Triumfant – First Line of Defense or Last Line of Defense (or Both)

I was reading Byron Acohido’s latest post in The Last Watchdog about the new SMB2 zero day vulnerability and it provoked a lot of thinking around how Triumfant is characterized as endpoint protection. Specifically, we get asked if we consider Triumfant a first line of defense or a last line of defense.  Reading Acohido’s post made me realize the answer is “yes”.

In the case of the SMB2 zero day vulnerability there is no patch and no malware has been detected that exploits the vulnerability as of yesterday (9/9/09).  Traditional defenses for the endpoint will have no knowledge of the eventual attacks that will undoubtedly come and will therefore be ineffective in shielding endpoints from the malware.  In this case the traditional defenses offer no defense, so Triumfant is the first line of defense for the endpoint machine.  Because Triumfant uses granular change detection to detect attacks and therefore does not require prior knowledge of the attack, it is uniquely able to protect the machine.  Acohido predicts that the eventual exploit could be a “Conficker-type worm attack” and when it eventually comes, Triumfant will see it and protect the affected machines.

In short, if the incoming attack is specifically designed to evade detection by traditional endpoint defenses or is a zero day (or very early in its lifecycle), then it is as if the traditional defenses are not even there.  So Triumfant becomes the de facto first line of defense.  Add to the list rootkits, the work of malicious insiders and corruption of the software supply chain and you get a lot of vectors where Triumfant is the endpoint protection that first engages the enemy.  I always add the caveat that we do not position Triumfant as a shield – it detects the malware when it gets to the machine.

In the case of known attacks that the other tools simply miss, or the variants that just slip past the signatures, or those attacks that get through because the defensive software is improperly configured or deployed, Triumfant is the last line of defense.  Everything that falls through the nets – and there is a lot of evidence (read here, here and here) that plenty does – and makes it to the endpoint will be detected and remediated by Triumfant.  We have never positioned Triumfant as a replacement for the existing nets, but we do believe that the holes in those nets are plentiful enough that we provide an excellent complement to traditional defenses.

So there you are – Triumfant is both a first and last line of defense.  It simply depends on the context of the attack.  Either way, Triumfant is filling critical and frequent gaps in endpoint protection.  What makes the story even better is that Triumfant remediates what it detects by synthesizing a remediation and restoring the machine to its pre-attack condition in minutes without human intervention. 
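As an added illustration of the signature-less approach described above (this is not Triumfant's code; the endpoint state, file paths and autorun entries are constructed), the following compares a current endpoint snapshot against a known-good baseline, flags every deviation without knowing anything about the attack, and synthesizes a revert from the diff:

```python
import hashlib
from copy import deepcopy

def fingerprint(state: dict) -> dict:
    """Reduce an endpoint state (file bytes + autorun entries) to comparable attributes."""
    return {
        "files": {p: hashlib.sha256(b).hexdigest() for p, b in state["files"].items()},
        "autoruns": dict(state["autoruns"]),
    }

def detect_changes(baseline_fp: dict, current_fp: dict) -> list:
    """List (category, kind, key) for every deviation from the baseline.
    Only the known-good state is consulted; no signature of the attack is needed."""
    changes = []
    for category in ("files", "autoruns"):
        before, after = baseline_fp[category], current_fp[category]
        for key in sorted(before.keys() | after.keys()):
            if key not in before:
                changes.append((category, "added", key))
            elif key not in after:
                changes.append((category, "removed", key))
            elif before[key] != after[key]:
                changes.append((category, "modified", key))
    return changes

def remediate(baseline: dict, current: dict, changes: list) -> dict:
    """Synthesize a revert from the diff: drop additions, restore removed or modified items."""
    repaired = deepcopy(current)
    for category, kind, key in changes:
        if kind == "added":
            del repaired[category][key]
        else:
            repaired[category][key] = baseline[category][key]
    return repaired

# Constructed baseline: a known-good endpoint captured before any incident.
BASELINE = {
    "files": {"/bin/netsvc": b"legit service v1", "/etc/hosts": b"127.0.0.1 localhost\n"},
    "autoruns": {"netsvc": "/bin/netsvc"},
}

def simulate_incident() -> dict:
    """Constructed post-compromise state: dropped binary, new autorun entry, tampered file."""
    state = deepcopy(BASELINE)
    state["files"]["/tmp/.cache/update"] = b"unknown payload"
    state["autoruns"]["update"] = "/tmp/.cache/update"
    state["files"]["/etc/hosts"] += b"203.0.113.7 update.example\n"
    return state

def run_cycle():
    """Detect and remediate one incident; returns the change list and the repaired state."""
    compromised = simulate_incident()
    changes = detect_changes(fingerprint(BASELINE), fingerprint(compromised))
    return changes, remediate(BASELINE, compromised, changes)
```

Running `run_cycle()` yields three changes (a modified file, an added file and an added autorun) and a repaired state whose fingerprint matches the baseline again.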

Whether it is acting as the tip of the spear or the backstop, Triumfant does what no other endpoint protection product can.  So when I answer “yes” to the first line or last line of defense question I am not being glib or sarcastic, just accurate.
