Enforcing Security Policies – Plugging the Holes in Your Endpoint Security

March 31, 2009

This is the fourth in a series of how Triumfant helps plug gaps in your endpoint security defense-in-depth strategy.  In this entry I will address the enforcement of security policies – starting every day with every endpoint machine in compliance with organizational or mandated policies.

Your first question may be why I differentiate between configuration management and policy management.  There are many similarities but some subtle differences, particularly when taken in the context of automated remediation.  First, I would offer that configuration management is more granular and deals with specific settings and installed software, where policy management tends to take a wider business orientation.  Of course, the wider business policies must eventually be expressed in the language of granular settings to be implemented.  In the context of remediation, where a configuration may be black and white in regards to remediation, a policy may call for multiple remediation scenarios based on user profiles, geographies, or other criteria.

Let me give you an example.  Triumfant does a great job of removing unauthorized software from endpoint machines, a topic I will detail in my next entry.  A configuration would tell Triumfant Resolution Manager that when it detects a specific program that it should perform an automatic removal of the software.  One cause, one action.  A policy would step in and determine that the software is unauthorized except for a specific group of machines within the broader population (an exception).  For those machines where the software is not authorized, the policy would further define three specific remediation actions for groups of endpoint machines based on the title of the machine owner: notification only for VPs and higher, automatic removal with notification for director and senior director, and automatic removal with no notification for everyone else.

Customers can use a wizard driven interface to capture the policies into Triumfant Resolution Manager so the policies can be broken into the specific pieces and parts that will be monitored.  As with configuration management, Triumfant will detect changes in the endpoint machine that place the machine out of compliance with a given policy, and will synthesize a remediation to correct the problem.  Any deviation from policy is detected and corrected in a 24 hour cycle or less, creating a continuous state of compliance.

The management of specific, granular configuration settings has enormous value, but the world is not always black and white.  In fact, the term “except for” is one that frequently causes lots of complication and special consideration.  Such grey areas can only be expressed in the business language of a policy.  Many tools can only process black or white through their interfaces and require that complex scripts be created by hand to handle more complex logic and exceptions.  The ability to go beyond the black and white and readily accommodate exceptions is yet another differentiator for Triumfant.
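The difference between a one-cause, one-action configuration rule and a policy that carries an "except for" group and tiered remediation actions can be made concrete in code. The following is an added example written for this page, not Triumfant's own code; the product name "p2p-client", the group names, the owner titles and the tier ordering are constructed assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    hostname: str
    group: str        # constructed examples: "finance", "qa-lab"
    owner_title: str  # constructed examples: "VP", "Director", "Analyst"


@dataclass(frozen=True)
class ConfigurationRule:
    """Configuration management as the post describes it: one cause, one action."""
    software: str
    action: str = "remove"

    def evaluate(self, endpoint, detected_software):
        return self.action if detected_software == self.software else None


@dataclass(frozen=True)
class SoftwarePolicy:
    """Policy management: the same detection, but with an exception group and
    remediation tiers chosen from the machine owner's title."""
    software: str
    exempt_groups: frozenset
    tiers: tuple               # ((titles, action), ...); first match wins
    default_action: str = "remove"

    def evaluate(self, endpoint, detected_software):
        if detected_software != self.software:
            return None                    # this policy does not apply
        if endpoint.group in self.exempt_groups:
            return "allow"                 # the "except for" clause
        for titles, action in self.tiers:
            if endpoint.owner_title in titles:
                return action
        return self.default_action         # everyone else


# Policy for the constructed product name "p2p-client" (an assumption):
# notification only for VPs and above, removal with notification for
# directors, silent removal for everyone else, and the qa-lab group exempt.
UNAUTHORIZED_P2P = SoftwarePolicy(
    software="p2p-client",
    exempt_groups=frozenset({"qa-lab"}),
    tiers=(
        (frozenset({"VP", "SVP", "CEO"}), "notify"),
        (frozenset({"Director", "Senior Director"}), "remove+notify"),
    ),
)


def plan_remediations(policy, detections):
    """detections: iterable of (Endpoint, detected_software).
    Returns {hostname: action} for every endpoint the policy applies to."""
    plan = {}
    for endpoint, software in detections:
        action = policy.evaluate(endpoint, software)
        if action is not None:
            plan[endpoint.hostname] = action
    return plan


# Constructed detections from one daily scan (not real data).
DETECTIONS = [
    (Endpoint("ws-101", "finance", "VP"), "p2p-client"),
    (Endpoint("ws-102", "finance", "Director"), "p2p-client"),
    (Endpoint("ws-103", "finance", "Analyst"), "p2p-client"),
    (Endpoint("ws-201", "qa-lab", "Analyst"), "p2p-client"),
    (Endpoint("ws-104", "finance", "Analyst"), "approved-editor"),
]

if __name__ == "__main__":
    for host, action in plan_remediations(UNAUTHORIZED_P2P, DETECTIONS).items():
        print(f"{host}: {action}")
```

The configuration rule needs nothing but the software name to decide; the policy needs the group and owner of the machine as well, which is why a policy has to be captured as structured data (exception groups, ordered tiers, a default) rather than as a single setting. The same detection event yields four different outcomes across the five constructed endpoints, including "allow" for the exempt group and no action at all for software the policy does not cover.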


Conficker – Executing to a Roadmap of Malicious Intent

March 30, 2009

Conficker found its way to 60 Minutes last night and now I have friends wanting to know more.  While looking for materials to pass along, I found two great articles by Elinor Mills of CNET News this morning that follow along with my previous entry about “The Good Old Days of Conficker”.  The first is her March 25 article that gives a good overview of the Conficker worm.  The second is her March 28 look back to the 10 year anniversary of the Melissa virus.  Look at the last question at the end of the Melissa piece about comparing Melissa to Conficker.

Reading through Elinor’s timeline piece it struck me that Conficker is being developed in what has the appearance of an actual software development process like any application or software product.  The different versions (.B, .C) are in fact releases of the product that are being deployed at regular intervals to “enhance” the worm.  The group behind this may be so organized that there is a Conficker roadmap with a release schedule.  Shoot, there may be arguments amongst the Conficker dev team about the merits of waterfall versus iterative design as they converse before the next developer’s meeting of the coming 3/31 code drop.

It is not that farfetched.  Cyber crime is clearly more organized, so it is logical to think their processes are equally organized.  Some of you that have done orderly software design may be thinking that this may offer the world hope for endpoint security, as some form of organization and rigor are often seen as the culprit for slower development cycles and delays.  Ultimately though, the Conficker developers still have agility on their side, as they do not have to worry about integration testing, user interface design, downward compatibility, documentation, and any of the hundred other things that slow development cycles.  I am also quite sure they do not have a helpdesk, so development does not have a long list of bugs to address.

My point?  When we think about cyber crime being funded and organized, I am not sure we think about cyber criminals developing attacks with deliberate rigor.  But that may be exactly what we are up against.  It is no longer well funded, smart companies against a rogue hacker.  It is well funded smart companies against equally well funded, smart organizations executing against a maliciously intended roadmap.


Gartner Weighs In on Endpoint Power Management

March 27, 2009

Yesterday, Gartner released some studies about endpoint power management.  The first, “When to Consider Commercial PC Power Management Tools” is a good general guide to the subject, while the second, “PC Power Management Tools Market Update, 2009” does an in-depth look at the tools available on the market.  I invite you to download these reports via the Gartner web site.  Triumfant is pleased to be one of the tools assessed in the study and proud of what we believe to be a positive evaluation.

In both the wider study and the product update the Gartner Analyst, Terry Cosgrove, notes that power management is becoming an integrated element of broader offerings.  We at Triumfant believe that this is a logical evolution and will be the path to broader adoption of endpoint power management (see “What’s Next for IT Power Management for the Endpoint” ).  With all due respect to the other vendors that have point offerings, it just makes sense that Power Management would be a logical extension of existing tools for compliance and configuration on the desktop.  For Triumfant, Power Management literally uses 300 of the 200,000 attributes we track, the power policies are easily represented in our policy management processes, and our analytical capability allowed us to add some compelling capabilities to our Wake-on-LAN functionality.   The customer gets the capabilities they need without adding an additional agent or introducing a new management console.

Let me give you an analogy.  You own an office building and you know that turning off lights throughout the building when most offices are vacant will save you money.  You could hire someone to come in every day at 6pm and go office to office turning off every light.  But the cost of the extra person would greatly impact if not eliminate the savings.  Then it hits you – you already have someone who comes in at 6pm and goes office to office.  So you make it a new duty of the cleaning staff to turn off all lights on their way out of an office.  It is a very small fraction of their responsibilities and capabilities, and requires no additional costs or infrastructure.

Furthermore, broader offerings tend to have well developed reporting capabilities, which we have found to be a strong requirement with prospects.  As Terry Cosgrove points out in his studies, the people implementing and funding power management rarely see power bills, so they need actionable reports to show the return on investment.  In fact we find ourselves speaking with organizations that already have power management software but are looking for better reporting, specifically to show the ROI.

I think the path is clear, and power management just makes too much sense to ignore.  The disconnect is not technical but political, as the people that pay the bill are often completely disconnected from the IT staff that would procure, deploy, and manage the software.  It is up to companies to encourage and incent the IT staff to look for tools that have integrated power management and implement the policies to make it work.


The Good Old Days of Conficker

March 26, 2009

I have been doing a lot of reading this week about Conficker and the speculation about what it will do on April 1 (the March 19 article in the New York Times and great insights by Byron Acohido in his March 24 USA Today article and on his blog http://lastwatchdog.com/ to name a few).  Predictions and assessments range from it being a cruel April Fool’s Day prank to a “dark Google” to the “botnet of botnets” to Bill Murray’s classic line in Ghostbusters: “dogs and cats living together… mass hysteria!”.

It is clear that we have stepped into a new world of cyber attacks from an entirely different breed of cyber criminal.  This worm continues to function and evolve in full view, resisting the efforts of a distinguished consortium of vendors who have united to stop it.  And like the science fiction creatures of the 50’s, it continues to devour things in its path like defensive software and the ability to receive Microsoft updates as it grows.  Scary stuff or, again borrowing from Ghostbusters, a “Class Five Full Roaming Vapor… A real nasty one, too”.

All of this leads me to wonder what we will see over the next ten years.  During my time at Cybertrust I had the opportunity to work with Dr. Peter Tippett – now at Verizon Business – who is credited with being one of the first people to create antivirus software and with helping to bring down some of the higher profile attacks earlier in the decade.  I am sure that to the early pioneers of AV like Peter, worms like Slammer, Blaster and Zotob were really seen as quantum leaps in malicious attacks, much as Conficker is today.  While these previously nasty worms seem like ages ago, it is good to remember that Zotob was August of 2005.

My point?  As bad as Conficker may seem, we may find ourselves looking back on it wistfully sooner than we would care to think.  It is yet another warning that the old methods of endpoint security will need to evolve and evolve quickly to keep pace, as the next and likely even nastier worm is currently percolating somewhere in cyberspace.

I can almost see it now – longing for the good old days of Conficker.


Security Configuration Management – Plugging the Holes in Your Endpoint Security

March 25, 2009

This is the third entry in a series of how Triumfant helps plug gaps in your endpoint security defense-in-depth strategy.  In this entry I will address security configuration management – ensuring that the defensive software you have deployed is really deployed, properly configured, and in working order.

In my opening entry on this series I presented information about how many breaches do not come from some sophisticated malware or innovative attack vector, but rather as the result of missing or misconfigured software.  The source for such issues may be:

 - Deployment issues where software is simply not deployed, improperly deployed, or improperly configured. 

 - User ignorance in the form of altering configuration settings, turning off defensive software, or responding to social engineering.

 - A maliciously intended insider making changes to machines to either introduce malicious code or make the machine vulnerable to malicious code.

Security configuration management exists at the convergence of security and operations, combining elements of vulnerability assessment, automated remediation, and configuration compliance.  The end goal is to reduce risk by ensuring that systems are configured properly.

Triumfant is extremely effective at security configuration management, and can enforce multiple security policies simultaneously on endpoint populations or specific groups within that population.  By using its patented analytics, Triumfant can detect configuration settings that depart from the normal settings of like computers, providing indicators of misconfiguration even if there is not a specific policy for that particular setting.  When Triumfant detects non-compliance, it can synthesize a remediation and return the machine to compliance automatically.

As a result, businesses and government agencies can start every day knowing that every computer is compliant with organizational security policies and/or with mandated policies such as FDCC Compliance, FISMA, or PCI.  Defensive software is in place and executing properly, allowing it to do the job for which it was intended – to protect the machine.  Configuration settings at the operating system and application levels are set to organizational standards to maximize security and minimize risk.  And all of these tasks are executed on every computer every day, with minimal or even zero labor costs.  Our customers start every day audit ready and prepared to face the threats poised to attack any vulnerability.

This every computer, every day approach is unique to the industry and only possible because of Triumfant’s ability to detect unexpected changes and conditions on endpoint machines and automatically remediate the detected problems.  Think about how much time, money, and labor goes into endpoint security, only to have machines attacked because they are improperly configured, or the user simply turned off the antivirus agent because it slowed down the machine.  With Triumfant driving security configuration management, these vulnerabilities can be eliminated.

Best of all, if malicious code still evades all of this properly working and configured defensive software and finds its way to a machine, Triumfant will detect that attack and remediate the problem, with the same software used for security configuration management.  That is what I mean when I say we close all of the gaps in endpoint security.


Triumfant Resolution Manager – Describing the Unique

March 24, 2009

Describing the unique can be a challenge. You see, the human mind prefers reference points when it considers something new. It seeks to immediately compare and categorize the new item with what it already knows. So when something is completely unique and novel, the mind sometimes has trouble grasping it because it either has no worthy comparative for context, or the mind incorrectly attempts to draw false parallels and therefore creates predispositions that often are not true.

Such is the case with Triumfant. Our software, Resolution Manager, is truly unique, and because of that, the things we can do for our customers are equally unique. The depth at which we scan endpoint computers and servers is unprecedented, so our ability to spot changes that may be indicators of potential problems or a malicious attack is equally unprecedented. Because we see all of the changes to a machine at a granular level, we have the unique ability to build a remediation on the fly specific to a given incident for that computer at that point in time. Can other products remediate? Sure. But only if the problem fits the patterns of pre-defined remediations, or if someone builds a remediation script which is then pushed to every machine in the population. No product that I know of builds a surgical, fully reversible remediation on the spot.

So until someone knows how we do what we do, it is often hard to fully appreciate what we can do. How we can see the malicious code that other signature based endpoint security products miss, because we detect the tell-tale indicators at the most granular level. How we can ensure that every machine can start every day compliant and audit ready against any number of policies and controls. How customers can expect a 20% to 40% drop in trouble ticket volume because we can spot and fix a problem before it interrupts service.

The beauty of the conversation is that as someone begins to understand the how, they often quickly connect the dots to the what. For example, I can’t tell you how many times experienced IT security people immediately grasp our ability to detect malicious attacks very early into the explanation of the how, well before we get to the what part of the conversation.

So forgive us sometimes when we seem to ignore early comparisons with other products or start with descriptions of our technology before jumping into the application and benefits of the product. Sometimes describing the unique takes a slightly different approach.


Advanced Remediation – Plugging the Holes in Your Endpoint Security

March 20, 2009

This is the second in a series of how Triumfant helps plug gaps in your endpoint security defense-in-depth strategy.  In this entry I will address holistic remediation to clean up all of the damage done by an attack – not just deleting the malicious executable – that may cause additional vulnerabilities.

Just as the process of detecting malicious software must evolve to address the changing face of malicious attacks, so must the way we remediate an attack once it is discovered. Earlier it was enough to spot malicious code and simply eradicate or isolate that code.  But this new generation of attacks requires much more, as the collateral damage from an attack can open up a host of new vulnerabilities if they are not addressed.

The complex attacks of today seek to change security settings, open ports, and disable other defensive software, with Conficker being one of today’s extreme examples. Simply killing the original executable is not enough, as these changes can be exploited by other subsequent attacks.  Evidence shows that multi-stage attacks now seek to soften the defenses of the PC in the first wave to prepare for subsequent payloads of more dangerous intent.  This is why many organizations feel compelled to re-image machines that have been the target of an attack.

The ability of Triumfant to detect changes at the most granular level uniquely allows us to synthesize remediations that are far more comprehensive and capable of addressing the collateral damage of an attack.  Because we see what changes and know what something looked like before the change, we can restore the machine – registry settings, port settings, configuration settings – back to their pre-attack values. This is not reverting to a “golden image”.  It is anomaly detection derived from an adaptive reference model.  If a user installs software that is not authorized, we can remove the software the same way, bypassing the uninstall scripts that may not completely remove the software or purposely leave behind code that carries malicious intent.

In summary, we see attacks others can’t and we clean up the mess in ways no one else can.  The same change detection capability that allows Triumfant to spot zero-day malware and variants of known attacks enables Triumfant to effectively and completely remove the malicious code and restore the collateral damage done by the attack.  Even if your AV software spots the attacks, Triumfant can come behind and do a far better job of remediation.  For those organizations that feel forced to re-image a machine post-attack, the ability to holistically repair an infected machine could save significant labor costs and minimize the loss of productivity.


FDCC Compliance – What is the “Or Else”?

March 19, 2009

We are fast approaching another “line in the sand” date for FDCC Compliance, but there is much to be done before we reach a state of mass adoption.  On March 31, agencies are required to submit to NIST and OMB a technical report about the status of their implementations. But like many other deadlines in the FDCC timeline, this will pass with a large number of agencies either in progress or still squarely at the starting line with their FDCC initiatives.

The problem is certainly not a technical one, as there are many validated tools that can help with the process. Triumfant was one of the first vendors to be a NIST SCAP validated FDCC scanning tool, and we remain one of a very few tools that can deliver automated misconfiguration remediation according to NIST. Enforcing the FDCC policies is a relatively simple task for our solution, as these policies touch a very small percentage of the 200K+ attributes that we scan on a daily basis. The policies are not inherently complex nor do the policies pose a significant technical challenge to enforce. In fact, they represent common endpoint security policies that we often see in security configuration management.

But there is something lacking that seems a bit more obvious to me – the “or else”. As a father of two teenage boys, I can assure you that I have a firm grasp of the “or else” component of successful policy enforcement.  So just what is the “or else” for those agencies that miss the deadline? The answer, or the lack of one, may be the real reason why many agencies will wave politely from the sideline as another deadline passes them by.


Triumfant Selected by Gartner as a “Cool Vendor 2009”

March 17, 2009

Triumfant received word that we were selected as a “Cool Vendor” for 2009 in the Cool Vendors in IT Operations and Virtualization, 2009 report (http://tinyurl.com/CoolVend). Given that being designated “cool” is, well, cool, we are excited. Of course, the study itself is copyrighted property of Gartner, so I invite you to view the study through your paid subscription to Gartner.

Triumfant has received a lot of attention about our security capabilities in the recent months, specifically our ability to detect and remediate zero day malware. But the ability to identify and fix operational issues before they become a trouble ticket is at the foundational core of the formation of the company. So it goes without saying that we are delighted to be designated “cool” in this particular area of application for our solution. In tough economic times, the ability to detect, analyze, and repair problems with no human intervention has real value in the area of IT Operations and Services Management. Reducing trouble tickets by 20% to 40% is something organizations can easily quantify in regards to real dollars saved.

Much of the things that make Triumfant useful and noteworthy in IT Operations are also applicable in security (specifically security configuration management) and we think that makes a product like ours a great value for our customers. There is clearly a convergence of operations and security which we see in varying degrees of maturity as we visit customers and prospects, but it is happening. So having a single solution like ours that addresses both ends of this coming convergence is, in a word, cool.

I guess what I am saying is that we think that our “cool” is not limited just to IT Operations. Of course, that is an unofficial extrapolation on my part. But one I think is easy to defend.


Detecting Zero Day Malware – Plugging the Gaps in Endpoint Security

March 16, 2009

This is the second in a series of how Triumfant helps plug gaps in your endpoint security defense-in-depth strategy.  In this entry I will address the detection and remediation of zero day malware and the other attacks that traditional antivirus software does not see.

You do not need me to give you the hard facts on how many attacks evade traditional antivirus software, as the evidence and statistics are everywhere.  Clearly a new method for detecting malicious activity is required and we believe that Triumfant provides that method.  Triumfant sees what other defensive software cannot because it is the only software that uses granular change detection to spot malicious activity and therefore requires no prior knowledge or catalogued signature of an attack to detect it.  Let me explain.

Triumfant scans every endpoint computer for over 200,000 attributes including registry values, physical device settings and even memory tables.  These attributes are loaded onto our server where they feed our analytical model that continually analyzes these scans to detect unexpected changes (anomalies) or unexpected conditions (non-compliance with explicit policies) on a given computer.  When these unexpected changes follow the patterns of malicious activity such as unusual auto-start methods, stealth techniques such as those used by rootkits, or unusual firewall exceptions, we create an alert and begin an automated analysis process to provide security administrators the information they need to make a final determination. The information and remediation for the attack is captured in something we call a filter, which you can then apply to all endpoint machines in your population to detect and remediate all occurrences of the attack.

No signature or prior knowledge is required. This means that attacks won’t sneak through because signature files are not up to date or the new attack is a variant of an existing signature. Because Triumfant detects even the most seemingly harmless changes in endpoint computers, it can see indicators of even the most well disguised attacks. For example, we detect attacks that replace an executable with malicious code of the same name and size. If you are attacked, there is no lag between reporting the attack, a signature being produced, and that new signature being pushed out to all of your endpoints (which could be weeks). Triumfant synthesizes a remediation on the spot, enabling incident response in near real time.

In summary, Triumfant uses change detection at the most granular level to look for indicators of malicious activity.  Because it requires no known signatures or prior knowledge of any attack, it is able to spot and repair zero day malware and variants of known attacks. I invite you to check the statistics on the failure rate of traditional signature based antivirus software for yourself, and the value of Triumfant’s capabilities will be apparent.
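The approach described in this entry, and the restore-to-pre-attack-values remediation described in the Advanced Remediation entry above, both rest on the same mechanism: a snapshot of endpoint attributes is compared against a baseline, the differences are matched against patterns of malicious activity (new auto-start entries, new firewall exceptions, a defensive service switched off, an executable replaced in place), and the pre-change values recorded in the baseline become the remediation. The following is an added example written for this page, not Triumfant's code or data model; the attribute naming scheme, the snapshot values and the pattern rules are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass


def file_attr(content: bytes):
    """Record an executable as (size, sha256): a replacement that keeps the
    name and size still changes the hash, so the snapshot diff sees it."""
    return (len(content), hashlib.sha256(content).hexdigest())


@dataclass(frozen=True)
class Change:
    attribute: str
    before: object  # None when the attribute is new
    after: object   # None when the attribute was removed


@dataclass(frozen=True)
class Step:
    """One reversible remediation step: write set_to (delete when None);
    undo_to holds the value needed to roll the step back."""
    attribute: str
    set_to: object
    undo_to: object


def diff_snapshots(baseline, observed):
    """Every attribute whose value differs between the two flat snapshots."""
    return [Change(k, baseline.get(k), observed.get(k))
            for k in sorted(set(baseline) | set(observed))
            if baseline.get(k) != observed.get(k)]


def classify(change):
    """Match a raw change against the malicious-activity patterns named in the
    post; anything else is reported but left for an administrator to judge."""
    key, before, after = change.attribute, change.before, change.after
    if key.startswith("registry:") and "\\CurrentVersion\\Run\\" in key and before is None:
        return "new auto-start entry"
    if key.startswith("firewall:exception:") and before is None:
        return "new firewall exception"
    if key.startswith("service:") and key.endswith(":start") and after == "disabled":
        return "defensive service disabled"
    if key.startswith("file:") and before and after:
        return ("executable replaced with same name and size"
                if before[0] == after[0] else "executable modified")
    return "unclassified change"


def analyze(baseline, observed):
    """Return (findings, plan). Only classified changes enter the plan; each
    step restores the baseline value and records the observed value as undo."""
    changes = diff_snapshots(baseline, observed)
    findings = {c.attribute: classify(c) for c in changes}
    plan = [Step(c.attribute, c.before, c.after) for c in changes
            if findings[c.attribute] != "unclassified change"]
    return findings, plan


def apply_steps(snapshot, plan, reverse=False):
    """Apply the plan to a snapshot, or roll it back with reverse=True."""
    result = dict(snapshot)
    for step in plan:
        value = step.undo_to if reverse else step.set_to
        if value is None:
            result.pop(step.attribute, None)
        else:
            result[step.attribute] = value
    return result


# Constructed sample snapshots (not real endpoint data). The two executables
# are padded to the same length so only their content differs.
LEGIT_SVCHOST = b"MZ legitimate svchost".ljust(32, b"\0")
TROJAN_SVCHOST = b"MZ replaced svchost".ljust(32, b"\0")
SVCHOST = r"file:C:\Windows\System32\svchost.exe"
RUN_KEY = r"registry:HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svcupd"
FW_RULE = "firewall:exception:svcupd"
DEFENDER = "service:WinDefend:start"
WALLPAPER = r"registry:HKCU\Control Panel\Desktop\Wallpaper"

BASELINE = {
    SVCHOST: file_attr(LEGIT_SVCHOST),
    DEFENDER: "auto",
    WALLPAPER: r"C:\Users\alice\beach.jpg",
    "firewall:exception:remote-desktop": "allow tcp/3389",
}
OBSERVED = {
    SVCHOST: file_attr(TROJAN_SVCHOST),          # same name and size, new hash
    DEFENDER: "disabled",                        # defensive service turned off
    WALLPAPER: r"C:\Users\alice\mountain.jpg",   # benign user change
    "firewall:exception:remote-desktop": "allow tcp/3389",
    RUN_KEY: r"C:\Windows\Temp\svcupd.exe",      # new auto-start entry
    FW_RULE: "allow tcp/8080",                   # new firewall exception
}

if __name__ == "__main__":
    findings, plan = analyze(BASELINE, OBSERVED)
    for attribute, finding in findings.items():
        print(f"{finding:45s} {attribute}")
    restored = apply_steps(OBSERVED, plan)
    print("remediated attributes back at baseline:",
          all(restored.get(s.attribute) == BASELINE.get(s.attribute) for s in plan))
```

Two design points follow from the post. The same-size replacement is visible only because the snapshot records a content hash alongside the size; a diff on name and size alone would miss exactly the disguised attack the entry describes. And the plan is built from the baseline values rather than from a golden image, so it touches only the attributes the attack changed: the wallpaper change is reported as unclassified and left alone, and every step carries its own undo value so the remediation can be reversed if the administrator's final determination goes the other way.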