Triumfant and Situational Awareness – The Google Model
February 2, 2011
I have written in this blog that while Triumfant is useful, innovative technology, I often struggle to come up with word pictures or analogies that help others grasp how useful and innovative it really is. Thankfully, we employ lots of smart people and one of our developers came up with what I think is an exceptional analogy.
Because Triumfant assumes nothing, it scans just about every persistent attribute on every machine in the endpoint population and sends this to the server for analysis. Since the majority of the state data on each machine rarely changes, after the first snapshot is collected the Triumfant agent performs change data capture and only sends changes up the wire for subsequent scans. This is, of course, the proven, prudent and efficient way to monitor large amounts of data that is predominantly static. Otherwise, you end up moving large answer sets across the wire needlessly. The data is available at the server level in a repository to power all forms of situational awareness.
The analogy suggested by our developer is the Google approach. Google does not know what questions will be asked of its search engine, so it uses crawlers to traverse the World Wide Web to collect data and store it in anticipation of any question. Google puts that raw data through correlation and pattern matching algorithms to further speed the search process. The logic is simple – a search against the open Internet would be grossly inefficient and utterly preposterous. By gathering the data before the question is asked, Google actually returns answers while you are asking the question.
Triumfant does essentially the same thing as Google for endpoint state data, because like Google, we do not know the question until it is asked. Triumfant does not rely on prior knowledge and instead detects malware and configuration problems by monitoring change. We use our agent to continuously monitor over 200,000 attributes per machine and then collect that data at the server level. Queries, online views, and data feeds execute against the repository data at the server and require no interaction with the endpoints. Put this in contrast to other tools that have to get the data from the endpoint for every question asked.
When a new vulnerability is announced, Triumfant’s repository can be queried directly and a report produced in hours (more likely minutes, but I don’t like to show off). You would know almost immediately how many machines have the new vulnerability and therefore be able to assess the risk to your organization. It would not matter which machines are connected at that time, nor would the query impact the network or the endpoints. Why? Because, like Google, the hard work of gathering and processing the raw data is already done and the data is readily available. Best of all, the Triumfant agent performs its continuous monitoring unobtrusively and efficiently, and only sends changes back across the wire once a day. You get faster access to the data with no impact to the endpoints or your network.
With other tools, you would either have to initiate an agentless scan of the machines to collect the required information, or push some new query or script to the endpoint agents for execution. Either way, this activity places a burden on the endpoint and on the network as potentially large answer sets are returned across the wire. The necessary data would then be collected in some repository and evaluated over time. I was recently at a prospect that I would judge to be progressive and perceptive, and that prospect told me that it takes two weeks to identify machines affected by a new vulnerability for a population that is not large by most standards.
One hour versus two weeks. Impressive. Most Impressive.
But wait, there is more. Most vulnerabilities have a short-term mitigation strategy that involves setting some registry keys to temporarily disable the vulnerable feature until a patch is created and applied. With Triumfant, a simple policy can enforce the temporary fix and have it applied in less than 24 hours. Since there is likely no signature for an attack that quickly moves to leverage the new vulnerability, Triumfant will see those attacks through the changes they make and build a remediation to stop the attack. Triumfant sees the new vulnerability, effectively closes the vulnerability, and detects anything that attempted to exploit the vulnerability.
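The collection model described earlier (a full snapshot on the first scan, then change data capture sending only deltas), the idea of answering questions from the server-side repository instead of the endpoints, and the temporary-mitigation policy check in the paragraph above, as one added example. This is illustrative Python written for this post, not Triumfant's own code or data model; the attribute names, the "viewer" product, the 9.4.1 version threshold, the registry value and the three hostnames are constructed placeholders.

```python
"""Toy model of snapshot-then-delta endpoint collection and repository queries.

Added example, not Triumfant's code. Every attribute name and value below is
constructed for illustration.
"""
from __future__ import annotations

from typing import Callable, Dict, Optional

# Hypothetical attribute names, in a "kind:path:property" style made up for this example.
VIEWER_VERSION = "file:C:\\Program Files\\Example\\viewer.exe:version"
SCRIPTING_FLAG = "reg:HKLM\\SOFTWARE\\Example\\Viewer:ScriptingEnabled"
SPOOLER_START = "svc:Spooler:start"


def compute_delta(previous: dict, current: dict) -> dict:
    """Return only what changed since the previous snapshot.

    Added or changed attributes map to their new value; attributes that
    disappeared map to None so the server can drop them.
    """
    delta = {key: value for key, value in current.items() if previous.get(key) != value}
    for key in previous:
        if key not in current:
            delta[key] = None
    return delta


class Repository:
    """Server-side store holding the last known state of every endpoint."""

    def __init__(self) -> None:
        self.state: Dict[str, dict] = {}

    def apply(self, host: str, payload: dict) -> None:
        machine = self.state.setdefault(host, {})
        for key, value in payload.items():
            if value is None:
                machine.pop(key, None)
            else:
                machine[key] = value

    def machines_where(self, predicate: Callable[[dict], bool]) -> list:
        """Answer a question from stored state alone; no endpoint is contacted."""
        return sorted(host for host, attrs in self.state.items() if predicate(attrs))


class Agent:
    """Endpoint side: full snapshot once, then deltas only."""

    def __init__(self, host: str, repo: Repository) -> None:
        self.host = host
        self.repo = repo
        self.last_sent: Optional[dict] = None

    def scan(self, attrs: dict) -> int:
        payload = dict(attrs) if self.last_sent is None else compute_delta(self.last_sent, attrs)
        self.last_sent = dict(attrs)
        self.repo.apply(self.host, payload)
        return len(payload)  # number of attributes sent, a proxy for wire volume


def version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def vulnerable_viewer(attrs: dict) -> bool:
    """Constructed rule: viewer versions below 9.4.1 are 'vulnerable'."""
    version = attrs.get(VIEWER_VERSION)
    return version is not None and version_tuple(version) < (9, 4, 1)


def needs_mitigation(attrs: dict) -> bool:
    """Vulnerable and the temporary fix (scripting disabled, value 0) is not in place."""
    return vulnerable_viewer(attrs) and attrs.get(SCRIPTING_FLAG) != 0


def run_demo() -> dict:
    repo = Repository()
    fleet = {host: Agent(host, repo) for host in ("ws-01", "ws-02", "ws-03")}
    # Day 1: constructed first-scan state for three machines.
    day1 = {
        "ws-01": {VIEWER_VERSION: "9.3.0", SCRIPTING_FLAG: 1, SPOOLER_START: "auto"},
        "ws-02": {VIEWER_VERSION: "9.4.1", SCRIPTING_FLAG: 1, SPOOLER_START: "auto"},
        "ws-03": {VIEWER_VERSION: "9.2.5", SCRIPTING_FLAG: 1, SPOOLER_START: "disabled"},
    }
    sent_day1 = {host: fleet[host].scan(attrs) for host, attrs in day1.items()}
    # Day 2: the mitigation policy flipped the flag on ws-03; ws-01 lost its spooler entry.
    day2 = {host: dict(attrs) for host, attrs in day1.items()}
    day2["ws-03"][SCRIPTING_FLAG] = 0
    day2["ws-01"].pop(SPOOLER_START)
    sent_day2 = {host: fleet[host].scan(attrs) for host, attrs in day2.items()}
    return {
        "attrs_sent_day1": sent_day1,
        "attrs_sent_day2": sent_day2,
        "vulnerable": repo.machines_where(vulnerable_viewer),
        "needs_mitigation": repo.machines_where(needs_mitigation),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point of the model is the asymmetry the post describes: the day-1 scans ship every attribute, the day-2 scans ship one attribute or none per machine, and both the vulnerability count and the "vulnerable but not yet mitigated" list are computed purely from `Repository.state`, so a new question costs nothing on the endpoints or the network.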
The concept of accessing the central repository rather than continuously interrogating the endpoint machines works for all forms of situational awareness, business intelligence, data mining and analysis, and external feeds. For example, Triumfant stores SCAP attributes for CCEs, CPEs and CVEs in the repository, so when the organization wants to build a CyberScope feed (Triumfant is a certified CyberScope provider) it does so from the repository without intrusion on the endpoint or consumption of network bandwidth.
So there you go. Triumfant is like a web-crawling search engine for the state data of your endpoint population. The data is there so you can ask questions and get the situational awareness your organization needs to keep pace. Gartner and others have been talking with increasing frequency about the importance of situational awareness and Enterprise Security Intelligence. I cannot think of a more efficient and detailed source for endpoint state data than Triumfant.