The term “artificial intelligence” (AI) has become ubiquitous in the description of modern applications,
services, and user interfaces. The security domain is no exception. Companies today are touting almost
every new service or product as AI-based. The use of the term “AI” is so widespread, in fact, that it has become
difficult to see beyond the hype and understand what “AI-based” really means.
This white paper provides a high-level description of what AI means, and explains some of the key terms
surrounding AI and machine learning (ML) and their security applications, including anomaly detection. It
also identifies some pitfalls in the use of AI in network security. Finally, it describes how we use AI at Lastline.

Why Lastline?


Lastline® delivers the industry’s most accurate AI-powered network security. Informed by years of threat research and attack investigation, our products provide high-fidelity insights into advanced threats entering or operating inside your network.

We use a combination of three complementary techniques to eliminate false positives:

  • First, we leverage the knowledge in our Global Threat Intelligence Network to scan traffic metadata and payloads for variants of known threats
  • Second, we apply unsupervised AI to monitor network behavior and detect protocol and traffic anomalies
  • Third, we use supervised AI to automatically create classifiers that recognize malicious network behaviors and previously unknown malware

Most AI-based network security products implement only the first two detection techniques. These probabilistic approaches to monitoring network behavior lead to many false positives – after all, not all anomalies are the result of attacks.

Applying AI techniques to network traffic will find anomalous patterns of behavior, because that’s what these techniques are designed to do. It is virtually impossible for other AI-based tools to determine whether a detected anomaly is malicious or benign.

Lastline is different. Our solutions leverage AI that is automatically trained both on network traffic and malicious behaviors. This unique combination enables deterministic detections and eliminates false positives. That’s why we call it “AI Done Right.”



Advanced Network Traffic Analytics


Lastline Defender improves threat detection by monitoring your network activity, including low-level events and seemingly benign activity, to uncover all malicious incidents. It analyzes a range of traffic, including:


Reputation Information: Delivers fast classification of known bad and good domains, IPs and URLs

Protocol Anomalies: Identifies unusual protocols in your network, including:

  • DNS tunneling
  • DNS zone transfers
  • Suspicious HTTP headers
  • Suspicious TLS certificates

Traffic Anomalies: Discovers unusual traffic in your network, including:

  • Port scans
  • Brute force logins
  • DNS fast flux
  • Remote file execution
  • Web shell
  • Web proxy bypass
  • Bitcoin mining

Host Anomalies: Identifies unusual behavior by your hosts, including:

  • Upload/download volume
  • Port profile anomaly
  • Unusual geo destinations
  • Periodic check-ins
  • Lateral movement


Lastline Defender’s network traffic analytics provides a detailed understanding of a threat’s scope by identifying compromised systems, communication between local and external systems, and data sets that might have been accessed or uploaded. It facilitates hunting of latent threats resulting from file downloads, website content, and email attachments that are now hiding in your network.

Lastline Defender also gives you immediate visibility into malicious activity entering and operating within your AWS environment, including:

  • Inbound exploits of cloud workloads that target vulnerable applications and services
  • Malicious lateral traffic when an attacker scans for other workloads
  • Data exfiltration from anomalous data access


Complete Threat Detection


Lastline delivers complete detection of advanced threats by unifying two complementary technologies in a single solution that provides the broadest threat protection possible for your network:

  • Superior AI-powered network detection
  • Market-leading sandbox technology

Our AI-powered threat detection generates the highest-fidelity insights into advanced threats attempting to operate in your entire network, both on-premises and cloud. By incorporating our sandbox technology, we also deliver protection from threats attempting to enter your network.

Our patented technology deconstructs every malicious behavior engineered into an object entering via mail or web traffic, such as a file attachment or download. We see:

  • All instructions that a program executes
  • All memory content
  • All operating system activity

This visibility enables us to inventory unique file behaviors that other tools fail to detect, such as activity observed when executing programs, opening documents, unpacking archives, and rendering web content.

Our superior visibility makes the analysis much harder to evade. Alternative methods, like OS emulation and virtualization, are fooled by sophisticated evasion techniques. They are easily bypassed and therefore miss many advanced attacks.




Comprehensive Threat Visibility


Attackers use different paths to compromise and move around your network. It is critical for a threat detection solution to monitor them all and deliver complete visibility into the entire attack chain.

Lastline Defender™ provides unmatched visibility into traffic that crosses the network perimeter as well as traffic moving laterally inside the perimeter:

  • The protection of traffic crossing your perimeter is critical to stop inbound threats in the early stages of the attack chain.
  • The protection of internal traffic is critical for later stages of the attack chain, to detect lateral movement and threats operating inside your network. These threats include those that evaded perimeter defenses, compromised personal devices outside the protected network, infected your network via malicious USB sticks, or were the result of insider threats.

Lastline also detects email threats, such as file-based and fileless malware, malicious URLs, and phishing attempts. Moreover, our products connect threats identified in emails with intrusion activity on the network, such as command & control communication, privilege escalation, and data exfiltration, to provide complete visibility of the entire attack chain.

You can augment your existing email security controls with a complementary layer of protection from Lastline, whether you have an on-premises or hosted email system, or a cloud-based system like Microsoft Office 365 or Gmail.


Threat Detection: Visualize the Entire Breach Chain

Incident Response: Immediate Response


Lastline automates protection by integrating with your third-party products, incident response workflows, and custom applications throughout your organization, whether on-premises or in the cloud.

Your existing security controls can automatically send unknown objects and websites to Lastline for analysis and receive actionable threat intelligence to automate threat response workflows, before you suffer any business disruption.

Lastline has a modular, scalable architecture and offers a rich set of open APIs that facilitate an easy integration of the product into existing systems and workflows. The APIs are complemented by powerful, built-in integrations with products from our Technology Alliance Partner ecosystem, such as SIEMs, gateway and network devices, and endpoint agents.

You have the choice of using the built-in integration offered by our Technology Partners or you can use our robust APIs to optimize your current technologies, staff, and processes.
