U.S. criminal law prohibits trying a defendant a second time on the same or similar charges of which they were previously acquitted or convicted. In a way, the same concept used to apply in the security world. Security professionals used to have just one opportunity to "try" a file and determine its "guilt" or "innocence." If the file was determined to be guilty, or malicious, they blocked its access to the company's environment. An innocent or harmless file, on the other hand, received safe passage.
While this point-in-time approach once worked well, modern attackers have evolved their tactics. They learned that they need to "appear in court" only once: if a file convinces the company of its innocence at that single hearing, it is never tried again.
Now, in an effort to pass undetected through an organization's point-in-time defenses, attackers use tools and tactics designed to ensure that a malicious file appears harmless at the moment it is inspected.
Once a file enters the network, security professionals often lack the tools to monitor the file's behavior. In essence, using the point-in-time model, the security professional cannot retry the file for guilt or innocence.
Sophisticated Attackers Know How Your Technology Works
To mount its attack, a file must morph from seemingly harmless to malicious when no one is watching. Unfortunately, once a file receives permission to enter the network, often no one is watching, which is exactly what the attacker wants.
Worse, once the organization is compromised, security professionals are playing "catch-up" against an attacker who already has a considerable head start. In reality, by the time an organization determines that a malicious file entered the network, the attackers are either long gone or able to remain hidden despite the security department's best efforts to unmask them and eradicate them from the network.
Since attackers know how to mask the character of a file so that it appears innocent, companies must reserve the right, or more specifically possess the tools, to rescreen files that passed the initial screening. Double jeopardy need not apply.
There is a Better Way: Retrospection
Securing the organization requires more than a one-time look at files as they enter the organization. By continually monitoring files, security professionals can catch files that passed point-of-entry security then changed from innocent to guilty, or safe to malicious.
Retrospection unites big data with continuous monitoring to give companies the ability to observe files beyond the point of entry: through their dissemination within the company's network and on to post-infection remediation. By applying the latest threat intelligence and advanced algorithms, companies can monitor file activity and communication over time for signs of suspicious activity.
Here's how retrospection works:
- Over an extended period, file retrospection continues to analyze files that passed the initial point-of-entry screening.
- Communication retrospection monitors communication to and from endpoints and the associated application.
- Process retrospection analyzes system input and output over time.
No longer do organizations need to rely on a file presenting telltale signs of guilt at initial screening - which is exactly when the attacker knows the file needs to be on its best behavior. File, communication, and process retrospection intertwine their data to improve and maintain visibility of files entering and circulating within the network.
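To make the "retrial" concrete, here is an added example (not code from the original post and not Cisco AMP's own code) of a minimal retrospective scanner. It records every point-in-time verdict in a trajectory ledger keyed by indicator, and when a threat-intelligence update arrives later it re-judges the earlier "clean" sightings and returns the hosts that now need attention. It generalizes the file and communication cases from the list above by keying file sightings on the content hash and connection sightings on the destination domain. The class and function names are hypothetical, and the hashes, hostnames, paths, timestamps and domain are constructed sample data.

```python
"""Retrospective screening: re-judge already-admitted activity when intel changes.

Added example; not code from the original post or from Cisco AMP. It keeps a
trajectory ledger of every point-in-time decision (file hash seen on a host,
domain contacted by a process) and, when a new indicator arrives later,
retroactively flags every host whose earlier "clean" verdict is now wrong.
All hashes, hostnames, paths, domains and timestamps are constructed sample data.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
import hashlib


@dataclass
class Sighting:
    ts: str        # when the indicator was observed
    host: str      # endpoint that received the file / made the connection
    context: str   # file path or connecting process name
    verdict: str   # verdict given at the time of the observation


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class RetrospectiveScanner:
    def __init__(self, known_bad: set[str]):
        self.known_bad = set(known_bad)
        # indicator -> every time and place it was seen (the "trajectory")
        self.ledger: dict[str, list[Sighting]] = defaultdict(list)

    def observe(self, indicator: str, ts: str, host: str, context: str) -> str:
        """Point-in-time screening: one verdict, based only on intel available now."""
        verdict = "malicious" if indicator in self.known_bad else "clean"
        self.ledger[indicator].append(Sighting(ts, host, context, verdict))
        return verdict

    def screen_file(self, content: bytes, ts: str, host: str, path: str) -> str:
        """File retrospection key: the content hash, not the name (which the attacker controls)."""
        return self.observe(sha256_hex(content), ts, host, path)

    def screen_connection(self, domain: str, ts: str, host: str, process: str) -> str:
        """Communication retrospection key: the destination that was contacted."""
        return self.observe(domain.lower().rstrip("."), ts, host, process)

    def update_intel(self, new_bad: set[str]) -> list[tuple[str, Sighting]]:
        """The retrial: every sighting judged clean under old intel that matches a
        newly known-bad indicator is flipped and returned for scoping and response."""
        newly_bad = set(new_bad) - self.known_bad
        self.known_bad |= newly_bad
        hits: list[tuple[str, Sighting]] = []
        for indicator in newly_bad:
            for s in self.ledger.get(indicator, []):
                if s.verdict == "clean":
                    s.verdict = "malicious (retrospective)"
                    hits.append((indicator, s))
        return hits

    def trajectory(self, indicator: str) -> list[Sighting]:
        """Where did this indicator go, in time order? Feeds scoping of the response."""
        return sorted(self.ledger.get(indicator, []), key=lambda s: s.ts)


# Constructed sample: a dropper that passed initial screening on two hosts, one of
# which then beaconed to a domain that was not yet on any blocklist.
SAMPLE_DROPPER = b"MZ\x90\x00 constructed-sample-dropper v1"
SAMPLE_C2 = "updates-cdn.example"


def run_demo() -> dict:
    # The feed on day 1 contains one unrelated hash; the dropper is not yet known.
    scanner = RetrospectiveScanner(known_bad={"a" * 64})

    # Day 1: point-in-time screening says "clean" because intel has not caught up.
    v1 = scanner.screen_file(SAMPLE_DROPPER, "2015-03-02T09:14Z", "ws-17", r"C:\Users\ana\Downloads\invoice.exe")
    v2 = scanner.screen_file(SAMPLE_DROPPER, "2015-03-02T11:02Z", "ws-23", r"C:\Users\raj\Downloads\invoice.exe")
    v3 = scanner.screen_connection(SAMPLE_C2, "2015-03-02T11:09Z", "ws-23", "invoice.exe")

    # Day 3: the feed now lists the dropper hash and the C2 domain. Re-try the evidence.
    hits = scanner.update_intel({sha256_hex(SAMPLE_DROPPER), SAMPLE_C2})
    return {
        "initial_verdicts": [v1, v2, v3],
        "retro_hosts": sorted({s.host for _, s in hits}),
        "retro_count": len(hits),
        "dropper_trajectory": [s.host for s in scanner.trajectory(sha256_hex(SAMPLE_DROPPER))],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The ledger is the part that matters. Without it, a new indicator only blocks the next copy of the file at the perimeter; it says nothing about the two hosts that already received the dropper on day 1, which is exactly the gap the point-in-time model leaves open.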
Increased Visibility of the Attack Lifecycle
While double jeopardy applies in criminal courts, the concept should not apply in the security world. Organizations no longer have to place all of their trust in the initial screening of a file. Technologies today allow security professionals more than one attempt to detect and prevent attacks.
Retrospection allows companies to revisit files as they evolve within their environment. Instead of focusing their efforts solely on the company's perimeter, security professionals gain, via retrospection, visibility into critical steps across the entire attack lifecycle. In turn, this allows the company to update its point-of-entry security to combat future attacks. In fact, stopping increasingly complex attacks may depend on a company's ability to look just as hard at files already inside its network as at files arriving at its perimeter.
Cisco Advanced Malware Protection (AMP) offers the only advanced malware protection system that covers the entire attack continuum - before, during and after an attack. It provides the continuous analysis and advanced analytics that support Cisco's retrospective security capabilities. Learn more at www.cisco.com/go/amp
Paul McCormack, CFE, is a freelance business writer and consultant. His areas of expertise include accounting, banking, cloud computing, corporate governance, corruption, cybersecurity, executive protection, fraud, intellectual property and money laundering.