Security / February 10, 2017

Moving Toward a Security Immune System

There’s no such thing as secure anymore. Breaches are inevitable. It’s a fact that everyone is finally beginning to accept. But why? Why has this become a fact of life? I can offer two key reasons:

  • The speed of data. With the speed at which data travels today, real-time security against unknown threats is a near impossibility. Just think about 100 Gigabit Ethernet links. The time between packets is 6.7 nanoseconds—that’s 6.7 billionths of a second. The information is moving so quickly that there isn’t enough time to do anything meaningful or intelligent with it in terms of application security or threat detection. What this means is that unknown threats will break through your defenses and propagate across your infrastructure.
  • Democratization of malware. Today, sophisticated malware, command and control infrastructures, and phishing campaigns are all available for rent. Consequently, compromising the human element through social engineering, leveraging large-scale botnets, etc., are not techniques limited to use by the elite, sophisticated hacker, but rather are available to the mass public. As a result, defenders are overwhelmed trying to deal with increasing volumes of incidents. This is an issue further compounded by the fact that organizations continue to use mostly manual workflows to address incidents, which often leads to their falling a step, if not several steps, behind attackers.

A Paradigm Shift: Building Immunity vs. Patching with Band-Aids

Shehzad Merchant presents at Gigamon Sales KickoffIf indeed we are to act under the assumption that we will be unable to keep all threats out, then our systems and, certainly, our entire security framework and model need to change to adapt to this new paradigm. And the best way to make that shift is to think about security from the perspective of building an immune system.

Today’s approach of plugging security products into portions of infrastructure is akin to putting Band-Aids on portions of the skin. The coverage Band-Aids provide is minimal, and they do not constrain exposure to airborne, waterborne, or other forms of communicable diseases.

The same is the case with cybersecurity—where it’s necessary to completely rethink the security model so that it more closely resembles the human immune system whose key characteristics include:

  1. It works from within.
  2. It covers the entire body.
  3. It learns, adapts, and remembers.
  4. It responds very quickly.

A comprehensive security framework for the next wave of security challenges needs to more closely mimic an immune system’s behavior. In effect, it requires a new model or framework within which organizations can build out their security posture and to which they can map various security products in order to better understand their own security readiness and gaps.

Four Pillars and a Foundational Layer

I would propose four pillars and a foundation layer for the new model, all of which work in a continuum:

  • Pillar 1: Good hygiene. Good hygiene is the precursor to a healthy immune system. Conversely, having an immune system does not mean you do not have good hygiene. Correspondingly, network segmentation, asset isolation, and department and perimeter protection are all steps in building good hygiene. They make it harder for adversaries to break through in the first place; and, if they ever were to break through, it forces them to take unnatural steps to spread the threat within the organization. In some sense, this pillar was the entire framework and model for security not too long ago. Today, it is a precursor to building a security immune system.
  • Pillar 2: Detection. Forcing the adversary to take unnatural steps provides an opportunity to detect anomalous activity within the organization. Detection of lateral movement of malware and behavioral anomalies within the organization forms the second pillar of a security immune system. Anomalies are relative to normal behavior and, consequently, detecting them requires that a baseline of normal-like behavior be established. This is the basis of many machine learning solutions in development today. Once they establish a baseline of normal-like behavior, user activity can be triangulated against that, as well as known bad behavior, to surface anomalies. In essence, machine learning technologies resemble the human immune system’s ability to learn, remember, and combat viruses and bacteria based on adaptation.
  • Pillar 3: Prediction. Surfacing anomalies allows the next phase of the security immune system to take effect: understanding intent (i.e., what the bad actor is intending to do or has already done). Simply surfacing an anomaly in many cases, taken by itself, does not mean much. One has to understand the intent of the bad behavior—and that’s the area of artificial intelligence (AI) and cognitive solutions. Since many of the threats, malware, command-and-control networks, etc., are essentially rented or purchased frameworks, it follows that subsequent actions in the attack cycle may mimic behavior that has been learnt or seen in the past, albeit morphed, disguised, etc. AI-based solutions attempt to uncover patterns in the face of polymorphism and guise to predict intent and underlying patterns of behavior and then generate a set of actions.
  • Pillar 4: Action. Once intent is uncovered, action can be taken to contain the threat, remediate the threat, or, even, allow contained detonation of the threat so as to better learn and understand the intent. While much of this now happens manually and straddles organizational boundaries, there are many solutions attempting to automate it. This is the area of automation and security workflow orchestration.
  • The Foundation Layer: Pervasive visibility. The lifeblood of a security immune system is pervasive visibility. Visibility across physical, virtual, and cloud infrastructures. Visibility into plain-text and encrypted traffic. Visibility inline with data flows and out-of-band to data flows. Visibility at the network-packet level and at the flow and metadata level. Without pervasive visibility, detection, prediction and containment will be patchy at best and could, essentially, defeat the objective of building out a security immune system. The best way to deliver the necessary level of visibility is through a Security Delivery Platform. Much like the human system, which relies on the blood circulation system to provide full coverage across all parts of the body, a Security Delivery Platform helps ensure coverage across the organization and allows for the delivery of diverse and sophisticated security services that can learn, detect, predict, and contain threats across an organization.

All the of the above pillars and the foundation layer work in a continuous cycle. In other words, a security immune system is a continual feedback cycle, constantly learning, adapting, predicting, and taking action based on past learnings and current incidents.

While there has been much talk about the role of machine learning and artificial intelligence in cybersecurity, it is important to step back and take an architectural approach to understand just how organizations may deploy these solutions. Approaching this from the perspective of a security immune system—one that builds on a Security Delivery Platform as the lifeblood and foundation layer and encompasses the four key pillars—can help organizations conceptualize their security strategy, understand where different solutions fit within this framework, and help identify gaps within their security posture.


Customers have saved millions in IT costs. How much can you save?
Learn how 1,200 of your IT security peers plan to fight cyberattacks
See how to finally achieve visibility to reduce costs and remove complexity
Four steps to become stronger during times of disruption

Back to top