I’ve often talked about “trial and error” hacking tactics and how organizations frequently build “rat maze” defenses in response to them. Each time they learn about a new attacker, they add or update a wall. However, a persistent rat can get through a maze, exploring different paths and gradually learning which ones are successful. Similarly, digital attackers are free to try again and again, with few consequences from a failed attempt. And unlike the human body, your enterprise is under constant attack from digital threats designed, shared, and constantly modified to damage or profit from your digital assets.
Humans are exposed to a wide variety of risks to health and personal security. We can erect barriers against some of these risks, with hand washing, surgical masks, protective clothing, or vaccines. Other risks, such as cuts, burns, or infections, are handled with education, teaching children what is hot or sharp, and with rapid response when necessary. Building barriers that protect us from all risks may be used temporarily or for the very vulnerable, but they are impractical as a permanent solution.
The first step in developing a digital immune system for a line of business is to get blunt, even amoral, answers to three key questions: How would attackers get rich off us? How would they ruin us? What regulations affect us? Armed with this information, you can design the appropriate security system, defend your plans, and put resources in the right place.
If we just use digital barriers for protection, our systems are not learning how to respond to attacks more effectively. Sure, after an attack we analyze log files and quarantined files or packets for clues, but the delay between an attack and adding a new defense leaves the system vulnerable. Meanwhile, the attacker has learned about our defenses and is adapting and probing again. According to a recent Verizon report on data breaches, the time between an attack, its discovery, and containment is growing, not shrinking.
Luckily for most of us, our personal health and safety is not subject to anywhere near the range and frequency of attacks that target our digital assets. But the body’s security system is constantly watching for internal and external threats, using our nerves, organs, and bloodstream. Conscious and subconscious processes choose the appropriate action, whether it is avoidance, prevention, or cure. New situations are added to the rule set, continuously improving our health and safety.
Today, the security central nervous system is a piecemeal integration of security components using proprietary APIs. This organism is very slow and constrains innovation. We need to open ourselves up, so that we can quickly learn from every attack and every time we defend ourselves. We need a data exchange layer that enables our sensors and processes to publish and use information, not just with each other, but with the information that provides context for real-time protection decisions.
For example, out of the whole sea of computers, which one has started communicating with a new service, started a new process, or performed a new download? At this point, we don’t know if this is good or bad. But our digital immune system can move at the speed of the attacker. What is the context of the internal connection point? Have other devices followed a similar pattern? Has the status of the employee recently changed? Then, in context, a decision can be made to kill it, approve it, or investigate further. Our attackers operate in real time; we cannot operate with only a historical view.
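To make the decision loop concrete, here is an added example (not code from the original post) of the data exchange layer sketched above: a sensor publishes an event, an enrichment step attaches the context the questions ask for, a policy returns kill, approve, or investigate, and analyst verdicts are added to the rule set so the next identical situation is decided at once. The context tables, host and user names, indicator strings, and the policy thresholds are all constructed assumptions.

```python
"""Toy decision loop for a 'digital immune system': publish an event, enrich it with
context, decide, and learn verdicts as rules. Added example; all data, names and
policy choices below are constructed assumptions, not a real product's logic."""
from collections import defaultdict

# Constructed context sources standing in for an asset inventory and an HR feed.
ASSET_ZONE = {"ws-101": "user", "ws-102": "user", "ws-103": "user", "db-01": "critical"}
HR_STATUS = {"alice": "active", "bob": "offboarding", "carol": "active"}
PEER_THRESHOLD = 3  # same unvetted indicator on this many hosts is treated as spreading


class ImmuneSystem:
    def __init__(self):
        self.seen = defaultdict(set)  # indicator -> hosts that have reported it
        self.rules = {}               # indicator -> learned verdict ("approve" / "kill")
        self.decisions = []           # what the system published back to the bus

    def enrich(self, event):
        """Attach the context the text asks for: connection point, peers, employee status."""
        self.seen[event["indicator"]].add(event["host"])
        return {
            **event,
            "zone": ASSET_ZONE.get(event["host"], "unknown"),
            "peer_hosts": len(self.seen[event["indicator"]]),
            "user_status": HR_STATUS.get(event["user"], "unknown"),
        }

    def decide(self, event):
        """Return 'kill', 'approve' or 'investigate' for one published event."""
        ctx = self.enrich(event)
        if ctx["user_status"] != "active" or ctx["zone"] == "critical":
            action = "kill"                         # risky context: contain first
        elif ctx["indicator"] in self.rules:        # previously learned situation
            action = self.rules[ctx["indicator"]]
        elif ctx["peer_hosts"] >= PEER_THRESHOLD:
            action = "kill"                         # unvetted pattern spreading across hosts
        else:
            action = "investigate"                  # novel, low-risk context: look closer
        self.decisions.append((ctx["host"], ctx["indicator"], action))
        return action

    def learn(self, indicator, verdict):
        """Add an analyst's verdict to the rule set so future matches are decided at once."""
        if verdict not in ("approve", "kill"):
            raise ValueError("verdict must be 'approve' or 'kill'")
        self.rules[indicator] = verdict
```

A risky context (offboarding user, critical zone) still wins over a learned approval, so a rule never becomes a blanket pass.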