press release

Lastline Adds Rapid Host Breach Verification, Bridging Network and Endpoint Security

Lastline Adds Rapid Host Breach Verification, Bridging Network and Endpoint Security

Evasive Malware Detection Pioneer Expands Platform to Verify Endpoint Compromises

Redwood City, Calif. – May 18, 2015 — Global breach detection provider Lastline today announced the addition of host breach verification to the Lastline Breach Detection Platform. Combined with existing network breach verification, the new endpoint breach verification tools and integrations will give users — including SOC operators, incident responders and security management — a unified, comprehensive and timely view into indicators of compromise (IOCs) across networks and endpoints. This makes detection and response to breaches faster and more focused on advanced threats, reducing the duration of compromises or “dwell times.”

“Concurrently, Long dwell times are a hallmark of successful advanced attacks,” said Peter Firstbrook, research VP, John Girard, VP and distinguished analyst and Neil MacDonald, VP and distinguished analyst at Gartner. “Gartner Clients are searching for tools that can help reduce these long dwell times.”1

When a malicious program or document is detected on the network, it is important to determine whether it has successfully compromised a host such as a laptop or other endpoint. With unified network and endpoint breach verification from Lastline, security personnel can quickly and easily verify compromises on endpoints using new Lastline tools as well as with integrated endpoint agents.

“Delivering rapid, accurate and comprehensive breach verification requires a sophisticated bridging of network and host-based monitoring and analysis few enterprise security offerings can provide,” said Jens Andreassen. “Our open architecture and full-system emulation approach to breach detection makes true breach verification possible. The addition of host breach verification is an important milestone for our company, our customers and the security industry as we all work hard to quickly and decisively root-out threat actors across networks and endpoints.”

Zero-in on Compromised Machines Rather than Chasing Ghost Alerts

Breach verification helps security personnel prioritize remediation of compromised machines rather than wasting time chasing ghost alerts. Ghost alerts occur when security systems without breach verification flag IOCs on the network but cannot check whether they have successfully compromised an endpoint. Prior to the addition of endpoint breach verification, Lastline addressed ghost alerts with network-based breach verification, including monitoring for outbound traffic to malicious command and control (C&C) servers. With this update, Lastline will continue to rely on network breach verification but can now also automatically check for IOCs on all endpoints, including detecting compromises on additional endpoints after the initial compromise.

Host Breach Verification Operates in Two Phases

  1. In the first phase, malware is captured from the wire and analyzed in Lastline’s full-system emulation (FUSE) sandbox. As part of the analysis, Lastline extracts high quality IOCs that capture the changes to the operating system that occur during a breach.
  2. In the second phase, Lastline verification tools search the potentially compromised endpoint(s) for the presence of these IOCs. When a match is found, the breach is verified, and the impact of the incident is triaged appropriately.

Lastline Adds STIX Support, Verified by Soltra

Lastline has also added support for Structured Threat Information eXpression (STIX) — a widely adopted threat information format — to its breach detection platform. This allows for improved sharing of IOCs and host breach verification with industry leading endpoint agents that use the STIX format. Lastline’s STIX implementation has been verified by Soltra as fulfilling best practices for STIX as outlined by MITRE.

Bringing OpenIOC to the Lastline Breach Detection Platform

In addition to STIX, Lastline has added support for OpenIOC — which stands for Open Indicators of Compromise — which is a standards-based schema for describing and sharing IOCs to enhance detection, verification and remediation of breaches within and between hosts, networks and organizations.

The Lastline Breach Detection Platform is subscription-based and can be deployed hosted or on-premise to an unlimited number of network locations and inspect any number of protocols. The updates announced today come at no additional cost. To learn more about Lastline, please visit:

To learn more about Lastline, please visit:

1Gartner, “Magic Quadrant for Endpoint Protection Platforms,” Peter Firstbrook, John Girard, Neil MacDonald, 22 December, 2014

About Lastline

Lastline is innovating the way companies detect active breaches caused by advanced persistent threats, targeted attacks and evasive malware with its software-based Breach Detection Platform. Lastline’s open architecture integrates advanced threat defenses and intelligence into existing operational workflows and security systems. Inspection of suspicious objects occurs at scale in real-time using a full-system emulation approach to sandboxing that is superior to virtual machine-based and OS emulation techniques. Lastline’s technology correlates network and object analysis to achieve timely breach confirmation and incident response. Lastline was built by Anubis and Wepawet researchers and industry veterans with decades of experience focused specifically on advanced breach weaponry and tactics.

Headquartered in Redwood City, California with offices throughout North America, Europe and Asia, Lastline’s platform is used by global managed security service providers, Global 2000 enterprises and leading security vendors worldwide. To learn more, visit


Jeannie Hornung