By Maxwell Block • July 13, 2018

The Retrospective Security Time Machine

Retrospective security is a term used by Cisco in its Advanced Malware Protection (AMP) service. It refers to the ability to track the progress of any file that enters a network and, in the event of a cyberattack, rewind time to see how, when, and where that file became malicious.

Retrospective security is often compared to point-in-time security, which can only examine the state of a network at, you guessed it, a given point in time. Point-in-time security is not a bad security solution, as it utilizes features like sandboxing and artificial intelligence to expose hidden malware. However, it's not the most comprehensive solution because retrospective security also uses those features in addition to others like attack chain correlation and behavioral indicators of compromise (BIOCs).

To demonstrate how much point-in-time and retrospective security differ, we present a cyberattack scenario for a hypothetical company. We then describe what you could do to remediate the situation if your company had point-in-time security, and then what you could do if it had retrospective security.

The Attack

Your company migrated its server to the cloud a month ago. After years of suffering through slow loading speeds and intermittent disconnects, you've finally virtualized.

After messing around in Office 365 to get a feel for the provider, you get an email from what appears to be your company's IT department asking you to download a desktop version of the Office Suite. Not knowing much about email security, you decide to download the file since it got past the email filter.

Bad move.

Unbeknownst to you, that version of the Microsoft Office suite actually contained some fileless malware that immediately began infecting your computer, but here's where the type of endpoint security you have becomes critical:


Because this faux Microsoft Office bundle passed the initial content filter as safe, it was never taken into the sandbox to run in a quarantined environment. Instead, the file was released into your network without any knowledge of its malicious intent. Also, since point-in-time security does not continuously analyze that file, it isn't tracked when it begins spreading itself to other computers in your network.

Right under your nose, malware has infected your network and you won't even find out that this happened until it's too late. After the industry average of 100 days post-attack, you'll need to hire an incident response consultant to study the attack pattern of the virus. You have no information about the source of the attack or the scope of the damage, and can only pray that no sensitive data from your company was released to the public internet.



With a retrospective security solution, continuous analysis will ensure that the "Microsoft Office bundle" is constantly monitored after entering the network despite being classified as safe. BIOCs will notice as soon as the file begins spreading to other devices in your network and your security solution can locate all instances of the file on your network and make them inaccessible. The file can then be quarantined for a sandbox experiment to study the behavior of the malware.

Using retrospective security, IT administrators from your company are able to view the attack timeline of the virus and patch any network vulnerabilities that allowed the malware in. Finally, your IT department can roll the server back to right before the file was downloaded to prevent it from ever reaching your network. And this is all done without having to hire any sort of outside service.
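
As an added illustration (not from the original post and not Cisco AMP code), the sketch below shows the continuous-analysis idea described above: sightings of a file keep being recorded after it was allowed in, so a later spread indicator yields the first infected host, the entry vector and every host holding a copy. The event format, host names, hash placeholders and the three-host threshold are assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed telemetry: (time, host, file hash placeholder, vector, source host).
# Every file here was judged "clean" at entry, so a point-in-time check stops there.
EVENTS = [
    ("2018-06-01T09:02:00", "ws-014", "HASH_OFFICE_BUNDLE", "email_attachment", None),
    ("2018-06-01T09:05:00", "ws-014", "HASH_README", "download", None),
    ("2018-06-01T11:40:00", "ws-022", "HASH_OFFICE_BUNDLE", "smb_copy", "ws-014"),
    ("2018-06-02T08:15:00", "srv-fs01", "HASH_OFFICE_BUNDLE", "smb_copy", "ws-022"),
]

def build_trajectories(events):
    """Continuous analysis: keep every sighting of every file, in time order."""
    traj = defaultdict(list)
    for ts, host, file_hash, vector, source in sorted(events, key=lambda e: e[0]):
        traj[file_hash].append({"time": ts, "host": host, "vector": vector, "source": source})
    return traj

def spreading_files(traj, min_hosts=3):
    """Behavioral indicator (assumed rule): file copied host-to-host onto min_hosts+ endpoints."""
    flagged = []
    for file_hash, sightings in traj.items():
        hosts = {s["host"] for s in sightings}
        copied = any(s["source"] for s in sightings)
        if copied and len(hosts) >= min_hosts:
            flagged.append(file_hash)
    return flagged

def retrospective_report(traj, file_hash):
    """Rewind the trajectory of a file that was convicted after it was let in."""
    sightings = traj[file_hash]
    first = sightings[0]
    return {
        "patient_zero": first["host"],
        "entry_vector": first["vector"],
        "first_seen": first["time"],
        # Ordered, de-duplicated list of every endpoint that holds a copy.
        "hosts_to_quarantine": list(dict.fromkeys(s["host"] for s in sightings)),
        "spread_path": [(s["source"], s["host"]) for s in sightings if s["source"]],
    }

if __name__ == "__main__":
    trajectories = build_trajectories(EVENTS)
    for convicted in spreading_files(trajectories):
        print(convicted, retrospective_report(trajectories, convicted))
```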



The Result

It's pretty clear to see how much easier it is to deal with a cybersecurity attack when you've got retrospective security. Not only is it less expensive, but it saves time and stress for your IT department so that they can work on the business that really matters to your company. Using a solution that encompasses retrospective security is a core component of your cybersecurity strategy. 

If your IT department already has a lot on its plate and can't spare the time to read a retrospective security report, you're in luck. Tekscape provides the option of managed services as part of Arma, an end-to-end retrospective security solution designed to protect your business beyond the network perimeters. Integrating components of Cisco's leading portfolio, Arma is a scalable solution that protects your organization throughout the entire attack continuum.
