Infection Rates are Up, Attack Vectors are Evolving, and Traditional Tools are Not Standing Their Ground

October 29, 2009

Our contention is that companies and government agencies must look toward new approaches and products to help them stand against the rising and evolving cyber security threats. I am catching up on email after being away from the office at the NIST IT Security Automation Show and came across these two pieces of information as two more proof points to validate our contention.

The first proof point comes from Elinor Mills of CNET News, who reports in her InSecurity Complex blog that the number of Web sites hosting malicious software is rising rapidly, with more than 640,000 Web sites and about 5.8 million pages infected with malware. Mills also reports that the number of sites on Google's blacklist of malware-infected sites has more than doubled over the last year. Furthermore, Google registered as many as 40,000 new sites in a single week. Many of these sites are not willing or intentional carriers of malicious code; they have been hijacked into being unwitting parties to the process.

In a separate CNET blog entry, Lance Whitney reports that a study from Panda Software shows a 15 percent rise in the number of infected PCs worldwide just from August to September. The study also notes that the global percentage of PCs hit by malware is now at an all-time high of 59 percent.

The facts are, as they say, self-evident. Attacks are up, the vectors are evolving, and traditional tools are not standing their ground. The industry is looking for answers and we believe that at least a critical part of those answers is available today in the form of Triumfant Resolution Manager.


Triumfant to be Speaking at the 5th Annual NIST Security Automation Conference

October 26, 2009

I have the great privilege to have been asked to speak tomorrow at the NIST Security Automation Conference.  My presentation will address how the unique approach and technology behind our offering helps drive three critical shifts in the thinking behind endpoint security:

The move from manual to automated processes.   Triumfant represents a significant step forward in automating the detect-analyze-act cycle. Most if not all tools automate the detect activities, but as you move through analysis and ultimately action in the form of remediation, manual intervention by specialized security personnel is required.  Triumfant uses our Adaptive Reference Model to analyze events in the context of the broader endpoint population and to group related changes into a single broader event.  Most tools only see events in the context of the affected machine, and further analysis becomes a manual process.  Remediations are performed manually and require some form of script to be written by either a vendor or in-house security staff.   Triumfant builds a comprehensive remediation that fixes the malicious code and all the collateral damage of the attack.  This remediation is written automatically and is applied to the affected machine without interaction from the user, without the need for rebooting, and without the need to re-image.   Only Triumfant can demonstrate the complete automation of the detect-analyze-act cycle.  And we haven't even begun to discuss the ramifications regarding costs saved by automating the remediation process.

The move from periodic to continuous activities.  Triumfant continuously scans and remediates, creating a state of what we call persistent security readiness.   The automated processes continuously enforce policies and configurations by monitoring the machines, using changes at the granular level to trigger analysis and determining the ultimate effect of those changes on each machine.  Triumfant then builds a remediation to return the machine to compliance.  The result is every-machine, every-day readiness.  We also use SCAP vulnerability content to scan each machine for vulnerabilities and detail the patches required to eliminate those vulnerabilities. 

The move from global to contextual requirements.  As stated, most endpoint protection tools view events in the context of the affected machine.   And they only see the malicious code and have no way to know the collateral damage from the attack.  They may address the malicious code, but leave behind all forms of collateral damage such as altered configuration settings, opened ports and secondary payloads, to name a few.  Only Triumfant provides the contextual information needed to fully remediate a machine under attack.  By monitoring over 200,000 elemental attributes for every machine, only Triumfant sees all of the damage to the machine and can build a remediation that is in complete context with the attack and the specific needs of the attacked machine.  Other tools may have pre-written remediations, but this is a one-size-fits-all approach that can leave a machine vulnerable.  And of course, this approach assumes prior knowledge of the attack, while Triumfant requires no such knowledge. 

Because we fully automate the detect-analyze-act cycle, Triumfant addresses malicious attacks in less than five minutes from infection to remediation.  This includes targeted attacks and attacks for which there is no prior knowledge.  But we also continuously maintain the endpoints in a state of persistent security readiness, thereby reducing the attack surface of those machines and ensuring that all of the protections, not just Triumfant, are in place, properly configured and fully operational. 

Needless to say I am excited about the opportunity to tell our story to such a group focused on automating security processes.  It is an exciting topic, and I have had the opportunity to speak to the really smart people at NIST and NSA who are driving some very progressive thinking on the subject.  Best of all, it is exciting to know that many of the capabilities these people consider critical to securing the endpoint already exist in our product today. 

If you are at the show, please stop by our booth (312) and we will be happy to show you a demonstration of how all of this works and talk about how we can put these capabilities to work for your organization.


Triumfant is Now McAfee Compatible – Our Integration with McAfee ePolicy Orchestrator

October 19, 2009

On October 5 it was announced that Triumfant had achieved McAfee Compatible status in McAfee’s Security Innovation Alliance (SIA).  This status is achieved when a vendor like ourselves is able to demonstrate interoperability between McAfee ePolicy Orchestrator (ePO) and Resolution Manager in testing conducted by McAfee. 

So what does that mean and what level of integration and interoperability exists?  The integration with ePO is being done in phases with the first phase available today.  In the first phase, information from Resolution Manager is available through the ePO console, with drill-downs to Resolution Manager for more details on specific incidents and events.   In the next phase scheduled to be completed by year end, there will be additional integrations:

  • The ability to push out the Triumfant agents from within ePO.
  • Direct integration with the ePO event tables.  Resolution Manager will use database-to-database integration to move event information directly into the ePO event table, so that data collected by Triumfant becomes part of the integrated reporting of ePO.  Because this is a direct database write, the Resolution Manager server holds a credential for the ePO database; that credential should be scoped to the event tables it needs.
  • Additional drill-down capabilities from the ePO console to view our machine status, configuration, change history, incident history, performance, and diagnosis screens.  These links expose as much Resolution Manager data as possible from within the ePO console. 

Additional phases are still being scoped and will be shaped by the needs of our customers once they put the integrations to use.  Likely additions include integration of the wealth of asset data collected by Resolution Manager to the ePO asset data stores. 

What does our integration with McAfee mean and why is it important?  We understand that companies are inundated with new interfaces, making integration points for presentation and management – the elusive single pane of glass – very important.  For McAfee customers, ePO is that integration point.  This was very apparent to me at the McAfee FOCUS 09 User Conference, as most of the people who came by our booth started the conversation with a question about our ePO integration.  It was obvious that such integration was a gating factor in their decision to look deeper into our offering. 

We have always positioned our product as a complement to traditional endpoint protection tools such as McAfee's, and our relationship with McAfee is a natural extension of that philosophy.  It is clear that McAfee customers embrace ePO as a single point of command and control for endpoint protection, so it is an equally natural extension to integrate Resolution Manager into ePO.  I commend McAfee for their desire to build an ecosystem for their customers that includes third-party vendor partners, and we are very pleased to have achieved the McAfee Compatible designation.

As always, we are happy to demonstrate our capabilities, including our integration with ePO, and I invite you to contact us to set up an online demo.  I think you will see the benefits of our collaboration with McAfee, and the value of adding Resolution Manager to the McAfee suite will be readily apparent.


As Malware Infection Rates Rise, Triumfant is Tamiflu for the Endpoint

October 13, 2009

I am writing today from the guest bedroom in our home, where I have been living since arriving home from the McAfee FOCUS 09 show in Las Vegas late Friday evening.  Turns out that my steadily declining physical state that started the moment I was dropped off at the LV airport was the onset of the flu. 

Spending now four days in quarantine gives one plenty of time to reflect and think.  Like just how much I really missed HD TV over a football filled weekend.  Or how much I really enjoyed zipping around Las Vegas Motor Speedway at 150+ mph in a “retired” Sprint Cup race car at the McAfee User party Thursday night at the conference. Or how glad I am that they invented Tamiflu.

Thank you, Tamiflu. In these days of flu shot stories and an emphasis on preventing the virus from taking root, I am really glad that someone also spent the effort to develop a drug that quickly eradicates the flu if it manages to evade all of the defensive precautions and find a home in your body.  Saturday I was a shivering, hacking, fevered glob of goo.  But thanks to quick diagnosis and immediate application of Tamiflu, I was back to being very close to normal (for me) by noon Sunday.  No more aches, no more fever, no more chills.  Prevention is a laudable goal, but thankfully there are pragmatic types who understand that something must also be in place when prevention does not work.

Of course, there is a parallel here in regards to Triumfant.  No matter how much people try to keep bad things off endpoint machines, the bad things are making it to these machines with increasing frequency.  Just look at today, when Microsoft came out with patches for 34 vulnerabilities, a number of which already have exploits in the wild.  The McAfee conference featured the McAfee suite of products plus 81 partners, all trying a wide variety of ways to protect networks and machines from being infected, but every speaker noted that infection rates have never been higher. 

This is the world in which IT Security must function – there is no magic flu shot for the endpoint. In spite of the best efforts by really smart people to shield machines from infection, malware gets through and turns them into the silicon equivalent of shivering, hacking, fevered globs of goo.  And that is where Triumfant excels, because it will see such an attack, perform a diagnosis and build a Tamiflu injection in the form of a situational remediation. From infection to cure in 5 minutes or less.  Furthermore, it does so whether this is a known problem or an entirely new one, because it does not rely on prior knowledge of an attack to do its job.

And best of all, your computer does not have to spend a week in the guest room without HD TV.


Day One from McAfee FOCUS 09 – People Get It

October 7, 2009

I am in Las Vegas at the McAfee FOCUS 09 user conference and yesterday was a very invigorating first day on the exhibit floor.  As a member of the McAfee Security Innovation Alliance and newly designated McAfee Compatible offering, we are a sponsor of the show. 

We always set up our three-minute malware challenge demo at shows, where we release a rootkit on a victim VM and show our server detecting the rootkit, repairing the hooked system calls, correlating the changes the rootkit made to the machine and building a remediation for the attack, all in three minutes. 

After more years than I can count working tradeshows and conferences, I can honestly say that Resolution Manager is by far the easiest product to strike up a conversation about on a show floor.  First, it really is unique in its ability to spot malware or compliance issues on an endpoint.  Second, the ability of the product to build a remediation on the fly really is intriguing to people and gets their mind running in a thousand different directions.  Third, we normally have a screen up on the monitor in the booth that shows the hundreds of thousands of attributes that we collect and monitor, so that helps people see the depth of our scan scope and the amount of situational awareness we can bring to the party.

At that point I normally stop talking and watch the inevitable result of seeing all of these elements of Resolution Manager – people get it.  And they get it in a variety of ways, because each comes to the booth with their own set of needs and problems, and there are so many ways Resolution Manager can address those needs and problems.  Of course, if they have time to see the demo, they are really hooked.  And given that we were just announced as being McAfee Compatible, they understand that they can access the information from Resolution Manager through McAfee's ePolicy Orchestrator, which gives them a single point of access.

Some days on a show floor, the minutes go by at a glacier’s pace.  Last night, the exhibit hours were over before I even took a minute to check my watch.  If you have spent an hour manning a booth you know how refreshing that can be.


Four Months Later and the Best the White House Gives Us is “Practice Safe Computing”

October 2, 2009

I happened to glance at the morning news to see President Obama fervently pitching the Chicago bid for the 2016 Olympics in Copenhagen with the First Lady.  Clearly the President's priority has shifted from cyber security to more important matters.  In fairness, the President did seem to find time between appearances on David Letterman and other important media exposures to declare October National Cybersecurity Awareness Month.

Four months have now passed since the original announcement of the cyber czar position in late May, and we have an awareness month with no cyber security leader to preside over the proceedings.  But we have a proclamation from the White House urging all of us to "practice safe computing".  Is it just me, or does this sound like "just say no to malware"?  Now we have the cyber criminals on the run!

We need to share information and we need to focus on the greater good, so that we can stop the next cyber attack.  The longer this post remains vacant, the longer the government's security efforts continue to lack a unified approach.  A September 27 article in the MIT Technology Review indicates that there are now 18 separate bills introduced in Congress to "give federal authorities the power to protect the country in the event of a massive cyberattack."  There are 18 bills because others are moving to fill the void left by four months without a leader in the position that was announced.

Our President acknowledged months ago that we need to make a change, but to date the biggest change continues to get delayed.  Maybe it is because no one wants it, because the role has not been positioned to succeed.  Regardless of the reason, we need a cyber security leader now, and we need the president to make this a priority again.

In the official proclamation, President Obama calls "upon the people of the United States to recognize the importance of cybersecurity".  Good advice indeed, Mr. President.  Perhaps you would like to lead by example and fill the position you promised four months ago.