There are four key metrics for evaluating computer security solutions; TrustPipe provides greater than 10X improvements across all four:
- ACCURACY — In years of testing and real-world usage, there have been zero false positives (acceptable traffic blocked) and zero false negatives: no device protected by TrustPipe has ever suffered a remote root compromise. (but…)
We’ve caught every “zero-day” event (a “new” attack vector) since we began testing – even ones no other technology detected. (but…)
We are unaware of any other technology that can support these claims.
- EFFICIENCY — TrustPipe’s footprint is actually more than two orders of magnitude smaller than traditional solutions. And its impact on overall system performance is nearly undetectable.
- RESILIENCE — TrustPipe automatically adapts to changes in the threat environment, in real time. Within minutes of detecting a true zero-day event, the entire global hive of TrustPipes is inoculated against it.
- COST — TrustPipe’s technology allows us to operate far more efficiently as a business. We do not require the teams of people most security technologies need to stay current. And by keeping the team small and focused, we didn’t have to raise the large amounts of capital most security companies require to develop and bring their technologies to market. Plus, TrustPipe’s simplicity makes it easy for users to deploy, reducing their costs even further.
A Breakthrough Approach
These achievements are the direct result of a true breakthrough in data analysis, for which we received our core patent (here).
At a high level, it is a method for identifying the minimum set of markers that authoritatively define data as a member of a set.
It is easiest to think about this in terms of DNA analysis. For example, out of all the DNA in a mouse, only a tiny set of markers are necessary to identify it as a member of the mouse family. If another creature has those same markers, then it, too, must be a member of the mouse family; if it does not, then it is not a member.
TrustPipe understands network traffic at a similar level. We used our patented technology to analyze terabytes of network traffic that had been categorized by experts as being either bad (attacks, exploits, malware, botnets, viruses, and so forth) or good. Through this process, TrustPipe identified the markers that define traffic as bad. It also identified the markers that define good traffic.
As is the case with DNA, these markers are distinctive and authoritative. This means that, if a conversation between two computers has these markers, it must be bad and TrustPipe can confidently move to protect the target computer.
The markers TrustPipe looks for represent a tiny subset of the overall data flow. This means that TrustPipe is both compact and very efficient, because it doesn’t need to examine every bit and byte. As a result, TrustPipe is nearly undetectable in terms of overall system performance.
The bottom-line benefit is that TrustPipe overcomes the intrinsic flaws of both heuristic and signature-based security technologies.
Heuristic technologies deal in probabilities rather than certainty, which means that, while they are useful for drawing attention to a potential problem, they are rarely sufficiently authoritative to justify real-time action.
Signature-based approaches, on the other hand, are great when they work, because they are precise — when the system detects Signature A, it can confidently take action to block it.
The problem is, if the threat changes slightly, the system fails because there’s no longer an exact match. As a consequence, signature-based systems require constant updates, creating larger and larger sets of signatures that require growing compute resources — and they are always playing catch-up.
But what we discovered is that there are distinctive markers — similar to markers in DNA — that perfectly identify entire classes of threats.
As a result, our patented, marker-based approach is every bit as precise as the signature model, and dramatically superior by every other measure.
It detects and blocks all variants — past and future — of every threat class, without modification. For example, TrustPipe-protected systems were not vulnerable to the widely-publicized Heartbleed and Shellshock threats, because while those threats were new to signature-based systems, to us they were simply members of an existing class. No “urgent update” was required.
Moreover, the set of markers required to detect all classes of threat is remarkably compact. The entire TrustPipe dataset, spanning virtually every class of threat, is just 1.5MB — a sharp contrast to, for example, the nearly 400MB update for one well-known program that targets just antivirus. Our compact size translates directly into improved system performance and superior user experience.
Finally, TrustPipe is self-learning. In the rare case of a truly new threat class — an actual “zero-day”, which happens just once or twice each year — TrustPipe automatically discovers the new threat, protects the attacked computer in real time, and then shares its discovery with every other TrustPipe in the world, inoculating the entire TrustPipe ecosystem in minutes.
Together, this has obvious value in network security – an area in which founder Kanen Flowers has deep experience. In fact, it was his frustration with the failure of the vast panoply of security technologies to actually solve the network security problem that led to his discovery of this radical new approach.
How TrustPipe Works
Building TrustPipe involves three phases.
Phase I – Distillation
The Distillation phase, completed in 2012, started with data categorized by humans, which TrustPipe transformed into an entirely new and purely digital model that enables it to ascertain complex patterns well beyond the capabilities of humans to discern.
A key part of Distillation is the normalization of the data by processing entire bi-directional conversations between two or more devices, conversion of conversations to integer values, and elimination of extraneous elements. The Distillation process was understandably tremendously data- and compute-intensive, requiring multiple passes across terabytes of data to derive the “essence” of what binds the set together.
The result of Distillation was a “set of sets” of markers (which we call a MetaExpression) that fully define “acceptable” and “unacceptable” traffic, which TrustPipe then uses to evaluate and categorize random, real-time traffic.
Not only is this MetaExpression absolutely authoritative, it is also astonishingly compact: the version covering all network-based attacks – now and into the future – is less than 1.5MB.
Phase II – Runtime
TrustPipe is deployed as what is referred to as a “bump in the wire” – all traffic runs through it. On endpoint devices, this means it becomes part of the packet-processing flow of the operating system.
TrustPipe transforms each incoming conversation in the same way that occurs during Distillation. However, in sharp contrast to the Distillation phase, when TrustPipe is evaluating network traffic at runtime the process of examining a single conversation between two or more computers is remarkably lightweight, requiring trivial amounts of CPU and imposing a negligible penalty on throughput.
When TrustPipe encounters a segment of a network conversation that is unacceptable, it takes protective action, instructing the packet processor to either drop the offending segment or, in some cases, terminate the entire conversation.
Each TrustPipe checks in periodically with its TrustCloud™ – a cloud-resident system that ties all of its TrustPipes together into a “hive of protection”, keeping each TrustPipe up-to-date. The TrustCloud also enables device-by-device as well as group management and reporting. Typically, the TrustPipe-TrustCloud interactions involve one or two packets, so network impact is trivial.
Phase III – Learning
Because TrustPipe operates at the set-binding level rather than, say, at the signature or behavioral level, it is immune to the obfuscation techniques that most technologies are forced to treat as “new” threat types.
On rare occasions, however, something truly new and unacceptable emerges. In those cases (there have been fewer than five between 2012 and 2014), TrustPipe will not detect the attack itself, but it will detect the effect of the attack.
When that happens, TrustPipe moves to protect the impacted device, and at the same time provides its TrustCloud with information about the attack. The TrustCloud, in turn, updates all of its TrustPipes to inoculate them against the attack – all of which happens within minutes, without human intervention.
This revolutionary capability is the subject of our second core patent (here).
Finally, TrustPipe is continuously learning by watching for new vectors. So, when it detects traffic that doesn’t fall into either the “bad” or the “acceptable” bucket, it reports that to the TrustCloud as well. The TrustCloud synthesizes all these reports of suspicious traffic from TrustPipes around the world and, if a particular type of suspicious traffic is deemed to belong in the “bad” bucket, it automatically pushes a tiny update to every TrustPipe.
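A toy model of the marker idea running through the Distillation, Runtime and Learning phases above, as an added example that is not TrustPipe's code or its patented method (the page gives no algorithm details): a marker is a token n-gram present in every sample of one class and absent from every sample of the other, and runtime conversations land in the page's three buckets (bad, acceptable, suspicious). The conversations, the marker length N and the token-to-integer mapping are constructed assumptions.

```python
"""Toy marker-set classifier (constructed illustration, not TrustPipe's
patented method). A marker is a token n-gram shared by EVERY conversation
of one class and absent from EVERY conversation of the other class."""
import re

N = 3       # marker length in tokens (assumption for this toy)
VOCAB = {}  # stable token -> integer id ("conversion to integer values")

def normalize(conversation):
    """Merge both directions of a conversation, lower-case it, drop
    whitespace and map each remaining token to an integer id."""
    text = " ".join(msg for _direction, msg in conversation).lower()
    tokens = re.findall(r"[a-z0-9]+|[^a-z0-9\s]", text)
    return [VOCAB.setdefault(t, len(VOCAB)) for t in tokens]

def markers_of(conversation):
    ids = normalize(conversation)
    return {tuple(ids[i:i + N]) for i in range(len(ids) - N + 1)}

def distill(bad, good):
    """Keep only n-grams present in ALL samples of one class and in NONE
    of the other: 'distinctive and authoritative' in the page's terms."""
    bad_sets = [markers_of(c) for c in bad]
    good_sets = [markers_of(c) for c in good]
    bad_common = set.intersection(*bad_sets) if bad_sets else set()
    good_common = set.intersection(*good_sets) if good_sets else set()
    bad_any, good_any = set().union(*bad_sets), set().union(*good_sets)
    return {"bad": bad_common - good_any, "good": good_common - bad_any}

def classify(meta, conversation):
    """Runtime: 'bad' (take protective action), 'acceptable', or
    'suspicious' (matches neither set; the page says these get reported)."""
    grams = markers_of(conversation)
    if grams & meta["bad"]:
        return "bad"
    if grams & meta["good"]:
        return "acceptable"
    return "suspicious"

# Constructed training conversations as (direction, message) pairs.
GOOD = [
    [("c", "GET /index.html HTTP/1.1"), ("s", "HTTP/1.1 200 OK")],
    [("c", "GET /about.html HTTP/1.1"), ("s", "HTTP/1.1 200 OK")],
]
BAD = [
    [("c", "GET /cgi-bin/a?f=../../etc/passwd HTTP/1.1"), ("s", "HTTP/1.1 404 Not Found")],
    [("c", "GET /cgi-bin/b?f=../../../etc/shadow HTTP/1.1"), ("s", "HTTP/1.1 403 Forbidden")],
]
META = distill(BAD, GOOD)  # the toy's "MetaExpression": a set of marker sets
```

Note that with only two samples per class the "authoritative" markers are brittle: a marker such as the token triple starting a request path can match unrelated traffic, so the size and diversity of the labelled corpus, not the matching rule, is what makes the sets trustworthy.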
This updating capability isn’t limited to new threat vectors: the entire TrustPipe engine can be updated on-the-fly when we release a bug-fix or add new functionality. This allows us to keep your computer secure, and you safe, long into the future.
Perfect so far. But…
We’ve been around long enough to know that no technology is perfect. So, while TrustPipe has performed remarkably well so far, we assume that there will be issues in the future.
At the same time, we are absolutely confident that when (not if) that happens, the essential simplicity and dynamic nature of the TrustPipe technology will enable us to respond quickly and effectively.