In the criminal courts double jeopardy prohibits anyone from being tried twice for the same crime. Innocent or guilty, the verdict stands. Prosecutors are forced to gather as much evidence as they can and determine if they have a case for conviction. They only get one chance.
Until recently, that’s how “security courts” worked as well. Relying on a conviction paradigm that provided a single point in time to get a conviction right, like blocking and prevention technologies and policy-based controls, security professionals had one shot to pass judgment on files and either identify them as safe and allow them through or determine they are guilty and block them. During a time when threats were less sophisticated and less stealthy these defenses were mostly adequate. But attacks have evolved and relying exclusively on point-in-time defenses is no longer sufficient.
Modern attackers have honed their strategies, frequently using tools that have been developed specifically to circumvent the target’s chosen security infrastructure. They go to great lengths to remain undetected, using technologies and methods that result in nearly imperceptible indicators of compromise. Once advanced malware, zero-day attacks, and advanced persistent threats (APTs) enter a network, most security professionals have no way to continue to monitor these files and take action when the files later exhibit malicious behavior.
In order to be effective, our security courts must evolve so that security professionals can continue to gather evidence and retry files after the initial acquittal. This requires a security model that combines a big data architecture with a continuous approach to provide protection and visibility along the full attack continuum – from point of entry, through propagation, and post-infection remediation.
One of the innovations this model enables is called retrospection and it provides the ability to continuously monitor files, communication, and process activity against the latest intelligence and advanced algorithms over an extended period of time, not just at an initial point in time. It also offers significant advantages over event-driven data collection or scheduled scans for new data, as it captures attacks as they happen. In effect, unknown, suspicious, and previously deemed ‘innocent’ files can be tried again. Here’s how it works:
● After initial detection analysis, file retrospection continues to interrogate files over an extended period of time with the latest detection capabilities and collective threat intelligence, allowing for an updated disposition to be rendered and further analysis to be conducted well beyond the initial point-in-time it was first seen.
● Communication retrospection continuously captures communication to and from an endpoint and the associated application and process that initiated or received the communication for added contextual data.
● Similar to file retrospection, process retrospection continuously captures and analyzes system process input-output over an extended period of time.
File, communication, and process data is continuously woven together to create a lineage of activity to gain unprecedented insights into an attack as it happens. With this information security professionals can quickly pivot from detection to a full understanding of the scope of the outbreak and take action to head off wider compromises. Protections can be automatically updated so that security professionals can make the right verdict up front to prevent similar, future attacks.
Double jeopardy has a long history in the criminal courts. But it has no place in the security courts. Technologies have advanced to the point where security professionals can have more than one opportunity to detect and stop attacks. Retrospection is one of the latest techniques security professionals can use to deliver the right verdict and the right sentence, at the right time, any time.