Advanced Remediation – Plugging the Holes in Your Endpoint Security

This is the second entry in a series on how Triumfant helps plug gaps in your endpoint security defense-in-depth strategy. In this entry I will address holistic remediation: cleaning up all of the damage done by an attack, not just deleting the malicious executable, because the changes an attack leaves behind may themselves create additional vulnerabilities.

Just as the process of detecting malicious software must evolve to address the changing face of malicious attacks, so must the way we remediate an attack once it is discovered. It used to be enough to spot malicious code and simply eradicate or isolate it. This new generation of attacks requires much more, because the collateral damage from an attack can open up a host of new vulnerabilities if it is not addressed.

The complex attacks of today change security settings, open ports, and disable other defensive software; Conficker, which disables Windows services such as Automatic Updates and Windows Defender and blocks access to security vendors' sites, is one of today's extreme examples. Simply killing the original executable is not enough, because these changes stay in place for subsequent attacks to exploit. Multi-stage attacks now soften the defenses of the PC in the first wave to prepare for later payloads of more dangerous intent. This is why many organizations feel compelled to re-image machines that have been the target of an attack.

Triumfant's ability to detect changes at the most granular level lets us synthesize remediations that are far more comprehensive and that address the collateral damage of an attack, not just the executable. Because we see what changed and know what each attribute looked like before the change, we can restore the machine, including registry settings, port settings and configuration settings, to its pre-attack values. This is not reverting to a "golden image": it is anomaly detection derived from an adaptive reference model, so only the attributes the attack altered are touched, and a change is reversible only because the model recorded the attribute's pre-attack value. If a user installs software that is not authorized, we can remove that software the same way, bypassing uninstall scripts that may not completely remove the software or that deliberately leave behind code carrying malicious intent.
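To make the snapshot-and-diff idea concrete, here is an added Python example written for this page; it is not Triumfant's code and does not model its actual attribute set. An endpoint is represented as a flat dictionary of attribute names to values. A constructed pre-attack snapshot is diffed against a constructed post-attack snapshot in which a dropper has added an autorun entry, disabled two services, switched the firewall off, opened a listener, rewritten the hosts file and deleted a scheduled scan. The remediation plan is derived entirely from that difference: added attributes are removed, deleted or altered attributes are written back to their recorded values. Every registry path, service name, file path and hash below is made up for the example.

```python
"""Snapshot-and-diff remediation synthesis (illustrative, not Triumfant's code).

Every attribute is a name -> value pair. BASELINE is what the endpoint looked
like before the attack; CURRENT is what it looks like now. The remediation plan
is derived purely from the difference, so it reverts collateral damage that
deleting the dropper alone would leave behind.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed pre-attack snapshot. Attribute names, paths and hashes are
# hypothetical, chosen only to look like the kinds of things a model records.
BASELINE = {
    r"reg:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth":
        r"C:\Windows\System32\SecurityHealthSystray.exe",
    "svc:WinDefend:start": "auto",
    "svc:wuauserv:start": "auto",
    "fw:profile:Domain:enabled": "yes",
    r"task:\Microsoft\Windows\Windows Defender\Scheduled Scan": "enabled",
    r"file:C:\Windows\System32\drivers\etc\hosts:sha256": "2d7f...(constructed)",
}

# Constructed post-attack snapshot: an autorun and a listener were added, two
# services and the firewall were disabled, hosts was rewritten, a task removed.
CURRENT = {
    r"reg:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth":
        r"C:\Windows\System32\SecurityHealthSystray.exe",
    r"reg:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updsvc":
        r"C:\Users\Public\updsvc.exe",
    "svc:WinDefend:start": "disabled",
    "svc:wuauserv:start": "disabled",
    "fw:profile:Domain:enabled": "no",
    "fw:rule:in:tcp:4444:action": "allow",
    r"file:C:\Windows\System32\drivers\etc\hosts:sha256": "9c1e...(constructed)",
    r"file:C:\Users\Public\updsvc.exe:sha256": "e3b0...(constructed)",
}

# Attributes belonging to the dropper itself, for the "AV only" comparison below.
DROPPER_ATTRIBUTES = (
    r"reg:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updsvc",
    r"file:C:\Users\Public\updsvc.exe:sha256",
)


@dataclass(frozen=True)
class Action:
    verb: str              # "remove" (attribute was added) or "restore"
    attribute: str
    value: Optional[str]   # value to write back; None for "remove"


def diff(baseline, current):
    """Return (added, removed, changed) relative to the baseline."""
    added = {k: current[k] for k in current.keys() - baseline.keys()}
    removed = {k: baseline[k] for k in baseline.keys() - current.keys()}
    changed = {k: (baseline[k], current[k])
               for k in baseline.keys() & current.keys()
               if baseline[k] != current[k]}
    return added, removed, changed


def synthesize_remediation(baseline, current):
    """Build the ordered list of actions that returns current to baseline.

    Only attributes that differ are touched; nothing else is re-imaged.
    """
    added, removed, changed = diff(baseline, current)
    actions = [Action("remove", k, None) for k in sorted(added)]
    actions += [Action("restore", k, v) for k, v in sorted(removed.items())]
    actions += [Action("restore", k, old) for k, (old, _new) in sorted(changed.items())]
    return actions


def apply_remediation(current, actions):
    """Apply the plan to a copy of the current state and return the result."""
    state = dict(current)
    for action in actions:
        if action.verb == "remove":
            state.pop(action.attribute, None)
        else:
            state[action.attribute] = action.value
    return state


def verify_clean(baseline, state):
    """True when a fresh diff against the baseline finds nothing."""
    return all(not part for part in diff(baseline, state))


def remove_dropper_only(current):
    """What a signature-based clean-up does: delete the executable and autorun."""
    return {k: v for k, v in current.items() if k not in DROPPER_ATTRIBUTES}


if __name__ == "__main__":
    plan = synthesize_remediation(BASELINE, CURRENT)
    for action in plan:
        print(f"{action.verb:7} {action.attribute} -> {action.value}")
    print("clean after full plan:", verify_clean(BASELINE, apply_remediation(CURRENT, plan)))
    print("clean after dropper removal only:", verify_clean(BASELINE, remove_dropper_only(CURRENT)))
```

Running it prints eight actions and shows that deleting the dropper on its own leaves the disabled services, the open firewall rule and the rewritten hosts file in place, which is exactly the residue the post argues must be cleaned up. The design point is that the plan is computed from recorded pre-attack values, so an attribute the model never captured cannot be restored this way.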

In summary, we see attacks others can't and we clean up the mess in ways no one else can. The same change detection that allows Triumfant to spot zero-day malware and variants of known attacks lets it remove the malicious code completely and repair the collateral damage done by the attack. Even if your AV software spots the attack, Triumfant can follow behind and do a far better job of remediation. For organizations that feel forced to re-image a machine post-attack, the ability to holistically repair an infected machine could save significant labor costs and minimize lost productivity.

One Response to “Advanced Remediation – Plugging the Holes in Your Endpoint Security”

  1. [...] Triumfant detects a problem on an endpoint machine, it will build a remediation for that machine on the fly.  We can do that because we scan 200,000 or more attributes on a [...]