What is most valuable?
The Internet is a nasty place, and getting nastier. Current breach detection products using traditional anti-malware sandbox technologies can’t keep up with advanced persistent and hyper-evasive threats that pummel enterprise networks on an hourly basis. Malware authors encode their exploits with a number of operational vectors, so in case one entry point doesn’t work they can still find a way into your network to do their dirty work. And as more businesses hire more outsourced consultants, part-time workers, and employ mobile devices, they open up additional mechanisms for malware to enter their corporate networks.
Some traditional AV and endpoint protection vendors have responded to these threats by adding features to their security products to do a better job of anticipating badly behaving packets coming through their detectors. They make use of limited virtual machines or operating system emulators to view how a piece of malware operates. That is great, but it isn’t enough. Many malware authors can detect when these simulated environments are active and can evade detection accordingly. For example, some exploits such as W32.DelfInj can literally go to sleep for several days to avoid any detector that will just scan an infected system for the first several minutes.
What is needed is a next-generation sandbox that can correlate a series of particular breach events add IP and object based reputation analysis and do this in near real-time. This is what the Lastline Breach Detection Platform does. What makes them unique is their range of discovery, the way they can effectively mimic actual PC or smartphone endpoints to examine malware behavior.
Download my full review of their system here.
How has it helped my organization?
Lastline has four major components:
Network sensors. Lots of security tools have sensors, and certainly this is the cornerstone of any modern security tool. What makes Lastline more interesting is that it combines IP and domain reputation analysis with malware fingerprinting techniques.
Advanced sandbox screening tool. collected from the sensors analyzed with the Lastline sandbox, which emulates a complete endpoint. Other sandboxing tools leave small in-guest code stubs that can reveal they aren’t “real” endpoints; Lastline doesn’t have these clues for malware to key into and looks just like regular computers.
Reporting and threat analysis tool. Low-level event data is then collected and correlated into a particular security incident, which then updates an online threat database. For example, just by clicking on a few different menu items, we can see how often the same infection was downloaded by a particular endpoint, or why a particular event led to other activities across our network, or how a piece of malware was attached to a series of different email messages.
What needs improvement?
They just announced added Mac OS X support, which I didn't get to test.
What was my experience with deployment of the solution?
It is a bit tricky to install the various components and to get it set up properly. But once you do, you can take full advantage of its features.
What do I think about the stability of the solution?
What do I think about the scalability of the solution?
No, indeed this is one of its main benefits. You can scale it up to handle very large networks with their modular and SaaS-based tools.
To add flexibility to its system, both the next-generation sandbox and reporting tool can be either hosted or installed on-premises.
Which solution did I use previously and why did I switch?
Their core idea is to run a piece of suspected malware in such a way as to provide the ultimate examination of its operations. Suspected code is extracted from the network traffic flow, analyzed andcorrelated with other network-level events to provide a full picture of what happened. It has one of the most throughout analysis sandbox engines. But what is more important is how they are able to provide actionable intelligence to a wide variety of leading security vendors’ intrusion prevention and unified threat management platforms from WatchGuard, Barracuda, TippingPoint, Juniper, Tripwire and others. Through a combination of application programming interfaces, Lastline can send and receive firewall blocking rules and breach event data to/from the appropriate systems that you have already purchased, so that these threats can be quickly stopped.
Yes, there are other sandboxing securing tools out there, but they aren't as thorough as what Lastline does.
What about the implementation team?
Vendor team was first rate.