed only to OEM integrations with specific, additional permissions.
  • FEAT-3367: Added support for VXLAN decapsulation in the sniffing component.
  • FEAT-102: The Lastline Analyst API now allows downloading analysis artifacts, including the sample submitted for analysis, as password-protected ZIP archives. This allows users to handle potentially malicious content more safely. A complete UI will follow in a future release.

Deprecation of API Methods

The Lastline API documentation includes a deprecation schedule for deprecated Lastline API methods, as well as information on how to replace usage of these deprecated methods with supported methods.

Released Appliance Versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:

Lastline Sensor version 1100

Distribution Upgrade

Sensor 1100, which is being made available as part of this release, is supported only when running on Ubuntu Xenial as the underlying operating system distribution.

Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "xenial". If it is "trusty", you will need to upgrade to Sensor 1051.4, then upgrade the running distribution to Ubuntu Xenial, and only then upgrade to Sensor 1100. For detailed steps on performing a distribution upgrade, please see the separate distribution upgrade instructions. This update is not done automatically, in order to prevent unexpected downtime.
