Today’s major IT systems are complex. They are so complex that they are approaching the size and scale of biological systems. Systems that incorporate Internet of Things (IoT), cloud and mobile components will soon span networks, time zones and continents. It is worth looking at how biological systems approach security to see how defenses deployed there can be applied to securing IT systems.
Anatomy of an IT System
A few years ago, I attended a talk on how the body protects the brain. The blood-brain barrier is formed by the walls of the blood vessels in the brain, which restrict which substances can pass from the blood into brain tissue. That is one reason why brain tumors and infections are difficult to treat: Many drugs that work within the rest of the body cannot cross this barrier.
I was struck by the possibility that data passing through the data center could be likened to blood flow. These flows should be confined to known, trusted and approved formats. Not all data formats are acceptable.
Many tools can be used to control these data flows. These, historically, have been intrusion prevention systems (IPS) and proxy servers, such as web application firewalls (WAF) and application program interface (API) gateways. However, there is a general reluctance to deploy IPS systems in full blocking mode. Many are deployed in detection mode — so they notice that bad data is flowing, but they cannot prevent it.
Next-generation intrusion detection and prevention systems understand many protocols and data formats. They can, for example, identify executable code embedded in documents. These devices know the difference between HTML over HTTP, and text or chat over HTTP, and can also identify threats such as SQL injection.
Other tools, such as proxies, consume content and rewrite requests before they are passed further down the IT stack. Proxies can also be used to inspect encrypted data for threats. Usual operations for these devices include decrypting data at the proxy, inspecting it, and either encrypting again or passing the data through, possibly in another format or protocol.
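The inspection policy the last few paragraphs describe, as an added example that is not code from the original article or from any product it names: an allowlist of approved formats, a check for executable containers embedded in what claims to be a document, simple SQL-injection signatures, and the detect-versus-block distinction. The approved types, signatures, pattern list and sample requests are all constructed for illustration; a production engine tokenizes the request rather than relying on regular expressions alone.

```python
"""Minimal inspecting-proxy policy (added example, not from the article).
Formats, signatures, patterns and sample requests are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Allowlist: only declared formats the core systems are prepared to handle pass through.
APPROVED_TYPES = {"application/json", "text/plain", "application/pdf"}

# Leading bytes of executable containers that should never appear inside a "document".
EXECUTABLE_MAGIC = {
    b"MZ": "PE executable",
    b"\x7fELF": "ELF executable",
    b"#!": "script with shebang",
}

# Deliberately simple SQL-injection signatures (constructed; not a complete rule set).
SQLI_PATTERNS = [
    re.compile(r"(?i)'\s*or\s+'?\d+'?\s*=\s*'?\d+"),      # ' OR '1'='1
    re.compile(r"(?i)\bunion\b\s+(all\s+)?select\b"),      # UNION SELECT
    re.compile(r"(?i);\s*(drop|delete|update|insert)\b"),  # stacked statement
]


@dataclass
class Request:
    content_type: str
    params: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


@dataclass
class Verdict:
    findings: List[str]
    blocked: bool


def inspect(req: Request) -> List[str]:
    """Return human-readable findings; an empty list means the request looks clean."""
    findings = []
    if req.content_type not in APPROVED_TYPES:
        findings.append(f"unapproved content type {req.content_type}")
    for magic, name in EXECUTABLE_MAGIC.items():
        if req.body.startswith(magic):
            findings.append(f"embedded {name} in body")
    for key, value in req.params.items():
        if any(p.search(value) for p in SQLI_PATTERNS):
            findings.append(f"sql injection pattern in parameter {key!r}")
    return findings


def enforce(req: Request, mode: str = "detect") -> Verdict:
    """'detect' only records what it sees; 'block' also refuses to forward the request."""
    if mode not in ("detect", "block"):
        raise ValueError(f"unknown mode {mode!r}")
    findings = inspect(req)
    return Verdict(findings=findings, blocked=(mode == "block" and bool(findings)))


# Constructed sample traffic.
CLEAN = Request("application/json", {"user": "alice"}, b'{"user": "alice"}')
INJECTED = Request("application/json", {"id": "1' OR '1'='1"})
TROJAN_PDF = Request("application/pdf", body=b"MZ\x90\x00" + b"\x00" * 16)
ODD_FORMAT = Request("application/x-msdownload", body=b"MZ")

if __name__ == "__main__":
    for name, req in [("clean", CLEAN), ("injected", INJECTED),
                      ("trojan pdf", TROJAN_PDF), ("odd format", ODD_FORMAT)]:
        for mode in ("detect", "block"):
            v = enforce(req, mode)
            print(f"{name:10} {mode:6} blocked={v.blocked} findings={v.findings}")
```

Run it and the same injected request produces identical findings in both modes; only in block mode does the proxy refuse to forward it, which is exactly the gap between the detection-only deployments mentioned above and full prevention.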
This approach can be likened to the way the body processes food. The various food groups are broken down, allowing nutrients to be absorbed and discarding many harmful or unusable compounds. Think of the proxies as the stomach — they accept all sorts of incoming data, but only limited and cleansed data should be passed onto the core IT systems, which are the brain of the organization.
A First-Aid Approach to Securing IT Systems
First-aid courses teach responders to prioritize treatment according to the level of urgency during an incident. Similarly, in an IT security event, responders must determine which threats must be addressed first.
While it’s important to know what happened, it’s equally critical to understand the scale of the incident and the criticality of the assets under attack. An overblown response to a phishing attack could degrade customer service if, for example, the email service is suspended. This could be likened to anaphylactic shock in response to a bee sting: It’s not the sting that causes the problem, but the body’s response. However, a slow response to a ransomware attack can lead to massive service interruption. Like a cancer, the problem starts as a small issue but it can have serious effects if left to spread uncontrollably.
The first-aid approach to IT security is also becoming more common. Many years ago, when I started my information security career, the three tenets of security were confidentiality, integrity and availability (CIA). Confidentiality was seen as the most important component of this three-legged stool. Over the years, as organizations have become more dependent on IT, the confidentiality angle has become less important than availability. This is evidenced by organizations favoring intrusion detection systems (IDS), which only observe, over IPS, which can block legitimate traffic by mistake.
Downtime Costs Money
Many organizations will accept some degree of compromise and recognize the need to keep the business running, but they don’t want to trigger an allergic response to a small incident. A modern and comprehensive protection strategy for your IT systems should identify which critical systems keep the organization alive. Protection and recovery processes should be in line with keeping these key systems running and potentially sacrificing the service provided by other, less important systems.
However, as with all complex problems, understanding the challenge, knowing what the extent of the issue is and applying the appropriate response requires experience, knowledge and the tools for the job. The challenge is also constantly evolving. Yesterday’s assessment of threats and vulnerabilities may not hold true today.
IBM has been working for more than 20 years to develop the tools and acquire the technology to control and mitigate IT security challenges. It has also invested heavily in embedding intelligence into these tools and systems to ensure responses are proportionate. Now, IBM is applying cognitive computing to IT security to enable systems to truly act intelligently.
As with all progress, care should be taken not to rely too heavily on these systems. As IBM trains Watson to comprehend the vast amount of security research and apply it to defending IT, the black-hat community will be crafting tools and techniques to circumvent these cognitive systems. They will launch attacks that desensitize these systems, so that a real intrusion is scored as low risk or dismissed as a false positive. They could even attempt to make them overly sensitive to generate an overwhelming volume of results.
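The desensitization attack described above, as an added illustration; this is not code from the article and says nothing about how Watson or QRadar are built. The detector is a constructed toy: it alerts when an observation exceeds a multiple of its running baseline, then folds that observation into the baseline. An attacker who ramps up slowly never crosses the threshold and drags the baseline with them, while the same jump made abruptly is caught. The mitigation shown is also an assumption for the example: a second baseline that learns far more slowly, so a gradual ramp still separates from history.

```python
"""Desensitising an adaptive anomaly detector (added example, constructed toy)."""
from typing import List


class EwmaDetector:
    """Alert if value > factor * baseline, where baseline is an exponentially
    weighted moving average updated from every observation, alerts included."""

    def __init__(self, initial: float, alpha: float, factor: float = 2.0):
        self.baseline = initial  # e.g. requests per minute seen in normal operation
        self.alpha = alpha       # how fast the baseline follows new data
        self.factor = factor

    def observe(self, value: float) -> bool:
        alert = value > self.factor * self.baseline
        # The detector learns from what it just saw, even when it alerted on it.
        self.baseline = (1 - self.alpha) * self.baseline + self.alpha * value
        return alert


def run(detector: EwmaDetector, series: List[float]) -> List[bool]:
    return [detector.observe(v) for v in series]


def first_alert(alerts: List[bool]) -> int:
    """Index of the first alert, or -1 if the whole series passed unnoticed."""
    return next((i for i, a in enumerate(alerts) if a), -1)


def slow_ramp(start: float, target: float, steps: int) -> List[float]:
    """Attacker traffic rising linearly from start to target over `steps` observations."""
    return [start + (target - start) * i / steps for i in range(1, steps + 1)]


# Constructed traffic: normal level 100, attack level 1000.
SUDDEN = [100.0] * 10 + [1000.0]
GRADUAL = slow_ramp(100.0, 1000.0, 50) + [1000.0]

if __name__ == "__main__":
    for label, alpha in [("fast-learning baseline", 0.2), ("slow-learning baseline", 0.01)]:
        sudden = first_alert(run(EwmaDetector(100.0, alpha), SUDDEN))
        gradual = first_alert(run(EwmaDetector(100.0, alpha), GRADUAL))
        print(f"{label}: sudden attack alerts at index {sudden}, gradual at index {gradual}")
```

With alpha 0.2 the gradual attack reaches the full 1000 with no alert at all; with alpha 0.01 the same ramp is flagged after a handful of steps. A slow baseline is not free, though: it also lags legitimate growth, which is the "overly sensitive" failure mode the paragraph above mentions, so real deployments tend to compare against both horizons.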
Watson has been trained to consume structured and unstructured security information such as log files and security research papers. It is integrated with IBM’s QRadar platform to allow organizations to sense attacks through log-file events and network flows, and to produce assessments of security incidents. Because Watson has an understanding of incidents across organizations and can consume vast amounts of research as well as incident data, it can help a security operations center (SOC) operator make more accurate and timely decisions. Watson has the potential to become a collective conscience for security.
Watson can gather information about attacks against other organizations and help analysts apply these insights to fight threats. We don’t all need to go through the trauma of a Chimera ransomware attack, for example, to be able to spot one in progress and know how to contain it. Hopefully, this kind of herd immunity will reduce the profits that cybercriminals make from exploiting IT vulnerabilities.
When a serious disease breaks out within a population, it can potentially lead to the extinction of a species. Within the IT world, do we all have a recovery plan in the event of mass compromise? Can you, as an IT professional, say with confidence that you can recover from such a significant event?
I don’t think we have yet seen this type of IT system contagion. We have seen some outbreaks, such as Code Red and SQL Slammer, that have spread widely and quickly. However, these have been a bit like Ebola infections: They damage the host so quickly and visibly that they limit their own spread. More insidious infections that have long incubation periods have the potential to propagate widely before the effects are understood and felt.
In the nightmare scenario in which root certificates are compromised, are other trusted certificates available as a backup? If a directory is compromised, can you reprovision IDs and passwords to your users? If so, in what order do you recover them? My personal recommendation is to prioritize admin users, followed by employees and then customers. But this assumes that you can differentiate these populations and have the process in place. If systems are infected, can you reprovision OS and applications quickly? Do you have the installation images and data backups? Are those images and backups on compromised systems too?
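One way to turn the recovery questions above (and the earlier point about keeping the critical systems running first) into something that can be rehearsed, as an added example that is not code from the article: a small planner over a constructed inventory. Each asset lists what it depends on, the population it serves and the host holding its restore image. The order produced is a dependency order, so nothing is rebuilt before what it needs, with ties broken as suggested above: admin-facing assets first, then employee, then customer. Backups that live on a compromised host are flagged rather than trusted. The inventory, host names and the admin/employee/customer labelling are all assumptions made for the example.

```python
"""Recovery ordering after a mass compromise (added example; inventory is constructed)."""
import heapq
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

POPULATION_PRIORITY = {"admin": 0, "employee": 1, "customer": 2}


@dataclass
class Asset:
    name: str
    population: str                 # who this asset primarily serves
    depends_on: List[str] = field(default_factory=list)
    backup_host: str = ""           # where its restore image lives


def recovery_order(assets: Dict[str, Asset]) -> List[str]:
    """Kahn's topological sort; the ready queue is a heap keyed on (population, name)
    so that among assets whose prerequisites are restored, admin ones come first."""
    indegree = {name: 0 for name in assets}
    dependents = defaultdict(list)
    for asset in assets.values():
        for dep in asset.depends_on:
            if dep not in assets:
                raise ValueError(f"{asset.name} depends on unknown asset {dep}")
            indegree[asset.name] += 1
            dependents[dep].append(asset.name)
    ready = [(POPULATION_PRIORITY[a.population], a.name)
             for a in assets.values() if indegree[a.name] == 0]
    heapq.heapify(ready)
    order: List[str] = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for child in dependents[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                heapq.heappush(ready, (POPULATION_PRIORITY[assets[child].population], child))
    if len(order) != len(assets):
        stuck = sorted(set(assets) - set(order))
        raise ValueError("dependency cycle, cannot order: " + ", ".join(stuck))
    return order


def unsafe_backups(assets: Dict[str, Asset], compromised: Set[str]) -> List[str]:
    """Assets whose restore image sits on a host that is itself compromised."""
    return sorted(a.name for a in assets.values() if a.backup_host in compromised)


# Constructed inventory for a small estate (hypothetical names).
INVENTORY = {
    "backup-srv": Asset("backup-srv", "admin", [], "offline-vault"),
    "root-ca":    Asset("root-ca", "admin", [], "offline-vault"),
    "directory":  Asset("directory", "admin", ["root-ca"], "backup-srv"),
    "admin-vpn":  Asset("admin-vpn", "admin", ["directory"], "backup-srv"),
    "mail":       Asset("mail", "employee", ["directory"], "backup-srv"),
    "web-portal": Asset("web-portal", "customer", ["directory", "root-ca"], "web-portal"),
}
COMPROMISED = {"mail", "web-portal"}

if __name__ == "__main__":
    print("recover in this order:", " -> ".join(recovery_order(INVENTORY)))
    print("backups that cannot be trusted:", unsafe_backups(INVENTORY, COMPROMISED))
```

The planner deliberately refuses to produce an order when the inventory contains a cycle (for example a directory whose restore image can only be read after the directory is up), because that is precisely the situation that should be discovered in a rehearsal rather than during the incident.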
The risk of IT contagion is currently low, but the consequences are potentially catastrophic. IT staff must be empowered to kick-start the company. If we can learn from some of the approaches used in biology and apply them to securing IT systems now, we may be able to avoid systemic failures in the future.