Cyberattacks are expected to increase exponentially in volume and sophistication, yet defences remain rudimentary. Overwhelmingly, security efforts by most organizations focus on building strong defensive walls designed to keep malicious actors, viruses and programs out; the reality is that these defensive walls only last until the attackers find a way over the wall.
Organizations must move towards ensuring that their systems, networks, environments and data are resilient and capable of self-defence.
Drawing References From Biology
The battle between the virus and its target (in biological terms, the “host”) has been going on in biological organisms for millions of years. Through evolution, human beings have developed sophisticated defence systems that block external viruses and bacteria and at the same time monitor and attack internal threats.
Just as with the Covid-19 pandemic the world is witnessing right now, new virus strains will develop, and over time the human body will develop antibodies to fend off attacks.
Our skin is the first layer of defence, acting as a sophisticated barrier much like a firewall. The skin prevents external threats and can repair itself after an attack. Its capabilities are complemented by the work of the immune system, which acts as a second layer of defence.
Our immune system is like a self-policing, machine-learning mechanism. It monitors the internal environment of the body; defines and learns what is considered normal cell behaviour; and when an anomaly occurs, reacts to it in real-time.
The Future Of Cybersecurity Lies In Self-Defence Systems
While the human body is unable to win every battle against viruses and foreign elements, its self-monitoring, learning and healing capabilities provide insight into how future cybersecurity solutions should work.
The self-defence system should be able to identify abnormal foreign elements, activities, programs and malicious code using adaptive machine learning built on an understanding of normal system, application and data flow behaviour.
The system should also be able to restore normal functionality on its own by rendering foreign elements and malicious programs dysfunctional.
Self-Defence Systems Framework
I see four key elements as fundamental components of self-defence systems. These core elements amount to a continuously refined, automated set of rules designed to monitor system behaviour, diagnose potential abnormalities, revive the system by removing malicious components and, finally, incorporate new normal/abnormal behavioural patterns into the system.
These capabilities are made possible by advances in the core technologies of artificial intelligence, machine learning and predictive analytics.
- Continuously check against the baseline, enriching the decision engine with ‘inside-out’ and ‘outside-in’ intelligence to identify new threats
- Identification of the abnormal attribute and correlation of situations
- Revitalization with a state-based revival model that makes bad functions, unknown programs and foreign executables dysfunctional
- Acclimatization and immunization by embedding new normal/abnormal patterns in the decision-making engines
Technology That Augments The Four Core Elements
Using historical behaviour mapping and analysis, self-defence systems should make real-time recommendations for action to be taken in response to an external ‘abnormal’ event. This is also commonly defined as adaptive machine learning, which would involve:
- Defining normal and abnormal status (system state capture)
- Monitoring current system status (system health analysis)
- Determining “WHO” and identifying the cause of incidents (suspect analysis)
- Understanding the “WHAT,” “HOW” and “WHY” of incidents (content and context)
- Applying business intelligence to understand threats in the context of the organization’s industry (industry-specific threat correlation)
- Identifying and analysing potential systems gaps (asset vulnerability life cycle)
In addition, artificial intelligence should enable autonomous system remediation and acclimatizing of new patterns by:
- Monitoring and neutralizing abnormal behaviour of all externally introduced files, functions, programs and executables (foreign element neutralization)
- Creating a virtual environment for foreign elements demonstrating abnormal behaviour (real-time jail boxing)
- Creating systems’ responses to potential attack scenarios based on threat intelligence (attack vector reply)
- Monitoring all threats to systems’ assets with an active risk mitigation model (threat modelling immunization)
- Activating real-time risk alerts for all applications (system distress management)
- Correlating intelligence gathered about systems’ vulnerabilities and assessing the potential for any exploits (vulnerability and exploit correlation)
- Assessing the possibility of threats based on threat actor behaviour analysis (threat predictive modelling)
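To make the four core elements and the adaptive loop above concrete, here is an added toy illustration that is not code from the original article: a Python loop that baselines per-process outbound connection counts (constructed, hypothetical telemetry), flags statistical deviations as abnormal, makes the offending element dysfunctional, and embeds the pattern so it is rejected on sight next time. Process names, the z-score threshold and the counters are assumptions, not measurements from any real system.

```python
"""Toy self-defence cycle: baseline -> identify -> revitalize -> immunize.
Constructed example; process names and counters are hypothetical."""
from statistics import mean, pstdev

# Constructed baseline: outbound connections per minute, per process,
# captured while the host was known to be healthy (normal state capture).
BASELINE = {
    "updater": [2, 3, 2, 4, 3, 2],
    "browser": [20, 25, 18, 22, 24, 21],
}

class SelfDefence:
    def __init__(self, baseline, threshold=3.0):
        self.baseline = {k: list(v) for k, v in baseline.items()}
        self.threshold = threshold      # z-score beyond which behaviour is abnormal
        self.quarantined = set()        # elements rendered 'dysfunctional'
        self.known_bad = set()          # immunized patterns (process identities)

    def score(self, proc, value):
        """Element 1: check against the baseline. A process with no baseline
        at all is foreign, so it scores infinitely abnormal."""
        hist = self.baseline.get(proc)
        if not hist:
            return float("inf")
        sd = pstdev(hist) or 1.0        # avoid division by zero on flat baselines
        return abs(value - mean(hist)) / sd

    def observe(self, proc, value):
        """Elements 2-4: identify, revitalize, immunize. Returns the action."""
        if proc in self.known_bad:
            return "blocked"            # immunized pattern: rejected before scoring
        if self.score(proc, value) > self.threshold:
            self.quarantined.add(proc)  # element 3: make it dysfunctional
            self.known_bad.add(proc)    # element 4: embed the abnormal pattern
            return "quarantined"
        self.baseline.setdefault(proc, []).append(value)  # learn the new normal
        return "normal"

# Constructed event stream: (process, outbound connections in the last minute)
EVENTS = [("updater", 3), ("browser", 23), ("updater", 45),
          ("dropper.tmp", 1), ("updater", 3)]

def run(events=EVENTS):
    """Drive the cycle over the event stream and return the action per event."""
    engine = SelfDefence(BASELINE)
    return [engine.observe(proc, value) for proc, value in events]

if __name__ == "__main__":
    for event, action in zip(EVENTS, run()):
        print(event, "->", action)
```

Note that once a process is immunized as bad, even its later baseline-looking activity is blocked; a production engine would immunize on a richer pattern than the bare process identity.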
In summary, the next frontier of cybersecurity solutions will most probably be self-defence systems that continuously find, respond to and recover from new threats. This type of system will reduce the risk of attack significantly; more importantly, it will make an organization a less attractive hacking target for threat actors.