Security Experts:

Connect with us

Hi, what are you looking for?


Incident Response

In the “Security Court,” Double Jeopardy is Dead

In the criminal courts double jeopardy prohibits anyone from being tried twice for the same crime. Innocent or guilty, the verdict stands. Prosecutors are forced to gather as much evidence as they can and determine if they have a case for conviction. They only get one chance.

In the criminal courts double jeopardy prohibits anyone from being tried twice for the same crime. Innocent or guilty, the verdict stands. Prosecutors are forced to gather as much evidence as they can and determine if they have a case for conviction. They only get one chance.

Until recently, that’s how “security courts” worked as well. Relying on a conviction paradigm that provided a single point in time to get a conviction right, like blocking and prevention technologies and policy-based controls, security professionals had one shot to pass judgment on files and either identify them as safe and allow them through or determine they are guilty and block them. During a time when threats were less sophisticated and less stealthy these defenses were mostly adequate. But attacks have evolved and relying exclusively on point-in-time defenses is no longer sufficient.

Modern attackers have honed their strategies, frequently using tools that have been developed specifically to circumvent the target’s chosen security infrastructure. They go to great lengths to remain undetected, using technologies and methods that result in nearly imperceptible indicators of compromise. Once advanced malware, zero-day attacks, and advanced persistent threats (APTs) enter a network, most security professionals have no way to continue to monitor these files and take action when the files later exhibit malicious behavior.

In order to be effective, our security courts must evolve so that security professionals can continue to gather evidence and retry files after the initial acquittal. This requires a security model that combines a big data architecture with a continuous approach to provide protection and visibility along the full attack continuum – from point of entry, through propagation, and post-infection remediation.

One of the innovations this model enables is called retrospection and it provides the ability to continuously monitor files, communication, and process activity against the latest intelligence and advanced algorithms over an extended period of time, not just at an initial point in time. It also offers significant advantages over event-driven data collection or scheduled scans for new data, as it captures attacks as they happen. In effect, unknown, suspicious, and previously deemed ‘innocent’ files can be tried again. Here’s how it works:

● After initial detection analysis, file retrospection continues to interrogate files over an extended period of time with the latest detection capabilities and collective threat intelligence, allowing for an updated disposition to be rendered and further analysis to be conducted well beyond the initial point-in-time it was first seen.

Communication retrospection continuously captures communication to and from an endpoint and the associated application and process that initiated or received the communication for added contextual data.

● Similar to file retrospection, process retrospection continuously captures and analyzes system process input-output over an extended period of time.

File, communication, and process data is continuously woven together to create a lineage of activity to gain unprecedented insights into an attack as it happens. With this information security professionals can quickly pivot from detection to a full understanding of the scope of the outbreak and take action to head off wider compromises. Protections can be automatically updated so that security professionals can make the right verdict up front to prevent similar, future attacks.

Double jeopardy has a long history in the criminal courts. But it has no place in the security courts. Technologies have advanced to the point where security professionals can have more than one opportunity to detect and stop attacks. Retrospection is one of the latest techniques security professionals can use to deliver the right verdict and the right sentence, at the right time, any time.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Valtix.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Management & Strategy

Microsoft making a multiyear, multibillion dollar investment in the artificial intelligence startup OpenAI, maker of ChatGPT and other tools.