

Triumfant Resolution Manager

A Close Look at Triumfant's Patented, Innovative Technology

Triumfant represents a unique approach to detecting malicious attacks, using comprehensive, continuous monitoring and patented analytics to detect malicious attacks and other compromises to endpoint machines and servers. Triumfant’s architecture couples agent-based precision with server-based analysis that leverages the context of the machine population to ensure accuracy and eliminate false positives. Triumfant adds a unique remediation capability so detected attacks can be stopped and the damage repaired to eliminate further risk and minimize interruption.

See the many solutions enabled through Triumfant Resolution Manager

Agent-Level Precision

Because Resolution Manager does not rely on prior knowledge, it must take an “Assume Nothing, Scan Everything” approach, which translates to continuous monitoring of over 500,000 state attributes per machine:

• Registry keys
• MD5 hash of every file
• Processes
• Services
• Event Logs
• Security Settings
• Hardware Attributes
• Open Ports
• Performance Metrics

The Triumfant agent is the perfect balance of performance and precision, performing its scanning with minimal intrusion on the host machine. Once the agent has made a complete scan of the machine, it then looks for changes in the state attributes and captures those changes for analysis by the server. Using change-data-capture further ensures efficiency and minimizes impact to the host machine and the network.

By default the agent sends changes to the server once per day for analysis, but it also employs a real-time scan that looks for specific changes that malware frequently employs, such as autostart mechanisms. Encountering one of these markers of malicious activity immediately triggers contact with the server to start the analytic process, enabling real-time analysis of attacks.

Server-based Analysis in Context

The analysis of detected changes is done on the Resolution Manager Server. Accurately analyzing change is complex, and performing the analysis on the server protects the performance of the host machine. More importantly, it enables Triumfant to analyze changes in the context of the broader machine population. This context is a key differentiator of Resolution Manager - while most tools perform analysis only in the context of the affected machine, Triumfant’s analytics evaluate change against the learned context of the machine population.

Triumfant uniquely learns about the distinct profile of each organization and adapts its analytical process to that profile. Resolution Manager’s analytics apply sophisticated grouping, correlation and pattern matching algorithms to the collected attribute data to create a normative baseline for the endpoint population. This context continuously learns and evolves as the organization’s endpoint population evolves.

Detecting the Attacks that Evade Other Protections

As changes are detected by the agent and sent to the server, the analytics leverage the learned context to identify those changes that are anomalous and potentially malicious. The analytics employ sophisticated algorithms and correlation functions to group changes into broader incidents and identify the full extent of the damage done to the machine. The analytics may send information to the agent to leverage a wide variety of correlation routines that further identify changes related to the attack.

The result is a comprehensive and detailed analysis of every attribute affected by the attack – registry keys, files, services, processes and ports. Triumfant sees all of the collateral damage done to the machine and will identify secondary payloads and other components of dynamic targeted exploits. Within minutes of the infection, Triumfant returns a wealth of information about the attack that would take experienced analysts hours or days to prepare.

Real-time Remediation

The story does not stop at detection, as Triumfant leverages its detailed, complete knowledge of the changes on the affected machine to build a situational, surgical and comprehensive remediation for each detected attack. While other tools may only kill the malicious executable, they may leave a potential host of changes that can compromise the machine and make it vulnerable to further attack. Only Resolution Manager builds a comprehensive remediation to stop the malicious executable and repair all of the associated damage to the machine. Open ports are closed, modified configuration settings are restored, and registry entries are repaired, eliminating the costly process of re-imaging the machine. Resolution Manager can detect, analyze and remediate an attack in minutes, drastically reducing the time from detection to remediation.

Automating remediation is not trivial, so this capability represents a fundamental change in IT security. One attack may change hundreds of registry entries, add or alter multiple files, open a port, change configuration settings, and corrupt system calls. Remediating today's malicious attack requires sophisticated counter-measures such as ejecting rootkits, neutralizing watchdog processes, uncloaking hidden processes, and identifying randomly named executables. Generic remediation approaches such as pre-written scripts can't handle this complexity.

The other challenge of remediation is replacing missing or corrupted attributes. Here again the unique context of Triumfant’s analytics enables Resolution Manager to address this challenge through a patented process called Donor Technology. Triumfant leverages the context to identify machines that have the appropriate profile to be used as a donor to provide the attributes needed for remediation. The donor process is fully automated, effectively eliminating the need for IT intervention.
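The population-context scoring described under "Detecting the Attacks that Evade Other Protections" and the donor selection described above, as an added illustration that is not Triumfant's code: a constructed population of four machines, a constructed change set for one of them, and hypothetical hostnames, hashes and registry paths. The rarity threshold, the autostart prefixes used as real-time triggers, and the use of the OS attribute as the donor profile are all assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample population (hypothetical hosts, hashes and keys, not Triumfant data):
# each machine maps attribute names to last-known values, a stand-in for the agent's full scan.
POPULATION = {
    "ws-01": {"os": "win7", "file:svchost.exe": "md5-a1", "reg:Run\\Updater": "updater.exe", "svc:AV": "running"},
    "ws-02": {"os": "win7", "file:svchost.exe": "md5-a1", "reg:Run\\Updater": "updater.exe", "svc:AV": "running"},
    "ws-03": {"os": "win7", "file:svchost.exe": "md5-a1", "reg:Run\\Updater": "updater.exe", "svc:AV": "running"},
    "srv-01": {"os": "win2008", "file:svchost.exe": "md5-b7", "svc:AV": "running"},
}
# Constructed change set the ws-01 agent would upload after its scan.
CHANGES_WS01 = {"file:svchost.exe": "md5-ff9", "reg:Run\\wupd": "c:\\temp\\x.exe", "svc:AV": "stopped"}
AUTOSTART_PREFIXES = ("reg:Run\\", "reg:RunOnce\\")  # assumed markers that trigger real-time upload

def build_baseline(population):
    """Normative baseline: for each attribute, how many machines carry each value."""
    base = defaultdict(Counter)
    for attrs in population.values():
        for name, value in attrs.items():
            base[name][value] += 1
    return base

def score_changes(changes, base, population_size, rare_threshold=0.1):
    """Judge one machine's changes against the population context.
    Returns (anomalies, realtime): values seen on fewer than rare_threshold of
    machines are anomalous; anomalous autostart changes are also listed in realtime."""
    anomalies, realtime = [], []
    for name, value in changes.items():
        prevalence = base[name][value] / population_size if name in base else 0.0
        if prevalence < rare_threshold:
            anomalies.append((name, value, round(prevalence, 2)))
            if name.startswith(AUTOSTART_PREFIXES):
                realtime.append(name)
    return anomalies, realtime

def find_donor(population, victim, attr, profile_keys=("os",)):
    """Donor selection: among machines sharing the victim's profile, pick one
    carrying the most common value of attr. Returns (host, value) or None."""
    profile = {k: population[victim].get(k) for k in profile_keys}
    peers = {h: a for h, a in population.items()
             if h != victim and attr in a and all(a.get(k) == v for k, v in profile.items())}
    if not peers:
        return None  # no comparable machine can act as donor
    wanted = Counter(a[attr] for a in peers.values()).most_common(1)[0][0]
    host = next(h for h, a in peers.items() if a[attr] == wanted)
    return host, wanted

if __name__ == "__main__":
    base = build_baseline(POPULATION)
    anomalies, realtime = score_changes(CHANGES_WS01, base, len(POPULATION))
    print("anomalies:", anomalies, "\nreal-time triggers:", realtime)
    print("donor for file:svchost.exe:", find_donor(POPULATION, "ws-01", "file:svchost.exe"))
```

The same change on a machine whose peers already carry that value (for example the common `reg:Run\Updater` entry) scores as prevalent and is not flagged, which is the population context doing the work.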

Remediations require an administrator’s confirmation to execute, and every remediation is reversible. The remediation performs without interruption to the user with no need to re-boot the machine. With Triumfant, machines go from infection to remediation in minutes.

Continuous Enforcement of Policies and Configurations

The same analytic process used to detect malware is equally effective at continuously enforcing security configurations and policies. These can be either the configurations learned in the model from scanning the endpoint population, or explicit configurations expressed as user-defined policies. When non-compliance is detected, Resolution Manager builds a remediation and returns the machine to compliance. Triumfant also ensures that traditional endpoint security tools are properly deployed, properly configured, and fully operational to effectively perform their roles. This continuous enforcement of configurations and policies raises the security readiness of every machine and effectively lowers risk. Learn more about continuous enforcement of policies and configurations.

Unmatched Visibility

The depth and breadth of Resolution Manager's scan scope makes it uniquely capable of delivering more state data about the machine population than any other solution available. Collecting the detailed state data at the server level provides Triumfant with enormous flexibility for reporting and analysis. Because Triumfant scans everything and then stores that data at the server, new questions do not necessitate rescanning of the host machines to acquire more data. This increases responsiveness and eliminates repetitive scans and their impact on the network and the host machines, as well as the associated labor costs. The organization gets answers to critical questions in the time it takes to query the detailed state data already on the server. Learn more about Triumfant and Continuous Monitoring.


"...the definition of successful defense has to change from “keeping attackers out” to “sometimes attackers are going to get in; detect them as early as possible and minimize the damage.” Assume that your organization might already be compromised and go from there."

When Advanced Persistent Threats Go Mainstream
Security for Business Innovation Council
August 2011

© 2012 Triumfant, Inc.