DoD $100M Cleanup – There is a Better Mousetrap
April 8, 2009
Two articles converged on my screen yesterday and left me with a strange mix of excitement and agitation. The source of that mix is that I unashamedly believe our company, Triumfant, can be a big part of the answer to the problems these articles describe. Sure, this is a bit self-serving, but hear me out.
The first was the CNET article by Elinor Mills on the $100 million the DoD has spent over the past six months cleaning up after internet and network attacks. It seems the DoD took over 1,500 machines offline last year because of cyber attacks. I am quite sure we could have helped.
When Triumfant detects a problem on an endpoint, it builds a remediation for that specific machine on the fly. We can do that because we scan 200,000 or more attributes on each machine and detect a change to any one of them. That lets the product see exactly what the attack did to the machine, so the effects can be reversed attribute by attribute. It is not voodoo and it is not too good to be true; it is sound, innovative technology. We clean up all of the collateral damage of the attack: open ports are closed, configuration settings are restored and registry entries are repaired, which eliminates the need to re-image the machine. And with the new release of our product due out Monday, the time from detection to remediation is minutes, not hours or days.
No scripts have to be written and no vendor intervention is required. Eliminating that human intervention eliminates the cost that goes with it. So I am confident that, using Triumfant, the DoD could have avoided some of that $100 million. How much, I cannot say without knowing the data behind the number. But I can say with confidence that we would have saved them more than the cost of our product, and since the $100 million covered only six months, the DoD would have recouped its investment in less than six months.
The article also mentioned that the $100 million included money spent on “inadvertent security problems”, which I take to mean human error and user ignorance. Triumfant detects and remediates incidents in which users, through ignorance or malicious intent, make changes to a machine, and it enforces policies and configurations without the need for, and the cost of, human intervention. So we would have saved them money there too.
“But wait,” you say, “others claim automated remediation.” Yes, they do. But dig deeper. They either require someone to write a script, or they keep a library of pre-written remediations and invoke the one that best fits the detected problem. Call them fixlets, remedies, scripts or anything else: they are neither automated nor specific to the attacked machine. In that sense they are just like signatures, because they require prior knowledge of an attack in order to work. If there is no fit, someone (or a group of someones) has to write a script. And they often do not fix all of the damage from an attack, leaving the machine dangerously vulnerable to future attacks. (More to say on this subject soon.)
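To make the approach described in the two preceding paragraphs concrete (detect every changed attribute against a baseline, then reverse each change without knowing the attack in advance), here is a toy model of baseline-diff remediation. It is an example added for this page, not Triumfant's code or a description of its internals; the attribute keys, the snapshot values, the fake digests and the `updater.exe` persistence entry are all constructed sample data.

```python
"""Toy model of baseline-diff remediation (added example, not product code).

Every tracked attribute of an endpoint is recorded in a baseline snapshot.
A later snapshot is compared with the baseline and each difference becomes
the action that reverses it, so no prior knowledge of the attack is needed.
All snapshot data below is constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# attribute key -> observed value. Key prefixes used in this example:
#   registry:<value path>      -> data
#   service:<name>:start       -> start type
#   port:tcp/<number>          -> "listening"
#   file:<path>:sha256         -> digest (shortened fake digests here)
Snapshot = Dict[str, str]

# Constructed baseline of a healthy machine.
BASELINE: Snapshot = {
    r"registry:HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
        r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    "service:WinDefend:start": "auto",
    "service:wuauserv:start": "auto",
    "port:tcp/445": "listening",
    r"file:C:\Windows\System32\drivers\etc\hosts:sha256": "7f3a1c9e0b5d",
}

# Constructed snapshot of the same machine after a hypothetical compromise.
COMPROMISED: Snapshot = dict(BASELINE)
COMPROMISED.update({
    # new Run value (persistence); "updater.exe" is a made-up name
    r"registry:HKLM\Software\Microsoft\Windows\CurrentVersion\Run\updater":
        r"C:\ProgramData\updater.exe",
    "service:WinDefend:start": "disabled",                                 # AV switched off
    "port:tcp/4444": "listening",                                          # new listener
    r"file:C:\Windows\System32\drivers\etc\hosts:sha256": "d41d8cd98f00",  # hosts edited
})
del COMPROMISED["service:wuauserv:start"]                                  # service deleted


@dataclass(frozen=True)
class Action:
    op: str               # "remove" | "restore" | "recreate"
    key: str
    value: Optional[str]  # baseline value to put back; None for "remove"


def diff(baseline: Snapshot, current: Snapshot) -> List[Action]:
    """One reversing action per attribute that differs from the baseline."""
    actions: List[Action] = []
    for key in sorted(set(baseline) | set(current)):
        before, after = baseline.get(key), current.get(key)
        if before == after:
            continue                                          # unchanged
        if before is None:
            actions.append(Action("remove", key, None))       # added by the attack
        elif after is None:
            actions.append(Action("recreate", key, before))   # deleted by the attack
        else:
            actions.append(Action("restore", key, before))    # modified by the attack
    return actions


def apply_plan(current: Snapshot, plan: List[Action]) -> Snapshot:
    """Simulate executing the plan; returns the resulting machine state."""
    repaired = dict(current)
    for action in plan:
        if action.op == "remove":
            repaired.pop(action.key, None)
        else:
            assert action.value is not None
            repaired[action.key] = action.value
    return repaired


def describe(action: Action) -> str:
    """Human-readable line for the plan, e.g. 'close listener tcp/4444'."""
    kind, rest = action.key.split(":", 1)
    if kind == "port" and action.op == "remove":
        return f"close listener {rest}"
    verb = {"remove": "delete", "restore": "reset", "recreate": "recreate"}[action.op]
    target = f"{verb} {kind} {rest}"
    return target if action.value is None else f"{target} -> {action.value}"


def remediate(baseline: Snapshot, current: Snapshot) -> Tuple[List[Action], Snapshot]:
    """Build the machine-specific plan and return it with the repaired state."""
    plan = diff(baseline, current)
    return plan, apply_plan(current, plan)


if __name__ == "__main__":
    plan, repaired = remediate(BASELINE, COMPROMISED)
    for action in plan:
        print(describe(action))
    print("matches baseline:", repaired == BASELINE)
```

Two caveats a practitioner would want before trusting any real system built this way: the baseline has to have been captured while the machine was known-clean and must be refreshed after every approved change, or patches and legitimate configuration work show up as "damage" to be reversed; and reverting state (registry values, service start types, listening ports) does not by itself stop a process that is still running, so the plan above has to be paired with terminating or quarantining whatever owns the reverted artifacts.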
Of course, if the security industry would look past signature-based protection to more innovative ways of detecting attacks, we could also cut cleanup costs directly. Which brings me to the second article, which reported that IBM now estimates 4 percent of computers worldwide are infected with Conficker. That takes us from early estimates of two to four million infected machines to ten to twenty million, or more. The proverbial barn door swung open in November and we are still counting how many horses we lost. The door is not yet shut, and we have not cleaned up the mess, so we do not yet know what that cleanup will cost. Conservative math says 10 million machines at $100 per machine is $1 billion.
This is not an “AV is dead” rant. AV is a necessary component of endpoint defense, and whether here on this blog or on a sales call, you will never hear anyone from Triumfant say otherwise. We are in fact building partnerships with several of the leading AV vendors and will be in the partner booth of one such vendor at the RSA show. But the facts do show that the complexity and volume of attacks are growing geometrically, and the basic premise of signature-based products (that there has to be prior knowledge of the attack) makes it impossible for vendors to keep pace on both detection and remediation. Conficker is just the latest embodiment of the problem.
Triumfant requires no prior knowledge to detect an attack, so we see known attacks, variants of known attacks and zero-day attacks. And we have already established that what we see, we can clean. How many of the attacks behind the DoD’s $100 million cleanup could we have stopped? I am not so bold as to say all of them, but my guess is that we would have stopped more than enough to dramatically reduce both the cost and the work lost from taking so many PCs offline.
I am not claiming that Triumfant is the answer to every security problem we have today. I do think it is one of the few truly innovative approaches to cyber security of the past several years. I have talked to a lot of industry analysts and writers and presented to scores of security professionals in government and the commercial sector, and no one can point me to another solution that does what we do. Some are close, but when you dig deep you will find critical differences.
Many of you will be at RSA in two weeks, and I invite you to find our modest little booth (2535) and talk to us about how we might address your specific needs. Or better yet, give us a call and we will be happy to come to your site and run a pilot. We are used to healthy skepticism, and a pilot lets you see for yourself how the product works.
I will bet that we find at least one piece of malware on your machines that you did not know was there, and that we remediate it without any human intervention. Who wants to go first?
