Reflections on retrospective security

With new and dangerous malware infecting our computers every day, there's now a potent argument for cyber security measures that use data and insight gleaned from past infections to help prevent new ones.

Virtually every vehicle these days comes equipped with a rear-view mirror and side view mirrors, and with good reason. Imagine the safety issues with no visibility. How would you know if there’s a pedestrian walking by as you pull out of a parking space? Or a police, fire or rescue vehicle coming up from behind, responding to a call? Or another driver trying to pass you? Talk about a blind spot!

It wasn’t always this way though. For the first 30 years, gas-powered automobiles operated without mirrors. They weren’t even a consideration. With no congestion and slow speeds, drivers could focus on the road ahead, avoid obvious hazards and remain fairly safe. But as the automobile became more popular and more powerful, new dangers emerged and lack of visibility became a challenge. Rear-view and side view mirrors were developed and quickly became ‘must haves.’

We’re at a similar inflection point in the IT security industry. When the first PC viruses appeared nearly 25 years ago, defenders could protect against them by detecting and blocking files as they attempted to enter the network. But now threats have evolved and are more cunning than any we’ve experienced before – able to disguise themselves as safe, pass through defences unnoticed, remain undetected and later exhibit malicious behavior. Focusing only on what’s ahead (i.e., scanning files once at an initial point in time to determine if they are malicious) is no longer sufficient. Once files enter a network, most security professionals have no way to look back. Without ‘mirrors’ they can’t continue to monitor files and take action should the files later prove to be malicious.

So how can you gain visibility and control after an unknown or suspicious file has permeated the network? Retrospective security serves as those ‘mirrors,’ enabling a new level of security effectiveness that combines retrospective detection and remediation with up-to-the-minute protection. IT security staff can continue to track, analyse and be alerted to files previously classified as safe but subsequently identified as malware and then take action to quarantine those files, remediate and create protections to prevent the risk of reinfection.

Key technologies have advanced to enable retrospective security. The first is big data analytics. Emerging with the explosive growth of data, storage and processing power, big data is a term used to characterise massively large data sets running to terabytes or petabytes. Retrospective security accesses big data and turns that data into information for automated actions, as well as actionable intelligence that IT security teams can use to make more informed, timely security decisions after an attack.

Cloud computing is another powerful new tool to enable retrospective security. Leveraging the virtually unlimited, cost-effective storage and processing power of the cloud, retrospective security applies big data to continuously track and store file information across a widespread community and analyse how these files are behaving against the latest threat intelligence stored in the cloud.

Armed with this knowledge IT security staff can rapidly identify a file that begins to act maliciously and move quickly to understand the scope of the damage, contain the threat, remediate it and bring operations back to normal. They can also move forward with more effective security by automatically updating protections and implementing integrated rules on the perimeter security gateway, within security appliances protecting internal networks and on endpoints to detect and block the same attack.
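The retrospective loop described above (record a file when it enters, re-evaluate those records when new intelligence arrives, then scope, contain and protect) in miniature, as an added example that is not code from the article or from Sourcefire. Hashes, hosts, timestamps and the threat-intelligence update are all constructed placeholders.

```python
from collections import defaultdict

# Constructed sample: one record per file observation, logged when the file first
# crossed the perimeter, with the verdict the point-in-time scan gave it at that moment.
OBSERVATIONS = [
    {"sha256": "sha256-placeholder-A", "host": "ws-101", "seen": "2013-05-01T09:12:00", "verdict": "clean"},
    {"sha256": "sha256-placeholder-A", "host": "ws-207", "seen": "2013-05-01T11:40:00", "verdict": "clean"},
    {"sha256": "sha256-placeholder-B", "host": "ws-101", "seen": "2013-05-02T08:00:00", "verdict": "clean"},
    {"sha256": "sha256-placeholder-C", "host": "srv-db1", "seen": "2013-05-02T23:05:00", "verdict": "malicious"},
]

# Constructed threat-intelligence update that arrives after the files are already inside.
INTEL_UPDATE = {
    "sha256-placeholder-A": {"disposition": "malicious", "name": "Trojan.Downloader.Example"},
    "sha256-placeholder-B": {"disposition": "clean", "name": None},
}


def retrospective_alerts(observations, intel):
    """Re-evaluate past observations against new intelligence.

    Returns only records whose verdict flips from 'clean' to 'malicious': the files
    that passed the initial scan and would stay invisible without a look back.
    Files already flagged at entry are not alerts; they were handled at the time.
    """
    alerts = []
    for obs in observations:
        new = intel.get(obs["sha256"])
        if obs["verdict"] == "clean" and new and new["disposition"] == "malicious":
            alerts.append({**obs, "threat": new["name"]})
    return alerts


def remediation_plan(alerts):
    """Turn alerts into per-hash actions: scope (first exposure), contain, protect."""
    by_hash = defaultdict(list)
    for alert in alerts:
        by_hash[alert["sha256"]].append(alert)
    plan = {}
    for sha, hits in by_hash.items():
        hits.sort(key=lambda h: h["seen"])
        plan[sha] = {
            "threat": hits[0]["threat"],
            "first_seen": hits[0]["seen"],                     # scope: when exposure began
            "quarantine": sorted({h["host"] for h in hits}),  # contain: every host that saw it
            "block_rule": f"deny sha256={sha}",               # protect: push to gateway/appliance/endpoint
        }
    return plan


if __name__ == "__main__":
    for sha, actions in remediation_plan(retrospective_alerts(OBSERVATIONS, INTEL_UPDATE)).items():
        print(sha, actions)
```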

New threats and new technologies are coming together to bring a new perspective to security. Just as rear-view and side view mirrors were added to automobiles when the time was right, the time is right now for IT security to include retrospective security.

Chris Wood is the regional director for Sourcefire's Australia & New Zealand division.
