Cyber Immunology

Designing a Cyber Security system is a complex task. Designing systems is not easy and designing security systems is even more difficult.

Security design is thought typically around 4 axes: Security against technical failure, Security against human failure, Security against natural hazards and Security against intended misbehavior. While the first three elements are typical defined as a Safety approach, defining security against intended misbehavior is a little more difficult. The reason for that is, that safety mostly deals with systems and subsystems refusing operation by different reasons and the whole system needs to be passively move into a fail-safe status. Security against intended misbehavior is the opposite. It includes an active component which manipulates the system to create a state of maximum damage or intended misbehavior. Security against these principles cannot be achieved by relying on passive fallback mechanisms.

So the question is: How does a generic system look like, which protect systems against the unknown treats of intended misbehavior.

The General Protection System

As a pragmatic approach for defining a role model for the general protection system a technical model can be build upon the biological model of the human immunology model. This model incorporates the protection against unknown threats – in general viruses, bacterias, and parasites, it works in a high availability mode, it is self-learning and it is built with more than 400 millions of years of evolutionary design improvement. The challenge is the transformation of a biological model into a technical approach.

The biological model can be structured into 3 natural and 1 artificial area: A unspecific detection and prevention capability, an individual defense capability, a self-learning memory capability and an artificial stimulation and knowledge exchange capability.

The unspecific detection and prevention capability is generally based on Macrophages, detecting alien intruders with an sophisticated friend-foe detection, killing most of them and triggering the foe-specific generation of killer cells, T-Helper cells and B-Cells and cytotoxic T-Cells. This part of the immune system can be compared with the hardening of an IT-System, following the different standards and the addition of an Intrusion Detection System (IDS) and a Security Incident and Event Monitoring System (SIEMS).

The cytotoxic T-Cell as an exemplary defense capability which reacts against the attack can be compared with the Computer Emergency Response Team (CERT), highly specialist IT-Security and Forensic specialists, asked for fighting against a cyber attack.

The generation of attack-specific cytotoxic T-Cells is memorized by the T-Memory cells, providing a a self-learning memory capability of the immune system. This capability can be compared with a lessons learned process, which updates the technical prevention and detection capabilities of the IT-Security system by implementing a Security Change Management Process.

This natural immune system is stimulated by human intervention to increase the effectiveness by active and passive vaccination – stimulating the immune system with weakened threats to trigger an immune reaction (active vaccination) or supporting the memory of the individuals immune system by providing artificial or foreign Antibodies (passive vaccination). These artificial stimulation and knowledge exchange capability are realized in the technical world by stimulation and testing the IT-Security infrastructure by intrusion testing (active vaccination) or updating the prevention and detection capabilities of the system based on the information of external security bulletins.

In summary this approach generates a Cyber Immunology Blueprint based on 7 Key Capabilities.

The Cyber Immunology Blueprint

These seven key capabilities can be seen of the seven work-packages of a Cyber Immunology Implementation.

The hardening & prevention work-package is typical the initial start. Here the critical assets, the security targets, the access control rules and the initial system protection mechanisms and rules are defined, which act as the first line of defense. But as there is not total protection system in real life, the whole system needs to be monitored by an independent supervising authority which detects system malbehavior and identifies possible attack. The implementation of this authority is managed in the Intrusion Detection work-package. This authority also acts as a sensor to the Security Incident and Event Monitoring System which creates the Cyber Security Situational Awareness Picture. To do so, it links the security status of a technical system with the key business processes and the security target definition of an organization. In case of a severe event this system triggers the Security Incident Response, an emergency activity which analyses the incident in depth and defines countermeasures and updates for the Hardening and Prevention work-package. The operational implementation of these countermeasures is managed with a Security Change Management system which should follow the ITIL principles and is mostly based on a dynamic hardware & software inventory. Security Information Exchange and Penetration testing are two work-packages which actively stimulate the whole Cyber Security Blueprint, to prevent the system from becoming static and outdated. The Penetration Testing work-package fulfills the active part of the stimulation while Security and Threat Information Exchange ensures the stimulation by external knowledge.

The depth of implementation for these work-packages can be different, according to the individual needs of an organization. Mostly an implementation of this blueprint follows a spiral approach, implementing simple methods first but in all work-packages, followed by more sophisticated subsystems while the whole Cyber Security System matures and evolves.


Following the experience of nature, a Cyber Immunology System can be modeled by implementing the seven key work-packages of the Cyber Security Blueprint. This system ensures a dynamic, active defence as well as an improved first line of protection for the unknown threat. An individual spiral implementation strategy reduces the amount of resources needed for the setup.