Artificial evolution: Five defensive systems to advance your InfoSec strategy

One of the timeless struggles of the chief information security officer (CISO) is explaining complex information security concepts to an audience that is not as close to the material, such as a board member, client, or internal partner. 

InfoSec has always had the political job of not only understanding the technical needs at play in cybersecurity, but translating those needs into non-technical speak. It’s much easier for a non-technical person to understand something when they can picture it as a physical system instead of a nebulous, virtual thing. 

One strategy to consider while articulating concepts is looking to tangible, well-understood models. At SEI Sphere, we take our cues from evolved systems in their finest context: nature. We find this approach has many advantages: 

• It makes InfoSec topics feel accessible to non-technical people. 
• It’s a breeding ground for out-of-the-box ideas around how to solve problems in your environment. 
• It can be a starting point for maturity mapping: Taking the output (specifically, what your program lacks) and using it as a blueprint to artificially evolve your systems to a state of greater capability, using other, more established systems as your model.   

Five defensive systems InfoSec can learn from nature. 

Which stages has your InfoSec program achieved?   

1: Quick harm avoidance

Evolution stage: Basic

If you’ve ever tried to put contact lenses in your eyes for the first time, you may remember the struggle. Despite manual efforts to physically hold your eye open, the instinct to blink is too strong and too fast to permit the offending piece of material. In human biology, reflexes are an automatic action your body does in response to something—a programmed defense mechanism for when human comprehension is too slow to defend. 

In the InfoSec world, automatically blocking external attackers who trigger high-fidelity detections or repeated true positives in real time is a great way to establish a baseline of always-on security. Implementing any combination of security, orchestration, automation, and response (SOAR) solutions is also a quick win—just be sure to keep humans involved in steps where more nuanced decision-making is required. 
 

2: Reactive response

Evolution stage: Intermediate

In the realm of human biology, doing battle is an ongoing activity. T cells and B cells work together to protect the body from infection; T cells wipe out infected cells while B cells create antibodies. 

In InfoSec, this is incident response. Our recommendation for the strongest digital army? A “twin workflows” approach: An infinity loop of actions your team can take that is one part juicing all the intelligence you can out of incident tickets and alerts (intelligence gathering); and one part intelligence lifecycle, performing regression testing until new indicators of compromise (IOCs) are developed and shared back to trust circle communities. 
 

3: Proactive defense

Evolution stage: Advanced

Immunization, usually in the form of yearly inoculation, prevents 3.5-5 million deaths every year from persistent diseases like influenza and measles.¹ Field epidemiologists lead investigations initiated in response to urgent public health problems. 

In InfoSec, this is threat intelligence: Identifying and tracking active threats, conducting intelligence operations geared toward exploiting the security failures of threat actors, and proactively creating custom TTP-level signatures to identify threats consistently. It’s a digital shot for the body of your business. 

4: Identity validation

Evolution stage: Intermediate

Babies can recognize their primary caregivers’ faces within a matter of weeks after birth—handy for raising an alert to the potential danger of a stranger.

In InfoSec, multi-factor authentication (MFA) and the zero-trust strategy serve the same gatekeeping function, going beyond the basic blocking and tackling functions of usernames and passwords to verify identity at every turn. Also consider implementing data tagging and entitlement management for environment visibility.

5: Effectiveness validation 

Evolution stage: Advanced

A fasting blood test to check cholesterol levels, an annual physical exam to make sure everything is in working order, and an MRI to answer an important health question—diagnostic testing serves humans well in making sure that problems are recognized early and often before an issue worsens.

In InfoSec, it’s healthy to perform continuous testing of all systems, components, and workflows that generate alerts, tracked end-to-end with failure alerting. For maximum efficacy, ensure your program is already in a decent state of maturity with baseline capabilities in place. Consider crafting “dummy” attacks against the entire workflow of your system—from detection through completed ticket—that record each step and identify and report on abnormalities. For those who love a good hands-on challenge, purple teaming is also a helpful exercise to consider.  

¹ “Vaccines and immunization,” Word Health Organization, who.int, https://www.who.int/health-topics/vaccines-and-immunization#tab=tab_1.