Three Malware Timelines – Infinity, Days, Three Minutes

When an endpoint machine or server encounters a malicious attack that has no signature, your organization is set upon one of three timelines that is predetermined by the software you have in place.

The first timeline is not a good one, as it simply begins and potentially runs on to infinity. Dramatic? Perhaps, but infinity is the proper term when the timeline has no apparent endpoint. Why no endpoint? Traditional signature-based software misses attacks for which there is no known signature at a rate of fifty percent or higher, depending on whose stats you use. I use fifty percent because that seems to me the median of the research I have found, and whilst I suppose I could hype toward the higher numbers, fifty seems fair. The bottom line is that reliance on signature-based software puts your organization on a timeline where, once the attack occurs, there is no detection, and therefore no remediation, and therefore a line extending forward into time with no logical endpoint. One out of every two times. The infected machine becomes part of a botnet, or serves as the portal through which cyber criminals begin silently removing valuable data from your organization.

The second timeline assumes you have signature-based software and it in fact detects the attack. The next point on the timeline is your call to your vendor, who gets back to you with a signature. Vendors brag about four hours, but every security professional I have spoken to says 24 hours at a minimum. The next step is that you have to test the signature, because at the rate the antivirus guys are spitting them out – one every 20 seconds – I think there is reasonable suspicion about how much testing is being done. Then you have to begin the process of updating the endpoints and servers with the signature. This could be quick – a day or two – or extend into weeks (some research says 30-60 days). During the lag between infection and the push of the new signature, there is a reasonable risk that other machines are being similarly infected.

Somewhere in that timeline, in parallel, you have to build a remediation script, or your vendor has to build one, or you have to re-image the infected machine. Because even if your vendor says they have remediation capability, the remediations are pre-written scripts for known issues, and this is not a known issue. The remediations follow the same path as the signature, or lack thereof. If you go the script route, the script has to be tested and then pushed out like a patch. Given that it is a generic patch, there is a risk that not all of the problems created by the attack, and the nuances of the attack that result from the different profile of each machine, will be addressed, leaving the machines in a vulnerable state.

The third timeline is the exclusive domain of Triumfant customers. When the attack hits, Triumfant detects the unusual activity because it does not rely on signatures for detection. Triumfant scans machines every thirty seconds looking for markers of malicious activity, and when it sees such activity it sends a message to the Triumfant server, which then launches an in-depth probe of the machine. If it is determined that an attack has indeed taken place, Triumfant builds a situational remediation on the fly and sends it to the infected machine, ending the attack. Elapsed time: three minutes (see the video that proves it). Since Triumfant sees all of the changes to the machine caused by the attack, the remediation completely addresses everything done to the machine and restores it to its pre-attack condition. No re-imaging is required. The markers used to detect the attack can then be captured and a full scan initiated across the endpoint population. If the attack is found elsewhere and has not already been detected and remediated, it will be remediated by this full scan. A broad-based attack can be stopped in under an hour.

Infinity, days, or three minutes. The choice is yours, and I will leave it to you to consider the relative consequences of each.