As defenders focus on traditional software threats, adversaries have shifted to targeting firmware in servers, laptops, and networking equipment—areas where security teams lack visibility and control. By exploiting vulnerabilities, compromising the supply chain, or gaining physical access, attackers infiltrate trusted infrastructure, bypassing standard defenses.
The Eclypsium solution enhances visibility to detect compromised or tampered firmware (including supply chain threats), identify critical hardware and firmware vulnerabilities, and improve firmware update management for enterprise systems. It also enables organizations to monitor and respond to compromised or vulnerable devices across their endpoints and servers.
The Eclypsium solution consists of two primary components:
- Eclypsium Administration and Analytics Service: hosted in the cloud or self-hosted on-premises, this service analyzes data from monitored systems and provides a web-based interface for administrators and users.
- Eclypsium Device Scanner (including kernel module/driver): deployed temporarily or permanently on target systems, the Scanner collects firmware and hardware data, then uploads it to the Analytics Service.
The Eclypsium Device Scanner uses a kernel driver to collect data and configuration from processor and chipset hardware, system firmware (e.g., UEFI or BIOS), management controllers (e.g., Intel Management Engine or BMCs), and system devices (e.g., hard drives, network cards, graphics cards). This data is transmitted securely over an encrypted and authenticated channel to the Analytics Service, while minimizing data transfer.
In addition to collecting telemetry, the Scanner performs real-time analysis of system configuration and operation to detect suspicious behaviors that may indicate malicious implants.
The Eclypsium Administration and Analytics Service performs multiple analyses and adversary detections based on telemetry data from monitored systems. These analyses include:
- Firmware binary image and configuration review for known implants, using indicators of compromise or infection markers. For example, detecting malicious UEFI executables or new UEFI variables introduced by an implant.
- Integrity confirmation of firmware images against known-good databases ("whitelisting"), with support for creating and managing a custom organization-specific database. This helps detect attacks that modify or install new firmware executables.
- Continuous monitoring of firmware integrity and configuration, with alerts and tracking for any changes. For instance, firmware may be tampered with when employees travel with laptops.
- Continuous monitoring of supported devices attached to monitored systems, detecting threats such as rogue devices (hardware implants) that may bypass software security controls.
- Cross-correlation and discrepancy detection of firmware data collected through independent methods, both on a single system and across multiple systems.
- Heuristic model creation and analysis of system behavior, with alerts for anomalies. For example, detecting firmware implants that use hardware mechanisms to avoid detection.
- Monitoring of Scanner operational health and integrity to ensure consistent functionality.
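The list above describes the analyses at a high level. As an added illustration of how several of them fit together (known-bad indicator matching, known-good allowlisting, change tracking of firmware regions and UEFI variables, and discrepancy detection between independent reads), here is a small Python example. It is not Eclypsium's code and makes no claim about how the product implements these checks; the firmware regions, hashes, variable names, hostnames and the "indicator" hash are all constructed for the demo.

```python
"""Firmware integrity baselining and change detection (added example, not product code).
All firmware images, hashes, UEFI variables and indicators below are constructed."""
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class FirmwareSnapshot:
    """What a scanner might report for one host: firmware regions as raw bytes
    and the UEFI variables present (name -> value)."""
    host: str
    regions: dict   # region name -> bytes (e.g. "bios", "me", "nic_oprom")
    uefi_vars: dict # variable name -> bytes

    def region_hashes(self) -> dict:
        return {name: sha256_hex(blob) for name, blob in self.regions.items()}


def check_allowlist(snapshot: FirmwareSnapshot, allowlist: dict) -> list:
    """Regions whose hash is not in the known-good set for that region."""
    return sorted(name for name, h in snapshot.region_hashes().items()
                  if h not in allowlist.get(name, set()))


def match_iocs(snapshot: FirmwareSnapshot, ioc_hashes: set) -> list:
    """Regions whose hash matches a known-bad indicator."""
    return sorted(name for name, h in snapshot.region_hashes().items() if h in ioc_hashes)


def diff_variables(baseline_vars: dict, current_vars: dict) -> dict:
    """New, removed and modified UEFI variables relative to the baseline; a new
    variable appearing between scans is one of the markers described above."""
    base, cur = set(baseline_vars), set(current_vars)
    return {
        "new": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(n for n in base & cur if baseline_vars[n] != current_vars[n]),
    }


def changed_regions(baseline: FirmwareSnapshot, current: FirmwareSnapshot) -> list:
    """Regions whose hash differs between two snapshots of the same host."""
    b, c = baseline.region_hashes(), current.region_hashes()
    return sorted(n for n in c if b.get(n) != c[n])


def cross_check(reading_a: bytes, reading_b: bytes) -> bool:
    """Two independent reads of the same region should agree; True means a
    discrepancy worth alerting on."""
    return sha256_hex(reading_a) != sha256_hex(reading_b)


# --- constructed sample data -------------------------------------------------
BIOS_GOOD = b"UEFI-IMAGE-v1.0-" * 16        # stand-in for a known-good BIOS region
BIOS_TAMPERED = BIOS_GOOD + b"extra-driver" # same image with an appended module
ME_GOOD = b"ME-FW-12.0"
NIC_OPROM_GOOD = b"NIC-OPROM-v2"
IMPLANT_SAMPLE = b"constructed-implant-sample"  # stands in for a known-bad image

ALLOWLIST = {"bios": {sha256_hex(BIOS_GOOD)}, "me": {sha256_hex(ME_GOOD)},
             "nic_oprom": {sha256_hex(NIC_OPROM_GOOD)}}
IOC_HASHES = {sha256_hex(IMPLANT_SAMPLE)}    # constructed indicator, not a real IoC

BASELINE = FirmwareSnapshot("srv-01",
    {"bios": BIOS_GOOD, "me": ME_GOOD, "nic_oprom": NIC_OPROM_GOOD},
    {"BootOrder": b"\x00\x01", "SecureBoot": b"\x01"})
CURRENT = FirmwareSnapshot("srv-01",
    {"bios": BIOS_TAMPERED, "me": ME_GOOD, "nic_oprom": IMPLANT_SAMPLE},
    {"BootOrder": b"\x00\x01", "SecureBoot": b"\x00", "ImplantCfg": b"\xde\xad"})


def run_demo() -> dict:
    """Run every check on the constructed snapshots and return the findings."""
    return {
        "allowlist_failures": check_allowlist(CURRENT, ALLOWLIST),
        "ioc_hits": match_iocs(CURRENT, IOC_HASHES),
        "changed_regions": changed_regions(BASELINE, CURRENT),
        "variables": diff_variables(BASELINE.uefi_vars, CURRENT.uefi_vars),
        # e.g. one read via the OS-exposed interface, one via a second path
        "bios_read_discrepancy": cross_check(BIOS_GOOD, BIOS_TAMPERED),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The allowlist and indicator checks are deliberately separate: a region that fails the allowlist but matches no indicator is "unknown, needs review", while an indicator hit is "known bad". Real deployments would key the allowlist on vendor, model and firmware version rather than a single region name, and would store hashes of parsed UEFI volumes and executables rather than of the raw region, so that a benign vendor update does not look identical to a tampering event.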