How to build an immune system for cybersecurity attacks
This is the second in a three-part series on building a government cybersecurity ecosystem.
The Department of Homeland Security and the National Institutes of Standards and Technology are spearheading an effort to develop a self-healing cyber “ecosystem” across government and industry organizations that could automatically assess and respond to threats.
The agencies, which asked for input on the idea in a recent request for proposals, say the seriousness and the scale of today’s cyber threats make the idea of a self-defending network an idea whose time has come.
Yet the search for models for an “automated collective action” goes back a decade or more. Most recently, creating a healthy, secure cyber ecosystem was one of the two focus areas identified in the DHS Blueprint for a Secure Cyber Future, released in late 2011. The other was protection of the nation’s critical infrastructure.
Work on the idea dates to much earlier, however. The earliest technical reference in the RFI was a paper from 1990, An Immunological Model of Distributed Detection and Its Application to Computer Security, by Steven A. Hofmeyr.
The paper that spurred the current request for information, entitled Enabling Distributed Security in Cyberspace: Building a Healthy and Resilient Cyber Ecosystem with Automated Collective Action and published in March 2011, also uses the human immune system as a model.
It was written under the direction of Philip Reitinger, then DHS deputy under secretary for the National Protection and Programs Directorate who has since moved on to Sony Corp.
It envisions “a ‘healthy cyber ecosystem’ -- where cyber devices collaborate in near‐real time in their own defense.” In such a system, “power is distributed among participants, and near‐real time coordination is enabled by combining the innate and interoperable capabilities of individual devices with trusted information exchanges and shared, configurable policies.”
Such a system is not a perfect model, however. In humans, auto-immune diseases lead the immune system to attack the body it is supposed to protect, a situation that researchers and developers want to avoid in a secure cyber ecosystem.
The ecosystem would start where continuous monitoring for vulnerabilities is today, and the end state would advance to include automated responses, with broad-based threat and incident monitoring, data dissemination, threat analysis, intervention recommendations and coordination of preventive actions. The three building blocks identified in the Reitinger paper as necessary to enable such a system are:
- Automation, which would enable the system and devices connected with it to respond at machine speeds based on conditions being monitored and data being gathered in near-real time.
- Interoperability, which includes semantic elements such as standardized lexicons; technical interoperability between different brands and types of products and tools; and policy. Security management already is taking advantage of some of these elements; Security Content Automation Protocol (SCAP), for instance, is an example of semantic interoperability. The challenge is moving beyond management to operational security.
- Authentication, which is necessary to provide the trust needed for information sharing and automation. “The paper looks to the emerging National Strategy for Trusted Identities in Cyberspace to build a shared foundation,” the executive summary said.
Tools embodying these elements would not have to be universally deployed to enable a secure ecosystem. “Some simulations indicate that about 30 to 35 percent of devices would need to cooperate in order for such a course of action to work,” the paper says. “These numbers are important, because they indicate that success is not dependent on the participation of all or even a majority of devices; therefore, large‐scale infrastructure modification is not required to make the ecosystem fundamentally more secure.”
NEXT: Laying the groundwork for a collective automated cybersecurity system.
PREVIOUS: Could a cyber ecosystem automatically defend government networks?