Proscriptive adoption of information security standards like ISO27001 is bound to fail, according to Joel Weise, principal engineer and chief technologist, Sun client services security program office, Sun Microsystems
“Organizations that take the proscriptive approach see security standards as 'to do' lists, when in fact they are only suggested frameworks,” Weise said. “This approach will never work as it simply does not consider the organization's particular needs.”
Weise said that organizations should build specific security architecture for their particular IT infrastructure that is applicable to business and technical needs.
To build security architecture, the organization should consider an 'adaptive security' approach, Weise said. “Adaptive security is a framework for elaborating a comprehensive architecture that enables cost effective risk management for threat containment,” he said. “It also seeks to improve operational efficiency and system survivability.”
According to Weise, Sun's chief technologist office team came up with the concept of adaptive security, based on works by others.
“Our observation that biological and ecological systems appear to have very reasonable survival capabilities drove the emergence of this concept,” Weise said. “So we looked to nature for an appropriate security metaphor.”
Feedback from Sun's customers that the business environment has become too complex for the IT department to deal with is another driving factor, Weise said. “For example, the rise of the internet and managed services has added to complexity.”
Weise noted that as environmental complexity increases, system security decreases. “Threats are developing faster than counter-measures, while a homogenous IT environment allows a 'pandemic' to spread quickly.”
The chief technologist pointed to the parallel situation in nature where H5N1 bird flu has caused high mortality rates among infected people. “In the same way, if a cyber attack brings down one server in a data center, all other servers may follow,” he said.
“Adaptive security seeks to mimic biological auto immune systems at the microscopic level and ecological systems of disparate entities at the macroscopic level,” Weise said. “It is not defined by a single system or process.”
Biological systems use immune systems to dynamically respond to threats, while stem cells can be used as a foundation to 'repair' other body elements, Weise noted. Additionally, the human body can discriminate between 'self' features and foreign bodies like liver transplants, which may be rejected.
From a macro perspective, survival of the ecological system does not depend upon the survival of any individual entity. “Ecosystems are by definition diverse and this contributes to their resilience,” Weise said.
Weise said that in the same way, IT systems may be designed to adaptively respond to different threats, with self-regulating, self-healing and self-protecting abilities. “This includes the ability to 'know' normal conditions and detect abnormal system behaviors.”
Specifically, adaptive security seeks to reduce threat amplification, area vulnerable to attack and system recovery time in the event of an attack, Weise said. Other objectives include ensuring availability and reliability of data and processing resources, as well as reducing attack speed.
While acknowledging that some elements of adaptive security are mainly theoretical in the IT arena, Weise noted that they already exist in various non-IT areas. “Predictive analytics is an element of adaptive security,” he said. “For example, by looking at a person's age and health records, health insurance companies can estimate the client's lifespan.”
“I see predictive analytics as a potential area that security vendors can work on to bring the industry further down the road to true adaptive security,” Weise said. “This means security software can predict threats before they happen, but no one knows how to do that yet.”
Weise noted however, that progress in predictive analytics has already been made in the hardware space. “For example, the CPU has to run under certain conditions like temperature or humidity because we know that it will fail if it is overheated beyond a certain number of hours,” he said. “That's why cooling fans are installed.”
Another example is observation of devices running on limited power supplies. “If I see any unusual changes in the device's performance, I may 'predict' that the power supply will run out in an estimated time period and hook up the device to an alternative power source before that happens,” Weise said.
Weise said that Sun is doing research on adaptive security in its labs such as an 'automated self-healing' system. “When we see a threat alert coming to the system, we can automatically bring the system offline, take a forensic snapshot of the system and use it to restore the system in seconds.”