
In the “Security Court,” Double Jeopardy is Dead

In the criminal courts double jeopardy prohibits anyone from being tried twice for the same crime. Innocent or guilty, the verdict stands. Prosecutors are forced to gather as much evidence as they can and determine if they have a case for conviction. They only get one chance.

Until recently, that’s how “security courts” worked as well. Relying on a conviction paradigm with a single point in time to get the verdict right, such as blocking and prevention technologies and policy-based controls, security professionals had one shot to pass judgment on files: either identify them as safe and allow them through, or determine they are guilty and block them. During a time when threats were less sophisticated and less stealthy, these defenses were mostly adequate. But attacks have evolved, and relying exclusively on point-in-time defenses is no longer sufficient.

Modern attackers have honed their strategies, frequently using tools that have been developed specifically to circumvent the target’s chosen security infrastructure. They go to great lengths to remain undetected, using technologies and methods that result in nearly imperceptible indicators of compromise. Once advanced malware, zero-day attacks, and advanced persistent threats (APTs) enter a network, most security professionals have no way to continue to monitor these files and take action when the files later exhibit malicious behavior.

In order to be effective, our security courts must evolve so that security professionals can continue to gather evidence and retry files after the initial acquittal. This requires a security model that combines a big data architecture with a continuous approach to provide protection and visibility along the full attack continuum – from point of entry, through propagation, and post-infection remediation.

One of the innovations this model enables is called retrospection and it provides the ability to continuously monitor files, communication, and process activity against the latest intelligence and advanced algorithms over an extended period of time, not just at an initial point in time. It also offers significant advantages over event-driven data collection or scheduled scans for new data, as it captures attacks as they happen. In effect, unknown, suspicious, and previously deemed ‘innocent’ files can be tried again. Here’s how it works:

● After initial detection analysis, file retrospection continues to interrogate files over an extended period of time with the latest detection capabilities and collective threat intelligence, allowing an updated disposition to be rendered and further analysis to be conducted well beyond the point in time at which a file was first seen.

● Communication retrospection continuously captures communication to and from an endpoint, along with the application and process that initiated or received the communication, for added contextual data.

● Similar to file retrospection, process retrospection continuously captures and analyzes system process input and output over an extended period of time.

File, communication, and process data is continuously woven together to create a lineage of activity to gain unprecedented insights into an attack as it happens. With this information security professionals can quickly pivot from detection to a full understanding of the scope of the outbreak and take action to head off wider compromises. Protections can be automatically updated so that security professionals can make the right verdict up front to prevent similar, future attacks.
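As an added illustration (not code from the column or from any vendor product) of how the three retrospection streams above can be woven into a lineage: the engine below stores file, process and communication events with their original timestamps, keeps each file's verdict history, and, when updated intelligence flips a once-acquitted hash to malicious, returns every host, process and network peer tied to that hash. All hashes, hosts and addresses are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample telemetry (not real indicators): each event is stored with the
# time it was first observed so a later verdict can be applied to past activity.
FILE_EVENTS = [  # file retrospection: which hash landed where, run as which pid
    {"t": 100, "host": "ws-01", "sha256": "HASH_A", "pid": 412},
    {"t": 130, "host": "ws-02", "sha256": "HASH_A", "pid": 987},
    {"t": 140, "host": "ws-03", "sha256": "HASH_B", "pid": 55},
]
PROCESS_EVENTS = [  # process retrospection: image and parent of each pid
    {"t": 101, "host": "ws-01", "pid": 412, "ppid": 300, "image": "invoice.exe"},
    {"t": 131, "host": "ws-02", "pid": 987, "ppid": 310, "image": "invoice.exe"},
    {"t": 141, "host": "ws-03", "pid": 55, "ppid": 4, "image": "svchost.exe"},
]
COMM_EVENTS = [  # communication retrospection: which process talked to which peer
    {"t": 105, "host": "ws-01", "pid": 412, "dst": "198.51.100.20:443"},
    {"t": 135, "host": "ws-02", "pid": 987, "dst": "198.51.100.20:443"},
    {"t": 150, "host": "ws-03", "pid": 55, "dst": "192.0.2.9:53"},
]

class Retrospection:
    """Keeps the point-in-time verdict and re-tries a file whenever intel changes."""

    def __init__(self):
        self.verdicts = {}                 # sha256 -> (disposition, time rendered)
        self.history = defaultdict(list)   # sha256 -> [(time, disposition), ...]

    def point_in_time(self, sha256, disposition, t):
        self.verdicts[sha256] = (disposition, t)
        self.history[sha256].append((t, disposition))

    def retry(self, sha256, new_disposition, t):
        """Apply updated intel; return the lineage when a file once let through turns bad."""
        old, _ = self.verdicts.get(sha256, ("unknown", None))
        self.point_in_time(sha256, new_disposition, t)
        if new_disposition == "malicious" and old != "malicious":
            return self.lineage(sha256)
        return None

    @staticmethod
    def lineage(sha256):
        """Weave file, process and communication events for one hash into a per-host trail."""
        trail = {}
        for f in (e for e in FILE_EVENTS if e["sha256"] == sha256):
            key = (f["host"], f["pid"])
            procs = [p for p in PROCESS_EVENTS if (p["host"], p["pid"]) == key]
            peers = sorted(c["dst"] for c in COMM_EVENTS if (c["host"], c["pid"]) == key)
            trail[f["host"]] = {"first_seen": f["t"], "peers": peers,
                                "process": procs[0]["image"] if procs else None}
        return trail
```

The returned trail is what lets an analyst pivot from the new verdict straight to scope: every host the file reached, the process that ran it, and the peers it contacted, all from data captured before the verdict changed.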

Double jeopardy has a long history in the criminal courts. But it has no place in the security courts. Technologies have advanced to the point where security professionals can have more than one opportunity to detect and stop attacks. Retrospection is one of the latest techniques security professionals can use to deliver the right verdict and the right sentence, at the right time, any time.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.