In the natural world, new viral threats arise and existing viruses evolve to defeat our defenses. Just look at the flu — during the 2015 to 2016 flu season, people around the globe were fighting strains out of Switzerland and Phuket. This year, everyone’s worried about new flu varieties from California, Hong Kong and Brisbane. That’s why we get annual flu shots, to get immunity from the season’s new viruses.
It’s equally important to inoculate your organization against cybercrime. As my former Burton Group colleague Fred Cohen demonstrated back when he was in graduate school, computer viruses have a lot in common with viruses in the natural world. Both human and cyber viruses hide and evolve to get past perimeter defenses and attack from within.
Inoculate Your Organization and Strengthen Your Immune System
As humans, we are pretty well-equipped to fight off viruses. We have an immune system that is adept at coordinating a network of powerful resources to fight viral invasions. We help our immune system by supporting it in different ways. For example, I find that if I get at least eight hours of sleep a night, work out regularly, eat lots of green vegetables and consume plenty of vitamin C, I’m much less likely to get sick. We also have annual flu shots to protect against new virus strains, but what about protecting against new or evolved computer malware?
Unfortunately, the security programs in many organizations are nowhere near as coordinated as our human immune system. Although companies invest in support for their security programs, a lack of resources and the cybersecurity skills gap can make it very hard to ensure that the corporate security system is getting a full eight hours of sleep and extra vitamins.
Instead, the reality in many organizations is a set of disconnected security point solutions and perimeter products, typically provided by a host of vendors. Individual components don’t communicate with each other to fight cybercrime. The piecemeal nature of these systems makes them hard to monitor, and the expertise needed to manage them isn’t always available in-house. Faced with increasingly persistent and sophisticated cybercrime, organizations need security programs that act more like the human immune system.
Evolving Security Threats
Applying the idea of an immune system to cybersecurity can help organizations more effectively combat increasingly complex cyberthreats. Malware evolves as criminals create new viruses and as technologies such as cloud, mobile devices, social media and the Internet of Things (IoT) provide new attack vectors.
Ransomware is one example. CryptoLocker, which emerged in 2013, was quickly joined by CryptoWall, then ZeroLocker, CryptoWall 3.0, CTB-Locker and Locky, all pieces of malware that encrypt data, but with different signatures and profiles.
Similarly, the Shifu Trojan, which attacked Japanese banks in 2015, demonstrated this evolution through its “masterful” reconfiguration of leaked source code. Just as some viruses mutate, Shifu was an amalgamation and mutation of previous malware including Shiz, Gozi, Zeus and Dridex. Much like a human virus, the Shifu malware kept the parts of earlier malcode that had successfully infected systems while shedding the features and functions that had led to detection. After infecting Japanese banks, Shifu switched targets and focused on banks in the U.K.
The Role of Security Intelligence and Analytics
To inoculate your organization from cybercrime, your security systems must work more like the human immune system. That means devices, sensors and systems communicate, interact and work together to monitor activity and detect invaders, prevent infection and respond with appropriate measures. Of course, this integrated system needs a “brain” to help manage and coordinate it.
Security intelligence analytics sit at the core of a security immune system. These analytics work with network monitoring capabilities, network protection capabilities and identity controls to parse through massive amounts of data and provide alerts when suspicious, potentially criminal activity is detected. The earlier IT professionals discover anomalous behavior, the better the chances they will be able to prevent data loss and fraud.
Give Your Security System a Flu Shot
Security analytics are only as good as the intelligence that feeds them. While companies can learn a lot from their own net flow and log file data, that isn’t enough to prevent infection in the cloud- and mobile-dependent world. That’s why, just as the human body needs a flu shot to introduce new “intelligence” about evolving virus strains, a security system needs new intelligence to defend itself from the latest threats.
The IT security community needs to find ways to work together and share information that will help all organizations become more immune to cybercrime. For example, the IBM X-Force Exchange has 14,000 members that contribute to an open, 700-TB database of threat intelligence. Members can use this information to help inoculate their own systems against evolving viruses and other malware.
By coupling external threat intelligence with a system of connected security tools and services, companies can move toward the model of a cybersecurity immune system, ingesting the latest threat intelligence and using it to inoculate themselves against new attacks.
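As an added example (not code from the original post or from IBM), the following shows the core loop described above: the organization's own net flow records are correlated against an externally shared indicator feed, and hosts that repeatedly contact a trusted indicator are surfaced first. The feed format, field names, confidence threshold and every IP address, domain and flow are constructed sample data, not real intelligence.

```python
"""Added example (not from the original post): correlate internal net flow
records with an externally shared indicator feed, the core loop of the
'security immune system' described above. Every IP, domain and indicator
here is constructed sample data (documentation ranges), not real intel."""
from collections import defaultdict

# Constructed indicator feed as a sharing platform might export it.
THREAT_FEED = [
    {"type": "ipv4", "value": "203.0.113.45", "confidence": 90, "tag": "ransomware-c2"},
    {"type": "ipv4", "value": "198.51.100.7", "confidence": 40, "tag": "scanner"},
    {"type": "domain", "value": "update-check.example", "confidence": 85, "tag": "banking-trojan"},
]

# Constructed flow records from inside the network (src, dst, port, resolved name).
FLOWS = [
    {"src": "10.0.0.12", "dst": "203.0.113.45", "dport": 443, "domain": None},
    {"src": "10.0.0.12", "dst": "203.0.113.45", "dport": 443, "domain": None},
    {"src": "10.0.0.12", "dst": "203.0.113.45", "dport": 443, "domain": None},
    {"src": "10.0.0.40", "dst": "198.51.100.7", "dport": 22, "domain": None},
    {"src": "10.0.0.55", "dst": "192.0.2.10", "dport": 80, "domain": "update-check.example"},
    {"src": "10.0.0.55", "dst": "192.0.2.11", "dport": 443, "domain": "www.example.com"},
]


def index_feed(feed, min_confidence):
    """Lookup keyed by (type, value); low-confidence indicators are ignored
    so a noisy scanner entry does not page the on-call analyst."""
    return {(i["type"], i["value"]): i for i in feed if i["confidence"] >= min_confidence}


def correlate(flows, feed, min_confidence=50):
    """One alert per internal host that reached a trusted indicator.
    Hit counts let repeated contacts (beaconing) outrank a single match."""
    lookup = index_feed(feed, min_confidence)
    hits = defaultdict(lambda: {"count": 0, "tags": set(), "indicators": set()})
    for f in flows:
        # Match the destination address and, when present, the resolved domain.
        for key in (("ipv4", f["dst"]), ("domain", f["domain"])):
            ind = lookup.get(key)
            if ind is not None:
                hits[f["src"]]["count"] += 1
                hits[f["src"]]["tags"].add(ind["tag"])
                hits[f["src"]]["indicators"].add(ind["value"])
    alerts = [{"host": h, "count": v["count"], "tags": sorted(v["tags"]),
               "indicators": sorted(v["indicators"])} for h, v in hits.items()]
    return sorted(alerts, key=lambda a: -a["count"])  # most contacts first
```

With the default threshold the low-confidence scanner indicator is dropped, so only the host beaconing to the ransomware C2 address and the host that resolved the trojan domain are alerted on, in that order.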