I caught up with Lastline at RSA 2019, reconnecting with Co-Founder and CTO Giovanni Vigna, PhD. When we met at RSA 2018, Vigna had offered an insight that underscored just how challenging it is to make AI truly effective in cyber defense. As he put it, “There seems to be an industry credo that anomaly detection is the key to uncovering a threat. This is not always true. Not all malicious behaviors create anomalies, and not all anomalies are malicious.”
The Lastline approach has been to put AI to work in untangling the puzzling false positives and discovering actual threats amid the noise. This takes some skill and a lot of perseverance. (Note to all fellow smug over-achievers: if you need get over yourself, hang around with some Lastline PhDs and you’ll see that you should have paid more attention in school… Just sayin’.)
Lastline has applied research to the process of detection, to understanding and observing incidents of compromise. It’s not signature- or volume-based approach. The solution employs network-based sensors as well as sensors in email and IoT devices to analyze north-south traffic and public cloud traffic.
“It’s hard to sniff traffic in the cloud,” Vigna explained. “What we have to do, instead, is act like a transparent gateway. We can then apply threat intel and other models to traffic, both inside and outside of the VPC [virtual private cloud].”
The Lastline sensors are on task at the head end of the cloud. “Lastline goes to work when you spin up an AMI [Amazon Machine Image],” added Vigna. “We also harvest and ingest VPC logs, to look at anomalies within the VPC.” From there, Lastline uses many layers and types of AI, leveraging a native sandbox to “detonate” files and examine the effects. Deep learning, expert systems and heuristics work automatically, using untended AI to classify threats.
The solution has been able to work in some previously difficult cybersecurity use cases. For example, with corporate traffic moving to the cloud, it can be hard to detect lateral movements of threats in the cloud. Further to the idea of differentiating an anomaly from an actual attack, Vigna noted, “When you see weird behavior on the network, you have to understand if it’s what we call ‘good weird’ or ‘bad weird.’ You have to prioritize and take only the most serious-looking problems to the SOC analyst.”
The strategy seems to be paying. The company now has over 400 customers and is growing. They are also cultivating a significant OEM following.