The Yin and Yang of Triumfant – Agent Based Precision With Network Level Analytical Context
December 16, 2010
Yesterday I was in a conversation with Dave Hooks, our CTO, and a very smart person from the intelligence community, and, as often happens when I engage with people smarter than myself, I had an epiphany:
Triumfant provides agent level precision, with network level analytical context.
There is a set of trade-offs when working with endpoint security tools based on their perspective and architecture. Agent based solutions allow for monitoring at very granular levels, but there are limitations to the amount of analysis they can perform. That is because when the analysis only happens in the context of the machine, the lack of broader context creates far too many false positives to make the analytic processes effective. In most tools, the agent uses prior knowledge to detect, remediate or both, resulting in the need to continuously update the prior knowledge on the agent, creating a network and administrative burden.
In contrast, a server-based agentless tool trades precision for a lack of intrusiveness: it is unobtrusive, but it is also imprecise. Even the most efficient scanning tools using credentialed scans cannot see the level of detail needed to be absolutely sure about many potential problems, whether the question is malicious activity, a vulnerability or compliance. For example, a credentialed scan can point out machines that may have a specified vulnerability, while Triumfant can probe deeply to say without question whether a given machine has that vulnerability. Agentless scanning also tends to gather large answer sets, which places a burden on the network.
Which leads me to my epiphany – Triumfant’s approach provides the best of both worlds while eliminating the drawbacks of each. Triumfant has achieved harmonic balance between what appear to be opposing forces – a true Yin/Yang relationship.
The Triumfant agent performs continuous scanning at a level of precision that I have not seen in any other tool – over 200,000 attributes per machine. The agent recognizes changes and sends only the changes to the Triumfant server for analysis, minimizing network burden through an effective application of change data capture. The agent uses no prior knowledge, and therefore requires no regular updates of signature files or remediation scripts. No outbound network impact (there is nothing to push to the agents), and very low inbound network impact.
Triumfant performs the analysis of the detailed data collected at the machine level on the Triumfant server, empowering Triumfant’s analytics to view changes in the context of the broader population, driving analytical accuracy and eliminating false positives. The context also empowers Triumfant’s patent-pending donor technology, which uses the population as a donor pool to build remediations that address missing and corrupted attributes. When a new attack is identified, the context allows for investigation of broader attack patterns, which ultimately gives the IT security team the information it needs to proactively protect the organization from other, similar attacks.
The context that I speak of in the previous paragraph is unique to Triumfant and is at the heart of our patents. The context takes the detailed attribute data collected by the agent and builds a normative, rule-based model of the endpoint population. Again the Yin/Yang relationship is manifested: the context thrives because of the detail provided by the agent, but logically and logistically can only be implemented at the server level.
By using the agent to do what it does best, and using the server to perform the heavy lifting of analysis, Triumfant captures the best of both worlds. The agent is extremely unobtrusive and efficient, and requires near-zero maintenance. Using change detection means that you can assume nothing, and must therefore monitor everything, which would be impossible to do efficiently and accurately without an agent. Equally impossible is the task of making sense of detected changes without a broader context. That is why performing the analysis at the server level is critical. It is important to note that the analysis is only as good as the data provided, and the server’s analysis would not have the depth and accuracy it generates without the granular data that could only be obtained through the agent.
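To make the division of labor in the preceding paragraphs concrete, here is a small model of the two tiers: an agent that diffs two local snapshots and reports only the changes, and a server that keeps a normative model of the population and judges each reported change in that context (rare value, missing normative attribute, donor pool of endpoints that still hold the norm). This is an added illustration written for this page, not Triumfant’s code, data model or analytics; the host names, attribute names, values and the 80%/20% thresholds are constructed assumptions.

```python
"""Toy model of the two-tier design the post describes: an agent that reports
only attribute changes (change data capture) and a server that judges each
change against a normative model of the whole endpoint population.
All hosts, attribute names and values below are constructed sample data;
this is not Triumfant's code, data model or analytics."""
from collections import Counter
from typing import Dict, List, Optional, Tuple

Snapshot = Dict[str, str]                                  # attribute name -> value
Change = Tuple[str, str, Optional[str], Optional[str]]     # host, attr, old, new


def agent_diff(host: str, prev: Snapshot, curr: Snapshot) -> List[Change]:
    """Agent side: compare two local snapshots and emit only what changed
    (None on one side means the attribute appeared or disappeared). The
    outbound payload scales with the change set, not with the attribute count."""
    return [(host, attr, prev.get(attr), curr.get(attr))
            for attr in sorted(prev.keys() | curr.keys())
            if prev.get(attr) != curr.get(attr)]


class PopulationModel:
    """Server side: a normative model of the population. For every attribute it
    counts how many endpoints carry each value. A value held by at least
    `norm_share` of endpoints is the norm; one held by at most `rare_share`
    is rare. Judging a change in that context is exactly what a single agent,
    seeing only its own machine, cannot do."""

    def __init__(self, baselines: Dict[str, Snapshot],
                 norm_share: float = 0.8, rare_share: float = 0.2):
        self.hosts: Dict[str, Snapshot] = {h: dict(s) for h, s in baselines.items()}
        self.norm_share, self.rare_share = norm_share, rare_share
        self.counts: Dict[str, Counter] = {}
        for snap in self.hosts.values():
            for attr, val in snap.items():
                self.counts.setdefault(attr, Counter())[val] += 1

    def prevalence(self, attr: str, val: Optional[str]) -> float:
        """Fraction of the population carrying `val` for `attr`."""
        if val is None or attr not in self.counts:
            return 0.0
        return self.counts[attr][val] / len(self.hosts)

    def normative_value(self, attr: str) -> Optional[str]:
        """The value most endpoints carry for `attr`, or None if there is no consensus."""
        if not self.counts.get(attr):
            return None
        val, _ = self.counts[attr].most_common(1)[0]
        return val if self.prevalence(attr, val) >= self.norm_share else None

    def _fold(self, change: Change) -> None:
        """Update the counts and the per-host view with one reported change."""
        host, attr, old, new = change
        snap = self.hosts.setdefault(host, {})
        if old is not None and self.counts.get(attr, Counter())[old] > 0:
            self.counts[attr][old] -= 1
        snap.pop(attr, None)
        if new is not None:
            self.counts.setdefault(attr, Counter())[new] += 1
            snap[attr] = new

    def ingest(self, changes: List[Change]) -> List[dict]:
        """Fold a whole reporting interval into the model first, then assess each
        change. Folding first means a change that many endpoints report at once
        (a patch roll-out) is judged as common, not as a burst of anomalies."""
        for c in changes:
            self._fold(c)
        results = []
        for host, attr, old, new in changes:
            norm = self.normative_value(attr)
            verdict = "benign"
            if new is None and norm is not None:
                verdict = "missing-normative-attribute"   # the fleet has it; this host lost it
            elif new is not None and self.prevalence(attr, new) <= self.rare_share:
                verdict = "rare-in-population"            # almost no other endpoint has this value
            # donor pool: other endpoints still holding the normative value, from which
            # a remediation for a missing or altered attribute could be assembled
            donors = [] if verdict == "benign" or norm is None else \
                [h for h, s in self.hosts.items() if h != host and s.get(attr) == norm]
            results.append({"host": host, "attr": attr, "old": old, "new": new,
                            "verdict": verdict, "donors": sorted(donors)})
        return results


def demo() -> Dict[str, List[dict]]:
    """Constructed scenario: five endpoints, a fleet-wide patch, then two
    single-host changes that only stand out in population context."""
    hosts = [f"ws-0{i}" for i in range(1, 6)]
    base = {h: {"hash/svchost.exe": "h1", "svc/wuauserv": "auto"} for h in hosts}
    model = PopulationModel(base)

    # interval 1: every endpoint receives the same update (one agent diff per host)
    interval1 = [c for h in hosts
                 for c in agent_diff(h, base[h], {**base[h], "hash/svchost.exe": "h2"})]
    patch_results = model.ingest(interval1)

    # interval 2: ws-03 alone gains an autorun entry; ws-04 alone loses a service
    interval2 = agent_diff("ws-03", model.hosts["ws-03"],
                           {**model.hosts["ws-03"], "autorun/Updater": "updater.exe"}) \
        + agent_diff("ws-04", model.hosts["ws-04"],
                     {k: v for k, v in model.hosts["ws-04"].items() if k != "svc/wuauserv"})
    single_results = model.ingest(interval2)
    return {"patch": patch_results, "single-host": single_results}


if __name__ == "__main__":
    for interval, results in demo().items():
        for r in results:
            print(interval, r["host"], r["attr"], r["verdict"], r["donors"])
```

The fleet-wide hash change is reported by five agents but judged benign once the server sees it across the whole population, while the same kind of change on a single host is flagged as rare; the lost service on ws-04 is flagged as a missing normative attribute and the other four endpoints are listed as donors. The agent alone could only report that something changed, and a model without per-attribute detail could not tell the roll-out from the outlier.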
So there you have my epiphany – Triumfant harnesses the data collection power of an agent based approach with the analytical power and contextual perspective of a server based approach. Triumfant uses the power of each to neutralize the weaknesses of the other to create a solution that is unique and certainly powerful. We can detect, analyze and assess the impact of changes to identify malicious attacks that evade other defenses, and build a contextual remediation to repair that attack. We can continuously enforce security policies and configurations. And we can provide deep insight into the endpoint population.