Yesterday I detailed my impressions after being briefed by Symantec on their new Quorum product. In summary, I was impressed with the implementation of the technology, but was not convinced that it solves the malware detection gap for enterprise customers, particularly those under the dynamic persistent threat scenario that see precise, well engineered and targeted threats on a continuous basis.
For such customers I believe that Triumfant’s approach to prevalence is far more applicable and practical. When Triumfant scans an organization’s endpoint population, it builds a rule in the Adaptive Reference Model for every piece of software it discovers, along with information about the files and other elements associated with that software. In other words, the model builds a functional whitelist that contains prevalence data specific to the organization, not data based on the collective wisdom of a community. And you can build models that address the entire endpoint population, or build models for specific groups of machines as appropriate. The model is refreshed weekly to ensure that it accurately represents the desired evolution of the endpoint population.
You do not have to tell the model what is acceptable in your specific environment; it learns it. You can, however, build policies and explicitly define authorized applications through a wizard-driven interface. If there is software already on the machines that ultimately is not in the desired list of authorized applications and programs for the organization, then it is a simple act to build what we call a filter to exclude specific software from the model and therefore from the whitelist.
Once the model is built, any application or program added to an endpoint machine or server that is not in the model as an authorized application is called to the attention of the administrative console. Resolution Manager synthesizes a situational remediation to remove the application from the machine and ensure that every change to the machine made as part of the installation is reversed. The remediation can be configured to execute automatically, or be set to require confirmation by an administrator prior to execution. Either way, no human intervention is required to write the remediation, and every remediation is fully reversible.
Because Triumfant sees all of the changes to the affected machine that were part of the unauthorized software’s installation process, it has the information necessary to build a remediation that removes the malicious code and all collateral elements from the machine. Why is this important? The installed application could be a trojan horse or be designed to make configuration changes that weaken the defenses of the machine. So if the install included a secondary malicious payload, Resolution Manager will see it and kill it. If the install opened a port or changed a security configuration setting, Resolution Manager will see it and reverse the change.
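The organization-scoped whitelist and change-set remediation described above, as an added Python sketch that is not Triumfant’s code: the endpoint inventories, the recorded change log, and every function name here are constructed assumptions for illustration.

```python
from collections import Counter

# Constructed endpoint inventories: hostname -> set of installed programs.
INVENTORY = {
    "ws-01": {"office", "browser", "vpn"},
    "ws-02": {"office", "browser", "vpn", "cad"},
    "ws-03": {"office", "browser", "vpn", "cad"},
    "ws-04": {"office", "browser", "shareware-toolbar"},
}

def build_model(inventory, filters=()):
    """Reference model: program -> prevalence (fraction of endpoints).
    'filters' names software to exclude from the whitelist even if found."""
    counts = Counter(p for progs in inventory.values() for p in progs)
    total = len(inventory)
    return {p: n / total for p, n in counts.items() if p not in filters}

def find_unauthorized(model, endpoint_programs):
    """Anything on an endpoint that is absent from the model is flagged."""
    return sorted(p for p in endpoint_programs if p not in model)

# Constructed change log recorded while an unauthorized install ran:
# (kind, key, old_value, new_value); old_value None means the item was created.
CHANGES = [
    ("file", r"C:\tools\dropper.exe", None, "sha256:PLACEHOLDER-1"),
    ("file", r"C:\tools\payload.dll", None, "sha256:PLACEHOLDER-2"),
    ("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\tools",
     None, r"C:\tools\dropper.exe"),
    ("firewall", "inbound:4444", "blocked", "allowed"),
]

def synthesize_remediation(changes):
    """Undo every recorded change, newest first, so one remediation
    removes the dropper, its secondary payload, persistence and the port."""
    steps = []
    for kind, key, old, _new in reversed(changes):
        if old is None:
            steps.append(("delete", kind, key))
        else:
            steps.append(("restore", kind, key, old))
    return steps

def rollback_remediation(changes):
    """The change set doubles as the undo record: re-applying the recorded
    new values reverses the remediation, which is what makes it reversible."""
    return [("set", kind, key, new) for kind, key, _old, new in changes]
```

Rebuilding the model from fresh inventories on a schedule is the weekly refresh the text describes; the filter argument is the stand-in for excluding software from the whitelist.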
Symantec allows you to build custom alerts based on prevalence data returned from the Symantec reputation database, but from what I saw it does not include automated remediation. The information I saw from Symantec indicated that it was the role of the client to block a file when an unacceptable reputation score was returned. Given that we cannot teach users not to open suspicious emails or click through social engineering, this would seem to be problematic. And because the application must be installed before it can be checked by the Symantec product, removal of the suspicious executable and all associated changes to the machine becomes critical. That is why Triumfant would seem to offer a superior solution.
Finally, I would add that the capabilities I describe for Triumfant exist today and are up and working at customer sites – this is not a future capability.
I want to take the time again to acknowledge the Symantec team and their willingness to share the details of the product, as well as reiterate my belief that this technology will serve them well in the consumer market. But for large organizations, I do believe that organization-based prevalence is more practical than community-based prevalence. I also think that Triumfant’s remediation capabilities address a significant shortcoming in the Symantec offering.
But more importantly, just how much of the detection gap does Symantec expect this to solve? By my calculations, Symantec added approximately 1,700,000 new signatures in the first half of 2009, more than they added in all of 2008. That equates to just about 9,000 new signatures a day. McAfee noted in an entry in their Avert Labs blog that they were writing over 6,000 new signatures a day, and that figure does not count what is caught by their generic filters and heuristics. Will this catch 10% of the attacks already evading the other protections? 50%? Unless Symantec thinks this will be a near 100% solution, there would still seem to be a gap.
And that is where Triumfant really stands out: we believe Triumfant closes far more of the gap than any alternative detection and remediation tool. We would never stand up and say that we close the gap completely, but we think we can make a case that we are pretty darn close. Because we track all of the changes to each and every endpoint, an attack would have to carry out its malicious activity without changing the attacked machine at all for Triumfant not to see it. So while prevalence may close part of the gap, why have a gap at all? And for those of you who are not Symantec customers and like the idea of adding prevalence to your existing protections, we can do that for you, and a lot more, by providing the perfect complement to your antivirus software regardless of the vendor.