Your information is your information, not ours.
We know nothing about you, your computers, or your network traffic. We do not collect or track your location, your activity, or any other data which might be used to identify you.
After installation, your TrustPipe automatically runs when you turn on your computer.
Your TrustPipe continuously examines all of the network traffic to and from it. Periodically, your TrustPipe connects over the Internet to its Zone Authority if it can reach it (this may not be possible if, for example, you are traveling with your TrustPipe-protected laptop), to do three things:
Typically, this happens every few minutes.
If your TrustPipe spots suspicious activity — traffic that appears to be doing something abnormal and potentially dangerous — it reports that activity to the location (typically a SIEM) you specify for analysis, using Common Export Format (CEF) syslog.
If your TrustPipe should detect a new attack type that causes an actual problem on your computer, it reports that attack via CEF, but also takes action to protect the computer from the effects of the attack. All of this happens automatically — no human is involved.
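As an added illustration of the reporting channel described above (example code, not TrustPipe's own; the vendor, product, signature-id and extension fields are assumed, since the page does not specify them), this builds the kind of CEF event a detection would send over syslog to a SIEM, applies the escaping CEF requires in header and extension fields, and splits a received line back into its header fields:

```python
# Constructed example: emit and parse a CEF event for a hypothetical Marker Set match.
from datetime import datetime, timezone

def cef_escape_header(value: str) -> str:
    # CEF header fields: backslash and pipe must be escaped.
    return value.replace("\\", "\\\\").replace("|", "\\|")

def cef_escape_ext(value: str) -> str:
    # CEF extension values: backslash and '=' must be escaped; no raw newlines.
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))

def build_cef(vendor, product, version, sig_id, name, severity, ext: dict) -> str:
    # CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ...
    header = "|".join(cef_escape_header(str(v))
                      for v in (vendor, product, version, sig_id, name))
    body = " ".join(f"{k}={cef_escape_ext(str(v))}" for k, v in ext.items())
    return f"CEF:0|{header}|{int(severity)}|{body}"

def build_syslog_line(cef_event: str, host: str, when: datetime) -> str:
    # BSD syslog framing with PRI 132 (facility local0=16, severity warning=4).
    return f"<132>{when.strftime('%b %d %H:%M:%S')} {host} {cef_event}"

def split_cef_header(line: str):
    # Split the seven header fields, honouring escaped pipes; return (fields, extension).
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            cur.append(line[i + 1]); i += 2; continue
        if c == "|":
            fields.append("".join(cur)); cur = []; i += 1; continue
        cur.append(c); i += 1
    return fields, line[i:]

# Constructed sample: a hypothetical species match on an SMB conversation, blocked.
SAMPLE_EVENT = build_cef("TrustPipe", "Endpoint", "1.0", "species-4711",
                         "Marker Set match | species 4711", 9,
                         {"src": "10.0.0.5", "dst": "192.0.2.10", "dpt": 445,
                          "act": "blocked", "msg": "conversation=tcp/445 matched"})

if __name__ == "__main__":
    when = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)
    print(build_syslog_line(SAMPLE_EVENT, "laptop01", when))
    print(split_cef_header(SAMPLE_EVENT))
```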
You are free to uninstall TrustPipe at any time.
After years of research and experience in high-threat environments, we concluded that the technologies typically deployed for network security – Signatures and Heuristics – are fundamentally analog models, the same models humans have been using to secure the physical world.
Overwhelming evidence proves that these models are simply not up to the task of securing a digital environment. Even the ways people label attacks reveal a human-biased taxonomy, when in fact many things that humans label similarly have nothing in common from a digital perspective.
To address these structural shortcomings, we developed (and patented) a method for analyzing a vast body of digital data. Comprehensive analysis would enable us to determine – from a purely digital perspective – what binds this data together.
It is easiest to think about this breakthrough in terms of DNA analysis.
For example, out of the 2.9 billion base pairs in the DNA of a mouse, a tiny set of genetic markers are common across the entire mouse family. If another creature has those same markers, then it, too, must be a member of the mouse family. If it does not, then it’s not a member.
We discovered that the same holds true in digital data: it is possible to build a ‘Digital Taxonomy’ out of a massive dataset, effectively identifying every species within it on the basis of common ‘digital markers’.
We used our patented Distillation technology to analyze petabytes of bi-directional network traffic – hundreds of millions of examples – that had been categorized by experts as being either malicious (attacks, exploits, malware, botnets, and so forth) or benign.
Through this process, TrustPipe determined that there are in fact fewer than 6,000 “species” of malicious traffic, with markers that are common across every member of each of those species.
Importantly, the Marker Set for each species is absolutely authoritative. A Marker Set match is 100% definitive: a match means that the data being evaluated is a member of the associated species. This means that if a conversation between two computers has these markers, it must be malicious and the TrustPipe engine on the endpoint can confidently move to protect the target device.
Checking for markers is extremely efficient.
The set of markers required to detect all species of network attack vectors is remarkably compact. In fact, the entire TrustPipe dataset is less than 1.5MB.
At runtime, the endpoint engine is simply doing integer comparison, tracking each network conversation against the array of integers that comprise the dataset.
This results in remarkable efficiency, with nominal impact on both CPU and throughput, and delivers both a superior user experience as well as a major improvement in accuracy.
TrustPipe detects and blocks all variants of every species, even as they evolve.
Just as is the case with markers in DNA, the Marker Set that identifies all members of a species endures, even as hackers evolve the attack vector. The Marker Set isn’t what makes the traffic an attack; the Marker Set is what identifies it as a member of an attack species.
At the Marker Set level, virtually every “new” vector, including zero-days, is simply a variant of a known species and is detected by TrustPipe without modification. This is why our Marker Sets rarely (if ever) require updates or modifications to deal with the constantly shifting threat landscape.
TrustPipe adapts to change.
In the rare case of a truly new threat species — an actual "zero-day", which typically happens just once or twice each year — a TrustPipe-protected endpoint automatically discovers the new threat and protects itself in real time. We hold a patent on this capability.
For detailed information about the discoveries that inspired these patented processes, read the white paper from our Founder and Chief Scientist.
Distillation phase summary:
Our core breakthrough lies in discerning the distinctive sets of markers that bind the elements of a dataset together.
For the dataset, we started with hundreds of millions of conversations between computers that human experts deemed to be malicious, across dozens of human categories. We also included a large set of “good” conversations — ones where nothing bad happened.
Our patented Distillation process transformed the data, combining it into different subsets until it found a purely digital taxonomy in which every conversation is represented, and where each subset of conversations has digital markers in common — ones that are not found outside the subset. Conceptually, then, each of these subsets is actually a digital “species.”
The Distillation process was computationally expensive, as it requires multiple passes to discover these digital species. But it only needed to happen once, because the Marker Set for each species is valid even as that species evolves. Collectively, the hundreds of millions of malicious conversations distilled into fewer than 6,000 species.
The end result is the collection of Marker Sets that define malicious network activity, which we refer to as the Traffic Set. Not only is it authoritative — each Marker Set represents 100% confidence — but also remarkably compact, at less than 1.5MB.
TrustPipe is deployed alongside the packet-handling system of the OS, parsing traffic in real time as it flows into and out of the system.
The set of markers required to detect all classes of threats is remarkably compact. The entire TrustPipe dataset is less than 1.5 MB.
TrustPipe transforms every conversation, inbound as well as outbound, in the same way that occurs during Distillation. However, in sharp contrast to the Distillation phase, when TrustPipe is evaluating network traffic at runtime, the process of looking for known Markers in a conversation between two computers is remarkably lightweight, requiring trivial amounts of CPU and imposing a negligible penalty on throughput.
When a Marker Set match happens, TrustPipe has 100% confidence that the conversation is malicious and can take appropriate action to protect the system and the user.
TrustPipe deployments are managed through a TrustZone Authority, which is an extension of proven DNS technology that is lightweight, resilient and scalable to millions of endpoints.
Because TrustPipe operates at the set-binding level rather than at the signature or behavioral level, it is immune to the obfuscation techniques that most technologies are forced to treat as “new” threat types.
The entire TrustPipe engine can be updated on-the-fly when we release a bug-fix or add new functionality. This allows us to keep every computer secure, and the user safe, long into the future.
On rare occasion, however, something truly new and unacceptable emerges. In those cases (there have been fewer than two per year since 2012), TrustPipe will not detect the attack itself, but it will detect the effect of the new attack, what we call a "Death Rattle".
When that happens, TrustPipe moves to protect the impacted device, and at the same time creates a new Marker Set to inoculate itself against a recurrence of the attack – all of which happens within minutes, without human intervention.
This revolutionary capability is the subject of our second core patent.
We've been around long enough to know that no technology is perfect. So, while TrustPipe has performed remarkably well so far, we assume that there will be issues in the future.
At the same time, we are absolutely confident that when (not if) that happens, the essential simplicity and dynamic nature of the TrustPipe technology will enable us to respond quickly and effectively.