The American Airlines Phishing Attack – Front Row Seat to the Psychology of an Attack

Today I came face to face with a phishing attack and was able to watch firsthand as the attack worked on the human element of IT security.  This morning I was contacted by a friend who had received an email that confirmed the purchase of a flight on American Airlines.   The friend was now convinced that a credit card had been compromised and that immediate steps were necessary.

Savvy IT security guy that I am, I immediately smelled a rat and asked that my friend (who lives close by) bring the PC with the email to me.  After all, I did not want potentially malicious stuff on my machine.

Sure enough, everything about the email spoke of fraud.  The appearance and format of the email were not even close to looking like a professional email from a large company that does lots of business online.  The email address was suspect, and having been on an airplane or two (or a thousand), I noted that the flight number was not even close to the American Airlines flight numbering system.  Lastly, there was the ubiquitous .zip file attached, just waiting to be clicked.  An example of the email can be found on the American Web site here.

What was an interesting study was the reaction of my friend to all of this.  I have had a credit card stolen so I knew it was not the end of the world.  I also knew that the credit card companies actually handle fraud pretty well, so every second did not really count.  My friend was very nervous about the credit card being used to buy all manner of unseemly things all the while laying waste to credit ratings.

But most of all, I noted that the .zip file hung like a ball of yarn in front of an over-caffeinated kitten.  My friend so wanted to click on that file.  The psychological pull was palpable.

I walked my friend through the process of recognizing such an attack, and went to the American Airlines web page to demonstrate that the flight number on the email did not exist.  In fact, it was a digit longer than the field on the site for the flight number status.  Next I listened as my friend called American, and then the credit card company.  Both verified that no transaction had occurred and that this was part of a wide reaching scheme.  The American agent actually spent a lot of time walking my friend through the phishing concept at a high level and provided steps on how to dispose of the email without releasing the malware.  I was impressed.
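The indicators walked through above (a sender domain that is not the airline's, a flight number with more digits than the status lookup accepts, and an attachment a confirmation never needs) can be checked mechanically. The following is an added example, not code from the post or from Triumfant: it parses a constructed sample message with Python's standard email library and reports each indicator it finds. The legitimate sender domain, the four-digit limit on the lookup field, and the risky attachment suffixes are assumptions for the example.

```python
import re
from email import message_from_string
from email.message import Message

# Assumptions, not facts from the post: the airline's legitimate sending domain
# and the maximum number of digits the flight status lookup field accepts.
LEGIT_SENDER_DOMAINS = {"aa.com"}
MAX_FLIGHT_NUMBER_DIGITS = 4
RISKY_ATTACHMENT_SUFFIXES = (".zip", ".exe", ".scr", ".js")

# Constructed sample resembling the message described in the post; not the real email.
SUSPECT_EMAIL = """\
From: "American Airlines" <reservations@aa-confirmation-mail.example>
To: traveler@example.net
Subject: Your flight confirmation
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Thank you for your purchase. Flight Number: 45312
Your itinerary is attached.

--XYZ
Content-Type: application/zip; name="itinerary.zip"
Content-Disposition: attachment; filename="itinerary.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--XYZ--
"""

# Constructed plain-text message with none of the indicators, for comparison.
CLEAN_EMAIL = """\
From: "American Airlines" <no-reply@aa.com>
To: traveler@example.net
Subject: Your flight confirmation
Content-Type: text/plain

Thank you for your purchase. Flight Number: 1234
"""


def sender_domain(msg: Message) -> str:
    """Return the domain part of the From header, lower-cased ('' if absent)."""
    match = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return match.group(1).lower() if match else ""


def attachment_names(msg: Message) -> list:
    """Collect the file names of all attachment parts."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def flight_numbers(msg: Message) -> list:
    """Extract every 'Flight Number: NNNN' token from the text/plain parts."""
    text = ""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                text += payload.decode("utf-8", errors="replace")
    return re.findall(r"Flight Number:\s*(\d+)", text)


def phishing_indicators(raw_email: str) -> list:
    """Return human-readable reasons the message looks like a phish (empty if none)."""
    msg = message_from_string(raw_email)
    found = []
    domain = sender_domain(msg)
    if not any(domain == d or domain.endswith("." + d) for d in LEGIT_SENDER_DOMAINS):
        found.append(f"sender domain {domain!r} is not an expected airline domain")
    for name in attachment_names(msg):
        if name.lower().endswith(RISKY_ATTACHMENT_SUFFIXES):
            found.append(f"unexpected attachment {name!r} (a confirmation does not need one)")
    for number in flight_numbers(msg):
        if len(number) > MAX_FLIGHT_NUMBER_DIGITS:
            found.append(f"flight number {number} has more digits than the status lookup accepts")
    return found


if __name__ == "__main__":
    for reason in phishing_indicators(SUSPECT_EMAIL):
        print("-", reason)
```

Each indicator is weak on its own (legitimate mail sometimes comes from a third-party sending domain), which is why the function returns all of them rather than a single verdict; the person reading the list still makes the call, just as the post describes.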

I had several takeaways from the experience.  First, while the attack seemed amateurish and hackneyed to me, I was taken by how quickly my friend swallowed the hook and was quickly prepared to react.  The simple psychology involved was brutally effective, and I saw why such attacks succeed.  If a wide enough net is cast, someone will react the way the bad guys want.

Second, it reinforced the critical nature of the human element in IT security.  My friend is bright, educated, and computer savvy.  Yet that same person immediately and kinetically reacted to what was a cut-rate phishing attack.  People will always be the X-factor in IT security whether it be opening .zip files, shutting off their AV software, or gleefully inserting USB devices from any and every source.

Lastly, the experience screamed for the need for Rapid Detection and Response, because in spite of shields and protections the human factor can be leveraged to bypass or evade those protections.  Stuff gets through, and in front of me was a simple example of how.

I have to go, I just received another email from another friend who says he just got a confirmation for a flight to Atlanta he did not buy.  Seriously.

USB Drives – Cool Tool or Malware Delivery Device

Behold the USB drive. Simple. Functional. Efficient. The USB device is also a symbol of all that makes IT security so difficult. But take heart, because the USB device is also illustrative of the functions and benefits of Triumfant.

Why does the USB key represent the difficulties with IT security? Because a USB device is an infiltration and exfiltration method wrapped into one tidy package. The bad guys are using USB devices to deliver malicious payload to host machines because this vector readily evades perimeter network defenses that use techniques like deep packet inspection and sandboxing. Unfortunately, those techniques require that the attack come across the wire to work, so the attacks delivered by a USB device easily fly under their radar. The USB device has become a very effective mechanism for delivering the targeted and sophisticated zero day attacks and advanced persistent threats that are becoming increasingly difficult to detect. For an example, start with Stuxnet, the malicious attack that grabbed more headlines than a Britney Spears midnight trip for a haircut. Stuxnet evaded protection by using USB drives for transport to the host machines from which the attack spawned.

In regards to exfiltration, there is no simpler tool for offloading data than a USB device. While this has great utility, it is a major problem in the context of data loss prevention (DLP) activities, as once data is loaded onto a device there is absolutely no control of where that data may land. All bets are off.

You would think that USB devices would be the bane of every IT security person on the planet, yet security vendors give them away at industry tradeshows. Most people will pop in a USB key with little thought of the risk, so a “just say no” approach is not effective. Our CTO was at a customer recently and was told that USB devices were not allowed at the site. Minutes later he produced a report that showed that USB devices had been used in over 20% of the machines in the past two weeks. So much for strongly worded guidelines.

The problems surrounding USB devices are useful in pointing out the value of Triumfant:

Malware detection and remediation. Triumfant will detect attacks that are delivered to a machine via a USB device, analyze the attack, and build a remediation to stop the attack and repair all of the damage to the machine. Infection to remediation in minutes. Remember, Triumfant detects attacks by identifying and analyzing changes to the machine, and is therefore attack vector agnostic.

Continuous enforcement of policies and configurations. With Triumfant you can build and enforce policies that disable the use of removable media like USB devices. Triumfant will set the policy and remediate any machine found to be out of compliance.

Continuous monitoring/situational awareness. Your organization may choose to not disable USB devices. Triumfant can provide information about what machines have had a USB device inserted and can identify machines with unusually high levels of data movement. Alternately, if you do disable the devices you may also have users with Admin rights to their machines, enabling them to change the configuration of the machine to override the policies. Triumfant can provide information about what machines have had a USB device inserted and identify those machines where the policy has been altered. Triumfant is not a data loss prevention (DLP) tool and therefore cannot tell you what, if any, data was exfiltrated, but we can tell you that such an exfiltration was possible.

In summary, Triumfant is able to protect machines from attacks delivered by USB devices, is able to enforce configurations that disable the use of USB devices, and provides insight into usage patterns of USB devices.

If only Triumfant could help me find the numerous USB devices my teenagers borrow and never return. Of course, once they have them, perhaps it is best I don’t plug them into my machine.

The Readers Speak! – Top 10 Posts for 2010

The Triumfant blog has been up and running for two years now and I am always flattered that anyone would take time from their day to read a post.  As we end the year, I thought I would post a list of the top 10 posts for the year, as determined by the number of views.

Advanced Persistent Threat: Solution – No, Effective Detection – Yes

This post is about how Triumfant uses its unique approach – change detection and contextual analysis to see the attacks characterized by the Advanced Persistent Threat.

Antivirus Detection Rates – Undetected Attacks Are Still Attacks

This is one of my favorites and addresses a critical concept – the reporting from your current defenses will obviously not tell you what attacks are getting through.  The see no evil approach does not mean that you are not getting attacked.

Antivirus Detection Rates – It is Clear You Need a Plan B

There are any number of reports and studies that clearly show that AV detection rates are bad and getting worse.  So what are organizations doing about that fact (if anything)?

Tired of the Term Advanced Persistent Threat – How About Cold Harsh Reality?

This post followed a spirited exchange in the blogosphere and twitterverse about the term Advanced Persistent Threat and whether APT is more about the adversary or the attacks.  This post was my entry into the conversation.

Intel Acquires McAfee, IBM Acquires BigFix – What Does It Mean to You?

2010 was a tumultuous year for the security industry and these two acquisitions are at the front of that tumult.  This post is my take on what these acquisitions mean and what happens to smaller companies when subsumed by larger ones.

Antivirus Detection Rates Study Shows the Real Exposure to Your Organization

Another post that follows yet another study on AV detection rates.  The goal was simple: there are lots of these reports and studies published, but very little pragmatic assessment about what that means in regards to risks for the organization.

Triumfant and Operation Aurora – Detecting the Advanced Persistent Threat

Remember back before Stuxnet?  When Operation Aurora hit, I got lots of inquiries of whether Triumfant would have detected the attack.  Because none of our customers were hit by the attack, our CTO Dave Hooks broke down all of the data on Aurora and created this in depth case study.

Oh the Animals You Will See at the RSA Zoo (Conference)

This was written as a bit of a joke but reflects my many years of exhibiting at the RSA show.  It was one of those posts that sounded good when written, but gives pause before you post because of the fear that it will be funny to no one else but you.  I was pleased with the spirit in which it was received.

Security Configuration Management – Plugging the Holes in Your Endpoint Security

This post dug into the concepts of security configuration management in depth and provided a pragmatic conversation about the approach of Triumfant that includes our normative baseline and our automated remediation capabilities.

The Yin and Yang of Triumfant – Agent Based Precision With Network Level Analytical Context

This very recent post grabbed a significant quantity of views faster than just about any post.  The post discusses the ability of Triumfant to deliver agent level precision with the power and context of server based analysis.

So there you have the top ten as voted by you, the readers.  Thank you for reading and the feedback you provide.  Have a great holiday and a Happy New Year.

Triumfant Implements SCAP / Trusted Network Connect

Today Triumfant was part of a broader announcement by the Trusted Computing Group (TCG) about the integration of the Trusted Network Connect (TNC) security specifications with the Security Content Automation Protocol (SCAP) from National Institute of Standards and Technology (NIST).  Triumfant was listed in the press release as having implemented the TNC/SCAP integration in collaboration with Juniper Networks and we demonstrated this capability for the past two days at the NIST IT Security Automation Conference at the Baltimore Convention center.

Let me pause for an acronym break and level set.  The Trusted Computing Group is a not-for-profit organization that promotes open, vendor-neutral, industry standards for trusted computing by helping define standards and specifications for sharing information across multiple computing platforms.  Triumfant is a member of TCG.

TCG’s Trusted Network Connect (TNC) architecture is a standards-based framework for Network Access Control (NAC) that bases network access decisions on security state information.  The objective of the TNC architecture is to deny network access to endpoints that do not meet certain minimum security criteria or are found to be corrupted or under malicious attack.  The TNC architecture may invoke NAC operations to place machines in quarantine to prevent further infection.

It may sound elemental, but implementing TNC implies that an organization must have some common minimum security criteria to apply, which surprisingly is not always the case.  This is where the integration with SCAP was so natural, as SCAP provides a standard set of criteria that is well defined and readily applicable to the TNC process.  Triumfant’s specific and unique methods for monitoring SCAP criteria made our implementation an even tighter fit, as Triumfant maintains a central repository of SCAP compliance data that can be readily accessed to verify minimum compliance.

Triumfant worked with the good folks at Juniper Networks to build the current TNC/SCAP implementation and was able to code the software necessary to make the process work using the TNC framework from TCG and SDKs from Juniper.  I will skip the execution details, but you can get all of the information you require through our TNC white paper and our TNC Fact Sheet or from our TNC web page.

From my side, the entire TNC process just makes sense.  Machines have to meet some minimum standard to connect and if they don’t, then they have to be brought into compliance.  Since drift happens, the machine must be periodically checked to ensure that it is still in the proper compliant state to stay connected.  If a machine is not compliant or is under attack, it must be remediated quickly and with minimal human intervention to restore the machine and therefore its ability to connect.  All of this needs to be done transparently and without any undue intrusion on the endpoint.  The TNC/SCAP implementation from Triumfant and Juniper does just that.

In short, the TNC implementation checks the minimum security criteria at log-in and at regular intervals while the machine is connected to the network.  If the compliance assessment fails, the NAC is triggered to take some form of action, normally moving the machine to a remediation network.  Here the compliance problems can be addressed and the compliance assessment process executed again, with the goal of moving the machine back to the primary network when the assessment is positive.

Triumfant was an early adopter of SCAP and the SCAP standards are fully integrated into our processing.  Triumfant provides policies for the SCAP configuration standards and executes those policies as an optional part of our daily processing.  Implementing the TNC/SCAP integration simply requires that the administrator choose which SCAP criteria are to be used as the criteria set for connection.  Triumfant performs continuous monitoring of the SCAP policies and stores the actual results of the SCAP policies in the server repository, so it is possible to check a machine’s compliance status without having to do a lengthy scan of the machine on demand.  This capability gives the TNC/SCAP implementation the ability to check compliance at log-in without creating long delays while the security criteria are verified.

A critical differentiator of Triumfant has always been our unique ability to build a situational remediation to fix the problems we find, both non-compliance and malware.  This capability aligns perfectly with the TNC process of remediating the problem and restoring the affected machine.  Triumfant builds the appropriate remediation to address the detected problems, after which the compliance assessment can be executed to verify that the machine may be returned to the primary network.
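The admission flow described over the last few paragraphs (assess against an administrator-chosen set of SCAP checks using stored results rather than a live scan, divert failures to a remediation network, remediate, re-assess, and return the machine) reads naturally as a small decision loop. The following is an added example written for this post; it is not Triumfant's or Juniper's code and does not use the TNC SDK. The check names, the repository layout, and the 24-hour maximum age for a stored result (after which the result is treated as unknown rather than trusted) are assumptions of the example; the post does not state an age limit.

```python
from datetime import datetime, timedelta

PRIMARY_NETWORK = "primary"
REMEDIATION_NETWORK = "remediation"

# Administrator-chosen subset of SCAP checks that gate network access (hypothetical names).
REQUIRED_CHECKS = ("firewall_enabled", "password_min_length_ok")

# Assumed policy: a stored result older than this is treated as unknown, so the
# machine is sent for a fresh check rather than trusted on stale data.
MAX_RESULT_AGE = timedelta(hours=24)

NOW = datetime(2010, 9, 29, 9, 0)

# Constructed server-side repository of stored SCAP check results, one record per machine.
REPOSITORY = {
    "laptop-a": {"checked_at": NOW - timedelta(hours=6),
                 "results": {"firewall_enabled": True, "password_min_length_ok": True,
                             "autorun_disabled": True}},
    "laptop-b": {"checked_at": NOW - timedelta(hours=2),
                 "results": {"firewall_enabled": False, "password_min_length_ok": True,
                             "autorun_disabled": False}},
    "laptop-c": {"checked_at": NOW - timedelta(days=3),
                 "results": {"firewall_enabled": True, "password_min_length_ok": True,
                             "autorun_disabled": True}},
}


def assess(machine, repository, now):
    """Return (status, failed_checks) from stored results instead of a live scan."""
    record = repository.get(machine)
    if record is None or now - record["checked_at"] > MAX_RESULT_AGE:
        return "unknown", []
    failed = [c for c in REQUIRED_CHECKS if not record["results"].get(c, False)]
    return ("compliant" if not failed else "noncompliant"), failed


def access_decision(machine, repository, now, malware_detected=False):
    """Decide which network the NAC should place the machine on at log-in or re-check."""
    if malware_detected:            # an attack detection also triggers the TNC action
        return REMEDIATION_NETWORK
    status, _ = assess(machine, repository, now)
    return PRIMARY_NETWORK if status == "compliant" else REMEDIATION_NETWORK


def remediate(machine, repository, now):
    """Stand-in for fixing the failed checks; records a fresh compliant result."""
    record = repository.setdefault(machine, {"checked_at": now, "results": {}})
    for check in REQUIRED_CHECKS:
        record["results"][check] = True
    record["checked_at"] = now
    return record


def admission_cycle(machine, repository, now, malware_detected=False):
    """Assess, remediate on the remediation network if needed, re-assess; return the path taken."""
    path = [access_decision(machine, repository, now, malware_detected)]
    if path[0] == REMEDIATION_NETWORK:
        remediate(machine, repository, now)
        path.append(access_decision(machine, repository, now))
    return path


if __name__ == "__main__":
    for name in sorted(REPOSITORY):
        print(name, "->", " then ".join(admission_cycle(name, REPOSITORY, NOW)))
```

The point of the age check is the trade-off the post touches on: reading stored results keeps log-in fast, but only if those results are refreshed continuously, so a result that has aged out must be treated like a missing one rather than a pass.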

Of course, the Triumfant TNC implementation is not limited to SCAP criteria.  Any security configuration policy defined to Triumfant may be applied.  That being said, the integration of TNC with SCAP is just one of those hand-in-glove combinations that makes too much sense.  Furthermore, the TNC process can also be triggered if Triumfant detects malware on the machine, and in fact, our demonstration implementation shows that capability. This helps protect your network when we detect an attack that gets past your traditional shields (which of course they do).

It is always fulfilling to participate in activities like the TNC implementation because it provides a practical and visual illustration of the capabilities of Triumfant.  It has also been a pleasure to work with the folks at TCG and with the team at Juniper, specifically Steve Hanna, who is a distinguished engineer with Juniper and a very active member of the TCG.

USB Security Issues Illustrate the Last Mile Problem of IT Security

There has been a lot of news lately about USB security problems.  A recent Government Computing News article by William Jackson referenced the 2008 Pentagon breach that started from a worm uploaded from a USB flash drive.  Computerworld has an article by Darlene Storm that recounts several “USB security blunders”, including malware on free USB tradeshow giveaways.

USB devices and their use illustrate how little real information that IT departments have available about their endpoint populations.  It is a strange derivation of the “last mile” phenomenon – they closely measure and monitor networks and servers, but have very little insight into what is on, or what is happening on, endpoint machines which are the last mile of the IT architecture.

For example, our CTO Dave Hooks was at a customer site where they told him that USB keys were forbidden and that they had eliminated their use within the organization.  Dave promptly ran a report easily accessible from the data in the Triumfant repository to show that a USB storage device had in fact been used on over 10 percent of the machines in the organization over the past two weeks.  This information certainly opened some eyes.

You see, because Triumfant scans for over 200,000 attributes per machine, we have that data available to produce such a report.  But unless an organization has Triumfant or some other means to collect that information, they have no idea about the extent of such activity.  That is why the Computerworld article notes that agencies have resorted to gluing shut USB ports in the absence of actionable data.

When I write about Triumfant it is to educate on the capabilities of the tool given that it is unlike other tools on the market.  The ability to report on machines that use USB storage devices is a small but significant example of what Triumfant can do – provide information where there is a vacuum.  Information drives understanding, which drives analysis, which drives action.  Secondly, disabling autoplay is one step an organization can take in defending against malware on USB devices – one of the actions borne of information.  Continuously enforcing that configuration setting is easily accomplished by Triumfant.
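The report Dave ran (which machines have had a USB storage device inserted in the past two weeks), the "policy altered" view from the earlier USB Drives post, and the autoplay setting this post recommends enforcing all come from the same kind of per-machine attribute data. The following is an added example, not Triumfant's code or report format: it computes those views over a constructed snapshot. The attribute names are hypothetical stand-ins for whatever an endpoint agent actually collects, and the machine names and timestamps are made up.

```python
from datetime import datetime, timedelta

# Constructed endpoint attribute snapshot. "usb_storage_last_seen" is the newest
# timestamp at which a USB mass-storage device was present on the machine (None if
# never), and "autorun_disabled" is the state of the removable-media autorun policy.
# Attribute names are hypothetical, not the attributes any real agent collects.
NOW = datetime(2011, 3, 15, 12, 0)
SNAPSHOT = {
    "ws-001": {"usb_storage_last_seen": NOW - timedelta(days=2), "autorun_disabled": True},
    "ws-002": {"usb_storage_last_seen": None, "autorun_disabled": True},
    "ws-003": {"usb_storage_last_seen": NOW - timedelta(days=30), "autorun_disabled": True},
    "ws-004": {"usb_storage_last_seen": NOW - timedelta(hours=5), "autorun_disabled": False},
    "ws-005": {"usb_storage_last_seen": None, "autorun_disabled": False},
    "ws-006": {"usb_storage_last_seen": None, "autorun_disabled": True},
    "ws-007": {"usb_storage_last_seen": NOW - timedelta(days=13, hours=23), "autorun_disabled": True},
    "ws-008": {"usb_storage_last_seen": None, "autorun_disabled": True},
}


def recent_usb_machines(snapshot, now, window=timedelta(days=14)):
    """Machines on which a USB storage device was seen within the window."""
    cutoff = now - window
    return sorted(name for name, attrs in snapshot.items()
                  if attrs["usb_storage_last_seen"] is not None
                  and attrs["usb_storage_last_seen"] >= cutoff)


def policy_altered_machines(snapshot):
    """Machines where the autorun policy is not in the enforced (disabled) state."""
    return sorted(name for name, attrs in snapshot.items() if not attrs["autorun_disabled"])


def usb_report(snapshot, now, window=timedelta(days=14)):
    """Summarise USB usage and policy drift across the population."""
    recent = recent_usb_machines(snapshot, now, window)
    altered = policy_altered_machines(snapshot)
    total = len(snapshot)
    return {
        "total_machines": total,
        "recent_usb": recent,
        "recent_usb_pct": round(100.0 * len(recent) / total, 1) if total else 0.0,
        "autorun_policy_altered": altered,
        # Highest priority: the policy was overridden AND a device was actually used.
        "altered_and_used": sorted(set(recent) & set(altered)),
    }


if __name__ == "__main__":
    for key, value in usb_report(SNAPSHOT, NOW).items():
        print(f"{key}: {value}")
```

The last line of the report is the one an administrator would act on first: a machine where the autorun policy has been changed and a device has been inserted since is exactly the "exfiltration was possible" case the earlier post describes, and it is also the machine most exposed to autorun-delivered malware.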

The threat presented by USB devices is also a reminder that all of the network security in the world won’t protect against malware introduced directly to the machine.  Here again Triumfant comes to the rescue as Triumfant is able to detect attacks such as the Pentagon worm that made it through the endpoint defenses.  In such cases, Triumfant would have seen the worm when it executed, analyzed the threat, and built a remediation to remove the worm on every machine where it was introduced.  The time from infection to remediation would have been under five minutes, which likely would have kept it from propagating.

The threat represented by USB storage devices is not new and it is certainly not the last threat organizations will face.  It is an example of how detailed information about the endpoint population can help address such threats, and how organizations must look past traditional defenses to guard against such threats.

1.6 Reasons Why Triumfant’s Automated Remediation Approach is Superior

Remediation is becoming a hot topic and already the FUD is flying.  Of course, we are excited about our remediation story and I am often asked why our approach to remediation is different from others on the market.  Let me see if I can help by borrowing a statistic.

I was at a meeting at Symantec headquarters on Friday where Francis deSouza, senior vice president of the Enterprise Security Group at Symantec, was first on the agenda.  In his presentation, deSouza noted that Symantec research indicated that attacks are morphing so quickly that any given variation of an attack is used against 1.6 machines before a new variant appears.

Most companies (maybe everyone but Triumfant) employ an approach to remediation that employs previously written scripts that are matched to detected attacks.  This approach of course requires that such scripts can only be written for known attacks.  While there are some generic approaches that may apply to previously unknown attacks, for any moderately complex unknown attack there will likely be no remediation script.

Now let us put deSouza’s statistic to work in the discussion about remediation.  If we put the script-based approach in the context of deSouza’s statistic, we can conclude that any remediation script is good for 1.6 machines.  Makes sense, because if the attack is morphing, then it follows that the remediation needs would also change.  A new variant requires a new script.

I am already reluctant to believe that any pre-written script can be completely effective for attacks of even moderate complexity, because attacks may cause varying primary and secondary damage based on the unique combination of factors for any given machine such as OS version, installed applications, and differences in configuration.  Add the restriction to previously known attacks and Mr. deSouza’s statistic, and a logical conclusion is that scripted remediations will fall short.  Even if a script will apply, it is reasonable to doubt that the script is capable of remediating the machine without leaving one or more artifacts that will make the machine vulnerable.  This doubt normally translates to organizations re-imaging the machine as a matter of standard practice.

There are other differences such as the need for context.  For example, a process may be part of an attack.  A generic script may mark that process for deletion, when it may be a process shared by other benign applications.  A script would have to either shoot it on sight, potentially corrupting other applications, or contain the logic required to know what other applications shared the process and then have the ability to determine if those applications were installed on the machine.  Accounting for every “except for” would certainly be a challenge.

Triumfant constructs a remediation that is specific to the identified incident for that machine and requires no previous knowledge to build this remediation.  We correlate all of the changes to the machine to build a remediation so complete you should not have to reimage the machine.  The remediation is surgical, contextual and specific.  As a bonus, our remediations can leverage our patent pending donor technology to restore deleted or corrupted files.

There is more, but I feel like the point has been made and anything else would be showing off.  The differences between common remediation solutions and Triumfant’s approach are profound.  Now I need to figure out how you attack 0.6 of a machine.

Have No Fear: Triumfant’s Remediation Capability is Automated, Not Automatic

In my previous blog entry I attempted to unravel some of the fear, uncertainty and doubt around our automated remediation capabilities.  After a week of quiet contemplation at the beach and writing a whitepaper on the subject I had an epiphany.  I think the fear comes from a misunderstanding between the words “automated” and “automatic”.  Allow me to explain.

Triumfant has automated the construction of a remediation for any malicious attack or anomalous incident it finds.  The detail is all there in the blog entry.  But in short, because Triumfant knows what has changed and knows the value of every attribute or file before it was changed, it is a logical next step to build a remediation script to return the affected attributes to their pre-attack condition.  No spooky “thinking computer” stuff, just sound logic driven by the capabilities of our granular change detection.

The automated remediation Triumfant creates is not automatic in its execution.  The Triumfant administrator must perform a one-touch confirm of the remediation before it is sent to the agent for execution.  Triumfant does the heavy lifting of analyzing the attack or problem and building a comprehensive remediation script.  It is automated.  There is still the failsafe of human interaction as a confirmation.  It is not automatic.
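The logic described here, and in the previous post's claim that the remediation is built by correlating all of the changes to the machine, is a diff between a known-good snapshot and the current one, turned into a plan that returns every changed attribute to its prior value and held until someone confirms it. The following is an added example written for this post, not Triumfant's code: it builds such a plan from two constructed attribute snapshots and refuses to apply it without the confirmation flag. The attribute paths and values are made up, and the donor-based restoration of file contents mentioned in the previous post is not modeled; the example simply keeps the prior value in the baseline.

```python
# Constructed attribute snapshots keyed by a hypothetical attribute path. A value of
# None means the attribute (registry value, file, service setting) does not exist on
# the machine. File contents are represented by placeholder digest tokens.
BASELINE = {
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater": None,
    "C:\\Windows\\System32\\drivers\\etc\\hosts": "digest-hosts-baseline",
    "service:WinDefend:start": "auto",
    "C:\\Users\\Public\\report.doc": "digest-report-baseline",
}
CURRENT = {
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater": "C:\\Users\\Public\\upd.exe",
    "C:\\Windows\\System32\\drivers\\etc\\hosts": "digest-hosts-modified",
    "service:WinDefend:start": "disabled",
    "C:\\Users\\Public\\report.doc": None,
}


def diff_snapshots(baseline, current):
    """List every attribute whose value differs, classified as added/deleted/modified."""
    changes = []
    for attr in sorted(set(baseline) | set(current)):
        before, after = baseline.get(attr), current.get(attr)
        if before == after:
            continue
        kind = "added" if before is None else "deleted" if after is None else "modified"
        changes.append({"attribute": attr, "kind": kind, "before": before, "after": after})
    return changes


def build_remediation(changes):
    """Turn the change list into a plan: remove what was added, restore everything else."""
    plan = []
    for change in changes:
        if change["kind"] == "added":
            plan.append({"attribute": change["attribute"], "action": "remove"})
        else:
            plan.append({"attribute": change["attribute"], "action": "restore",
                         "value": change["before"]})
    return plan


def apply_remediation(state, plan, confirmed=False):
    """Execute the plan only after an explicit confirmation; return (new_state, applied)."""
    if not confirmed:                      # automated to build, not automatic to run
        return dict(state), False
    new_state = dict(state)
    for step in plan:
        if step["action"] == "remove":
            new_state[step["attribute"]] = None
        else:
            new_state[step["attribute"]] = step["value"]
    return new_state, True


if __name__ == "__main__":
    plan = build_remediation(diff_snapshots(BASELINE, CURRENT))
    for step in plan:
        print(step)
    _, applied = apply_remediation(CURRENT, plan)
    print("applied without confirmation:", applied)
```

The separation between building the plan and applying it is the whole distinction the post draws: the plan is produced without any prior knowledge of the attack, because it only needs the before and after values, while execution waits on the confirmation flag unless the administrator has deliberately opted a known incident type into automatic handling.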

There do exist easily implemented mechanisms to make remediations automatic for incidents encountered in the past and for configuration and policy enforcement.  In these cases the remediations are known and the customer is comfortable with their effects.  For example, we have customers who identify specific applications they want removed from endpoint machines, and these remediations are automatic.  But for anything new encountered by Triumfant such as a zero day attack or an Advanced Persistent Threat type attack, the default is the one-touch confirm by the administrator, providing oversight and control.

Why am I writing about this subject?  People seem to have a love/fear relationship with the concept of automated remediation.  For example, at the NIST Security Automation Conference last October in Baltimore I asked the attendees in my presentation two questions:

Q1: Who wants automated remediation?  A: Every hand in the room enthusiastically shot up.

Q2: Who is ready to implement automated remediation?   A: Crickets.

All I can surmise is that security people suffer from what I have dubbed “SkyNet Syndrome” – the lingering effects of watching science fiction movies and television series that ultimately play the “smart computer comes to life and destroys the world” card.  The list is long and distinguished: M5 and Nomad on Star Trek the Original Series, V’Ger on the first Star Trek Movie, Colossus from Colossus: The Forbin Project, Proteus on The Demon Seed, and, of course, SkyNet from The Terminator.

Notice that I did not include W.O.P.R. from WarGames as he was hacked and did not become sentient.  Of course he was hacked because he had poorly configured endpoint protection that could have been easily recognized through change detection and quickly addressed by Triumfant through an automated remediation.  But I digress.

Security Configuration Management – Don’t Fall for the Old Saw of Patch Management

Yesterday I attended a customer event for one of the larger IT security firms and one of our partners.  During one of the sessions, another partner gave a presentation on security configuration management that nearly drove me to a Kanye West “grab the microphone” moment.

The partner in question regaled the attendees with a story of automated configuration management that involved long intrusive scans, followed by analysis to identify problems, followed by the issuance of what are essentially patches to correct non-compliant machines.  This process seemed horribly cumbersome and certainly did not meet my definition of automated.  And the remediations for the detected problems were pulled from a list of pre-written remediations in a one-size-fits-all approach.

Worst of all, the process happened infrequently – monthly at best, perhaps quarterly or twice yearly.

The saw blades are a visual of configuration drift over time. The length of the saw teeth represents the amount of drift and the size of the gap between them represents the time between corrections.  If the height of each saw tooth indicates how much configuration drift you will experience with large gaps between configuration corrections, which do you think represents the most secure environment?  The bigger the teeth, the higher the organizational risk.  You want the hacksaw blade.

My negative reaction comes from knowing there is a better way to deliver security configuration management.  Triumfant will continuously scan for changes to endpoint machines and detect when the machine is in a non-compliant state.  Triumfant’s analytics will evaluate the changes to the machine, create a remediation for that problem, and return the machine to compliance.  Remediations are created on the fly to address specific detected problems on each machine.  The remediations are surgical, contextual, and situational.  The remediation is delivered to the machine and executed by the agent.  All of this can be set to a one-touch confirm from the administrative console or fully automated.  And we will open a trouble ticket, populate the ticket, and close it to track the process.

The result – your organization starts every day in an audit ready state.  The maximum drift is 23 hours and 59 minutes.  Not a month, 3 months, or 6 months.  No need for heavy, obtrusive scans, no human intervention needed to write remediation scripts, no additional patching activity.

Folks, patching is a big part of the problem, so why would you get excited about any so-called solution that is essentially a patch management process?  Patching is hard and rarely done well.  Why do you think there is so large a time gap between correction cycles with this technique?  Take a hard look at many of the companies pushing configuration management – they often have their roots in patch management and that is how they address the problem.

Security configuration management effectively reduces the attack surface on each machine, but this is achieved only when the configurations are continuously enforced.  When you can detect and remediate problems every day, you create what we call persistent security readiness.  Don’t settle for old school techniques and large gaps between corrections because monthly or quarterly is not persistent.  There is a better way.

Cyber Czar Announcement Slipped Under the Door – What Does That Say?

Today it was announced that Howard Schmidt was appointed to the White House Cybersecurity Coordinator position otherwise known as the cyber czar.  Much has been written in our blog about this position since it was announced, and the timing and approach to the announcement has done nothing to eliminate the concerns previously expressed.  I have much reading to do before I comment directly on Mr. Schmidt, but I do have very strong impressions from the way it has been handled.

The position was originally announced at a press conference in late May on the Friday before Memorial Day.  Not exactly a day and time that you would select for something of importance or to maximize the impact.  Months passed as candidates not only turned down the position, but candidates like Melissa Hathaway left the government for the private sector. 

And now we get an announcement stating the position has been filled on the Tuesday of Christmas week, in a city where most of the government is closed because of a record setting snowstorm.  The announcement gets a mention on the White House blog with a picture of the President shaking hands with his new Cybersecurity Coordinator in what appears to be a hallway.  No press conference, no fanfare, no President standing at the side of the new Czar as a show of support to the position and a commitment to the idea of cyber security. 

I went to the White House press page at 11:00 am EST and there is no formal announcement.  There is news about the Enactment of the Airline Flight Crew Technical Corrections Act, something about agencies cutting spending by $19B, and some nominations that were sent to the Senate, but nothing about this position. 

I am sure there will be Obama acolytes that will line up to applaud the announcement, but I find myself angry today as I weigh what I see from the White House.  I have the somewhat unique perspective of being a marketing person in cyber security.  That means that cyber security is important to me and I have a taste of the threat against our country.  As a marketing person, I see the not so subtle signals being sent by the White House regarding this subject.  Put this in context of the amount of energy thrown at other items such as the Chicago Olympic bid, and it is reasonable to draw the conclusion that the White House is not committed to cyber security and this role.  

I would be a lot angrier if I had not spent the last year working with people at NIST, the NSA, the intelligence community and the DoD who are proactively and energetically looking for new and innovative ways to protect our government from malicious attacks.  Best of all, these groups are working together to share data and knowledge in a way that would make taxpayers happy and proud.  So I’ve seen real, actionable progress taking place long before Mr. Schmidt assumed this role.   

To be clear, I never viewed the cyber czar as some sort of mythical figure that could solve our cyber security problems with a wave of the hand, but I was hopeful that the role would serve as a way to focus attention on the problem and help create a sense of urgency toward progress.  And if that person was seen as having the “full faith and credit” of the President, it would give that person some authority to be something other than a figurehead. But that is exactly how I view this position today – a campaign promise fulfilled in the least effective way possible and with minimal authority, buried in slow press days.

This week we got news that our military drones had been hacked with $26 software, a plea was entered in the Heartland breach by the same person who pulled off the TJX breach (who used a simplistic and well known SQL injection technique to penetrate Heartland), and that Twitter was disabled completely by a DNS attack.  And we get a tepid announcement the Tuesday before Christmas on a position that it took them seven months to fill.  I’d hate to see what type of catastrophic, IT security based incident it would take to make the White House treat the problem with the seriousness it deserves.

Triumfant is Now McAfee Compatible – Our Integration with McAfee ePolicy Orchestrator

On October 5 it was announced that Triumfant had achieved McAfee Compatible status in McAfee’s Security Innovation Alliance (SIA).  This status is achieved when a vendor like us is able to demonstrate interoperability between McAfee ePolicy Orchestrator (ePO) and Resolution Manager in testing conducted by McAfee. 

So what does that mean and what level of integration and interoperability exists?  The integration with ePO is being done in phases with the first phase available today.  In the first phase, information from Resolution Manager is available through the ePO console, with drill-downs to Resolution Manager for more details on specific incidents and events.   In the next phase scheduled to be completed by year end, there will be additional integrations:

  • The ability to push out the Triumfant agents from within ePO.
  • Direct integration with the ePO event tables.  Resolution Manager will use database-to-database integration to move event information from Resolution Manager directly to the ePO event table.   This allows data collected by Triumfant to be a part of the integrated reporting of ePO.
  • Additional drill-down capabilities from the ePO console to view our machine status, configuration, change history, incident history, performance, and diagnosis screens.  These links provide ready access from the ePO console to as much data from Resolution Manager as possible. 

Additional phases are still being scoped and will be shaped by the needs of our customers once they put the integrations to use.  Likely additions include integration of the wealth of asset data collected by Resolution Manager to the ePO asset data stores. 

What does our integration with McAfee mean and why is it important?  We understand that companies are inundated with new interfaces, making integration points for presentation and management – the elusive single pane of glass – very important.  For McAfee customers, ePO is that integration point.  This was very apparent to me at the McAfee FOCUS 09 User Conference, as most of the people who came by our booth started the conversation with a query about our ePO integration.  It was obvious that such integration was a gating factor in their decision to look deeper into our offering. 

We have always positioned our product as a complement to traditional endpoint protection tools like McAfee, and our relationship with McAfee is a natural extension of that philosophy.  It is clear from the McAfee customers that they embrace ePO as a single point of command and control for endpoint protection, so it is an equally natural extension to integrate Resolution Manager into ePO.  I commend McAfee for their desire to build an ecosystem for their customers that includes third party vendor partners, and we are very pleased to have achieved the McAfee Compatible designation.

As always, we are happy to demonstrate our capabilities, including our integration with ePO, and I invite you to contact us to set up an online demo.  I think you will see the benefits of our collaboration with McAfee, and the value of adding Resolution Manager to the McAfee suite will be readily apparent.
