Report: Startup promises to catch 100 per cent of network attacks with unique detection technology

First version of TrustPipe security software aimed at Microsoft Windows XP users.

Startup TrustPipe is announcing a security platform that categorizes network-based attacks and blocks them. The company claims that in two years of testing the software has never let attackers compromise the systems it has been protecting.

As it emerges from three years of stealth mode, TrustPipe is announcing, perhaps surprisingly, that its first version, called Trust XP, is written specifically for Windows XP, an operating system Microsoft stopped supporting last spring.

But XP is still in use in countless devices, particularly point-of-sale (POS) machines, as well as millions of PCs around the world, especially in China. Trust XP has the potential to address security concerns about these systems and keep them in service longer.

The company has won the confidence of NCR, a major supplier of POS devices, which plans to offer Trust XP as a service.

These unsupported XP devices can benefit from TrustPipe because it blocks attacks before they have the chance to exploit newly discovered vulnerabilities for which Microsoft will never issue patches, says TrustPipe co-founder and CEO Ridgely Evers.

He says the company will ship versions for other Windows OSs, Linux and Macs by the end of 2015.

The company's goal is to make TrustPipe available for any device: phones, tablets, computers, industrial control systems, light switches, thermostats, the entire Internet of Things.

This is possible in part because the entire body of expressions used to identify malicious events across all operating systems is just 1.5MB, plus a 500kB engine to scan traffic, Evers says. By contrast, typical anti-virus signature libraries range from 50MB to 350MB, and TrustPipe claims that it defends against all known network attacks, not just viruses.

Independent tester West Coast Labs says it has been unable to break through TrustPipe's defenses in two years of trying and has found no cases of the platform delivering false positives or false negatives. "We couldn't effectively compromise the endpoints behind the router that the [TrustPipe] engine was on via network attacks, which is something new for us," says West Coast Labs CEO Scott Markle.

The system consists of a server and a software agent. The agent checks traffic to and from the host machine, looking for markers that definitively identify malicious traffic, and blocks it.

The server provides a management interface for the agents, receives traffic captures of new threats that are collected by the agents, writes markers for these threats and distributes the new markers to all the agents. Typically these updates are necessary once or twice a year, Evers says.

The servers are deployed within what the company calls a Trust Cloud, and that can be either public or private. NCR will run its own, and the one run by TrustPipe itself is based inside Amazon Web Services' cloud, he says. All Trust Clouds share markers for newly discovered attacks.

Each agent contains the entire body of markers, the metaexpression that can identify all known network attacks. These markers, or behavior expressions, are sufficient to determine whether any given network conversation is a member of a known set of attacks.

These markers were created using extensive, time-consuming packet-level analysis of network conversations carried on by known attacks. The analysis breaks down the packet stream into conversations and assigns integer values to represent certain characteristics of the packets that make up each conversation, such as protocol, category and content.

These integers are then assembled to represent the stream, and the analysis notes such characteristics as the frequency of the integers, their proximity to other integers and the distance between each occurrence. These values are in turn assigned integers. The result is what TrustPipe calls a behavior expression for a given set of data being analyzed.

One or more behavior expressions come out of analyzing each network conversation. These expressions represent the behaviors necessary to define a conversation as part of a known attack.

As it turns out, it takes relatively few sets of behavior expressions to define all known attacks, the company says. For example, TrustPipe says it can identify all known viruses using just 14 sets of behavior expressions.

If a new variant of a virus is written, a traditional anti-virus platform would have to add a new signature to its library in order to detect it. By contrast, a new variant of a known virus would be detected by TrustPipe without adding anything to its body of behavior expressions, Evers says. New variants can change a virus's signature but not the behavior expressions that define it. "It's virtually impossible to obfuscate," he says.

In operation, the TrustPipe agent transforms each network transaction into a representation of integers that is mapped against the metaexpression to look for matches. When it finds one, it blocks the traffic. The agent is a network-layer shim in the operating system.
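The pipeline the preceding paragraphs describe (split a packet stream into conversations, assign integers to packet characteristics, derive frequency, adjacency and distance features from the integer stream, and match the result against a stored set of attack markers) is shown below as an added illustrative implementation in Python. It is not TrustPipe's code and is not derived from its patents: the token alphabet, the three feature kinds, the bucket sizes, the host addresses, the sample traffic and the two "attacks" it learns are all constructed for illustration. A marker here is the set of features common to every captured instance of an attack, which is one concrete reading of "the behaviors necessary to define a conversation as part of a known attack"; a conversation matches when its own expression contains every feature in the marker.

```python
from collections import Counter, defaultdict

# Integer alphabet for packet characteristics. Assumed values for illustration,
# not TrustPipe's.
PROTO = {"tcp": 1, "udp": 2}
CATEGORY = {"syn": 1, "syn_ack": 2, "rst": 3, "data": 4, "fin": 5}
CONTENT = {"none": 1, "http_get": 2, "http_post": 3, "shell_cmd": 4, "binary": 5}
FREQ, ADJ, GAP = 1, 2, 3  # kinds of second-order feature in a behaviour expression


def classify_content(payload: bytes) -> int:
    """Coarse content class: a variant that changes bytes but not the kind of
    content (a different shell command, a different URL) maps to the same integer."""
    if not payload:
        return CONTENT["none"]
    if b"/bin/sh" in payload or b"cmd.exe" in payload:
        return CONTENT["shell_cmd"]
    if payload.startswith(b"GET "):
        return CONTENT["http_get"]
    if payload.startswith(b"POST "):
        return CONTENT["http_post"]
    return CONTENT["binary"]


def conversations(packets):
    """Split a packet stream into conversations keyed by host pair and protocol."""
    convs = defaultdict(list)
    for p in packets:
        convs[(frozenset((p["src"], p["dst"])), p["proto"])].append(p)
    return list(convs.values())


def tokenize(conv):
    """One integer per packet, packing protocol, category and content class."""
    return [PROTO[p["proto"]] * 100 + CATEGORY[p["category"]] * 10
            + classify_content(p["payload"]) for p in conv]


def bucket(n: int) -> int:
    """Magnitude bucket: one, a few, many. Exact counts are deliberately lost."""
    return 1 if n <= 1 else 2 if n <= 4 else 3


def behaviour_expression(tokens) -> frozenset:
    """Frequency of each token, which tokens are adjacent, and the distance
    between repeats of the same token, each encoded as an integer triple."""
    expr = {(FREQ, tok, bucket(n)) for tok, n in Counter(tokens).items()}
    expr |= {(ADJ, a, b) for a, b in zip(tokens, tokens[1:])}
    last_seen = {}
    for i, tok in enumerate(tokens):
        if tok in last_seen:
            expr.add((GAP, tok, bucket(i - last_seen[tok])))
        last_seen[tok] = i
    return frozenset(expr)


def learn_marker(samples) -> frozenset:
    """Marker = features common to every captured instance of the attack."""
    return frozenset.intersection(*(behaviour_expression(tokenize(s)) for s in samples))


def classify(conv, markers) -> list:
    """Names of every marker wholly contained in the conversation's expression."""
    expr = behaviour_expression(tokenize(conv))
    return [name for name, marker in markers.items() if marker <= expr]


def detect(packets, markers) -> list:
    """The agent pipeline over a raw stream: one match list per conversation."""
    return [classify(conv, markers) for conv in conversations(packets)]


# --- constructed sample traffic, not real captures --------------------------
ATTACKER, VICTIM, CLIENT = "10.0.0.9", "10.0.0.5", "10.0.0.7"


def pkt(src, dst, category, payload=b"", proto="tcp"):
    return {"src": src, "dst": dst, "proto": proto, "category": category, "payload": payload}


def scan(ports, open_ports=(), replies=True):
    """SYN probes against many ports; closed ports answer RST, open ones SYN/ACK."""
    pkts = []
    for port in ports:
        pkts.append(pkt(ATTACKER, VICTIM, "syn"))
        if replies:
            pkts.append(pkt(VICTIM, ATTACKER, "syn_ack" if port in open_ports else "rst"))
    return pkts


def exploit(cmd: bytes, extra_reply=False):
    """A POST carrying a shell command, answered with binary data."""
    pkts = [pkt(ATTACKER, VICTIM, "syn"), pkt(VICTIM, ATTACKER, "syn_ack"),
            pkt(ATTACKER, VICTIM, "data", b"POST /cgi-bin/x HTTP/1.1\r\n\r\ncmd=" + cmd),
            pkt(VICTIM, ATTACKER, "data", b"\x7fELF\x01\x01")]
    if extra_reply:
        pkts.append(pkt(VICTIM, ATTACKER, "data", b"\x00\x01\x02"))
    pkts.append(pkt(ATTACKER, VICTIM, "fin"))
    return pkts


def benign_http():
    return [pkt(CLIENT, VICTIM, "syn"), pkt(VICTIM, CLIENT, "syn_ack"),
            pkt(CLIENT, VICTIM, "data", b"GET /index.html HTTP/1.1\r\n\r\n"),
            pkt(VICTIM, CLIENT, "data", b"<html>hello</html>"),
            pkt(CLIENT, VICTIM, "fin")]


# Markers are learned from two captures of each attack and then applied to
# traffic the learning step never saw.
MARKERS = {
    "port_scan": learn_marker([scan(range(20, 26)),
                               scan(range(1000, 1010), open_ports={1003})]),
    "cgi_shell_exploit": learn_marker([exploit(b"/bin/sh -c id"),
                                       exploit(b"cmd.exe /c net user", extra_reply=True)]),
}

if __name__ == "__main__":
    print(detect(benign_http() + scan(range(7000, 7007)), MARKERS))   # [[], ['port_scan']]
    print(classify(exploit(b"cmd.exe /c whoami"), MARKERS))           # ['cgi_shell_exploit']
    print(classify(scan(range(20, 26), replies=False), MARKERS))      # [] (silent target)
```

Two points the toy makes visible. The exploit variant with a command string the learning step never saw still matches, because the content classifier collapses it onto the same integer, which is where the "impossible to obfuscate" property lives: it is only as strong as that classifier. And a marker is only as general as the captures it was intersected from: the port-scan marker learned from targets that answered with RSTs does not fire on a scan against a host that stays silent, so the "never a false negative" result reported above depends on how broad the captured attack corpus is.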

The company holds two U.S. patents on its technology.

TrustPipe is not a forensic tool, Evers says. While it is quick and accurate at detecting and blocking threats it can't identify which variant it has blocked. Other tools, such as anti-virus, are needed for that.

"It's not designed to replace anything," says West Coast Labs' Markle and it works differently from any other security technology he's come across. "What it does and the way it does it you can't say it's part firewall, part IPS. It just does what it does in an effective way."

TrustPipe is privately funded. Co-founder Kanen Flowers is the chief scientist and the principal inventor of the technology. He was a founder of nCircle Network Security. Evers was CEO of nCircle and led the team that created QuickBooks. He and Flowers have both worked at nCircle, kozoru and Inquisit.

The advisory board includes a former assistant secretary for cyber security for the Department of Homeland Security, a former payment card executive and a former CEO of health care provider Kaiser Permanente.

The consumer version of Trust XP is available now for $5 for a five-year agent license, including all updates. The company is working on an enterprise version that would offer granularity not available in the consumer version. For example, the consumer version would block port scanning. But the enterprise version would have the option to allow port scanning as part of penetration testing.

The enterprise version might also be customized to support payment card industry standards, for example.

Stories by Tim Greene

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts