The integration of Triumfant with the Security Content Automation Protocol (SCAP) goes well beyond NIST SCAP Federal Desktop Core Configuration (FDCC) certification. Triumfant has fully integrated the SCAP guidelines and specifications into the Resolution Manager platform and the unique capabilities of Triumfant represent significant steps forward in adopting the philosophies of SCAP.
Triumfant Resolution Manager fully supports the use of Open Vulnerability and Assessment Language (OVAL) to accept SCAP compatible checklists written in the eXtensible Configuration Checklist Description Format (XCCDF). These checklists can originate from the National Checklist Program (NCP) or from checklists created internally. Triumfant stores the contents of each valid OVAL file in the system database and this content can be viewed from the Administrative console along with other relevant information such as the date generated, date imported, and schema version. OVAL based assessments can be scheduled to execute daily, enabling continuous monitoring of compliance. The results from each assessment are automatically collected and combined with the information in the appropriate XCCDF profile to produce compliance reports. The reports can be arranged to display results by computer or by rule ID and can display all rules that were evaluated or only those that were non-compliant.
Triumfant leverages the SCAP Common Configuration Enumeration (CCE) to identify and describe configuration items when applicable. CCE data is visible from the product user interface and included in various report formats allowing reports to be constructed based on a single CCE, a selection of CCEs, or all of the CCEs for a group of computers. Triumfant also supports the the Common Platform Enumeration (CPE) naming scheme. The SCAP data stream includes CPE naming data that is evaluated prior to the execution of a benchmark to determine if the benchmark being applied is appropriate for the target computer.
Triumfant is integrated with the SCAP National Vulnerability Database (NVD) to drive continuous monitoring of endpoint vulnerabilities using the Common Vulnerability Scoring System (CVSS). The integration with the NVD uses web links that provide Triumfant real-time access to the CVSS information including CVSS vectors and CVSS base scores. Triumfant integrates the CVSS data into the ongoing scanning process for each endpoint that uses a flat scoring model compatible with CVSS. The resulting data is presented in actionable that shows the benchmark scores for each machine and provides details into the discovered vulnerabilities. Using this information, agencies and organizations can quickly identify vulnerabilities caused by missing or mismatched patches and close those vulnerabilities via the appropriate patch management process.
For a complete discussion of how Triumfant does SCAP Vulnerability Scanning, refer to the Triumfant White Paper Using Triumfant for SCAP Vulnerability Scanning
Security Automation Realized
SCAP is a broader roadmap toward automating the process of securing endpoint machines and enforcing configurations and policies. Specifically, SCAP seeks to move from static verifications of security checklists to an automated, continuous, and contextual process. Triumfant is uniquely capable of helping drive the three fundamental shifts needed to realize security automation:
Manual to Automated Processes. Only Triumfant can demonstrate the complete automation of the detect-analyze-act cycle. Traditional endpoint security products automate the detect activities, but as you move through analysis and ultimately action (remediation), manual intervention by specialized security personnel is required. In regards to analysis, most products only see events in the context of the affected machine, and further analysis becomes a manual process. In regards to action, remediations are performed manually and require some form of script to be written by either a vendor or in-house security staff. Triumfant uses our Adaptive Reference Model to analyze events in the context of the broader endpoint population and group changes into broader events. Triumfant builds a comprehensive remediation that fixes the malicious code and all the collateral damage of the attack. This remediation is written automatically, and is applied to the affected machine without interaction from the user, without the need for rebooting, and without the need to re-image. No manual labor is required to complete the analysis, write a script, distribute the script, or re-image the machine.
Periodic to Continuous Activities. Triumfant continuously enforces policies and configurations by monitoring endpoint machines, using detected changes at the granular level to trigger analysis and building a remediation to return the machine to compliance. The result is every machine, every day compliance to configurations and policies we call Persistent Security Readiness. We extend this continuous enforcement by integrating the SCAP National Vulnerability Database (NVD) to scan each machine for vulnerabilities and detail the patches required to eliminate those vulnerabilities. The scan for malicious attacks cycles approximately every 30 seconds, And any indicators of malicious activity are immediately analyzed. As a result, time from infection to remediation is normally five minutes or less. Triumfant scans machines even when they are not connected to the network, and will address any detected problems the next time the machine is reconnected.
Global to Contextual Requirements. Triumfant turns the normal contextual orientation of traditional endpoint protection tools a complete 180 degrees. Traditional tools can only view a malicious attack in the context of the affected machine and do not see the significant collateral damage that may be associated with an attack. Remediation is only implemented by applying one-size-fits-all generic remediations (if one exists) that only address the offending executable. Triumfant views attacks in the context of the broader endpoint population, eliminating false positives and using the unique context of our patented analytics to fully assess the damage to the machine and its impact. Triumfant builds a remediation on the fly that is specific, contextual, and situational - addressing the offending executable and all of the collateral damage including altered configuration settings, open ports and secondary payloads. Only Triumfant is empowered with the contextual information needed to fully remediate a machine in the complete perspective of the attack and the specific needs of the attacked machine. Best of all, Triumfant requires no prior knowledge of the attack, so this applies to zero day and targeted attacks.