VIEW 11
The immune system model
A more useful model than the static castle one (View #8) is a dynamic model based on the human immune system. The squid analogy (View #10) explained why reliance on an external perimeter for defence is outmoded (see also View #9). The immune system model presupposes that systems are constantly under attack, so the focus is on the speed and effectiveness of the counter-attack.
The immune system has two parts: an innate system, which acts at the initial stages and is the same for all attacks, and an adaptive system, which kicks in at a later stage and is a bespoke response to that specific attack. In humans, the innate system consists of barriers to infection such as skin, mucous membranes, saliva (which has antibacterial properties) and the tonsils in the throat. These are designed to deter and delay infection from germs.


Detect, respond, recover
More interesting is the adaptive immune system. Once a virus enters our bodies, it causes local inflammation, which is the first warning sign that something is wrong. This in turn acts as a trigger for the production of white blood cells, which then go on to produce antibodies that bind with pathogens and killer T cells that destroy the virus. Once these lymphocytes have done their job, the body is able to recover.
The five steps in this process are exactly analogous to the five steps required in a cyber incident response plan: deter, delay, detect, respond and recover (see View #23). The barriers of the innate immune system, such as skin and tonsils, correspond to the cyber security policies and the firewall. The adaptive immune system covers the other three steps, which in the cyber world are executed through system monitoring and the security operations centre (SOC). Large organisations may have more than one SOC; smaller companies tend to outsource this function to third parties.
