Web Security For Advanced Malware And Persistent Threats
Web traffic continues to be the most prevalent source of traffic on the Internet, but it is also a key delivery vehicle for malware. There are multiple SWG (Secure Web Gateway) vendors that offer network appliances to help organizations defend against malware and enforce policies. Traditional SWGs are a great first line of defense, but unfortunately, hackers have evolved and developed advanced malware and APTs (Advanced Persistent Threats) to bypass SWG defenses.
Lastline Enterprise is a complementary solution to traditional SWG products, offering a specialized layer of defense that protects organizations against advanced malware, APTs and active backdoors in their networks.
Here is how Lastline Enterprise works with traditional SWG products.
- Advanced malware is delivered over an HTTP connection as a web object, and it can be distributed by leveraging an ad network that posts a malicious ad on a legitimate web page
- The cyber threat (e.g. a zero-day exploit or APT) evades detection and bypasses the traditional SWG product
- Inbound monitoring – the Lastline Enterprise Sensor
  - monitors HTTP traffic passively; alternatively, the SWG can connect to the Sensor through ICAP (Internet Content Adaptation Protocol), which also allows inspection of HTTPS traffic
  - if the threat is known to Lastline, the Sensor can block incoming connections via TCP reset (when monitoring passively)
  - if the traffic exhibits suspicious behavior, the Sensor extracts content (e.g. binaries, documents) for further analysis
- Outbound monitoring – the Lastline Enterprise Sensor
  - if a host (e.g. a Windows machine) has been infected by advanced malware and connects to a known C&C (Command & Control) system, the Sensor can block outgoing connections via TCP reset
  - if the outbound traffic does not match Lastline's threat intelligence, additional anomaly detection techniques can identify previously unknown malware connections
- Analysis of suspicious content – the Lastline Enterprise Engine
  - the Sensor(s) capture content (e.g. binaries or documents containing exploits) from the wire by parsing out web downloads
  - objects are sent via the Lastline Enterprise Manager to the Engine, where they are executed in a high-resolution analysis environment (using CPU emulation)
  - our CPU emulation technique defuses malware, identifies zero-day threats and provides high-resolution analysis of advanced threats
- Correlation and interoperability – the Lastline Enterprise Manager
  - the Manager correlates multiple low-level events into high-level advanced malware infections, making it easier for security operators to focus on high-priority infections
  - via the Lastline API or syslog export on the Manager, security operators can modify policy on the SWG to stop inbound and outbound connections
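The following is an added example, not Lastline's code, that walks through the outbound-monitoring and correlation steps above in miniature: a handful of constructed Sensor events (extracted downloads with an Engine verdict, outbound flows) are matched against a placeholder C&C list, flows that match no intelligence are checked for periodic beaconing as the anomaly signal, the per-host results are rolled up into scored infections, and the infections are emitted as syslog-style lines plus a block list an SWG policy could consume. The event fields, score weights, thresholds, hostnames (RFC 5737 documentation addresses) and the syslog layout are all assumptions made for this example.

```python
"""Constructed example: correlate sensor events into host infections and
export them as syslog lines and an SWG block list.

All hosts, destinations, scores and the syslog layout are assumptions
made for this example; they are not Lastline's own formats or data."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed threat intelligence: a known C&C endpoint (placeholder address
# from the RFC 5737 documentation range, not a real indicator).
KNOWN_CC = {"203.0.113.10:443"}

@dataclass
class Event:
    ts: int            # epoch seconds
    host: str          # internal host observed by the Sensor
    kind: str          # "download" (object extracted from the wire) or "connection" (outbound flow)
    target: str        # object name for downloads, "ip:port" for connections
    verdict: str = ""  # Engine verdict for downloads: "malicious" or "benign"

T0 = 1_700_000_000
# Constructed sensor events: one host downloads a malicious binary and then
# beacons every 60 s, one contacts the known C&C, one browses normally.
EVENTS = [
    Event(T0, "10.0.0.5", "download", "invoice.exe", "malicious"),
    *[Event(T0 + 100 + 60 * k, "10.0.0.5", "connection", "198.51.100.7:8080") for k in range(5)],
    Event(T0 + 50, "10.0.0.6", "connection", "203.0.113.10:443"),
    Event(T0 + 5, "10.0.0.7", "download", "report.pdf", "benign"),
    *[Event(T0 + t, "10.0.0.7", "connection", "192.0.2.80:443") for t in (10, 75, 400, 405, 900)],
]

def detect_beaconing(events, min_flows=4, max_cv=0.2):
    """Anomaly check for outbound traffic: flag (host, dest) pairs whose flows
    recur at near-constant intervals (coefficient of variation of the gaps
    between flows <= max_cv)."""
    stamps = defaultdict(list)
    for e in events:
        if e.kind == "connection":
            stamps[(e.host, e.target)].append(e.ts)
    beacons = set()
    for key, ts in stamps.items():
        if len(ts) < min_flows:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons.add(key)
    return beacons

def correlate(events, known_cc=KNOWN_CC):
    """Roll low-level events up into one scored incident per host so that
    operators triage by priority rather than by raw event volume."""
    beacons = detect_beaconing(events)
    cc_contacts = {(e.host, e.target) for e in events
                   if e.kind == "connection" and e.target in known_cc}
    bad_downloads = {(e.host, e.target) for e in events
                     if e.kind == "download" and e.verdict == "malicious"}
    incidents = {}

    def incident(host):
        return incidents.setdefault(host, {"host": host, "score": 0, "evidence": [], "block": set()})

    for host, dest in sorted(cc_contacts):            # intel match: strongest signal
        i = incident(host)
        i["score"] += 80
        i["evidence"].append(f"contact with known C&C {dest}")
        i["block"].add(dest)
    for host, dest in sorted(beacons - cc_contacts):  # anomaly with no intel match
        i = incident(host)
        i["score"] += 40
        i["evidence"].append(f"periodic beaconing to {dest}")
        i["block"].add(dest)
    for host, obj in sorted(bad_downloads):           # Engine verdict on an extracted object
        i = incident(host)
        i["score"] += 50
        i["evidence"].append(f"malicious download {obj}")
    for i in incidents.values():
        i["priority"] = "high" if i["score"] >= 80 else "medium" if i["score"] >= 40 else "low"
    return incidents

def swg_blocklist(incidents, min_priority="high"):
    """Destinations to push into the SWG's outbound policy (assumed contract)."""
    rank = {"low": 0, "medium": 1, "high": 2}
    return sorted({d for i in incidents.values()
                   if rank[i["priority"]] >= rank[min_priority] for d in i["block"]})

def to_syslog(incidents, app="correlator-demo"):
    """Render incidents as RFC 5424-style lines (facility local0; severity
    crit/warning/info for high/medium/low) with one structured-data element."""
    severity = {"high": 2, "medium": 4, "low": 6}
    lines = []
    for i in sorted(incidents.values(), key=lambda x: -x["score"]):
        pri = 16 * 8 + severity[i["priority"]]
        block = ",".join(sorted(i["block"])) or "-"
        sd = f'[infection host="{i["host"]}" priority="{i["priority"]}" score="{i["score"]}" block="{block}"]'
        lines.append(f"<{pri}>1 - mgr01 {app} - INFECTION {sd} " + "; ".join(i["evidence"]))
    return lines

if __name__ == "__main__":
    found = correlate(EVENTS)
    for line in to_syslog(found):
        print(line)
    print("SWG block list:", swg_blocklist(found))
```

The normally browsing host never appears in the output: its irregular flows fail the beaconing check and its download was judged benign, which is the point of correlating before alerting. The beaconing host scores from two independent signals (Engine verdict plus anomaly), so it is still rated high even though its C&C address is absent from the intelligence feed.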
Latest posts by Freddy Mangum