Web Security For Advanced Malware And Persistent Threats

Web traffic is the most prevalent kind of traffic on the Internet, and it is also a key delivery vehicle for malware. Several Secure Web Gateway (SWG) vendors offer network appliances that help organizations block malware and enforce policy. A traditional SWG is a good first line of defense, but attackers have adapted: advanced malware and APTs (Advanced Persistent Threats) are built specifically to get past SWG defenses.

Lastline Enterprise complements a traditional SWG. It adds a specialized layer of defense that protects an organization against advanced malware, APTs and active backdoors already present in the network.

Here is how Lastline Enterprise works alongside a traditional SWG.

  1. Advanced malware is delivered over an HTTP connection as a web object; a common route is an ad network that places a malicious ad on a legitimate web page
  2. The threat (ex. a zero-day exploit or an APT payload) evades detection and passes through the traditional SWG
  3. Inbound monitoring – The Lastline Enterprise Sensor
    • monitors HTTP traffic passively, out of band; alternatively, the Sensor connects to the SWG over ICAP (Internet Content Adaptation Protocol), in which case the SWG hands it the content it has fetched, including HTTPS traffic the SWG has already decrypted
    • if the threat is already known to Lastline, the Sensor blocks the incoming connection: in passive mode by injecting a TCP reset (best effort, since the reset races the real data stream), in ICAP mode by returning a block verdict that the SWG enforces
    • if the traffic exhibits suspicious behavior, the Sensor extracts the content (ex. binaries, documents) for further analysis
  4. Outbound monitoring – The Lastline Enterprise Sensor
    • if a host (ex. a Windows machine) has been infected by advanced malware and connects to a known C&C (Command & Control) server, the Sensor can block the outgoing connection via TCP reset
    • if the outbound traffic matches nothing in Lastline’s threat intelligence, additional anomaly detection techniques can still identify previously unknown malware connections
  5. Analysis of suspicious content – The Lastline Enterprise Engine
    • the Sensor(s) capture content (ex. binaries or documents carrying exploits) from the wire by parsing web downloads out of the HTTP stream
    • objects are sent via the Lastline Enterprise Manager to the Engine, which executes them in a high-resolution analysis environment built on CPU emulation
    • our CPU emulation technique defuses malware (the sample runs inside the emulator, never on a real host), identifies zero-day threats and provides a high-resolution analysis of advanced threats
  6. Correlation and Interoperability – The Lastline Enterprise Manager
    • the Manager correlates multiple low-level events into high-level advanced malware infections, so security operators can focus on high-priority infections rather than on individual alerts
    • via the Lastline API or syslog export from the Manager, security operators can update SWG policy to stop the related inbound and outbound connections
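Step 3 names ICAP as the way the Sensor can sit behind the SWG instead of on a passive tap. The exchange that implies is a well-defined protocol, so here is an added illustration of one RESPMOD round trip (RFC 3507) between a gateway and an inspection service: the gateway wraps a downloaded object in a RESPMOD request with correctly computed Encapsulated offsets, the inspector either replaces a known-bad object with a block page (ICAP 200 plus a new HTTP response) or lets it through untouched (ICAP 204) while queuing unknown binaries for sandbox analysis, and the gateway acts on the status it gets back. This is example code written for this page, not Lastline's implementation; the service URI, host names, sample objects, content-type list and hash denylist are all constructed assumptions.

```python
import hashlib
import re

ICAP_SERVICE = "icap://icap.example.internal/respmod"  # hypothetical ICAP service URI

# Constructed sample objects, not real malware: a PE magic plus filler bytes.
SAMPLE_KNOWN_BAD = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00constructed sample A"
SAMPLE_UNKNOWN_EXE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00constructed sample B"
SAMPLE_HTML = b"<html><body>hello</body></html>"

# Constructed threat-intelligence entry: hash of an object already convicted by analysis.
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_KNOWN_BAD).hexdigest()}

# Content types the inspector pulls off the wire for sandbox analysis (assumed list).
EXTRACT_TYPES = {"application/x-msdownload", "application/pdf", "application/octet-stream"}


def chunked(body):
    """ICAP carries encapsulated bodies in HTTP chunked encoding (one chunk here)."""
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)


def dechunk(data):
    """Reassemble a chunked body; stops at the zero-length terminating chunk."""
    out, pos = b"", 0
    while True:
        end = data.index(b"\r\n", pos)
        size = int(data[pos:end], 16)
        pos = end + 2
        if size == 0:
            return out
        out += data[pos:pos + size]
        pos += size + 2


def parse_encapsulated(value):
    """'req-hdr=0, res-hdr=45, res-body=120' -> {'req-hdr': 0, ...} (byte offsets)."""
    return {k.strip(): int(v) for k, v in (p.split("=") for p in value.split(","))}


def parse_icap(raw):
    """Split an ICAP message into start line, header dict and encapsulated payload."""
    head, _, payload = raw.partition(b"\r\n\r\n")
    lines = head.decode().split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, payload


def build_respmod(path, ctype, body):
    """Gateway side: wrap the origin request, the origin response headers and the
    downloaded object in a RESPMOD request. Offsets in Encapsulated are measured
    from the start of the payload, so they are computed from the real lengths."""
    req_hdr = b"GET %s HTTP/1.1\r\nHost: cdn.example.org\r\n\r\n" % path
    res_hdr = b"HTTP/1.1 200 OK\r\nContent-Type: %s\r\nContent-Length: %d\r\n\r\n" % (ctype, len(body))
    encapsulated = "req-hdr=0, res-hdr=%d, res-body=%d" % (len(req_hdr), len(req_hdr) + len(res_hdr))
    head = ("RESPMOD %s ICAP/1.0\r\nHost: icap.example.internal\r\nAllow: 204\r\n"
            "Encapsulated: %s\r\n\r\n" % (ICAP_SERVICE, encapsulated)).encode()
    return head + req_hdr + res_hdr + chunked(body)


def inspect_respmod(raw, extracted):
    """Inspector side: replace known-bad objects with a block page (ICAP 200 plus a
    new HTTP response), queue unknown binaries and documents in `extracted` for
    sandbox analysis, and let everything else through unmodified (ICAP 204)."""
    start, headers, payload = parse_icap(raw)
    if not start.startswith("RESPMOD "):
        return b"ICAP/1.0 405 Method Not Allowed\r\n\r\n"
    offs = parse_encapsulated(headers["encapsulated"])
    res_hdr = payload[offs["res-hdr"]:offs["res-body"]]
    body = dechunk(payload[offs["res-body"]:])
    m = re.search(rb"(?im)^content-type:\s*([^\r\n;]+)", res_hdr)
    ctype = m.group(1).decode().strip().lower() if m else ""
    digest = hashlib.sha256(body).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        page = b"<html><body>Download blocked by policy</body></html>"
        http = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\nContent-Length: %d\r\n\r\n" % len(page)
        icap = b"ICAP/1.0 200 OK\r\nEncapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(http)
        return icap + http + chunked(page)
    if ctype in EXTRACT_TYPES or body.startswith(b"MZ"):
        extracted.append((digest, ctype, body))
    return b"ICAP/1.0 204 No Content\r\n\r\n"


def gateway_decision(icap_response):
    """Gateway side: 204 -> deliver the original object to the client; 200 -> deliver
    the replacement the inspector encapsulated instead."""
    start, headers, payload = parse_icap(icap_response)
    status = int(start.split(" ", 2)[1])
    if status == 204:
        return "deliver-original", None
    if status == 200:
        offs = parse_encapsulated(headers["encapsulated"])
        return "deliver-replacement", dechunk(payload[offs["res-body"]:])
    raise ValueError("unexpected ICAP status %d" % status)
```

The `Allow: 204` header matters: an ICAP server may only answer 204 if the client advertised it, so a gateway that omits it forces the inspector to echo every clean object back in full. Note also that the HTTPS visibility mentioned in step 3 comes entirely from the SWG terminating TLS before it calls the inspector; nothing in the ICAP exchange itself decrypts anything.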
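Steps 4 to 6 describe a pipeline: per-connection decisions against threat intelligence on the Sensor, an anomaly check for connections that match nothing known, and a Manager that rolls the resulting low-level events up into one infection per host and exports it over syslog so the SWG can act. The following is an added example of that pipeline over a handful of constructed sensor events; it is not Lastline's code and does not describe its detection logic. The C&C feed (TEST-NET addresses), the event records, the evidence weights and thresholds, and the vendor fields in the CEF line are all assumptions; the beacon heuristic (flag a host whose connection intervals to one destination are nearly constant) is a generic technique chosen to stand in for "anomaly detection" in step 4.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed threat-intelligence feed of known C&C endpoints (TEST-NET-2 address).
KNOWN_C2 = {("198.51.100.23", 443)}

# Assumed weight of each kind of evidence; an incident opens at 50 and is high at 80.
WEIGHTS = {"download": 40, "c2": 50, "beacon": 50}

# Constructed sensor events: (timestamp, source host, kind, details).
EVENTS = [
    ("2014-03-01T09:00:00", "10.0.0.5", "download",
     {"sha256": "c0ffee" * 10 + "cafe", "verdict": "malicious"}),
    ("2014-03-01T09:02:10", "10.0.0.5", "connect", {"dst": "198.51.100.23", "port": 443}),
    ("2014-03-01T09:01:00", "10.0.0.9", "connect", {"dst": "203.0.113.50", "port": 443}),
] + [
    # five connections exactly 120 s apart: the shape of a beacon, not of a browser
    ("2014-03-01T09:%02d:00" % m, "10.0.0.7", "connect", {"dst": "203.0.113.9", "port": 8080})
    for m in range(0, 10, 2)
]


def inline_action(event):
    """Sensor decision for one outbound connection: reset sessions to known C&C."""
    _, _, kind, d = event
    if kind == "connect" and (d["dst"], d["port"]) in KNOWN_C2:
        return "tcp-reset"
    return None


def find_beacons(events, min_count=4, max_cv=0.15):
    """Anomaly check for unknown C&C: (host, dst, port) tuples whose connection
    intervals are too regular (coefficient of variation <= max_cv)."""
    stamps = defaultdict(list)
    for ts, host, kind, d in events:
        if kind == "connect":
            stamps[(host, d["dst"], d["port"])].append(datetime.fromisoformat(ts))
    beacons = set()
    for key, times in stamps.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            beacons.add(key)
    return beacons


def correlate(events):
    """Manager-style roll-up: distinct pieces of evidence per host are scored and
    turned into one incident, so an operator sees hosts, not thousands of events."""
    evidence = defaultdict(set)
    for ev in events:
        _, host, kind, d = ev
        if kind == "download" and d["verdict"] == "malicious":
            evidence[host].add(("download", d["sha256"][:12]))
        elif inline_action(ev) == "tcp-reset":
            evidence[host].add(("c2", "%s:%d" % (d["dst"], d["port"])))
    for host, dst, port in find_beacons(events):
        evidence[host].add(("beacon", "%s:%d" % (dst, port)))
    incidents = {}
    for host, items in evidence.items():
        score = sum(WEIGHTS[kind] for kind, _ in items)
        severity = "high" if score >= 80 else "medium" if score >= 50 else None
        if severity:
            incidents[host] = {"severity": severity, "score": score, "evidence": sorted(items)}
    return incidents


def to_cef(host, incident):
    """One syslog line in ArcSight CEF format that an SWG or SIEM can turn into a
    policy change (e.g. quarantine the source host). Vendor fields are placeholders."""
    sev = {"high": 9, "medium": 6}[incident["severity"]]
    msg = "; ".join("%s %s" % item for item in incident["evidence"])
    return ("CEF:0|ExampleVendor|SensorCorrelator|1.0|INFECTION|Advanced malware infection|%d|"
            "src=%s cn1=%d cn1Label=score msg=%s" % (sev, host, incident["score"], msg))
```

Scoring distinct evidence rather than raw event counts is what keeps the roll-up honest: a host that beacons a thousand times still contributes one "beacon" item, so the severity reflects how many independent indicators agree, not how chatty the malware is. The TCP reset in `inline_action` is a per-connection, best-effort control; the CEF export is what lets the SWG apply a durable policy to the host.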