The second path gets to the same destination, but the conversation includes a line of discussion where people seek a reference point to compare Triumfant with other endpoint protection products or product categories.  This is natural and I by no means imply that such people are not smart or perceptive – it is human nature to build new knowledge off our existing points of reference.  This path begins with the phrase “oh, so you are like <insert product name or product category here>?”, and that is where the fun begins as we spend some time discovering what our product is not. 

Which leads me to today’s post – I thought I would provide a primer on what we are not:

• Antivirus – If you did not know this, you must be a first time visitor and may want to check out the post on our malware counter.  We are most definitely not an antivirus product and do not use signatures to detect malicious activity.  Not that there is anything wrong with that.
• Behavioral Analysis – behavioral analysis is getting some attention as an alternative to AV but has been met with mixed results.  Essentially behavioral analysis tools watch running processes and create an alert if the process does something that it deems suspicious.  These tools are touted as protection against zero-day attacks but can suffer from false positives that make them problematic.  (Note: Some vendors will position their behavioral based tools as comparable to Triumfant.  The comparisons don’t stand up.)
• Heuristics – heuristic analysis attempt to operationalize experience to identify new malware or variants of known malware. Three methods are used: file analysis, file emulation, and generic signatures, all of which require some previous knowledge of the attack and therefore suffer from the same diminishing (Gartner’s word, not mine) capabilities as signature based AV software as the number of attacks grow geometrically. Triumfant makes use of some heuristic analysis once we detect an attack, but it is not how we detect an attack.
• HIPS – some people feel that HIPS (host intrusion based protection) tools are a close match to Triumfant. These tools use a combination of firewall, system-level action control and sandboxing in an attempt to detect malware and prevent it from being loaded onto the host machine.  These tools have found limited success and are considered resource intensive and prone to false positives. Triumfant takes a very different approach to HIPS and does not require extensive blacklisting, nor does it result in resource issues on the host machine or the network. 

It should be noted that none of these tools include the capabilities of synthesizing situational remediations for detected problems that fix not only the malicious attack but all of the collateral damage associated with the attack.

So there you go – a brief discussion of what we are not.  You can now free your mind and think about what we are: a unique tool that uses granular change to detect, analyze and remediate unexpected changes to endpoint machines and servers.  Understanding how we are different further frees you mind to grasp the practical applications of our technology such as the real-time detection and remediation of malicious attacks. For a better explanation let me suggest you start with our web site or with some of the following blog entries:

• The Triumfant three minute malware challenge
• Triumfant announces real-time malware detection and remediation

The release includes two major enhancements to Resolution Manager, specifically in the realm of endpoint security.  First, detection of malicious activity is now real-time.  In this release, the agent now scans for approximately 200 security specific attributes that are markers of malicious activity in a continuous loop, and immediately interacts with the Triumfant server if it detects anything that may be malicious activity.  This kicks off the analysis process, and if it is determined that it is indeed a malicious attack, a remediation is synthesized and sent to the agent for execution.  This entire process from infection to detection to remediation spans mere minutes.  While Resolution Manager has always been able to detect malicious code and the agent has always continuously scanned endpoint machines to detect unusual or suspicious changes, the agent previously communicated its results to the server once per day by default, giving the detection process a 24 hour cycle. 

Second, the remediation capabilities for security specific incidents have been significantly enhanced.  As a result, Resolution Manager is now able to synthesize a remediation in all but the most extreme circumstances, eliminating the need for human intervention in creating the remediation.  By eliminating human element and associated lag between detection and remediation, Resolution Manager instantaneously address the problem before the malware can further damage the machine or propagate to other machines.

So there is the “what”, no let’s get to the “so what”.

The ability to identify malicious activity without the need for signatures or any prior knowledge of the attack makes Triumfant unique in its ability to see the complex, directed attacks that evade traditional, signature based defensive software, as well as see the work of maliciously intended insiders.  By making this detection capability real-time, Triumfant addressed an enormous gap in endpoint security and delivers true protection against the rapidly evolving nature of cyber crime. 

Let me say a word about false positives.  Whenever we brief analysts, press, and prospective customers, the question of false positives frequently is raised, as past attempts to use change detection or anomaly detection have been hindered by the false positive problem.  The engineers at Triumfant have eliminated the false positive problem by performing quite elaborate and complex comparative analysis of detected changes across the broader population of machines allowing them to see if a change is truly anomalous.  These analytics are quite innovative, and the subject of pending patents, and we will post a more detailed explanation of how they work very soon, likely written by someone far smarter than me.  But on a more practical scale, we can honestly say that none of our customers have encountered false positive problems.  The bottom line is that while others have tried new methods for detection, Triumfant has delivered an innovative and sound approach to malware detection to the mainstream.

While the detection capability of Triumfant is news to itself, the automated remediation capability is an enormous step forward in endpoint protection.  When a new variant of an existing attack or a zero day attack occurs, organizations must rely on human intervention to perform the analysis and write some form of script or new signature to address the problem. This process may take hours or even days, allowing the attack to spread and cause significant interruptions of service and potentially damaging loss of sensitive data.  By synthesizing a holistic remediation on the fly, Triumfant becomes the first tool to be able to address such attacks without the need for human intervention, narrowing the gap between detection and remediation by many orders of magnitude. And since Triumfant sees all of the changes to the infected machine, the synthesized remediation removes the offending code and repairs all of the collateral damage of the attack, restoring the machine to its pre-attack status and eliminating the need for costly and intrusive re-imaging.

So there you have it.  We think this is a pretty significant step forward as malicious attacks are growing in volume and complexity at a geometric rate, and defensive products that rely on signatures to detect an attack, remediate an attack, or both, are using a model that we, and a lot of other very smart people, believe is simply not sustainable.  We also believe that this release changes the game for endpoint security with a product that automatically detects and remediates malware without the need for signatures or prior knowledge of the attack.  By compressing the entire process of detection, analysis and remediation down to minutes instead of hours or days and eliminating the need for human intervention, we think that organizations will also see this as a significant step forward.   

The first article was the CNET Article by Elinor Mills about the $100 million the DoD has spent cleaning up after internet and network attacks over the past six months.  Seems that the DoD took over 1,500 machines offline last year due to cyber attack.  I am quite sure we could have helped.

When Triumfant detects a problem on an endpoint machine, it will build a remediation for that machine on the fly.  We can do that because we scan 200,000 or more attributes on a machine and can detect changes to each and every one of those attributes.  This gives our product the ability to see what was done to the machine by the attack, so we can easily reverse the effects of the attack.  It is not voodoo or something that is too good to be true.  It is sound and innovative technology!  We clean up all of the collateral damage of the attack – open ports are closed, configuration settings are restored and registry entries are repaired – eliminating the need to re-image a machine.  And with the new release of our product due out Monday, the time from detection to remediation is minutes not hours or days.

There is no writing of scripts or no intervention from a vendor needed.  This elimination of human intervention translates to an elimination of the associated costs with that intervention.  So I am totally confident that by using Triumfant, the DoD could have eliminated some of that $100 million.  How much I cannot say without knowing the data behind that number.  But I can say with total confidence that we would have saved them more money than the cost of our product.  Remember the $100 million was for six months, so I believe with total confidence that the DoD would have made up their investment in less than six months.

The article also mentioned that the $100 million included money spent on “inadvertent security problems” – which I interpret to be human error and user ignorance.  Triumfant detects and remediates incidents when users – either through ignorance or malicious intent – make changes to a machine.  We enforce policies and configurations without the need for, and cost of, human intervention.  So we would have saved them money there too.

“But wait” you say, “others claim automated remediation.”  Yes they do.  But dig deeper.  They either require someone to write a script or they leverage scores of pre-written remediations and invoke the remediation that best fits the detected problem.  Call them fixlets, remedies, scripts or anything else but they are not automated nor are they specific to the attacked machine.  In some ways, they are just like signatures in that they require previous knowledge of an attack to work.  If there is no fit, you need someone or a group of someones to write a script.  And they often do not fix all of the damage from an attack, leaving the machine dangerously vulnerable to future attacks. (more to say on this subject soon)

Of course, if the security industry would look past signature based protections to more innovative ways of detecting attacks, we could also directly impact the cleanup costs.  Which brings me to the second article which declared that IBM now estimates that 4 percent of computers worldwide are infected with Conficker.  This means that we have gone from early estimates of two to four million to ten to twenty million (or more).  The proverbial barn door swung open in November and we are still counting how many horses we lost.  And that barn door is not yet shut and we haven’t yet cleaned up the mess to know how much that cleanup will cost.  Conservative math says 10 million machines at $100 per machine is $1 billion dollars.

This is not an “AV is dead” rant.  AV is a necessary component of endpoint defense, and whether here in this blog or at a sales call, you will never hear anyone from Triumfant say otherwise.  We are in fact building partnerships with several of the leading AV vendors and will be in the partner booth of one such vendor at the RSA show.   But the facts do show that the complexity and volume attacks are growing geometrically, and the basic premise of signature based products – there needs to be a prior knowledge of the attack – makes it impossible for vendors to keep pace with both detection and remediation.  Conficker is just the latest embodiment of the problem.

Triumfant requires no prior knowledge to detect an attack so we see known attacks, variants of known attacks, and zero day attacks.  And we are already established that what we see, we can clean.  How many of those attacks that created the DoD’s $100 million cleanup could we have stopped?  I am not so bold to say all, but my guess is that we would have stopped more than enough to dramatically reduce both the costs and the amount of work lost from having to take so many PCs offline.

I am not claiming that Triumfant is the answer to every security problem we have today.  I do think Triumfant is one of the few real innovative approaches to cyber security in the past several years.  I have talked to a lot of industry analysts and writers, and presented to scores of security professionals in the government and commercial sectors, and no one can point me to another solution that does what we do.   Some are close, but when you dig deep you will find critical differences.

Many of you will be at RSA in two weeks, and I invite you to find our modest little booth (2535) and talk to us about how we might address your specific needs.  Or better yet, give us a call and we will be happy to come on your site and do a pilot.  We are used to healthy skepticism and pilots allow you to see for yourself how the product works. 

I will bet you that we will find at least one piece of malware on your machines that you did not know was there, and we will remediate it without any human intervention.  Who wants to go first?

Such is the case with Triumfant. Our software, Resolution Manager, is truly unique, and because of that, the things we can do for our customers are equally unique. The depth at which we scan endpoint computers and servers is unprecedented, so our ability to spot changes that may be indicators of potential problems or a malicious attack is equally unprecedented. Because we see all of the changes to a machine at a granular level, we have the unique ability to build a remediation on the fly specific to a given incident for that computer at that point in time. Can other products remediate? Sure. But only if the problem fits the patterns of pre-defined remediations, or if someone builds a remediation script which is then pushed to every machine in the population. No product that I know of builds a surgical, fully reversible remediation on the spot.

So until someone knows how we do what we do, it is often hard to fully appreciate what we can do. How we can see the malicious code that other signature based endpoint security products miss, because we detect the tell-tale indicators at the most granular level. How we can ensure that every machine can start every day compliant and audit ready to any numbers of policies and controls. How customers can expect a 20% to 40% drop in trouble ticket volume because we can spot and fix a problem before it interrupts service.

The beauty of the conversation is that as someone begins to understand the how, they often quickly connect the dots to the what. For example, I can’t tell you how many times experienced IT security people immediately grasp our ability to detect malicious attacks very early into the explanation of the how well before we get to the what part of the conversation.

So forgive us sometimes when we seem to ignore early comparisons with other products or start with descriptions of our technology before jumping into the application and benefits of the product. Sometimes describing the unique takes a slightly different approach.