What does living security do?

Living security is a new approach to cybersecurity that focuses on continuously adapting protections to match emerging threats. Rather than relying solely on prevention like traditional security, living security emphasizes resilience and response. The goal is to create security systems that can dynamically defend against attacks in real time.

How does living security work?

There are a few key principles that enable living security:

  • Automated intelligence – Living security utilizes AI and machine learning to analyze patterns and detect anomalies. This enables automated threat identification and response.
  • Real-time updates – Security defenses are continually updated in real time based on the latest threat intelligence. New vulnerabilities or attack methods can be accounted for immediately.
  • Unified analytics – Data from across an organization is correlated and analyzed as a whole. This provides greater context and visibility into potential issues.
  • Proactive defense – Security teams can hunt for emerging risks and take proactive measures to strengthen defenses. Living security aims to eliminate threats before damage occurs.
  • Adaptive protection – Machine learning allows security solutions to adapt independently to new threats. Defenses evolve automatically as the threat landscape changes.

By leveraging these capabilities, living security systems can operate independently to a large degree. Human security teams gain the advantage of automated assistance, allowing them to focus on higher-value efforts like threat hunting.

What are the benefits of living security?

Living security offers a number of advantages over traditional preventative security:

  • Real-time threat defense – Since security defenses are continually updated in real time, emerging threats can be identified and mitigated extremely quickly. Attackers have less time to operate before being detected.
  • Reduced reliance on prevention – Living security is resilient against failures in preventative measures. Even if an attack gets through, automated response capabilities can minimize damage.
  • Lower operating costs – Automation reduces the workload for security analysts, allowing existing staff to handle a greater volume of potential issues.
  • Accelerated response – Automated intelligence and workflows allow security teams to investigate and respond to threats much faster.
  • Proactive risk management – Living security enables organizations to hunt for risks and strengthen defenses before attacks occur. This reduces overall business risk.
  • Continuous evolution – Machine learning algorithms enable security solutions to continuously adapt without any new software or patches needed. Defenses stay up-to-date with the threat landscape.

In essence, living security increases both the speed and effectiveness of threat defense through automation. Organizations gain better security outcomes with lower overhead.

What are some examples of living security capabilities?

There are many examples of how living security can be implemented across an organization’s IT infrastructure and security stack. Some key capabilities include:

  • Behavioral analytics – Analyze patterns of user or device activity to identify anomalous behavior that may indicate a security threat, such as compromised credentials or insider data theft.
  • Threat intelligence integration – Ingest and correlate data from threat feeds and other external sources to identify emerging risks or new attacker tactics, techniques and procedures (TTPs).
  • Automated containment – Isolate compromised systems automatically to prevent threats from spreading across the network.
  • Adaptive access controls – Dynamically adjust access policies and permissions based on risk profiles for users and devices.
  • Deception technology – Deploy traps and lures across the network to detect and deflect attacker reconnaissance activities.
  • Machine learning malware prevention – Leverage AI algorithms that can identify new forms of malware based on characteristics and behaviors as they emerge.
  • Security orchestration – Automate and coordinate various security tools and processes through a central intelligent platform.

These capabilities work together to provide continuous monitoring, analysis and adaptation against threats.

What are the key components of a living security architecture?

There are several important components needed to build an effective living security architecture:

  • Unified data lake – A centralized data store that ingests and correlates security data from across the organization’s technology landscape.
  • Analytics engine – Tools to automatically parse through data and identify anomalies, threats, and other risks using techniques like machine learning and statistical analysis.
  • Orchestration functions – Logic to coordinate and drive automated response and remediation across security systems.
  • Adaptive defenses – Endpoints, network security, and other controls capable of automatically changing configuration in response to detected threats.
  • Threat intelligence – Feeds providing real-time information on new attack vectors, malware, adversary TTPs and other emerging threats.
  • Third-party integration – APIs and other mechanisms to ingest and share data with external platforms, threat intelligence services, incident response partners, etc.
  • Security automation – Solutions to automate repetitive manual tasks across security workflows.

Organizations need mature capabilities across threat detection, response, and protection systems in order to transition to a living security model.

What are some challenges with implementing living security?

While living security delivers many advantages, it also comes with some notable implementation challenges:

  • Significant technology investment – Moving to AI-driven automated security capabilities requires deploying new advanced tools across the environment.
  • Lack of skilled staff – Data scientists and other specialists are needed to operate, monitor and enhance living security solutions.
  • Change management – Shifting processes to make use of automated security systems requires overcoming cultural resistance.
  • Legacy system constraints – Collecting and correlating data across complex, heterogeneous environments with many legacy systems can be difficult.
  • Increased false positives initially – Machine learning systems require training and tuning to achieve accurate results and minimize false alarms.
  • Limited adoption to date – As an emerging model, living security lacks extensive real-world deployments and best practices.

Organizations need to navigate these obstacles carefully in order to successfully transform their security architectures.

What skills are needed to operate a living security program?

Some key skills needed to leverage living security capabilities include:

  • Data science – To build machine learning models for behavioral analytics, predictive threat detection and other automated security applications.
  • Threat hunting – To proactively identify emerging risks and vulnerabilities that could be exploited by attackers.
  • Incident response – To quickly isolate and remediate threats that manifest into actual compromise or attacks.
  • Security analytics – To derive insights from complex security data sets and clearly communicate risk.
  • Security engineering – To architect solutions that enable automated defense and integrate disparate data sources.
  • Cloud platforms – To utilize cloud infrastructure for scalable data lakes, analytics, and security controls.
  • Orchestration – To develop and execute playbooks that drive automated investigation, containment, and mitigation workflows.

Both technical and analytical security skills are required to make practical use of living security concepts.

How does living security integrate with IT and security operations?

To be effective, living security solutions need tight integration with existing IT infrastructure, as well as security operations processes and teams. Some examples include:

  • SIEM analysis – Send relevant security alerts and risk scores to Security Information and Event Management (SIEM) systems for review by analysts.
  • IT service management – Create incident tickets and trigger automated remediation workflows through ITSM tools like ServiceNow.
  • Threat intel platforms – Incorporate data feeds from threat intelligence platforms to inform behavioral analytics and anomaly detection.
  • Case management – Share investigation findings and other data with case/ticketing systems to streamline response workflows.
  • Network infrastructure – Integrate with firewalls, proxies, endpoint protections and other security controls to enable dynamic policy adaptation.
  • Identity systems – Connect with identity and access management platforms to automatically isolate compromised accounts.

Full visibility across the IT environment is necessary for living security to work effectively.

How can organizations get started with living security?

Organizations interested in exploring living security should consider the following initial steps:

  • Identify a focused use case like insider threat detection or compromised account protection to pilot solutions.
  • Start aggregating and centrally analyzing security log data from across the environment.
  • Evaluate machine learning options for security analytics and defensive automation.
  • Research vendors offering living security products and managed services.
  • Build in-house skills in data science, behavioral analytics, and automation.
  • Explore open source software like Apache Metron for analytics frameworks.
  • Allocate budget for new security analytics and automation technologies.
  • Define metrics and KPIs to measure effectiveness of living security efforts.

Taking an incremental approach allows organizations to gain hands-on experience while building towards a long-term living security roadmap.


Living security represents a fundamental shift in cybersecurity strategy – from passive prevention to active, adaptive defense. By utilizing advanced behavioral analytics, automation, and AI, organizations can evolve security well beyond traditional blocking and tackling. However, living security requires investment in new architectures and skillsets. As threats become more automated themselves, the need for intelligent, self-learning defense will only grow. Organizations should start exploring today how they can bring their security programs to life.