Detecting Zero Day Malware – Plugging the Gaps in Endpoint Security

This is the second in a series of posts on how Triumfant helps plug gaps in your endpoint security defense-in-depth strategy.  In this entry I will address the detection and remediation of zero day malware and the other attacks that traditional antivirus software does not see.

You do not need me to give you the hard facts on how many attacks evade traditional antivirus software, as the evidence and statistics are everywhere.  Clearly a new method for detecting malicious activity is required, and we believe that Triumfant provides that method.  Triumfant sees what other defensive software cannot because it is the only software that uses granular change detection to spot malicious activity and, therefore, requires no prior knowledge or catalogued signature of an attack to detect it.  Let me explain.

Triumfant scans every endpoint computer for over 200,000 attributes including registry values, physical device settings and even memory tables.  These attributes are loaded onto our server, where they feed an analytical model that continually analyzes the scans to detect unexpected changes (anomalies) or unexpected conditions (non-compliance with explicit policies) on a given computer.  When these unexpected changes follow the patterns of malicious activity, such as unusual auto-start methods, stealth techniques like those used by rootkits, or unusual firewall exceptions, we create an alert and begin an automated analysis process that gives security administrators the information they need to make a final determination.  The information about the attack and its remediation are captured in something we call a filter, which you can then apply to every endpoint in your population to detect and remediate all occurrences of the attack.  

No signature or prior knowledge is required.  This means that attacks will not sneak through because signature files are out of date or because the new attack is a variant of one that already has a signature.  Because Triumfant detects even the most seemingly harmless changes on endpoint computers, it can see indicators of even the most well disguised attacks.  For example, we detect attacks that replace an executable with malicious code of the same name and size, a change that a check on file name and size alone would never reveal.  If you are attacked, there is no lag between reporting the attack, waiting for a vendor to produce a signature, and pushing that signature out to all of your endpoints (a cycle that can take weeks).  Triumfant synthesizes a remediation on the spot, enabling incident response in near real time.    
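The two paragraphs above describe the mechanics in prose: a baseline of endpoint attributes, a diff against the latest scan, pattern rules that turn raw changes into alerts, and a filter that carries the remediation to the rest of the population. The following is an added illustrative example of that pipeline written for this post; it is not Triumfant's code, and it does not reproduce the product's attribute set or analytical model. The attribute names (`reg:`, `file:`, `firewall:`, `driver:` prefixes), the four pattern rules, and the two snapshots are all constructed for the example. File attributes are recorded as (size, SHA-256) so that the same-name, same-size replacement described above is visible as a change even though name and size are untouched.

```python
"""Granular change detection over endpoint attribute snapshots (illustrative)."""
import hashlib

# Constructed sample data: these byte strings stand in for real executables.
GOOD_SVCHOST = b"MZ" + b"\x90" * 60               # 62 bytes, benign
EVIL_SVCHOST = b"MZ" + b"\x90" * 59 + b"\xcc"     # 62 bytes, same size, tampered
NTFS_SYS = b"MZ" + b"\x00" * 30


def file_attr(content: bytes):
    """Attribute value for a file: (size in bytes, sha256 hex)."""
    return (len(content), hashlib.sha256(content).hexdigest())


# Baseline snapshot of one endpoint (hypothetical attribute naming scheme).
BASELINE = {
    "file:C:\\Windows\\System32\\svchost.exe": file_attr(GOOD_SVCHOST),
    "file:C:\\Windows\\System32\\drivers\\ntfs.sys": file_attr(NTFS_SYS),
    "reg:HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive":
        "C:\\Program Files\\OneDrive\\OneDrive.exe",
    "firewall:exceptions\\Remote Desktop": "TCP/3389 in",
    "driver:ntfs.sys": "C:\\Windows\\System32\\drivers\\ntfs.sys",
}

# Latest scan of the same endpoint after a constructed compromise.
CURRENT = dict(BASELINE)
CURRENT["file:C:\\Windows\\System32\\svchost.exe"] = file_attr(EVIL_SVCHOST)
CURRENT["reg:HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"] = \
    "C:\\Users\\Public\\updater.exe"
CURRENT["firewall:exceptions\\updater"] = "TCP/4444 in"
CURRENT["driver:hidesys.sys"] = "C:\\Windows\\Temp\\hidesys.sys"  # no file: entry scanned

RUN_KEY = "\\CurrentVersion\\Run\\"


def diff_snapshots(baseline, current):
    """Return (kind, attribute, old, new) for every attribute that differs."""
    changes = []
    for key in sorted(set(baseline) | set(current)):
        if key not in baseline:
            changes.append(("added", key, None, current[key]))
        elif key not in current:
            changes.append(("removed", key, baseline[key], None))
        elif baseline[key] != current[key]:
            changes.append(("modified", key, baseline[key], current[key]))
    return changes


def classify(changes, current):
    """Map raw changes onto malicious-activity patterns; returns (indicator, attribute)."""
    alerts = []
    for kind, key, old, new in changes:
        if kind == "added" and key.startswith("reg:") and RUN_KEY in key:
            alerts.append(("autostart", key))            # new auto-start method
        elif kind == "added" and key.startswith("firewall:"):
            alerts.append(("firewall_exception", key))   # new inbound exception
        elif (kind == "modified" and key.startswith("file:")
              and old[0] == new[0] and old[1] != new[1]):
            alerts.append(("same_size_replacement", key))  # same name and size, new hash
        elif kind == "added" and key.startswith("driver:") and "file:" + new not in current:
            alerts.append(("stealth_driver", key))       # loaded driver with no on-disk image
    return alerts


def synthesize_filter(alerts, baseline):
    """Build a remediation filter: remove injected attributes, restore tampered ones.

    Restoring a file attribute here only resets the expected (size, hash); a real
    remediation must also put a known-good copy of the binary back on disk."""
    actions = []
    for indicator, key in alerts:
        if indicator == "same_size_replacement":
            actions.append(("restore", key, baseline[key]))
        else:
            actions.append(("remove", key, None))
    return actions


def apply_filter(snapshot, actions):
    """Apply a filter to any endpoint's snapshot (the same filter serves the whole population)."""
    fixed = dict(snapshot)
    for op, key, value in actions:
        if op == "remove":
            fixed.pop(key, None)
        else:
            fixed[key] = value
    return fixed


def detect_and_remediate(baseline, current):
    alerts = classify(diff_snapshots(baseline, current), current)
    actions = synthesize_filter(alerts, baseline)
    return alerts, actions, apply_filter(current, actions)


if __name__ == "__main__":
    alerts, actions, fixed = detect_and_remediate(BASELINE, CURRENT)
    for indicator, key in alerts:
        print(f"ALERT {indicator}: {key}")
    print("remediated matches baseline:", fixed == BASELINE)
```

The filter produced from one endpoint can be applied unchanged to a second endpoint carrying only a subset of the same changes; attributes the filter names but the endpoint lacks are simply skipped, which is what lets one analysis clean a whole population.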

In summary, Triumfant uses change detection at the most granular level to look for indicators of malicious activity.  Because it requires no known signatures or prior knowledge of any attack, it is able to spot and repair zero day malware and variants of known attacks.  I invite you to check the statistics on the failure rate of traditional signature-based antivirus software for yourself; the value of Triumfant's capabilities will then be apparent.

About John Prisco
President & CEO, Triumfant Incorporated
