Jan 13

Cyber security: Time for a rethink on boosting immune system

DECEMBER 28, 2016

Companies must ask themselves a crucial question: How do you stop an attacker already inside your network, before the attack escalates into a crisis?


Recently asked to share his thoughts on cyber security, United States President Barack Obama commented: “Traditionally, when we think about security and protecting ourselves, we think in terms of armour and walls. Increasingly, I find myself looking to medicine and thinking about viruses, antibodies. Part of the reason why cyber security continues to be so hard is because the threat is not a bunch of tanks rolling at you, but a whole bunch of systems that may be vulnerable to a worm getting in there.”

This immune system analogy inspires us to rethink how we do cyber security. By understanding and continuously refining our grasp on what is inside us — the “self” and what is “normal” — the human body can detect abnormalities and respond in real-time to anything it identifies as a threat.

In 2017, organisations looking to secure their networks can take a cue from our body’s smart and automated reactions.

Enterprises that have been successful in mitigating threats have acknowledged that security professionals cannot be expected to do all the heavy lifting. It is impossible to manually track and secure every part of an organisation’s network. Hence, they have turned to unsupervised machine-learning technology that mirrors the mechanism of the human immune system, allowing them to eliminate more than 18,000 serious early-stage threats globally in the past two years.

Cyber attacks that have made headlines this year have proved more than ever that companies have a visibility problem — they cannot see what is happening beneath the surface of their own networks. While we can already expect more Internet of Things (IoT) and Artificial Intelligence (AI)-powered hacks moving forward, we need to use an immune system approach in cyber defence to keep up with the evolving threats that await us.


Today’s most savvy attackers are moving away from pure data theft or website hacking, to attacks that have a more subtle target — data integrity.

Ex-students have successfully hacked college computers to modify their grades. In 2013, Syrian hackers tapped into the Associated Press’ Twitter account and broadcast fake reports that President Obama had been injured in explosions at the White House. Within minutes, the news caused a 150-point drop in the Dow Jones.

Next year’s attackers will use their ability to hack information systems not to just make a quick buck, but to cause long-term, reputational damage to individuals or groups by eroding trust in data itself.

The scenario is worrying for industries that rely heavily on public confidence. A laboratory that cannot vouch for the fidelity of medical test results, or a bank that has had account balances tampered with, are examples of organisations at risk. Governments may also fall foul of such attacks, as critical data repositories are altered and public distrust in national institutions rises. Local firms will not be immune from such attacks, especially as they digitise and consequently become more reliant on online data.

With a growing focus on integrating MedTech, FinTech and GovTech as a part of our Smart Nation drive, and the acknowledgement by the Cyber Security Agency that Singapore has come under 16 waves of online attacks since last April, local organisations must guard against the possibility of these “trust attacks” hitting our shores.

“Trust attacks” are also expected to disrupt financial markets. An example of this is falsifying market information to cause ill-informed investments. We have already glimpsed the potential of disrupted mergers and acquisitions (M&A) activity through cyber attacks — is it a coincidence that the hacking of one billion Yahoo accounts was disclosed while Verizon was in the process of acquiring the company?


Insiders are often the source of the most dangerous attacks. They are harder to detect, because they use legitimate user credentials. They can do maximum damage, because they have knowledge of and privileged access to the information required for their jobs, and can hop between network segments. A disgruntled employee looking to do damage stands a good chance through a cyber attack.

But insider threats are not just staff with chips on their shoulders. Non-malicious insiders are just as much of a vulnerability as deliberate saboteurs. How many times have links been clicked before checking email addresses? Or security policy contravened to get a job done quicker, such as uploading confidential documents on less secure public file hosting services?

The Employee Cyber Security Kit was introduced by Singapore’s National Security Coordination Secretariat in late 2015, to guide local firms’ employee cyber security awareness efforts. Despite this, we cannot reasonably expect 100 per cent of employees and network users to be impervious to cyber threats that are getting more advanced. They will not make the right decision, every time.

Organisations need to combat insider threat by gaining visibility into their internal systems, rather than trying to reinforce their network perimeter. We do not expect our skin to protect us from viruses — so we should not expect a firewall to stop advanced cyber threats which, in many cases, originate from the inside in the first place.

In the past year, immune system technologies have caught a plethora of insider threats, including an employee deliberately exfiltrating a customer database a week before handing in his notice; a game developer sending source code to his home email address so he could work remotely over the weekend; a system administrator uploading network information to a home broadband router — the list goes on.
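The learned-“self” detection that the immune system analogy describes, applied to insider cases like the ones just listed, as an added illustration that is not the article’s or any vendor’s code: it learns each user’s normal daily outbound volume and destinations from a training window, then flags a later day that departs sharply from that user’s own baseline. The event records, user names and destination labels are constructed for the example.

```python
from collections import defaultdict
from statistics import median
# Constructed sample records (day, user, destination, bytes_out); not real telemetry.
EVENTS = [
    *[(d, "alice", "corp-sharepoint", 40_000 + 500 * d) for d in range(1, 8)],
    *[(d, "bob", "corp-git", 120_000 + 2_000 * d) for d in range(1, 8)],
    *[(d, "carol", "corp-crm", 60_000 + 800 * d) for d in range(1, 8)],
    (8, "alice", "corp-sharepoint", 44_000),      # business as usual
    (8, "bob", "personal-webmail", 950_000),      # source code mailed to a home account
    (9, "carol", "public-filehost", 5_000_000),   # customer database pushed to a file host
]
BASELINE_DAYS = 7  # learning window: what each user's "normal" looks like

def learn_baseline(events, days=BASELINE_DAYS):
    """Per user: median/MAD of daily outbound bytes and the destinations seen."""
    daily, dests = defaultdict(lambda: defaultdict(int)), defaultdict(set)
    for day, user, dest, nbytes in events:
        if day <= days:
            daily[user][day] += nbytes
            dests[user].add(dest)
    baseline = {}
    for user, per_day in daily.items():
        totals = list(per_day.values())
        med = median(totals)
        mad = median(abs(t - med) for t in totals) or 1.0  # never divide by zero
        baseline[user] = {"median": med, "mad": mad, "dests": dests[user]}
    return baseline

def detect(events, baseline, days=BASELINE_DAYS, z_threshold=6.0):
    """Flag post-window days that deviate from the user's own norm in volume or destination."""
    daily, new_dest = defaultdict(lambda: defaultdict(int)), defaultdict(lambda: defaultdict(set))
    for day, user, dest, nbytes in events:
        if day > days:
            daily[user][day] += nbytes
            if dest not in baseline.get(user, {}).get("dests", set()):
                new_dest[user][day].add(dest)
    alerts = []
    for user, per_day in daily.items():
        b = baseline.get(user)
        for day, total in sorted(per_day.items()):
            # Robust z-score: 0.6745*(x - median)/MAD; a user with no baseline is always anomalous
            z = 0.6745 * (total - b["median"]) / b["mad"] if b else float("inf")
            reasons = [f"volume z={z:.1f}"] if z > z_threshold else []
            if new_dest[user][day]:
                reasons.append("new destination " + ",".join(sorted(new_dest[user][day])))
            if reasons:
                alerts.append((day, user, total, "; ".join(reasons)))
    return alerts

def run():
    return detect(EVENTS, learn_baseline(EVENTS))
```

Only bob’s mail-out and carol’s bulk export are flagged; alice’s slightly larger day stays within her own range, which is the point of scoring each user against their own “self” rather than a global threshold.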

Due to the increasing sophistication of external hackers, we are going to have a harder time distinguishing between insiders and external attackers who have hijacked legitimate user credentials. These forms of attack are inconspicuous, and can remain in a network for weeks or even months before sounding any alarms.

Companies must ask themselves a crucial question: How do you stop an attacker already inside your network, before it escalates into a crisis?

In the months ahead, there will be mounting pressure for organisations to make themselves more resilient and adopt new technology that can provide the visibility they currently lack. An immune system approach is far more perceptive to intrusions and suspicious behaviour than the legacy tools that are still being relied upon.
