It’s late Monday morning when your computer security department notices that a suspicious message has been emailed to most of the email addresses at your company. It contains a malicious PDF that exploits a new vulnerability that came out over the weekend. The patch hasn’t been applied to the company workstations yet, and it’s too little, too late by the time the email goes out telling everyone not to click on the links.
By the time inboxes are scrubbed and most of the infections have been catalogued it’s clear that this is going to be a security nightmare, since a few dozen machines have been compromised. The attack will take a week or more to fix as desktops are reloaded, servers are checked for more intrusions, and any data losses are reported to the proper authorities.
This is how computer security has been operating at most corporations for a decade. Now enter the world of Secure Configuration and Change Management, or SCCM. SCCM can take the infection turnaround time from days and weeks to minutes or hours, and one of the products leading the charge is Triumfant.
Triumfant’s Configuration and Change Management Tool is an almost completely self-sufficent heuristic scanning software algorithm that manages to neatly sidestep some of the problems with traditional heuristic detection using a combination of patented intellectual property and a gradually changing baseline scanner that is able to move with an IT environment instead of against it.
In a Triumfant environment, baseline behaviors are scanned in groups weekly. These weekly scans are then compared against nightly aggregations of endpoint scans. The nightly aggregations are in turn made up of changes tracked by the user-agent on the endpoint. By comparing gradual baselines within user-defined groups, Triumfant is better able to understand what is and isn’t anomalous, thereby eliminating false positives and negatives.
How are anomalies detected?
The agent on the endpoint hashes all of the files on the hard disk with a cryptographic algorithm, generating a fingerprint for each file. If a file is changed, then the hash will change, signaling a need to compare the old and new versions. The endpoint agent then performs change detection sweeps, comparing hashes of older scans against the MD5 hashes of the current scan. When something changes, a flag is raised and an entry is made in a local change database. The agent also scans a list of over 3000 metrics (such as registry settings) that determine the behavior of the computer.
Every minute, the client makes a connection request to the Triumfant server. If the server responds with a request for the list of recent changes (which it does by default every night) the list is uploaded. All databases and lists are encrypted and signed.
When a rouge application, malware, or an unauthorized user make changes in the system registry, adds files to the hard drive, or modifies critical files in system directories, the endpoint client detects these changes and adds them to a behavior profile. If the behavior is deemed to be malicious, Triumfant flags it as a rouge application and gathers the related system events and changes up into a single, coherent event and prepares them for reversal in remediation. No white- or black-listing is used in this technique, meaning that the server does not need to be constantly updated with new profiles or lists, other than Microsoft windows update signatures, which are used to help determine the patch status of a machine.
Once an undesirable change or application has been discovered, and cataloged, it is presented to an administrator via the Triumfant web interface. The web interface is a highly customisable AJAX application that allows for the creation of new views, reports with charts and graphics, users with different groups and permissions, and the ability to remediate issues with only a few simple clicks.
Simply click on the problem, then click on the remediation button in the left-hand corner. The remediation will be performed automatically by the tool, then put into the list of remediated issues automatically. If for some reason the remediation cant be performed, then it is placed in the “unsuccessful remediation” category. Unsuccessful remediations are not commonplace. Even if important system files are deleted or corrupted, computers in the same group are able to copy files for other group members to use, provided that the hash values matched before corruption or deletion.
Taking it further:
Triumfant has extrapolated on their heuristic detection and automatic remedition because the scanning technology behind it can do so much more. Triumfant scans over 3000 parameters for use in their tool, and it collects this data inside of a large, highly-opimised database, allowing it to be easily used for other applications, such as compliance testing.
Inside of the Triumfant server tool, administrators can import SCAP files to use as templates in compliance testing. Once Triumfant has scanned it’s member computers and determined that they are outside of compliance, the template will be used to build remediations against whatever parameters are out of alignment with the SCAP specifications.
Triumfant can also take the data from its database and insert it into a variety of third-party applications with which it has integration, including ePO and the Remedy ticketing system for high cohesion with existing software. Triumfant has custom-built integration for custom ticketing and tracking systems as well.
Past and Present:
Due to the problems associated with heuristic detection, most CCM software has not seen deep market penetration. Triumfant’s tool has been around for some time, having been fire tested at the pentagon for almost 4 years now, while the company has been around since 2002.
In the next few months, Triumfant will be debuting an updated version of their tool that is able to perform all of it’s functions on Macs as well as Windows computers. By the end of the year a Unix or Unix-variant (Linux, BSD, Solaris) should be out, followed by smartphone variations.
Tools such as Triumfant may very well become the future of computer security configuration management over the next few years. Tools like those provided by Triumfant offer ease of use without sacrificing security, bringing thousand-system compliance requirements into the reach of even small IT security departments. It’s ability to remediate nasty infections (like rootkits) give it a leg up on many anti-virus vendors which must release signatures, patches, and fixes and which will forever lag behind heuristic detection technology.