Advances in cybersecurity have come fast and furious in recent years. Yet, despite all the gains, there has never been more pain. Hacking, cracking, and attacking techniques are more sophisticated than ever, and more and more organizations are succumbing to breaches and breakdowns.
Global cybercrime has reached US $1 trillion, a 50% increase in just the last two years. Every day, headlines trumpet a new ransomware attack or other event. "Traditional approaches to cybersecurity, which rely on signatures, are increasingly ineffective," says Steven Hofmeyr, a computational researcher at Lawrence Berkeley National Laboratory.
As a result, there's renewed interest in adapting biological models to data and system protection. The concept, which dates back to at least the early 2000s, borrows concepts from the natural world — including human immune responses and vaccine models — to ratchet up protection.
Tapping algorithms and endpoint monitoring techniques to identify and thwart attackers, a handful of vendors are developing products in the space. "Deterministic protection is not a panacea, but it can help shrink exposed attack surfaces without relying on signatures, tuning, or learning," states Tony Palmer, lab senior engineer at consulting service ESG.
Bio-based security tools swap out whitelists, blacklists, and other conventional detection methods for a framework that spots anomalies in real time. Just as a human body mounts a response to a foreign agent using antibodies, T-cells, and other mechanisms, a computer network attempts to shut down an invasion before it can spread and do any damage.
Hofmeyr, who helped pioneer the concept with a company called Sana Security (now part of AVG) nearly two decades ago, says that the iceberg has begun to flip — and there's growing interest in the idea. Advances in machine learning and artificial intelligence (AI) have also made the concept more viable. "When we introduced a product that relied on biological elements, people weren't interested in it. Today, there's a recognition that a more sophisticated framework is necessary."
The idea of introducing biological components through AI and machine learning is appealing — and elements of the concept are popping up in a class of endpoint software referred to as extended detection and response (EDR), says Eric Ahlm, a research director at Gartner. "Signal-to-noise ratios in cybersecurity are incredibly high. The ability to use AI and ML to identify unclear signals is extremely valuable."
Bio-based security doesn't replace other security tools; it complements and reinforces them by spotting attacks that often fly under the radar, Palmer notes. "Enforcing what is good and allowable based on deep knowledge of an application and its workloads makes much better sense than trying to blacklist every potential threat and/or focusing on higher-level system behaviors that can change and evolve over time," he says.
A New Model Emerges
A growing number of companies are introducing biological models to ratchet up protection. For example, cybersecurity firm Virsec aims to protect software workloads across an entire runtime stack — Web, host, and memory — regardless of the application type or environment. This includes bare metal, virtual machines (VMs), and cloud containers. Virsec allows only trusted execution and thwarts both known and unknown threats before they can launch — typically within milliseconds.
The framework is designed to inoculate a user from ransomware, remote code execution, supply chain poisoning, and memory-based attacks. "If we're going to change the way we protect assets, we need to take a completely different approach," says Dave Furneaux, CEO of Virsec. "Companies are spending more and more money on solutions and not seeing any improvement."
Furneaux likens the approach to the mRNA technology that vaccine makers Moderna and Pfizer have used. "Once you determine how to adapt a cell and the way it might behave in response to a threat, you can better protect the organism," Furneaux says.
In biology, protection works from the inside out. In cybersecurity, the method goes down into the lowest building blocks of software — which are like the cells in a body — to protect the entire system. "By understanding the RNA and DNA, we can create the equivalent of a vaccine," Furneaux adds.
Other cybersecurity vendors, including Darktrace, Vectra AI, and BlackBerry Cybersecurity, have also developed products that rely to some degree on biological models. For example, Darktrace uses an algorithm to constantly monitor and analyze networks at a granular level. It builds a model of normal activity. Once it gains the ability to separate noise from threats, the program flags problems, and it can also automatically shut down access to sensitive information if it detects suspicious behavior.
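The two ideas above, a framework that spots anomalies in real time rather than matching blacklists, and a product that first builds a model of normal activity and then flags what falls outside it, share one mechanism: learn "self", then treat what is not self as suspect. The following is an added illustration of that mechanism and is not code from Virsec, Darktrace, or any vendor named in this article. It assumes a deliberately simple design, borrowed from early immune-inspired intrusion-detection research: normal behaviour is recorded as the set of short sliding windows (n-grams) seen in event traces during a baseline period, and a new trace is scored by the fraction of its windows that the baseline never produced. The event names and traces are constructed for the example.

```python
from typing import Iterable, List, Sequence, Set, Tuple

# Constructed sample data (not from the article): short event traces for a
# hypothetical web-server process. Each token names one operation. The
# "normal" traces stand in for what was observed during the baseline period.
NORMAL_TRACES: List[List[str]] = [
    ["accept", "read", "stat", "open", "read", "write", "close"],
    ["accept", "read", "stat", "open", "read", "read", "write", "close"],
    ["accept", "read", "write", "close"],
    ["accept", "read", "stat", "write", "close"],
]

# A constructed trace that deviates from the baseline: after reading a
# request the process spawns another program and opens an outbound connection.
SUSPECT_TRACE: List[str] = ["accept", "read", "fork", "execve", "connect", "write"]

Window = Tuple[str, ...]


def ngrams(trace: Sequence[str], n: int) -> List[Window]:
    """Sliding windows of length n over a trace (empty if the trace is shorter than n)."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def build_profile(traces: Iterable[Sequence[str]], n: int = 3) -> Set[Window]:
    """The 'self' set: every length-n window observed during normal operation."""
    profile: Set[Window] = set()
    for trace in traces:
        profile.update(ngrams(trace, n))
    return profile


def anomaly_score(profile: Set[Window], trace: Sequence[str], n: int = 3) -> float:
    """Fraction of windows in `trace` never seen in the baseline.

    0.0 means every window is familiar; 1.0 means nothing in the trace
    matches self. Traces too short to yield a window score 0.0.
    """
    windows = ngrams(trace, n)
    if not windows:
        return 0.0
    unseen = sum(1 for w in windows if w not in profile)
    return unseen / len(windows)


def is_anomalous(profile: Set[Window], trace: Sequence[str],
                 n: int = 3, threshold: float = 0.5) -> bool:
    """Flag a trace whose unseen-window fraction reaches the threshold."""
    return anomaly_score(profile, trace, n) >= threshold


def absorb(profile: Set[Window], trace: Sequence[str], n: int = 3) -> Set[Window]:
    """Add a trace confirmed as benign to self, the 'adaptation' step that keeps
    a false positive from firing again. Returns the updated profile."""
    profile.update(ngrams(trace, n))
    return profile


def scan(profile: Set[Window], traces: Sequence[Sequence[str]],
         n: int = 3, threshold: float = 0.5) -> List[int]:
    """Indices of the traces that would be flagged, in order."""
    return [i for i, t in enumerate(traces) if is_anomalous(profile, t, n, threshold)]


if __name__ == "__main__":
    self_profile = build_profile(NORMAL_TRACES)
    for name, trace in [("normal", NORMAL_TRACES[0]), ("suspect", SUSPECT_TRACE)]:
        print(f"{name}: score={anomaly_score(self_profile, trace):.2f} "
              f"flagged={is_anomalous(self_profile, trace)}")
```

The window length and the threshold are the two knobs that matter in practice: a longer window makes the profile stricter (more sequences look novel, including benign ones never seen during baselining), a lower threshold raises sensitivity at the cost of alerts. The `absorb` step is where the "adapt rather than stay rigidly engineered" point from the article lands, and it is also the step that needs the most care, since a profile that is taught an attacker's behaviour as self will stay quiet about it afterwards.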
Biology Takes Shape
For now, biological protection models remain in the nascent stages, and this group of security products has limitations. For instance, Virsec sits on the server side and doesn't support microsegmentation or extend protection to the Internet of Things (IoT). In addition, "any product that focuses on endpoint data — regardless of how good the analysis is — remains a bit blind to certain types of attacks," Ahlm says.
There's also no guarantee that cybercriminals won't adapt their methods and find ways to invade these systems, he adds.
Nevertheless, the field is taking shape. Peters says that he can foresee the possibility of deterministic approaches expanding beyond server workloads to protect the code running in devices up and down the stack. Not only could such a framework greatly reduce alerts and false positives, "it could eventually replace multiple, diverse tools, simplifying security architecture and deployment models," he explains.
In the end, perhaps only one thing is certain: Like biology, cybersecurity is a complex and messy space. "Human immune systems are not rigidly engineered. They must constantly adapt," Hofmeyr points out. "The idea of applying this approach to security will likely yield improvements. Conventional signature-based security is no longer sufficient. Polymorphic malware and more sophisticated attacks have introduced the need for a more dynamic and advanced framework."