Using APIs to Knit Lastline into an Enterprise Defense Fabric

It takes multiple cyber-defense and reporting platforms to create an effective, unified front against today’s online threats. No single product suite or vendor can supply best-in-class protection from the network core to the enterprise endpoints. The security team that stands the best chance of success against a changing threat landscape will select the best tool in each security segment, connect those tools through API integration, and feed them into a common reporting tool that provides an integrated view of the health of the network.

There are several key security system components that are typically incorporated in a well-designed system against cyber-attacks in today’s enterprise:

  1. Next Generation Firewalls (NGFW)
    1. Palo Alto Networks, Cisco, Barracuda Networks, WatchGuard
  2. Intrusion Prevention Systems (IPS)
    1. Dell SecureWorks, Intel Security (McAfee), Radware, IBM
  3. Secure Web Gateway (SWG)
    1. Blue Coat, Barracuda, Zscaler, Cisco, Intel, Trend Micro, Sophos
  4. Endpoint Protection
    1. Symantec, Sophos, McAfee, Bitdefender
  5. Advanced Malware Protection (AMP)
    1. Lastline, the only full-system emulation detonator available
  6. All reporting up through a Security Information and Event Management system (SIEM)
    1. HP ArcSight, Splunk, IBM, LogRhythm

Lastline Enterprise can be deployed inline, so that all network traffic in and out of the enterprise flows directly through its filters. It can also be deployed as a backstop behind a first line of filtering by the firewalls and web gateways.

At Lastline, we supply well-defined, well-documented APIs. Depending on how the system is deployed, our Automated Malware Analysis & Protection Platform often acts as the “last line of defense” behind the web gateways, intrusion prevention systems, firewalls, and endpoint systems. When a file enters or leaves the enterprise, whether pushed or pulled, one of the defense systems above computes the file’s hash and looks it up to see whether it is known good, known bad, or unknown. If the lookup returns “unknown”, the firewall or web gateway calls the Lastline API for a verdict. If the file is also unknown across Lastline’s user base, Lastline detonates it in full-system emulation and closely examines its behavior for anything suspicious. Lastline then pushes the verdict back to the requesting system through the API, reports to the SIEM through a messaging protocol, and updates the Lastline Knowledge Base, so a malicious file is recognized on every subsequent encounter. Note that a hash lookup only recognizes byte-identical files: a repacked or otherwise modified variant has a new hash and goes through the same detonation path again.
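The gating loop just described (hash lookup, detonation of unknowns, verdict caching, a report to the SIEM), as an added Python example that is not part of the original post and does not use Lastline’s API. The Sandbox stand-in `fake_detonate`, the behaviour weights, the threshold, the sample files and the CEF vendor fields are all constructed for illustration; a real deployment would call the vendor’s documented submit and poll endpoints in place of `fake_detonate`.

```python
"""Gateway-side orchestration: hash lookup, detonation of unknown files,
verdict caching and a CEF event for the SIEM. Illustrative code; the
detonation step is a constructed stand-in, not Lastline's API."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List

BENIGN, MALICIOUS, PENDING = "benign", "malicious", "pending"

# Assumed weights for behaviours a detonation report might contain.
BEHAVIOUR_WEIGHTS = {
    "persists_via_run_key": 30,
    "injects_into_remote_process": 40,
    "deletes_volume_shadow_copies": 60,
    "beacons_to_unresolved_host": 40,
    "reads_user_documents": 10,
}
MALICIOUS_THRESHOLD = 60  # assumed cut-off


class SandboxTimeout(Exception):
    """Detonation did not finish within the gateway's time budget."""


@dataclass
class Verdict:
    sha256: str
    verdict: str
    score: int
    behaviours: List[str]


def sha256_hex(data: bytes) -> str:
    # Cache verdicts under a collision-resistant hash; with MD5 or SHA-1 an
    # attacker could craft a malicious file colliding with a cached benign one.
    return hashlib.sha256(data).hexdigest()


def score_behaviours(behaviours: List[str]) -> int:
    return sum(BEHAVIOUR_WEIGHTS.get(b, 0) for b in behaviours)


def cef_event(v: Verdict, vendor: str = "ExampleVendor",
              product: str = "Sandbox", version: str = "1.0") -> str:
    """Render a verdict as an ArcSight CEF line. Header fields are
    pipe-delimited, so pipes and backslashes inside them are escaped."""
    def esc(s: str) -> str:
        return s.replace("\\", "\\\\").replace("|", "\\|")
    severity = 10 if v.verdict == MALICIOUS else 0
    ext = (f"fileHash={v.sha256} cn1={v.score} cn1Label=score "
           f"cs1={','.join(v.behaviours)} cs1Label=behaviours")
    return (f"CEF:0|{esc(vendor)}|{esc(product)}|{esc(version)}|100|"
            f"file analysis {v.verdict}|{severity}|{ext}")


class Orchestrator:
    """Models the firewall/gateway side of the loop described in the text."""

    def __init__(self, detonate: Callable[[bytes], List[str]]):
        self.detonate = detonate                      # submit-and-wait stand-in
        self.knowledge_base: Dict[str, Verdict] = {}  # sha256 -> verdict
        self.siem_events: List[str] = []
        self.detonations = 0

    def inspect(self, data: bytes) -> Verdict:
        h = sha256_hex(data)
        known = self.knowledge_base.get(h)
        if known is not None:
            return known                    # known good or bad: no detonation
        self.detonations += 1
        try:
            behaviours = self.detonate(data)
        except SandboxTimeout:
            # Fail closed: hold the file and do not cache, so a retry re-analyses.
            return Verdict(h, PENDING, 0, [])
        score = score_behaviours(behaviours)
        v = Verdict(h, MALICIOUS if score >= MALICIOUS_THRESHOLD else BENIGN,
                    score, behaviours)
        self.knowledge_base[h] = v          # recognised on every later sighting
        self.siem_events.append(cef_event(v))
        return v


# Constructed sample inputs for the stand-in detonation below.
SAMPLE_DROPPER = b"MZ\x90\x00 constructed dropper sample"
SAMPLE_DOCUMENT = b"%PDF-1.4 constructed benign document"
SAMPLE_SLOW = b"constructed sample whose analysis times out"


def fake_detonate(data: bytes) -> List[str]:
    """Stand-in for a detonation service: returns observed behaviours."""
    if data.startswith(SAMPLE_DROPPER):
        return ["persists_via_run_key", "injects_into_remote_process",
                "beacons_to_unresolved_host"]
    if data == SAMPLE_SLOW:
        raise SandboxTimeout()
    return ["reads_user_documents"]


if __name__ == "__main__":
    gw = Orchestrator(fake_detonate)
    for sample in (SAMPLE_DROPPER, SAMPLE_DROPPER, SAMPLE_DROPPER + b"\x00",
                   SAMPLE_SLOW, SAMPLE_DOCUMENT):
        print(gw.inspect(sample).verdict)
    print("detonations:", gw.detonations)
    print("\n".join(gw.siem_events))
```

Two points the run makes visible: the second sighting of the dropper is answered from the knowledge base without a detonation, but the same dropper with one byte appended has a new hash and is detonated again, which is the limit of hash-based gating; and a detonation that times out yields a `pending` verdict that is neither cached nor released, so the gateway fails closed rather than letting an unanalysed file through.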

The process of checking, testing, and validating files is continuous and requires no administrator intervention, thanks to the APIs between Lastline and the other systems that form a strong enterprise defense strategy. The assembly of best-in-class solutions that makes up the defense fabric works as a unified whole, giving the enterprise the best chance of success against the ever-changing threatscape.