Trusteer's three-pronged approach to advanced threat protection

Trusteer Apex and IBM Security Solutions combine to create a protective shield

Explore how to help protect your IT environment from exploitation, exfiltration, and credential theft by adding Trusteer Apex. Discover how the Apex software performs these tasks. See how Apex (and other Trusteer software) combines with IBM® security products to create a more secure shield for your organization's data.


developerWorks security editors, IBM staff, IBM

This article is brought to you by the editors of the developerWorks Security site.

20 January 2014


Detecting advanced persistent threats


Application scanning is one component of endpoint management and protection against advanced persistent threats. To learn about comprehensive strategies for risk mitigation by using IBM Endpoint Manager, read "Proactive response to today's advanced persistent threats."

The main infection vectors of today's advanced information-stealing malware are exploitation of application vulnerabilities and social engineering schemes that result in direct malware installation. This type of malware circumvents blacklisting of signatures and malicious behaviors, while whitelisting approaches (which can minimize malware evasion) are difficult to implement and manage.

Trusteer Apex is an automated solution that prevents exploits and malware from compromising enterprise endpoints and extracting information by providing three layers of security — exploit prevention, data exfiltration prevention, and credentials protection. Apex focuses on the behaviors of a small group of applications responsible for most exploitation events — Java™ technology, Adobe® Reader and Flash®, and Microsoft® Office.

Figure 1 details how these attacks unfold and the points at which Trusteer Apex stops the intrusion.

Figure 1. Where Trusteer Apex stops the attacks
Diagram of where Trusteer Apex stops the attacks

The attacker can use a spear-phishing email to send an employee a weaponized document, one that contains hidden exploit code. When the user opens the document in a viewer, such as Adobe Acrobat or Word, the exploit code runs, exploits an application vulnerability, and silently downloads malware onto the employee's computer. The employee is never aware of this download.

Another option is to send a user a link to a malicious site. It can be a malicious website that contains exploit code or a legitimate website that was compromised (a watering hole attack). When the employee clicks the link and the browser renders the HTML content, the exploit code runs, exploits a browser (or browser plug-in) vulnerability, and silently downloads malware onto the employee's computer.

The link can also direct the user to a phishing site (like a fake web app login page) to convince the user to submit corporate credentials.

After the attacker infects the computer with advanced malware or compromises corporate credentials, the attacker has a foothold within the corporate network and can advance the attack.

Trusteer Apex protects organizations against such threats at three junctions:

  1. Exploit Prevention stops exploitation attempts from compromising user computers.
  2. Exfiltration Prevention stops malware from communicating with the attacker and sending out information if the machine is already infected.
  3. Credentials Protection stops users from submitting corporate credentials to non-approved sites, including phishing sites and public sites such as social networks or e-commerce sites.

Trusteer Apex applies a new approach to stopping zero-day application exploits and data exfiltration. By analyzing application operations together with the application's state when it performs them, the software can automatically and accurately determine whether an application action is legitimate or malicious.

A closer look at Trusteer Apex

As mentioned, the key capabilities of Trusteer Apex include the ability to:

  • Shield endpoint apps from zero-day exploits.
  • Prevent data exfiltration and credentials theft.
  • Automate application state updates.

Look at each in a little more detail.

Shield endpoint apps from zero-day exploits

Trusteer Apex protects commonly exploited and widely used applications that process untrusted external content, including web browsers, Adobe Acrobat, Flash, Java, and Microsoft Office. It monitors application states and validates legitimate operations, such as file system access. It blocks the execution of files that are written to the file system through exploitation of vulnerabilities (for example, when the application enters an unknown state), preventing malware from compromising the endpoint.

Apex performs these tasks by using stateful application control. It analyzes the action that occurs (the behavior) and the application memory state when it executes the action. It maps out all the legitimate application states for the targeted applications and creates a whitelist of approved contexts. Trusteer also maps contexts that represent malicious data exfiltration. It compares these records to observed behavior to determine whether an action is legitimate, malicious, or suspicious.

This technology doesn't scan the entire file system, so its impact on system resources and the endpoint is minimal.

Prevent data exfiltration

Information-stealing malware can be directly installed on endpoints by the user without requiring an exploit. To exfiltrate data, the malware must communicate with the Internet directly or through a compromised application process. Advanced malware uses a few evasion techniques to bypass detection. For example, it compromises another legitimate application process and might communicate with the attacker over legitimate websites (such as forums and Google Docs).

Trusteer Apex stops the execution of untrusted code that exhibits data exfiltration states. It validates that only trusted programs are allowed to use data exfiltration techniques to communicate with external networks. The software uses a few different techniques to identify unauthorized exfiltration states and malicious communication channels and blocks them. Because it monitors the activity on the host itself, it has better visibility and can accurately detect and block these exfiltration states.
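The two decisions described in the "Shield endpoint apps from zero-day exploits" and "Prevent data exfiltration" sections can be modeled with a small policy engine. The following is an added illustration, not Trusteer's engine or any code from the original article: a monitored application that writes a file while in a state that is not on the whitelist has that file marked untrusted and later execution of it is blocked, and only trusted programs may open outbound connections, with even a trusted program blocked when it connects from an unknown state (for example, a thread injected into a browser process). The application names, state labels, whitelist tuples, and event stream are all constructed for the example.

```python
"""Toy stateful application control policy (added illustration, not Trusteer's code).

Models two decisions:
  * a monitored application that writes a file while in a state that is not on
    the whitelist has that file marked untrusted, and later execution of the
    file is blocked;
  * only trusted programs may open outbound connections, and even a trusted
    program is blocked when it connects from an unknown state (for example,
    code injected into a browser process).
Application names, states and the event stream are constructed for the example.
"""
from dataclasses import dataclass


# Applications that process untrusted external content (constructed list).
MONITORED_APPS = {"AcroRd32.exe", "winword.exe", "java.exe", "iexplore.exe"}

# Whitelist of legitimate (application, operation, state) contexts. A real
# engine derives these from observed behaviour; these tuples are assumptions.
LEGIT_STATES = {
    ("AcroRd32.exe", "file_write", "save_dialog"),
    ("AcroRd32.exe", "file_write", "cache_write"),
    ("winword.exe", "file_write", "save_dialog"),
    ("winword.exe", "file_write", "autosave"),
    ("iexplore.exe", "net_connect", "page_load"),
}

# Programs permitted to talk to external networks (constructed list).
TRUSTED_NETWORK_APPS = {"iexplore.exe", "outlook.exe"}


@dataclass(frozen=True)
class Event:
    app: str         # process performing the operation
    op: str          # "file_write", "exec" or "net_connect"
    target: str      # path written or executed, or destination host:port
    state: str = ""  # application state at the time of the operation


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


class StatefulAppControl:
    """Remembers which files on this host came from unknown application states."""

    def __init__(self):
        self.untrusted_files = set()

    def handle(self, ev):
        key = (ev.app, ev.op, ev.state)
        if ev.op == "file_write":
            if ev.app in MONITORED_APPS and key not in LEGIT_STATES:
                # Unknown state: the write itself is allowed, but the file is
                # tainted so that it can never be executed on this host.
                self.untrusted_files.add(ev.target)
                return Verdict(True, f"{ev.target} marked untrusted (state {ev.state!r})")
            return Verdict(True, "legitimate write")
        if ev.op == "exec":
            if ev.target in self.untrusted_files:
                return Verdict(False, f"blocked execution of untrusted file {ev.target}")
            return Verdict(True, "execution allowed")
        if ev.op == "net_connect":
            if ev.app not in TRUSTED_NETWORK_APPS:
                return Verdict(False, f"blocked: {ev.app} is not trusted to reach the network")
            if key not in LEGIT_STATES:
                return Verdict(False, f"blocked: {ev.app} connecting from unknown state {ev.state!r}")
            return Verdict(True, "legitimate connection")
        return Verdict(False, f"unknown operation {ev.op!r}")


def evaluate(events):
    """Run a fresh policy engine over an event stream and return one Verdict per event."""
    engine = StatefulAppControl()
    return [engine.handle(ev) for ev in events]


# Constructed event stream: a weaponized PDF drops and runs a payload, and code
# injected into the browser tries to phone home through a legitimate website.
SAMPLE_EVENTS = [
    Event("AcroRd32.exe", "file_write", r"C:\Users\bob\Documents\report.pdf", "save_dialog"),
    Event("AcroRd32.exe", "file_write", r"C:\Users\bob\AppData\Local\Temp\svc.exe", "rop_chain"),
    Event("explorer.exe", "exec", r"C:\Users\bob\AppData\Local\Temp\svc.exe"),
    Event("iexplore.exe", "net_connect", "www.example.com:443", "page_load"),
    Event("iexplore.exe", "net_connect", "docs.google.com:443", "injected_thread"),
    Event("svc.exe", "net_connect", "203.0.113.10:8080", ""),
]

if __name__ == "__main__":
    for ev, v in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"{'ALLOW' if v.allowed else 'BLOCK'} {ev.app:14} {ev.op:12} {v.reason}")
```

The point of keying the whitelist on (application, operation, state) rather than on the operation alone is visible in the last two events: the browser is a trusted network program, but its connection from an injected thread is refused, while the dropped payload is refused outright because it is not a trusted program. The file written from the unknown state is not deleted, only prevented from executing, which matches the behavior the text describes.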

Prevent credentials theft

Employee credentials are a prime target for cyber criminals. If compromised, a hacker can use these credentials to log in and access sensitive business information. Key loggers are often used for stealing user credentials. They can target VPN clients that are used by remote employees to access the enterprise network or specific enterprise applications.

Trusteer Apex encrypts the keystrokes that are entered by the user. It prevents users from submitting credentials to phishing sites by validating the site to which they connect and blocking attempts to submit corporate credentials to unapproved sites.

In addition, Apex prevents users from reusing enterprise passwords on public sites that are constant targets of hackers who attempt to steal lists of user credentials. Users don't want to remember many passwords, so they tend to reuse passwords.

The Apex administrator configures, in the Trusteer Management Application, a list of approved URLs for enterprise application logins. The agent keeps a one-way hash of each enterprise password locally and compares submitted passwords against it when the user tries to log in to a web application. If the login is to an approved URL, it is allowed. If the URL is not on the approved list, the user is not allowed to use that password there. This feature is optional and does not have to be enabled.
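The credential-reuse mechanism just described, as an added illustration that is not Trusteer's code and not part of the original article: the agent keeps only a salted one-way hash of the enterprise password, hashes each password the user submits to a web form, and blocks the submission when it matches and the destination is not an approved login URL. The approved list, hostnames, and KDF parameters are assumptions for the example, and destinations are compared by origin (scheme, host, port) rather than by full URL, which is a simplification of the per-URL list the text describes.

```python
"""Credential-reuse check against approved login URLs (added illustration, not Trusteer's code).

The agent keeps only a salted one-way hash of the enterprise password, hashes
each password the user submits to a web form, and blocks the submission when
it matches and the destination is not an approved login URL. The approved
list, hostnames and parameters are assumptions for the example. Destinations
are compared by origin (scheme, host, port), a simplification of a per-URL list.
"""
import hashlib
import hmac
import os
from urllib.parse import urlsplit

# Approved enterprise login URLs, as an administrator would configure them (constructed).
APPROVED_LOGIN_URLS = [
    "https://sso.corp.example/login",
    "https://vpn.corp.example/remote/login",
]


def _origin(url):
    """Return (scheme, host, port) for an https URL, or None if it is not https."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return (parts.scheme, parts.hostname.lower(), parts.port or 443)


def is_approved(url):
    """Exact origin match: 'sso.corp.example.attacker.test' must not match 'sso.corp.example'."""
    origin = _origin(url)
    return origin is not None and any(origin == _origin(a) for a in APPROVED_LOGIN_URLS)


def enroll_password(password, salt=None, iterations=100_000):
    """Store a salted PBKDF2 hash; the agent never keeps the plaintext.

    A slow KDF is used because the stored record is an offline-crackable copy
    of the corporate password if the endpoint itself is ever compromised.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def matches(record, candidate):
    """Constant-time comparison of a submitted password against the stored hash."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def check_submission(record, url, submitted_password):
    """Decide whether a form submission carrying a password may proceed.

    Returns (allowed, reason). Only submissions of the enrolled enterprise
    password are ever blocked; any other password is passed through untouched.
    """
    if not matches(record, submitted_password):
        return True, "not the enterprise password"
    if is_approved(url):
        return True, "enterprise password submitted to an approved login URL"
    host = urlsplit(url).hostname or url
    return False, f"blocked: enterprise password submitted to unapproved site {host}"


if __name__ == "__main__":
    record = enroll_password("Corp-Passw0rd!")
    for url in ("https://sso.corp.example/login",
                "https://sso.corp.example.attacker.test/login",
                "https://social.example/login",
                "http://sso.corp.example/login"):
        print(url, check_submission(record, url, "Corp-Passw0rd!"))
```

Two details matter in practice. The approved-site comparison is on the parsed hostname, not a string prefix, so a lookalike such as sso.corp.example.attacker.test or a plain-http copy of the real login page is refused. And because the local hash is a crackable copy of the corporate password, a deliberately slow KDF and a per-record salt are the minimum; the keystroke encryption the text mentions is a separate control and is not modeled here.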

Automate application state updates

The Trusteer Apex Stateful Application Control engine is easy to manage and maintain because it is based on validation of legitimate application states that are few and stable. New legitimate application states are automatically detected based on research that is continuously performed on a network of 30 million protected endpoints. Trusteer automatic updates do not require user disruption.

Apex comes with a complete whitelist of legitimate application states that are based on intelligence that is gathered from these 30 million endpoints. Because the software already protects both managed and unmanaged endpoints that belong to customers of financial institutions, Trusteer assembled and tested a full roster of real-world platform/application combinations.

When an unknown application state is detected, the Trusteer software automatically handles the whitelisting process for that state. This level of automation removes much of the management effort that is associated with application control implementations.

How Trusteer fits into IBM Security Systems

The family of Trusteer cloud-based software provides two layers of protection and a top-level database, arranged in the following way:

  • The components in the first layer provide endpoint security:
    • Trusteer Mobile offers an embedded security library for native mobile apps, a dedicated mobile browser, and out-of-band authentication.
    • Trusteer Rapport offers prevention and remediation of malware and phishing threats on PCs and Macs.
    • Trusteer Apex handles zero-day exploits and data exfiltration prevention for employees' endpoints.
  • The components in the second layer deliver clientless fraud protection:
    • Trusteer Pinpoint consists of two products:
      • Account Takeover (ATO) Detection correlates multiple fraud risk indicators for conclusive account takeover and mobile risk detection.
      • Malware Detection performs clientless detection of Man-in-the-Browser malware-infected endpoints.
    • Trusteer Mobile Risk Engine is designed to detect mobile and cross-channel fraud.
  • At the top is the Trusteer Cybercrime Intelligence, a global threat intelligence and fraudster database that includes data from tens of millions of Trusteer-protected endpoints.

Figure 2 shows the architecture of the Trusteer component products.

Figure 2. The Trusteer products hierarchy
Diagram of the Trusteer products hierarchy

The IBM Security Framework (Figure 3) gains from integrating Trusteer component features by:

  • Strengthening web-based fraud protections for financial services and web commerce customers.
  • Adding to IBM MobileFirst security initiatives by enabling secure transactions from devices to back-office servers.
  • Extending Advanced Threat Protection (ATP) capabilities by increasing the ability to identify and stop advanced threats.
  • Delivering security-as-a-service and enabling rapid deployment of security-related products and updates.
Figure 3. The IBM Security Framework
Diagram of the IBM Security Framework

Creating a stronger security profile

Together, IBM and Trusteer products can create a strong security profile for your organization by helping you to:

  • Enhance your threat intelligence to quickly adapt and respond to malware and emerging threats. Combine the Trusteer Cybercrime Intelligence database with IBM X-Force's Global Threat Intelligence and research and development.
  • Increase mobile transaction security. Connect Trusteer Mobile Risk Engine with IBM's MobileFirst platform, the IBM Worklight mobile development environment, and IBM Endpoint Manager software.
  • Extend fraud detection to e-commerce and identity and access management. Use Trusteer Pinpoint and Rapport with IBM Security Access Manager and IBM WebSphere Application Server.
  • Counter advanced threats (including zero-day exploits). Try Trusteer Apex with IBM QRadar Security Intelligence Platform, IBM Security Network Intrusion Prevention System (IPS), and Endpoint Manager.


