By Leon Ward, Director of Product Management, Sourcefire
There’s something about being able time travel that’s captured the imagination of writers and composers for decades. If it’s not Kylie Minogue wanting to step back in time or Cher crooning about wanting to turn back time, it’s Matt Smith hurtling around the galaxy in a blue police box. From a security professional perspective, being able to go back to an earlier point in time, observe what happened and then learn from those events to improve the present and future is a powerful notion. The old adage ‘learn from your mistakes’ certainly rings true for IT security.
The problem is that traditional detection-only defences are stuck firmly in the present. They conduct inspection at a single, initial point in time and they have no memory. They allow anything they don’t recognize immediately as a threat through and forget that the file ever existed.
Capitalising on this limitation, advanced malware writers continuously innovate, use a variety of techniques to obscure malware and make it much harder to initially detect. And once a threat does enter a network, most IT security professionals have no way to go back in time, see what happened, when it happened, identify the root cause and determine the extent of the damage and remediate.
To detect, understand and stop these increasingly evasive threats you need new tools and techniques that enable you to always watch, never forget and then take action should a file be determined to be malicious at a later time. In effect, you need to be able to turn back time.
The good news is that technology advances have made this possible – specifically big data and retrospective security capabilities. Big data adds ‘memory’ to security. The widespread availability of affordable storage capacity and processing power along with sophisticated data mining techniques mean we no longer have to discard files that aren’t recognised as threats upon initial inspection. We can collect this data and continuously monitor and analyse files that have moved across the wire into the network or from endpoint to endpoint and identify subsequent malicious behaviour whenever it may begin.
Retrospective security uses this continuous capability to let you travel back in time identifying which devices have been exposed to malware, regardless of when the file is identified as malware. This requires not just tracking every file but also the full lineage of every action that happens on every protected device and mapping how the files travel through the organisation and what the files do on the system. By being able to determine the scope of an outbreak and root cause(s), you can quickly switch to response mode during an attack and effectively determine and implement the necessary controls and remediation steps. Delving into the rich history that big data provides you can also identify the point of entry and prevent reinfection, automatically.
Travelling back in time isn’t something to relinquish to science fiction. Just as advancements in other fields – cloning, space travel and bionics – have made seemingly far-fetched ideas reality, big data analytics is making time travel a reality in security. Now you can learn instantly from the past and come back to create a more secure present and future.