Comparison: Point-in-time vs. Retrospective Security


Feb 24

Cybersecurity defense continues to advance, but the reality is that hackers are still a step ahead.

A good example is antivirus protection. According to Cisco experts, antivirus systems have created protection for more than 20 million known viruses, but hackers are estimated to have created more than 100 million, and that number grows each year.

The cyber landscape constantly changes, and protections need to change along with it. For a long time, professionals relied on point-in-time security, but that method is no longer adequate. That is why Cisco has become an innovator in retrospective security, a newer approach that is better suited to today's threat environment.

So what’s the difference between the two? Let’s find out.

The Challenge

Before looking at solutions, businesses first need to understand what they are up against. Hackers and other malicious actors are incredibly advanced in their approach, developing new methods to break into networks and systems by preying on the weak points in security infrastructure.

Their prize comes in mostly two forms: personal information and intellectual property. Both hold real-world monetary value that can be bought and sold on the black market. With relaxed international cyber laws and the difficulty of proving such cases in court, cybercrime is a lucrative, almost risk-free enterprise.

In some cases, it’s not even that difficult. Nefarious organizations will sell methods of attack for others to use. They will provide instructions on how to use them and, in some cases, even 24-hour support. It’s hard to believe, but transactions like this happen every day.

The cost to an organization can be huge. A large cyber breach can cost an organization an estimated $4.5 million between the money spent to remedy the security failure and the lost business and customer trust. That number grows, too, increasing an estimated $900,000 each year.


For a long time, cybersecurity providers turned to point-in-time security. In this method, security measures serve as gatekeepers to a network. If a piece of code passes certain tests, it’s granted access.

Some of the key technologies used in point-in-time security include:

Signatures: Each piece of code carries identifiers that indicate who created it and where it was created. While this helps provide information about legitimate software, it is something hackers can easily manipulate for their own ends.

Sandboxing: In this method, a piece of code is run in a sectioned-off computing environment similar to the system it wants to join. Cyber professionals watch how the code behaves in this environment before allowing it into the real enterprise. This is a valuable tool, but once again, hackers have learned tricks to get around it, primarily by creating malware that does not act immediately but instead has built-in delays that activate only after it has passed the initial tests.

Fuzzy fingerprinting: This method looks at families of malware. When a certain piece of code does not check the usual danger boxes but shares traits with other known viruses, it can be identified as malicious based on similar threats that exist.

Machine learning: One of the more advanced point-in-time methods, machine learning is just what it sounds like: a system watches a certain piece of code, and if it starts acting contrary to expectations, it is determined to be bad.

Point-in-time protection has its benefits, but as its name suggests, it only evaluates code at a single moment. As hackers create threats that can change and alter their state after that moment, businesses need more comprehensive security solutions. That is where retrospective security comes in.

Looking at Retrospective Security

Cisco’s Advanced Malware Protection (AMP) created the term “retrospective security” as a protection system that covers the entire attack continuum, which begins before an attack happens and includes continuous analysis and advanced analytics during and after the event.

Retrospective security lets administrators look at their systems as if they had a time machine. They can view any point in the past with tools such as retrospection, attack chain correlation, behavioral indications of compromise (IOCs), trajectory and breach hunting. Plus, they can see how their security environments have changed, rather than just viewing network aspects at a single point.

This increased visibility allows administrators to thoroughly analyze what happened during a breach. They can see how the system was entered, what was done and what they need to do to fix it in the future. This is incredibly valuable because the majority of money spent in cybersecurity comes after a breach. Instead of hiring expensive consultants to come in and do the work, administrators can easily handle it themselves with information provided by Cisco AMP.

Retrospective security solves the problem of malicious files that get through point-in-time security through continuous analysis. Cisco’s AMP, for instance, delivers dashboards and reports that quickly show the location and scope of the breach and the timeline and root cause of the infection.
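To make the contrast concrete, here is an added illustration (not Cisco AMP code) of the two models over constructed file-sighting telemetry: a point-in-time gate can only block a file whose verdict is already bad when it arrives, while a retrospective engine keeps the sighting history and, when a verdict later changes, surfaces every host that saw the file, how long it dwelt there, and the first sighting (the root cause). All hashes, hosts and timestamps are constructed sample values.

```python
from typing import Dict, List, Optional, Tuple

# Constructed telemetry: (time, host, file_hash) "file seen" events. A retrospective
# system records these regardless of the verdict at the time of sighting.
SEEN_EVENTS: List[Tuple[int, str, str]] = [
    (1, "ws-01", "hash-A"),
    (2, "ws-02", "hash-A"),
    (3, "ws-02", "hash-B"),
    (5, "srv-01", "hash-A"),
    (8, "ws-03", "hash-C"),
]

# Constructed verdict timeline: the time at which each hash was classified malicious.
VERDICT_CHANGES: Dict[str, int] = {"hash-A": 6, "hash-C": 4}


def point_in_time_blocked(events, verdicts) -> List[Tuple[int, str, str]]:
    """Gatekeeper model: a sighting is blocked only if the file was already
    known bad at the moment it was seen. Anything flagged later slips through."""
    return [(t, h, f) for t, h, f in events if verdicts.get(f, float("inf")) <= t]


def retrospective_alerts(events, verdicts) -> List[dict]:
    """Continuous analysis: for every verdict change, surface each sighting that
    happened before the file was known bad, with its dwell time on that host."""
    alerts = []
    for t, host, f in events:
        flagged_at = verdicts.get(f)
        if flagged_at is not None and t < flagged_at:
            alerts.append({"host": host, "hash": f, "seen_at": t,
                           "flagged_at": flagged_at, "dwell": flagged_at - t})
    return alerts


def trajectory(events, file_hash) -> List[Tuple[int, str]]:
    """File trajectory: ordered (time, host) sightings of one hash across the fleet."""
    return sorted((t, h) for t, h, f in events if f == file_hash)


def root_cause(events, file_hash) -> Optional[Tuple[int, str]]:
    """Earliest sighting of the hash, i.e. the host where the infection started."""
    path = trajectory(events, file_hash)
    return path[0] if path else None


if __name__ == "__main__":
    print("point-in-time blocked:", point_in_time_blocked(SEEN_EVENTS, VERDICT_CHANGES))
    for a in retrospective_alerts(SEEN_EVENTS, VERDICT_CHANGES):
        print("retrospective alert:", a)
    print("hash-A root cause:", root_cause(SEEN_EVENTS, "hash-A"))
```

Run as a script to see that the point-in-time gate catches only hash-C (already flagged before it was seen), while the retrospective pass produces alerts for all three hosts that saw hash-A before its verdict changed.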

The Changing Ideals of Security

The old idea behind cybersecurity focused on perimeter protection. The thinking was that if you could simply keep a virus out of your network, then there would not be any problems.

This, though, proved to be impossible because of the sheer volume of attacks. For example, the Department of Defense (DOD) is one of the most attacked organizations in the world. In a 2015 memo titled "Department of Defense Cybersecurity Culture and Compliance Initiative (DC3I)," security leaders said the DOD was subject to 30 million malware intrusions during a 10-month period, which translates to 3 million attacks per month and 10,000 per day.

According to department officials, 0.01 percent of those 3 million attacks were successful. While that percentage is incredibly low, it still means there were 30,000 successful attacks against DOD networks in just 10 months, even though the DOD spends hundreds of millions of dollars each year and hires some of the smartest people in the world to protect its networks. The lesson is that no matter how good you are, hackers will find a way in.

That is why the security paradigm has changed. Organizations need to assume that their networks will be breached, if they have not been already. The key is being able to contain malicious actors once they are inside. That includes limiting privileged credentials, minimizing data transfer and watching for escalating attacks.

The most important thing for businesses to remember is that security is a never-ending battle. Security experts will say we are in the middle of an arms race with the hacking community. Hackers keep developing new techniques to intrude into systems, and those being attacked must come up with new defenses in return. Sadly, this battle shows no signs of slowing, and the severity of threats continues to grow. Retrospective security currently provides organizations with the best form of protection for these ever-changing environments.
