Startup TrustPipe is announcing a security platform that categorizes network-based attacks and blocks them. The company claims that in two years of testing the software has never let attackers compromise the systems it has been protecting.
As it emerges from three years of stealth mode TrustPipe is announcing perhaps surprisingly that its first version, called Trust XP, is written specifically for Windows XP, an operating system Microsoft stopped supporting last spring.
But XP is still in use in countless devices particularly point-of-sale (POS) machines as well as millions of PCs around the world, especially in China. Trust XP has the potential to address security concerns about these systems and keep them in service longer.
The company has won the confidence of NCR, a major supplier of POS devices, which plans to offer Trust XP as a service.
These unsupported XP devices can benefit from TrustPipe because it will block attacks before they have the chance to carry out exploits against newly discovered vulnerabilities for which Microsoft will never issue patches, says TrustPoint co-founder and CEO Ridgely Evers.
He says the company will ship versions for other Windows OSs, Linux and Macs by the end of 2015.
The company's goal is to make TrustPipe available for any device phones, tablets, computers, industrial controls systems, light switches, thermostats, the entire Internet of Things.
This is possible in part because the entire body of expressions to identify all malicious events across all operating systems is just 1.5MB plus a 500kB engine to scan traffic, Evers says. By contrast, typical anti-virus signature libraries range from 50M to 350MB and TrustPipe claims that it defends against all known network attacks not just viruses.
Independent testing from West Coast Labs says it has been unable to break through TrustPipe defenses in two years of trying and has found no cases of the platform delivering false positives or false negatives. "We couldn't effectively compromise the endpoints behind the router that the [TrustPipe] engine was on via network attacks, which is something new for us," says West Coast Labs CEO Scott Markle.
The system consists of a server and a software agent that checks traffic to and from the host machines looking for markers that definitively identify malicious traffic and blocks it.
The server provides a management interface for the agents, receives traffic captures of new threats that are collected by the agents, writes markers for these threats and distributes the new markers to all the agents. Typically these updates are necessary once or twice a year, Evers says.
The servers are deployed within what the company calls a Trust Cloud, and that can be either public or private. NCR will run its own, and the one run by TrustPipe itself is based inside Amazon Web Services' cloud, he says. All Trust Clouds share markers for newly discovered attacks.
Each agent contains the entire body of markers the metaexpression that can identify all known network attacks. These makers, or behavior expressions, are sufficient to determine whether any given network conversation is a member of a known set of attacks.
These markers were created using extensive, time-consuming packet-level analysis of network conversations carried on by known attacks. The analysis breaks down the packet stream into conversations and assigns integer values to represent certain characteristics of the packets that make up each conversation, such as protocol, category and content.
These integers are then assembled to represent the stream and the analysis notes such characteristics as the frequency of the integers, their proximity to other integers and and the distance between each occurrence. These values are in turn assigned integers. The result is what TrustPipe calls a behavior expression for a given set of data being analyzed.
One or more behavior expressions come out of analyzing each network conversation. These expressions represent the behaviors necessary to define a conversation as part of a known attack.
As it turns out, it takes relatively few sets of behavior expressions to define all known attacks. For example, TrustPipe can identify all known viruses using just 14 sets of behavior expressions.
If a new variant of a virus is written, a traditional anti-virus platform would have to add a new signature to its library in order to detect it. By contrast, a new variant of a known virus would be detected by TrustPipe without adding anything to its body of behavior expressions, Evers says. New variants can change a virus's signature but not the behavior expressions that define it. "It's virtually impossible to obfuscate," he says.
In operation, the TrustPipe agent transforms each network transaction into a representation of integers that is mapped against the metaexpression to look for matches. When it finds them, it blocks the traffic. The agent is a network-layer shim in the operating system.
The company holds two U.S. patents on its technology.
TrustPipe is not a forensic tool, Evers says. While it is quick and accurate at detecting and blocking threats it can't identify which variant it has blocked. Other tools, such as anti-virus, are needed for that.
"It's not designed to replace anything," says West Coast Labs' Markle and it works differently from any other security technology he's come across. "What it does and the way it does it you can't say it's part firewall, part IPS. It just does what it does in an effective way."
TrustPipe is privately funded. Co-founder Kanen Flowers is the chief scientist and the principle inventor of the technology. He was a founder of nCircle Network Security. Evers was CEO of nCircle and led the team that created QuickBooks. He and Flowers have both worked at nCircle, kozoru and Inquisit.
The advisory board includes a former assistant secretary for cyber security for the Department of Homeland Security, a former payment card executive and a former CEO of health care provider Kaiser Permanente.
The consumer version of Trust XP is available now for $5 for a five-year agent license, including all updates. The company is working on an enterprise version that would offer granularity not available in the consumer version. For example, the consumer version would block port scanning. But the enterprise version would have the option to allow port scanning as part of penetration testing.
The enterprise version might also be customized to support payment card industry standards, for example.