Indicator Removal on Host

Veramine edited this page Apr 23, 2017 · 2 revisions

Adversaries may delete or alter generated event files on a host system, including potentially captured files such as quarantined malware. This may compromise the integrity of the security solution, causing events to go unreported, or make forensic analysis and incident response more difficult due to lack of sufficient data to determine what occurred. You can read more about this attacker technique at https://attack.mitre.org/wiki/Technique/T1070.

One key difference between the Veramine platform and other similar large-scale collection systems (such as GRR, osquery, Tanium, etc.) is our eagerness to send event data off the host from which it is collected as quickly as possible. We operate under the assumption that the host is compromised and that our server is the only safe place to store and operate on the data. Some detection systems, such as those listed above, instead store event data client-side so that the host can answer any kind of query from the server should the need arise. In those systems, the information useful for forensic analysis and incident response is available to be queried, but it is queried from the very host being investigated, where an adversary with sufficient privileges can delete or alter it. In our model, the data is always available to be queried (regardless of whether the host is currently offline), and the query runs against our database rather than the compromised host.