Triumfant Unveils Real-time Detection and Automated Remediation of Malware

Today Triumfant announced the latest release of Resolution Manager.  With this release, we have taken what we feel is an exciting step forward in the real-time detection and remediation of malicious activity.  So let me start by telling you what is different in this release, and then discuss why it is important.

The release includes two major enhancements to Resolution Manager, specifically in the realm of endpoint security.  First, detection of malicious activity is now real-time.  The agent now scans continuously for approximately 200 security-specific attributes that are markers of malicious activity, and immediately contacts the Triumfant server if it detects anything that may be malicious.  This kicks off the analysis process, and if the activity is determined to be a malicious attack, a remediation is synthesized and sent to the agent for execution.  The entire process from infection to detection to remediation spans mere minutes.  Resolution Manager has always been able to detect malicious code, and the agent has always continuously scanned endpoint machines for unusual or suspicious changes, but the agent previously reported its results to the server once per day by default, giving the detection process a 24-hour cycle.

Second, the remediation capabilities for security-specific incidents have been significantly enhanced.  As a result, Resolution Manager is now able to synthesize a remediation in all but the most extreme circumstances, eliminating the need for human intervention in creating it.  By removing the human element and the lag it introduces between detection and remediation, Resolution Manager can address the problem within minutes, before the malware can further damage the machine or propagate to other machines.

So there is the “what”; now let’s get to the “so what”.

The ability to identify malicious activity without signatures or any prior knowledge of the attack makes Triumfant unique in its ability to see the complex, directed attacks that evade traditional, signature-based defensive software, as well as the work of malicious insiders.  By making this detection capability real-time, Triumfant addresses an enormous gap in endpoint security and delivers protection that keeps pace with the rapidly evolving nature of cyber crime.

Let me say a word about false positives.  Whenever we brief analysts, press, and prospective customers, the question of false positives is frequently raised, because past attempts to use change detection or anomaly detection have been hindered by the false positive problem.  The engineers at Triumfant have eliminated the false positive problem by performing elaborate comparative analysis of detected changes across the broader population of machines to determine whether a change is truly anomalous: a change that appears across most of the population is far more likely to be a planned update than an attack, while a change confined to one or a few machines warrants attention.  These analytics are quite innovative and the subject of pending patents, and we will post a more detailed explanation of how they work very soon, likely written by someone far smarter than me.  On a more practical level, we can honestly say that none of our customers have encountered false positive problems.  The bottom line is that while others have tried new methods for detection, Triumfant has delivered an innovative and sound approach to malware detection to the mainstream.

While the detection capability of Triumfant is news in itself, the automated remediation capability is an enormous step forward in endpoint protection.  When a new variant of an existing attack or a zero-day attack occurs, organizations must rely on human intervention to perform the analysis and write some form of script or new signature to address the problem.  This process may take hours or even days, allowing the attack to spread and cause significant interruptions of service and potentially damaging loss of sensitive data.  By synthesizing a holistic remediation on the fly, Triumfant becomes the first tool able to address such attacks without human intervention, narrowing the gap between detection and remediation by orders of magnitude.  And since Triumfant records all of the changes to the infected machine, the synthesized remediation removes the offending code and repairs the collateral damage of the attack, restoring the machine to its pre-attack state and eliminating the need for costly and intrusive re-imaging.
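To make the two ideas above concrete (population-wide comparison to separate a fleet-wide patch from a truly anomalous change, and remediation derived from the recorded changes themselves), here is a small Python sketch added to this post.  It is not Triumfant's code and does not reproduce the patented analytics; it shows only the general principle.  The hosts, paths, hashes, sample change records, and the 25% prevalence threshold are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Change:
    """One observed change on one endpoint. None for before/after means 'absent'."""
    host: str
    kind: str              # "file" or "registry"
    path: str
    before: Optional[str]  # prior content (hash or value); None if it did not exist
    after: Optional[str]   # new content; None if it was removed

    def signature(self):
        """What the change is, independent of which host reported it."""
        return (self.kind, self.path, self.after)


# Constructed sample telemetry (not real data): five workstations all received the
# same patch, so the new ntdll.dll hash shows up fleet-wide. ws-03 additionally
# gained a dropped executable and a modified Winlogon Shell value that launches it.
HOSTS = ("ws-01", "ws-02", "ws-03", "ws-04", "ws-05")
WINLOGON_SHELL = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
DROPPED_EXE = r"C:\Users\Public\svchost.exe"

SAMPLE_CHANGES = [
    Change(h, "file", r"C:\Windows\System32\ntdll.dll", "sha256:1111", "sha256:2222")
    for h in HOSTS
] + [
    Change("ws-03", "file", DROPPED_EXE, None, "sha256:c0ffee"),
    Change("ws-03", "registry", WINLOGON_SHELL, "explorer.exe",
           "explorer.exe," + DROPPED_EXE),
]


def prevalence(changes):
    """Map each change signature to the set of hosts that reported it."""
    seen = defaultdict(set)
    for c in changes:
        seen[c.signature()].add(c.host)
    return seen


def anomalous_changes(changes, population, max_fraction=0.25):
    """Return the changes seen on at most max_fraction of the population.

    A change present on (nearly) every machine is treated as a planned,
    fleet-wide event such as a patch, even though it is 'new' on each host.
    Only changes that are rare across the population are escalated. The
    threshold is an assumed tuning knob, not a published value.
    """
    seen = prevalence(changes)
    return [c for c in changes
            if len(seen[c.signature()]) / population <= max_fraction]


def synthesize_remediation(changes):
    """Build a per-host remediation plan by inverting each recorded change."""
    plan = defaultdict(list)
    for c in changes:
        if c.before is None:
            plan[c.host].append(("remove", c.kind, c.path))
        elif c.after is None:
            plan[c.host].append(("recreate", c.kind, c.path, c.before))
        else:
            plan[c.host].append(("restore", c.kind, c.path, c.before))
    return dict(plan)


if __name__ == "__main__":
    flagged = anomalous_changes(SAMPLE_CHANGES, population=len(HOSTS))
    for c in flagged:
        print(f"anomalous on {c.host}: {c.kind} {c.path}")
    for host, actions in synthesize_remediation(flagged).items():
        print(host)
        for action in actions:
            print("  ", action)
```

Run as a script, the sketch leaves the patch alone (it is on 5 of 5 hosts), flags the two ws-03 changes, and emits a plan that deletes the dropped file and restores the Shell value to `explorer.exe`.  The point of keeping `before` in every record is that remediation falls out of the change log without anyone writing a script for this particular sample.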

So there you have it.  We think this is a pretty significant step forward: malicious attacks are growing in volume and complexity at a geometric rate, and defensive products that rely on signatures to detect an attack, remediate an attack, or both, are using a model that we, and a lot of other very smart people, believe is simply not sustainable.  We also believe that this release changes the game for endpoint security with a product that automatically detects and remediates malware without signatures or prior knowledge of the attack.  By compressing the entire process of detection, analysis, and remediation down to minutes instead of hours or days, and eliminating the need for human intervention, we think organizations will also see this as a significant step forward.
