CERT-SEI
CERT/CC Blog

Why Cybersecurity Is Not Like the Immune System

By Jonathan Spring on 03/24/2014

The idea of a cyber-immune system sometimes circulates through the community. It seems that such proposals misframe how the immune system works, how good computer security would work, or both. I’m going to try to put both of those in context to make clear why cybersecurity is not like the immune system, and why it would be nice if it were.

The common misconception appears to be in how antibodies function as part of a larger system. They are viewed, narrowly but rightly, as a black list of known signatures, analogous to signatures for an IDS or anti-virus program. Security professionals appear to latch onto this because black lists are something we know. However, this skips over how antibodies are produced and what their main advantage really is. The key point that gets missed, I believe, is that the essential functionality of the immune system as a whole is that of a white list.

Wikipedia has a good technical summary of how it all works, but the essential feature is that the immune system is several layered systems that all identify self versus non-self and then destroy the non-self entities. In cybersecurity terms, the immune system is a white list. Each cell in your body has protein markers that identify it as part of your body—as “self.” Any biological entity that cannot present that protein marker will be destroyed. Antibodies only come in as part of an immunological memory that enables a rapid response to previously encountered pathogens. The various biological systems that perform essentially white-listing functions must first discover the pathogen and basically convince your body that it’s worth making a special rule just for this one pathogen because it’s a particularly viral problem.

Thus, to truly be like the immune system, a cyber defense system would have to be a white list of allowed processes and destinations. The system must then recognize methods previously used to compromise it and step up defensive measures to attempt to prevent repeat compromises with specific black-list-enabled fast responses (e.g., signatures in an IPS). A cyber-immune system that is not a white list but is instead, say, a fancy black list of behaviors based on machine learning is not like the immune system.

A defense system based just on black lists is about as effective as an immune system with just antibodies and their T cells. It will fall flat in the face of any real threats. As we discussed in a white paper in September, black lists don’t seem to be doing so well in the current environment—they are scattershot and incomplete. Perhaps we do need a cyber-immune system. But if so, it doesn’t need such a fancy name; creating a white list of allowed websites for your web-proxy to visit would probably be a great start.
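
The layered design described above, applied to a web proxy, as an added Python example that is not part of the original post: a default-deny white list of destinations plus a learned black list for fast response to repeat compromises, next to a black-list-only policy for comparison. The domain names, the class and function names, and the (host, path) signature format are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed policy data for illustration; not taken from the post.
ALLOWED_DOMAINS = {"intranet.example", "updates.example"}  # the "self" markers


def is_self(host):
    """White list: host is an allowed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def signature_of(url):
    """Hypothetical signature format: (lower-cased host, request path)."""
    parts = urlsplit(url)
    return ((parts.hostname or "").lower(), parts.path)


class ImmuneStyleProxyPolicy:
    """Default-deny white list plus a learned black list ("antibodies")."""

    def __init__(self):
        self.signatures = set()  # filled only after a confirmed compromise

    def learn(self, url):
        """Remember a request tied to a past compromise for fast denial."""
        self.signatures.add(signature_of(url))

    def decide(self, url):
        host, _ = sig = signature_of(url)
        if sig in self.signatures:
            return "deny:signature"   # rapid response to a known pathogen
        if not is_self(host):
            return "deny:not-self"    # no marker, no access, no signature needed
        return "allow"


def blacklist_only_decide(url, signatures):
    """Black list alone: anything without a signature is allowed."""
    return "deny:signature" if signature_of(url) in signatures else "allow"
```

A destination that has never been seen before is denied by the white-list layer, while the black-list-only function allows it until someone writes a signature for it.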
