TL;DR: Eclypsium offers a layer of security protection intended to defend against vulnerabilities in the firmware and hardware layers below the operating system. Malicious actors know that traditional enterprise-grade security systems often lack visibility in this layer across laptops, servers, and networking infrastructure. Built on decades of firmware threat research and real-world experience, the Eclypsium platform provides a comprehensive hardware inventory, proactively identifies and manages firmware risk and patches, and protects devices from hidden firmware threats.
It’s hard to keep up with the cybersecurity scene these days without seeing a headline or two about vulnerabilities with foreboding names like Spectre, which translates to a ghostly figure, or Meltdown, named after the term for a disastrous nuclear event.
The two related speculative execution attacks exploit critical vulnerabilities in modern processors. Meltdown affects Intel chips by enabling attackers to access passwords and data stored in the operating system’s kernel.
Spectre, on the other hand, affects devices featuring a range of processors. The vulnerability, which manipulates applications into accessing random memory locations, is harder to exploit than Meltdown, and also more difficult to mitigate.
Current software patches exist to protect systems from Meltdown and Spectre. But, as any security expert knows, there’s no shortage of cyber ghouls waiting for their turn to terrorize the industry.
“If you’ve built up a bunch of assumptions regarding how a computer works, and then you have bugs at the lower layers like Meltdown and Spectre, everything will come crashing down,” said John Loucaides, VP Research and Development at Eclypsium.
Modern online criminals know that traditional enterprise-grade security systems often lack visibility in the firmware and hardware layer. That’s where Eclypsium, an enterprise firmware and hardware protection platform, comes in.
Eclypsium provides a comprehensive hardware inventory, proactively identifies and manages firmware risk and patches, and guards devices from dangers lurking within firmware across endpoints, datacenters, and infrastructure throughout the device life cycle, from deployment to operational use.
Addressing Unprotected Security Vulnerabilities Below the OS
John, who has vast experience in security evaluations, worked for the United States Department of Defense fresh out of college.
“I was mostly focused on what you would call high-assurance systems, which the defense department would spend millions of dollars trying to secure, particularly on the cyber side,” he said. “As part of that job, I became interested in stopping the vulnerabilities that had the potential to destroy years, even decades, of hard work and investments.”
His research led him to Intel, where he took a position on the product security incident response team.
“That’s the group that you reach out to when you’re going to report a bug,” he said. “It was great because they gave me this interesting perspective on both sides of the problem.”
It was at Intel that he met Yuriy Bulygin and Alex Bazhaniuk, who would go on to co-found Eclypsium as CEO and CTO, respectively.
“We ended up working together quite often, and quite well,” John said. “As part of our work, we released an open-source framework called CHIPSEC, which became the industry standard for checking or assessing the security of the platform layer. We also included a test suite aimed largely at researchers and, to some extent, the OEMs that wanted to make sure that they were releasing quality stuff.”
Those groups used the tool as expected. What the team didn’t expect was for IT departments to adopt the technology. But they did.
“IT departments ended up using it for two reasons,” John said. “One was to monitor for vulnerabilities present in their environments. The other one was almost like an acceptance test. They would be ordering thousands of computers, and if they were bad, they actually wouldn’t accept them. I found this out because of support tickets on the open-source project.”
That experience made the trio realize there was an emerging industry focus on firmware attacks and vulnerabilities. “Everything sort of added up, and Eclypsium was the natural next step,” John said.
Mitigating Firmware Weaknesses that Traditional Security Misses
John told us Eclypsium’s value proposition is twofold, spanning IT operations and security.
“Operations-wise, there’s a common and fascinating problem where teams likely don’t have an inventory at the component and firmware level,” John said. “And if you don’t have that inventory, when the next Spectre-like vulnerability comes out, you’re not going to know how to figure out which systems are affected.”
Eclypsium’s firmware visibility and risk assessment features scan the inventory of an enterprise’s devices, including system firmware (BIOS, UEFI) and firmware within device components such as chipsets, PCI devices, and drives. An automated analysis reveals weaknesses, outdated firmware, or firmware with known vulnerabilities.
On the security side, Eclypsium can protect against a range of hardware and firmware vulnerabilities, including attacks such as Cloudborne, which allow hackers to exploit firmware backdoors on bare-metal cloud servers. Eclypsium discovered this vulnerability in 2019.
“You can actually have a piece of malware in a bare-metal cloud that propagates to these other tenants and nobody’s looking at it, not even the cloud provider,” John said. “It’s way easier to pull off than you might think — the kind of cloud provider that we found this flaw in wasn’t one of the little guys.”
The company frequently researches enterprise firmware security. In July 2019, the company announced weaknesses found in a firmware supplier that put servers from manufacturers, including Lenovo and Gigabyte, at risk. The discovery highlighted Eclypsium’s strength throughout the supply chain.
“Eclypsium will cover the entire life cycle of the device,” John said. “So you’re a supplier, and you run a scan in the supply chain, you know that you’re sending out good stuff because you’ve checked for vulnerabilities. When somebody receives what you’ve sent them, they can run a scan again. That scan can be compared with what you sent, and we can know that nothing has been modified in transit.”
Moreover, beginning with that very first scan, users start to create a historical profile — and John said that’s something most companies can’t offer. “It transitions into this continuous monitoring service, and ultimately, incident response if you do see something suspicious,” he said.
A Focus on System Behaviors and Integrity of Firmware
The Eclypsium platform boasts a good list of features, from scanning, monitoring, and detection, to response, forensics, and patching. John told us his favorite aspect of the platform is that the company isn’t putting all of its eggs in one basket, so to speak.
“The problem that you often face at this level is that you’re stuck hoping that whoever developed that firmware, built that system, manufactured that motherboard, and put everything together did it right,” John said. “They will do things like create a hardware root of trust, something they believe is very robust and well done, and in many cases, it really is.”
But the problem with that approach is that as soon as there’s one bug in it, everything comes crashing down. Again: A bunch of eggs, one vulnerable basket.
“We’re not trying to replace that,” John said. “We’re saying, ‘Yes, do that. But also look at how the system is behaving.’ The behaviors of the system will tell you whether a system is acting like every other one.”
John said these actions complement, rather than replace, technologies like Intel® Boot Guard, which is designed to prevent malware from replacing or altering low-level firmware, and HP Sure Start, which validates BIOS code integrity.
Up Next: Improved Component Coverage and Depth
Moving forward, Eclypsium will continue to leverage its experience and ongoing research into the threats targeting the foundations of our computing systems, and to develop solutions accordingly.
Suzanne Balter, Sr. Director of Marketing at Eclypsium, told us the company recently published a new blog post centered on best practices for firmware updates. “Because firmware has vulnerabilities, disciplined updating is an essential element of good cybersecurity hygiene, but the process can be confusing for many enterprises,” Suzanne said.
The report provides readers with vital insights into update management and guidance on best practices. Meanwhile, John said Eclypsium will continue to help enterprises defend themselves against threats that traditional security software typically misses.
“We are always improving, whether that means including more components or exploring different analytic techniques to understand risk and integrity,” John said.