Triumfant Blog » Resolution Manager

Remediation Without Re-Imaging

Jim Ivers — Tue, 16 Jun 2009 11:35:17 +0000

One of the benefits of the Triumfant solution for endpoint security is that it builds a situational remediation for the problems it detects. These remediations not only address the source of the problem, but also clean up all the collateral damage of the attack. This unique ability has an interesting associated benefit of eliminating the need to re-image the infected machine.

The analytics of Triumfant Resolution Manager do a remarkable job of finding the boundaries of an attack and all of the changes to the machine within those boundaries. Triumfant continually scans endpoint machines for over 200,000 attributes to identify all of the changes in that machine. When it detects an attack it uses dependency walks on the affected files and temporal analysis to ensure that it sees all of the related ripples. In this way, Triumfant sees the attack in its complete form and knows everything that was changed in that machine. While other tools simply kill the offending executable, Triumfant builds a surgical remediation that restores the machine back to the pre-attack condition, changed attribute by changed attribute. No roll-backs or logs, no need to reboot. And best of all, no need to re-image.

Think about the time and money that would be saved by eliminating the re-imaging process. I know that in these days of virtual machines the process is not that complicated from a technical point of view, but it is still an intrusion on the user and still uses up valuable people time on the IT staff.

In my time in the security industry, I have found that most CISOs and IT security managers look for ways to move their teams from the defensive, reactive work of fixing problems to the offensive, proactive work of protecting the organization. Eliminating the need to write a remediation for an infected machine and further eliminating the need to re-image the machine would seem to be two pretty good places to recover people time from the reactive side of the ledger.

Tagged: defense in depth, endpoint protection, Endpoint Security, malware, Resolution Manager

The Triumfant 3 Minute Malware Challenge is Not Hype – We Have the Video to Prove It

Jim Ivers — Wed, 29 Apr 2009 16:10:57 +0000

For those of you who may have thought that the Triumfant 3 Minute Malware Challenge at RSA 2009 was hype, the video team from Infoweek/Dark reading came to our booth and recorded Dave Hooks, our CTO, doing the demo. Have a look at http://tinyurl.com/y94sgly

Dave’s set-up was live and he was careful to ensure that Triumfant Resolution Manager was free of any policies or controls that would have given it any prior knowledge of the malware. For this demo he is actually running the server and the client in two different virtual machines on his laptop – not exactly a configuration optimized for speed. Dave clicks on the malware and the date/time stamps on the screen tell the story: 3 minutes from introduction to remediation. He even takes the time to show the effects of the malware such as the disabling of Task Manager to show the machine was in fact infected.

Watch the video and step back for a second. Think of your endpoint machines being attacked. First, you hope that the traditional signature based antivirus on your machine will detect the attack, which if there is no signature Gartner says your chances are 50/50. If your defensive software does see the attack, your security people would get an alert and start to investigate. Before your security people likely open their first screen for analysis, Triumfant has analyzed the attack, built a custom yet completely comprehensive remediation on the fly, and is executing it on the machine to kill the attack and address all of the collateral damage of the attack.

Done. Fixed. No human interaction, no re-imaging.

You however still have to call your A/V vendor, hope that their “A” team is on deck, and get them to write you a new signature and a remediation script. At best, four hours later (I use that time because an AV vendor was positively giddy about a four hour turnaround on a recent web cast) you get back the signature and script. Now you get to send the signature out to the endpoints and then push the script out like a patch. And then you get to start the process of re-imaging any infected machines, because the remediation you received will likely miss changes to the machine that could result in new vulnerabilities. Think about that in the context of the demo.

There is a better way out there. While the established vendors are talking about innovation, an evolved way of detecting and remediating malware is here and it works – in 3 minutes! And now we have the video to prove it.

Tagged: Endpoint Security, perfecting the obsolete, Resolution Manager, RSA Conference 2009

Triumfant Joins McAfee Security Innovation Alliance (SIA) Partner Program

John Prisco — Tue, 21 Apr 2009 17:40:34 +0000

Today Triumfant announced that we are now a part of the McAfee Security Innovation Alliance (SIA) Partner Program. We feel our capabilities to detect and remediate potentially malicious changes to endpoint computers is a perfect complement to the McAfee product portfolio and we are pleased to be working with a company that has such distinguished history in IT security. We are deep into the process of integrating Triumfant Resolution Manager with McAfee ePolicy Orchestrator so customers can administer and view our product from one centralized console.

We have always held that Triumfant is a complement to antivirus software, not a replacement. In fact, our ability to ensure that security configurations are enforced on a daily basis allows McAfee customers to get the maximum protection from their investment. Triumfant continuously checks security configurations and automatically remediates any detected problems so that every computer starts every day properly configured and in the highest possible state of security readiness.

Triumfant’s ability to detect any and all changes to an endpoint machine enables Resolution manager to identify changes that may be markers of malicious activity, providing further endpoint protection. These changes may be the work of a maliciously intended insider or the result of user modifications that unwittingly create vulnerabilities. Either way, Triumfant can detect these changes and restore the machine without human intervention.

It is clear that IT security must begin to look past traditional signature based models to protect endpoint machines against the evolving nature of cyber crime. Triumfant and McAfee represent a well paired merging of traditional and new technologies to provide that protection. As signature based companies continue to acknowledge that they are writing millions of signatures a year, it is becoming readily apparent that the adoption of new technologies like Triumfant is the clear way forward.

Triumfant will be in the McAfee Security Innovation Alliance (SIA) Partner Pavilion at RSA through Thursday, as well as in booth 2535.

Tagged: endpoint protection, Endpoint Security, Resolution Manager, RSA Conference 2009

Triumfant Resolution Manager – Describing the Unique

Jim Ivers — Tue, 24 Mar 2009 11:48:39 +0000

Describing the unique can be a challenge. You see, the human mind prefers reference points when it considers something new. It seeks to immediately compare and categorize the new item with what it already knows. So when something is completely unique and novel, the mind sometimes has trouble grasping it because it either has no worthy comparative for context, or the mind incorrectly attempts to draw false parallels and therefore creates predispositions that often are not true.

Such is the case with Triumfant. Our software, Resolution Manager, is truly unique, and because of that, the things we can do for our customers are equally unique. The depth at which we scan endpoint computers and servers is unprecedented, so our ability to spot changes that may be indicators of potential problems or a malicious attack is equally unprecedented. Because we see all of the changes to a machine at a granular level, we have the unique ability to build a remediation on the fly specific to a given incident for that computer at that point in time. Can other products remediate? Sure. But only if the problem fits the patterns of pre-defined remediations, or if someone builds a remediation script which is then pushed to every machine in the population. No product that I know of builds a surgical, fully reversible remediation on the spot.

So until someone knows how we do what we do, it is often hard to fully appreciate what we can do. How we can see the malicious code that other signature based endpoint security products miss, because we detect the tell-tale indicators at the most granular level. How we can ensure that every machine can start every day compliant and audit ready to any numbers of policies and controls. How customers can expect a 20% to 40% drop in trouble ticket volume because we can spot and fix a problem before it interrupts service.

The beauty of the conversation is that as someone begins to understand the how, they often quickly connect the dots to the what. For example, I can’t tell you how many times experienced IT security people immediately grasp our ability to detect malicious attacks very early into the explanation of the how well before we get to the what part of the conversation.

So forgive us sometimes when we seem to ignore early comparisons with other products or start with descriptions of our technology before jumping into the application and benefits of the product. Sometimes describing the unique takes a slightly different approach.

Tagged: Endpoint Security, Resolution Manager