It's pretty much a given in the security industry that the bad guys have been winning, said Ridgely C. Evers. And yet, when he joined endpoint security startup TrustPipe in 2010, he realized not much had changed since he headed nCircle, a company later acquired by Tripwire, earlier in the decade.
"There's a less than two handfuls of big companies in security and then there's like 1,500 smaller ones, but the big guys are pretty much all the same. The technologies are pretty much all the same. It's like 'Our dial goes to 11,'" Evers said. "Hackers have gotten a lot better. They have better tools, they're better funded, they're more patient and so forth; they're much more persistent. And the reason is between 10 years and today, there is a vibrant market for stolen data."
Defense boils down to two models: signatures, which can confidently identify a virus but lack resiliency because they go out of date; and heuristics, which takes a probabilistic approach to security that is resilient but can generate false positives.
"So basically, we're bringing two rubber chickens to a digital gun fight," Evers said.
Digital DNA and Security
Kanen Flowers approached Evers about a way to shift the balance for white hats, based on a realization he had. The two had worked together at nCircle Security, which Flowers founded in 1997. Though Flowers is an IT security veteran, with an online bio that says he started as a teenage white hat hacker, he's clearly not your typical network security wonk. His LinkedIn profile lists "University of Life" under education, and he heads a studio company which is producing his film, "Hero Punk."
Flowers, now chief strategy officer at TrustPipe, had realized that digital data contained markers, much like the DNA markers used to identify traits, heritage, disease and species. In the same way scientists can identify cancer risks by looking for cancer markers in DNA samples, Flowers theorized security pros could identify markers for each type of cyber attack. Once the markers were known, a lightweight agent could be used to find and stop attacks.
The first phase involved creating a digital taxonomy of sorts. To do that, Flowers and Evers focused on the full conversation computers have when they connect.
"We're looking at full bi-directional conversations, which is quite unusual, and the reason we do that is that an attack is not an arrow that suddenly hits you. An attack is the culmination of a conversation: 'Hi, I'd like to connect to you.' 'OK, why don't we use this port.' And you go back and forth," Evers said. "It's a stimulus response situation, so you need full bi-directional conversations."
They collected terabytes of data on malicious attacks, as well as data from harmless traffic. This step, called distillation, required a significant amount of processing power. They "template-ized" the traffic, then converted it into integers. A marker is just an array of integers, "which is a computer's very happy place," since "computers do almost nothing better than comparing two integers," Evers explained.
While distillation required massive amounts of compute, the results were shockingly light, according to Evers:
"Now we fed hundreds of millions of vectors in at the top, and what came out blew my mind: All of them fall into only about 1,000 species. Think about that. There are, for example, 120,000 new vectors per day because of all the polymorphic stuff that floats around. Everything aligns into about 1,000 digital species, and the total data set necessary to find all of those species is 300,000 bytes, 300 kilobytes - which means, on average, about 300 bytes per species.
And that data set doesn't change. Once I figured out what a mouse is, I've got mouse. Even as hackers evolve the subspecies, the markers remain."
That allows for a lightweight client on the end point. It turns every conversation into integers, then maps that conversation against its marker sets, first determining the operating system, then the type of connection, Evers said.
"If I'm on windows 7 and this is an SSH connection, I don't need to look at stuff for Windows XP and HTTP. So the number of marker sets that could apply to any given conversation is quite small," he said. "Then we're able to track the conversation against those marker sets with just a small array of pointers, which is really easy and therefore has virtually no impact regardless of speed on CPU or throughput or anything else."
Once a marker set "lights up" from a traffic match, you can be 100 percent confident it's found a match for an attack marker in that digital data, he said. The attack is then stopped before it can launch.
Identifying Compromises Before Attacks Begin
TrustPipe didn’t stop with attack markers. The company sponsored the Bounty Box, a hack-a-thon that offered 5,000 euros (U.S. $5,700) for any hacker who could gain root access to access the "flag," a specific file left on each machine. The event involved hundreds of vulnerable systems in the cloud, on machines running different OSes, with different services and levels of patching, protected only by TrustPipe.
"So hundreds of millions of events, tens of millions of valid attack vectors, and no system was compromised. That was great; that was a nice proof point," he said. "But that was actually a secondary objective. The primary objective was to get all that traffic."
TrustPipe wanted to identify what it called the "death rattle" for each variation of machine. The death rattle is a sort of an involuntary "you got me" a service issues when it's compromised, but not yet under the control of the attacker. It's a signal to hackers that the attack worked. TrustPipe ran this digital data through its distillers to create digital markers for death rattles, so they can identify the compromise before an attack is launched.
When the solution detects a "death rattle," the engine does three things:
- Stops the signal from transmitting back to attackers so they don’t realize they’ve succeeded
- Seals off the compromised instance of the services
- Creates a new provisional marker set that detects this new vector at the endpoint
The provisional marker means TrustPipe's engine essentially learns new attacks as they emerge, Evers said. "This all happens completely autonomously; no teams of monkeys on typewriters around the world trying to keep up with the bad guys."
Unusual Business Model
TrustPipe also has an unusual funding model. Thus far, it's been funded privately and without venture capital. "We've raised no venture capital because we needed to be patient. We have an amazing group of folks around the company but this is not a venture-style business," Evers said.
That worked to the company's advantage when, after a release in 2014, they withdrew the product to rebuild it. Originally the founders planned to offer TrustPipe as a cloud service, but they realized enterprises would prefer a standalone solution.
Evers said it's also unusual for a small company to have an intellectual property foundation, particularly since their patent on the core IP contains no prior art. The head of Morrison & Foerster's software practice handles the IP for TrustPipe. PlainSite reports the company has 18 patent assignments to date.
"No-prior-art patents are rarer than unicorns in Silicon Valley" Evers said.
Finally, the company opted to go to market through partners such as NCR Corporation, an approach that Evers said allows the startup to reach enterprises efficiently and quickly. Since its new launch in January, TrustPipe is already "north of $50 million in revenues in the pipeline this year," he said.
It’s a far cry from the nCircle days, he added, when "we would celebrate sales to a phone booth, not a phone company."
Fast Facts about TrustPipe
Founders: Kanen Flowers and Ridgely Evers
HQ: Healdsburg, Calif.
Product: Endpoint security
Customers: 10, though no names provided
Funding: Privately funded by its founders and a small group of undisclosed investors with backgrounds spanning cybersecurity and large-scale networked systems
Loraine Lawson is a freelance writer specializing in technology and business issues, including integration, health care IT, cloud and Big Data.