In the opening presentation of Reset 2018 yesterday, Mary Haigh, product director at BAE Systems, dissected the analogy between cyber-immune systems and biological immune systems, concluding that there were indeed parallels - but that it was not an exact fit.
The idea that a cyber-immune system - adaptive defence - is a self healing system that adapts to mutations and environmental threats is an attractive one, but it suggests that it will cope by itself - that the analytics will learn without feedback. In reality these systems always need feedback on what is good and bad says Haigh.
However, she notes that a human immune system also needs a lot of help to remain healthy. For the flu virus, for example, we research how it mutates and what vaccinations we need, and that work goes on in the background. Then there are the things we choose to do ourselves: if we travel to an exotic location such as a jungle, we get jabs before we go. So there are environmental choices we make ourselves, and there are background factors.
Unfortunately we do not have the equivalent of a world map of threats, showing what threats we face in each country and which mitigation strategies we should choose. But we can feed in threat intelligence to understand the threat landscape - though it can't be done in isolation. For example, if you were to isolate and shut down a server to remove malware and that server were mission critical, it could be the wrong business decision. And sometimes we will choose to accept the extra risk for the extra opportunity - whether that is moving to the cloud, taking on new partners in a supply chain or undertaking an acquisition. As with the jabs for our exotic trip, we should be aware of the risk and take appropriate mitigation measures.
Moving on to how we handle the information we get, Haigh cited figures from a Ponemon study that found 77 percent describing threat intel reports as a good idea, whereas only 50 percent of incident responders use threat data when deciding how to respond to threats. And only 27 percent actually find threat intel effective to pinpoint cyber-threats.
Reasons suggested included too much data and too much complexity - with 32 percent reporting that they had blocked legitimate traffic after misinterpreting threat intel. It was suggested that this comes down to the lack of a holistic view, as the data is collected and analysed by different individuals and groups. Workflow is also not always as timely and accurate as is wanted, and there is a need for normalising data from disparate sources. “It's not easy - users need to embrace the concept (of a holistic approach) and then break it down to usable amounts - but don't just expect self healing.”
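The two practical problems Haigh's figures point at - normalising indicators from feeds that use different shapes and scales, and not letting a raw feed entry block legitimate traffic - are easy to see in code. The following Python example is added here and is not BAE Systems' code or anything shown in the talk. The two feeds, the internal address ranges, the allowlisted domain and the confidence thresholds are all constructed for the example; the point is that the feed data is merged into one canonical record and then checked against local context before any "block" decision is produced, and that every indicator touching local context is routed to a human rather than acted on automatically.

```python
import csv
import io
import ipaddress
import json
from dataclasses import dataclass, field

# Constructed sample feeds (not real intel). Feed A is JSON with STIX-style
# type names and 0-100 confidence; feed B is CSV with 0.0-1.0 scores.
FEED_A_JSON = """[
  {"indicator": "198.51.100.7", "type": "ipv4-addr", "confidence": 90, "tags": ["c2"]},
  {"indicator": "evil[.]example", "type": "domain-name", "confidence": 60, "tags": []},
  {"indicator": "10.0.0.5", "type": "ipv4-addr", "confidence": 95, "tags": ["scanner"]}
]"""

FEED_B_CSV = """value,kind,score,source
EVIL.example.,domain,0.85,feed-b
198.51.100.7,ip,0.4,feed-b
update.example-vendor.test,domain,0.9,feed-b
"""

# Map each feed's type vocabulary onto one canonical set of kinds.
KIND_MAP = {"ipv4-addr": "ip", "ip": "ip", "domain-name": "domain", "domain": "domain"}


@dataclass
class Indicator:
    value: str
    kind: str             # canonical: "ip" or "domain"
    confidence: float     # canonical scale 0.0-1.0
    sources: set = field(default_factory=set)


def canonical_value(raw: str, kind: str) -> str:
    # Undo common defanging and case/trailing-dot variation so the same
    # indicator arriving from two feeds collapses into one record.
    v = raw.strip().replace("[.]", ".")
    if kind == "domain":
        v = v.lower().rstrip(".")
    return v


def parse_feed_a(text: str) -> list:
    out = []
    for row in json.loads(text):
        kind = KIND_MAP[row["type"]]
        out.append(Indicator(canonical_value(row["indicator"], kind), kind,
                             row["confidence"] / 100.0, {"feed-a"}))
    return out


def parse_feed_b(text: str) -> list:
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        kind = KIND_MAP[row["kind"]]
        out.append(Indicator(canonical_value(row["value"], kind), kind,
                             float(row["score"]), {row["source"]}))
    return out


def merge(indicators: list) -> dict:
    # Key on (kind, value); keep the highest confidence seen and the union of
    # sources, so a reviewer can see how many feeds agree on an indicator.
    merged = {}
    for ind in indicators:
        key = (ind.kind, ind.value)
        if key in merged:
            merged[key].confidence = max(merged[key].confidence, ind.confidence)
            merged[key].sources |= ind.sources
        else:
            merged[key] = Indicator(ind.value, ind.kind, ind.confidence, set(ind.sources))
    return merged


# Local context the feed cannot know: our own address space and
# business-critical destinations. Constructed placeholders for the example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
ALLOWLIST_DOMAINS = {"update.example-vendor.test"}


def action_for(ind: Indicator, block_threshold: float = 0.8) -> str:
    # Anything that collides with local context goes to a human, never to
    # auto-block, regardless of how confident the feed is.
    if ind.kind == "ip" and any(ipaddress.ip_address(ind.value) in n for n in INTERNAL_NETS):
        return "review"
    if ind.kind == "domain" and ind.value in ALLOWLIST_DOMAINS:
        return "review"
    if ind.confidence >= block_threshold:
        return "block"
    if ind.confidence >= 0.5:
        return "review"
    return "ignore"


def triage() -> dict:
    # Normalise both feeds, merge duplicates, then assign an action per indicator.
    merged = merge(parse_feed_a(FEED_A_JSON) + parse_feed_b(FEED_B_CSV))
    return {ind.value: action_for(ind) for ind in merged.values()}


if __name__ == "__main__":
    for value, action in triage().items():
        print(f"{action:6} {value}")
```

Run stand-alone, the script shows the two feed entries for `evil.example` collapsing into one record with the higher confidence and both sources, while the internal scanner address and the allowlisted vendor domain come out as "review" despite scoring above the block threshold. The thresholds and allowlist are the feedback loop Haigh describes: they are maintained by people with knowledge of the business, not learned by the pipeline on its own.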