Published in Inc42 on 24 May 2020.
A Community Blog by CYFIRMA’s Founder and CEO, Kumar Ritesh.
Cyberattacks are expected to keep growing in volume and sophistication, yet defences remain rudimentary. Overwhelmingly, the security efforts of most organizations focus on building strong defensive walls designed to keep malicious actors, viruses and programs out; the reality is that a wall holds only until an attacker finds a way over it, and a wall-only defence has no answer once that happens.
The battle between a virus and its target (in biological terms, the "host") has been going on in living organisms for millions of years. Through evolution, human beings have developed sophisticated defence systems that block external viruses and bacteria and at the same time monitor and attack internal threats.
As the Covid-19 pandemic the world is witnessing right now shows, new virus strains will keep emerging, and over time the human body develops antibodies that fend off each one.
Our skin is the first layer of defence, acting as a sophisticated barrier much like a firewall. It keeps external threats out and can repair itself after an attack. Its capabilities are complemented by the work of the immune system, which acts as a second layer of defence.
Our immune system is like a self-policing, machine-learning mechanism. It monitors the internal environment of the body; defines and learns what is considered normal cell behaviour; and when an anomaly occurs, reacts to it in real-time.
While the human body is unable to win every battle against viruses and foreign elements, its self-monitoring, learning and healing capabilities provide insight into how future cybersecurity solutions should work.
The self-defence system should be able to identify abnormal foreign elements, activities, programmes and malicious code using adaptive machine learning built on an understanding of normal system, application and data-flow behaviour.
I see four key elements as fundamental components of self-defence systems. Together they amount to an automated, continuously refined rule set that monitors system behaviour, diagnoses potential abnormalities, revives the system by removing malicious components and, finally, incorporates new normal/abnormal behavioural patterns into the system:
> Continuously check against the baseline, enriching the decision engine with 'inside-out' and 'outside-in' intelligence to identify new threats
> Identify the abnormal attribute and correlate it with the surrounding situation
> Revitalize the system with a state-based revival model by making bad functions, unknown programs and foreign executables dysfunctional
> Acclimatize and immunize by embedding the new normal/abnormal patterns in the decision-making engines
Using historical behaviour mapping and analysis, self-defence systems should make real-time recommendations for action to be taken in response to an external ‘abnormal’ event. This is also commonly defined as adaptive machine learning, which would involve:
> Defining normal and abnormal status (system state capture)
> Monitoring current system status (system health analysis)
> Determining “WHO” and identifying the cause of incidents (suspected analysis)
> Understanding “WHAT,” “HOW” and “WHY” of incidents (content and context)
> Applying business intelligence to understand threats in the context of the organization's industry (industry-specific threat correlation)
> Identifying and analysing potential systems gaps (asset vulnerability life cycle)
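The loop described by the four key elements above and by the state-capture and health-analysis steps just listed (capture a baseline, monitor against it, diagnose which attribute deviated, neutralise the foreign element, then fold the verdict back into the decision engine), as an added illustration that is not code from the original article or from CYFIRMA. It stands in a deliberately simple per-process baseline (the sets of parent processes and destination ports seen during learning) for a trained model, and every event in it is constructed telemetry for the example, not real log data.

```python
"""Toy self-defence loop: capture baseline -> monitor -> diagnose -> neutralise -> acclimatise."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One process observation. Constructed telemetry shape for this example, not a real log format."""
    process: str
    parent: str
    dest_port: int
    sha256: str


@dataclass
class Verdict:
    event: Event
    anomalies: list   # which attributes deviated from the baseline (the "WHAT")
    action: str       # "allow", "quarantine" or "block"


class SelfDefence:
    """Baseline is the set of attributes seen per process during learning (stand-in for a trained model)."""

    def __init__(self):
        self.parents = defaultdict(set)   # process -> parents observed as normal
        self.ports = defaultdict(set)     # process -> destination ports observed as normal
        self.quarantined = set()          # hashes held in a virtual jail pending a verdict
        self.known_bad = set()            # hashes confirmed malicious ("immunised")

    def learn(self, events):
        """System state capture: record what normal behaviour looks like."""
        for e in events:
            self.parents[e.process].add(e.parent)
            self.ports[e.process].add(e.dest_port)

    def assess(self, e):
        """System health analysis: score one live event against the baseline and act on it."""
        if e.sha256 in self.known_bad:             # immunised: block without re-scoring
            return Verdict(e, ["known_bad_hash"], "block")
        anomalies = []
        if e.process not in self.parents:           # never seen during baselining
            anomalies.append("unknown_process")
        else:
            if e.parent not in self.parents[e.process]:
                anomalies.append(f"unexpected_parent:{e.parent}")
            if e.dest_port not in self.ports[e.process]:
                anomalies.append(f"unexpected_port:{e.dest_port}")
        if anomalies:                               # neutralise: hold the foreign element in a jail
            self.quarantined.add(e.sha256)
            return Verdict(e, anomalies, "quarantine")
        return Verdict(e, [], "allow")

    def feedback(self, e, benign):
        """Acclimatise: fold the analyst's verdict back into the decision engine."""
        self.quarantined.discard(e.sha256)
        if benign:
            self.learn([e])                         # the new pattern becomes part of normal
        else:
            self.known_bad.add(e.sha256)            # the pattern is immunised against


def run_demo():
    """Walk the loop over constructed events; returns the sequence of actions taken."""
    sd = SelfDefence()
    sd.learn([                                      # clean-period baseline (constructed)
        Event("winword.exe", "explorer.exe", 443, "doc1"),
        Event("powershell.exe", "explorer.exe", 443, "ps1"),
        Event("svchost.exe", "services.exe", 443, "svc1"),
    ])
    actions = []
    # 1. behaviour matching the baseline is allowed
    actions.append(sd.assess(Event("winword.exe", "explorer.exe", 443, "doc1")).action)
    # 2. powershell spawned by winword and calling out on an unusual port: quarantined
    macro = Event("powershell.exe", "winword.exe", 4444, "ps-evil")
    actions.append(sd.assess(macro).action)
    # 3. analyst confirms it is malicious; the same hash is now blocked outright
    sd.feedback(macro, benign=False)
    actions.append(sd.assess(macro).action)
    # 4. a benign change (svchost on a new port) is first quarantined ...
    update = Event("svchost.exe", "services.exe", 80, "svc1")
    actions.append(sd.assess(update).action)
    # 5. ... then accepted as the new normal after feedback
    sd.feedback(update, benign=True)
    actions.append(sd.assess(update).action)
    return actions


if __name__ == "__main__":
    print(run_demo())
```

Two practitioner caveats apply to any real version of this loop. The baseline is only as trustworthy as the period it was learned from: an attacker already present while the system is learning gets their activity recorded as normal, so the capture phase has to run over a known-clean window and be re-validated rather than simply extended forever. And the feedback path is itself an attack surface: whoever can mark an event benign can teach the engine to ignore them, so that channel needs the same authentication and audit trail as any other administrative control.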
In addition, artificial intelligence should enable autonomous system remediation and acclimatizing of new patterns by:
> Monitoring and neutralizing abnormal behaviour of all externally introduced files, functions, programs and executables (foreign element neutralization)
> Creating a virtual environment for foreign elements demonstrating abnormal behaviour (real-time jail boxing)
> Creating systems’ responses to potential attack scenarios based on threat intelligence (attack vector reply)
> Monitoring all threats to systems’ assets with active risk mitigation model (threat modelling immunization)
> Activating real-time risk alert for all applications (system distress management)
> Correlating intelligence gathered about systems' vulnerabilities and assessing the potential for any exploit (vulnerability and exploit correlation)
> Assessing the possibility of threats based on threat actor behaviour analysis (threat predictive modelling)
In summary, the next frontier of cybersecurity solutions will most probably be self-defence systems that continuously find, respond to and recover from new threats. This type of system will reduce the risk of attack significantly; more important, it will reduce the attractiveness of an organization as a hacking target for threat actors.