VIEW 15
The immune system and the SIEM
In cyber security, models that depend on drawing a dividing line between inside and outside are becoming increasingly outmoded. The growth in cloud computing and home working has blurred this distinction, a trend known as de-perimeterization. As a result, the “zero trust” concept, where everyone is suspect until verified, has become the dominant trope. This has much in common with the human immune system. Our bodies are constantly under attack from microbes, and so our immune system has evolved to deliver speedy and effective counter-attacks.
The immune system has two parts—an innate system at the initial stages which is the same for all attacks, and an adaptive system that kicks in at a later stage with a bespoke response to a specific attack.

In humans, the innate system consists of barriers to infection such as skin, mucous membranes, saliva (which has antibacterial properties), and the tonsils in the throat. These are designed to deter and delay infection from germs.
More interesting is the adaptive immune system. Once a virus enters our bodies it causes local inflammation, which is the first warning sign that something is wrong. This, in turn, acts as a trigger for the production of white blood cells, which go on to produce antibodies that bind to pathogens, and killer T cells that destroy the virus. Once these lymphocytes have done their job, the body is able to recover.
Detect, respond, recover
The steps in this process are exactly analogous to the steps required in a cyber incident response plan: deter, delay, detect, respond, and recover.
The innate immune system, like skin and tonsils, corresponds to a company’s cyber security policies and firewall settings. These present a common front to resist all forms of attack.
Things become more interesting when responding to a specific attack. The detection phase deals with the question of whether to raise an alert and escalate the incident. In the body this would be a local inflammation; in a Security Information and Event Management (SIEM) system it would be a red flag. The adaptive immune system has learnt to recognize any molecule it has previously encountered (for example through vaccination).
Likewise, a SIEM can interrogate a threat database to spot patterns and identify malware.
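As an added illustration, not part of the original piece, here is a toy two-layer detector in Python: a fixed brute-force rule plays the innate part, a set of remembered indicators plays the adaptive part, and confirming an incident adds its indicator to that memory so the next sighting escalates at once. The events, hosts and domains are constructed for the example.

```python
from collections import Counter

# Constructed sample events for this illustration; none of the hosts,
# users or domains are real.
EVENTS = [
    {"src": "10.0.0.5", "user": "alice", "type": "login", "ok": False},
    {"src": "10.0.0.5", "user": "alice", "type": "login", "ok": False},
    {"src": "10.0.0.5", "user": "alice", "type": "login", "ok": False},
    {"src": "10.0.0.7", "user": "bob", "type": "dns", "domain": "updates.example.net"},
    {"src": "10.0.0.9", "user": "carol", "type": "dns", "domain": "bad.example.org"},
    {"src": "10.0.0.5", "user": "alice", "type": "login", "ok": True},
]

FAILED_LOGIN_THRESHOLD = 3  # innate rule: the same for every attacker


def innate_alerts(events):
    """Fixed rules that fire the same way for any attack (the 'skin' layer)."""
    fails = Counter(e["src"] for e in events
                    if e["type"] == "login" and not e["ok"])
    return [{"rule": "brute_force", "src": src, "severity": "medium"}
            for src, n in fails.items() if n >= FAILED_LOGIN_THRESHOLD]


def adaptive_alerts(events, threat_db):
    """Match events against indicators the SIEM remembers from past incidents."""
    return [{"rule": "known_indicator", "src": e["src"],
             "indicator": e["domain"], "severity": "high"}
            for e in events if e.get("domain") in threat_db]


def detect(events, threat_db):
    """Run both layers and return alerts, highest severity first."""
    alerts = innate_alerts(events) + adaptive_alerts(events, threat_db)
    return sorted(alerts, key=lambda a: a["severity"] != "high")


def should_escalate(alert):
    """Escalation decision: high-severity alerts go straight to the incident manager."""
    return alert["severity"] == "high"


def learn_from_incident(threat_db, indicators):
    """After an incident is confirmed, remember its indicators (the 'vaccination')."""
    threat_db.update(indicators)
    return threat_db
```

On the first pass only the innate rule fires; once the analyst confirms the incident and records its domain, the same events produce an immediate high-severity match.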
Then come the respond and recover phases. In the body, T-lymphocytes trigger the production of specific killer T cells to attack the pathogen, and B-lymphocytes produce matching antibodies. The clean-up and recovery are left to macrophages, which digest the cellular debris. In a cyber incident, this is still a fairly manual process run by an incident manager, who will co-ordinate the activities of legal, forensics, and data recovery experts. But in time, as SIEMs develop in sophistication, these parts of the process may become more automated and approach the extraordinary efficiency of the human immune system.