Previct is a solution that addresses the threat of advanced malware, APTs, and 0-day attacks. Previct is built on top of years of research on identifying evasive malware in large-scale networks. Previct analyzes both the objects that enter a network (such as web downloads and mail attachments) and the traffic generated by the internal hosts (such as DNS resolutions and network connections). The two data streams are analyzed together to give the network security administrator an up-to-date view of internal malware infections and attempted targeted attacks.
The Previct solution includes a number of components that can be flexibly deployed to match different network configurations: Previct Sentinels are used to collect information and block malicious traffic. The Previct Manager is used to collect events and artifacts from Previct Sentinels, analyze them through one or more Previct Analysts, and present the administrator with an in-depth view of the threats that appeared on the network. In the following, we present these components in more detail.
Previct Sentinel is a physical appliance that monitors a network segment. Previct Sentinel can be deployed inline, on a span port, or integrated with a web proxy through ICAP. Previct Sentinel is responsible for four tasks:
- Collecting incoming artifacts (documents and executables) that are downloaded by internal hosts or received by users through email. These artifacts are then sent for analysis to the Previct Manager.
- Identifying behavior associated with malware activities in the network traffic generated by internal hosts (suspicious DNS requests, network connections to external Command-and-Control hosts, etc.). Previct Sentinels receive from the Previct Manager an updated set of network behavior models every few minutes. Evidence of malicious network behavior is sent to the Previct Manager for correlation and presentation.
- Collecting statistics about the network traffic. These records are used to perform anomaly detection of network malware activity using large-scale analysis algorithms.
- Blocking malware-initiated network activity to protect internal hosts from data loss and abuse. Blocking is only possible when the Sentinel is in the traffic path (inline, or through the web proxy's ICAP integration); a Sentinel on a span port receives only a copy of the traffic and can observe but not block it.
Previct Sentinel is a lightweight component, which allows the administrator to deploy multiple monitoring points in a cost-effective way. This is a key factor in complex network configurations, where malware-specific events might be visible only in specific segments of the network.
Previct Manager is a physical appliance that collects information from Previct Sentinel appliances, processes it, and presents it to the user. More precisely, Previct Manager receives artifacts (i.e., executables and documents) that are received or downloaded by the users and passes them to a Previct Analyst for immediate analysis. The results of the analysis are collected and presented to the user via a web portal using an incident-centered approach, in which evidence from run-time analysis, network monitoring, and anomaly detection is correlated to provide prioritized and actionable threat intelligence. As a result, the administrator is not overwhelmed by a large number of distinct alerts, but, instead, has access to an aggregate alert that shows how the various pieces of evidence were put together to come to a final decision about a malware attack.
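The following is an added illustration of the incident-centered correlation described above, written for this page; it is not Previct or Lastline code. It takes constructed events from the three evidence sources a Sentinel and Analyst would produce (a sandbox verdict for a downloaded artifact, network events matched against behavior models, and a traffic-statistics anomaly), aggregates them per internal host, and emits one prioritized incident per host instead of one alert per event. The event field names, the weights, the thresholds and the "10x baseline" anomaly rule are all assumptions chosen for the example.

```python
"""Per-host incident correlation (illustrative; not Previct's implementation).

Three evidence sources feed one incident per host, so an administrator sees a
single scored record that lists how the pieces of evidence fit together.
"""
from dataclasses import dataclass, field

# Assumed weights per evidence kind and labels per score band.
WEIGHTS = {"sandbox_malicious": 50, "c2_connection": 30,
           "suspicious_dns": 15, "anomaly": 20}
THRESHOLDS = (("infected", 70), ("suspicious", 30), ("low", 0))

# Constructed sample events (not real telemetry).
SANDBOX_VERDICTS = [  # artifact analysis results
    {"host": "10.0.0.5", "artifact": "invoice.exe", "verdict": "malicious", "score": 90},
    {"host": "10.0.0.7", "artifact": "report.pdf", "verdict": "benign", "score": 5},
]
NETWORK_EVENTS = [  # traffic matched against network behavior models
    {"host": "10.0.0.5", "type": "dns", "query": "xk3j9q.example-c2.net", "model": "dga-family-x"},
    {"host": "10.0.0.5", "type": "conn", "dst": "203.0.113.10:443", "model": "c2-family-x"},
    {"host": "10.0.0.9", "type": "dns", "query": "update.example.org", "model": "suspicious-dns"},
]
ANOMALIES = [  # per-host traffic statistics compared to a baseline
    {"host": "10.0.0.5", "metric": "dns_nxdomain_per_hour", "value": 340, "baseline": 4},
    {"host": "10.0.0.7", "metric": "dns_nxdomain_per_hour", "value": 6, "baseline": 4},
]


@dataclass
class Incident:
    host: str
    score: int = 0
    evidence: list = field(default_factory=list)

    def add(self, kind: str, detail: str) -> None:
        """Attach one piece of evidence and raise the incident score."""
        self.score += WEIGHTS[kind]
        self.evidence.append((kind, detail))

    @property
    def label(self) -> str:
        for name, minimum in THRESHOLDS:
            if self.score >= minimum:
                return name
        return "low"


def correlate(sandbox, network, anomalies) -> dict:
    """Group evidence by internal host; hosts with no evidence get no incident."""
    incidents: dict = {}

    def inc(host: str) -> Incident:
        return incidents.setdefault(host, Incident(host))

    for v in sandbox:
        if v["verdict"] == "malicious":  # benign verdicts do not create incidents
            inc(v["host"]).add("sandbox_malicious",
                               f'{v["artifact"]} flagged malicious (score {v["score"]})')
    for e in network:
        if e["type"] == "conn":
            inc(e["host"]).add("c2_connection", f'{e["dst"]} matched model {e["model"]}')
        elif e["type"] == "dns":
            inc(e["host"]).add("suspicious_dns", f'{e["query"]} matched model {e["model"]}')
    for a in anomalies:
        if a["value"] >= 10 * a["baseline"]:  # assumed rule: 10x baseline is anomalous
            inc(a["host"]).add("anomaly",
                               f'{a["metric"]} = {a["value"]} vs baseline {a["baseline"]}')
    return incidents


def prioritized(incidents: dict) -> list:
    """Highest-scoring incidents first, so the administrator triages top-down."""
    return sorted(incidents.values(), key=lambda i: i.score, reverse=True)


if __name__ == "__main__":
    for inc in prioritized(correlate(SANDBOX_VERDICTS, NETWORK_EVENTS, ANOMALIES)):
        print(f"{inc.host}: {inc.label} (score {inc.score})")
        for kind, detail in inc.evidence:
            print(f"    {kind}: {detail}")
```

On the constructed data, 10.0.0.5 collects four pieces of evidence and is reported once as infected, 10.0.0.9 appears as a low-confidence incident with a single suspicious DNS match, and 10.0.0.7 (benign artifact, NXDOMAIN rate within normal range) produces no incident at all.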
Previct Manager is also responsible for downloading from Lastline the latest network behavior models that are associated with malware activity. These models are generated by Lastline Labs, whose researchers have created a large-scale, automated analysis infrastructure that analyzes thousands of malware samples every day and visits millions of websites, looking for evidence of web-based attacks.
Previct Analyst is the component that is responsible for the analysis of executables, documents, and other artifacts that are accessed by internal users and might be a vector for targeted attacks and malware infections. Previct Analyst is a physical appliance, and uses proprietary sandbox technology that implements high-resolution malware analysis. This fine-grained approach to the analysis of software artifacts provides deeper insight into the actions performed by malware, and, at the same time, supports countermeasures to the sophisticated evasion techniques adopted by advanced threats to prevent analysis and profiling. The results of the analysis are sent back to the Previct Manager and presented to the user in an integrated fashion.
The Previct Anti-Malware Solution has been designed to be flexible, so that it can easily match the vastly different characteristics of large enterprise networks.
There are two main deployment configurations: hosted or on-premises.
In the most common configuration, the Previct Manager and the Previct Analysts are hosted in Lastline's data centers. The Previct Sentinels are placed within the customer network according to the needs of the customer and the characteristics of its network. These Sentinels interact with a Previct Manager that is hosted by Lastline and is accessed through SSL/TLS-encrypted connections, protecting the customer's confidential information in transit. The information processed by Previct Manager is accessible through a web interface.
This deployment has several advantages. First of all, the customer only has to deploy Previct Sentinel instances, while the operation of Previct Manager and Previct Analyst is managed by Lastline, substantially reducing the total cost of ownership (TCO). Second, the analysis of incoming artifacts can leverage the elasticity of cloud-based computing, making it possible to add analysis capacity dynamically during peaks without over-provisioning. Finally, and most importantly, the information collected on the customer network can be analyzed with respect to the network behavior observed in other customers' installations, improving anomaly-based detection and providing additional insights into large-scale malware campaigns.
In an on-premises deployment, the Previct Manager component and one or more Previct Analyst appliances are installed in the customer’s data center. This solution is suitable for customers with stringent constraints dictated by strict privacy laws and policies.
The Previct Manager stores all information regarding the detection of infected hosts and the analysis of software artifacts. The Previct Manager regularly downloads from Lastline Labs the network behavior models associated with malware activity and can optionally be configured to share limited, non-private information with Lastline, to improve anomaly-based detection and malware identification.