Dell To Add Off-Host BIOS Verification To Endpoint Security Suite Enterprise
by Brett Howse on February 4, 2016 9:00 AM EST
At CES this year, Dell kind of broke from tradition and focused more on their business products. When I had a chance to talk to them, they were very enthusiastic about the fact that Dell is one of the few companies that does complete end-to-end solutions for the enterprise. Part of that end-to-end solution is Dell’s Endpoint Security Suite Enterprise, which includes data protection, authentication, and malware prevention.
A new feature coming to this suite is BIOS verification. Dell found that there was a gap in the market with regards to securing the boot process. BIOS attacks are especially nasty, because they load before the operating system and can more easily avoid detection. Most malware protection products focus on heuristics and virus signatures, but that landscape is changing, with less mass targeting of malware and more directed attacks at specific companies, or even people. Dell’s Endpoint suite was recently updated to use Cylance as its anti-virus engine, which uses machine learning and, according to Dell, can stop 99% of malware, even if it’s a zero-day or unknown exploit. Signature-based detection is accurate 50% or less of the time, according to the same tests.
But all of that is to protect the operating system. If malware gets into the BIOS, it can be very difficult to detect. There are already methods to help deal with this – Microsoft Windows offers protection called Measured Boot, which verifies the BIOS with the help of the Trusted Platform Module. Dell wants to take this one step further and remove the local host from the equation entirely. Instead, Dell computers with the Endpoint Suite will be able to compare a SHA256 hash of the BIOS against a known good version kept on Dell’s servers. Since Dell is the one that originally creates the BIOS, they would be the authority to ensure that it has not been compromised.
Dell’s suite will compute a hash of the BIOS and send it to Dell. If the hash does not match the known good value, Dell’s servers will send an alert to the designated IT admins for the organization.
Dell's Latitude 13 7000 will be available with BIOS Verification
Unlike Secure Boot, Dell’s solution does not actually stop the device from booting, or even alert the end user. The hashing and comparison are not done in real time; rather, after the machine finishes booting, the Endpoint Suite computes the hash and sends it to Dell. Dell made it very clear that their intention was not to interfere with the device itself, but rather to give the IT admins notification of an issue so that they can deal with it through their own response and policy.
One obvious question I had to ask was whether this same hashing could be done on a continuous basis, rather than just at boot, because the Endpoint Suite is what gathers the information and sends it to Dell. They were happy to let me know that a policy-based scan of the BIOS is something they are working on, and they are hoping for it to be available in Q2 of this year. Scanning the BIOS every hour, or whatever interval is deemed appropriate by the IT admins, would give them a leg up to catch malicious firmware before it even gets to go through a boot process and get itself into the system.
Dell has focused very much on being a one-stop shop for all of a company’s computing needs, from servers, to desktops, to displays, and even services. This addition to their Endpoint Security Suite Enterprise will initially be available for Dell’s lineup of commercial PCs based on 6th generation Intel processors. They were keen to point out that BIOS attacks are not anywhere near as commonplace as traditional malware, but it is important to be out in front of these types of attacks.
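To make the flow described above concrete, here is a small added example (not Dell's code) that simulates the two halves of an off-host check: the endpoint hashes its firmware image and uploads a report, and the vendor side compares that hash against a registry of known-good builds and raises alerts for admins. The firmware bytes, model name, version strings and registry layout are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for the firmware bytes an agent would read from
# the flash part. Not real Dell firmware; the tampered copy differs by
# a single bit, which is enough for SHA256 to flag it.
GOOD_IMAGE = b"SAMPLE-BIOS-IMAGE-v1.0.0" + bytes(range(256)) * 4
_tampered = bytearray(GOOD_IMAGE)
_tampered[512] ^= 0x01
TAMPERED_IMAGE = bytes(_tampered)


def bios_sha256(image: bytes) -> str:
    """Endpoint side: hash the firmware image exactly as read from flash."""
    return hashlib.sha256(image).hexdigest()


# Vendor side: registry of known-good hashes. It is keyed by
# (model, BIOS version) because every released build has its own hash.
# Entries here are assumptions for the example.
KNOWN_GOOD = {
    ("Latitude 13 7000", "1.0.0"): bios_sha256(GOOD_IMAGE),
}


@dataclass
class Report:
    hostname: str
    model: str
    bios_version: str
    sha256: str


def build_report(hostname: str, model: str, version: str, image: bytes) -> Report:
    """Endpoint side: the record the agent uploads after the OS has booted."""
    return Report(hostname, model, version, bios_sha256(image))


def verify(report: Report) -> str:
    """Vendor side: 'ok', 'mismatch', or 'unknown' (no reference hash on file).
    'unknown' is kept distinct so a build missing from the registry is not
    silently treated as either clean or compromised."""
    expected = KNOWN_GOOD.get((report.model, report.bios_version))
    if expected is None:
        return "unknown"
    return "ok" if expected == report.sha256 else "mismatch"


def alerts(reports: list) -> list:
    """Vendor side: one alert line per host that needs admin attention."""
    return [f"{r.hostname}: BIOS {r.bios_version} {verify(r)}"
            for r in reports if verify(r) != "ok"]
```

Note that the comparison can only be as trustworthy as the agent that produces the hash; the registry also has to carry every legitimately released build, or routine BIOS updates will show up as alerts.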
edzieba - Thursday, February 4, 2016
"The hashing and comparison is not done in real-time, but rather after the machine finishes booting, the Endpoint Suite will send it to Dell."
The obvious exploit would be for any BIOS malware (or any other malware) to swap out a 'good' hash for whatever real hash the Endpoint Suite would be about to upload.
DanNeely - Thursday, February 4, 2016
Whether it'd work would depend on where the hashing is done. Some enterprise management tools run on processors other than the CPU the OS uses; if that's the case here, malware in the OS or BIOS wouldn't be able to get at it due to hardware isolation. OTOH I've only seen this type of software mentioned in terms of servers, not client computers. Other than PCB space being extremely tight, there's no reason Dell couldn't've crammed it into their laptop though.
letsief - Thursday, February 4, 2016
I've seen this mistake in a lot of tech writing, and I'd really like it to stop. UEFI Secure Boot has next to nothing to do with a TPM. The related TPM-based technology would be some form of a measured boot, where you collect measurements of firmware in the TPM registers so you can (later) report on what executed. Windows boxes have support for measured boot, too, but that's completely separate from UEFI Secure Boot.
Brett Howse - Thursday, February 4, 2016
Sorry, I meant Measured Boot, not Secure Boot. I was referring to the Windows mechanism and not the BIOS one. I've fixed up the text. Thanks for the feedback!
onlynowyoufixit - Friday, February 5, 2016
It's when I read posts like this one, a long time after the release of Snowden documents like this one (https://www.eff.org/document/20131230-appelbaum-ns...), that I realize how far behind the US government the industry is. There are weak links in a system like Dell's, but at least someone's trying.
onlynowyoufixit - Friday, February 5, 2016
Heh, OK, first time posting a link in the comments here. Again. https://www.eff.org/document/20131230-appelbaum-ns...
speculatrix - Thursday, February 18, 2016
I've had many desktop PCs whose motherboard has a jumper to disable BIOS flash updates.
Why not just use this?
On a laptop, put a switch in the battery compartment. Or under a flap.
Seriously, do you really need to update your BIOS or firmware more than once a year? Or once *ever*, if you buy a newly released product which was released a bit early?
XmppTextingBloodsport - Saturday, March 19, 2016
Bend over and accept a return to the Client Server model.