Dell To Add Off-Host BIOS Verification To Endpoint Security Suite Enterprise
by Brett Howse on February 4, 2016 9:00 AM EST
At CES this year, Dell kind of broke from tradition and focused more on their business products. When I had a chance to talk to them, they were very enthusiastic about the fact that Dell is one of the few companies that does complete end to end solutions for the enterprise. Part of that end to end solution is Dell’s Endpoint Security Suite Enterprise, which includes data protection, authentication, and malware prevention.
A new feature coming to this suite is BIOS verification. Dell found that there was a gap in the market with regard to securing the boot process. BIOS attacks are especially nasty, because they load before the operating system and can more easily avoid detection. Most malware protection products focus on heuristics and virus signatures, but that landscape is changing, with less mass targeting of malware and more directed attacks at specific companies, or even people. Dell’s Endpoint suite was recently updated to use Cylance as its anti-virus engine, which uses machine learning and, according to Dell, can stop 99% of malware, even if it’s a zero-day or unknown exploit. Signature based detection is accurate 50% or less of the time, according to the same tests.
But all of that is to protect the operating system. If malware gets into the BIOS, it can be very difficult to detect. There are already methods to help deal with this – Microsoft Windows offers protection called Measured Boot, which verifies the BIOS with the help of the Trusted Platform Module. Dell wants to take this one step further and remove the local host from the equation altogether. Instead, Dell computers with the Endpoint Suite will be able to compare a SHA256 hash of the BIOS against a known good version kept on Dell’s servers. Since Dell is the one that originally creates the BIOS, they would be the authority to ensure that it has not been compromised.
Dell’s suite will compute a hash of the BIOS and send it to Dell. If the hash does not match the known good value, Dell’s servers will send an alert to the designated IT admins for the organization.
Unlike Secure Boot, Dell’s solution does not actually stop the device from booting, or even alert the end user. The hashing and comparison are not done in real time; rather, after the machine finishes booting, the Endpoint Suite will send the hash to Dell. Dell made it very clear that their intention was not to interfere with the device itself, but rather to give the IT admins notification of an issue so that they can deal with it through their own response and policy.
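The flow described above, as an added illustration (not Dell's code): an agent hashes the firmware image with SHA-256 and submits the digest, and a vendor-side check compares it with a reference table keyed by model and BIOS version, producing an alert verdict rather than blocking the device. The model name, version, device ID and byte strings are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for a firmware image as read by the endpoint agent.
GOOD_BIOS = b"EXAMPLE-BIOS-1.2.3 " + bytes(range(256)) * 4
TAMPERED_BIOS = GOOD_BIOS[:300] + b"\x90" + GOOD_BIOS[301:]  # one byte altered

def bios_sha256(image: bytes) -> str:
    """Endpoint side: digest of the firmware image, sent off-host."""
    return hashlib.sha256(image).hexdigest()

@dataclass
class Report:
    device_id: str
    model: str
    bios_version: str
    digest: str

def client_report(device_id: str, model: str, version: str, image: bytes) -> Report:
    """Endpoint side: what the agent submits after boot."""
    return Report(device_id, model, version, bios_sha256(image))

# Vendor side: reference digests published by the party that built the
# firmware (constructed values; a real table would be signed and versioned).
KNOWN_GOOD = {
    ("Model-example", "1.2.3"): bios_sha256(GOOD_BIOS),
}

def verify_report(report: Report, known_good: dict) -> dict:
    """Vendor side: compare the submitted digest with the reference.
    The verdict feeds an admin alert; the device itself is never blocked."""
    expected = known_good.get((report.model, report.bios_version))
    if expected is None:
        status = "unknown_version"   # no reference digest: flag for review
    elif expected == report.digest:
        status = "match"
    else:
        status = "mismatch"          # image differs from the vendor build
    return {"device_id": report.device_id, "status": status,
            "alert": status != "match"}

if __name__ == "__main__":
    for label, image in (("clean", GOOD_BIOS), ("tampered", TAMPERED_BIOS)):
        rep = client_report("PC-01", "Model-example", "1.2.3", image)
        print(label, verify_report(rep, KNOWN_GOOD))
```

The comparison trusts the digest the agent submits; anchoring the measurement in hardware, as Measured Boot does with the TPM, is what prevents compromised firmware from reporting a clean hash.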
One obvious question I had to ask was whether this same hashing could be done on a continuous basis, rather than just at boot, because the Endpoint Suite is what gathers the information and sends it to Dell. They were happy to let me know that a policy based scan of the BIOS is something they are working on, and they are hoping for it to be available in Q2 of this year. Scanning the BIOS every hour, or whatever interval is deemed appropriate by the IT admins, would give them a leg up to catch the malware before it even gets to go through a boot process and get itself into the system.
Dell has focused very much on being a one-stop shop for all of a company’s computing needs, from servers, to desktops, to displays, and even services. This addition to their Endpoint Security Suite Enterprise will initially be available for Dell’s lineup of commercial PCs based on 6th generation Intel processors. They were keen to point out that BIOS attacks are not anywhere near as commonplace as traditional malware, but it is important to be out in front of these types of attacks.