Advances in cybersecurity have been fast and furious in recent years. Yet for all the gains, there has never been more pain. Hacking, cracking, and attack techniques are more sophisticated than ever, and more and more organizations are succumbing to breaches and failures.
Global cybercrime has reached US$1 trillion, a 50% increase in the past two years alone. Every day, headlines announce a new ransomware attack or other event. “Traditional approaches to cybersecurity, which rely on signatures, are increasingly ineffective,” says Steven Hofmeyr, a computer scientist at Lawrence Berkeley National Laboratory.
As a result, there is renewed interest in adapting biological models to data and system protection. The concept, which dates back to at least the early 2000sborrows concepts from the natural world – including human immune responses and vaccine models – to build protection.
Leveraging endpoint monitoring algorithms and techniques to identify and thwart attackers, a handful of vendors are developing products in the space. “Deterministic protection isn’t a panacea, but it can help reduce exposed attack surfaces without relying on signatures, tuning, or learning,” says Tony Palmer, principal lab engineer in the service of ESG advice.
Biology-based security tools replace whitelists, blacklists, and other conventional detection methods with a framework that detects anomalies in real time. Much like a human body prepares a response to a foreign agent using antibodies, T cells, and other mechanisms, a computer network tries to stop an invasion before it can spread and cause damage.
Hofmeyr, who helped pioneer of the concept with a company called Sana Security (now part of AVG) nearly two decades ago says the iceberg has started to turn – and there’s growing interest in the idea. Advances in machine learning and artificial intelligence (AI) have also made the concept more viable. “When we introduced a product that relied on biologics, people weren’t interested in it. Today it’s recognized that a more sophisticated framework is needed.”
The idea of introducing biological components via AI and machine learning is appealing — and elements of the concept appear in a class of endpoint software called extended detection and response (EDR), says Eric Ahlm, director of research at Gartner. “Signal-to-noise ratios in cybersecurity are incredibly high. The ability to use AI and ML to identify unclear signals is extremely valuable.”
Biosecurity does not replace other security tools; it complements and reinforces them by spotting attacks that often go unnoticed, notes Palmer. “Applying what is good and authorized based on a deep understanding of an application and its workloads makes far more sense than trying to blacklist all potential threats and/or focusing on higher-level system behaviors that can change and evolve over time,” he says.
A new model emerges
A growing number of companies are introducing biological models to enhance protection. For example, cybersecurity firm Virsec aims to protect software workloads across an entire execution stack (web, host, and memory), regardless of application type or environment. This includes bare metal, virtual machines (VMs), and cloud containers. Virsec only allows reliable execution and thwarts known and unknown threats before they can launch, usually within milliseconds.
The framework is designed to inoculate a user against ransomware, remote code execution, supply chain poisoning, and memory-based attacks. “If we want to change the way we protect assets, we need to take a completely different approach,” says Dave Furneaux, CEO of Virsec. “Companies are spending more and more money on solutions and not seeing any improvement.”
Furneaux compares the approach to the mRNA technology that vaccine makers Moderna and Pfizer have used. “Once you figure out how a cell adapts and how it might behave in response to a threat, you can better protect the organism,” says Furneaux.
In biology, the approach is based on an inside-out approach. In cybersecurity, the method goes down to the lowest building blocks of software – which are like the cells of a body – to protect the entire system. “By understanding RNA and DNA, we can create the equivalent of a vaccine,” adds Furneaux.
Other cybersecurity vendors, including Darktrace, Vectra AI, and BlackBerry Cybersecurity, have also developed products that rely to some degree on biological models. For example, Darktrace uses an algorithm to continuously monitor and analyze networks at a granular level. It builds a pattern of normal activity. Once it has the ability to separate noise from threats, the program flags issues and can also automatically close access to sensitive information if it detects suspicious behavior.
Biology takes shape
For now, biological protection models remain in their infancy, and this group of security products has limitations. For example, Virsec is server-side and does not support microsegmentation or extend protection to the Internet of Things (IoT). Additionally, “Any product that focuses on endpoint data — no matter how good the analysis — remains somewhat blind to certain types of attacks,” Ahlm says.
There’s also no guarantee that cybercriminals won’t adapt their methods and find a way to invade these systems, he adds.
Nevertheless, the ground is taking shape. Peters says he can foresee the possibility of deterministic approaches extending beyond server workloads to protect code running in devices up and down the stack. Not only could such a framework significantly reduce alerts and false positives, “it could potentially replace several diverse tools, simplifying security architecture and deployment models,” he explains.
In the end, only one thing may be certain: like biology, cybersecurity is a complex and messy space. “Human immune systems are not rigidly designed. They have to constantly adapt,” Hofmeyr points out. “The idea of applying this approach to security is likely to bring improvements. Conventional signature-based security is no longer sufficient. Polymorphic malware and more sophisticated attacks have introduced the need for a more dynamic framework and advanced.”