SafeBIOS Events and IoA detects BIOS changes for indicators of attack.
Dell is boosting its commercial PC security at the BIOS level to address the surge in remote employees from COVID-19.
The PC maker on Friday launched SafeBIOS Events and Indicators of Attack (IoA). The new tool uses anomaly detection to discover attacks against the BIOS of its PCs. Attackers have stepped up their attacks on PCs’ BIOS, the software underneath the operating system that issues boot commands and stores system and user credentials.
Dell will include SafeBIOS Events and IoA with its commercial PC models including Latitude, Precision, Optiplex, Vostro and XPS. Dell will release a download for existing systems.
The tool is only available for Dell commercial PCs, said David Konetski, a Dell Fellow and VP of client solutions. Konetski says that’s because Dell’s commercial PCs have BIOS capable of sharing telemetry to determine indicators of an attack. Over time, he said Dell hopes to bring that capability to its consumer systems as well.
Improving PC security at the BIOS level has become increasingly more important. Forrester Consulting did a survey for Dell last year. It revealed that 60% of companies with more than 500 employees were concerned about exploits to BIOS and firmware.
OEMs are paying greater attention to enhancing endpoint security below the operating system. HP last month said it will bring more of the Sure Click application isolation technology from its Bromium acquisition into more of its commercial PCs. While it’s a different approach to Dell’s, it points to OEMs extending endpoint protection below the OS.
“It’s a good thing for organizations to have that level of instrumentation and attack detection,” said Scott Crawford, VP of 451 Research’s information security practice.
An intruder who successfully gains access to a system’s BIOS potentially could use those credentials to gain access to an organization’s entire infrastructure. Intruders can also alter BIOS configuration to carry out a broader attack.
Konetski told Channel Futures that SafeBIOS Events and IoA uses anomaly detection. If the tool discovers changes to a BIOS configuration, it alerts security and IT administrators. Managed security services providers (MSSPs) can also get alerts from the tool, he explained.
Dell’s new tool builds on the company’s SafeBIOSm which offers BIOS verification. SafeBIOS measures the BIOS and compares it to a measurement taken from the host. It ensures no modifications were made to the BIOS when it is preparing to boot. It runs the verification in runtime mode as well. Using machine learning, it measures the behaviors at the OS level and generates attack indicators to protect machines above the OS and application layer.
Now, SafeBIOS Events and IoA builds on that approach below the operating system.
“We now look at changes to the BIOS configurations and modifications below the OS and string those things those events together to create indicators of attack,” Konetski said.
MSSPs and administrators can look at machine logs, available in any management system, to present potentially malicious changes below the OS.
“It’s a very unique thing that we are doing,” he said. “It really has not existed in the industry before. And we’re kind of pioneering this with Dell platforms. And then of course, working with our partners, Carbon Black from VMware and Secureworks, to be able to consume these indicators of attack and be able to protect our customers.”
While Dell integrated SafeBIOS CrowdStrike last year, the company hasn’t integrated the new tool with CrowdStrike. Since then, VMware, a Dell Technologies company, acquired Carbon Black.
Asked about other MSSPs and partners, Konetski said Dell will offer technical documentation to them.
Dell also announced it is offering temporary Dell Encryption licenses through May 15. Last month, Dell lifted the number of devices its VMware Carbon Black endpoint detection and response software covers through June 20.
Please log in again. The login page will open in a new tab. After logging in you can close it and return to this page.