Most environments contain different types of systems, and the code in these systems contains vulnerabilities that present holes in the systems. We understand that this systematic failure is challenging to eliminate, so a pragmatic approach is to close these holes as completely and as quickly as possible by patching them and/or shielding them with compensating controls. However, in today's world, most enterprises have different types of systems that are more complex and interconnected than ever. There is no doubt about the effectiveness of this mechanism; as a matter of fact it is an industry best practice, and I would recommend using it. But, as mentioned before, there is new thinking that has the potential to enhance cyber security.
Let me illustrate by using the Swiss Cheese Model. Each cheese slice represents a system, and each hole represents a vulnerability in the system. Assume we have 3 systems, each with 3 vulnerabilities (from poor design or other error factors). We would then have ~9 vulnerabilities in total in our environment that need to be closed (assuming we aim to prevent the hazard/threat).
As the model illustrates, the hazard occurs only if these holes line up so that the hazard/threat can pass through them. Of course, the likelihood of these holes lining up within a short time is higher than before.
The defender's pragmatic approach would be to hide these holes by patch & pray and to add as many preventive layers in front of them as possible to prevent these hazards. However, the new thinking model suggests a different approach, based on an uncertain reasoning model, that shifts the challenge and the required effort from the defender to the adversary.
The systems in our environment are homogeneous so that we can manage and control them easily and efficiently. However, this homogeneous environment comes with a risk: it stays static for a long time, and a penetration of it leads to impact at scale in a short time. The following simulation model of a virus outbreak demonstrates that if an attacker compromises one system, he will be able to compromise everything.
The new model suggests considering diversification (or Cyber Diversity, as I prefer to call it) instead, so that the impact of a penetration would be limited to fewer systems (theoretically, to only 1 system). Of course, it isn't easy to reach that level of diversity without increasing operational complexity, but at this level of diversity there is no point in managing these systems the way we used to. As a result, things would need to change drastically, and adaptive and autonomous systems would be needed in a homogeneous environment.
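The comparison made in the two paragraphs above can be reproduced with a small simulation. This is an added example, not the author's simulation model; it assumes a constructed random topology of 50 hosts and that a single exploit works against exactly one system variant and spreads over any link between hosts running that variant.

```python
import random
from collections import deque

def build_network(n_hosts, extra_links, rng):
    """Constructed topology: a ring (keeps it connected) plus random extra links."""
    adj = {h: set() for h in range(n_hosts)}
    pairs = [(h, (h + 1) % n_hosts) for h in range(n_hosts)]
    pairs += [tuple(rng.sample(range(n_hosts), 2)) for _ in range(extra_links)]
    for a, b in pairs:
        adj[a].add(b)
        adj[b].add(a)
    return adj

def blast_radius(adj, variant_of, entry):
    """Count hosts one exploit reaches from `entry`: it only crosses links
    to neighbours running the same variant as the entry host."""
    target = variant_of[entry]
    seen, queue = {entry}, deque([entry])
    while queue:
        for nb in adj[queue.popleft()]:
            if nb not in seen and variant_of[nb] == target:
                seen.add(nb)
                queue.append(nb)
    return len(seen)

def mean_blast_radius(n_hosts, n_variants, trials=200, seed=1):
    """Average blast radius over random topologies, variant assignments and entry points."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        adj = build_network(n_hosts, n_hosts, rng)
        variant_of = [rng.randrange(n_variants) for _ in range(n_hosts)]
        total += blast_radius(adj, variant_of, rng.randrange(n_hosts))
    return total / trials

if __name__ == "__main__":
    # 1 variant = homogeneous environment; more variants = more diversity.
    for k in (1, 2, 5, 10, 50):
        print(f"{k:>2} variants: mean hosts compromised = {mean_blast_radius(50, k):.1f} of 50")
```

With one variant every host falls; when every host runs its own variant the blast radius is exactly one host, the theoretical limit mentioned above.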
But what level of diversity is needed, and how do we reach that level, you might ask.
Let me take the levels of biodiversity as an example to explain what level of cyber diversity is required in the environment. Ideally, genetic diversity would be the optimal level of diversity in the environment, which means diversity at the kernel, OS or microprocessor ISA level. Here are some examples until the next article.