Triumfant Detects Heartbleed Bug on the Endpoint — Underscores Need for Endpoint Breach Prevention and Complete Defense-in-Depth Strategy

The recently discovered Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library that allows cybercriminals to steal information that would normally be protected by the SSL/TLS encryption used to secure the Internet.  While the industry is scrambling to fix the problem and patch the hole, which was revealed just this week but has been around for more than two years, Heartbleed represents a much bigger security issue — it demonstrates that traditional perimeter security is not enough and that security breaches are inevitable.  A new approach is needed, one that combines network security measures (firewall, IPS/IDS, sandbox) with the endpoint. 

Image

Heartbleed is a defect in the OpenSSL implementation that allows the attacker to obtain random chunks of memory data by simply asking.  While the industry collectively works to remediate the Heartbleed bug and shore-up systems, Triumfant’s memory process scanner, the first ever Advanced Volatile Threat (AVT) module to detect and stop in-memory malware attacks, can be used by organizations to detect if the version of OpenSSL being used on any computer has the exploit.  In the mad dash to upgrade to the latest version of OpenSSL free from Heartbleed (Open SSL 1.0.1g or later) Triumfant can help organizations guarantee that the version of OpenSSL used on computers throughout the enterprise is not the one susceptible to this exploit. 

Rapid detection is the new prevention.  Organizations must allocate resources to finding and containing threats once adversaries have gained access.  With Triumfant organizations can create a multi-faceted defense against today’s most advanced cyber threats in RAM and on the hard drive. Attacks happen, but compromises don’t have to become a full breach.  Endpoint security is the final frontier of defense, with solutions like Triumfant picking up where network-based tools fall short. 

John Prisco, CEO of Triumfant 

USB Drives – Cool Tool or Malware Delivery Device

Behold the USB drive. Simple. Functional. Efficient. The USB device is also a symbol of all that makes IT security so difficult. But take heart, because the USB device is also illustrative of the functions and benefits of Triumfant.

Why does the USB key represent the difficulties with IT security? Because a USB device
is an infiltration and exfiltration method wrapped into one tidy package. The bad guys are using USB devices to deliver malicious payload to host machines because this vector readily evades perimeter network defenses that use techniques like deep packet inspection and sandboxing. Unfortunately, techniques require that the attack come across the wire to work, so the attacks delivered by a USB device easily fly under their radar. The USB device has become a very effective mechanism for delivering the targeted and sophisticated zero day attacks and advanced persistent threats that are becoming increasingly difficult to detect.For an example, start with Stuxnet, the malicious attack that grabbed more headlines than a Britney Spears midnight trip for a haircut. Stuxnet evaded protection by using USB drives for transport to the host machines from which the attack spawned.

In regards to exfiltration, there is no simpler tool for offloading data than a USB device. While this has great utility, it is a major problem in the context of data loss prevention (DLP) activities, as once data is loaded onto a device there is absolutely no control of where that data may land. All bets are off.

You would think that USB devices would be the bane of every IT security person on the planet, yet security vendors give them away at industry tradeshows. Most people will pop in a USB key with little thought of the risk, so a “just say no” approach is not effective. Our CTO was at a customer recently and was told that USB devices were not allowed at the site. Minutes later he produced a report that showed that USB devices had been used in over 20% of the machines in the past two weeks. So much for strongly worded guidelines.

The problems surrounding USB devices are useful in pointing out the value of Triumfant:

Malware detection and remediation. Triumfant will detect attacks that are delivered to a machine via a USB device, analyze the attack, and build a remediation to stop the attack and repair all of the damage to the machine. Infection to remediation in minutes. Remember, Triumfant detects attacks by identifying and analyzing changes to the machine, and is therefore attack vector agnostic.

Continuous enforcement of policies and configurations. With Triumfant you can build and enforce policies that disables the use of removable media like USB devices. Triumfant will set the policy and remediate any machine found to be out of compliance.

Continuous monitoring/situational awareness. Your organization may choose to not disable USB devices. Triumfant can provide information about what machines have had a USB device inserted and can identify machines with unusually high levels of data movement. Alternately, if you do disable the devices you may also have users with Admin rights to their machines, enabling them to change the configuration of the machine to override the policies. Triumfant can provide information about what machines have had a USB device inserted and identify those machines where the policy has been altered. Triumfant is not a data loss prevention (DLP) tool and therefore cannot tell you what, if any, data was exfiltrated, but we can tell you that such an exfiltration was possible.

In summary, Triumfant is able to protect machines from attacks delivered by USB devices,
is able to enforce configurations that disable the use of USB devices, and provide insight into usage patterns of USB devices.

If only Triumfant could help me find the numerous USB devices my teenagers borrow and never return. Of course, once they have them, perhaps it is best I don’t plug them into my machine.