Lastline Breach Detection Platform

Transcription

1 Lastline Breach Detection Platform Quickly and accurately detect, block and respond to active breaches in your network. Highlights Integrate with existing security systems through API to optimize IR workflows and reduce exposure gaps License per user to budget predictably - not by location, appliance or bandwidth Catch evasive threats others miss using a full-system emulation sandbox Inspect Web, , file, and mobile apps Support for Windows, Android and Mac OSX Operating Systems Install software on standard server hardware or virtual instances Analyze suspicious traffic and objects in real time Even an organization s most advanced defenses next-generation firewalls, S, and first-generation sandbox-based security appliances are no match for the sophisticated and highly-evasive attacks being deployed today. Lastline s unique approach to breach detection is the culmination of more than ten years of R&D specifically focused on advanced and evasive breach weaponry and tactics. The result is a software-based platform designed to integrate breach detection capabilities seamlessly into your existing security portfolio and rapidly detect active breaches. Cover Your Entire Enterprise Lastline provides comprehensive detection of advanced and evasive threats across your entire enterprise Operating systems (Windows, Mac OS X, and Android), physical and virtual hosts, services, users, network infrastructure and Web, , file, and mobile applications. Lastline s flexible software-based platform allows organizations to scale their breach defenses on a predictable basis, from a single location to any number of remote, branch, and mobile offices. Licensing is done by user - not by location, appliance or bandwidth. Detect Evasive Threats That Others Miss Lastline detects unknown threats specifically designed to evade first-generation sandbox appliances. When compared to competing approaches, Lastline s fullsystem emulation sandbox provides the deepest level of visibility into unknown malware behavior and is also the hardest for evasive malware to circumvent. The result is the successful detection of malicious attacks that others simply don t see. Respond to Advanced Attacks Breach analysis results are presented using an incident-centric approach in which evidence from sandbox analysis, network monitoring, and anomaly detection are correlated to provide actionable analyses of ongoing incidents. Indicators of compromise (IOCs) associated with evasive malware and command and control traffic are prioritized to reduce noise and save responders time. APAC: of 8

2 How It Works The Lastline Platform is comprised of four core components: Sensor, Engine, Manager and Advanced Threat Intelligence. The four components work together to continuously monitor all datastreams, expose IOCs related to active data breaches, and prioritize incidence response. Step 1 Monitor Step 2 Analyze Step 3 Prioritize Step 4 Update Sensor Engine Manager Threat Intelligence 3rd Party Collectors Step 1: Sensors Continuously Monitor Datastreams Lastline Sensors continuously monitor distributed network activity to gather information specifically related to active breaches in your network. Suspicious objects are extracted from the wire across vectors such as Web, , and file sharing. Objects can also be extracted from 3rd party security systems (such as S, UTM, NGFW, EPP) and be submitted to the Lastline platform via APIs and connectors. Known malicious objects and network callbacks are automatically blocked. Unknown suspect objects are sent to the Lastline s next-generation sandbox for in-depth analysis. Sensors can be deployed off of a span port. Objects can be collected through IMAP, POP, or SMTP. Sensors can run on standard server hardware or virtual instances (VMWare). Step 2: Next-Generation Sandbox Engines Expose IOCs in Your Environment Suspicious objects are analyzed in the Lastline Engine, a unique full-system emulation sandbox, to produce detailed behavioral profiling including IOCs related to active breaches. This method of sandboxing is superior to competing methods, such as OS emulation and virtualization, as it provides greater visibility into behaviors, resistance to detection, and scalability. The behavioral profile generated from the Engine is then sent to the Lastline Manager for incident-centric correlation and prioritization. Elastic analysis capabilities allow the Engine to handle changes in volume without compromising the speed or integrity of analysis. Suspicious traffic and objects are analyzed in real time not minutes or hours providing the quickest time to notification and remediation. Engines can be installed on standard server hardware or hosted by Lastline, and can be clustered to scale to process millions of suspicious artifacts. APAC: of 8

3 APAC: of 8 Step 3: Managers Prioritize Incident Response and Block Breach Attempts The Lastline Manager gathers data collected from Sensors, connectors, APIs and object analysis evidence from Engines. This low-level event data is then linked together and rolled up into a security incident. The connection of the various pieces of an incident provides a comprehensive view of the entire attack chain, increasing the confidence in assigned threat scores and reducing the occurrence of false positives. This incident-centric approach reduces noise generated from alerts and enables SOC and IR staff to quickly prioritize and respond to active breaches. Analysis results from the Manger are presented to the system administrator via a web-based portal. Managers can be installed on standard server hardware or hosted by Lastline. Step 4: Threat Intelligence Updates in Real-Time Lastline s unique threat intelligence database contains advanced and evasive attack information that no other security vendor can provide. This knowledge base contains active command and control servers, objects with zero-day exploits, toxic web sites and malware distribution points identified as having breach intent. Import custom IDS/S rules, YARA rules, and threat intelligence to adjust environment for analysis and defend against threats specific to your organization. This database continuously updates in real-time with intelligence from partner and customer environments. Threat Intelligence is available as a subscription service. Integrate with your existing security with simple connectors and open APIs Lastline s open architecture was designed to complement existing security investments and optimize existing SOC and IR workflows. Through APIs, third-party solutions can be integrated bi-directionally to extend data collection, pull evasive malware understanding, receive incident-centric alerts, and block breach attempts. With Lastline s Platform you can push blocking rules to Next-Generation Firewalls (NGFWs), send breach event information to your Security Information Event Management system (SIEMs), block in-line with Intrusion Prevention Systems (Ss) and add evasive malware understanding to Secure Web Gateways (SWGs). Endpoint VDI Systems Web Content SEG, SWG Endpoint NGFW SIEM S UTM Emulate Programs Programs OS OS CPU CPU Memory Memory Analyze Correlate Advanced Threat Intelligence Lastline Breach Detection Platform

4 Deployment Options Lastline s unique approach to breach detection is based on a flexible software architecture where components can be installed completely on customer premises or partially hosted in Lastline s secure data centers. All components can be installed on standard server hardware. Sensor components can also be installed on virtual instances. Hosted Lastline Environment Enterprise Environment Enterprise Locations HQ Security Operations Center Integrate with existing management Correlate events Web Threat Intelligence SITE 1 Hosted by Lastline Content SITE 2 Multi-Tenant Manager SITE 3 Engines 3rdMobile Party Sensor API In the hosted deployment model, the Manager and Engine components are hosted in Lastline s secure data centers. Sensors are placed anywhere within the customer s virtual or physical network, across any number of locations. These Sensors interact with the Manager that is hosted by Lastline and is accessed through SSL-encrypted connections, providing complete protection of the customer s confidential information. Only Sensor instances have to be deployed, substantially reducing the total cost of ownership (TCO). With a hosted deployment model, you can be up and running in less than half an hour. On-Premise Lastline Platform Enterprise Environment Enterprise Locations HQ Security Operations Center Integrate with existing management Correlate events Web SITE 1 Data Center Content SITE 2 API Management, Data, Threat Intelligence Managers SITE 3 Engines API 3rd Party Sensor Enterprises restricted by strict privacy laws and policies can choose to deploy on-premise, and install components in a private data center. The Manager component and one or more Engine components are installed on site. Sensors are placed anywhere within the customer s virtual or physical network, across any number of locations. Americas: EMEA: APAC: +1 (877) (0) of 8

5 Quick Facts Deployment Form factor of components (appliance, VM, cloud) Raw throughput Deployment options and integration techniques (ICAP, WCCP, standalone) SSL decryption Triage process before sandboxing decision is made Supported network protocols Static-detection techniques Dynamic-analysis technique Object types supported Emulated environments Dynamic-analysis sandbox processing time Egress (C&C) protocols inspected Egress (C&C) detection techniques Physical appliance, software (ISO Image) on COTS hardware, sensor on virtual machine (VMware ESX), cloud (hosted by Lastline) Sensor: 2 x 5Gbps or 10Gbps interfaces Out-of-band (SPAN/TAP), in-line, integration with SWG via ICAP, SMTP sniffing, MTA or BCC integration for analysis Through third party or integration with SWG via ICAP or other SWG features Detection URL//Domain reputation, file reputation, static detection, decoding and decompression, communication fingerprinting (see details below) All protocols and application-level traffic are inspected for command and control (C&C); including HTTP, DNS, FTP; artifacts for sandbox analysis extracted from HTTP, FTP, SMB and other protocols; SMTP, IMAP, and POP for analysis Signatures of known command and control channels, and domain reputation, file heuristics (packer info, signatures, abnormal code and document structure, suspicious embedded objects) Full-system emulation (CPU, memory, devices) with real operating system, provides machine-instruction-level visibility without any in-guest (OS or app) modifications Over 40 file types including: PE (32 or 64-bit executable programs and DLLs), Microsoft Office documents (.doc,.docx,.xls,.xlsx,.ppt,.pptx,.docm,.xlsm,.pptm,.rtf), PDF, HWP, XPF, CHM, JAR, APK Archives (Z, BZ, GZ, RAR, TAR, LHA / LZH, XZ) as well as URLs Windows XP, 7, 32/64 bits, multiple Office and Acrobat versions, Android OS, Mac OS X, multi-personality browser Average analysis time is 85 seconds. All egress ports and TCP/UDP traffic are checked for command and control (C&C) traffic, independent of application protocol (only one sensor required) / domain reputation, payload (signature)-based detection, heuristic contentbased detection, anomaly-based (big data-based) detection, traffic flow models (fingerprints) APAC: of 8

6 Quick Facts (Continued) In-line blocking Other prevention Mechanisms Remediation assistance of infected endpoints Threat indicator sharing Centralized policy and reporting Customizability Prevention Command and control blocking, along with connections to known bad /domains (does not require in-line deployment when using TCP reset and DNS sinkholing) API access to pull blacklist data, which can be used to create blocking rules in other network gateways Bi-directional TCP reset injection, DNS sinkholing injection, third-party product integration (such as SWG, SIEM, or host-based product) Response Detections and network events exported into SIEM systems, prioritization of alerts and infections through extensive event correlation to support rapid, focused response and triage Real-time threat intelligence updates of hashes of known bad files and results of cloud-based big data analysis of network flows and DNS (s, domains, payload signatures) Manageability and Usability Manager module (in cloud, as software installed on COTS hardware, or as appliance). System supports API for submitting files, retrieving threat intelligence and all UI data Ability to add threat intelligence: apply custom YARA rules, custom Suricata rules, and supplement threat intelligence (s and domains), APIs for easy integration APAC: of 8

7 Certified Hardware Specifications Virtual Machine 1G Sensor 10G Sensor Manager Engine Collection Collection Correlation Next-Gen Sandbox VMWare ESXi 5.1 or higher Base Model Dell R320 Dell R420 Dell R320 Dell R320 Form Factor 1U Rack-Mount 1U Rack-Mount 1U Rack-Mount 1U Rack-Mount Weight lbs (19.3 Kg) lbs (19.3 Kg) lbs (19.3 Kg) lbs (19.3 Kg) Dimensions 17.1 W x 25.3 D x 1.7 H (43.4 x 64.2 x 4.3 cm) 17.1 W x 25.3 D x 1.7 H (43.4 x 64.2 x 4.3 cm) 17.1 W x 25.3 D x 1.7 H (43.4 x 64.2 x 4.3 cm) 17.1 W x 25.3 D x 1.7 H (43.4 x 64.2 x 4.3 cm) Enclosure Fits 19-inch rack Fits 19-inch rack Fits 19-inch rack Fits 19-inch rack Monitoring Ports Management Ports AC Input Voltage/ Current Power Supply Operating Temp (4) 10/100/1000 Base-T Ports *** (2) 10/100/1000 Base-T Ports 100~240 VAC / A Dual Hot Plug Power 350W 10 C to 35 C (50 F to 95 F) (up to 4) 10/100/1000Base-T or (up to 2) 10GBase-T (Intel X520) *** (2) 10/100/1000 Base-T Ports 100~240 VAC / A Dual Hot Plug Power 350W 10 C to 35 C (50 F to 95 F) - - (2) 10/100/1000 Base-T Ports 100~240 VAC / A Dual Hot Plug Power 350W 10 C to 35 C (50 F to 95 F) (2) 10/100/1000 Base-T Ports 100~240 VAC / A Dual Hot Plug Power 350W 10 C to 35 C (50 F to 95 F) Network Performance Up to 1Gb traffic Up to 5Gb traffic - - Performance Objects Per Day** Up to 750,000 s per day* Up to 100,000 objects per day* Up to 750,000 s per day* Up to 100,000 objects per day** Files Analyzed in Sandbox Up to 10,000 per day* Scalability of Engines - - Up to 30 Engines per Manager - Scalability of Sensors - - Up to 200 Sensors per Manager Estimated Server Cost**** $2,500 USD $3,500 USD $4,000 USD $3,000 USD - * Cluster N number of components to scale as needed. Performance varies by object type. ** Apply pre-filter to quickly determine maliciousness and submit unknown files for detailed analysis by next-generation sandbox *** Supported Intel NIC required for throughput over 200 Mbps **** Standard-server costs are are subject to third-party vendors price fluctuations by geography and availability. Lastline does NOT resell hardware. Note: Performance values are based on standard profile. Values may vary depending on your environment. APAC: of 8

8 Product Packaging Lastline Enterprise Lastline Analyst Security Operations Incident Response Malware Researchers Number of Soft Appliance Installations Allowed Coverage Unlimited - Deploy to any number of network locations and next-generation sandboxes with full-system emulation Restricted - Tied to one physical standard server Monitor 10G to 10MB Networks Deploy On-Premise / Hosted Detection of Attack Chain Delivery Drive-By Exploit / Install Evasive Malware Command & Control Management, Correlation and Integration Event Correlation 3rd Party API Integration Advanced Threat Intelligence Addresses Associated with Malware Distribution Sites Objects Containing Advanced Malware Pricing Licensing Model Per User Per Server Licensing Terms Annual Subscription Annual Subscription Lastline s package offerings are highly flexible and can be tailored to meet the various needs of your organization. To learn more, please visit or contact us at APAC: of 8