Proscriptive adoption of information security standards such as ISO27001 is bound to fail, according to Joel Weise, principal engineer and chief technologist at Sun Microsystems' client services security program office.
"Organisations that take the proscriptive approach see security standards as 'to do' lists, when in fact they are only suggested frameworks," Weise says. "This approach will never work as it simply does not consider the organisation's particular needs."
Weise says organisations should build specific security architecture for their particular IT infrastructure that is applicable to business and technical needs.
To build security architecture, the organisation should consider an 'adaptive security' approach, Weise says. "Adaptive security is a framework for elaborating a comprehensive architecture that enables cost-effective risk management for threat containment," he says. "It also seeks to improve operational efficiency and system survivability."
Feedback from Sun's customers that the business environment has become too complex for the IT department to deal with is another driving factor, Weise says. "For example, the rise of the internet and managed services has added to complexity."
Weise noted that as environmental complexity increases, system security decreases. "Threats are developing faster than countermeasures, while a homogeneous IT environment allows a 'pandemic' to spread quickly."
Weise points to a parallel situation in nature, where H5N1 bird flu has caused high mortality rates among infected people. "In the same way, if a cyber attack brings down one server in a data center, all other servers may follow," he said.
"Adaptive security seeks to mimic biological autoimmune systems at the microscopic level and ecological systems of disparate entities at the macroscopic level," Weise says. "It is not defined by a single system or process."
Biological systems use immune systems to dynamically respond to threats, while stem cells can be used as a foundation to 'repair' other body elements, Weise notes. Additionally, the human body can discriminate between 'self' features and foreign bodies like liver transplants, which may be rejected.
From a macro perspective, survival of the ecological system does not depend upon the survival of any individual entity. "Ecosystems are by definition diverse and this contributes to their resilience," Weise said.
Weise says that, in the same way, IT systems may be designed to adaptively respond to different threats, with self-regulating, self-healing and self-protecting abilities. "This includes the ability to 'know' normal conditions and detect abnormal system behaviours."
Specifically, adaptive security seeks to reduce threat amplification, the area vulnerable to attack (the attack surface) and system recovery time in the event of an attack, Weise says. Other objectives include ensuring the availability and reliability of data and processing resources, as well as reducing attack speed.
While acknowledging that some elements of adaptive security are mainly theoretical in the IT arena, Weise notes that they already exist in various non-IT areas. "Predictive analytics is an element of adaptive security," he says. "For example, by looking at a person's age and health records, health insurance companies can estimate the client's lifespan.
"I see predictive analytics as a potential area that security vendors can work on to bring the industry further down the road to true adaptive security," Weise says. "This means security software can predict threats before they happen, but no one knows how to do that yet."
Weise notes, however, that progress in predictive analytics has already been made in the hardware space. "For example, the CPU has to run under certain conditions like temperature or humidity because we know that it will fail if it is overheated beyond a certain number of hours," he said. "That's why cooling fans are installed."
Another example is observation of devices running on limited power supplies. "If I see any unusual changes in the device's performance, I may 'predict' that the power supply will run out in an estimated time period and hook up the device to an alternative power source before that happens," Weise says.
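The two ideas above, a system that 'knows' its normal conditions and flags abnormal behaviour, and a monitor that extrapolates a declining resource to predict when it runs out, can be shown in a few lines of code. The following is an added example written for this page; it is not code from the article, from Weise or from Sun. The telemetry (a baseline of requests per second and a series of power-level readings) is constructed, and the 3-sigma rule and the straight-line extrapolation are illustrative choices, not a description of any Sun product.

```python
"""Added example: learn a baseline, detect deviations from it, and extrapolate
a declining resource to estimate time-to-exhaustion. All data are constructed."""
from statistics import mean, stdev

# Constructed baseline: requests per second sampled once a minute during
# normal operation of a hypothetical service.
BASELINE_RPS = [120, 118, 125, 122, 119, 121, 124, 117, 123, 120]

# Constructed readings of a hypothetical device on a limited power supply:
# (minute, remaining charge in percent).
POWER_READINGS = [(0, 100.0), (10, 95.0), (20, 90.0), (30, 85.0)]


def learn_normal(samples):
    """Summarise 'normal' as a (mean, standard deviation) profile."""
    return mean(samples), stdev(samples)


def is_abnormal(value, profile, threshold=3.0):
    """True if a reading lies more than `threshold` standard deviations from
    the learned mean. A real baseline would be much larger than ten samples;
    the 3-sigma cut-off is an illustrative choice."""
    mu, sigma = profile
    if sigma == 0:
        return value != mu
    return abs(value - mu) / sigma > threshold


def scan(stream, profile, threshold=3.0):
    """Return [(index, value)] for every reading in `stream` that deviates
    from the profile; this is the 'detect abnormal behaviour' step."""
    return [(i, v) for i, v in enumerate(stream) if is_abnormal(v, profile, threshold)]


def minutes_until_exhausted(readings, floor=0.0):
    """Fit a least-squares line to (minute, level) readings and extrapolate
    when the level reaches `floor`. Returns the minutes remaining after the
    last reading, or None if the level is not declining."""
    xs = [t for t, _ in readings]
    ys = [v for _, v in readings]
    xbar, ybar = mean(xs), mean(ys)
    sxx = sum((x - xbar) ** 2 for x in xs)
    slope = sum((x - xbar) * (y - ybar) for x, y in zip(xs, ys)) / sxx
    if slope >= 0:
        return None
    intercept = ybar - slope * xbar
    t_floor = (floor - intercept) / slope
    return t_floor - xs[-1]


if __name__ == "__main__":
    profile = learn_normal(BASELINE_RPS)
    # Constructed live stream with one spike that should be flagged.
    live = [121, 119, 480, 122]
    print("anomalies:", scan(live, profile))
    print("minutes until power exhausted:", minutes_until_exhausted(POWER_READINGS))
```

With the constructed data, the spike of 480 requests per second is the only reading flagged, and the power readings (falling half a percent per minute) give an estimated 170 minutes of charge after the last sample, which is the window in which an operator, or an automated controller, would switch the device to an alternative source.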
Weise says Sun is doing research on adaptive security in its labs, such as an 'automated self-healing' system. "When we see a threat alert coming to the system, we can automatically bring the system offline, take a forensic snapshot of the system and use it to restore the system in seconds," he says.