Avanan Partner Series: How Lastline Detects Malware
Posted by Michael Landewe on October 11, 2017
With each day bringing new and different threats, we are always seeking out the next-gen technology that can defend against these next generation attacks.
This is the first in our series highlighting each security partner and what they bring to the Avanan platform. A look under the hood at each of the security tools we’ve chosen and why we believe they have something unique to offer when defending the cloud.
Who is Lastline?
Dr. Chris Kruegel, Lastline’s CEO, and two of his peers in academia, Dr. Engin Kirda and Dr. Giovanni Vigna, shared an interest in understanding malware and how to detect it. In the early 2000s they developed a technique that would eventually become known as sandboxing. They built two systems – Anubis (for analyzing unknown files) and Wepawet (for analyzing web pages) – which launched the trend of using behavioral analytics and machine learning to detect malware.
In 2011, they founded Lastline to bring these technologies to market. While a number of companies offer sandboxing techniques, what makes Lastline different is the three founders’ roots in academia, with the rigor and pursuit of perfection that is often lost in a vendor’s drive to get a product to market. As Chris likes to say, “At Lastline, ‘good enough’ isn’t. The goal is to get it right.”
Lastline Malware Detection
We have seen Lastline identify even the most sophisticated and evasive malware. Their technology, called Deep Content Inspection, is a unique approach to isolating and analyzing threats to detect malware.
Typically, sandbox tools monitor the interaction between an object and the operating system, looking for suspicious behavior. Lastline, instead, emulates a complete operating system and hardware environment to analyze behavior at the object level, looking at every instruction sent to the CPU. This makes it possible to look for activity within the malware itself, within OS processes and within other programs that the malware might invoke.
Because of this level of analysis, Lastline provides a tremendous amount of information to the Avanan policy engine on which to base a quarantine decision. For example, here is a screenshot of the information provided about a single piece of malware that exhibits multiple behaviors that would clearly not be found in benign code, such as overwriting the master boot record (line 4) and attempting to evade detection (line 9).
When we evaluate malware vendors for the Avanan platform, we don’t ask the question “does this catch more than the others?” No single vendor can catch everything. We ask “can this product catch things that the others don’t?”
We have found that the best defense is a combination of tools that each use different techniques and different philosophies in order to detect attacks.
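To make the two ideas above concrete (a policy engine deciding quarantine from a behavioral report, and layering engines so that any one of them can catch what the others miss), here is an added example written for this post, not Avanan's or Lastline's code. The behavior names, severity weights, threshold and engine names are all constructed assumptions.

```python
# Added example: a minimal quarantine policy engine. Inputs are constructed:
# a sandbox-style behaviour report (names of observed behaviours) plus
# verdicts from other hypothetical engines ("sig_av", "reputation").
from dataclasses import dataclass, field

# Constructed severity table; weights are illustrative, not Lastline's scoring.
# The two high-severity entries mirror the behaviours called out in the post.
SEVERITY = {
    "overwrites_master_boot_record": 100,
    "evades_sandbox_detection": 60,
    "injects_into_other_process": 70,
    "reads_system_locale": 5,
    "writes_temp_file": 5,
}
DEFAULT_WEIGHT = 10          # unknown behaviours still count a little
QUARANTINE_THRESHOLD = 80    # constructed cut-off for the behaviour score
NOTABLE = 50                 # behaviours at/above this are reported as reasons


@dataclass
class Decision:
    quarantine: bool
    score: int
    reasons: list = field(default_factory=list)


def score_behaviours(behaviours):
    """Sum severity weights for every observed behaviour."""
    return sum(SEVERITY.get(b, DEFAULT_WEIGHT) for b in behaviours)


def decide(behaviour_report, engine_verdicts):
    """Quarantine when the behaviour score crosses the threshold OR when any
    layered engine returns 'malicious'. A single engine is enough: engines
    with different techniques are combined so each catches what others miss."""
    score = score_behaviours(behaviour_report)
    reasons = [b for b in behaviour_report
               if SEVERITY.get(b, DEFAULT_WEIGHT) >= NOTABLE]
    reasons += [f"{name}: malicious"
                for name, v in engine_verdicts.items() if v == "malicious"]
    flagged = any(v == "malicious" for v in engine_verdicts.values())
    return Decision(score >= QUARANTINE_THRESHOLD or flagged, score, reasons)


if __name__ == "__main__":
    # Constructed sample: MBR overwrite plus evasion, other engines silent.
    d = decide(["overwrites_master_boot_record", "evades_sandbox_detection",
                "writes_temp_file"], {"sig_av": "clean", "reputation": "clean"})
    print(d)  # quarantine=True on behaviour evidence alone
```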
Lastline provides a level of detail that has proven to catch malware that would otherwise be missed.
Avanan is the only cloud security platform that allows you to combine tools such as Lastline with other best-of-breed security tools to create a multi-layer defense system that will truly protect your cloud against tomorrow’s attacks.