Triumfant Earns GCN Reviewer’s Choice in Endpoint Security Software Suite Review

August 11, 2009

For an emerging company like Triumfant, building your reputation is a deliberate process accomplished brick by hard-earned brick.  I am proud to say we recently added a great new brick in our reputational wall with a very positive review in Government Computer News where we earned a Reviewer’s Choice in a review of security software suites on the endpoint.  Specifically we “earned an A+ by far exceeding the other products in its ability to detect and remediate malware” which is precisely the goal of our product.

This review came on the heels of what I believe to be a generally positive review of Triumfant Resolution Manager by Paul Roberts of the 451 Group.  I have a lot of respect for Paul and his knowledge of the industry and have always found the folks at 451 to be smart and extremely fair.  Paul took a lot of time to research our offering and approach to malware detection, and his review captured what we do and the value of our capabilities very well.  For those of you who cast a cynical eye on industry analysts as pay-for-play, I would point out that Triumfant was not a 451 customer at the time Paul wrote his research, which underscores the fairness and integrity of Paul and the 451 Group.  If you are a customer of the 451, I invite you to access Paul’s through your organization’s subscription.

When you are fighting for credibility, it is critical that the market sees you through the eyes of the press and the analysts in order to add credibility to your story.  Ultimately, customer success stories are the best bricks in the credibility wall, but those are also amassed over time and I am quite confident we will soon have some stellar customer stories to tell. 

But in the meantime, I think Triumfant is beginning to make a pretty solid case with what is now available from the analysts and the press.  Richard Stiennon referenced Triumfant as a “Best of Show for RSA 2009”.  Eric Ogren of the Ogren Group posted a review of our offering in June.  An article in Government Computer News described how Triumfant is one of the innovators looking past signatures for malware detection.  The Worldwide Signature Counter has provoked some interesting conversations about the diminishing viability of signature based technologies for endpoint protection.

If you have not taken the time to get more details on what we can do and how we do it, we will be happy to walk you through our technology and show you a demo of our real-time malware detection and remediation actually detecting, analyzing and ultimately deleting live malware such as rootkits and other pretty nasty malware.  Because here is another reputational brick that you just have to take at my word: every time we demonstrate our product we get very positive feedback.  And no one – prospects, analysts, or press – has said that they have seen another product that does what we do.  Could be 30 minutes of time very well spent. And who knows, you could end up being one of those great customer success stories.


Rating Endpoint Protection Platforms – Who is Best at Perfecting the Obsolete

May 7, 2009

Given the mountain of evidence at the inability of traditional, signature based defensive software to keep up with the geometric growth in volume and complexity of attacks, any evaluation of signature based tools strikes me somewhat as a Consumer Reports evaluation of standard definition, analog televisions.  In other words, which vendor is excelling at perfecting the obsolete.  

The Magic Quadrant for Endpoint Protection Platforms was released by Gartner on May 4.  I am not saying that this report serves no purpose – I understand that organizations need to know which one of these suites offers them the best protection, even if that protection erodes by the moment.  For at least the near term, you will need the defensive software such as the software covered in this research, and Gartner does an excellent job of evaluating the offerings to ensure that you get the most out of your investment. 

This is also not a rant by a vendor with hurt feelings of where their dot was placed on the quadrant.  Triumfant is not part of this research, as we don’t pass the basic requirements of having a personal firewall and antivirus capability in our offering.  We knew that before the research was done and we do not position ourselves as an end-to-end suite and we have no issues with the research or the results.  To reiterate, we have never positioned ourselves as a replacement for antivirus software, but as a complement and extension and as such we are partners with some of the vendors on the magic quadrant.

If you are a Gartner customer, you owe it to yourself to read the market overview at the beginning of the report.  It notes that the ability of signature based technologies – antivirus, heuristics and HIPS – is “declining” and that Gartner clients have seen increases in infection rates in 2008 and the first parts of 2009.  I will keep myself out of trouble and let you interpret these remarks for yourselves, but I think there is plenty of information between the lines.

Our CEO, John Prisco hit the nail on the head in his RSA Keynote from the Outer Aisles when he said that organizations need to look outside of the “usual suspects” for innovation.   My hats are off to the vendors on this quadrant because I have spent more than a little bit of energy in my time trying to move my dot into the top right of such research. But many of these companies are the ones promising innovation rather than delivering at the moment, and customers owe it to themselves to look beyond the vendors on this report for alternative approaches to detecting and remediating malware.

When it is your data, your endpoints, your company’s reputation, the word “declining” should send a shiver down your spine.  And to play out the analog television analogy, don’t look toward the usual suspects to help you “bridge the gap” that Gartner points out in the study.  You may end up with a really high end VHS deck to go with that analog television.


An RSA Keynote from the Outer Aisles – Demand Disruption

May 4, 2009

When you are located on the third row of demo booths from the side walls at RSA, suffice it to say, you are not asked to deliver a keynote.  But after the show I have spent some time thinking of what I would have said if I had been given that chance.  Best of all, I will be brief.  So here is a summary:

With all due respect to these distinguished speakers, I would challenge them to walk toward either wall on the exhibit floor and see that there are small, innovative companies that have already solved or are 95% of the way toward solving these problems.  The change that must happen for the market to move forward must come in the attitudes of the larger vendors and the expectations of the users of security products. 

You see, the larger vendors, particularly the ones with signature based technologies, have a lot riding on the continued use of signature based tools.  They have built large infrastructures that feed the beast they have created, positioning armies of people around the world to try and run in front of the avalanche of new attacks that are growing in volume and complexity at an alarming rate.  The admission by Symantec that they had to create 1.6M signatures in 2008 should be a terrifying revelation to users.  So should the fact that this reflected a growth rate of 254% year over year and was 160% more than the total number of combined signatures in 2007 (1M).

But stepping away from signatures means the fundamental disruption of an ecosystem that has arisen to feed the signature beast, which could put the revenue of some of these companies in danger if they cannot bring an innovative alternative to market.  So while they may speak of innovation, they may in fact have a vested interest in the status quo.  We have gone to calling this process “perfecting the obsolete”.  Many of these companies share a not-invented-here bias or continue to tell their customers that they have alternative solutions that fill the gaps.  But the numbers say otherwise as does their response when they see the capabilities of products like Triumfant Resolution Manager. 

I don’t want to paint all of the market leaders with the same brush as some of the large companies are stepping out and putting real action behind their promises.  As you may know, we announced at RSA that we have joined the McAfee Security Innovation Alliance, and actually were in McAfee’s partner pavilion.  We are pleased that McAfee has taken the time to learn about what Triumfant can offer and sees complementary capabilities.  In speaking with their people, I get a real sense that they know the market has to evolve, and they are looking inside and outside of McAfee to bring to market a solution that provides their customers with an innovative and evolved offering.  But others seem content only to make promises yet simply deliver more of the same.

Make no mistake; promises are frequently a blocking technique to keep customers from looking elsewhere for innovation. All the promises in the world cannot hide the fact that the innovation has already been realized on the outer aisles of RSA. And not just realized, but available on the market as working viable products, with Triumfant just one proof point.  Today, Triumfant can demonstrate the ability to detect, analyze and remediate a malicious attack without a signature, prior knowledge of the attack, or human intervention in three minutes (view a video demonstration here).  No calls to the vendor to get a script or signature written, no need to push a new signature to the endpoints, no bloated agent with scores of pre-written remediations that may or may not fit the situation, no need to re-image the infected machine.  Three minutes – not four hours or, more likely, days or weeks.  Not a promise, but a reality we are willing to install at a customer site and let them see for themselves in their own environment.

The blame cannot rest completely with the vendors.  Customers bear a responsibility to facilitate the necessary disruption of the security market and should be outraged that the protection of their corporate IT assets is contingent on 15- to 20-year old technologies such as signatures and firewalls.  Organizations allow themselves to enjoy a false sense of security as long as they are not the ones targeted, when in fact they may be under massive and costly attacks now that they have not yet detected because their defensive software misses such attacks at a rate of fifty percent or higher.   Fifty percent is not my number, but Gartner’s, and you can find reputable studies that show a bigger number when looking at the percent of attacks that evade traditional signature based software when there is no known signature.  The fact that customers will accept such a rate of failure means that businesses and government agencies are, at a minimum, an enabling partner in the lack of innovation.  Markets evolve when users demand that they evolve.  It is time to start demanding.

Customers must also not be a slave to old thinking or rely on the large vendors to define their expectation.  For example, one pushback we get is the need to run an agent to use our software.  But open minded customers see that in fact Triumfant can do the work of a security configuration management tool, a whitelist/blacklist tool, an FDCC compliance tool, and even perform endpoint power management – all with one agent and one console.  With a little up-front discomfort to unplug some point solutions, an organization could add the one-of-a-kind capabilities of Triumfant and eliminate some agents.  Don’t let the big boys talk you out of some disruptive change.

In closing, I urge the market to return to the days when we worried less about protecting established ecosystems and concentrated on making customers safer and more secure.  I urge customers to not accept more of the same.  It is your data and your organizational reputation that stands in the balance and you should not accept fifty percent failure rates when the stakes are so very high.  This market has always been about keeping pace with the evolution of cyber crime.  Customers must put pressure on trusted vendors to integrate new technologies, even if they are invented elsewhere.

I fear that we have let hubris give the bad guys too much of an edge while we make promises and proclamations without real progress.   There is innovation out there that can make up lost ground, and the market must accept disruption to move forward. Customers must demand that this disruption happen and happen now.


The Triumfant 3 Minute Malware Challenge is Not Hype – We Have the Video to Prove It

April 29, 2009

For those of you who may have thought that the Triumfant 3 Minute Malware Challenge at RSA 2009 was hype, the video team from Infoweek/Dark Reading came to our booth and recorded Dave Hooks, our CTO, doing the demo.  Have a look at http://tinyurl.com/y94sgly

Dave’s set-up was live and he was careful to ensure that Triumfant Resolution Manager was free of any policies or controls that would have given it any prior knowledge of the malware.  For this demo he is actually running the server and the client in two different virtual machines on his laptop – not exactly a configuration optimized for speed.  Dave clicks on the malware and the date/time stamps on the screen tell the story: 3 minutes from introduction to remediation.  He even takes the time to show the effects of the malware such as the disabling of Task Manager to show the machine was in fact infected.

Watch the video and step back for a second.   Think of your endpoint machines being attacked.  First, you hope that the traditional signature based antivirus on your machine will detect the attack, which if there is no signature Gartner says your chances are 50/50.  If your defensive software does see the attack, your security people would get an alert and start to investigate.   Before your security people likely open their first screen for analysis, Triumfant has analyzed the attack, built a custom yet completely comprehensive remediation on the fly, and is executing it on the machine to kill the attack and address all of the collateral damage of the attack. 

Done.  Fixed.  No human interaction, no re-imaging.

You however still have to call your A/V vendor, hope that their “A” team is on deck, and get them to write you a new signature and a remediation script.  At best, four hours later (I use that time because an AV vendor was positively giddy about a four hour turnaround on a recent web cast) you get back the signature and script.  Now you get to send the signature out to the endpoints and then push the script out like a patch.  And then you get to start the process of re-imaging any infected machines, because the remediation you received will likely miss changes to the machine that could result in new vulnerabilities. Think about that in the context of the demo. 

There is a better way out there.  While the established vendors are talking about innovation, an evolved way of detecting and remediating malware is here and it works – in 3 minutes!  And now we have the video to prove it. 


Perfecting the Obsolete, Part 3 – Customers Need to Demand “That”

April 28, 2009

For some of the Triumfant team, 2009 was their first RSA experience.  To a person, each remarked to me that when they listened to the pitches by other vendors, they had the same observation: “everyone says that they can do what we do”.   Welcome to RSA, where the innovation was thin but the claims are thick and confusing.  

Such confusing claims are a fundamental component of what I call perfecting the obsolete – the IT security market continuing to push signature based malware detection software on the market in spite of overwhelming evidence that the technology is no longer sustainable. Spackling the cracks in the signature façade with some heuristics or behavioral analysis was a common method used to give the appearance of evolution, but customers need to dig deeper to get the full story.  

Many of the traditional signature based vendors have shown interest in our offering and most came by our booth for a demo during the show.  Just to be clear, these are not marketing or business development folks, they are often technical people or product managers.  In initial conversations when they get a high level overview of our product, they will tell me that they have tools that can detect the malware that evades their signature based software, including zero day attacks.  Many say they can do remediations of such attacks.  That is before they either see the Triumfant product or get a more detailed description. The common reply: “well, we don’t do that”.

But the “that” is precisely what is needed: the ability to detect, analyze and remediate malicious attacks in real-time without the need for a signature or any other previous knowledge of the attack.  Without the need for human intervention or a call to the vendor for an emergency signature.  Until these vendors can do that instead of just saying they do, then there is a critical gap in endpoint protection.  And detection is no longer enough – they must also be able to immediately remediate a machine when it is attacked without the need for human intervention to do the analysis and write a script.

And that is exactly what the customers should not only expect, but demand. After stepping back from RSA for several days and thinking through the entire scene, I have to put some of the blame on the IT security professionals in the companies and government agencies that use these products.  Because the security companies will continue to say they address the obvious gaps in endpoint protection as long as the buyers in the market continue to accept obvious obfuscations as truth.  Everyone perpetuates the ecosystem that has been created – the vendors, the hackers, and yes, even the customers.  Because the customers will live in blissful denial that they are secure right up until the point they end up on the front page of the Wall Street Journal as being the victim of a major breach.

As long as the IT security ecosystem exists undisturbed, we will continue to see more of the same.  The ultimate power to disrupt the ecosystem is with the customers, who vote with their budgets to demand more from the market.  Given what little innovation we saw at RSA, it is time for business and government agencies to exercise that right.


Stiennon’s Best of Show for RSA 2009 and Extending the 3 Minute Malware Challenge

April 27, 2009

The ability for Triumfant to detect and remediate malicious attacks has gotten a lot of attention, particularly since RSA.  I just received word this morning that Richard Stiennon selected us for one of his Best of Show awards for RSA 2009.  It was fun to see someone of Richard’s reputation and experience see the product demonstration and get his feedback.

If you read his summary Richard says: “They give a great demo”.  That is because Triumfant is really different from any other product on the market, and no matter how much we talk, PowerPoint, or wave our hands, nothing replaces seeing it in action.  We created what we called the 3 minute malware challenge at our RSA booth to invite people to really see about how we can detect and remediate malware with no signatures first hand.

It is also thought provoking to see that there is technology available that can address the signature problem that the entire industry seems willing to ignore.  In a show where “more of the same” seemed to rule, there are companies not content with perfecting the obsolete and not trying to pass off signature based technology as a sustainable method for malware detection.

Missed RSA or was at RSA and could not get by our booth?  We would be more than happy to show you that very same demo via a web based meeting at your convenience.  In fact, I think you owe it to yourself to see Triumfant first hand.  It won’t take long, and I can promise you that if we have not gotten your attention in 10 minutes we will set you free.  Who knows – it may be the most important 10 minutes you will spend in regards to protecting your endpoint computers.  It will certainly provoke some interesting thinking about where malware detection and remediation is going in the future.  You can email me directly and I will set up a demo for you.


Some Quick Thoughts and Random Musings from RSA

April 23, 2009

Some quick thoughts from RSA:

Dave Hooks, our CTO, likely did 50 demos of our product in two days at the show.  He was literally introducing malware to his machine and Triumfant would dutifully detect it, analyze it, and remediate it.  It was great fun to watch the reaction of people as they saw the entire process roll across the screen.  The funny thing was that it does such a great job of remediation, there is near-zero reset of the computer to run the demo again.  My guess is at the rate Dave was going, he could identify and stop an attack 20 times in the same time it would have taken an organization to get a signature back from a traditional anti-virus company.  And all Dave was doing was showing the console and opening windows, as all of the work was done without human intervention.  My thanks to Dave – he worked non-stop without complaint.  But of course, he never gets tired of showing off what he has created.

We spoke to a lot of other vendors – isn’t that what RSA is for – who were very interested in the synergies between their products and Triumfant.  With all due respect to those folks, many walked in convinced that they did most if not all of what we do.  Without one exception, all left 10 minutes later with a completely different impression.  I am a bit of a student of body language and it was interesting to watch the changes in posture and the rapidly increasing blink rates as Dave did his demo.  The bottom line is that lots of people claim they do what we do, but I have not found anyone who is immersed in the industry that can show me a product that actually does.  Until someone does, then I will stand by my claim that Triumfant is truly unique in what it does and how it does it.  I will be happy to set up a 10 minute webex demo for you if you want to see for yourself.

While at the McAfee party last night I ran into the super smart guys that write the Verizon Business Breach Investigations Report for 2009.  We caught up a bit and then they asked me about Triumfant.  When I was done they laughed and reminded me that one of their recommendations at the end of the report was to find a way to look for anomalous behaviors.   Like I said – smart guys. 

Yesterday was a long and really busy day at the show.  Unlike my memories of past RSA shows where traffic drops off on Wednesday, yesterday was a constant stream of people at the booth.  Throw in press and analyst briefings, a presentation in the McAfee partner pavilion, the Greylock reception and the Bloggers Meet-up and I was really running on empty by the time I got to the McAfee party.   But seeing the Triumfant logo on the wall every 90 seconds at the party was all the adrenaline I needed to have a good time at the party.

My thanks to the organizers of the RSA Bloggers Meet-up for letting me in at the last minute.  Cool place and a lively crew.

This show has been an education for me in a lot of ways. In particular, I had to do all of the logistic work to order and set up our booth.   I always had the nagging doubt I forgot something and now I know without doubt what that is: carpet padding.   My feet are killing me.   Next time I do this, I can assure you that carpet padding will be the first thing I order.

Off to the floor for the last day of exhibits.


The IT Security Ecosystem – Time for Some Constructive Disruption

April 22, 2009

In a quiet moment in the middle of what was an exceptionally busy day yesterday I took the opportunity to walk through the length of the RSA exhibit hall.  And that is when it really hit me: when you are at RSA you are looking into a fascinating ecosystem.  One that has good guys and bad guys, successes and failures, established upper class and driven climbers.  And it is an ecosystem that is self-sustaining, with the ultimate irony being that the bad guys the ecosystem was created to protect us against are the fuel that keeps the whole system running.  And I would add that it is an ecosystem that no one seems to want to disturb, even if it may no longer be serving the best interests of the IT security user.

It all started with Microsoft and the proliferation of computers on the endpoint. This created an industry of people who looked to penetrate these machines.  At first, these attacks were just relatively disruptive, but it has evolved into serious, financially driven cyber crime.   As a result, an industry of defensive software was built on the notion that a hashed signature of maliciously intended software would protect our endpoint machines. 

This in turn started an interesting game of cat and mouse, as hackers sought new vulnerabilities and ways to evade this new defensive software.  Microsoft and other development shops fed the game by releasing software with plenty of vulnerabilities to exploit, complete with a strange new ritual called Patch Tuesday to discuss these vulnerabilities in a large ongoing public forum.   The bad guys of course leapt upon these vulnerabilities, which created new attacks that had to be addressed by new signatures.  

Rinse, repeat.

Lots of defensive software gets sold, lots of people make money (good and bad guys), and the ecosystem grows and flourishes.  And for those for whom the system presents a lucrative living, there is very little motivation to interrupt the system.  (As a disclaimer, the IT Security industry has been the revenue source by which I pay my mortgage for some time, so I guess I am part of the ecosystem.)  Even the customers served by the system are content to leave it the way it is and live under a perception of false security, even when the statistics tell a different story.  Because as long as they are not the ones targeted by these attacks (as far as they know), they prefer to feel secure rather than see that the system is in fact flawed.

The statistics are everywhere, so I won’t grind through them again.  Signature-based defensive software is simply no longer sustainable, and in spite of the flourishing ecosystem, more data was lost last year than the previous four years combined according to the Verizon Business 2009 Data Breach Investigations Report.  The neatly constructed ecosystem is unraveling like a cheap sweater and all of the flash and glitz and messaging on display at RSA cannot change that fact.

To be clear, I am not accusing IT security companies of something evil, premeditated, or contrived.  These companies are full of bright, thoughtful and innovative people who by and large have a passion for security.  And Microsoft is no evil Darth Vader. You don’t ever set out to build a comfortably numb ecosystem like we have today, it happens over time in a way that is gradual and is established before you know you are even in it.

We are at a crossroads.  Only time will tell if the industry is willing to make the necessary change constructively or if it will be dragged kicking and screaming because the customers eventually decided that, happy ecosystem or not, they are not being served.  Either way, it will likely be a very eventful 3-5 years for IT security.


Triumfant Joins McAfee Security Innovation Alliance (SIA) Partner Program

April 21, 2009

Today Triumfant announced that we are now a part of the McAfee Security Innovation Alliance (SIA) Partner Program.  We feel our capabilities to detect and remediate potentially malicious changes to endpoint computers are a perfect complement to the McAfee product portfolio and we are pleased to be working with a company that has such a distinguished history in IT security.  We are deep into the process of integrating Triumfant Resolution Manager with McAfee ePolicy Orchestrator so customers can administer and view our product from one centralized console.

We have always held that Triumfant is a complement to antivirus software, not a replacement.  In fact, our ability to ensure that security configurations are enforced on a daily basis allows McAfee customers to get the maximum protection from their investment.  Triumfant continuously checks security configurations and automatically remediates any detected problems so that every computer starts every day properly configured and in the highest possible state of security readiness. 

Triumfant’s ability to detect any and all changes to an endpoint machine enables Resolution Manager to identify changes that may be markers of malicious activity, providing further endpoint protection.  These changes may be the work of a maliciously intended insider or the result of user modifications that unwittingly create vulnerabilities.  Either way, Triumfant can detect these changes and restore the machine without human intervention.

It is clear that IT security must begin to look past traditional signature based models to protect endpoint machines against the evolving nature of cyber crime.  Triumfant and McAfee represent a well paired merging of traditional and new technologies to provide that protection.  As signature based companies continue to acknowledge that they are writing millions of signatures a year, it is becoming readily apparent that the adoption of new technologies like Triumfant is the clear way forward.

Triumfant will be in the McAfee Security Innovation Alliance (SIA) Partner Pavilion at RSA through Thursday, as well as in booth 2535.


RSA Conference 2009 and the Triumfant 3 Minute Malware Challenge

April 20, 2009

At RSA Conference 2009 Triumfant will be demonstrating its ability to detect and remove all remnants of a malware infection within three minutes without the need for virus signatures, previous knowledge of the malicious code or human intervention. We call this the “3 Minute Malware Challenge” and it is designed to highlight that Triumfant really is a new and innovative approach to malware detection and remediation.

With our product release last week (4/14) Triumfant brought real-time detection and advanced remediation to the market. Triumfant Resolution Manager is able to identify and remove malware, reset any changes made by the infection and return the machine to its original state within a matter of minutes. While I am admittedly biased, it may be one of the truly groundbreaking innovations at the show.

Why is it innovative? Unlike traditional signature based anti-malware solutions, Triumfant:

- Uses no signatures
- Needs no previous knowledge of the malware or its variants
- Requires no human intervention – not even from virus researchers
- Remediates all collateral damage to a machine, eliminating the need for re-imaging

We will be at booth 2535. We invite you to come by and see the demonstration yourself. If you think all of this is too good to be true, you would not be the first, so we have plenty of practice at proving our abilities to the skeptical. I will guarantee you this much – you will not see another product like it on the floor.

So come by and see us. No gimmicks, no flashing bouncing balls or other giveaways, and certainly not an expensive and elaborate booth. But what you may see is the future of malicious detection and remediation, and certainly a product that will make you re-think how you are protecting your endpoint machines.