How to
Jack Danahy
Jun 2015

Can Cyber-Herd Immunity Save Us?

Photo by Source


In the mid 1980s, Fred Cohen, a PhD student at the time, appropriated the biological term virus to describe a new type of self-replicating software that would corrupt (infect) a host, and then use that host’s capabilities to execute further attacks against other systems. These systems would then become the next generation of infectors. It was just like an organic virus, hopping from host to host, bringing misery along the way.

Unfortunately, there was no Jonas Salk-type virologist in the computer industry paying attention to Dr. Cohen’s metaphor. In Dr. Salk’s case, polio was the virus, infecting tens of thousands of people, including President Franklin Roosevelt. Dr. Salk watched the virus spread and realized that treatment was ineffective, and a vaccine was needed to prevent it from taking hold and spreading. The success of his vaccine (it resulted in the virtual eradication of polio in the U.S.) was due to a phenomena called Herd Immunity. In short, as more people were vaccinated against the virus, it had less and less places to spread, and that meant less places to spread from, until finally the disease was eliminated. Here is a simple demonstration of the concept:



Vaccination vs. Anti-Virus

In cybersecurity terms, the unfortunate lack of cyber-Salk has resulted in a never-ending and accelerating cycle of efforts to treat malicious code and viruses. The current model is to identify infected systems, quarantine them, identify the infecting systems, and treat them with pretty aggressive measures like wiping and rebooting. However, this approach is failing because there are simply too many attacks, too little appetite for downtime, and too much cost.

The only way out of this downward spiral is to take advantage of the same Herd Immunity concept that worked so well for Dr. Salk with polio, and with Molly the cow, above. Adopting this approach would finally make some headway against the growing epidemic of attacks affecting so many people.

As we start, it is useful to remember that the polio vaccine was not an “anti-virus” product; it was an inoculation, making individuals resilient to the disease and protecting non-inoculated individuals by reducing the likelihood of exposure. In the same way, we need to take new measures to inoculate our organizations in order to protect ourselves and to protect our customers and businesses with whom we interact.

To be effective, cybersecurity inoculation must be administered in two areas: the systems and the users.

Securing Systems, Educating Employees

Like medical vaccines, a solution that will successfully inoculate systems must first strengthen the systems before the malicious virus can take root and make changes. It will need to operate within the system, but it cannot make the system seem slower. It will need to be constructed in ways that recognize the components of the oncoming virus long before symptoms of the infection appear. In computer terms, this means advancements in the depth of understanding of the behavior of malicious code as it attempts to embed itself, as well as a weaning from dependence on log files and sniffers.

Users, in turn, need to be inoculated against their own innocence and ignorance. A recent McAfee study showed that most users will take the bait on a phishing attack, which explains why most attacks start on user notebooks, laptops, and desktops. A strong cybersecurity strategy alone will not protect a business from attack if the employees don’t realize the consequences of opening a phishing email. Therefore, the vaccine here is one of improved behavioral education. An effective solution will use the same tools that deflect attacks in real-time to also educate the user at the very moment they are engaged in risky behaviors that can get them infected.

When the majority of users are conscious of these risks, there will be less and less success for the social engineers and phishing attackers to get malicious code to a machine. Once systems can identify the earliest steps in malicious behavior, and can disrupt it, there will be fewer platforms where a successful attack can take hold. When the cyber-herd tips (no pun intended) towards protection in both areas, the vulnerable attack surface becomes limited to those systems where both users and software are uninformed. At this point, attacks cannot easily take hold nor spread, as that requires more non-vaccinated user/system pairs.

This approach will require a very different mindset from current SIEM, IDS, and attribution processes, and it requires an optimistic mindset that such a thing can be done.

But it has been done before. Smallpox killed millions, but now it is gone. Polio disabled millions, but is now in near complete control. The Herd Immunity concept can be applied outside of medicine, it just requires some thinking that leverages the strength of the herd, and doesn’t simply follow it.

Photo by Jonas Nilsson Lee

Jack Danahy

Jack Danahy

Jack is a 25-year-veteran in the security industry. Prior to co-founding Barkly he was the founder and CEO of two successful security companies: Qiave Technologies, acquired by Watchguard Technologies in 2000, and Ounce Labs, acquired by IBM in 2009.


Close the gaps in your security

Stop paying for AV, get the strongest protection instead. See how Barkly blocks attacks that are getting past AV.

See a demo


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.